Archive for June, 2007

Disposal Risk Loss tolerance

Tuesday, June 26th, 2007

Chris’ comment on my post about differing risk assessments from the same data highlighted another factor that I thought worth mentioning:

You, by definition have 50% fewer hands the first screw-up. After that, it’s totally safe.

Chris has just defined his risk loss tolerance for getting his hand caught in a garbage disposal as being the non-fatal loss of one hand. Personally, my risk tolerance is no loss of any hand, but maybe it’s because you really need two hands to risk your life effectively.

I’ve now got my definition of risk loss tolerance (zero–no accidents whatsoever) for garbage disposal accidents. Let’s see if I can find some benchmark data. Google for “garbage disposal accidents.” The only thing I find that even comes close is a discussion thread started by someone who seems to have decided that risk avoidance is their risk management decision for disposal risk. Someone in the thread points out, though, that

I tried to look up garbage disposal injuries…couldn’t find any that weren’t part of sit-coms or tv commercials.

I am sure that there are some that do happen…but you’ve got a bigger risk getting out of bed in the morning.

Finally, however, I found an extremely graphic photo (maybe nsfw) of a disposer full o’ fingers. So, assuming the image is both real and is actually a garbage disposal*, maybe these accidents happen after all.

So now, the question comes down to whether or not the likelihood is too high to be acceptable with my risk loss tolerance of zero. That makes this a binary event–either I have an accident or I don’t. While I haven’t kept count, I’d say that the number of times I’ve actually stuck my hand down a garbage disposer for any reason in my entire life probably averages out to less than once per year, so I’ll round up and use once per year as my rate of potential accidents.

There are about 300,000,000 people in the United States of America (Households would be a better number, but I don’t have it handy so I’ll round down on the proportion with disposals). Even if only 10% of them use garbage disposals, that’s still 30,000,000 people, each of them sticking their hand in it once per year.

If a Google search (the source of all knowledge and no wisdom in the world today) can’t find a single reference to garbage disposal accidents, then the likelihood of it occurring is probably less than one in 7,500,000 (figure Google News goes back 90 days–I’m pretty sure this is low, too).

I think I can live with that risk, even if I’m not a big risk taker like Chris.

* As opposed to some other piece of finger-removing industrial machinery–it doesn’t really look like the inside of a disposer to me, and seems to have just severed rather than disposing of the fingers, but I’m not looking again to be sure.

Same facts, different risk

Friday, June 22nd, 2007

I recently bought a new home and one of the items that came up in the inspection report was the risk that

The power switch for the garbage disposal in the sink could be accidentally turned on by a person standing at the sink while their hand was in the disposal.

That is to say, the switch is right next to the sink.

I thought about this, and realized that I preferred that situation in the “risky” state.

While the likelihood that I will flip that switch on if I have my hand in the garbage disposal for some reason is exceedingly low, I’m willing to bet that it’s still lower than the likelihood that someone would accidentally flip the wrong switch and turn on the disposal during one of the rare occasions when I have my hand in it.

If I were writing the report, the risk I’d have identified (had it existed) would have been something like:

The power switch for the garbage disposal is located such that a person at the sink cannot reasonably ensure that another person won’t accidentally turn it on while the person at the sink has their hand in the disposal.

Who’s right? We’re both using the same data (the location of the switch in relation to the sink) to evaluate the same incident (the disposal being accidentally turned on) while in a vulnerable state (hand stuck in the disposal).

The threat is different (I turn it on myself versus someone else turns it on), but I would argue that the risk is truly lower with the switch by me for three reasons:
1) I am highly motivated to not accidentally hit that switch while fishing in the disposal;
2) I, by definition, only have 50% as many hands which could potentially turn the switch on if one is in the disposal; and
3) I’m effectively protecting the switch from someone deliberately turning it on in order to mangle my hand and thus, say, put an end to my blathering on about risk management in a weblog.

This was a trivial case involving clearly defined impacts, assets, and very low likelihoods, and yet it still was able to produce diametrically opposing positions on what the appropriate risk stance should be. Is it any wonder that risk management of non-trivial problems is hard?

Assessing risk in the real world: Thumbprint scanners

Thursday, June 21st, 2007

I often feel like much of what I do goes on in a world of hypotheticals, not just the assessment of risks, but even the assets, systems and processes I’m assessing risks and making recommendations about. It can start to feel pretty abstract.

Out in the real world, however, things get a little more physical. For example, at my local grocery and drug stores, they have the “pay-by-touch” system where you can just use your thumbprint to biometrically authenticate yourself and pay for your groceries. It’s been deployed for at least a year and I have yet to see anyone use it. I have also examined the reader on more than one occasion and noticed a layer of dust across the scanning area–people aren’t even interested in playing with it.

Quite the opposite, in fact. Last week, I was waiting in line behind two women, one of whom was a “local” and the other an out-of-town guest, based on their conversation. They reached the counter and the visitor noticed the pay-by-touch machine, which led to a conversation that went roughly like:

“What’s that?”

“That’s the fingerprint pay thing.”

“You pay with your fingerprint?”

“Well, I don’t, but you can.”

“Not me. That’s creepy, big-brother-ish.”

“You won’t see me using it.”

Now I had always assumed that, other than security professionals, the reason that biometrics haven’t taken off was an unwillingness to accept the risk of catching whatever disease the user before you had or having your key stolen by way of a sharp knife.

But if the resistance is actually based on a distrust of the information state and corporate or governmental privacy abuse, then it’s going to take a lot more than Sony’s technology solution to the biometric “key theft” problem.

The company’s biometric system uses an infrared camera to record the unique pattern of capillaries just beneath the skin, which can only be seen when blood is pumping through them. When this blood flow is cut off - when the finger is cleaved from the body, for example - the pattern disappears and the finger can no longer be used for identification. Thumbs up to Sony for this one.

All hype aside, the commercial release of finger scanners based on Sony’s patent will not be the inflection point of increased biometric adoption.

This is a people and process/policy problem, not a technology problem. Getting buy-in will only happen if people believe that their personal information is being handled responsibly, something that (at least here in the United States) the government and corporations demonstrate every day they have less-than-no interest in doing–they’re all-too-often trying to either weaken or develop workarounds to what anemic privacy rights we have.

Personally, I would argue that people are behaving sensibly in this case. They look at the supposed benefits of pay-by-fingerprint, which are quite clear and finite, primarily that it is “secure*” and convenient. This also ignores the reality that the inconvenience of grocery shopping is the shopping and standing in line, not paying for your stuff once you finally get to the front of the checkout line.

I think that most people (rightly) compare that to the potential risks, which are perceived to include Big Brother-ish snooping, disease, and getting your finger chopped off, and decide that the risks outweigh the benefit.

* I strongly suspect that if you examined the security of the system, it would be quite weak. Additionally, depending on how the transaction agreement is structured, the consumer might be exposed to liability for fraudulent transactions that they are currently protected from by law with a credit card transaction.

Personally, I would be very hesitant to create a new, unevaluated avenue for risk of financial loss for what is at-best a minimal convenience gain.

How to present a risk assessment

Friday, June 15th, 2007

This is not only an interesting risk assessment, but also an excellent approach to explaining risk to people such as business decision makers. The ability to present a compelling argument in the face of lack of data or disagreement with the data is a critical skill for those of us who must explain risks to our businesses.

I have successfully used similar approaches in the past with generally good results. Sometimes, people aren’t going to Do The Right Thing, regardless of the logic, and all you can do is make it clear that they were well-informed before making their wrong decision. That is, of course, what we refer to as “becoming a statistic.”

Watch the video (it’s 9 1/2 minutes). Even if you completely disagree with him, watch him for technique, then I’ve got my post-game after the jump.



Progressive and regressive risk management

Tuesday, June 12th, 2007

Equality before the law is a concept that dates back to at least the writing of the U.S. Constitution. The meaning has evolved over time, but generally boils down to the concept that protections and penalties should be constant for everyone who comes into contact with the legal system.

I’m not going to claim that this has often (ever?) been the case, but it certainly seems like an admirable goal which some have pursued more aggressively than others. For example, in Finland, traffic fines increase progressively with income:

In Finland, traffic fines generally are based on two factors: the severity of the offense and the driver’s income. The concept has been embedded in Finnish law for decades: When it comes to crime, the wealthy should suffer as much as the poor. Indeed, sliding-scale financial penalties are also imposed for offenses ranging from shoplifting to securities-law violations. “This is a Nordic tradition,” says Erkki Wuoma, special planning adviser at the Ministry of Interior. “We have progressive taxation and progressive punishments. So the more you earn, the more you pay.”

The Finns obviously understand Utility in a way that Americans, who all slept through economics based on my personal observations, do not.

In fact, if anything the trend here in the U.S. is heading the opposite direction, with Jail Upgrades now becoming an option for certain crimes and criminals:

For offenders whose crimes are usually relatively minor (carjackers should not bother) and whose bank accounts remain lofty, a dozen or so city jails across the state offer pay-to-stay upgrades. Theirs are a clean, quiet, if not exactly recherché alternative to the standard county jails, where the walls are bars, the fellow inmates are hardened and privileges are few. . . .

While equality under the law has always been a joke in the United States–research has shown repeatedly that the ability to afford extravagant (or at least competent) legal defense directly correlates to lower conviction rates and shorter sentences–at least the playing field purported to be level.

While I feel that the current state of inmate safety within the prison system is a travesty, I don’t feel that providing officially-sanctioned mitigation to those who can afford it is an appropriate starting point to fixing the problem. Physical and sexual violence at the hands of their fellow inmates is probably a non-violent offender’s greatest perceived risk during incarceration. To allow the wealthy to opt out of it, so long as their crimes are not too heinous, strikes me as outrageous and probably (IANAL, etc.) unconstitutional.

To me, $82/day (which is what the “safe” jails cost) would be expensive but well worth it for the risk mitigation it would provide. For others, $82/day is probably less than they would have spent each day on lunch if they were On The Outside. For most people, however, $82/day (== $9.00/hr working a 40-hour work week) is simply not an option. This is pretty much the definition of a regressive system.

If punishments (the Impact in a personal risk decision) are intended to encourage the desired risk decision (Avoidance, which is to say, “don’t do the crime”), which system seems more likely to encourage that behavior, meaning, Is Good Risk Management?

Knowing what you don’t know

Monday, June 11th, 2007

Security, as we all (should) know, is a people problem. Throw a little bit of technology into the mix and it can get messy in a hurry. I’ve got two interesting tales of security woe today, both addressing the role of people and, more specifically, the interaction of people and technology leading to security woes.

First, consider the case of a Powerpoint presentation from the Office of the Director of National Intelligence:

Terri Everett of the Office of the Director of National Intelligence gave a Powerpoint presentation which was also hosted online, unfortunately some data behind his pie charts revealed rather more than intended. Writer R.J. Hillhouse found that she could open the chart object and extract the numbers from within. The result is that she, (and all of us, thanks to her blog) now know that the budget of the 16 US intelligence agencies is 25% more than previously thought - $60 billion.

Oops. For some reason, people often fail to comprehend that data-driven tools (such as graphing controls) are backed by data, and that unless they explicitly sever that relationship (for example, by copying and pasting the values they want to use into a new document), the underlying data from which they distilled their pretty pictures is still there, either directly or indirectly.
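A pre-publication check for this kind of leak, as an added example that is not part of the original post: it inspects a deck for chart data that would ship with it. It assumes the modern .pptx (OOXML zip) format, which may not be the format of the deck in the story, and the conventional `c:` namespace prefix in chart parts; the sample decks are constructed.

```python
import io
import re
import zipfile

# Part names inside a .pptx package (assumes the conventional "c:" prefix).
EMBEDDED = re.compile(r"^ppt/embeddings/.+")        # embedded source workbooks
CHART = re.compile(r"^ppt/charts/chart\d+\.xml$")   # chart definitions
CACHED_VALUE = re.compile(rb"<c:v>([^<]*)</c:v>")   # values cached in the chart


def audit_pptx(data):
    """List chart source data that would ship inside a .pptx package."""
    findings = {"embedded_parts": [], "cached_values": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in sorted(pkg.namelist()):
            if EMBEDDED.match(name):
                findings["embedded_parts"].append(name)
            elif CHART.match(name):
                raw = CACHED_VALUE.findall(pkg.read(name))
                if raw:
                    findings["cached_values"][name] = [v.decode("utf-8") for v in raw]
    return findings


def safe_to_publish(data):
    """True only if no embedded workbook and no cached chart values remain."""
    found = audit_pptx(data)
    return not found["embedded_parts"] and not found["cached_values"]


def build_package(parts):
    """Build an in-memory zip from {part name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, body in parts.items():
            pkg.writestr(name, body)
    return buf.getvalue()


# Constructed sample: a deck with a live chart, and the same slide as a picture.
CHART_XML = (
    b'<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart">'
    b"<c:ser><c:val><c:numRef><c:numCache>"
    b'<c:pt idx="0"><c:v>41.5</c:v></c:pt><c:pt idx="1"><c:v>18.5</c:v></c:pt>'
    b"</c:numCache></c:numRef></c:val></c:ser></c:chartSpace>"
)
LIVE_DECK = build_package({
    "ppt/slides/slide1.xml": b"<p:sld/>",
    "ppt/charts/chart1.xml": CHART_XML,
    "ppt/embeddings/Microsoft_Excel_Sheet1.xlsx": b"constructed placeholder bytes",
})
FLATTENED_DECK = build_package({
    "ppt/slides/slide1.xml": b"<p:sld/>",
    "ppt/media/image1.png": b"constructed placeholder bytes",
})

if __name__ == "__main__":
    print(audit_pptx(LIVE_DECK))
    print(safe_to_publish(FLATTENED_DECK))
```
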

But the problems don’t stop there. A critical eye and a fundamental understanding of the system that the data is modeling can catch all sorts of interesting opportunities.

For example, a couple of years ago I was reviewing the results of our annual employee satisfaction survey. The information included not just my department, but the totals for each department in the entire group up through the CISO.

I noticed that there seemed to be an off-by-one error in one of the results, and realized that it wasn’t an error, but rather that the CISO’s answers had been included in the totals (“x people rated us a 1, y people rated us a 2 on it,” etc.) as an unlisted one-person department! It therefore became trivial to extract out his “confidential” answers to the entire survey.

Fortunately, the survey had not been widely distributed yet (and most people who had a copy hadn’t looked hard enough to notice this), but even so HR was loath to withdraw and re-issue every report that was vulnerable to this simplistic Data Mining Attack.
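A release check that would have caught the survey problem, as an added example that is not part of the original post: for each question it subtracts the listed departments from the roll-up total and flags any group, listed or unlisted, smaller than a minimum size. The threshold of 5, the question text and all counts are constructed assumptions.

```python
from collections import Counter

MIN_GROUP = 5  # assumed suppression threshold (not from the post)


def residual(total, listed):
    """Responses present in the roll-up total but in no listed department."""
    rest = Counter(total)
    for hist in listed:
        rest.subtract(hist)
    return {rating: n for rating, n in sorted(rest.items()) if n > 0}


def audit_question(total, departments, min_group=MIN_GROUP):
    """Return (group, size, histogram) for every group smaller than min_group."""
    findings = []
    for name, hist in departments.items():
        size = sum(hist.values())
        if 0 < size < min_group:
            findings.append((name, size, dict(hist)))
    hidden = residual(total, departments.values())
    size = sum(hidden.values())
    if 0 < size < min_group:
        findings.append(("<unlisted>", size, hidden))
    return findings


def audit_report(report, min_group=MIN_GROUP):
    """Map each question to its findings; an empty dict means safe to release."""
    out = {}
    for question, data in report.items():
        found = audit_question(data["total"], data["departments"], min_group)
        if found:
            out[question] = found
    return out


# Constructed sample: rating (1-5) -> number of respondents, per question.
SAMPLE_REPORT = {
    "Q1: I trust senior leadership": {
        "departments": {
            "Engineering": Counter({2: 3, 3: 10, 4: 12, 5: 5}),
            "Operations": Counter({1: 1, 3: 8, 4: 9, 5: 2}),
        },
        # One more "5" than the listed departments account for.
        "total": Counter({1: 1, 2: 3, 3: 18, 4: 21, 5: 8}),
    },
    "Q2: My workload is reasonable": {
        "departments": {
            "Engineering": Counter({1: 2, 2: 6, 3: 12, 4: 8, 5: 2}),
            "Operations": Counter({2: 4, 3: 9, 4: 6, 5: 1}),
        },
        # One more "2" than the listed departments account for.
        "total": Counter({1: 2, 2: 11, 3: 21, 4: 14, 5: 3}),
    },
}

if __name__ == "__main__":
    for question, found in audit_report(SAMPLE_REPORT).items():
        print(question, found)
```

Listing the one-person group explicitly would not help; the fix is to leave its answers out of the published totals or to publish only at a level where every group meets the threshold.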

Next, carrying forward the theme of the importance of knowing how much you do or don’t know, there’s a tale of social engineering gone horribly wrong. For a little background, Steam is a combination online community and license key management application that Valve Software, a major game developer, built to support their online games and (eventually) roll some fairly DRM-ish anti-piracy features into their products.

Their technology is good enough that social engineering has become the preferred method of stealing keys. Of course, it works better for some than others, and so our story begins…

Greg_ValveOLS says:
my name is greg a member of the valve online Support team

br0kenrabbit says:
On MSN?

Greg_ValveOLS says:
yes :)

br0kenrabbit says:
Why?

Greg_ValveOLS says:
we logged multiple ips from your account and ned to verifi your information

br0kenrabbit says:
My information?

Greg_ValveOLS says:
we believe someone may have stolen your account mmmm you havent shared youre account infomation with anyone have you?

I won’t endorse the final outcome of the conversation, but needless to say, social engineering can be kind of like picking a fight in a bar–you won’t know just who you’re up against until it’s too late.

My very own movie plot threat

Friday, June 8th, 2007

Since I’m spending some quality time stuck in an airport this afternoon, I’ve had a while to ponder this unique form of security theater and come up with a new form of movie-plot terror threat which, if attempted, would probably take passenger inconvenience to a new level.

It’s simple–ninjas. Cold-blooded assassins who need nothing but their sock feet (no shoe bombs here!) and bare hands to take down a plane. A video could be released onto the ‘Net of these trained suicide killers practicing punching out the windows of old airliners to depressurize the cabin.

The only “solution” would be to handcuff all passengers for the duration of the flight, of course.

Just a thought.

Things you don’t see every day

Wednesday, June 6th, 2007

Some days, I think that the only thing that occurs less frequently than actual terrorist plots or attacks is public figures speaking reasonably about terrorist plots and attacks. But that’s exactly what Michael Bloomberg, the mayor of New York City, seems to have done:

WCBS-TV quoted Mr. Bloomberg as saying:

There are lots of threats to you in the world. There’s the threat of a heart attack for genetic reasons. You can’t sit there and worry about everything. Get a life.

The mayor added, “You have a much greater danger of being hit by lightning than being struck by a terrorist.”

Maybe there’s hope yet for rational thinking in the face of mindless, media-driven fearmongering.

Don’t do it “For Security”

Friday, June 1st, 2007

So much for the “Upgrade to Vista for improved security” line.

Computer Reseller News held a security bakeoff between XP and Vista and the results were less-than-impressive:

…businesses that migrate their Windows PCs from XP to Vista will get a slightly more secure OS. But as the Finjan reports showed, Vista’s security remains wafer thin.

In the end, both the Vista and the XP test notebooks were almost equally damaged by viruses, trojans and other malware. And because most of the Web sites in the test were able to exploit Vista’s weaknesses, Internet users are just about equally vulnerable with both OSes.

What isn’t mentioned is that most of even the incremental benefit only comes by surrendering yourself to Trusted Computing–essentially, handing the decision of what’s “OK” on your system over to Microsoft and their anointed corporate partners like the MPAA and RIAA. I’ll pass on that, thank you.

Talking to the OS gurus I know, they’re generally less-than-impressed by Vista as well, and not just from a security perspective. Throw in the DRM Nightmare it brings with it, and the story becomes even less compelling in my mind.

However you want to look at it, though, whether from a Dan Geer’s biodiversity perspective or just as a good application of Portfolio Theory, having multiple operating system options is a Good Thing for reducing risk to the computing infrastructure.