Wednesday, May 19, 2010

Terrorist threats and computer intrusions lead to onsite intrusions

Worst Case Scenario Thinking

I've been reading books and articles by Bruce Schneier since 2002, when I purchased Applied Cryptography. I have a 50/50 opinion of him: on some days, or on some of his opinions, I think he's right, and other times I disagree heartily. His recent write-up, "Worst-case thinking makes us nuts, not safe" (CNN.com), is one of his best critiques of security thinking. He basically says worst-case thinking makes us ineffective by encouraging and substantiating any wild claim of likely future events. His quote and critique of Rumsfeld is especially entertaining.

I do think Schneier's prohibition on thinking about and preparing for the worst is a little too extreme. For instance I think all high profile government offices should anticipate an Oklahoma City bombing as at least higher than 0 probability, but of course lower than a 1.

Still, it is useful to consider an over-emphasis on the unlikely, bizarre and anomalous as unproductive preparation. In this frame of critique I'd like to suggest what is productive preparation:

  1. Incorporate every anticipation into your site plans.

  2. Make every task in your site plan truly doable by the employees you have. This implies officers performing with competence and honesty, but the greatest onus of responsibility is on security management to establish reasonable and doable tasks. Assigning the undoable is worse than no assignment at all, because it creates a norm to ignore orders. Of course discipline or terminate employees who do not perform reasonable orders they have had adequate training for.

  3. Daily (or hourly) routines are the antithesis of worst-case thinking; they are the blah kind of subject matter, as opposed to imagining a nuclear bomb in a white van. Daily routines, such as patrols, are the holy grail. Security is only as good as these routines provide. The "worst case" is going to be stopped by these, not by an expensive consultant visiting your company and telling his battle stories.

  4. Of course it is entirely reasonable to factor in flamboyant threat-thought such as IEDs and other terrorist tactics. Security officers should have access to a compact document describing materials and behaviors to watch for.

Computer Network Security

The site I work at is government. They have chosen to use especially vulnerable software, in some cases simply not updated, and in other cases a more vulnerable software when a cheaper remedy is well known and available. My security company and I lack the authority or leverage to change their computer software to something more secure. We are moving further into a century in which every aspect of business activity is controllable via computer network. Physical intrusion into the sites we are assigned to protect will happen because the computer network was hacked. I anticipate years of tension and vulnerability for traditional security companies and their clients, as the computer network becomes more and more the entryway onto the physical site. Read: http://www.networkworld.com/community/blog/black-duck-eggs-and-other-secrets-chinese-hac
