Tuesday, April 16, 2013

The (Mis)Perception of Safety

Yesterday, I was fascinated by the fact that my kids were so enthralled by the athleticism and spirit shown by the runners in the Boston Marathon that once they returned home from watching the race, they hosted their own "marathon" in our back yard, complete with number sheets taped to their shirts. They were oblivious to the tragedy that had occurred, innocence retained despite it's loss elsewhere. I tend to think my fascination humanizes me a little.

Being a security professional during catastrophic human events such as the Boston Marathon Bombing is a sobering position. At times manic with grief and disbelief, and at others a bit calculating and analytical, I can probably come off as standoffish at best, inhumane at worst. I accept the perception that others have of me but I would argue coming from a reasonable perspective is the best way to counter irrational acts of violence.

Perception is at the heart of how we react and respond to terrible events such as that which happened in my new adopted city on Patriots Day. Whatever we do, we must not let go of our humanity nor relinquish the rights and civil liberties that the great patriots of the past and those of our present sacrificed so much for. Allowing ourselves to give in to fear is the ideal outcome for our attackers.

There is no such thing as absolute security. In IT, the only absolute security would be to disconnect your computer from the Internet, wipe your data from it, and turn it off. But doing so would render it useless, an expensive and toxic paper weight that looks beautiful to geeks when operational but serves almost no aesthetic value whatsoever in other circumstances. To "secure" that piece of equipment, we assess risk based on criteria that may be at times very formal or informal depending on its operational context. Oftentimes, the measures and countermeasures that we apply are based on gut, our intuition of what will be sufficient and satisfactory. Then, we measure effectiveness based on the history of compromise. When that historical data illustrates negligible damage, we gain a perception of security that raises in a disproportionate curve relative to the risk. Essentially, the more that something bad doesn't happen, the stronger our belief that it never will. It's illogical and irrational, but that's how perception works.

Security professionals understand that when given time, opportunity, and desire, any dedicated attacker will eventually circumvent the controls that we put in place. When we convey this more realistic risk perspective of failure in the midst of strong historical data pointing to success, managers and executives often perceive us as naysayers simply seeking to justify our existence. 

However, if and when something does go wrong, we are held accountable for either not doing enough or not effectively communicating the actual risks. With a snap of the finger, the perception of success and longevity is replaced with that of failure and fragility. The positive curve that reflected an irrational sense of strength is marred by a mirror-imaged negative data point. From a statistical perspective, the actual risk remains unchanged, the one negative data point being insignificant when considered within the set of all data points. But, with perception already shown to be irrational, the one negative instance essentially erases the positive history to result in a net negative overall perception. 

As a security pro, my job is essentially to understand the actual risk and to manage a tenuous balance between the irrational and the illogical elements of perception. In my experience, that is a rare talent that often leaves me and other security folks on the wrong side of any event, positive or negative.

Security and safety are close brethren when considered within the context of perception. As we experience events in life, those events drive our perception of individual and collective safety. If we live in general safety, as we do just about anywhere in the United States, then we perceive ourselves as being safe in just about anything that we can do. With enough positive historical data, human nature steers us to an irrational sense of safety, even when approaching new or rare situations. In reality, there is always some level of risk, but we effectively choose to accept or ignore it based on our individual experiences. When you hear someone address the risk of something bad happening by saying, "It's never happened to me or to anyone I know," it demonstrates that same fallacy in human thinking.

Then, catastrophe strikes. The "unimaginable" happens that not only eliminates our irrational sense of safety, it swings us into an exaggerated arc to question our general safety. Despite all evidence showing that one disastrous event is insignificant when considered within a broader data set, we begin to question our experiences and wonder if we are seeing a new trend. We effectively redefine our baseline perception based on a single event.

Our response then tends to be similarly irrational. We begin asking what we could have done to be more safe. But, because of our irrational negative perspective in following a single negative event, we believe that we must do much more to achieve the same level of perceived safety we once had before the negative event. That's a second logical fallacy. We think that the problem is external, the responsibility of others, but fail to consider that our perception of safety may have been incorrect, or at least exaggerated, to begin with. 

It's that understanding that really gets me in trouble. I don't intend to be unsympathetic or to blame anyone. Rather, I hope that others can appreciate that, by having a more rational sense of safety, we can improve our collective understanding of what it is that makes us safe. For example, I would argue that we feel safe lining the marathon route, as my wife and kids did yesterday, because there is almost no historical evidence pointing to anything remotely bad happening at the Marathon in over a hundred years. We intuitively know that events that cause large numbers of people to gather in discrete locations are potential targets, but we don't believe that we will be targeted. Why the logical fallacy? Because we aren't generally seen as targets by those around us. We have an inherent human belief that each of those around us is as interested in his or her safety as we are. Historical evidence shows that to be true. Yet, every once in a while, events like what happened yesterday remind us that the truth is general but incomplete.

As a security professional, I can define risk in everyone I encounter, every event I attend, and every gathering I participate in. But, as a human being, I generally choose to accept that risk because it's not worth living life always wondering "what if." Perhaps there is more that can be done, but we must be careful to consider the actual benefits and potential consequences of our actions. For example, perhaps we could ban knapsacks at major outdoor events, but at what cost of enforcement? Would we lock down the entire city of Boston with intrusive searches, metal detectors, National Guard troops for next year's marathon? Those actions would most certainly increase our actual safety but would fail to eliminate the risk. So, if catastrophe were to happen again, what then? 

Just like the secure computer system, absolute safety at the Marathon is unachievable without simply canceling the whole thing. But then, how would our kids be able to view the indomitable spirit that drives us as human beings, the sheer determination in the face of adversity, that pain may show in our faces but not stop us from achieving the improbable, and how their support on the sidelines contributes to each runner's thrill in being victorious? That collective celebration of our humanity makes us better than those who choose to violate it. Erecting obstacles, challenging our civil liberties, and paying for much greater enforcement erodes at that experience and ultimately allows those very few, insignificant individuals that attack us to achieve far greater success than should be statistically possible.

Rather than seek the impossible, let's rally around those who were victimized by this obscenity and demonstrate to them that we will not answer their sacrifice with further sacrifice. Let's not run and hide and wonder what else we could do differently. Instead, we should challenge ourselves to view this event as the statistically insignificant blip that it is. Our perception may be shaken, but we are no less safe than we were yesterday, just a little more knowledgeable of the risks. I know from experience that that knowledge can be a powerful control in and of itself. We may never be able to eliminate these disasters from happening, but we can most certainly rise above them. History shows that when we do, we win.