Schneier on Security
A blog covering security and security technology.
« Voting Problems in Congress |
| Phone Tapping in Greece »
February 3, 2006
Security Problems with Controlled Access Systems
There was an interesting security tidbit in this article on last week's post office shooting:
The shooter's pass to access the facility had been expired, officials said, but she apparently used her knowledge of how security at the facility worked to gain entrance, following another vehicle in through the outer gate and getting other employees to open security doors.
This is a failure of both technology and procedure. The gate was configured to allow multiple vehicles to enter on only one person's authorization -- that's a technology failure. And people are programmed to be polite -- to hold the door for others.
SIDE NOTE: There is a common myth that workplace homicides are prevalent in the United States Postal Service. (Note the phrase "going postal.") But not counting this event, there has been less than one shooting fatality per year at Postal Service facilities over the last 20 years. As the USPS has more than 700,000 employees, this is a lower rate than the average workplace.
Posted on February 3, 2006 at 6:19 AM
• 40 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Working in the access control industry, I can tell you that it is very difficult to have an automatic gate that only allows one vehicle at a time though to work 100% of the time. Most of these gates operate on a sensor ( a metal detector loop, usually ) and if the trailing vehicle is very close to the one in front, then the sensor cannot distingush between the two. These metal detection loops are the same that are used at traffic lights to detect when a vehicle is present.
Actually the postal service has had few incidents since the switch to non licking stamps.....
So then the answer is: put a human at the gate.
But then you cut into companies' bottom lines and we're right back to the financial-motivation-for-security discussion...
Bruce, the multiple vehicle entry under one authorization is not a technology problem. The gate didn't configure itself, it was configured by a person.
Now I have an answer to people who say "It won't kill you be polite once in a while."
I'm boggled at the notion that "one shooting per year per facility" is less than the normal workplace. I guess I've never worked at a normal workplace. For example, when we were at Bell Labs together, I don't think being shot at work was a real worry! (The only time I joked about needing a bullet-proof vest at work was when I was on a project to replace human operators with speech recognition systems.)
The statistics probably have to be adjusted for the type of workplace and for the sociological backgrounds of the workers. And, yes, that difference in backgrounds was part of what made me joke about needing a bullet-proof vest.
I believe that you read the statistic incorrectly. A rephrasing of it is:"one shooting per year across all facilities" not "one shooting per year at each facility". As Bruce pointed out that is "one shooting across 700,000 employees" -- one way to put that in perspective is that few cities of 700,000 people have fewer murders than that in a year. (I have not checked the source of these statistics -- this is simply how I read Bruce's posting.)
Do you have a source for that workplace homicide rate stat?
I strongly suspect that your claim is true when one considers homicide generally (taxicab driver homicide mortality is 25x higher), but if one examines "worker on worker" homicide, I'd like to see a citation, if you have it.
My source for the overall death by homicide figure is old, unfortunately:
Castillo, et. al., "Industries and occupations at high risk for work-related homicide"
J Occup Med. 1994 Feb;36(2):125-32.
Bruce, you've pointed out the core problem. Shootings at postal facilities are rare occurances. There would be a significant cost associated with either posting guards or with retrofitting all postal facilities with multiple airlock-style gates (one for regular vehicles, one for semi's, because the airlock that will fit a postal semi truck will fit two cars easily) It's a stretch, but those costs could lead to staff cuts, or wage cuts, or other things that increase stress and might just increase the chance of someone "going postal".
Then, as you say, humans are hard-wired for politeness. Enforcing a "rude" workplace *might* actually increase the homicide rate also.
So it may be that the post office is doing precisely the right thing to minimize the danger to their employees, and any change they make may increase the total death rate. Unfortunately, even if true, that answer doesn't go over well when you're a politician.
Ex-Military Police, having worked at times as access security manager: The weakest link in all security systems was never anything other than people. Polite refusal is the hardest thing to learn. The worst element is any existence at all of a "us-vs-them" element within the system. For example, a US secure installation in a foreign country, where many of the civilian employees are locals. If your secure installation has a unionized workforce, it's just as bad with employees vs. management. And so it goes; the factors are numerous.
BTW, the car gate procedure is supposed to be: one car pulls in and stops just inside the gate, preventing a second vehicle entering, but not blocking the gate closure. If the gate can't close automatically, it sounds an alarm and a real person armed guard responds.
