News update 2003-05: May 2003
===================
A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).
Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.
Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.
In this issue:
1. Human error
2. Non-human error?
3. FSA update
4. Correspondence
5. Newsletter information
===============
1. Human error
CompTIA, the Computing Technology Industry Association, recently
released a white paper on computer security. They surveyed 638
professionals in North America. The principal results were:
– 31% had between one and three major security breaches in the last
six months.
– Human error was the primary cause of 34% of the most recent
breaches; intentional action accounted for 29%, technical
malfunction for 8%, and a combination of human error and technical
malfunction for 29%. Human error was thus implicated in 63%.
– 57% of organisations had no comprehensive written IT security
policy in place.
– About 20% of organisations had no IT staff with security-related
training.
The survey apparently included respondents from the educational,
governmental, financial, and IT sectors among others. There seems
no real reason to think that the situation is substantially
different in the UK.
Human error is clearly a big problem; the figures above indicate
that in a six-month period it may cause at least one major security
breach in 20% of organisations. The report doesn’t analyse the
causes in any more detail, but two possible reasons for human error
are poor user interfaces and documentation combined with complex
systems, and lack of training. Human error can occur among users as
well as among IT professionals; passwords are an obvious problem
area, as is software installation.
The report also shows that many organisations don’t take computer
security seriously. The “it won’t happen to us” mentality is
clearly alive and kicking. Human error is much more likely where
there is no comprehensive IT security policy in place; people may
simply not know that their behaviour is dangerous.
As in so many areas, ignorance is the big problem: people either
don’t know what they should (or shouldn’t) be doing, or they know
the correct procedures and ignore them. Education and training are
necessary, but so is a commitment to good practice that runs
throughout the organisation.
Committing to Security: A CompTIA Analysis of IT Security and the
Workforce is available at
http://www.comptia.org/research/whitepapers.asp?topic=Security
===============
2. Non-human error?
You might think that one way to eliminate human error is to
automate the process, whatever it might be. However, automation can
lead to different problems, and anyway people are nearly always
involved at some stage.
A woman in Seattle is suing Farmers Insurance Company of
Washington, claiming that the company uses an expert system to
provide inaccurately low estimates of automobile-related
injuries. She argues that she would have taken her business
elsewhere if she had known the company would use a computer to
judge how much her life was worth. “They didn’t even come out to
see me,” Barbara Martin said. “How could they know me or what
happened to me?”
The expert system in question is Colossus, a product of Computer
Sciences Corporation (CSC). It is fairly clear from CSC’s web site
that Colossus, which they describe as “the industry’s leading
expert system for evaluating bodily injury claims,” is used
interactively by a claims adjuster. Indeed, it’s difficult to see
how it could be otherwise. The results produced by Colossus thus
depend on what information is available to the claims adjuster and
how that information is interpreted. As usual, “Garbage In, Garbage
Out” applies.
The complaints about Colossus aren’t new. Two former employees of
Farmers were sued for saying that Colossus places unfairly low
values on personal-injury claims. They claimed that Farmers
adjusted Colossus so that its estimates were consistently below
those of experienced claims adjusters.
I know no more about this case and Colossus than I have read in the
papers and on CSC’s web site (see references at the end of this
section), but it seems to me that several issues are being
conflated here.
– Mrs Martin says that she was never visited by a claims adjuster,
and that Farmers therefore couldn’t have had accurate information
about her injuries and their effects. This issue is independent
of whether Colossus was used or not.
– People don’t trust computers. They don’t like the idea of
decisions that affect them significantly being made by a
collection of silicon chips. On the whole, people doubt whether
computers can understand the subtleties of their particular
circumstances: we see this to a lesser extent with credit rating
systems, for example.
– Although CSC claim that Colossus should be used as a guide rather
than as an infallible source of estimates, it is very possible
that in practice claims adjusters rarely disagree with the numbers
it produces. This might be due to corporate culture or pressure on
people to conform, but may also be because, somewhat
inconsistently, people do seem to trust computer systems that they
actually use themselves.
