Peter Cochrane's Blog: Warped perceptions

Real threats ignored, risks hyped up…

By Peter Cochrane, 28 May 2008 12:48

COMMENT

Written at Schiphol Airport in the Netherlands and dispatched via an airline lounge wi-fi service.

Some years ago I was struck by the amount of time people spent at my local supermarket trying to decide which pack of bacon to buy. Since the packs were almost identical, any time spent on deliberation must have been wasted.

My interest turned to fruit, vegetables and other goods. It seemed universal: an inverse relationship exists between time expended and item value. And this phenomenon even extends to electronic goods, furniture, cars and homes.

This caused me to think about security and I drew up the following rules:

  1. Resources are deployed in inverse proportion to actual risk.
  2. Perceived risk never equals actual risk.
  3. Security people are never their own customer.
  4. Cracking systems is 100 times more fun than defending them.
  5. Security standards are an oxymoron.
  6. There is always a threat.
  7. The biggest threat always comes from the direction you're least expecting.
  8. You need two security departments - one to defend and one to attack.
  9. People, irrationally, expect 100 per cent electronic security.
  10. Nothing is 100 per cent secure.
  11. Security and operational requirements are mutually exclusive.
  12. Hackers are smarter and younger than you.
  13. Legislation and management thinking always lag years behind threats.
  14. As life becomes faster everything becomes less secure.
  15. People are the number one risk factor. Machines may seem perverse but they aren't devious - yet.

The big problem is that this is mostly conjecture. But I recently turned my attention to the media and scare stories, where there is a huge amount of data.

Ask anybody, we all know terrorism is a big deal. So let's just do a broad-brush comparison based on reported death rates and see what the risk really looks like.

Terrorists kill fewer people per year than:

  • Road deaths or medical malpractice worldwide per day.
  • Falling down stairs, crossing the road or animal attacks per year.
  • DIY, maternity problems, HIV/Aids, infected water supplies per year.
  • Adverse drug reactions per year.
  • Almost any single major natural disaster befalling humanity per year.

Surprised yet? To get a feel for the extent of the reality-skewing that goes on it is also worth looking at specific disaster reports and media predictions:

On 26 April 1986 the Chernobyl reactor exploded. Initial media reports for short-term deaths ranged from 2,000 to 30,000 individuals. But in 2005 a UN report found the actual number to be fewer than 50 deaths. That is quite an error, spanning 40:1 to 600:1 respectively.

The long-term prognosis was even worse, with total deaths forecast ranging between 150,000 and 3,500,000 individuals. Again, the UN Commission findings of 2005 were in stark contrast at an estimated 4,000 total. This time the error spans 37:1 to 870:1.

I could cite many more. The examples seem endless: Y2K, the coming ice age, various pandemics, and so on. But there appears to be a consistent story, and gross errors are the norm. And I mean orders of magnitude not factors of just two or three. What is happening?

In a world that is increasingly connected, with abundant computing power able to model almost all situations and events, this seems to be quite a paradox. Not so.

The reality is our media and political establishments are more or less bereft of any machine-based support, unless, that is, we are talking about sporting events and elections.

So in a quirky twist it seems our best computing capabilities are used to track and predict the outcomes of sports and political battles - and predict stock prices, of course. But we don't seem to employ any significant resources when allocating national budgets to society's serious problems.

There is probably another vital driver - the need for news and, better, news that is sensational. The media is fuelled by advertising that demands eyes and ears, so no news ultimately means no money. Yep, I reckon good old-fashioned hype is in there biasing the perception of public and politician alike.

Clearly, the lack of a clear picture is leading to budget waste across the board. This is perhaps the best example of simple-minded reactionary management - pronounced ignorance - always being very expensive.

If our societies are not to continue wasting billions on non-threats and non-problems we are going to have to get far more professional.

Our only solution is to use our technology to gather accurate information and model the impact on society relative to all other risks and events. Not to do so will result in escalating waste as the number of potential threats will most likely continue to rise.

Of course there is always the argument that if we had done nothing, then it would have been much worse. But that is exactly my point - we don't actually know. Certainly, we model and plan wars well. But if only we could do the same for peace.

The resources and skills required are the same - but it seems we choose not to invest in getting the really important things right.

Comments

There are 10 comments.

  1. Gary Hinson

    Are you serious Peter, or just toying with us?

    Just imagine the show Peter Sissons would put on if he had 'technology' to demonstrate the results of the latest hacking threat survey!

    I can just picture the face-off between duelling stats servers as Sky News challenges the BBC and ITV to 'get behind' their data on phishing trends involving 25 year old female vegans living in Barnsley.

    Technology and stats are irrelevant to the media show known as The News. Soundbytes have long since given way to videobytes ... and yes even bloggerbytes. ;-)

    G.

  2. misceng

    It was ever thus. Just after WWII tobacco was scarce. A ship landed at Bristol and the press estimates of the number of cigarettes to be made from its cargo varied by a factor of 400:1.

    Politicians prefer percentages where they can make comparisons without revealing the base.

    About the same time as the tobacco fiasco, Moscow radio revealed that Poland had increased wheat production by 100 per cent whereas West Germany had only increased its production by 10 per cent.

    The small print was that in Poland the comparison was with the devastated state after the war while the West German comparison was with the prewar bumper harvest.

    You must never trust figures you cannot verify fully.

  3. anonymous

    Peter, there are two problems with your accurate, analytical and fact-based article.

    The first is that it is all of those things, when media and government self-interest is not actually served by that approach - unless they have selected facts and analysis that suit them!

    The second is that you are not in politics, seeking power or in the mainstream news press.

    That means your readership is not driven by scare-mongering and sensationalism.

    It also means you are not motivated to encourage a climate of apprehension, even fear, in order for your particular set of political cronies to claim they have the "answer" and so we should elect them.

    This is one of the oldest political tricks in the book - create a demonised threat and align the populace against it but supporting you. How sad that we cannot all see through this by now.

    The list of non-threats that are perceived as much more serious than they are is endless - child molesting, personal violence, identity fraud could be added to the list quite justifiedly.

    That we are so poor at evaluating risk is one indicator of the extent to which our education system fails.

  4. Peter Dunkley

    Interesting stuff. The mechanism by which we evaluate options is really rather vulnerable to distortion, as it has a tendency to over-simplify complex scenarios. This can be used to the advantage of someone wishing to present a particular slant on a topic, of course.

    I would question your contention that "cracking systems is 100 times more fun than defending them." Both sound dull to me...

  5. anonymous

    Unfortunately the reason why terrorism is justifying the effort spent versus other more significant dangers is because it is a strategy built around deliberately creating the perception of danger far beyond the reality i.e. terror - ism.

    Psychologically the answer to this is not to calm people down, because that makes them more prey to fear, but to move them to anger/attack which alleviates fear.

    Of course you need to blend in a little of budget to tackle the actual problem too but the politicians often need quite a hard jab in the fiscal ribs to remember that one in the midst of psycho-jingoism:-)

  6. Peter Cochrane

    Gary = We are blinded by our own technological brilliance! Peter

  7. Peter Cochrane

    MiscEng = How very true, and averages tell us far less than people believe! Peter

  8. Peter Cochrane

    Anonymous = You put your finger on several buttons at once. Thanks for the comment and observation. Peter

    PS - I am sans political ambition!

  9. Peter Cochrane

    Peter = You want to try cracking! Peter

  10. Swedsnus

    Crisp and recent is what the information here is always.