@D who said "So then the answer is: put a human at the gate."
When photo ID badges were first rolled out at LAX, a Federal inspector cut an image of a badge out of a poster (which explained to employees what the different badge colors meant) and even though the fake badge had "VOID" across it and the picture of a dog on it, a guard still let the inspector through the door... whoopsie. (I worked for the company that wrote the badging software by the way.)
Computer security is hard enough. I, for one, can't begin to fathom how to tackle physical security.
Lou the troll
"There is a common myth that workplace homicides are prevalent in the United States Postal Service. "
During the 1990s, when the phrase going postal was especially current, there were many incidents of a particular type of workplace homicide at post offices: a coworker or former coworker shooting at work, usually shooting multiple people.
That type of incident was more common, see this list: http://en.wikipedia.org/wiki/... To be fair, one of these incidents was a robbery by a former employee.
If you include all workplace homicides (80% are robberies), the post office is a safer place to work.
For all work-related homicides from 1992 to 1998, see this report from the Bureau of Labor Statistics: http://www.bls.gov/opub/cwc/archive/... Homicides by coworkers accounted for 65 deaths per year, about 1 for every 1.9 million workers. During the 1991 to 1995 period, there were about 4 "going postal" deaths per year, not counting those shot outside the post office, or about 1 for every 250,000 employees. If you exclude the robbery, it's still 3 per year, or about 1 for every 330,000 empoloyees.
Since 1998, there hadn't been any such incidents until this year.
(The BLS report may classify former workers as acquaintances, so the rate may be somewhat higher, but still less than 1 in 1.2 million.)
I used to think the problem of people holding doors for others was unsolvable. How do you train people not to be polite? But then I saw the system in place at Boston University's dormitories. They have a turnstile that you have to swipe your ID card to pass through. If you don't swipe your ID and walk through the turnstile anyway, there's a very loud buzzer that lets everyone (including the guard) know you shouldn't be there. THEN you have to use the card again to open the door, but nobody's going to hold the door once that buzzer goes off and they know you're not authorized.
My old office place used a revolving door with a proximity card. More effective than a turnstile, because you can't just jump it, but I also prefered it because I find them more convienient to walk through. And, it means that someone else is unable to hold the door open for you.
On the other hand, most people assume that once you're inside, you obviously have permission to be where you are.
The gate issue is a bit of a red herring, isn't it? If the shooter can't get into the parking lot, they'll just park on the street and walk in. Granted the gate ought to work, but even a working gate doesn't increase security.
It might help instead to step back and look at some of the broader issues. Can we agree, for example, that someone who decides to shoot up a workplace can be considered mentally or emotionally ill? Does this not define insanity?
Okay, then let's ask this question: if someone is mentally insane, why are they not detected beforehand and offered treatment? Rather than a futile effort to keep an insane person from exercising their madness, how about mental health resources and affordable health care for everyone regardless of employment.
While even a perfect society cannot offer perfect protection, I suggest that a problem like this shooting has been building for a while. If better means existed to detect and prevent this attack, several people might now be alive who are dead.
Preventing someone from deciding to shoot up a workplace is probably more affective than trying to thwart such an attack once its initiated. That holds true for terrorism, too.
At my work you have to swipe your ID card to enter the building through the turnstile. Thus you need a valid ID to enter the building (I'll ignore the fact that the facilities staff who know me well have let me in through a side door before). The turnstile is a floor to ceiling type. It makes a big difference that this building used to be a check printing facility for one of the larger banks.
Unfortunately once you are in the building there are some areas that have more restrictive access and those are the places that you could follow someone else through.
I agree that peoples' tendency to be polite can be at odds with security interests. However, I'm not so sure that it was a factor in this case. Two people were found dead in the parking lot, one right outside the entrance, and one wounded just inside (http://www.cnn.com/2006/US/01/31/postal.shooting.ap/). I think that coersion may have been a more likely avenue for her entrance to the facility.
I'm much more bothered by a common attitutde toward security I see here in California. Keep the bad guy on the outside and wait for the police. It's a brittle system reminiscent of the Hobbits' saying "Keep your nose out of trouble and no trouble will come to you". There's nothing to stop a sufficiently motivated bad guy who gets inside. A lot can happen in the 2-3 minutes (in this case) that it takes the police to respond.
