Thursday, 23 May 2013

On testing and causal statements

Always unintended consequences.

Whenever we start going down a path of implementing policy we need to think about the consequences. This is both the seen and the unseen.

It is perhaps most importantly the unseen. We cannot say that an intervention has achieved the best outcome and that is better than something when we have not actually compared it. This means when we look at a risk reduction process in information technologies or implement new economic policy or for that matter any other intervention we need to investigate it fully.

In business, good project managers and more importantly portfolio managers will investigate the various results and compare these against what is in effect a null hypothesis. That is they will compare a sample project against the status quo. When doing this we need to also contemplate all the alternatives. This is where many people fail.

More importantly when we are doing correlational studies and investigations that do not allow for experimentally controlled trials (this is gold standard double-blind testing), it is critical that we investigate causation in a rigorous process.

Austin Bradford Hill (1897-1991), was a British medical statistician whose great contribution to science was to leave us with a set of minimal conditions that are required to establish a causal relationship between two events. Hill's criteria has become the basis of modern epidemiological research. It is one of the mainstay methodologies that I use in my research both in evaluating economic effects and when investigating malicious software and other security controls. In particular it is useful in evaluating the human aspects of information security and risk. It is not just epidemiology but other fields such as economics that can benefit from this approach.

Hill's criteria is the basis of good scientific research where we are seeking to establish a causal relationship amongst social phenomena and in particular ones where we cannot engage in controlled trials. In some instances it is in fact better than a controlled trial as the process of creating a controlled trial changes the environment and creates a bias in many of the results. Although it is true that this controlled trial has provided the best answer to a particular problem is not always true that we are investigating the same problem. One example would be looking at studies of irrationality. The University controlled trials testing the reactions of students generally biased the results. In selecting risk trials for instance we take selective forms of risk that bias the results towards male or female risk takers in the study. Later studies have now shown that these original studies into irrationality have been the result of poor methodology with both women and men exhibiting similar levels of risk. What was demonstrated is that the forms of risk taking differ between men and women but overall the levels of risk a similar.

If we are to make a claim that population growth results in poverty or that capitalist governments cause poverty in developing nations or even that Keynesian spending results in the long-term growth them to be scientific in our approach we need to demonstrate causal relationship. Hill's criteria provides one of the ways in which we can do this.

For example, as an economic investigation we can formulate a strategy and hypothesis based on welfare based systems such as a guaranteed minimum wage.

It seems a good process and we have created a safety net. Again an issue is that we are also not thinking of the unseen events. This is what will occur if there was no welfare. In starting such a welfare system, the differential incentive to work decreases. This is not hard to explain. 

Basically it is not poverty but a differential between income that people see as the greatest disparity. Even in Western nations where there is no need to be poor and in fact where most of the poor are wealthier than the middle-class 100 years ago what we see is a desire for more against those others in society.

So, the end result of such a policy is to have more people enter welfare. The result, those earning need to pay more for the increased welfare state. Less incentives for productive work. The differential decreases further making welfare more attractive and incentive's more onto state support. The result more welfare... A degrading cycle of creating more and more welfare.

This takes us back to Hill's criteria. Here we have nine criteria to measure any correlation effects against. These are:

