Shostack + Friends Blog Archive


The Principal-Agent Problem in Security

There’s a fascinating article in the New York Times, “At Bear Stearns, Meet the New Boss.” What makes it fascinating is the human emotion displayed:

“In this room are people who have built this firm and lost a lot, our fortunes,” one Bear executive said to Mr. Dimon with anger in his voice. “What will you do to make us whole?”

The packed room of senior managing directors applauded.

Mr. Dimon responded gingerly. “You’re acting like it’s our fault, and it’s not. If you stay we will make you happy.”

But the Bear employee was not satisfied. “I think it’s galling you come into our house and you call this a ‘merger,’ ” the Bear executive went on.

Now, there’s an easy slam on that exec, but I’d like to do better than that. There’s a very real desire to not go from the mansion to the poorhouse overnight. Picking arbitrary numbers of shares, on Friday, this fellow might have held 10,000 shares, worth $300,000, representing a large fraction of his savings. Monday morning, it was worth $20,000. He’s worried about how he’s going to pay for his kid’s education or his next vacation. (There’s more excellent analysis in Jeffrey Lipshaw’s “Exuberant Bulls, Rueful Bears, and Rational Frogs” [link to no longer works].)

People’s concerns, first and foremost, are for themselves.

People who work in security are often deeply concerned with security, because it’s the thing that makes or breaks their careers. They’re focused on the impact of security on them, as well as their business. So sometimes they make choices which aren’t perfect for the business, but take their perspectives into account. It’s only human.

Nick Owen talks a bit about the motives of security chiefs in “On the short tenure of CISOs and low-frequency, high-impact events.” [link to no longer works] (Damnit, Nick, I should have seen that. Now you’re banned from the prom.) ((Which is yet another instance of a principal-agent problem. I’d like to appear smarter and more insightful than Nick, so I have to ensure I don’t link to him.))

Economists call this set of issues principal-agent problems, with the classic example being Alice hiring Bob to sell a car that she doesn’t have time to sell. How does she know that he’s not selling it to a friend? Economists are generally worried about the CEO, but the thinking can and should be applied across a company. How do you ensure people’s motives are well aligned with those of the business and its shareholders?

Nick Szabo has some interesting points about “representation distances” in a political analysis of principal-agent problems. I’m surprised that he talks about the distance from one agent to a group. I would think that the interesting questions involve average distances between various groups and agents, and the tensions between them.

9 comments on "The Principal-Agent Problem in Security"

  • Nick Owen says:

    What’s interesting about Bear is that the employees should have known best what the firm’s leverage ratio was, the potential impact of a credit crunch on the firm, etc. Now some of the stock may have been illiquid, but still. And the low-frequency, high-impact event was brewing there for a year when their hedge-funds collapsed.
    As for the prom, just be sure to look in the rafters for a bucket of pig’s blood before you get your crown ;).

  • Nick Owen says:

    For those too young to get the pig’s blood reference. See, Adam, it’s not insight, it’s just age.

  • Roland Dobbins says:

    Why would Alice care if Bob is selling her car to a friend, as long as he performs to contract?

  • Alex M. says:

    Why bail out Bear Stearns for making decisions it knew were faulty, but not bail out the people who must default on their mortgages now?
    Because the Fed and the administration only want to protect the rich. Always in the name of security.

  • David Brodbeck says:

    Alex M.: That would be true to form for them, but I think there’s more to it than that. There’s a real fear that if they let one investment bank fail, there’ll be a run on the others. The fact that they’re propping up Bear Stearns makes me suspect many other firms are hanging by a thread.

  • What’s interesting about principal-agent in security is that it is unclear whether the agent will over invest or under invest.
    The standard model (even with a contract) is under investment but for low frequency events, much of that investment is highly inefficient, and may be done more as an ass-covering move (I followed best practices!) than as a careful consideration of the principal’s bottom line.
    Too busy to draw out the math, but it looks like this isn’t a terribly complex model. It would be interesting to try to get some ballpark weights on the agent’s behavior.

  • Nick Owen says:

    There is a real fear of a cascading domino for the wall street firms. And since many of them are now banks, the Fed is concerned.
    Here’s an interesting post on “level 3 assets”. These are assets for which no external market exists and are valued by the firms’ internal models.
    The answer to me seems to be better reporting of illiquid assets, which seems already to have happened though just a bit too late and tightening capital requirements based on the asset classes – now that these wall street firms can tap the Fed.

  • Chris says:

    Adverse selection is at work here, too.
    Bear deliberately hired risk-seeking, type A people. Risk-seeking until the poo hit the fan, of course. The firm they built, according to the market (which values things just fine, right Mr. Greenspan?) is worth essentially zilch. Why get paid handsomely for something a pigeon could do?
    There’s a reason Bear couldn’t find anybody to lend them a nickel: they refused to help LTCM back in the day. What goes around comes around.
    @Roland: Contract isn’t enough precisely because it is difficult to determine if Bob is living up to its terms. If it were easy, and if enforcement were costless, it would not be a problem.

  • nick says:

    Why would Alice care if Bob is selling her car to a friend, as long as he performs to contract?
    The price Bob can get for the car is usually uncertain and thus can’t be specified in the contract. This creates a conflict of interest, or broadly speaking a moral hazard (or if you define moral hazard narrowly, what I call operational bias): Bob to maintain or enhance his friendship may not negotiate as strongly with his friend as with a stranger, thus not getting as good a price for Alice as he could. The more uncertain the value of the car is, or the greater the representation distance is of Bob from his principal Alice, or the closer the friendship or under-the-table dealings between Bob and the car buyer, the greater the operational bias away from agent Bob carrying out Alice’s interests and toward his carrying out other interests (including his own).
    Sometimes these operational biases can be partially fixed by contract. Salesmen usually earn a percentage commission (and this would help for the problem with Bob here). Executives often get most of their pay in stock options rather than salary. But these are usually very imperfect solutions, and don’t work at all where the performance of the agent is not readily measurable in dollar terms.
    BTW, my article on relationship distance, graciously linked to in the original post, does focus on the political representation of voters by Congressmen. While the idea of representation distance does also apply, at least analogically, to shareholder/management, employer/employee, and similar commercial relationships, these are left as exercises for the student. 🙂
    While I’m making a comment about agency on a security blog, I have for a long time had a big beef with the field of computer security: it focuses almost exclusively on principal/agent (or even just boss/employee) relationships and ignores other kinds of relationships, such as those of more peer-to-peer kinds of contracts and property relationships. Indeed, all the varied relationships in commerce and of humanity generally are wedged into the Procrustean bed of principal/agent, or even more narrowly boss/employee, relationships. Even when computer security speaks of people “owning” “access rights”, these are really just temporary authorizations that are arbitrarily revokable by somebody with a higher level of access. They are delegations, not property rights.
    This bias is quite engrained because almost all security professionals work as employees, or at least contractor agents, and see commercial relationships from that perspective. The boss or his expert agent, the systems administrator, has to be able to revoke the access of agents who leave the company. But in a broader view forcing every kind of computer security problem into this model is an exercise in extreme distortion, and has resulted in the security of more peer-to-peer contractual or property relationships being almost completely ignored or translated by computer security into de facto arbitrarily revokable principal/agent relationships.

Comments are closed.