This individual was a former employee who was known to be mentally unstable. She took another employees access badge at gunpoint and used it to gain access to the facility. These badges unlock doors.
@ Bruce "This is a failure of ... procedure. ... people are programmed to be polite -- to hold the door for others"
From the article "[She] then got in the front door by taking an employee’s electronic identification badge at gunpoint"
Giving up a badge at gunpoint is not being polite, its any easy trade-off to make... I keep my life (hopefully) and you keep my badge.
Gating methodology is a pretty well known security field, and has a robust mathematical background in queuing theory. There are lots of different ways to arrange gates to restrict access.
You can have a single gate, or a man trap, two gates with different authentication mechanisms, gates with an investigative trap (think prisons -> one gate to get you into the vehicle inspection area, another to keep you there until you pass inspections), etc.
We might regard this gate behavior as broken, but it might not be. The gating process is designed to restrict certain classes of access, and allow others. If part of the design criteria is "The gate has to be cheap", and the threat vector doesn't include "multiple vehicles gaining access on one card swipe", then the gate is performing precisely to spec.
Note, this is still a security failure, but this doesn't necessarily mean that the design is bad. Given enough time, all security measures fail. This may still be the proper tradeoff of access/security.
As Bruce has pointed out, these shootings are so rare as to be pretty close to completely unpredictable. When there is such a small risk, it is often counterproductive to spend great sums of money, or invest in psycologically hostile systems to try to prevent it. Many people really do not want to work in a lock-down prison style environment (and the average person is taking a higher risk while walking on public street).
yes, there may be some types of facilities where that level of lockdown is necessary, but by and large few people want to live or work in such an environment. As has been pointed out, the nature of the environment itself could serve to increase risk of aberrent behavior.
And even if there were complete person/badge security, a significant proportion of the historic shooters actually still had access to the facilities at the time of the attack.
I have worked as a temporary employee at the Goleta processing plant where this happened.
On the rare day when I forgot my proximity card I would occasionally follow a car through the front gate. Or if I was the first car there, I would just pull forward and let the car behind me swipe; and then that car would follow me in.
For either swing or grave employees there is no other way in. Because the intercom at the front gate is only answered by the office, which is only manned during business hours (0800-1700 hours), the only way to get in is to follow someone with a proximity card.
In a typical risk calculation, you have to factor in the threat as well as the vulnerabilities. If you don't want to decrease the vulnerabilities (e.g. due to capital expense and inconvenience) then you should consider countermeasures for the threats. The article mentions the woman had been put on medical leave a couple years prior to the shooting and had tangled with law-enforcement already. Seems like there are some opportunities for improvement, regarding how her condition/situation was handled or at least monitored, that would give a far better return on investment than making a post office into a fortress.
It appears to me not just a failure of physical security (making the workers vulnerable), but of a health-care system (increasing the likelihood and severity of threats).
It will be interesting to see if anyone makes the connection of the threat to Ronald Reagan's program to reduce state (and eventually federal) spending on mental health treatment. Here's how he described it in his Dec 7, 1973 article in the National Review:
"California has pioneered the concept of treating the mentally ill with an expanded system of community mental health programs. When we started, the budget for community treatment was $18 million. This year it is more than $140 million and California's shift from the 'warehousing of the mentally ill' in large state mental institutions has become a model for the nation."
Unfortunately, it turns out that while this appears to have reduced spending is has also led to a significant decrease in security and safety:
"When then-governor Ronald Reagan closed state mental institutions in the 1960s, policy-makers anticipated that a network of community-based programs would develop to care for the mentally ill. But only a smattering of those facilities have materialized during the last three decades. In this county only 30 of these privately-run facilities provide 24-hour care to the mently disabled, leaving thousands with mental-health needs to fend for themselves. At the same time, new laws made it tougher to commit someone to the existing and meager state hospital system. California currently runs only five state mental hospitals, one of which is in Vacaville state prison. Of the 3,664 patients in state mental hospitals, the vast majority, 2,723, were placed there for criminal activity. Fewer than 1,000 Californians are held in state mental hospitals for solely medical reasons. For those who need 24-hour care but are not outwardly violent and have no police record, there are few institutions with openings, leaving patients in the care of families and communities often under-equipped to deal with them."