  1. A temporal relationship where the cause always precede the outcome. If there is some factor that is believed to cause an event and this must always necessarily precede the event. This first criteria is the most critical and essential of all of Hill's criteria. If this one is not true then that we have a correlation alone and no causal effect.
  2. Next we need to consider the strength of the relationship. This is a statistical measure of the strength where the factors are highly related. We can look at the Pearson number for correlation as a means of testing this value.
  3. Next there is a effect response relationship. This is a measure of input. As we increase the amount of one factor the other must also increase. For instance if we put more time into training people in security awareness then naturally for this to be causal in relationship we would have to have improved security. The improvement is not required to be linear and we may find that each incremental expense returns less but it must return something more than it would've if it wasn't there.
  4. The fourth relationship is consistency. The results need to be replicable and repeatable. They should apply in different population groups and samples.
  5. Next we look at plausibility. The association that we are purporting to exist needs to be supported by a valid theoretical basis. There needs to be some phenomena that can act in a manner that causes the result or event.
  6. The sixth criteria is that we consider alternative explanations. Many so-called scientists fail here. They just assume a relationship matches with their understanding. It may be true that we can dismiss many arguments out of hand as they have already been investigated and shown to be false, but this does not mean that we do not consider alternative explanations. We must always consider multiple hypotheses prior to making any conclusion a about a causal relationship between events we seek to explain and investigate.
  7. Experimental evidence is also important. Even though we cannot expect to completely re-create an event we should be able to implement an appropriate experimental regime that supports our causal argument.
  8. Next there is a requirement that the causal effect is specific. This is one of the weaker criteria and we can demonstrate causal effects without it. The absence of specificity does not negate a causal relationship but the existence of specificity between associations does add additional support to the existence of a causal relationship. Here is important to always examine specific causal relationships with in a larger systemic environment.
  9. Lastly we have coherence. Ideally any association we are purporting to exist should fit within the body of existing theory and knowledge. Their are ways of course to introduce new theory and Thomas Kuhn referred to these changes to the excepted theoretical basis of science as a “paradigm shift”. To reject the existing theretical basis of science we need to have a particularly good and strong proof and evidence supporting our new claim of causality.

The third of Hill's criteria, the effect response relationship is one that seems to be missing in much of the so-called science we see. For instance in carbon studies we should see a related increase in atmospheric CO2 leading to corresponding increase in global temperatures (all other things being equal). We should also see a corresponding and commensurate decrease in global temperatures as atmospheric CO2 levels decline. This is been something that is rarely investigated enhance which still relegates much of the climate study to pseudoscience.

In a couple of my publications for instance we looked at the effects of economic sanctions on criminal groups involved cyber crime. Two of these papers are:

“Criminal Specialization as a Corollary of Rational Choice” (2012)


Territorial Behavior and the Economics of Botnets” (2012)

In demonstrating the economic effects of a policy designed to reduce cyber crime we need to investigate all of Hill's criteria. In this instance what we find is that cyber criminals are rational actors. Like most other people in society when they're acting individually they act in their own rational interest. When they are offered opportunities that provide better returns for low risk they will take these over the antecedent of a poor return or one with high risk.

Of course the current answer to this and the mainstay of many Keynesian economists that propagate government circles is to argue that what is rational for the individual may not be rational for society as a whole. They argue that irrationality comes of collective rationality.

Of course what they are saying is not that the collected actions of the many are in fact irrational but that people choose things that they did not desire. This is a typical political fallacy that is designed to appear scientific. Many economists make very poor scientists.

This is of course rational and itself. For when we see government favoring Keynesian aligned big government economics and rewarding those who support the idea of big government we also see incentives given by government to those who promote big government. So the individual behavior of these rational economists is to support in irrational policy itself. It is of course rational to support a biased policy when you gain from it at the expense of others.
What could be termed irrational is a libertarian policy that exists with little support and certainly none from government. As a libertarian one has to fight harder and do more. But here it again comes to what is a subjective value. When comparing rationality we need to look at the values of the individual. In my case my greatest value is freedom and that cannot be given through big government and subjugation. In this case economic constraints and an acceptance of lower benefits comes at the cost of upholding one's values.
One further part of this rant is that we need to start excepting that it is not irrational to hold one's values. In fact the only rational choice is to uphold one's values. In this we start to see where one's values lie.

Wednesday, 22 May 2013

What is trust anyway?

Ongoing education

In a typically Keynesian short-term policy the Australian government has implemented a plan to cut educational programs[1]. In this latest shortsighted plan the government has announced that it will be proceeding with a plan to cap all tax deductions for self-education expenses to only $2000 per annum. The idea is that by reducing deductions the government will be able to maintain a steady rate of income while still having people engage in further education. The idea is that those who are planning to undertake degrees or other further education will continue to do so at an equal rate regardless of the tax implications.

