February 28th, 2006 by Chandler Howell

Malcolm Gladwell had a recent blog post where he discusses an unnecessary fatal train accident.

The engineer who had probably caused this very rare fatal accident had what may have been the single worst safety record of 1,000 people driving commuter trains in the metropolitan area. Only five were even in his dubious ballpark. The great majority of engineers had no safety violations at all.

And here’s the kicker: about 8 percent of the engineers accounted for about half of all the violations. Yet not only were they allowed to continue working, they were under no particular scrutiny. Worse still, these three railroads actually did more to police the engineers than most railroads, and more than was required by federal law.

The results made me think of the Christopher Commission report, which I had also covered, and the finding that 44 of 7,000 officers caused the bulk of the problems.

How many incidents of any sort could be avoided by developing good predictive metrics and then taking action on them?

I know that here in the Information Security realm where I work, we see the same people doing the same stupid things over and over. They tend to be low-level staff who are doing things in violation of our Acceptable Use policies. We can identify them prior to their causing a Major Incident, yet we can’t/won’t do anything until after the damage is done.

I’m not saying that we need to fire anyone, although I wouldn’t rule it out for repeat offenders, but I’m also continually irritated that most of the cost of an incident (specifically, all of the response costs) is an externality to the “guilty” party and their management, which may be the real weak link in the chain.

If we could transfer the externality back onto the high-risk employee’s managers by forcing them to accept the risk, then maybe we’d finally get somewhere. Maybe not, too, but it couldn’t be any worse than what we’re doing today.

- Posted in Security and Risk Management, Risk Management