Had the communities generated the programs, things might have been different. But it was a gamble and the risk of this policy appears to not only have been seriously understated but the savings up front seem to have transferred to far higher costs later on...
> It will be interesting to see if anyone makes the connection of the threat to Ronald Reagan's program to reduce state (and eventually federal) spending on mental health treatment.
I make this connection everytime I pass the clearly mentally challenged homeless people (as opposed to the not clearly mentally challenged homeless people) on my way to work every day. Don't get me started on the topic of people and parties who think it's better to kick the mentally ill out into the street than to treat them. This nation has no soul.
Given the current state of political affairs, I don't expect that heartlessness to change anytime soon.
A few points. First, we see again the too-common problem of blog commenters writing without even reading the linked article. Several of the issues raised are made moot by the facts. In particular:
* The victims didn't hold the door open out of politeness, the killer took an access card at gunpoint (she did not shoot the person who surrendered the card);
* Half the victims (or more than half, if you don't include the suicide of the perpetrator) were actually outside, possibly as many as three of them not even in the compound ;
* Yes, the perpetrator was known to be psychologically disturbed, had several years previously received a medical pension for this reason. She had also once been involuntarily confined to a mental hospital but they found nothing wrong with her and she was almost immediately released; she had no prior history of violence, and at the time of the incident, she was (not very successfully) running a small business. So, we aren't talking about someone who showed obvious signs of insanity or was living on the streets. There is no regime, pre- or post- Reagan, in which she is likely to have been institutionalised. In fact all published signs of Sanmarco's insanity concern a persecution complex about people who were, in fact, responsible for her losing her job, so it is arguable whether she was insane at all.
Second, what can we learn from this? The most obvious thing to me is that a lot of simple security mechanisms fall to pieces when you hold a gun to someone's head. "Violence is the last resort of the incompetent" -- yes, because it's simple and it bloody well works. A variety of measures have been suggested to harden the security at this facility, but the only one that would have been of much benefit to the victims outside the building, might have been an armed guard at the gates. Even then, it is revealed that many of the employees took their meals together at nearby restaurants, so the killer could have just waited for mealtimes.
Still, a human guard, armed or otherwise, and either watching the gate or able to see CCTV coverage of the gate or parking lot, could perhaps have given other workers more warning, or perhaps even remotely disabled the access card reader at the front door. (This might have been fatal to the worker who gave Sanmarco the card, but saved the 3 killed inside. Assuming the door could not be opened by pistol fire.)
As Bruce points out, such rampages are very rare, and it probably is not practicable to base security provisions around them. However, most of the security measures that might protect against this sort of attack are also those that might protect against armed robbery. I do find it curious that the US Postal Service apparently thinks that mail sorting facilities are unlikely to be targeted in armed robberies.
Finally, a small aside: looking at a list of these "postal" shootings (linked in a comment above), it appears that in several cases, the killer slew one other person outside the workplace immediately before attacking the workplace. In the all of those cases, that first victim was an older woman. In this case the killer also killed an older woman at another location before attacking the former workplace. Might be interesting for the psychological profilers.
1. It is not mentioned in the linked article, but the wounded woman, Charlotte Colton, has since died from her wounds, while an additional shooting victim was discovered several miles away in her own home. This latter victim had apparently been Sanmarco's landlady at the time when she was still working for the postal service. The total death toll is now 8 including the perpetrator, of which 1 victim was found just inside the facility door, 2 victims and the perpetrator were well inside the postal building, 1 victim was in the parking lot, 2 more were either in the parking lot or just outside the compound (there are conflicting reports), and one victim was found several miles away.
but I thought that there were laws against carrying guns into a post office, how can any of this be?
"As Bruce points out, such rampages are very rare, and it probably is not practicable to base security provisions around them."
Sure, he pointed out that "going postal" is rare based on the total number of USPS facilities. This does not account for the nature of the threat, the likelihood, or even whether current threat countermeasures are relevant.
"However, most of the security measures that might protect against this sort of attack are also those that might protect against armed robbery."
