decentralization

April 27, 2008

Secure what people do, because information doesn't do

JP Rangaswami, in a delightful read, muses on Drucker's quote "people make shoes, not money" and how information has no value until it informs a decision.  Our institutions value sharing, cooperation and trust -- but create cultures of hoarding for advantage and control out of fear.  Perhaps this is because we haven't learned to manage when information wants to be free.  JP notes that "Information is changing. And it is becoming more valuable to us all by becoming less valuable to any one of us." 

But this excerpt sparked a thought:

Take a completely different perspective on all this. Privacy. Why does someone worry about who has access to his medical records? Not because the records themselves have value. But because someone can misuse them. Because, for example, someone can refuse to insure, or raise premiums for, some hitherto undeclared medical condition. Or even worse, for some future projected medical condition, projected as a result of discovered habits.

It’s not about the information, it’s about what you do with it.

Privacy and security paradigms focus on controlling the flow of information.  I wonder not only whether this is possible, but whether it's the right focus.  Information precedes action.  Now I'm no Bruce Schneier, but perhaps the security industry should be focused more on controlling action than information.

I recall a panel on Data at Large at PC Forum, way back in 2003.  Jeff Jonas from SRD shared how they were at the frontier of using social network analysis for security in casinos.  In hallway conversation, Gilman Louie, then with In-Q-Tel, clarified an interesting tension around homeland security and civil liberties.  In a top-down manner you could data mine communications for patterns and profiles to discover threats.  Or, from the bottom-up, you could work with a lead to reveal a graph of conspiracy.  The latter is much closer to traditional intelligence or the practice of private investors, just with new tools.  And with less risk of infringing upon civil liberties.

I recall when we introduced wikis into a bank in London where JP was the CIO.  The compliance officer's initial reaction was to demand that he approve every edit before it was posted.  Of course we could have developed that feature, but the attempt to control would have prevented any collaboration whatsoever.  Instead we showed him the audit trail inherent in a wiki: a revision history where you can see who did what at what time.  We gave him some smart search feeds for basic monitoring.  If someone did something inappropriate, he could prosecute the lead and potentially fire them.

Perhaps the need-to-know basis has less of a basis than we believe.  Perhaps there is an opportunity for security systems to be more effective as a whole when they focus on what people do with information instead of controlling its flow.

September 01, 2007

Decoupling Decision Rights and Decentralization

Andrew McAfee has an interesting post that challenges the trend of decentralization in organizations.  Noting Tom Malone's work on how decreased communication costs enable more decentralized decision rights, he makes a distinction between information and knowledge.  You can now provide information to any potential decision maker at a low cost, but the best tacit knowledge for a given decision may reside in someone at the core of an organization instead of the assumed edge.

Let’s say that a mortgage company realized that a few of its loan officers were just better at assessing credit risk than all the others. For whatever reasons (intelligence, experience, intuition, etc.), they just had superior specific knowledge. In that situation, it would make good sense not to decentralize, but instead to centralize that decision right within the company, taking it away from the other loan officers. All the general knowledge (income statements, credit histories, etc.) would be sent to these few people, who would apply their specific knowledge to it and make decisions. In this example low information costs are still important; they allow all the general knowledge to be zipped to the few good officers. But the effect of low information costs isn’t decentralization and greater empowerment. Instead, it’s centralization of an important decision right and reduced autonomy for most loan officers.

Thought experiments like this one indicate to me that the net result of disappearing information costs won’t necessarily be decentralization. It will instead be the decoupling of information flows and decision rights. Organization designers will be able to allocate decision rights without worrying about how costly it will be to get required information to deciders. Leaders will be able to ask "Who should make this decision?" without adding "Keeping in mind that it’s going to be slow, difficult, and expensive to get them the general knowledge they’ll need."

Will this work always, or even usually, lead to more decentralized organizations? I find myself less confident than Malone that this will be the case. I agree with him that we’re at a very interesting point in the history of technology and the economics of information, but I’d label it a great decoupling (of information flow and decision rights) rather than a broad decentralization (as decision rights lateralize along with information flows).

Information has no value until it informs a decision that results in an outcome.  This is part of why it wants to be free and increasingly is.  The decider certainly plays a role in this equation.  But something concerns me about this Carr-esque classification of decision-making capabilities based on tacit knowledge (what is it about theories from Harvard on expertise ;-P).  And I don't think it is enough to buck the trend of decentralization.

Decreasing communication costs and ubiquitous information beget transparency.  While the future impact of IT points in the directions of both strong crypto and the transparent society, with uncharted privacy implications and policy, I believe transparency is the greater force.  Especially when it comes to revealing bad decisions.

Let's take Andrew's mortgage company example.  First, celebrate that the organization can change structure from the decoupling of information and decision rights.  Then, note it can shift back.  If a group gains centralized decision-making capabilities because of their, augmented by "general" information, it is in a good position to execute the decision-making process. 

But my read of Malone's book is that it is not just about how decreasing communication costs enable decentralization, but about how decentralized organizations can scale.  I believe Andrew is suggesting that information systems that automate information processing enable this group to scale its capabilities.  At first glance, this is similar to how trading desks work.  But approving a mortgage for an individual is very different from institutional trading.  Markets are social, and the actors in institutional trading actually rely on relationships, and by doing so improve their tacit knowledge and handle exceptions better.  Centralization takes the social interaction out of the hands of the mortgage officer, who is closer to the actual customer and in a position to assess different kinds of risks beyond the FICO score.  And perhaps worse in the long term, it dehumanizes the organization's capability to develop a relationship with the customer.

Perhaps I am being too prescriptive with the business model, and maybe I sidestepped the issue by hypothesizing there is a different kind of tacit knowledge at the periphery of the organization.  But the point is that some kinds of tacit knowledge and decision-making capability, those best at detecting and handling exceptions to business processes, may not be scalable through automation and centralization.

What I really like about Andrew's idea is the ability to reassign decision rights because they are decoupled from information.  Good thing too, because corporations don't have deciding who is best to decide down to a science.  Given the potential transparency in an organization, we may get better at more broadly handling exceptions and learning from decisions made.  We may actually discover who influences and makes decisions.  But my long-term belief in decentralized organization recognizes that it is the environment the organization exists within, not that inside the organization, that creates the greatest number of exceptions.  And the organizations that put decision rights closer to exceptions are more likely to adapt and survive.

Perhaps a better structure is to encourage decoupling of decision rights

About


  • Ross Mayfield is the Chairman, President & Co-founder of Socialtext, the first wiki company and leading provider of Enterprise 2.0 solutions,