Schneier on Security
A blog covering security and security technology.
« Attack Against Apache.org |
| Can Safes »
April 28, 2010
Seat Belt Use and Lessons for Security Awareness
From Lance Spitzner:
In January of this year the National Highway Traffic Safety Administration released a report called "Analyzing the First Years Of the Ticket or Click It Mobilizations"... While the report is focused on the use of seat belts, it has fascinating applications to the world of security awareness. The report focuses on 2000 - 2006, when most states in the United States began campaigns (called Ticket or Click-It) promoting and requiring the use of seat belts. Just like security awareness, the goal of the campaign was to change behaviors, specifically to get people to wear their seat belts when driving... The campaigns were very successful, resulting in a 20-23% increase in seat belt use regardless of which statistics they used. The key finding of the report was that enforcement and not money spent on media were key to results. The states that had the strongest enforcement had the most people using seat belts. The states with the weakest enforcement had the lowest seat belt usage.
I feel the key lesson here is not only must an awareness program effectively communicate, but to truly change behaviors what you communicate has to be enforced. An information security awareness campaign communicates what is enforced (your policies) and in addition it should communicate why. Then, follow-up that campaign with strong, visible enforcement.
Posted on April 28, 2010 at 7:39 AM
• 57 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Isn't it "click it or ticket" and not the reverse? (If you don't click the seatbelt closed then you will receive a ticket.)
I can't click to the original PDF to see, but Spitzner seems to use the "ticket or" version consistently.
The NHTSA document seems to be available for a $15 fee - none of the links from Spitzner's article or from Google seem to work without money.
This seems to be the 'best' link:
The department of homeland security would be hard pressed to deal with the "why" aspect. They seem to work hard at the "enforcement" aspect but seem laughingly successful. Since the whole adventure has broken down to a "control" situation and "data gathering" for later control, it is essentially doomed.
Google show 17,400 hits for Ticket or Click It, while there are 164,000 hits for Click-it or Ticket. I suspect a deliberate transposition for purposes of FUD.
Isn't enforcement much more expensive than campaigning though? How do the two compare in cost-effectiveness?
How about perception of enforcement?
I went nearly a whole year without wearing a seatbelt due to medical reasons and not once got pulled over or a ticket for it.
As a matter of fact, when I did get pulled over for another violation (wasn't given a ticket due to extreme circumstances and a very understanding officer who helped out) during that time period I wasn't given a ticket for that either. The officer walked away and just said: buckle up.
I don't think I've ever heard of anyone getting a ticket for not buckling up.
In the UK we have had this for years.
(see "clunk, click every trip" from 30 years ago).
People do get stopped and fined occasionally for not belting up but generally people do now wear a seat belt. A change in what is socially acceptable is what is needed.
I've always felt there are loads of parallels between traffic safety and security. A while back, I took a day off my security job and went to a seminar on traffic safety (highways are a hobby). They talked about the "Four E"s: Engineering, Enforcement, Education, Emergency Trauma Services. This works so well for information assurance as well. Just an example.
I have been using seat belts since the late 50's when my dad put lap belts in our 1936 Oldsmobile. Then we got a Peugeot 404 in 1962 which came with 3-point (lap + shoulder strap) belts and we used them consistently. When my wife and I had kids in the 1970's, we used them religiously and trained our kids to do likewise. Now that they have kids, they have continued this "tradition" of ALWAYS wearing seat belts, and making their kids wear them, when in a car or other transportation when available. My point I suppose, is that habit and training also have a lot to do with the pervasive use of seat belts today. Enforcement helps "encourage" the habit, but it is the habit that wins out.
Honestly I can't see how people can feel the least bit comfortable not wearing a seatbelt. Maybe because I am a security researcher I have always had that little voice telling me when I am subject to a vulnerability, but the reason I fasten my belt is due to the feeling of not being solidly anchored to the vehicle. Perhaps there's a way to replicate this feeling when people give out personal information or use poor authentication methods.
@andrew "...it "click it or ticket" and not the reverse"
Although in terms of causation I think you are are correct. I believe commutativity applies. With a simple OR statment there is a commutative conjunction.
You can choose only one of two states so it doesn't matter order they are represented in.