Actually, this was not a robbery, although I do see the overlap when looking at the vulnerabilities of a postal facility to armed attack. However, security measures used to reduce the threat of robberies are very different to measures used to reduce the threat of mentally unstable suicide attackers.
"I do find it curious that the US Postal Service apparently thinks that mail sorting facilities are unlikely to be targeted in armed robberies."
It wasn't a robbery (threat), although it was armed (vulnerability).
The workplace is likely to remain vulnerable to armed attack, but unstable and violent attackers probably can be stopped/helped long before they become a credible threat.
"Yes, the perpetrator was known to be psychologically disturbed, had several years previously received a medical pension for this reason. She had also once been involuntarily confined to a mental hospital but they found nothing wrong with her and she was almost immediately released; she had no prior history of violence, and at the time of the incident, she was (not very successfully) running a small business. So, we aren't talking about someone who showed obvious signs of insanity or was living on the streets. There is no regime, pre- or post- Reagan, in which she is likely to have been institutionalised."
That makes no sense. First you say she was involuntarily confined, then you say there is no health-care system that would institutionalize her. Seems to me that a health-care system that is functioning might have in fact helped her, rather than finding nothing wrong.
"it is arguable whether she was insane at all"
What?! You consider suicide vengeance shootings related to job loss arguably "sane" behavior? That pretty much undermines everything you say about the system working normally.
Incidentally, the issue is that people who need help either can't afford it or can't find anyone qualified to recognize/treat their condition. False negatives can be very dangerous indeed.
@Davi: I believe that Roger was invoking a more legalistic definition of insanity, wherein the perpetrator is not aware of the wrongfulness of the action and is therefore not legally culpable for the associated criminal violation. I think we can all agree that this woman had some form or other of mental illness.
As regards involuntary commitment, it is possible for physicians to commit their patients for brief periods, provided they believe that the patient presents a threat to himself or to others. Sustained confinement is predicated on a more exhaustive psychiatric diagnostic process with a higher standard of evidence. That standard was apparently not met in this case, and this is likely because, on closer scrutiny, the woman did not in fact present a threat to anyone -- at the time.
I'll decry the current and former attempts to dismantle public health and mental illness programs right along side you. The promised outpatient facilities do not materialize as predicted and are probably more difficult to defend at budget negotiations than are monolithic institutions. Nonetheless, I fail to see any 1:1 relationship between this woman's slow-growing delusional thought processes and sudden capacity for violence with decay in mental health infrastructure.
If you could point to actual missed opportunities (instances of her seeking help and failing to obtain it), your argument rises above conjecture.
Fair enough. I don't claim to have all the details of her medical history. And I'm sure there's much room for interpretation. For example, some people are making a big deal of the fact that the killer was a woman:
"450 workplace murderers who used guns in killings from 1976 to 2004, 93% were men"
And the last USPS slaying apparently ended up with the killer (Maceo Yarbough III) found not guilty of murder by reason of insanity.
I was just trying to call out the fact that finding a countermeasure / control for the threat is as appropriate, if not more, than for the vulnerability. From an economic standpoint, as many others have stated above, the vast majority of workplaces in America are unlikely to try and reduce the vulnerability to armed vengenance attacks by insiders -- it's obviously cost prohibitive unless the threat is under control. Therefore, it seems more likely that the frequency/severity of the attacks need to be better understood and controlled accordingly (if people care enough about the assets that are in danger -- worker's lives).
In that sense, I thought health-care treatment was one obvious area to discuss. Another one that often comes up in these cases is how the attacker was able to purchase a handgun if she had something on her record that was relevant? Or is it relevant that she was removed from her job by the police and found to have paranoid delusional tendencies? In other words, which control failed to prevent a gun from becoming a part of the threat variable (increasing severity)?
"[Santa Barbara County Sheriff's Sargent] Raney said that despite a history of mental illness, San Marco managed to buy the gun and ammunition used in the killings from two New Mexico pawn shops."
It is not uncommon for these tragedies to have a story like "s/he was told to leave and not come back" or "s/he was told she was not qualified" (e.g. the Odighizuwa and Gang Lu cases)
You might find this report more helpful:
"To her neighbors, she was the woman who shouted furiously to herself, who ordered food at restaurants and bolted out the door before eating it, who knelt in prayer at the roadside and who peeled off her clothes in random parking lots.
