Bad apple: Difference between revisions

no edit summary
Line 1: Line 1:
{{a|systems|{{image|bad apple|jpg|}}}}{{dpn|/bæd ˈæpl/|n|}}{{C|newsletter draft}}One of those mischievous human imps occupying unobserved crevices in the great steampunk machine who, by human frailty, ruins the best-laid plans of the machines. Bad apples need not be mendacious, ill-spirited or even conscious, but often are. [[Bernie Madoff|Bernard Madoff]] was a bad apple, but so was the [[GameStop]] share rally, and Citigroup’s archaic [[Citigroup v Brigade Capital Management|loan servicing software]].
{{a|systems|{{image|bad apple|jpg|}}}}{{dpn|/bæd ˈæpl/|n|}}{{C|newsletter draft}}One of those mischievous human imps occupying unobserved crevices in the great steampunk machine who, by human frailty, ruins the best-laid plans of the machines. Bad apples need not be mendacious, ill-spirited or even conscious, but often are. [[Bernie Madoff|Bernard Madoff]] was a bad apple, but so was the [[GameStop]] share rally, and Citigroup’s archaic [[Citigroup v Brigade Capital Management|loan servicing software]].


On the conventional wisdom, [[bad apple]]s are the last remaining fly in the ointment. They alone keep us from the sunlit uplands of [[financial services utopia]] that our collected labours have surely earned. Once the last bad apple has been rooted out, all will be well in perpetuity.
On the conventional wisdom, [[bad apple]]s are the last remaining fly in the ointment. They alone keep us from the sunlit uplands of financial services utopia that our collected labours have surely earned. Once the last one has been rooted out, all will be well.


It’s not clear what we’ll all then ''do'', but this is surely just a quibble: the problem we would love to have.
It’s not clear what we’ll all then ''do'', but this is surely just a quibble: the problem we would love to have.


=== Bad apples and complex systems ===
The JC likes to ponder human nature, however inexpertly. He wonders whether we should be quite so credulous. Is not the barrel of bad apples ''bottomless''? Aren’t ''bad apples just gonna be bad''?  
The JC likes to ponder human nature, however inexpertly. He wonders whether we should be quite so credulous. Is not the barrel of bad apples ''bottomless''? Aren’t ''bad apples just gonna be bad''?  
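Review bot: The added heading "=== Bad apples and complex systems ===" is level 3, but nothing at level 2 precedes it in the visible text and the page's other section heading ("==Spotting bad apples==") is level 2. Use "==Bad apples and complex systems==" so the two sit at the same depth in the table of contents. The same edit drops the [[financial services utopia]] link and "in perpetuity" from the opening paragraph; with no edit summary, it is unclear whether removing the link was intended.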


Line 11: Line 12:
For there will ''always'' be bad apples, and they will always seek out, find and exploit [[Zero-day vulnerability|zero-day flaws]] in our fragile systems. We should expect this, because it is in their — ''our'' —nature. ''[[Air crashes v financial crashes|This is what bad apples do]]''.  
For there will ''always'' be bad apples, and they will always seek out, find and exploit [[Zero-day vulnerability|zero-day flaws]] in our fragile systems. We should expect this, because it is in their — ''our'' —nature. ''[[Air crashes v financial crashes|This is what bad apples do]]''.  


Bad apples will find [[Zero-day vulnerability|zero-day vulnerabilities]] exactly where we least expect them, and are therefore paying least attention: ostensibly harmless, sleepy backwaters. [[LIBOR]] submissions. [[Enron|The accounting department]]. [[Citigroup v Brigade Capital Management|The outsourced loan servicing team in Bangalore]]. [[Kweku Abodoli|The delta-one index swaps desk]]. In a [[Archegos|family office]].
Bad apples will find [[Zero-day vulnerability|zero-day vulnerabilities]] exactly where we least expect them, and are therefore paying least attention: ostensibly harmless, sleepy backwaters. [[LIBOR]] submissions. [[Enron|The accounting department]]. [[Citigroup v Brigade Capital Management|The outsourced loan servicing team in Bangalore]]. [[Kweku Abodoli|The delta-one index swaps desk]]. A [[Archegos|family office]].


The question is not “where are all the bad apples?” as much as “where are all the [[Zero-day vulnerability|zero-day vulnerabilities]] they will surely exploit?”  
The question is not “where are all the bad apples?” but “where are all the [[Zero-day vulnerability|zero-day vulnerabilities]] they will surely exploit?”


And the more byzantine, multi-dimensional, formalised, technology-overlaid and ''complex'' our system becomes, the ''more vulnerabilities it will have'', and the harder it will be to find them, should they start playing up.
The answer: ''no-one knows''.
 
And the more byzantine, multi-dimensional, formalised, technology-overlaid and ''complex'' our systems become, the ''more vulnerabilities there will be'', and the harder they will be to find, when they start playing up.


Leaving it to “the system” to detect and destroy bad apples — by policy attestation, outsourced compliance teams reading from [[playbook|playbooks]], “[[Chatbot|A.I.-powered]]” software applications — is surely the Bond villain’s way of despatching an enemy: you tie it up, gloat for a while, deliver a quick monologue and then leave it unattended while a nasty-looking, but plainly fallible, clockwork machine counts down from a thousand.
Leaving it to “the system” to detect and destroy bad apples — by policy attestation, outsourced compliance teams reading from [[playbook|playbooks]], “[[Chatbot|A.I.-powered]]” software applications — is surely the Bond villain’s way of despatching an enemy: you tie it up, gloat for a while, deliver a quick monologue and then leave it unattended while a nasty-looking, but plainly fallible, clockwork machine counts down from a thousand.


In the meantime, the same risk control gin-traps snare other passing, peaceable, but ignorant, citizens as they go about their quotidian day, while the bad apples, wise to the ways of the world, have long since untied their bonds and made for the exit, unnoticed by the systems and controls.  
In the meantime, and while the risk control gin-traps snare other passing, peaceable, but ignorant, citizens as they go about their quotidian day, those bad old apples, wise to the world, have long since untied their bonds and made stealthily away.  
   
   
==How to spot a bad apple==
==Spotting bad apples==
The regrettable thing about bad apples is their habit of looking like boring functionaries, or even good guys, right up to the moment that they ''don’t''.
The regrettable thing about bad apples is their habit of looking like boring functionaries, or even good guys, right up to the moment that they ''don’t''.
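Review bot: Renaming "==How to spot a bad apple==" to "==Spotting bad apples==" changes the section anchor, so any inbound link that targets the old section name will no longer land on it. Check for such links or leave an anchor under the old name. The new line "The answer: ''no-one knows''." is also followed by a line containing only a space rather than an empty line; replace it with a true blank line so the paragraph break is unambiguous.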


Line 31: Line 34:
Hence, our controversial proposal: A good bad apple, that doesn’t ''look'' like a bad apple, ''isn’t a bad apple''.
Hence, our controversial proposal: A good bad apple, that doesn’t ''look'' like a bad apple, ''isn’t a bad apple''.


It won’t do to say ''we must be better at spotting bad apples'' — thereby spreading by association the stigma of bad appledom on the mediocre good apples who fail to spot them.  
It won’t do to say ''our good apples must be better at spotting bad apples'' if, at the time of looking, our bad apples look like good apples. for that is to spread by association the stigma of bad appledom on the mediocre good apples who fail to spot them.  


We should ask ''why'' did they not notice perfidy going on around them? Are they uncommonly stupid, or or have their bad apple detectors somehow been disarmed?
We should ask ''why'' did they not notice perfidy going on around them? Are they uncommonly stupid, or or have their bad apple detectors somehow been disarmed?
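Review bot: The rewritten sentence breaks at "look like good apples. for that is to spread", leaving a lowercase "for" after a full stop and a fragment that cannot stand alone. Join the two with a comma or semicolon ("...look like good apples; for that is to spread..."). The unchanged line below still reads "or or have their bad apple detectors", which could be fixed in the same pass.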
Line 73: Line 76:
In any case the Opco will methodically plough through each department’s slides, which all will tell variations of the same story: in the main, ''plain sailing'' but, by way of colour, the odd fixable glitch in [[process]] — nothing serious; just the inevitable operational snags of modern financial services — and for those, a remediation plan,  already in train, for how they will be resolved.   
In any case the Opco will methodically plough through each department’s slides, which all will tell variations of the same story: in the main, ''plain sailing'' but, by way of colour, the odd fixable glitch in [[process]] — nothing serious; just the inevitable operational snags of modern financial services — and for those, a remediation plan,  already in train, for how they will be resolved.   


All kinds of [[metric]]<nowiki/>s will be presented, analysed and set out in voluminous graphs, charts and data tables. There may be a dashboard of “high risk” situations — but only ones numerically derived from [[metric]]<nowiki/>s. In any case the [[RAG]] array will read, mainly, uniform ''green''. Perhaps the odd amber, for the sake of punctuation, attesting to easily-addressed low-impact hazards to be included “for good order” and with confident assurances there is elevated risk of loss.  
All kinds of [[metric]]<nowiki/>s will be presented, analysed and set out in voluminous graphs, charts and data tables. There may be a dashboard of “high risk” situations — but only ones numerically derived from [[metric]]<nowiki/>s. In any case the [[RAG]] array will read, mainly, uniform ''green''. Perhaps the odd amber, for the sake of punctuation, attesting to easily-addressed low-impact hazards to be included “for good order” and with confident assurances there is elevated risk of loss.


It will be like this because we are enculturated to always need to be in ''control'', for all systems to be ''go'', all processes in good standing, all engines ticking over without significant strain. We tell ourselves that as long as this is so we, personally, are safe and cannot be blamed. We have been acclimatised to believe that the greatest sin is ''to'' ''disrespect'' ''[[process]]''. If you disrespect process, you ''can'' be blamed.
It will be like this because we are enculturated to always need to be in ''control'', for all systems to be ''go'', all processes in good standing, all engines ticking over without significant strain. We tell ourselves that as long as this is so we, personally, are safe and cannot be blamed. We have been acclimatised to believe that the greatest sin is ''to'' ''disrespect'' ''[[process]]''. If you disrespect process, you ''can'' be blamed.
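Review bot: The only change here is trailing whitespace on the metrics paragraph, which leaves "with confident assurances there is elevated risk of loss" untouched. That reads as the opposite of what "easily-addressed low-impact hazards" sets up; it looks like a dropped "no" ("assurances there is no elevated risk of loss") and is worth confirming with the author while this paragraph is being edited.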