Illustration: Mick Wiggins
I sometimes think that the essence of engineering is making intelligent tradeoffs between conflicting parameters. Improve one parameter and another one worsens. The art is in knowing where to make the best trade. As engineers, we are trained to quantify different tradeoffs, draw some kind of cost/benefit curve, and make a rational choice based on our analysis.
A classic case involves radar. As a general rule, we want to increase the radar’s sensitivity, measured by the probability of recognizing existing targets (true positives). But as the sensitivity goes up, we inevitably also increase the probability of the radar’s reporting things that don’t exist (false positives). Being good engineers, we draw a curve showing the probability of true positives against the probability of false positives. Most such curves have a well-defined inflection point, where the number of false positives begins to rise quickly above a certain sensitivity—usually a good place to operate. With that, we engineers feel satisfied that we have analytically identified the best tradeoff possible.
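The radar curve described above, worked through as an added example that is not part of the original column: a threshold sweep over constructed detector scores yields the true-positive/false-positive curve, and one common heuristic (the largest TPR minus FPR gap, known as Youden's J) picks an operating point near the knee. The scores, the labels and the choice of knee rule are assumptions of this example.

```python
"""Threshold sweep producing the true-positive/false-positive curve
described in the radar passage, with a knee-finding heuristic."""
from typing import List, Tuple

# Constructed detector scores (higher = more target-like) with ground-truth
# labels: True is a real target, False is clutter. Illustrative only.
SAMPLES: List[Tuple[float, bool]] = [
    (0.95, True), (0.90, True), (0.85, True), (0.80, True), (0.75, True),
    (0.70, True), (0.65, False), (0.60, True), (0.55, False), (0.50, True),
    (0.45, False), (0.40, False), (0.35, False), (0.30, False), (0.25, False),
    (0.20, False), (0.15, False), (0.10, False),
]


def rates_at(threshold: float, samples=SAMPLES) -> Tuple[float, float]:
    """(TPR, FPR) when every sample scoring >= threshold is reported."""
    positives = [s for s, real in samples if real]
    negatives = [s for s, real in samples if not real]
    if not positives or not negatives:
        raise ValueError("need both real targets and clutter to draw the curve")
    tpr = sum(s >= threshold for s in positives) / len(positives)
    fpr = sum(s >= threshold for s in negatives) / len(negatives)
    return tpr, fpr


def roc_curve(samples=SAMPLES) -> List[Tuple[float, float, float]]:
    """Sweep the threshold from least to most sensitive; each entry is
    (threshold, TPR, FPR). Lowering the threshold never lowers either rate."""
    thresholds = sorted({s for s, _ in samples}, reverse=True)
    return [(th, *rates_at(th, samples)) for th in thresholds]


def knee(curve) -> Tuple[float, float, float]:
    """Operating point with the largest TPR - FPR gap (Youden's J), one
    common stand-in for the 'inflection point' where false positives start
    to climb faster than true positives. An assumed heuristic, not the only one."""
    return max(curve, key=lambda point: point[1] - point[2])


if __name__ == "__main__":
    for th, tpr, fpr in roc_curve():
        print(f"threshold {th:.2f}: TPR={tpr:.3f} FPR={fpr:.3f}")
    print("knee:", knee(roc_curve()))
```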
Unfortunately, the world doesn’t always cooperate with this straightforward approach. There seems to be any number of really important problems for which there just aren’t any quantitative, rational strategies for making tradeoffs. These problems present two intrinsic barriers to analysis: unquantifiable benefits and costs that appear to be infinite.
A good example is computer networking’s tradeoff between connectivity and security. This issue is often discussed, but I have yet to see the glimmer of an analytic justification for decisions made.
It’s easy to get perfect security—simply disconnect from the network. But while your costs—that is, the consequences of a successful security breach—have fallen to zero, so have your benefits. The value of a network increases with the number of connected users. The more people and computers that are connected, the greater will be the information acquired, the commerce attained, and so forth. But as your connectivity benefit rises and as more users are connected, more bad actors will appear, and your risks of costly computer attacks go up, too.
How do we make the networking tradeoff? In my mind, I see a cost/benefit curve. Plotted along the x-axis is the cost associated with the risk of opening the network, while the y-axis measures the benefits of increased connectivity. The cost in a business environment might be the probable loss of sales, increased liability, or monetary losses due to expected computer intrusions. The value of connectivity could be better operational efficiency, more knowledgeable and satisfied staff, and increased revenue. Similar values might be realized in a military context, although instead of revenue gains, there would be measures of mission success.
The sticking point is, how do we measure these values? I’m afraid that the answer is, we can’t. It isn’t just that it is difficult—I think that it is intrinsically impossible. I resist this conclusion as an engineer, but it is one that I cannot escape. Monetary cost is something that we are familiar with, but benefit is often not quantifiable. So, in the case of network connectivity, the benefit of connecting to all those other computers and people cannot be measured.
Assessing the expected cost of computer intrusions also seems impossible. In fact, the situation in this instance is doubly impossible, because of the other fundamental difficulty: the appearance of a small, but definitely nonzero, probability of practically infinite cost. In business environments, this means there is some chance that a computer attack could, say, irreparably damage the company, putting it out of business. On the military side, there’s an outside chance a computer attack could disable the entire defense system. Even though there might be tiny probabilities associated with these events, their harm seems infinite, and the cost/benefit analysis breaks down.
In these situations, it often seems that tradeoffs are made defensively. When a computer attack badly damages a company, the computer security people get their pictures on the front page of the paper, lose their jobs, and have to find other careers. If, on the other hand, the business is handicapped by a dearth of connectivity, it is likely that no one will notice. It is easy to see how systems administrators are reluctant to make their networks easily accessible. In discussions of defense networks, I’ve even heard distinguished engineers mull over the advantages of completely disconnecting the network.
Although I recognize the nearly insurmountable difficulties involved with dealing with unquantifiable parameters, I’m still unhappy that there isn’t a more rational approach to making these tradeoffs. There must be a better way than getting out the old dartboard!