Global Security, Privacy, & Risk Management

Security 101: “You don’t have to out run a bear…just your friends” February 22, 2012

Yesterday MSNBC had a story that discussed the “arms race” between Somali pirates and shipping companies.  The article discussed the increasing violence of the pirates.  While this should come as no surprise to anyone, it is a single statement that caught my attention. “Greater use of private armed security guards on ships and a much tougher approach by international navies is beginning to work, some… say. But others worry they may simply be fuelling a growing arms race, ramping up the conflict and producing a rising human and financial cost.”  This statement is ridiculous on its face and demonstrates complete lack of understanding of security principles.  The statement suggests that if armed guards or other technologies were not used that the pirates would not become increasingly violent.  It does not matter if it is armed guards or razorwire that is stopping the pirates, the violence and effort will increase relative to the payoff.  Companies cannot be expected to sit idly by and allow pirates to operate with impunity.  The rising violence is due to the pirates and NOT the shipping companies taking steps to protect their crews, vessels, and cargo. Whether we are discussing banks, cyber security, piracy, or any other form of security, the inevitable result is an ‘arms’ race as described.  If you don’t believe this point, as why banks now use vaults and not ‘strongboxes’ or why companies are now required to use application layer firewalls instead of routers with ACLs.

Security is never absolute and is a function of effort and time. You can read my post on the subject here.  The amount of time, and effort the criminal will exert and the risk they are willing to accept is directly related to the payoff.  The greater the payoff the greater risk they are willing to accept and the greater effort they are willing to exert.   On that note, All things being equal, it is the target that presents the easiest (less effort, less risk) opportunity that will be at greatest risk from a criminal. Consider a burglar walking down a street of similar houses with similar belongings.  He comes to the first house and tries to open the door and finds it locked and an alarm.  Do we expect the burglar to give up the life of crime and go home?  No.  The burglar will go to the next house he believes is less secure.  So the neighbors decide to all put locks and alarms on their houses.  Are they safe?  Depends on the value of what is inside.  If each house holds a gold brick, then it is likely the burglar will accept the risk and work to bypass the locks and alarm to get the gold brick. Recognizing this, one house puts armed guards in the house.  This house now is ‘more secure’ than the rest and poses the least attractive target.  The cycle continues on until the level of effort required and risk involved exceeds the perceived payoff.   This is what we are seeing in the maritime security (and every other) security industry.  To suggest that the victims are exacerbating the problem is simply wrong and irresponsible.  The blame lies with the pirates (criminals) and the fact that the payoff is simply high enough for the criminals to continue to escalate.  This point was recognized in the payment card industry several years ago.  Companies began replacing the valuable data with nonsensical representations called tokens.  Unfortunately, we cannot replace ships, crews, or cargo with tokens.  The end result will be an escalation of violence from Somali pirates for the foreseeable future.