The flaw in this line of thinking was demonstrated by Frédéric Bastiat in his 1850 essay, "That which is seen and that which is unseen" and has come to be known as the parable of the broken window.

Here we see that which is seen in the government's policy. We see that people engage in further education and use a tax deduction to help fund this endeavor. The government has not looked beyond the short-term in their strategy. They make the assumption that educational levels will remain the same even as the effective cost of education rises. They're problems here as well. The cost to the user a further education is the net cost after the deduction has been made.

A student engaged in a part-time Masters degree such as a MBA or one of the various Masters degrees in applied information technology that are offered will generally pay between $6,000 to $10,000 per annum in fees with between $2,000 and $6,000 in textbooks and other supplementary material. At present all of this is deductible meaning that the average postgraduate student working while studying part-time can gain around one third of this expense back.

As such, the total cost of a Masters degree to the student comes to between $16,000 and $32,000. After the government’s policy takes effect the actual cost to the student will be in the range of $23,000 and $47,000. This makes the cost of doing Masters level education in a technical field between $7,000 and $15,000 more expensive. This is clearly an imposition of additional costs against people who many times already struggling to justify taking further education.

People do generally see this aspect of the policy and justify it by stating how those doing these degrees will earn more money. There are several problems with this argument as well. A well-known basis of the economy is supply and demand. As the cost of the product is altered the demand for it decreases. Here we are increasing the cost of education. The natural consequence of this increase is a decrease in the demand for education. In the flow on effect from increasing the cost of educating our nation we have in fact lower the number of people who will take degrees because the marginal benefits obtained will be decreased.

A key factor of all of this which has been neglected is that universities are predominately government-funded in Australia. However, postgraduate studies such as MBA programs and technology programs are only partially funded or in some instances actually run as profit centers the other parts of the university. When a student undertakes postgraduate education and university they are already paying the government. In not allowing the tax deductibility for education the government has in effect implemented regime of double taxing.

If we start looking at the broken window effect and the results that come from this policy we see that the government actually reduces the amount it will collect from taxes in the long run.

In reducing the demand for university courses the government is in effect changing the economic outcome they seek to promote. The unseen effects of capping taxable expenses start with the fact that fewer students will be paying for existing university costs many of which go to fund undergraduate courses. This then results in fewer undergraduate courses and not just a lower uptake of postgraduate courses.

This is not just a slippery slope argument but one that comes from the rational analysis of the unseen effects. Reducing demand for university courses results in fewer people taking courses within a university. Fewer students mean less income. A lower income means that the government needs to provide a greater level of funding to universities. The perverse effect of attempting to collect more money from the reduction of educational expenses that can be claimed is that the government actually needs to spend more to maintain the existing level of courses being offered.

What about trust?

The real difficulty comes in courses such as information technology and management technology. An executive MBA in information systems or a more technical information technology degree require up-to-date knowledge. A career in these fields does not end when one has gained a qualification. Education is an ongoing requirement in information technology.

This is particularly true when it comes to risk and security. They have been numerous security incidents in the press over the last couple years. Our own government, the same one cutting educational allowances has been touting the need to train information security professionals. In fact it has been argued that one of the primary needs that is not being met within the Australian economy is the provision of security and risk professionals in information technology.

For the online economy to grow we need to be able to trust the underlying systems. To do this we need trained professionals who understand risk and can help defend against cyber crime and cyber terror. This is a dynamic field which changes on a daily basis. New attacks a new defenses offer a consistently moving target that requires the information security professional to update their skills on a regular basis.

At the same time that we are calling for more trained security professionals and more places in universities we are increasing the cost and hence driving potential students away from this field of study. Information risk is a field that requires constant training. Not only do the software and hardware platforms change on a regular basis but so do the attacks against our systems. In the past decade we have moved from Windows 2000 to Windows XP to Windows Vista to Windows 7 and now Windows 8. At the same time we've seen a move from desktop systems to cloud-based infrastructure and mobile tablet applications.

