Evaluating “Safety & Security on the Cheap” June 21, 2011

Posted by Chris Mark in Risk & Risk Management.
Suppose you decide to take up skydiving and are looking for a parachute. Would you consider buying a parachute from a street vendor at a great price, or would you look for a company that specializes in parachutes? I am confident that everyone reading this would opt for the specialists over the street vendor.

Security and safety are closely related, and both are frequently debated topics in which risk and risk analysis play (or should play) a critical role in allocating spending. So the inevitable question for all for-profit companies becomes: “What is appropriate security or safety?” As the blog post titled Risk 101 explains, the answer is simply that spending should ensure that the controls are commensurate with the identified risks. In his article “Safety on the Cheap” Robert Reich succinctly states the issue and its challenges when he says:

“Inevitably there’s a tradeoff. Reasonable precaution means spending as much on safety as the probability of a particular disaster occurring, multiplied by its likely harm to human beings and the environment if it does occur.

Here’s the problem. Profit-making corporations have every incentive to underestimate these probabilities and lowball the likely harms.”

This is consistent with accepted risk management doctrine, and it is where the challenges arise. Companies are often willing to roll the proverbial dice and underestimate the likelihood of an event occurring or the impact should it occur. While still a sensitive subject, the earthquake and tsunami that devastated Japan and resulted in the meltdown of nuclear reactors is a case study in this phenomenon. Investigations after the tsunami indicated that the managers of the plant grossly underestimated both the likelihood of the tsunami and its impact.

While it is easy to talk in the abstract about spending on security, how much to spend is a difficult question to answer. It is impossible (or nearly impossible) to determine a Return on Investment for security spending. In the early 2000s a number of companies attempted to define what they were calling the ROSI, or Return on Security Investment. The problem is that you cannot quantify a return for an event that does not occur. In short, the only time you can see the value of your investment is when an incident occurs in which the controls work and when you can quantify what the loss would have been. Having been involved in many of the largest data breaches, I have seen firsthand the impact of underestimating the risk and ‘rolling the dice’. Another challenge is the lack of actuarial data for events such as piracy. While insurance companies have actuarial data refined to the nth degree for automobile theft, the data does not currently exist to accurately predict the risk to ships.

According to the Dodd report, between 2007 and 2010, the average success rate of an attack is roughly 31%. IMB reports that, in spite of the presence of various task forces, piracy is at an all-time high, with 150 incidents off the coast of Somalia in the first quarter of 2011 alone. The average reported ransom is between $3.5 and $4.5 million. It should also be noted that pirates captured 338 crew members, killed 7 and wounded 38 in the first quarter of 2011. While it is difficult to quantify precisely, it is understood anecdotally that piracy is increasing in both frequency and violence.

Shipping companies, like all companies, are focused on revenue and the bottom line. Spending on safety and security is always difficult because the return on investment is hard to quantify. While it is not always possible to calculate with exacting precision the risk associated with an event, qualifying the risk is often enough to justify the spending. When evaluating the level and type of security to engage for your ships, the same risk management principles apply as they would in information security, safety and any other industry where safety and security are critical. It simply does not pay to buy parachutes from street vendors or to approach the safety of your ships’ crews and the security of your ships by adhering to “security on the cheap”.


