Inert Detritus The Internet's dust bunnies

15 August 2006 @ 9am

On Security, Terrorism, and Risk

I’m tak­ing a post by Bruce Schneier and run­ning with it.

None of the secu­ri­ty pre­cau­tions in place in air­ports have pre­vent­ed or thwart­ed a sin­gle ter­ror­ist attack since 9/11. Richard Reid, the “shoe bomber”, got through secu­ri­ty, and was only tak­en down by strong-willed pas­sen­gers and doc­tors with seda­tion medicine.

The “secu­ri­ty” put into place in air­ports is risk shift­ing, not risk reduc­ing. What’s the difference?

Risk shift­ing is hard­en­ing one spe­cif­ic tar­get, in hopes that attacks or secu­ri­ty breach­es will instead be focused on some­thing else. When air­port secu­ri­ty improves, we’ve sim­ply made oth­er tar­gets more attrac­tive. This is what secu­ri­ty experts, such as Schneier, mean when they say, “If they tar­get shop­ping malls, we’ve wast­ed our money.”

A tac­tic is risk reduc­ing if it reduces over­all risk for all tar­gets. LoJack is a per­fect exam­ple of risk reduc­tion: if my car has LoJack, the crim­i­nals are very like­ly to be caught, arrest­ed, and pros­e­cut­ed, low­er­ing risk for all car own­ers. (LoJack is also risk shift­ing: crim­i­nals know that any giv­en car may have LoJack, and so they may choose to rob hous­es, or mug peo­ple instead.)

Many peo­ple will naive­ly say, “Why not just pro­tect every­thing,”, ask­ing if we could shift risk out of the coun­try entire­ly. We could put met­al detec­tors at the entrance to every air­port, shop­ping mall, and restau­rant. This would cost more than the Unit­ed States GDP, and ter­ror­ists would then car­ry ceram­ic knives instead of met­al ones, or blow up cars in the unscreened park­ing lot. The risk would been shift­ed from the crowds of peo­ple to the crowds of peo­ple and prop­er­ty nearby.

There is no fea­si­ble way to hard­en every tar­get in the Unit­ed States. There are too many bridges, nuclear reac­tors, tall build­ings, parks, down­town mar­kets, too many any­thing to pos­si­bly pro­tect them all.

This is why Schneier harps, over and over, on why we should reduce risk, instead of shift­ing it. Real secu­ri­ty, like intel­li­gence ser­vices and pub­lic aware­ness, reduce risk. Evac­u­a­tion plan­ning, emer­gency ser­vices, things designed to min­i­mize impact reduce risk.

Ter­ror­ists pose two basic risks to the Unit­ed States: eco­nom­ic dam­age through pub­lic fear, and loss of life through high-pro­file attacks. Telling the pub­lic that the lat­ter is “immi­nent” with­out giv­ing details only caus­es the for­mer. We are our own worst ene­my, at the end of the day.

One last remark, from the com­ments:

… against an ene­my deter­mined to kill you at any cost, even killing them­selves in the process, all the secu­ri­ty in the world won’t pro­tect you forever.