Category Archives: History

The Economics of Security

That’s the title of Schneier’s upcoming RSA presentation, and yet his analysis of the Post Office shooting in California (titled “Security Problems with Controlled Access Systems”) lacks even a basic foundation in economics:

This is a failure of both technology and procedure. The gate was configured to allow multiple vehicles to enter on only one person’s authorization — that’s a technology failure. And people are programmed to be polite — to hold the door for others.

Many of the commentators picked this up right away and pointed out that it would be far too costly to upgrade the physical access controls at all post offices, given how easy such controls are to defeat. Fine, but defeat by what, or by whom? The risk calculation is unbearably lopsided if all we do is debate how vulnerable we could be, as opposed to also including what we actually need to protect ourselves from.

risk = asset x vulnerability x threat
threat = frequency x severity
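To show how the threat term changes the answer, here is an added example (mine, not code from the post or from Schneier’s article) that runs the formula above over a hypothetical site and three hypothetical countermeasures. Every figure, and the option names “fortress”, “monitoring” and “do nothing”, are placeholders chosen to make the arithmetic visible; none of them is data about the Postal Service or the incident.

```python
"""Worked illustration of the post's risk formula (added example, not code
from the original page):

    risk   = asset x vulnerability x threat
    threat = frequency x severity

All figures below are hypothetical placeholders; they are not statistics
about the Postal Service or the shooting discussed in the post."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    asset: float          # value exposed, e.g. dollars lost if an attempt fully succeeds
    vulnerability: float  # probability an attempt gets past the controls, 0..1
    frequency: float      # expected attempts per year
    severity: float       # fraction of the asset lost per successful attempt, 0..1

    def threat(self) -> float:
        return self.frequency * self.severity

    def risk(self) -> float:
        """Expected annual loss under the post's formula."""
        return self.asset * self.vulnerability * self.threat()


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    vulnerability_factor: float = 1.0  # multiplies vulnerability; 1.0 = unchanged
    frequency_factor: float = 1.0      # multiplies frequency
    severity_factor: float = 1.0       # multiplies severity

    def apply(self, s: Scenario) -> Scenario:
        """Residual scenario once this countermeasure is in place."""
        return replace(
            s,
            vulnerability=min(1.0, s.vulnerability * self.vulnerability_factor),
            frequency=s.frequency * self.frequency_factor,
            severity=min(1.0, s.severity * self.severity_factor),
        )


def net_benefit(s: Scenario, c: Countermeasure) -> float:
    """Annual risk removed minus annual cost: a plain return on security investment."""
    return s.risk() - c.apply(s).risk() - c.annual_cost


def rank_by_net_benefit(s: Scenario, options: list) -> list:
    """Full calculation: asset, vulnerability, threat and cost all count."""
    return [c.name for c in sorted(options, key=lambda c: net_benefit(s, c), reverse=True)]


def rank_by_vulnerability_only(s: Scenario, options: list) -> list:
    """The lopsided view the post criticises: only 'how vulnerable are we' is compared."""
    return [c.name for c in sorted(options, key=lambda c: c.apply(s).vulnerability)]


# Hypothetical baseline: a site whose gate is easily tailgated (high vulnerability)
# but where this particular threat is rare (low frequency).
BASELINE = Scenario(asset=10_000_000, vulnerability=0.9, frequency=0.01, severity=0.5)

OPTIONS = [
    # Hardening every gate: cuts vulnerability a lot, at a high recurring cost.
    Countermeasure("fortress", annual_cost=200_000, vulnerability_factor=0.2),
    # Threat-side measure, e.g. follow-up on a known at-risk individual:
    # leaves the gate alone, halves expected frequency, costs little.
    Countermeasure("monitoring", annual_cost=10_000, frequency_factor=0.5),
    Countermeasure("do nothing", annual_cost=0),
]

if __name__ == "__main__":
    print("baseline expected annual loss:", BASELINE.risk())
    for c in OPTIONS:
        residual = c.apply(BASELINE).risk()
        print(f"{c.name:>11}: residual {residual:>9.0f}  net {net_benefit(BASELINE, c):>10.0f}")
    print("vulnerability-only ranking:", rank_by_vulnerability_only(BASELINE, OPTIONS))
    print("net-benefit ranking:       ", rank_by_net_benefit(BASELINE, OPTIONS))
```

With these placeholder numbers the vulnerability-only view puts the fortress first, while the full calculation puts it last: it removes the most vulnerability but costs far more than the risk it removes, and the cheap threat-side measure is the only option with a positive return. Change the frequency or asset figures and the ordering can flip, which is exactly why both terms belong in the debate.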

Bruce does suggest that frequency should be taken into consideration when he notes “There is a common myth that workplace homicides are prevalent in the United States Postal Service”. But he still concludes, rather misleadingly, that basic gate and access card controls “failed” to prevent a motivated and armed assailant with insider knowledge from bypassing them. Moreover, he doesn’t address how the frequency might be estimated going forward (or, looking back, what countermeasures might have mitigated the threat itself rather than the vulnerability).

Thus, I posted two comments to try and help balance out the discussion by touching on more of the economic considerations:

In a typical risk calculation, you have to factor in the threat as well as the vulnerabilities. If you don’t want to decrease the vulnerabilities (e.g. due to capital expense and inconvenience) then you should consider countermeasures for the threats. The article mentions the woman had been put on medical leave a couple years prior to the shooting and had tangled with law-enforcement already. Seems like there are some opportunities for improvement, regarding how her condition/situation was handled or at least monitored, that would give a far better return on investment than making a post office into a fortress.

It appears to me not just a failure of physical security (making the workers vulnerable), but of a health-care system (increasing the likelihood and severity of threats).

Posted by: Davi Ottenheimer at February 4, 2006 01:22 AM

It will be interesting to see if anyone makes the connection of the threat to Ronald Reagan’s program to reduce state (and eventually federal) spending on mental health treatment. Here’s how he described it in his Dec 7, 1973 article in the National Review:

“California has pioneered the concept of treating the mentally ill with an expanded system of community mental health programs. When we started, the budget for community treatment was $18 million. This year it is more than $140 million and California’s shift from the ‘warehousing of the mentally ill’ in large state mental institutions has become a model for the nation.”

Unfortunately, it turns out that while this appears to have reduced spending, it has also led to a significant decrease in security and safety:

http://www.metroactive.com/papers/metro/07.30.98/cover/mentalprison-9830.html

“When then-governor Ronald Reagan closed state mental institutions in the 1960s, policy-makers anticipated that a network of community-based programs would develop to care for the mentally ill. But only a smattering of those facilities have materialized during the last three decades. In this county only 30 of these privately-run facilities provide 24-hour care to the mentally disabled, leaving thousands with mental-health needs to fend for themselves. At the same time, new laws made it tougher to commit someone to the existing and meager state hospital system. California currently runs only five state mental hospitals, one of which is in Vacaville state prison. Of the 3,664 patients in state mental hospitals, the vast majority, 2,723, were placed there for criminal activity. Fewer than 1,000 Californians are held in state mental hospitals for solely medical reasons. For those who need 24-hour care but are not outwardly violent and have no police record, there are few institutions with openings, leaving patients in the care of families and communities often under-equipped to deal with them.”

Had the communities generated the programs, things might have been different. But it was a gamble and the risk of this policy appears to not only have been seriously understated but the savings up front seem to have transferred to far higher costs later on…

Posted by: Davi Ottenheimer at February 4, 2006 01:42 AM

I really enjoy Bruce’s blog, and the comments, but sometimes it feels like the market isn’t working: encryption is being ignored by the real cryptographers at exactly the time when most of us need the most help with it. Instead, the market seems to be inciting him (as well as other specialists) to branch out into political science, philosophy and economics; even a friend of mine who pioneered the use of ATM encryption is spending his time consulting on organizational risk. Strange, especially since I get more and more requests to help design and deploy identity and key management systems.

Bush brings home recession

The Financial Times has had some interesting articles recently about the challenges America is facing under the Bush Administration. They have a certain way of putting things in perspective:

President George W. Bush likes to say that his job is to confront big problems, not leave them to those who follow. As he prepares to deliver the State of the Union address he has been forced to tackle the issues bequeathed him by the man who has occupied the White House for the past five years: himself.

And when they reach a conclusion, they don’t hold back. Here is their assessment of the Bush administration’s economic policies:

There is only one end to this scenario: higher interest rates. A vigilant Federal Reserve Board will have to boost rates to suppress demand, just as during the Johnson administration. The pressure for higher rates will be even greater given the forthcoming retirement of Alan Greenspan as Fed chairman. His replacement will need to convince financial markets that the Board remains determined to keep inflation in check. The consequences will be a slowdown or worse.

As the rebuilding effort slows, high interest rates and high gasoline prices may pull the economy into recession. Like President Johnson, President Bush took a chance and lost.

So the next question might be how the Defense Department can rephrase the term “lost” into something more palatable. The “Information Operations Roadmap” mission suggests that they are actively spreading propaganda abroad and even at home:

Perhaps the most startling aspect of the roadmap is its acknowledgement that information put out as part of the military’s psychological operations, or Psyops, is finding its way onto the computer and television screens of ordinary Americans.

Or maybe the question should be why the US federal government now represents a giant funnel of money to rather specialized interests. The Economist, aside from making fun of Senator Grassley for the Iowa rainforest boondoggle, hints at the real problem:

Lobbyists are not the disease, merely the symptom. Their numbers (in Washington) have doubled in the past five years, to 35,000, because federal spending has grown larger and more wasteful. Earmarks have proliferated under the Republicans, from 1,439 in 1995 to 13,997 last year.

Voltaire Day

There should be one if there isn’t already. And unless someone objects, today seems like as good a day as any to celebrate the brilliance of his words, most of which I find useful in meetings about risk:

    “No snowflake in an avalanche ever feels responsible.”

    “Doubt is uncomfortable, certainty is ridiculous.”

    “Judge a man by his questions rather than by his answers.”

    “The more I read, the more I meditate; and the more I acquire, the more I am enabled to affirm that I know nothing.”

    “It is forbidden to kill; therefore all murderers are punished unless they kill in large numbers and to the sound of trumpets” (a softer variation is that some think it’s ok to write buggy code if you write so much of it that your pride and profit keep it going in spite of inefficiency and harm)

    and finally, with regard to today’s news that the FTC has fined ChoicePoint $15 million…

    “Every man is guilty of all the good he didn’t do.”

Here’s to Voltaire and to his role in the age of Enlightenment!

He was a poet’s poet:

Understand idleness better. It is either folly or wisdom; it is virtue in wealth and vice in poverty. In the winter of our life, we can enjoy in peace the fruits which in its spring our industry planted. Courtiers of glory, writers or warriors, slumber is permitted you, but only upon laurels.

Perhaps Rousseau Day will be next?

Fiberlight

Himawari Light

I think this is brilliant (pun intended). It reminds me of the concept of armored spaces that protect the inhabitants while retaining visual/light capabilities, but this adds a component that also powers itself. Plain glass windows have been ok, but they clearly have drawbacks (ok, sometimes the puns just jump out). In this case the UV is blocked by walls, while a solar panel collects energy and glass fibers distribute the light. So, fiberlight (plus video) should provide a radical reduction in risks while maintaining many of the benefits of windows.

Wonder what Milton would have said about this fine use of talent to produce technology that might protect those who speak out in favor of a republic and against the supreme executive (e.g. he feared he had “lost his light” because of writings like “The Tenure of Kings and Magistrates” and his support of Cromwell)…

When I Consider How My Light Is Spent
by John Milton (1608-1674)

    When I consider how my light is spent
         Ere half my days in this dark world and wide,
         And that one talent which is death to hide
         Lodged with me useless, though my soul more bent
    To serve therewith my Maker, and present
         My true account, lest he returning chide,
         "Doth God exact day-labour, light denied?"
         I fondly ask. But Patience, to prevent
    That murmur, soon replies: "God doth not need
         Either man's work or his own gifts: who best
         Bear his mild yoke, they serve him best. His state
    Is kingly; thousands at his bidding speed
         And post o'er land and ocean without rest:
         They also serve who only stand and wait."