» Archive for December, 2007
Airport Insecurity
The old saying, “Don’t just stand there, do something!” could pretty well sum up the TSA & Homeland Security’s approach to selecting airport security measures. Per Reuters, “No proof airport security makes flying safer: study”:
Airport security lines can annoy passengers, but there is no evidence that they make flying any safer, U.S. researchers reported on Thursday.
A team at the Harvard School of Public Health could not find any studies showing whether the time-consuming process of X-raying carry-on luggage prevents hijackings or attacks.
They also found no evidence to suggest that making passengers take off their shoes and confiscating small items prevented any incidents.
The U.S. Transportation Security Administration told research teams requesting information their need for quick new security measures trumped the usefulness of evaluating them.
I have traditionally ascribed the pointless harassment we call “security” in airports to incompetence, a desire to exert control over others and political expediency rather than any real interest in or understanding of what would produce effective security. DHS/TSA seem to view air travelers as a group to be handled in a manner akin to a prison population, where everyone is 100% “bad” and must be controlled to prevent chaos, rather than as citizens who, on any given day, are almost certainly 100% good.
But to have them effectively admit that they don’t care whether their security measures are effective or not really makes my blood boil.
Posted in Security and Risk Management, Risk Management, Terrorism
Forecasting Wisdom for a Friday
From Cory Doctorow:
Whenever someone asks you which of two futures you think is more likely, your best bet is always “none of the above.”
Posted in Observations, The Grand Scheme Of Things
Too much of a good thing
From the always-excellent Economist’s View, a link to a fascinating study on medical overtreatment:
Vermont has one of the most homogenous populations in the country… Yet medical practice across the state varied enormously, for all kinds of care. In Middlebury, for instance, only 7 percent of children had their tonsils removed. In Morrisville, 70 percent did. …
The children of Morrisville weren’t suffering from an epidemic of tonsillitis. Instead, they happened to live in a place where a small group of doctors — just five of them — had decided to be aggressive about removing tonsils.
But here was the stunner: Vermonters who lived in towns with more aggressive care weren’t healthier. They were just getting more health care.
This sounds a lot like the information security industry. We’re relatively homogenous (Dan Geer’s Windows Monoculture is alive and well), and for the most part, the results of our efforts are pretty much the same: consistently mediocre, with high opportunity costs and lots of unrecognized externalities.
Spending varies hugely between organizations, no matter how you try to measure it. Most attempts at survey or measurement are really just comparisons of product inventories: “Do you run anti-virus? Check. Do you have IDS? Check.” The quality, coverage and effectiveness of the deployment never really come to bear. To make matters worse, the focus of most IT Security is all too often prioritized toward protecting the technology, rather than the information and processes which are the real assets*.
Finally, we live in a Tyranny of the Vocal where a small group of experts or analysts will tell us that something is “essential” or a “Best Practice,” and now we’re all expected to run out and do or (more likely) buy it, or be accused of negligence by everyone from those same analysts and experts to a chorus of worst-case-scenario FUD-Meisters.
How’s this approach working for the US healthcare business? Going back to the study…
“We spend between one fifth and one third of our health care dollars,” writes [Shannon] Brownlee, [author of Overtreatment] … “on care that does nothing to improve our health.” Worst of all, overtreatment often causes harm, because even the safest procedures bring some risk. …
Once again, more is not necessarily better. In other words, don’t solve problems you don’t have. Not only will it not make things better, but it might make things worse. Sounds just like InfoSec again.
So how do you figure out which problems you have and which need solving? It’s not FUD, frameworks, checklists, best practices. It’s Risk Management.
* Yes, I know that I will probably get at least one comment from someone saying, “That’s not true! I consider asset value.” Great. Now there are two of us. What about the tens of thousands who still don’t?
Posted in Security and Risk Management