The question should be -- what sinks the hook deeper into the human brain. And remember advertising doesn't care a fig about linguistic or logical purity. It aims only for result. (wha'd'ya want good grammer or good taste?)
For me it isn't the words but the graphic of the seatbelt. I see it commonly and see myself recognize it without even thinking about it.
But it sounds like most people have associations with the ritual of being stopped, red lights flashing, ticket being written, money being taken, much annoyance, flushed cheeks and head shaking "I'm not doing that again."
This is a very simple message backed by enforcement.
In computing we have horribly complicated and difficult to comply with messages backed by enforcement usually only undertaken by partners that don't want us to comply :)
I know I'm not the only one to be confronted by a pained look on a client's face and a demand for some simple easy rules to follow...
A simple OR means both can be true simultaneously. I do not believe any jurisdiction will ticket you for (properly) using your seat belt.
Having my first car be one with really slipperly bench seats was a strong incentive to buckle up. Either that or go sliding accross the seat at every left turn I encountered.
By only measuring compliance they make the same mistake Schneier has previously identified in agencies that congratulate themselves for getting skittish citizens to report false threats. (The ongoing "If you see something, say something" nonsense.)
When you measure against ultimately desired outcomes—reduced traffic fatalities of all kinds—the history of seatbelt law is substantially less celebratory: http://john-adams.co.uk/?s=seat+belt
I don't pretend to know if fatality rates would break down differently depending on the way seatbelt use is compelled, but in terms of public health (the only justification for government intervention here) the failure to report these makes findings significantly less meaningful.
"I don't think I've ever heard of anyone getting a ticket for not buckling up."
I live in NYC and get about four or five seat belt tickets every years. I never commit any other violations, so the seatbelt is the sole reason for my being pulled over in 100% of the cases. On numerous occasions, I've had an NYPD car headed in the opposite direction execute a 3-point turn to stop me.
Being from the UK and more than somewhat jaundiced by tax raising pretending to be "nanny state", does anybody know the actual figures for,
1, Change in road deaths?
2, Estimate in change for health care provision?
2, Revenue raised from ticketing?
3, Cost of ticketing system?
Only when these are known can it be said what the successes are (or are not) and from who's perspective
I don't have this problem, because it's not relevant to me; you can't be in my car without a seatbelt, and I can't physically drive without one. Mostly because I accelerate hard enough that the rolling resistance from my tires will nudge you out of your seat a few inches when I hit the clutch to shift gears (that's as I leave gear, not as I enter another gear-- which I try to rev-match, but occasionally miss by a few RPM and get a jolt out of).
Never mind when I actually brake.
Restraints required for this ride.
In Washington, DC, I was waiting at a traffic light while an on-foot officer walked through the crosswalk in front of me. He stopped to tell me that even though I was wearing my seatbelt, because my wife in the passenger seat was not, I could be not only ticketed, but could get points on MY license. I guess that makes sense in a way, since there's no guarantee the passenger would be a licensed driver.
Anyway, I didn't even get a ticket, but now I always make sure my passenger is buckled up in addition to myself.
@John- it doesn't sound like one would be missing much by not being in your car. Try not driving like an ass sometime.
@johnE "simple OR means both can be true simultaneously"
I was thinking an exclusive or wasn't I? Dang it.
It seems that or can mean either OR or XOR. Darn fuzzy natural language.
I'm going back to fractionating rat brains.
@Mark R said, "...now I always make sure my passenger is buckled up..."
I was in an accident in which my seat belt saved my life. (In fact, it saved me from any serious injury.) Ever since then I've made sure that my passenger wear a seat belt too.
So the reasonable chance of doing a superman impression through the windshield in an accident isn't a deterrent to not wearing a belt - but the extremely unlikely chance of being stopped and given a $50 ticket is?
Quite possibly. That people don't evaluate risks accurately is surely something you've learned from reading this blog.
Taking advantage of that would be a nice twist, for once.
But that's the thing....
Behaviors that are conditioned based on random reinforcement are subject to much longer extinction rates those developed through regular, constant, reinforcement. It's odd.
I once left my office on an out of town trip in the rain and was having trouble buckling the seat belt as I was maneuvering out of the parking lot and onto the highway. I almost left it off, but finally got it buckled. A half a mile later my car was hit head on by another car's rear end as that car was spinning out of control down the wet road. My car was totaled and my only injury, besides a bad case of the shakes, was a sore shoulder that hurt for a week from the pressure of the seat belt. That was about 15 years ago and I still always buckle the belt even if I'm just driving in the neighborhood.
Ooops, I see a logical flaw from Lance: False dichotomy.
"The key finding of the report was that enforcement and not money spent on media were key to results."
This says to me that money spent on media does not correspond (pun intended) directly to better media. It does not say to me that the best media is not as effective as enforcement.
"states with the weakest enforcement had the lowest seat belt usage"
What about states with the weakest media? What about states with the strongest media?
How much money was spent on enforcement versus money spent on media.
All this could just be a call to manage media/communications better.
After all, we know that social engineering can be very very effective.
The use of authority, guilt, empathy, etc. messaging will be far more cost-effective in terms of changing mass behavior versus road-blocks and pull-overs. In fact, I'd argue the enforcement would in fact have a negative effect without proper messaging.
What business is it of the government to make sure I'm using my seat belt. That's my problem. My life is my own to do with it as I please. To think otherwise would mean, my life doesn't belong to me and we are living in a totalitarian regime.
Education... well only if it saves lives, and gets people to click it.
But this conclusion is at odds with the success of the "Don't Mess with Texas" marketing campaign, which is credited with reducing litter on Texas highways 72% between 1986 and 1990.
Stepped up enforcement was not a significant factor in achieving this success. Instead, marketing alone managed to change people's attitudes and behaviors, and without having a significant self-preservation factor. Or if we compare and contrast the two, do we conclude that pride is a better motivator than personal safety? What are the security implications of that?
bruce - its a valid comparison between visible policing and media (assuming the media is designed well).
i'm thinking there is another choice in addition to visible policing and media - intrinsically safe designs offer another option that doesn't require coercion of citizens or law enforcement based modification of behavior at all - and its more reliable than any system of policing which relies on inevitably fallible surveillance, detection and response (apparatus of the state that could also be misused against disfavored minorities - security researchers who criticize the government perhaps - perhaps persons such as myself :). For seat belts, the car ignition design can make sure the car can't be operated without putting the seat belt on, or have the act of closing the door put the seat belt on.
An option to override these systems is possible - it need only be set to require a 5 second or so delay to ensure that most drivers would rather just let the system put the seat belt on unless they actually need to have it off. Having an option can be safer than having a prohibition on not wearing a seat belt - for instance people returning from hospital after having their appendix out, open heart surgery or similar procedure (hopefully not as the driver) might be safer without seat belts and probably more comfortable.
its often easy to change the situation and the circumstances around risky decisions - sometimes it even makes the possibility that coercion gets people to do things a mute point - the safe defaults of the design make the question of coercing or convincing safe behavior unnecessary.
a society in which continual encounters with police are common on the basis that coercion is effective is likely to run into serious political stability problems itself, because people value autonomy and independence quite often and resent and disparage coercion.
another poster makes a very valid point which i agree with - that as tax payers - we're interested not in what is most effective, but what is most efficient - if visible policing is so expensive that it displaces the budget for health care or emergency rooms - we might actually loose more lives than we gain.
Or a really great Visual. My flight instructor told me, "Always wear your seat belt. Often it and gravity are the only thing keeping you in your plane, and gravity is easily upset."
He then punched the door (Cessna Aircraft) and demo'd in flight that worn door latches are probably a given in rented aircraft as the door easily popped open.
I remembered that when a family friend got ejected from and subsequently rolled over by his own vehicle during an accident. Never could convince the guy that the first reason for wearing the belt was to keep you in the seat behind the wheel and in control so you could avoid the accident in the first place.
After reading other comments, I have to ask - what's the standard for deciding that government, or any other social institution, needs to change people's behavior?
As author of the blog post, I want to thank you folks for pointing out the bad URL link. NHTSA changed it on me since the original posting. Paul is spot on with his recommended new URL, which I have updated the blog with (thanks Paul!). As for the title I used the same wording as the title from the report itself. Based on everyone's input it appears that the title of the report is most likely in the wrong order, thus the source of confusion.
Once again thanks!
Enforcement is essential, but its how you enforce that changes behaviour. A beligerent traffic cop makes you resentful and focus on his behaviour not yours. When you know that you should wear your seatbelt, and you both behave like adults, you are likely to say 'yep, fair cop'.
you said: [ For seat belts, the car ignition design can make sure the car can't be operated without putting the seat belt on, or have the act of closing the door put the seat belt on.
An option to override these systems is possible - it need only be set to require a 5 second or so delay to ensure that most drivers would rather just let the system put the seat belt on unless they actually need to have it off. ]
Give me a vehicle with one of those systems and I will DISABLE it immediately. I work in disaster management (we train by providing safety for walks and bike rides). I also work with emergency response units. There are legitimate times when the seat belt is contraindicated - ones that the "five second delay" can cause problems.
If you don't want to wear your belt, it is your choice (just as not wearing a motorcycle helmet). Just do us all a favor and make sure that "organ donor" is stamped on your identification.
"After reading other comments, I have to ask - what's the standard for deciding that government, or any other social institution, needs to change people's behavior? "
Usually that people are behaving irrationally. In this example it seems odd that you need a law to tell people to do something that may save their life. But strangely we often need that nudge - it allows us to externalise a decision that we don't want to have to think about.
I have noticed that revenue authorities are often most edvanced in this thinking - they call it behavioural comliance (this is an excellent introduction and source of references http://www.skatteverket.se/download/... )
Some seem to doubt the safety benefits of automotive safety belts ... perhaps it will serve as a modern example of selection for certain genes.
The evidence for the effectiveness of safety belts is plentiful, and strong. Anyone here with an engineering background (Clive, for example) will understand that if you want to measure the effects of a change to a system, you hold all other parameters constant to the extent possible.
With traffic safety statistics, all parameters are continually varying. Some examples:
* traffic flows
* traffic patterns
* vehicle design
* driver behavior
* driver alertness and attention (factors such a drug use, fatigue, number of passengers, etc.)
* driver demographics
* vehicle mix
* weather patterns
* tire technology
* road design
And there are many more. ANY of these can have quite significant effects on safety statistics. That modern safety belts are highly effective at preventing death and reducing injury has been very soundly established. In some cases, we can be confident that a precaution is worthwhile without statistical proof (take a minute to think about this: it is not unusual in security).
When considering measures such as traffic fatalities over time during recent decades, consider that in many countries, any changes in seat belt usage were probably accompanied by:
* greatly increased traffic densities
* increased speeds and decreased vehicle spacing on some categories of highway
* dramatic changes in average vehicle mass, center of gravity, and stability
* phasing in of airbags
* phasing in of anti-lock brake systems
It is enormously difficult to isolate the effect of one influence on traffic safety statistics. Any study claiming to have done so, merits exceedingly careful review.
About media effectiveness: I don't have references for you, but I saw video of a traffic safety conference, where several professionals in the field gave presentations. More than one of them claimed that "safety education" measures (for example, public service announcements on television) had been studied in numerous cases over a period of decades, and had been found to be almost perfectly ineffectual in changing driver behavior, whereas enforcement had been found to be quite significantly effective. These folks seemed to know what they were talking about.
About behavioral feedback: Fortunately, violent auto crashes are rare for most of us. "Learning by experience" isn't altogether satisfactory, because a significant fraction of the people who might have benefited from their first lesson, won't survive it. By contrast, seat belt penalties are a form of feedback motorists can experience much more frequently. It is intuitive, that this can be more effective.
(BTW, I have known several people who DID benefit from the first type of feedback. The didn't use safety belts until they experienced a heavy collision in which they were fortunately not badly injured. For them, the EXPERIENCE of becoming human missiles was educational in a way that no previous safety information had been. Every one of them consistently used safety belts afterward.)
Australian states made seat belt wearing compulsory somewhere around the 1970s. It is rare to see somebody NOT wearing a seat belt.
There were the silly arguments of the kind: What if the truck in front of me stops suddenly and its load of poles come through my wind shield and I'm held in their path by a seat belt?
Mobile phone use while driving has been very difficult to stop. Even cyclists can be seen on the phone while riding. Laws have been tightened to make even touching a mobile phone or having one sitting on your lap while driving is illegal.
Even a few percentage points improvement in safety measures can save hundreds or thousands of lives each year.
if you want to encourage to actually click the belt - why not place some sharp glass shards on the center of the steering wheel? Being constantly reminded that even at 15km/h any sudden stop can permanently alter your looks should help. And it prevents people from honking. win-win
"Even a few percentage points improvement in safety measures can save hundreds or thousands of lives each year."
Yes which begs the question why do we not bring all vehicle speeds to 30 MPH or less.
A 30 MPH speed limit would be relatively easy to enforce and the number road deaths would go down significantly (depending on who's stats you look at the drop could be as much 90%...).
As a rough mental average of various figures given over various years,
If inside the vehicle in a head on at 40 MPH your survivability as a driver without anything other than a sensibly designed steering wheel (and holding it at the approved 10 to 2 position) is in the mid to high 90s dropping to less than 50% around 50 MPH. However it is worse for the passengers and... As a driver at 40 MPH you are much more likely to be killed by a passenger in the back seat being thrown forward into you and causing crushing and or breaking of bones in the upper body and head. However down at 30 MPH survivability for both passengers and drivers is quite good (you then have the side impact issues).
And for those outside the vehicle the magic 10 MPH appears to be 30 MPH 85% survivability 40 MPH 20% survivability.
From a pure safety perspective limiting all vehicles to 30 MPH would show the most cost effective return (and please don't flame me for saying it ;)
@ Mal "silly arguments of the kind"
First time I approached a system designer with an auditing requirement his response was "I'd need a TB database the size of my database to audit." And recently when approaching a client about removing LM from their network was told "Legacy! BOOM!"
I've since learned to not take them at their word but to interpret conflation and exageration as engineer speak for "I don't wanna," and, "I don't know how," or "I don't know what will break -- the complexity of the enviornment got away from us 10 years ago."
While I would never doubt the accuracy, authority or integrity of the anonymous contributors to Wikipedia...
NHTSA itself DOES call it "Click It or Ticket" CIOT --http://www.nhtsa.gov/CIOT
But perhaps the blog author's making an intentional point putting Ticket first because the study showed it was enforcement not awareness that made the real difference.
Actually, in downtown Washington DC, those odds are reversed... your chances of being in an accident at > 40 MPH are small (severely constrained by your chances of being able to drive > 40 MPH in the first place).
Given the high police presence and the fact that tickets = revenue, your chances of getting that ticket are much higher.
It's irrelevant to me, because I've always worn my seatbelt anyway... but the decision-making is not as irrational as you make it out to be in this perhaps atypical case.
I haven't read his study, but one flaw i see in a lot of them, is that they only consider fatalities. Since for example a majorty of fatalities in NZ is head on when passing, seats belts are going to have little effect.
However what about major vrs minor injuries, or permanent vrs non so permanent injuries. The data is harder to get. But the numbers for seat belts do look a lot quite convincing (can't find the report right now).
It's slightly off topic, but the history of the seatbelt is linked to Murphy's Law. Edward A. Murphy, Jr. was an engineer working on rocket sled experiments for the air force, which led to the discovery that seat belts help pilots survive significant deceleration. See http://improbable.com/airchives/paperair/volume9/...
The other advantage of enforcement over media campaigns is that enforcement generates revenue instead of costing money. And as any successful traffic enforcement officer will proudly explain, the most effective lesson is one accompanied with a painful sting.
But if you're looking to enforcement as a reliable source of badly-needed revenue, you have to be careful. If the enforcement successfully modifies behavior, it will destroy the revenue stream. I would not doubt that there are any number of Operations Research specialists who make a nice living quietly selling their services to municipalities seeking an optimal selective enforcement strategy that maximizes revenue without permanently modifying the behavior that generates those golden tickets.
you may have misinterpreted my point - i want to wear my seat belt - i think seat belts are generally a good thing.
you suggest that you would disable an ignition system that requires a seat belt before the car can be started. i think the situations where a regular civilian person can't afford to put on their seat belt and would as a result be subject to a five second delay in starting their car hold few risks compared to the 44k fatalities on the roads each year. i think that people might well be able to apply for a license to disable the connection from seat belt to ignition when they are regularly in situations where wearing a seat belt is a dramatic risk to them. my impression is its safer to encourage a safe default setting (having a seat belt on) by having the five second delay or to have a seat belt that the car automatically puts on for you than to rely on coercion by police.
another poster makes an interesting point - coercion is becoming a revenue stream for government and government contractors.
@JohnConnner, the government pays for the hospital, recuperation facility, and/or morgue that you may end up in if you crash. Their interest, and mine, is to reduce unnecessary spending, and in this case prevention is *much* cheaper than response.
You can do what you like, as long as it doesn't impact on others. If you didn't wear a seatbelt, you'll cost others a lot more than if you did.
Seatbelts Save Lives.
Anyone who is not convinced, should read this blog entry from a paramedic whose job was to respond to car accidents all day long. He can always tell who was not wearing their seatbelt at the time of collision: it was the guy who was ejected through the window and flew twenty meters, leaving a 12-foot smear of blood and brains across the pavement.
This is also a personal pet peeve of mine. I ALWAYS wear my seatbelt when in a moving vehicle, no exceptions. My car does not move until all passengers are belted in.
My dad often refuses to wear his seatbelt nowadays, which drives me crazy. He used to wear it when we were children growing up, and he claims that he always wears it on the highway (which I don't believe). But for just driving around town, he won't do it. He claims its uncomfortable and he's never gotten used to them. Last time I was visiting, I flipped out and yelled at him and refused to ride in the car with him: by not wearing a seatbelt, he is also endangering MY safety by becoming a 170+ pound projectile. An unbelted passenger who is thrown into other passengers can easily cause head injuries or even kill them.
Seatbelts do occasionally cause an injury (just like airbags), however, not wearing your seatbelt VASTLY decreases your survivability in any high-speed collision and also in some other types of collision like side-impacts.
The difference between IT security and seat belts, is, that using seat belts is really really easy for most people. It takes about a half a second. Sure there's some who complain about comfort, but those are rare in a day where anybody under about 40 or so barely remembers a time where driving without seat belts was ever _legal_.
So sure, a public awareness campaign combined with harsher penaties was effective, but if putting on your seat belt was a confusing, arbitrary-seeming process that was time consuming and inconvenient, how many people would wear them _every single trip_?
@BF Skinner: I see that you're still struggling with the OR. Perhaps it's because it's neither the (inclusive) OR nor the XOR, which both are commutative, but the OR-ELSE, a close cousin of the IMPLIES, which isn't ?
@JohnConnor: regarding seatbelt laws, there's also group behaviour to consider. If it's socially accepted or even expected to ignore the seat belt, then chances are that people who would have no objection to buckling up will just do as good lemmings do.
For example, it's quite common for Europeans, myself included, who would previously never have dreamt of not buckling up to quickly learn to disregard the seat belts (if present and in working condition) in the rear seats of taxis in Argentina.
Another incentive should be protecting others from the consequences of you becoming messy roadkill. E.g., I would consider it at least impolite to expose a friend who's driving to an unnecessarily large risk of having to feel responsible for my death or injury in the event of an accident.
Thinking of it, the prospect of guilt may work better as a motivator in a media campaign than the prospect of personal safety.
@n8han: those John Adams statistics are in fact just what one would expect if seat belts work as advertized: they don't change the overall trends of accidents, they don't do much for or against pedestrians, but they do protect the ones wearing the seat belt.
If the best the opponents of seat belts can come up with is to dismiss statistics on the grounds of them not showing an improvement in the control group, with the suggestion that it is somehow immoral to use the misfortune of the control group to exhibit the success of the measure in question, then I couldn't think of a much clearer admission of defeat :-)
Even cyclists can be seen on the phone while riding.
In my experience it's more a case of "trying to ride". Often also by the same idiots who think that they are exempt from every other traffic rule...
Sorry to hijack the topic, but ...
@Ian N: you hit upon precisely what should bother you about government involvement in your health care. When someone else bears the cost of your decisions, that someone will feel justified in controlling your behavior. This is inevitable, and is incompatible with liberty.
The real solution to the problem you cite is to not agree to be responsible for the medical care of people who decide to not wear seatbelts or motorcycle helmets. Let them bear the consequences.
If you're not free to make bad decisions, then I'm not free to make good ones.
Ah, yet another piece of pseudo-scientific bullshit.
Correlation is not the same as causation.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.