Another one that's been sitting around for a while. Bruce Schneier pointed out a great article (registration req'd) last year about the effectiveness of security.

Security measures can behave in different ways. Some simply shift the risk from one owner to another.

Professors Nalebuff and Ayres note that other antitheft devices, such as the Club, a polelike device that locks the steering wheel, help protect that car, but only at the expense of the next vehicle.

"The Club doesn't reduce crime," Mr. Nalebuff says. "It just shifts it to the next person."

Such a security measure may be fine when you're only interested in protecting your car, but from a broader perspective, the LoJack system is a much more effective deterrent.

The thief's challenge is that it's impossible to determine which vehicle has a LoJack (there's no decal). So stealing any car becomes significantly more risky, and one academic study found that the introduction of LoJack in Boston reduced car theft there by 50 percent.

As he mentioned, this was something Bruce discussed in Beyond Fear (highly recommended).

It's important not to lose sight of the forest for the trees. Countermeasures often focus on preventing particular terrorist acts against specific targets, but the scope of the assets that need to be protected encompasses all potential targets, and they all must be considered together. A terrorist's real target is morale, and he really doesn't care about one physical target versus another. We want to prevent terrorist acts everywhere, so countermeasures that simply move the threat around are of limited value. If, for example, we spend a lot of money defending our shopping malls, and bombings subsequently occur in crowded sports stadiums or movie theaters, we haven't really received any value from our countermeasures.

In other words, you're only as strong as your weakest link. If the airlines are totally secure (which, of course, is impossible), then the attacker will simply move to a less secure target. Policies that emphasize a single asset simply shift the risk to other assets.

Speaking of airline security, my recent trip to London was the first time I flew internationally since 9/11, and I was amazed at some of the ridiculous security measures enacted. Virgin took it a step further with some of their security on top of the standard TSA stuff. For example, they checked your ID and boarding pass three times, each time putting a sticker on it. This, of course, doesn't guarantee the authenticity of the document, only that I used the same one each time. Furthermore, they won't let you check your bags without a boarding pass or, since we had e-tickets, a printed agenda.

In this sense, the security may make sense because Virgin is more like the local homeowner, not the police department. The problem is that it's not far off from the measures that the government is taking, on both a micro and a macro scale.

(On a side note, congratulations to Bruce for receiving the 2006 Dr Dobb's Excellence in Programming award. I've always admired him for his remarkably level-headed and rational approach to security, especially in the context of software development.)

