I would rather consult a twice convicted Vegas bookie on the odds of a terrorist attack than any number of government- or industry-subsidized risk whisperer purveyors of formulae. Why? Because the latter -- whether they do this openly or subconsciously -- tailor their products to their masters, who increasingly call for risk assessments as a means of demonstrating how much more their given operation or jurisdiction merits funding over a lesser competitor, i.e., an entity not nearly facing so much risk of dire consequences. The same approach holds true regardless of whether the risk calculation involves the likelihood of terrorist attack or of natural disaster. The master wants as much of the pot of available money as can be won by legitimate wrangling and maneuvering, as for Urban Area Security Initiative funds. Hence the recent news from the New York Observer (details at http://www.observer.com/2011/politics/victory-new-york-receive-increase-anti-terrorism-funding) that an amendment has just passed the House that would enable New York City to receive more anti-terrorism funding. Where do calculations of risk come into play? This amendment proposes that only the 25 "highest-risk" cities would receive UASI funding. Alas for those cities that may actually be more vulnerable because they lack the resources to detect, counter, or mitigate an attack. One wonders if America's adversaries are sufficiently respectful of such maneuvering to heed the risk whisperers and to limit their attacks only to the 25 designated cities.
Now for a return to the Vegas bookie. Isn't he a little more palatable by contrast? Why? Because he has a vested interest in the results of his oddsmaking. If he is wrong, the bet that has to be paid off affects his bottom line. If he is right, the profits are what he has earned. Today's risk whisperers, by contrast, have everything to gain and nothing to lose by offering their dire predictions and calculations of relative risk. First, no public or private institution accords risk assessors executive decision-making authority. This is why the Department of Energy, despite generations of sponsoring Sandia and its computationally intensive risk assessment methodologies, does not look to its own in-house risk gaugers to decide budget priorities to counter leaks of nuclear secrets or security breaches. Second, risk whisperers have no skin in the game. They suffer no penalty for getting it wrong. Instead, they have the luxury of proclaiming that unknown variables came into play, or that their advice was imperfectly followed, or any other reasonable-sounding excuses. Imagine what would have happened if carnage experienced at Oklahoma City, Virginia Tech, or Fort Hood had to be anticipated through the same risk assessments that now determine which 25 cities are in greater danger than any others. Would any of these venues have made the list? Probably not. One can already hear the disclaimers being whispered: not the same kind of attack ... different situations ... other variables.
But the bookie would have to pay for getting it wrong and, so chastened, would be a little more careful in handicapping the next event. Give me the bookie any time.
-- Nick Catrantzos
Wednesday, February 23, 2011
Tuesday, February 8, 2011
The Protective Sequence
Dilettantes and agenda-driven executives ignore this for reasons of naivete or self-dealing: Security at times needs to occur in a particular sequence to maximize protective value. Indeed, this sequence can be like a telephone number, where the only way to get through is to dial all the right digits in the right order. There is little value in getting the numbers right but the sequence wrong. Where do we see this phenomenon at work?
Bomb Threat Checklists
What is the first question a well crafted security checklist would have you ask the person calling in a bomb threat? If it is either of these, then the architect of the checklist is not a security professional:
- What is your name?
- Why are you doing this?
Such questions waste precious time, making the caller defensive or inviting a diatribe without arming defenders with any immediately actionable information. Instead, what a security professional wants asked right away are questions that lend themselves to meaningful response, like
- When is it going off?
- Where is it?
- What does it look like?
In fact, the answer to the first question may well dictate whether the person taking the call stays around long enough to wade through the entire checklist. If the bomb threat checklist begins with questions that are emotively charged or otherwise take the dialogue in a direction other than one that allows finding or assessing the immediate threat, you may safely bet that this checklist is the product of a committee or rear-echelon staffer far removed from real-time response.
Critical Asset Protection
The same phenomenon applies on a larger scale when taken to the prevention vs. prosecution debate. If your prime objective is to protect people and property, you soon learn that you earn your salary not by catching adversaries after they have inflicted losses but by preventing those losses from occurring in the first place. True enough, apprehension and prosecution remain important societal objectives, linking crime to punishment and serving to throttle the baser impulses that, unchecked, might give rise to a world dominated exclusively by predators and societies marching daily by starkly Darwinian notions of survival. But a public safety objective is not necessarily the same as a security objective -- particularly if the security objective is to protect a critical asset. In the latter case, the management decision boils down to this: Do I apply my resources to catching the people who annihilate my employees and cripple my operations, or do I focus those resources on preventing such consequences to the best of my abilities?
The obvious answer is the latter. The right answer is more nuanced, seeking out a hybrid approach that really amounts to getting the sequence right. First prevent. Then respond, to at least limit the damage to the extent possible. Then worry about apprehension and prosecution. To do otherwise may nevertheless deliver societal value and validate the existence of organizations optimized to chase more than to interdict, but their objectives are not security objectives -- at least not as far as concerns the people, assets, or operations targeted. The dead, bankrupt, and leveled find small comfort in the eventual revelation that the agent of their destruction did not get away with it.
-- Nick Catrantzos
Bomb Threat Checklists
What is the first question a well crafted security checklist would have you ask the person calling in a bomb threat? If it is either of these, then the architect of the checklist is not a security professional:
- What is your name?
- Why are you doing this?
Such questions waste precious time, making the caller defensive or inviting a diatribe without arming defenders with any immediately actionable information. Instead, what a security professional wants asked right away are questions that lend themselves to meaningful response, like
- When is it going off?
- Where is it?
- What does it look like?
In fact, the answer to the first question may well dictate whether the person taking the call stays around long enough to wade through the entire checklist. If the bomb threat checklist begins with questions that are emotively charged or otherwise take the dialogue in a direction other than one that allows finding or assessing the immediate threat, you may safely bet that this checklist is the product of a committee or rear-echelon staffer far removed from real-time response.
Critical Asset Protection
The same phenomenon applies on a larger scale when taken to the prevention vs. prosecution debate. If your prime objective is to protect people and property, you soon learn that you earn your salary not by catching adversaries after they have inflicted losses but by preventing those losses from occurring in the first place. True enough, apprehension and prosecution remain important societal objectives, linking crime to punishment and serving to throttle the baser impulses that, unchecked, might give rise to a world dominated exclusively by predators and societies marching daily by starkly Darwinian notions of survival. But a public safety objective is not necessarily the same as a security objective -- particularly if the security objective is to protect a critical asset. In the latter case, the management decision boils down to this: Do I apply my resources to catching the people who annihilate my employees and cripple my operations, or do I focus those resources on preventing such consequences to the best of my abilities?
The obvious answer is the latter. The right answer is more nuanced, seeking out a hybrid approach that really amounts to getting the sequence right. First prevent. Then respond, to at least limit the damage to the extent possible. Then worry about apprehension and prosecution. To do otherwise may nevertheless deliver societal value and validate the existence of organizations optimized to chase more than to interdict, but their objectives are not security objectives -- at least not as far as concerns the people, assets, or operations targeted. The dead, bankrupt, and leveled find small comfort in the eventual revelation that the agent of their destruction did not get away with it.
-- Nick Catrantzos
Subscribe to:
Posts (Atom)