To maintain skills within this field requires constant reeducation learning. To attract new people into this field and to maintain those who already here means that we should incentivize people to want to be a part of the solution. In making education more expensive we drive people away from educationally expensive occupations such as information technology, medicine, science, engineering, and all of the things that drive a modern economy.

If we want to create a vibrant and innovative economy, we need to be able to trust the infrastructure that it is based on. To do this, we need to allow those in this economy to develop the skills they need.

What is occurring overseas

In the United States, the need for a consolidated program designed to teach cyber security is well publicized[2]. To achieve this end information security practitioners need to be involved in constant education and adult learning programs. Like many other professions, information security is a dynamic field that changes from month to month and a failure to maintain the necessary skills moves the advantage to the criminal. Without a secure and trusted base as a foundation for electronic commerce Australia does not have the future. This is a message that is clearly been missed by the Australian government.

The economy is founded on trust in the electronic economy requires the implementation of acceptable security levels that are designed to minimize risk in order to function. This is not a static playing field. In game theory we would call it a predator prey model. It evolves over time with the cyber criminals becoming better at what they do and thus requiring consistent incremental improvements in the amount of security delivered by businesses. This risk function becomes affordable when there are sufficient numbers of trained professionals. That is, the supply of educated security professionals is sufficient to meet the need.

When the cost of education goes up the amount that professionals in this field earn decreases. This is a rational decision. Security professionals remain security professionals because they earn an adequate level of income. That income is not the pretax amount that the amount that they take home and can actually spend.

The Australian position[3] seems to be one aimed at protecting school children and little more.

The current policy is certainly one that has been designed with short-term thinking in mind. It is a set of policies that are designed to collect revenue in the short term at the expense of growth and capital development. So while we have acknowledged need to implement effective risk practices and secure our commercial systems, it is government policy to undermine the very foundation that this desire is built upon. It is government policy to make it more difficult and more costly for both individuals and businesses to engage an employee risk professionals.

Information technology in general is not an economic ill that needs to be punished as the government seems to believe in the implementation of the current policy strategies. In fact, we should be promoting applied education and not seeking to tax it more. It only when we incentivize correctly that we have good outcomes. In punishing those wanting to learn the government has created a policy platform designed to move Australia from being the clever country to a has been.

Rise in cyber attacks in Australia

Is only weeks ago that the Sydney morning Herald[4] reported on the rise in cyber attacks against Australian companies and the need for increased vigilance. This followed the 2012 Cyber Crime and Security Survey Report, commissioned by national computer emergency response team CERT Australia and conducted by the University of Canberra which stated the need for increased training and the announcement in January this year where Prime Minister Julia Gillard announced that CERT Australia would soon be part of a new Australian Cyber Security Centre, which aims to develop a comprehensive understanding of cyber threats facing the nation.

Australia may be on the offensive in creating a cyber threat tracking Center but at the same time we have decided to make education more expensive and reduce the supply of qualified security professionals to industry. It is astounding how government can state the need to increase education in cyber security whilst simultaneously reducing the number of future qualified professionals through taxation policy.

So, although the Commonwealth government has vowed to combat cyber crime[5] the actual policy they are implementing is one where fewer professionals will be available to do this.

"We are in a period of consolidation and we need to get the most value out of every dollar expended," Ms Gillard said.

Yet at the same time we going to reduce the number of dollars available. Instead of incentivizing people towards effective means, we have removed the incentives in a petty grab for short-term political gain at the cost and expense of the economic growth of this country. At the same time that the government is giving lip service to the need to implement security controls and acknowledged the marked increase in criminal activity against our online economy they have removed any incentive for people to engage in this activity.

Cyber crime cost the Australian economy between $1.5 and $2 billion in the 2011/2012 tax year. Yet the answer to this is a decision to disincentivize professionals who may wish to enter or stay in this field. What we are in fact seeing are the increases in incentives to move away from Australia to other economies that actually want educated people. The current 25-28% yearly increase in cyber attacks will only increase further as we take funding away from this profession.

