jump to navigation

“One Adam Twelve, One Adam Twelve…”: Security Theater & Doggies Doo June 11, 2012

Posted by Chris Mark in security theater.
Tags: , , , , ,
add a comment

Chris’ Dog BO

Today on Yahoo News Canada is a story in which it is claimed that Jerusalem such a problem with dog poop that they are enacting a program in which they will match offending doggy doo against a master DNA database.   According to a statement from the Jerusalem municipality: “The municipality pilot project calls for establishment of a database of dog DNA to allow us to reduce the soiling of pavements, parks and public spaces,”  In short, the city plans on DNA profiling 70-80% of the 11,000 dogs that live in Jerusalem and then, if there is a “pile” of DNA on the sidewalk, someone will pick it up, send to a lab, test it, and then the owner of the offending pooch will be fined $193.  This plan is so ridiculous that it does not merit much discussion but…for the sake of this blog let me use an example from a previous post. (more…)

More Security Theater – “CyberCops and Robbers” March 15, 2012

Posted by Chris Mark in Industry News, Risk & Risk Management, Uncategorized.
Tags: , , , , , ,
add a comment

Today in my Google alerts, I had a story from FoxNews (…ahemm) titled “CyberCops and Robbers; Digital Posses to Bust Bank Robbers”  After reading the article, I had to write a post and discuss (rant?) about the fluff that is being proposed.  The article talks about a new initiative by the FBI and select banks where banks that comply with certain rules and agree to be involved in the program get to post a “badge” on their door like the one in this post.

There are so many flaws and issues with this approach, I don’t know where to start.  This is Security Theater at its finest.  For those who are unfamiliar with the term, Bruce Schneier, in his book Beyond Fear, coined the phrase security theater.  Security theater describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security. (more…)

Black Swans, Probability Ignorance & FUD: Risk 101 February 13, 2012

Posted by Chris Mark in Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

I have written several posts on risk and risk within the maritime security industry.  You can read them here (#1, #2) There is a common mistake people sometimes make when venturing into risk management.  It is the focus on the impact of an event while ignoring the probability or overestimating the probability of the event.   Very serious events with very low probabilities of occurrence (or those which you are unable to calculate) are what has been coined as Black Swan events by Nassim Taleb in his book of the same name.  When calculating or estimating risk it is sometimes a temptation to look at those incidents with high impact potential and low probabilities while ignoring the less severe events with her probability.  This would be akin to venturing into the Amazon Rain Forest and protecting yourself from Grizzly bears (very large impact but low, low probability) only to die of blood loss from being bitten by a million mosquitoes because you did not take a mosquito net or bug spray as you were not concerned with “a little mosquito bite”.

It is important to calculate risk by using a method that accounts for both impact and probability.  This will give you a method by which to calculate the actual risk of an event and take appropriate steps to manage the risk.  As can be seen by the graphic at the top of the post, a high impact low probability event poses the same risk as a low impact, high probability event assuming the ratios are equal.  While the impact can be calculated as someone finite (for example, the worst that can happen to a person is likely to be killed) the probability of an event which can cause the event can range from unlikely to infinitesimally small.  As an example of probability ignorance I will use an example from my own life.  A woman I know carries a hammer in her car given to her by her mother.  The purpose of the hammer is to break the car window and escape in the event the car plunges into a lake or other body of water and begins to sink.  While the idea of drowning in a sinking car is certainly frightening, the likelihood of a car plunging into a body of water at 7,000 feet in high desert is very, very, very low.  In this scenario it would be suggested that a better use of the money spent on the hammer was a 20 minute discussion on the value of always buckling the seatbelt and never speeding.

So why is this important?  Simple.  Security practitioners sell on a concept known as FUD or Fear, Uncertainty, and Doubt.  A great example of FUD is a commercial I saw recently.  A security company announced that 4  houses are  burglarized every 14 seconds in the US. The commercial then goes on to show a mother and her children and how scary a burglary can be.  Lets do some quick math to see how ‘scary’ this really is.  According to the US Census Bureau there are about 131 million housing units in the US.  If there is a house burglarized every 14.6 seconds this means that there are 4.1 burglarized per minute, 246 per hour, 5,917  per day and 216,000  per year.  WOW!  That is alot! BUT…this means that if you live in a home you have a .16% change of having your home burglarized in a given year. This does not seem so bad now.  Keep in mind that some areas such as urban areas have higher crime rates than other areas and some houses are burglarized more than once.  Another area where the security vendor attempts to convince you to use their services is by intimating that burglaries result in physical assault.  In the commercials, a woman (not a man) is with her children talking about how the neighbor was burglarized and “while the children weren’t home, imagine if they had been.”  Very few burglaries result in any physical harm to anyone but the imagery in the commercial is significant.

