Fooled by Information Asymmetry

On July 24, 2009, Trina Thompson sued her alma mater, Monroe College, for the full cost of her tuition after graduating with a bachelor of business administration degree in information technology. Why? Because she couldn’t find a job. Before sympathizing with Thompson’s claim that “they [the counselors] have not tried hard enough to help me”, consider this other quote from that article:

“As Thompson sees it, any reasonable employer would pounce on an applicant with her academic credentials, which include a 2.7 grade-point average and a solid attendance record.”

You mean, not only did she have a superlatively covetable 2.7 GPA, but she also showed up? “She showed up, your honor! She… showed… up. How derelict in their duty must those counselors have been to not find her a job?”

The article further states “she suggested that Monroe’s Office of Career Advancement shows preferential treatment to students with excellent grades. ‘They favor more toward students that got a 4.0. They help them more out with the job placement,’ she said.”

Some will read this and say: “another American with a distorted sense of entitlement and fairness playing the legal system like the lottery” or simply “how ridiculous!” Others will read it and say: “why didn’t I think of that?” Among those in this second camp, there will be the expected lot of ambulance chasers and compensation culturists, but there will likely also be another class… paranoid, attribution-biased, epiphenomenalists. In other words, most CEOs.

In fact, one CEO in particular comes to mind: Robert Carr, CEO of Heartland Payment Systems. In a recent interview following the HPS data breach, possibly the largest breach to date, Mr. Carr made the statement “the audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever”. While I tend to largely agree with him (based on my personal experience with a certain one of these unfortunately ironically named service providers), it is not a long stretch from “no value whatsoever” to litigation. After all, when your strategy consists of one part transference of responsibility + one part don’t waste my very important 15-second attention span with details + one part blind faith in soothsayers, soapbox orators, or snake-oil salesmen, you are very likely the sort of person who takes all the credit for your occasional random successes, and shifts all the blame to other agents for your collection of failures. But if you are among those prone to take umbrage at that – wait. Instead, let me first distract you with this, and then a stoking of your paranoia and egotism: you are being watched.

Gina Moore, a portfolio manager at Aronson + Johnson + Ortiz, a Philadelphia investment firm with $17 billion under management, says she doesn’t talk with executives of companies she’s considering investing in, but instead monitors their levels of insider trading. This, she explains, provides her with more accurate information about where executives “think their company is going without the corporate spin.” This is just an example of signalling, a term that describes ways in which principals (uninformed parties) try to gain information on agents (informed parties) in asymmetric information scenarios. This is analogous to the Trina Thompson situation above – in one case it’s insider (agent) activity signalling the portfolio manager (principal), and in the other it’s Trina’s (agent) 2.7 GPA signalling prospective employers (principals). But there is a difference: while the GPA is an enduring fait accompli (and probably not high enough to enable Trina to change it), insider trading is ongoing, so it is subject to manipulation.

So perhaps Gina Moore should not have done that interview with Business Week… Platitudinous as it is, few would disagree, in general, that “power corrupts”, and that executives gravitate to the stereotypic. Armed with the knowledge that their trading activity is being monitored for signals by investors attempting to counterbalance information asymmetry, executives are either:

  1. Already engaged in such signal manipulations
  2. Ashamed of themselves for not yet having concocted an appropriate set of such manipulative schemes.

Investors might be inclined to worry more about this were it not for the fact that an executive’s predisposition toward corruption is rivaled by his predilection for exec-speak, sports and war metaphors, and unintelligible references to Sun Tzu, all of which add up to almost guaranteed failure of a reverse Turing test. As Nassim Taleb describes:

What is a Turing test? The brilliant British Mathematician, eccentric, and computer pioneer Alan Turing came up with the following test: A computer can be said to be intelligent if it can (on average) fool a human into mistaking it for another human. The converse should be true. A human can be said to be unintelligent if we can replicate his speech by a computer, which we know is unintelligent, and fool a human into believing it was written by a human.

Taleb then goes on to provide some postmodernist examples created with Andrew C. Bulhak’s recursive grammar Dada Engine. And these engines are easily adapted to other grammars, such as the highly entertaining brag generator, or the just plain sad Corporate Gibberish Generator.

After reading some of the output from the Corporate Gibberish Generator, it’s worthwhile to keep in mind (even in today’s climate) Taleb’s closing in that section:

If this bears too close a resemblance to the speech you just heard from the boss of your company, then I suggest looking for a new job.

So while we might not need to worry much about information warfare adversaries who can be replaced by a Python script, we should worry about adversaries who could write such scripts, or worse. For example, a friend of mine recently had a rather valuable domain hijacked by a cyberthief who managed to crack a certain registrar’s account authentication system. After doing so, the thief then changed registrant passwords and domain contact information to a different email address. This action, of course, sent a notification to my friend, who, unable to log in to his account at the registrar, immediately reported the matter to them. To this point, the attack was similar to the DomainZ hack described in this ICANN report titled “Measures to Protect Registration Services Against Misuse”. But then it turned; rather than exploiting the theft to redirect visitors to a malicious site, the thief in this case produced a very convincing set of fraudulent identification and supporting legal documentation so as to sell the domain for a large sum of money through a well-known domain marketplace. Fortunately, said marketplace flagged the offer as suspicious, and their (not your typical) CEO contacted the registrar. The registrar, having already been notified, was monitoring all activity around the domain, and immediately contacted my friend with a “get a load of this” email. This situation is still in progress, so more details will have to wait until it is resolved, but I mention it to make a point:

Counterintuitively, sometimes it is better to allow certain types of attacks or illicit activities to go on even if you can stop them. Why? So that you might gain information on your adversary. On any effort more targeted and intent than a simple recon scan or scripted attack, outright prevention, termination, or other types of detectable intervention are signals to the attacker that they have been discovered. And while in some cases this may work to thwart the attack and prevent or limit any damage, there is also the chance that it will prompt the attacker to adopt more cryptic tactics. Even worse is the chance that the damage has already been done, and that by scaring off the attacker prematurely, you lose all hope of discovering either the full scope of the damage or your attacker’s identity. Signal with care.