Number of cyber security experts that Australia will be needed by 2015

The Federal Government spent a little under $500 million on cyber security in 2011-12. A large percentage of this going to the ongoing education and training of individuals. The majority of this money was spent on people working in this area. Maybe we can see this as a drive to centralize further taking security professionals away from industry in making them part of government in an expanded public service. This of course increases the cost to the economy while also increasing government spending. Worst of all, it does nothing to make business more secure.

It has been estimated that India would require about 500000 cyber security experts by 2015[6]. At the same time it is been estimated that we will require at least 20,000 more trained risk and security professionals by 2015 in Australia if we are to maintain a robust trusted online economy. This figure is expected to exceed a need to train 50,000 additional personnel before 2020. These figures of course based on CERT and government estimates in predominately focus on government needs so the actual figure is likely to be far higher.

Unlike counties such as India, USA, and UK, The Australian government has no strategy to compact the threat

Whilst we give lip service to information security needs, the Australian government has a policy of promoting the need that removing the incentives. Any economist will tell you that this is a strategy that cannot work. At the same time the government acknowledges the growth in cyber attacks and the need to train people both inside the government as well as in business it has increased the cost of maintaining the required levels of education for those in this field. The results of such a policy is simple and easy to understand. If we reduce the benefits we reduce the incentives.

People do not decide to work in a difficult job that requires long hours unless they are rewarded for their efforts. The government policy of telling us we should do this out of the goodness of our hearts does not work.

At a time when we desperately need to develop more cyber security expertise, the Government has capped self-education expanse claims at $2K

A strategy of deincentivizing people in making education more expensive is a strategy designed to destroy an industry. We have to ask at this point whether the government is intentionally attacking the economy or if they think we're too stupid to notice. Maybe this is the desire in making education more expensive. A land of sheep that does not complain is the only outcome in a land where education is penalized.

Australia is already a prime target for cyber terrorist because of we have a growing online economy and the lack of foresight by the government will ensure we become more of target

In research (Wright, 2011) published in 2012[7] it was demonstrated how cyber criminals think and act rationally.

In increasing the chances of being caught or making an attack more difficult the cyber criminal earns less. The economic incentive provided through having more vulnerable networks that have not been secured by adequately trained individuals means that more cyber attacks will occur.

We can see from this that the government has incentivized criminals at the cost of the economy. In typical short-term thinking the government has sacrificed the future of the country for political gains. Education is a long-term investment unfortunately politics is not.

Criminals may be rational but it seems that the political system is formed through irrationality. Instead of thinking through the consequences of decisions the government has chosen to act without thinking. This of itself shows the need for education.


Wright, C. S. (2011). Criminal Specialization as a corollary of Rational Choice. Paper presented at the ICBIFE, HK, China.








Monday, 20 May 2013

Finding Graphite

In the making of a pencil we have many different ingredients to consider, but the first of these we all know is the mainstay of the “lead” used in the item. This is not actually lead, but a graphite mix. I will cover other ingredients (such as the clay) in later posts.

The properties of graphite are listed below.

Hardness Associated Minerals Streak Colour characteristics Luster Field Indicators
1 - 2 quartz

black gray to brown/ gray black, silver thin flakes are flexible but inelastic, mineral can leave black marks on hands and paper, weakly conducts electricity metallic to dull softness, luster, density and streak.

For our exercise, the quality of the graphite is not so important. It is a common mineral, but one that is not found in quantity as a good pure source. This does not stop us finding it, but can make processing more difficult. For instance, graphite can be found in quartz. This is not uncommon, but quartz is an extremely hard mineral and mining graphite from a quartz deposit would be extremely hard work.

Lucky for us, graphite floats in water. So even if we have a deposit in another material (and we hope not one as hard as quartz) we can pound the mix into a powder and the graphite will float on water (were most other materials will sink).

But where do we find it?