Nobody knew where she came from or what she was doing here. People just knew there was something wrong.
'She would just come in here and stare at me,' Sonya Salazar, who works in Milan Village Hall, said. 'We knew she had mental problems. We just felt sorry for her.'
'It is very difficult to contain someone in a treatment facility as compared to how it was a decade ago,' said Barry R. Schoer, executive director of the Sanctuary Psychiatric Center, a private center in Santa Barbara.
Forty-two states, including California, have established commitment laws for people in and out of treatment who show signs of being a danger to themselves or others. They are collectively known as Kendra's laws, after Kendra Webdale, who was killed when a schizophrenic who had been in and out of treatment centers pushed her in front of a New York City subway train in 1999.
New Mexico does not have such a law, but legislators are considering a bill to establish one."
More on the connection between public policy and workplace risk...
Ronald Reagan and the Commitment of the Mentally Ill:
Capital, Interest Groups, and the Eclipse of Social Policy
"Perhaps what is most interesting about the change in policies of involuntary commitment is the coalition that helped bring it about: a combination of 'law and order' conservatives, economic conservatives, and liberal groups that sought reform in the provision of mental health services. But the policy shift had hardly anything at all to do with the mentally ill or the practitioners who treated them. It was designed to lower taxes and shift responsibility away from the federal government. Ironically then , the need for reform perceived by those involved and concerned with the mentally ill (practitioners and families) was co-opted by the interests of capital."
Ultimately the actual treatment of illness suffered. And so a risk analysis might in fact find that businesses are far better served from an investment in reducing the frequency and severity of attacks (a healthy infrastructure and base of workers to choose from) instead of trying to spend enough to significantly reduce the vulnerability to directed and well-armed attacks.
== Threats vs. vulnerabilities ==
You make a good point about distinguishing between threat reduction and vulnerability reduction. My main point in regard to vulnerability reduction was that armed robbery is presumably a significant threat for postal facilities, and they had almost no defenses against armed robbery, either. The ought to have, and if they had done so, those defenses would have partially overlapped with ones for this type of (much lower threat) attack, and probably some of the dead would have survived.
I do not think that at present you are going to get very far with USPS management reducing the _threat_ of such attacks because their present position is (rather emphatically) that the threat is already extremely low. Further, some associations of former employees who say that there is a problem, say that the problem is USPS management culture, which is abusive to the rank-and-file, and allegedly includes -- get this! -- systematic use of false claims of mental illness against employees who try to stand up for their rights.
"The workplace is likely to remain vulnerable to armed attack, but unstable and violent attackers probably can be stopped/helped long before they become a credible threat."
"I was just trying to call out the fact that finding a countermeasure / control for the threat is as appropriate, if not more, than for the vulnerability. From an economic standpoint, as many others have stated above, the vast majority of workplaces in America are unlikely to try and reduce the vulnerability to armed vengenance attacks by insiders -- it's obviously cost prohibitive unless the threat is under [out of? -- Roger] control."
I'm afraid I take quite the opposite view here. While the workplace cannot be made totally invulnerable to armed attack, there are many simple measures which would greatly reduce the vulnerability, and in particular reduce loss of life in the event of an attack. Furthermore as I pointed out the cost/threat ratio is mitigated by the fact that most of these measures also protect against much high threat problems, such as robbery and civil disturbances. On the other hand, reliably identifying and helping potential violent attackers is a profoundly difficult problem. It certainly merits research but I would not expect to see any effective solutions arising any time soon.
In a sense, concentrating on threat reduction for armed robberies ("don't keep cash on the premises") has enabled employers to avoid investment in actual protections (e.g. solid doors, good locks, door bars, peepholes or CCTV, alternate escape routes) and thus *increased* the hazard of the rarer armed violence scenarios (psychotic episodes, marital violence, abductions, civil disorder, etc.)
== Psychiatry ==
Disclaimer: I am not a psychiatrist!
"That makes no sense. First you say she was involuntarily confined, then you say there is no health-care system that would institutionalize her."
It makes perfect sense. It means that someone recommended she be confined (on what basis we have no idea), and after psychiatric examination it was found that this was unwarranted, and she was released. Note that unwarranted involuntary psychiatric confinement is a terrible thing to do to a person, and they are quite appropriately very cautious with agreeing to it.
