“Oxford economics historian Avner Offer believes that we’re hopelessly myopic. When left to our own devices, we’ll choose what’s nice for us today over what’s best for us tomorrow. In a life of noise and speed, we’re constantly making decisions that our future self wouldn’t make.”
“The Freedom of Choice”, p12, New Philosopher, Issue 6: November 2014 – January 2015.
I’ve started this blog post with a quote I’ve used previously, but I think it’s pertinent given this topic.
The chances are that you’ve at some point been hopelessly myopic, as Avner Offer opined. If you’ve ever left studying or preparing for an exam or assessment to the last minute, you’ve done just that. You might even say that in general, if you’ve ever procrastinated, there’s probably been a bit of hopelessly myopic involved in that decision-making process, regardless of whether it’s a conscious or subconscious decision. That’s not to say putting a task off, for instance, is always procrastination or being myopic. I’ve also had plenty of situations over the years where I’ve not been in the right frame of mood to do something, but when I eventually get around to it, it’s a breeze – right time, right place, so to speak.
I also think there’s a lot of times where we can suffer from myopic optimism. That is, we make a decision that benefits us in the short term because we’re optimistic that the worst-case consequences of that decision won’t bite us. Myopic optimism often requires at least a little dose of cognitive dissonance, too. Or perhaps to be more precise, we suffer the cognitive dissonance first, then ‘solve’ the problem by being myopically optimistic.
I know I’ve got to drive 30km to that important customer meeting. Traffic is heavy and the low-fuel-light is on indicating I need fuel. I didn’t drive the car last so I don’t know if it’s just come on or had been on before. I’m in a hurry and need to not stop, but if I don’t stop, I may run out of petrol and not make it to the meeting.
There are two ways that sort of problem can be solved: we either choose to run the risk of being late to the meeting by stopping and getting petrol, or we continue driving and instead run the risk of being late to the meeting by running out of petrol along the way.
Myopic optimism might mean we decide that since in the past we’ve driven 50km with the low-fuel-light showing, it’s entirely likely that the low-fuel-light only came on when we started the car. It’s a guess, but one premised on making a short-term gain (avoiding interruption to the journey) in the hope of the worst-case scenario (being stuck on the freeway out of petrol) doesn’t play out.
Of course, Australia is currently seeing on a grand scale the results of myopic optimism. (“Maybe climate change is real but hopefully it if it is it won’t be too bad, and I’d really like the tax cut the conservatives promised to give me in 8 years time”.)
Like any other profession, IT also suffers from its fair share of myopic optimism. How many times have you worked on a project where there have been some corners trimmed because that scenario is just too implausible, then it happens once the system goes live?
Or – how about this one:
Almost a quarter (23.56%) of all encryption ransomware attacks that occurred in 2019 had encountered the WannaCry virus
“WannaCry was the most common crypto ransomware attack last year”, Anthony Spadafora, January 2020, TechRadar.
Keep in mind that the initial WannaCry attacks that swept the world were in May 2017. So, in the period 20-36 months after WannaCry first debuted, it still accounted for almost a quarter of ransomware attacks.
Regardless of whether we’re talking security, privacy or storage, data protection seems a prime dumping ground for decisions that hinge on myopic optimism:
- Security:
- Saving time by not patching systems because they don’t attach to the Internet
- Saving money by not upgrading systems because they only do a single function
- Saving money by only deploying anti-virus scanning on the fileservers
- Privacy:
- Anonymising this data set is fiddly but it’s on an internal system only so it’s more effort than it’s worth
- Left off the checkbox to “subscribe to marketing information” from the competition form at the trade show, but everyone entering the competition will know we’ll market to them so it’s an expensive reprint for no real need
- Have to get a copy of the customer database to the marketing company, I’ll just drop it in this S3 bucket to save time going across town to deliver it
- Storage:
- Increasing each link speed will be very expensive, it’s more cost-effective to design so that in the event of a link-loss, we switch from synchronous to asynchronous replication
- Storage at the remote site is running low but rather than delay the project we’ll just replicate snapshot deltas rather than the base volumes as well
- We’re running out of space on the backup system so we’ll reduce the primary copy retention to only two weeks. We hardly ever recover and we’ve still got four weeks’ retention on the clone copy.
The problem I see with myopic optimism when it comes to data protection is that it’s all too often trumped1 by Murphy’s Law. I.e., we hope for the best but IT is too often littered with the consequences of the exact opposite happening.
There are all sorts of measures and scales used to determine what level of maturity a business has within a particular operational area. The Australian Signals Directorate Essential Eight Maturity Model, for instance, suggests three different maturity levels of backup and recovery systems. For what it’s worth, I’ll say this:
The maturity levels proposed by the Essential Eight for backup and recovery are hopelessly inadequate, and reflective of advice given by people who fail to understand the challenges and risks in data storage. Their Level-Three maturity (the ‘best’) is barely adequate and hardly represents optimum maturity for backup systems. I would not countenance their Level-One and Level-Two backup maturity models. Any business that relies on the Essential Eight to decide they’ve “done enough” on backup and recovery is leaving themselves exposed.
(But, hey, they were having a go at least. A “for trying” stamp is in order.)
The point I’m moving to, in a roundabout way, is that myopic optimism is the sort of thing that needs to be understood and acknowledged – and while it might exist in the least mature ranking of a 5, or 7-stage maturity ranking model for data protection, it’s something we do need to look at calling out and stamping out.
If you’re looking for a 2020 IT design goal, that might be a good place to start.