Inert Detritus The Internet's dust bunnies

Posted
15 August 2006 @ 9am

On Security, Terrorism, and Risk

I’m taking a post by Bruce Schneier and running with it.

None of the security precautions in place in airports have prevented or thwarted a single terrorist attack since 9/11. Richard Reid, the “shoe bomber”, got through security, and was only taken down by strong-willed passengers and doctors with sedation medicine.

The “security” put into place in airports is risk shifting, not risk reducing. What’s the difference?

Risk shifting is hardening one specific target, in hopes that attacks or security breaches will instead be focused on something else. When airport security improves, we’ve simply made other targets more attractive. This is what security experts, such as Schneier, mean when they say, “If they target shopping malls, we’ve wasted our money.”

A tactic is risk reducing if it reduces overall risk for all targets. LoJack is a perfect example of risk reduction: if my car has LoJack, the criminals are very likely to be caught, arrested, and prosecuted, lowering risk for all car owners. (LoJack is also risk shifting: criminals know that any given car may have LoJack, and so they may choose to rob houses, or mug people instead.)

Many people will naively say, “Why not just protect everything,”, asking if we could shift risk out of the country entirely. We could put metal detectors at the entrance to every airport, shopping mall, and restaurant. This would cost more than the United States GDP, and terrorists would then carry ceramic knives instead of metal ones, or blow up cars in the unscreened parking lot. The risk would been shifted from the crowds of people to the crowds of people and property nearby.

There is no feasible way to harden every target in the United States. There are too many bridges, nuclear reactors, tall buildings, parks, downtown markets, too many anything to possibly protect them all.

This is why Schneier harps, over and over, on why we should reduce risk, instead of shifting it. Real security, like intelligence services and public awareness, reduce risk. Evacuation planning, emergency services, things designed to minimize impact reduce risk.

Terrorists pose two basic risks to the United States: economic damage through public fear, and loss of life through high-profile attacks. Telling the public that the latter is “imminent” without giving details only causes the former. We are our own worst enemy, at the end of the day.

One last remark, from the comments:

… against an enemy determined to kill you at any cost, even killing themselves in the process, all the security in the world won’t protect you forever.