"Seems to me that a health-care system that is functioning might have in fact helped her, rather than finding nothing wrong."
To be clear: I am NOT claiming that there are no problems with the current state of the mental health system, either in your country or in mine (which decided to copy your experiment after seeing how disastrously it went). What I am saying is that Sanmarco DID receive the attentions of psychiatrists and they did not find any reason for involuntary confinement. This is not surprising, as the capacity of psychiatry to predict future mental illness is still very limited.
""it is arguable whether she was insane at all""
"What?! You consider suicide vengeance shootings related to job loss arguably "sane" behavior?"
Umm, potentially, yes. Stephen later suggested that I meant "legally sane", but actually I did mean psychiatrically sane in that -- on the basis of the evidence before us at that point -- it was arguable whether she was suffering from any disorder classed as a mental disorder under DSM-IV, possibly excepting the controversial category of personality disorders. (That she was legally sane I think is practically a given.) I do not claim she was sane, but that the evidence of her being afflicted by anything more than rage is weak. (Apparently some psychiatrists have regarded rage significant enough to motivate a crime as necessarily being a personality disorder and hence a mental disorder, however this view is very controversial and the authors of the DSM admit it has no scientific basis.)
Now, the NYT article you found changes that perspective somewhat, but is not at all a clincher; the only items that are sourced are that Sanmarco would pray audibly in public places, that she believed her deceased relatives were "with her", that she would stare at Sonya Salazar (an employee in the local government), and that she became irate at the local government's repeated thwarting of her business plans. This is remarkably weak stuff; if we institutionalised everyone who believes deceased relatives can hear their prayers you would need capacity for about 1,000 million inmates, while institutionalising anyone who gets annoyed at petty bureaucrats would leave no-one at all.
Some of the other claims are a little more sensational, but they are unsourced rumours: hardly surprising in a small town with a famous murderer, and no doubt droves of journalists roaming the streets. Even then, only one item (car park nudity) clearly tips the scales between eccentric ideation and illness.
"And the last USPS slaying apparently ended up with the killer (Maceo Yarbough III) found not guilty of murder by reason of insanity."
Out of the incidents on the wikipedia list (which however appears to be incomplete), Yarbough was the *only* one found not guilty by reason of insanity. All the rest either committed suicide or were convicted and received stiff sentences. Yarbough's case also does not particularly fit the "going postal" profile: he was a recent, temporary employee with no disputes with management who killed one co-worker peer in an argument and then fled. Strangely, while he was awaiting trial his father, Maceo Yarbough II, was also murdered. Incidentally, Yarbough is also NOT the last "going postal" incident before Sanmarco; there were at least two subsequent incidents which were not on USPS premises, and resulted in serious woundings but no deaths.
Someone just anonymously sent me a message about the Carolyn McCarthy Center on Gun Violence and Harm Reduction.
It actually has some interesting perspectives on why data integrity issues undermine background checks, so I thought I'd share:
"H.R.1415, Title: To improve the National Instant Criminal Background Check System, and for other purposes.
Introduced: 3/17/2005, Cosponsors: (5)
Latest Major Action: 3/17/2005 Referred to House committee.Status: Referred to the House Committee on the Judiciary."
Also found a lot of data on the severity and frequency of attacks in the US.
"More the 30,000 firearm related deaths occurred in 2002 alone, 10 times more than the lives lost in 9/11 attacks. (Centers for Disease Control (CDC))...The total societal cost of gun violence is estimated to be between $100 Billion and $126 Billion each year. (Sen. Dodd)"
Not sure how Dodd arrived at those numbers...
"I'm afraid I take quite the opposite view here. While the workplace cannot be made totally invulnerable to armed attack, there are many simple measures which would greatly reduce the vulnerability, and in particular reduce loss of life in the event of an attack. Furthermore as I pointed out the cost/threat ratio is mitigated by the fact that most of these measures also protect against much high threat problems, such as robbery and civil disturbances. On the other hand, reliably identifying and helping potential violent attackers is a profoundly difficult problem. It certainly merits research but I would not expect to see any effective solutions arising any time soon."