If we are seeking a graphite deposit, we need to start looking for large deposits of felspar, mica, quartz, pyroxene, rutile, pyrites, and apatite. These minerals are commonly found with graphite. For our pencil we do not care to much about the quality and amorphous graphite will suffice. This is found in shale, slate, sandstone, quartz and limestone based rock formations.

I have included a number of images of graphite from to aid in the determination of a piece of graphite. Graphite is grey to black in tone. Most of the time it has a shiny metal gloss and will smudge easily. If it is graphite, it should feel a little greasy to the touch and is in fact used as a dry lubricant. Molybdenite looks similar to Graphite but is heavier. The easy test is that this does not smudge as Graphite does.


Thin Graphite Crystal on Matrix

Chunk of Graphite vein

Graphite Vein

Sharp Graphite Crystal Flakes

Graphite in Marble Matrix

Foliated Graphite Crystals

Rounded Graphite Mass

Remarkable Graphite Mass

Hunk of Layered Graphite

Graphite in Marble Matrix

Furthermore, graphite will make a mark on paper. In determining whether a rock happens to be graphite, start with a dark grey to black rock you have found in a limestone or shale area (and others as noted above) . Try and scratch it with your fingernail. Graphite is soft and will scratch easily.

For those of use who are close to a limestone cliff it is not too difficult to find graphite. It takes time and you need to mine into the rock, but at least limestone is nowhere near as hard as quartz.

With a good hammer and pick (which we have to make another time) we should be able to find a suitable quantity of graphite for one pencil in only 8 cubic meters of mined limestone. The main reason for this (even though we have more than enough for a single pencil is to account for the chance of finding a suitable deposit as well as having a large enough deposit to actually process).

The rate at which one mines will vary based on the strength of the person, the tools and the difficulty posed in the ground itself. In my case, I am a large 6’ male with good upper body strength. I needed to repair the picks at the end of this exercise but did complete 12 cubic meters of excavation. The blisters account for the exercise and it is not one I plan again.

This is basically a pit 2 meters in each direction. This was a 12 day exercise (and replaced going to gym and boot camp for a couple weeks of vacation). I cannot say I am far from the best miner but I am am also far from the worst. The main part to remember is that we are trying to find graphite deposits and as such the rock needs to be pounded rather finely.

Once we have sorted the deposits with some graphite (or at least a black substance in the limestone) we can pound and grind it to a powder. This is cast into water and left to settle for a few nights. The graphite will remain on the top floating as a the limestone sinks.

So, for two (2) weeks work and a total of 124.5 hours effort I was able to gain 328grams of low grade fine graphite powder. As a pencil generally contains between 1.001 - 1.067 gram of graphite we have a sufficient amount of graphite for just under 300 pencils in 124.5 hours of work. So far, in just extracting one raw material (without accounting for the wear on the tools we had to make) we have  spent far more than we could have through trade.

In our exercise we will not measure cost and value in money. We will do this in time. This process will cover the finding, the extraction and even the tool making. In this, we are lucky to assume the knowledge is all available (as it is for us in the age of simple access to information). Just think how difficult and more time consuming this would have been if it was done using a library.

We also have the luxury of having food and shelter. Imagine if you also had to make and maintain a shelter and find food at the same time you have been looking for a suitable deposit of rocks.

I was lucky in this. I had a property where I could do this excavation with only a 1.2 km walk each morning whilst carrying 24-30 kg of tools. Not all areas are in metamorphic deposits and this would have been more difficult if I needed to walk further afield or to have mined in quartz.

Graphite time measurement – 0.415 hours per pencil

We will continue to investigate another part of the process next time. Just remember how amazingly complex a modern economy really is each time you look at a pencil and try to think what it takes to make a computer.


  • Chesterman, Charles W. (1997) National Audubon Society Field Guide to North American Rocks and Minerals. Chanticleer Press, New York.
  • Klein, Cornelis & Hurlbut, Cornelius (1993) Manual of Mineralogy. John Wiley & Sons, New York.