Pop quiz: which of the following statements about decisions do you agree with?
- You need at least thirty data points to get a statistically significant result.
- One data point tells you nothing.
- In a business decision, the monetary value of data is more important than its statistical significance.
- If you know almost nothing, almost anything will tell you something.
As an example, think about the last time your company was faced with an investment in information technology. Perhaps you were deciding on a CRM platform, or an upgrade to your replenishment or logistics software; you can imagine such a scenario. Regardless of the exact details, you might recall reviewing a business case for this “technology investment”. Perhaps you were even responsible for the development of the business case.
Jack Jones, the inventor of the FAIR method for assessing cybersecurity risk, comments on a defense of NIST 800-30 by someone who commented on one of his blogs. I take Jack’s side on this. For those of you who have read my books, NIST 800-30 is one of the standards that promotes methods I spend a lot of time debunking (ordinal scales for risks, risk matrices, etc.).
It has been a heck of a winter for Portland, OR. The city has had nine school closure days due to snow and other winter weather. Per local reports, the metro area has been effectively shut down on many of these days. Portland’s transportation bureau budgets $300K a year for materials to respond to winter storms, and has 55 snowplows. In contrast, Portland’s GDP is $160 B/year, which translates to $635 MM per work day.
At first blush, there is an intuitive sense that spending a fraction of a percent of one day’s GDP is going to be less than the optimal amount, but there are some mitigating factors.