The Economics of Security

That’s the title of Schneier’s upcoming RSA presentation, and yet his analysis of the Post Office shooting in California (titled “Security Problems with Controlled Access Systems“) lacks even a basic foundation in economics:

This is a failure of both technology and procedure. The gate was configured to allow multiple vehicles to enter on only one person’s authorization — that’s a technology failure. And people are programmed to be polite — to hold the door for others.

Many of the commentators picked this up right away and pointed out that it would be far too costly to upgrade the physical access controls at all post offices, since they are easy to defeat. Fine, but defeat by what/whom? The risk calculation is unbearably lopsided if all we do is debate how vulnerable we could be, as opposed to including what we need to protect ourselves from.

risk = asset x vulnerability x threat
threat = frequency x severity

Bruce does suggest that frequency should be taken into consideration when he notes “There is a common myth that workplace homicides are prevalent in the United States Postal Service”. But he still concludes rather misleadingly that basic gate and access card controls “failed” to prevent a motivated and armed assailant with insider knowledge from bypassing them. Moreover, he doesn’t address anything related to how the frequency might be determined going forward (or what countermeasures might have mitigated the threat, looking back).

Thus, I posted two comments to try and help balance out the discussion by touching on more of the economic considerations:

In a typical risk calculation, you have to factor in the threat as well as the vulnerabilities. If you don’t want to decrease the vulnerabilities (e.g. due to capital expense and inconvenience) then you should consider countermeasures for the threats. The article mentions the woman had been put on medical leave a couple years prior to the shooting and had tangled with law-enforcement already. Seems like there are some opportunities for improvement, regarding how her condition/situation was handled or at least monitored, that would give a far better return on investment than making a post office into a fortress.

It appears to me not just a failure of physical security (making the workers vulnerable), but of a health-care system (increasing the likelihood and severity of threats).

Posted by: Davi Ottenheimer at February 4, 2006 01:22 AM

It will be interesting to see if anyone makes the connection of the threat to Ronald Reagan’s program to reduce state (and eventually federal) spending on mental health treatment. Here’s how he described it in his Dec 7, 1973 article in the National Review:

“California has pioneered the concept of treating the mentally ill with an expanded system of community mental health programs. When we started, the budget for community treatment was $18 million. This year it is more than $140 million and California’s shift from the ‘warehousing of the mentally ill’ in large state mental institutions has become a model for the nation.”

Unfortunately, it turns out that while this appears to have reduced spending is has also led to a significant decrease in security and safety:

http://www.metroactive.com/papers/metro/07.30.98/cover/mentalprison-9830.html

“When then-governor Ronald Reagan closed state mental institutions in the 1960s, policy-makers anticipated that a network of community-based programs would develop to care for the mentally ill. But only a smattering of those facilities have materialized during the last three decades. In this county only 30 of these privately-run facilities provide 24-hour care to the mently disabled, leaving thousands with mental-health needs to fend for themselves. At the same time, new laws made it tougher to commit someone to the existing and meager state hospital system. California currently runs only five state mental hospitals, one of which is in Vacaville state prison. Of the 3,664 patients in state mental hospitals, the vast majority, 2,723, were placed there for criminal activity. Fewer than 1,000 Californians are held in state mental hospitals for solely medical reasons. For those who need 24-hour care but are not outwardly violent and have no police record, there are few institutions with openings, leaving patients in the care of families and communities often under-equipped to deal with them.”

Had the communities generated the programs, things might have been different. But it was a gamble and the risk of this policy appears to not only have been seriously understated but the savings up front seem to have transferred to far higher costs later on…

Posted by: Davi Ottenheimer at February 4, 2006 01:42 AM

I really enjoy Bruce’s blog, and the comments, but sometimes it feels like the market isn’t working since encryption is being ignored by the real cryptographers at the exact time when most of us need the most help with it. Instead, the market seems to be inciting him (as well as other specialists) to branch out into polisci, philosophy and economics…even a friend of mine who pioneered the use of ATM encryption is spending his time consulting on organizational risk. Strange, especially since I get more and more requests to help design and deploy identity and key management systems.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.