– There is a belief that this particular expert system has been
made to produce artificially low claims estimates. Of course it’s
entirely possible that its estimates are below those of human
claims adjusters. Possibly Farmers had thought that its claims
were getting out of hand. However, a reduction could have been
accomplished without Colossus by simply instructing the adjusters
to reduce their estimates. The use of Colossus would however help
to enforce a general lowering of estimates.
On the whole it looks as if the use of Colossus is a peg on which
various concerns are being hung. Clearly its use is perceived as
threatening by both customers and employees. Possibly management
are using it as a shield, rather than taking responsibility for
events themselves.
There is some good scaremongering going on in the press: “About
half of insurance companies that operate in the United States,
including some of the largest, such as Aetna, Hartford Financial
Services and Zurich Personal Injury, use the Colossus program. But
those companies have done a good job suppressing information about
the program. Colossus is not mentioned in insurance policies or
advertising brochures. Neither is the fact that claims are being
adjusted by computer.”
A description of Colossus can be found at
http://www.csc-fs.com/MARKETS/detail/cc_COLOSSUS.asp
There’s coverage of the story at
http://seattlepi.nwsource.com/local/122105_colossus15xx.html
and http://seattlepi.nwsource.com/local/93620_insurance31.shtml
===============
3. FSA update
Looking at the lists of new consultations and feedback out within
the last month I was struck by the imbalance: 8 new CPs, and
feedback to only 4 CPs. Are things getting out of hand? When I
investigated further, however, I was less worried. A number of CPs
never get explicit feedback documents of their own, but are dealt
with in the monthly Handbook Notices. These are mostly “small” CPs,
such as the series on Miscellaneous amendments to the Handbook,
which often have very few responses or even none at all.
Unfortunately the relevant Handbook Notices aren’t referenced on
the main CP web pages, which continue to say that “Response Paper
will be available at the end of the consultation process”. I have
also found at least one CP that does have feedback, including a
policy statement, that is not referenced from the main CP page
(CP138).
So if you are particularly eager to find out if there is feedback
on a CP, your best bet is to use the FSA search facility, which
works very well, to search for all references to it (e.g., entering
CP138 as the search term will show you the relevant feedback).
New consultation and discussion papers out this month:
—————————————————–
CP179 The Authorisation manual – Draft perimeter guidance on
activities related to pension schemes
CP180 Fees for mortgage firms and insurance intermediaries
CP181 The Interim Prudential Sourcebooks for Insurers and Friendly
Societies: Implementation of the Solvency I Directives
(2002/12/EC and 2002/13/EC)
CP182 Proposed changes to the Listing Rules to take account of the
introduction of treasury shares
CP183 Standardising past performance – Including feedback on CP132
CP184 Miscellaneous amendments to the Handbook (No.8)
CP185 The CIS sourcebook – A new approach
CP186 Mortgage regulation: Draft conduct of business rules and
feedback on CP146
Feedback published this month:
—————————–
CP132 The presentation of past performance and bond fund yields in
financial promotions
CP146 The FSA’s approach to regulating mortgage sales
CP149 Market abuse: Pre-hedging convertible and exchangeable bond
issues
CP168 Fees 2003/04
DP17 Short selling
Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html
===============
4. Correspondence
Contributions are anonymous this month as I hadn’t warned people
that they might be quoted. In future, I’ll use your name unless you
say otherwise.
Last month I chatted about the problems of public holidays in
Scotland, where they are both different from those in England and
vary between cities. A reader wrote:
On the subject of Bank Holidays, I was surprised shortly after I
moved to India to find that unlike England, where I think Bank
Holidays are called that because even bank staff get them, here
Bank Holidays are called that for the opposite reason – only
bank staff get them.
I also talked about how difficult it is to ensure that software has
no errors, unless it has been so rigorously specified that it can
be proved to be correct. I received the comment:
and in that case, the specification will contain bugs 🙂
or the proof will…
===============
5. Newsletter information
This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email news-subscribe@louisepryor.com. To
unsubscribe, email news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.