This is the essence of the risk manager's dilemma: With limited funds do you spend money on controls to reduce vulnerabilities for the highest frequency of threats with the least severity, or do you reduce vulnerabilites for the least frequency highest severity (or other relevant combinations)?
It is difficult to identify threats, but it's easy to see when we do a poor job of anticipating them. Root-cause analysis is the right approach to help figure out how to measure frequency/severity...
So let me propose a different take on the same problem. The recent riot in the California prisons illuminated several factors that led to the death of an inmate:
1) the threat of attack by another inmate in detention is very high since an increasing number (if not vast majority) of people incarcerated are violent offenders
2) the jails were not designed for a high likelihood of attack. in fact they use shared dorms that leave inhabitants exposed
For the sake of argument let's set aside the problems related to the decline in staff to monitor the jails (apparently it is at 50:1 because of decreasing numbers of applicants, even though the budget has been expanded).
The cost of reducing the threat of attack in this situation seems to me to be far higher than the cost of building or retrofitting facilities to significantly and permanently reduce the vulnerabilities (change the dorms to cells). However, I find it interesting that the guards have instead decided to separate prisoners by race, in spite of a Supreme Court ruling against the practice, hoping that this will reduce the threat of attack. Did they do it because they need an immediate fix and changing jails takes time? Or do they think this is a permanent solution? My guess is that the threats will continue to increase, with little hope of fixing them anytime soon, and so reducing vulnerabilities is the right approach. Kind of like Cat5 hurricanes increasing in frequency, you can either reduce the severity or address vulnerabilities.
Back to the Post Office case, let's say the cost of retrofitting each single facility to prevent violent attack would cost in the ballpark of $100K with $50K/yr recurring (e.g. man-traps, a guard, dual-gates). Compare that with the roughly equivalent cost of treating a single person for mental-health issues that are believe to lead to violence. Since the frequency of attack is so low, versus the number of offices that would have to be retrofitted (even if you only choose the highest-risk ones), doesn't it make far more economic sense to set aside funds to address the threat?
I agree again that vulnerability to robbery might be easily handled (since the control changes are relatively minor), but armed suicide-attacks by insiders introduces a very different result from a risk calculation. The threats need to be called into the open and better understood. To paraphrase the old African proverb: don't fault the grass for being weak when elephants fight.
Going postal a myth? Au contraire, says James Alan Fox, professor of criminology at Northeastern University and workplace-crime savant. "The Post Office is very fond of saying its violence isn't higher than other workplaces. But if you distinguish between episodes by intruders/clients/customers versus episodes by insiders/employees, it has a number of attacks many times greater than other organizations and companies."
Perhaps that's why USPS is quietly changing parking lot gate access (which was essentially absolutely not secure) at facilties previously configured like that in Goleta.
As for this particular incident "coming out of the blue", Ms Sanmarco made "I'll shoot you in the head" gestures to co-workers, some who were eventually killed, before leaving employment in Goleta.
If she was in fact contesting her involuntary disability retirement, as alleged, and had lost that appeal right before driving out to Goleta from NM, where was the required follow-up to take reasonable precautions to protect those co-workers she threatened?
To all interested
Ive worked in the gate automation and access control industry for about 13 years in Australia and London.
Ive encountered many situations whereby cars without authority follow permitted cars through the gate or people pass their prox tag through the fence to let someone else through etc.
People will always try this sort of thing I suppose.
The latter example is easily fixed with an access system with anti pass back ie the prox tag used must exit before it can re-enter.
The vehicle situation is far more difficult to prevent without security personnel to moniter the entrance.
In the past we have developed new chips for our logic controllers with a feature to specifically target this kind of carry on.
As the first car activates the gate and passes through the photelectric beams accross the driveway, the gate will immediately reverse direction and start to close as soon as the beam is not obstructed.
This makes it very difficult for a car to follow behind unless of course the car in front allows the gate to open more than necessary to fit their car through. This allows the car behind more time to get in front of the beams (used for safety to prevent the gate closing on a car) and pass through the gate.
This is no sure fire method of prevention but it does make it more difficult.
It doesnt prevent people on foot. thats virtually impossible without a manned entrance.
A previous poster stated that would affect the company bottom line but what price does a company put on the safety of their employees.
Its not an easy problem to fix effectively without human presence unfortunately.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.