When listening to the inevitable sales pitch from a security vendor, keep in mind that they have an objective to sell you services.  The easy way to do this is to use the FUD technique.  If I am selling meteorite insurance, I will tell you about the dangers of meteorites, irrespective of who small they may be.  Remember, it is easy to lie with numbers and easier to lie with statistics.  Always base security implementation on a risk analysis.

Black Swan events – The Amazon rain forest example gives us a good opportunity to talk about Black Swan events.  While we can calculate the probability of being attacked by a Grizzly bear in the Amazon (practically zero since they do not live anywhere but North America) there could be a situation in which a Grizzly bear was present and did attack someone.  Maybe a person illegally imported a bear and let it go in the Amazon.  This type of event would be a ‘Black Swan’ as you really could not calculate the probability of that specific event.  The book is a very good starting point for this concept.

-Graphic from MindTools.com

Security Theater- Airplanes, DNA, and Anti-Piracy June 29, 2011

Posted by Chris Mark in Piracy & Maritime Security, Risk & Risk Management.
Tags: , , ,
add a comment

Bruce Schneier, in his book Beyond Fear, coined the phrase security theater.  Security theater describes describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.  One of the clearest examples is that of US airport security.  The guards checking people (randomly, I might add) is intended to make people feel as if they are more secure while really doing little to address the the risks to which airliners are exposed.  Today I read an article in which the Contact Group on Piracy off the Coast of Somalia or the clumsily named CGPC had announced it is building a DNA database of Somali pirates.  This database is due to be completed by 2012 and is intended to help cut off funding for pirates.  According to the president of the organization proposed database will be a “base for other international actions against piracy” in waters off Somalia.  While it is nice that something is being done, the question must be asked as to whether this is the right approach.

Another example of Security Theater is the joint patrols in the Gulf of Aden. The Gulf of Aden is approximately 205,000 square miles and the Arabian Sea is approximately 1.5 million square miles.  Task Force 151 is a multinational task force which consists of between 14-15 ships (usually).  It does not take a brilliant mathematician to see that 15 ships cannot patrol 205,000 square mile effectively.  Spread equally, each ship would be responsible for about 13,666 square miles.  When the Arabian Sea or Indian Ocean are included, the Task Force is anemic to say the least.  In spite of this, the task force maintains that while it is not exactly winning the battle, it is not losing either:

“We are not fighting a losing battle. There has not been a successful piracy attack on merchant vessels since the end of April,” Commodore Tim Fraser, a regional maritime commander, told journalists aboard the amphibious assault ship Albion.

“There has been no successful piracy event in the Gulf of Aden since September last year. Although I would not wish to give an indication that this is sorted out, because it is not,” he told a news conference.

While these statistics, if true, are to be lauded the reality remains that the first quarter of 2011 has seen the most pirate attacks on record and has shown the pirates to be increasing in violence and sophistication.  The fact remains that approximately 600 crew members remain as hostages of pirates as due scores of ships.

Growing up in Texas I remember racing my motorcycle through desolate West Texas and reading signs that warned “traffic monitored by aircraft”.  As a teenager, I slowed down until one day I had an epiphany.  Aircraft are expensive to fly and maintain.  To use aircraft to catch the odd speeder simply did not make economic sense.  From that day forward I raced like a bat out of hell on my motorcycle.  In spite of frequently exceeding 120 mph, I was never once caught by one of the airplanes.

While many of the proposed controls are intended to keep traffic flowing by increasing the confidence of air travelers and ship owners (managers, masters) the reality is that many of the current practices are less effective at actually preventing piracy than they are at making people believe they are preventing piracy.  A critical look at the numbers tells a more accurate story.  Do not be taken in by security theatrics.  The only way to ensure safe transit in pirate infested waters is to take personal accountability for the ship and her crew.

%d bloggers like this: