Schneier on Security
A blog covering security and security technology.
June 11, 2010
Mainstream Cost-Benefit Security Analysis
This essay in The New York Times is refreshingly cogent:
You've seen it over and over. At a certain intersection in a certain town, there'll be an unfortunate accident. A child is hit by a car.
So the public cries out, the town politicians band together, and the next thing you know, they've spent $60,000 to install speed bumps, guardrails and a stoplight at that intersection—even if it was clearly an accident, say, a drunk driver, that had nothing to do with the design of the intersection.
I understand the concept; people want to DO something to channel their grief. But rationally, turning that single intersection into a teeming jungle of safety features, while doing nothing for all the other intersections in town, in the state, across the country, doesn't make a lot of sense.
Another essay from the BBC website:
That poses a difficult ethical dilemma: should government decisions about risk reflect the often irrational foibles of the populace or the rational calculations of sober risk assessment? Should our politicians opt for informed paternalism or respect for irrational preferences?
The volcanic ash cloud is a classic case study. Were the government to allow flights to go ahead when the risks were equal to those of road travel, it is almost certain that, over the course of the year, hundreds of people would die in resulting air accidents, since around 2,500 die on the roads each year.
This is politically unimaginable, not for good, rational reasons, but because people are much more risk averse when it comes to plane travel than they are to driving their own cars.
So, in practice, governments do not make fully rational risk assessments. Their calculations are based partly on cost-benefit analyses, and partly on what the public will tolerate.
Posted on June 11, 2010 at 12:08 PM
And why is the "public" so "irrational"?
These kinds of comments just beg the question -- the subtext is so clear, yet the authors seem to be terribly unself-aware. I guess because the job of journalists is to drive that very irrationality.
No matter how cynical you get, these kinds of clowns make you more cynical yet.
Kangaroo, the public is "irrational" because ....
... wait for it ....
We're really bad at probability. CogSci experiments say our intuitive probability skills aren't bad for pre-linguistic worlds, but they haven't caught up with our current world.
BTW, the BBC journalist misunderstood the $30K QALY number. That's the cost per year of life, not the life cost.
So for a child multiply by 70 to get $2.1 million, which is in the range of legal settlements for loss of early life.
From the NYT article: "I was hired to protect the network. If I fail, I lose my job. Convenience and productivity are really secondary"
... And there you have it, the CYA externality behind this and many other poorly conceived ideas/implementations.
Or how about medical screening tests? People can't get enough of them although in many cases the risk/benefit is either a wash or the risks outweigh the benefits.
Careful analysis of pros and cons of one screening test:
Senator who is either clueless, illiterate (as he clearly hasn't read the materials he's criticizing) or cynically pandering to public fears and professional interests (ACR)--your choice:
I totally agree with you. Implementation of these "extreme" safety measures is definitely getting out of control. Speed bumps and other speed limiting obstructions are showing up everywhere!
But things could be worse...
Just imagine if it were possible to tap into your car's computer system and slow the car down based on the posted speed limit.
I wonder if BP is re-addressing their cost benefit analysis based on what happened in the Gulf?
Sometimes... just sometimes... It isn't just about dollar values.
I don't share the IT professional's perspective. He's not hired to protect the network. He's hired to facilitate the mission of the organization through Information Technology. Sometimes that means you have to choose to be less secure in order to meet that mission.
Also, what people are missing here is the threat model. What is the threat you're trying to protect from? If you're the NYTimes, there are many more threats that you have to protect from than if you're a small Video Production company. Knowing the threat model allows you to make good judgements. Not everyone needs to have the defenses of the NSA.
@John Gordon "We're primates"
That's just half the problem. The other half is that we have the delusion we are intelligent.
Great book on probability and how humans are terrible at intuiting the effects of conditional probability is "The Drunkard's Walk: How Randomness Rules our Lives"
Special interests work hard to confuse the public about medical tests and treatments. The Senator is (my guess here) probably getting a contribution from a group which has a financial interest in screening.
FYI - Here's a site which covers this stuff extensively: www.healthnewsreview.org/blog/
@Joe "intelligent "
Nah. The problem is "I know that I know. And that I don't know ... I forget."
Damn me Clive, how you write those dissertations on a phone I don't know.
"So, in practice, governments do not make fully rational risk assessments. Their calculations are based partly on cost-benefit analyses, and partly on what the public will tolerate."
A fully rational risk assessment includes the consideration of what the public will tolerate. Risk assessments that assume that the public will behave fully rationally are themselves irrational, or at least profoundly naive.
@Ted: Ideally, his job is to enhance the value of the company. However, he will do what he is rewarded for. If it's been made clear to him that his job depends on the network staying up, then he will make darn sure the network stays up, and only then will he make sure it's actually usable.
This is a special case of the problem of diverging incentives. In this case, the company could do a lot to make him more useful to the company by re-evaluating his incentives, and not automatically firing him if the network goes down. (Or, if they weren't necessarily going to fire him anyway, communicating better.)
The air travel vs. auto travel one is a misguided example. The public is not as irrational there as they may seem. The difference is in what you can do to mitigate the risk. I can significantly reduce my exposure when driving a car: don't drive drunk or extremely tired, drive carefully in inclement weather, etc. The risk can, to some extent, be managed. Although I can't manage other drivers, I can give preference to safer highways, etc.
Outside of not flying at all, and -- perhaps -- not flying some third world airlines, it is extremely difficult to manage your personal risk with air flight. I don't get to review my pilot's record, or how much he has worked, or even have a little chat to see if he is drunk, tired or distracted. I generally have limited access to the plane's maintenance records, etc.
So I think the comparison by the BBC article is quite incorrect. My tolerance for risk in an automobile and an aircraft is not different, because my risk in an automobile can be brought well below the average, but my risk in an aircraft is very difficult to change, so the average must be quite low.
As someone somewhat involved in road safety/city design, this whole "road accident" mindset shows bad reporting. If someone gets drunk and then crashes their car, killing someone, that is not an accident. So for the NYT columnist to say "even if it was clearly an accident, say, a drunk driver" they have shown they have no understanding of road safety.
115K people died in road traffic collisions in India last year (source NYT); yet the politicians and the car-driving voters are happy with that. The people walking don't choose to get in a car, they don't choose to die, it happens to them, and if it is a result of deliberate decisions by drivers then it is a crime, not an accident.
There's definitely a certain "this was bad and it must never happen again" bandwagon that springs up around unpleasant events.
1. People see it once and assume it can (and will) happen again if something isn't done. They tend to gloss over other considerations, such as the fact that in most cases it can (and will) happen again even if they DO something, just in a different way. In the example of an accident at an intersection, fixing the intersection to avoid that one type of accident can certainly make another type (being distracted by too many signs, for instance) possible.
People also tend to fail to weigh the costs of their fixes. How many construction workers are at risk while the intersection is rebuilt? How much inconvenience or damage will the speed bumps cause? And that's besides the pure financial costs.
2. It's easy for politicians to get "bonus points" with the public by taking a hard line against unfortunate accidents. Nobody is going to argue "oh, it's okay someone died here so we shouldn't do anything." The worst you'll get is "oh, it costs a lot" and as noted people don't like to weigh dollars against lives. If we CAN "do something" we almost have to.
And of course political rhetoric tends to turn to "never again" kind of talk. You won't get a calm, rational, reasoned discussion of the costs and benefits, because that's boring. The politicians veer to the absolutes because it sounds better, even though moderation is generally a far better policy than veering between absolutes.
The BBC article assumes that the level of death incurred in car travel is acceptable. Why not flip things around and say that car travel is far too dangerous, and that we need to improve it (through mandatory safety features, driver training, regulation etc.) to the point where it is as safe as air travel?
And the NYT article gets right that installing safety features doesn't prevent crashes caused by driver behaviour, but calling things "accidents" rather than "negligence occasioning death" as this case was doesn't help things.
It's also important to distinguish between the cases where a significant majority of the public has a clear preference vs. where a few loud, emotive people make repeated demands while a significant majority of the public fail to decisively disagree.
In any human endeavour, the degree of safety precautions taken is directly proportional to the newsworthiness of an accident.
Another example from the UK a few years ago.
There was a rail accident, the first in years, which killed half a dozen people.
The response was to basically shut down high speed trains for months (reducing their speed to 20mph etc.) - forcing many more people to drive, causing a significant increase in accidents.
There is another issue that needs to be considered, and that is our legal brethren.
The tort game is basically to extract as much money as possible out of the defendant.
The guilt of the defendant, i.e. conversion from "act of god" to "act of man", is based on the assumption of foresight in man.
If the legal brethren search around and find just one vaguely similar accident then they have a crack into which to drive a wedge of rhetoric and gain points. And as we all know, "points make prizes".
We also know that "accidents" will always happen as long as we have potentially dangerous activities going on at a given location. Our legal brethren know this as well, and if there has been one accident at a crossing they know there are likely to be more, irrespective of what can be done (apart from closing the crossing), simply because drivers are en masse selfish and will drive beyond their abilities or will let their minds wander away from what they are doing.
Now having an example of a previous accident at the same crossing is a golden nugget that shows the mother lode to our legal brethren, especially if a reasonable time period has gone by and those responsible for the crossing have made no changes...
So you have a problem as the keeper of the crossing. You know you cannot make drivers behave responsibly, you know you cannot close the crossing, so you know that it is inevitable that another "accident" will happen...
You also know that if it does, the cost due to our legal brethren will be beyond reasonable comprehension due to punitive damages.
The result: the keepers of the crossing go overboard on precautions to mitigate against punitive damages, but...
There is this notion of "best practice" to drive this process, because the legal brethren only have to find a couple of examples where somebody else has gone more overboard and has not (yet) had another "accident" to show that the defendant has acted unreasonably by "not taking all reasonable precautions".
And this actually has the problem that the punitive damages will be even higher...
Why? Because the legal brethren can argue that the work carried out shows the defendants know that there is a danger that needs to be mitigated against, and the amount of work they have done shows the level of the danger, BUT they deliberately stopped short of doing what was necessary. Thus punitive damages have to reach the moon to punish the defendants for their arrogance.
What it all shows is that as humans we have absolutely no responsibility for our actions against others or ourselves and seek to blame others. And as we have no knowledge of probability we turn from grief to vengeance, eagerly egged on by our legal brethren, and end up harming countless others...
Oh, and it's not just accidents where this happens; think back to Bruce's previous comment on patents and not reading other people's.
One day we will wake up and realise what harm we have done to ourselves via the legal brethren and the pendulum will start to swing the other way, until... we start getting real deliberate arrogant negligence by the keepers of crossings etc. and then the pendulum will swing back again.
Unfortunately the pendulum will never come to rest at an acceptable mean, simply because of the joint effects of human greed and human ingenuity...
Air travel vs. road travel is also comparing apples with oranges because unlike your average Joe on the road, there are only highly trained professionals at the stick of commercial airliners, which are well maintained by professional mechanics and directed by professional air traffic controllers.
If you instead look at non-commercial aviation, you will find similar if not higher accident rates.
Comparing air travel with trains would be fairer.
Oh, I forgot to mention above that the only way not to play into the legal brethren's game is to actively choose not to.
This can of course be extremely difficult, but can be done.
The simple choice after the accident at the crossing would be to close it, thus removing the opportunity of a crossing-related accident happening.
However, although it stops the game there, it moves it: crossings are usually only put in because they have a recognisable utility to those living in the area.
Thus you have to explain properly the risks and the remedies and the costs involved to those it affects.
For instance you might suggest a 15mph speed limit for two hundred yards in appropriate directions with 100% parking restrictions at all times, and show that you will enforce it without any kind of preference.
However, in turn you have to show how you affect the people around the area, especially if you decide you will remove the crossing etc.
In the long term any option that nuters the avaricious behaviour of the less reputable of the legal brethren is to be encouraged.
Also people need to be made very aware that short-term cheap is usually long-term expensive.
@ BF Skinner
"Damn me Clive, how you write those dissertations on a phone I don't know"
Hmm, your lack of usual capitalization on your name makes me wonder if you too are trying a mobile phone post?
But the answer is "a bit like walking down a dog filth laden path in the dark"
Or "you put one thumb in front of the other and hope you hit the right key or see your mistakes before committing the post".
Sadly as can be seen from my previous post distractions such as loud youths in the railway carriage can further cause problems.
For instance "nuters" started out as a thought to "nullify" and should have been "neutralize", but a more major interruption to the thought process by the aforementioned youths made me think along the lines of "what vets do to tom cats that make nuisances of themselves" (why I can not possibly imagine ;)
And mobile "smart phones" do have some real advantages over netbooks, laptops and "luggables" for a number of reasons (such as usable when standing, less obvious to thieves, very fast to put away and better battery life).
However, do make sure you get one with a slide-out keypad... and have a real careful think about what you need. For instance make sure you can have a basic editor to type notes into and save away, either on the phone's removable media or, say, via an email or other online storage you can easily access from your main work desktop etc.
Likewise if you have a particular file format (say PDF) you look at a lot in webpages then make sure the phone has an appropriate app to not just display but also download and, importantly, allow to be attached to an email...
And avoid ones with very proprietary OSs where the phone owner compels you to use their "market place"; it means that they can steal people's ideas whilst locking them out from the customers...
That being said, none of them can be even remotely considered "secure" in any real sense of the word (it's a resource issue), but that is improving with the likes of Google's Android etc.
I dread to think what the NSA etc. geeks did to make POTUS's "Obamaberry" sufficiently secure (and what cheats they used, like say excluding most EmSec attacks due to the presidential protection detail providing a sufficient "clear zone" around POTUS...).
Oh, and get one with a proper alarm system (i.e. like Unix cron); it really helps when your brain starts to dim for whatever reason (head trauma, old age or enjoying life too much ;). Likewise "calendaring" with daily countdown reminders etc. so you don't forget to remember your current significant "brain wrangler's" important little dates such as birthdays, day of first meeting / kiss / ... (for some reason they seem to judge you by such little things)
They are also useful for those times when you have to sit and wait on others or need to take impromptu notes with pictures etc. (think accidents as well).
Oh, and get one with WiFi ability as well and a port of kismet or airsnort etc. to walk the perimeter with, so you can further justify it on expenses ;)
Another important consideration when selecting a mobile device is whether or not it has an integrated spell-checker. ;-)
"Another important consideration when selecting a mobile device is whether or not it has an integrated spell-checker. ;-)"
Yes, this one does have a predictive US "spellchecker", but it has several really annoying habits, such as "popping up" over what you are typing, and it lists only a couple of words, which have such annoyances as being shown in alphabetical order. Thus if you are "vowel blind" it may not show the word you actually want. Oh, and it displays what you type as the leftmost word, and if you happen to spell it correctly it does not display the word in the rest of the word list, which combined with other problems means it is difficult to see when a word is not correctly spelled. Oh, and last but not least, there appears no easy way to make it behave like a traditional spell checker, which would be better for those with various forms of word blindness (dyslexia).
And there is no real excuse Google has solved this spellchecking issue on web based systems like GMail (Hint to Bruce and Movable Type it can be done ;)
@ AppSec at June 11, 2010 1:51 PM
"Sometimes... just sometimes... It isn't just about dollar values."
I think I see the point you are driving at here, but I also think the BP example is purely about dollar values.
BP wouldn't (I believe) have given a toss about the environmental impact of the leak if it wasn't for the inevitable costs it will incur and the overall impact on the company's dollar values & the return for its shareholders.
Rightly or wrongly, costs drive everything - not always in cash terms though.
"I was hired to protect the network. If I fail, I lose my job. Convenience and productivity are really secondary"
This is the result of someone who doesn't understand the job. Either that or it's a bit of hyperbole from someone who understands a bit less than they think they do.
If it's true, he has a very easy job.
as far as the ash cloud...
maybe the gub'mint should have allowed airlines to take their chances, provided they give already ticketed passengers the right to free rescheduling, then let economics work out the rest.
i don't know about all y'all, but i'd be 10,000% more willing to risk driving home on new year's eve in mexico city than to get in an airplane and take even a minuscule chance that ash particles might cause all engines to fail, which would give me a leisurely couple of minutes to observe my impending demise.
I read as nutters and it actually made more sense to me in context. Now I have to go re-read your post and find out what you really meant.
From our cell phone discussion I did locate a motorola product that I think is what the STE/STU people were talking about. The timeport looks like it can be configured to a secure voice solution to the TS level and there looked to be a smart version at Cisco.
Likely the POTUS uses one of these. I wonder how they are handling the Presidential Records Act. Nixon and some of his predecessors made tape recordings - until they found out why that was a problem. Reagan's White House used the PROFS email system until they found out that THAT was a problem when they tried to destroy the Iran-Contra material.
IM and emails from the President at the speed of his thought? Self documenting at a very granular level.
In many countries with representative governments, officials are elected to make decisions the people want them to make -- not the "best" decisions. So, it's a dressed up form of gang mentality.
@ BF Skinner,
"Now I have to go re-read your post and find out what you really meant"
Do you remember the Red Queen that upset Alice?
She had a catch phrase of "Off with their heads!" well like the women that think the way to a man's heart is through his stomach, she was aiming a bit high, more like "Off with the Family Jewels" for many of our legal brethren ;)
Its called "democracy".
Those who run things have *always* been under the control of those who rule. Either they are also the rulers, or they must kowtow to the king, aristocracy, Caesar, etc.
You can't have it both ways. Either the people have authority over the elected officials, or they don't. If they do, it is "gang mentality". If they don't, then they have just given up the power to a chosen group of aristocrats. If you have a middle ground, then guess what? You have what we have now.
@Steve and Matt
It's still an accident. Whether caused through negligence, recklessness, stupidity, or bad luck. It wasn't deliberate, therefore it was accidental.
RE: Your comment relative control of risk in car vs plane.
I think your comment clearly shows the problem we have of evaluating risk. The airplane you fly in is almost guaranteed to be better maintained than your car (full inspections every 100 flight hours). The pilot is guaranteed to have better training and be under much more scrutiny than your driver (especially if you drive yourself). Most airplane incidents involve one vehicle, so you don't really have to worry about "the other guy" like you do in a car. The only thing that makes you feel safer in a car is your illusion of control.
It's worth noting that the countermeasure applied doesn't mitigate the process flaw: the driver was drunk.
Proper management would be to have those driving drunk and their offspring put to the death penalty, so that in a couple of generations only people with the gene trait for responsible driving are proliferating and those driving drunk are extinct.
Don't ask what evolution can do for you, ask what you can do to help evolution!