Metrics Should Change Behaviour

A British University studied 1,050 rock stars and concluded:

European artists are twice as likely to die early as the rest of the population.

US rock stars died at an average age of forty-two, while European rock stars died at an average age of thirty-five.

One in ten children in the UK aspire to be a rock star.

One in four rock stars die from drug or alcohol related issues.

I like these metrics; they are interesting, but they mean nothing to me. If I were a kid I wouldn’t change my life at all based on this.

Now consider this:

If a child ran into the road while you were driving at 40 miles per hour, there is an 80% chance they will be killed.

If a child ran into the road while you were driving at 30 miles per hour, there is an 80% chance they would survive.

I now drive slower as a result. Security metrics should be like this: they should shape behaviour, not just be interesting.


5 Comments on “Metrics Should Change Behaviour”

  1. Andy ITGuy Says:

    Mark, I agree that Metrics should change the way that we practice security. Unfortunately that seems to fall into the same bucket as awareness training should change the way users interact with technology. People just gravitate to what is easiest. That’s one of the frustrating things about this industry. You expect more from us because of the nature of our work, but since there are more jobs than “truly” qualified people to fill them we get those who think shortcuts are OK.

  2. mcurphey Says:

    Hi Andy

    I am not sure it “always” falls into that bucket. I know of some large development shops who calculate bonuses based on security metrics. If you introduce a security bug you lose bonus; if you were the person that found it you gain bonus. It was very instrumental in affecting change! For the most part though I find myself nodding with you… sad isn’t it?

  3. rybolov Says:

    Restated, Mark’s basic premise is that the metric has to be relevant. Otherwise, it doesn’t pass the “DILLIGAF test”. =)

    Metrics should support behavior but only because they are used for decision support. Sometimes you have to ignore the data and push on, that’s what experience is for.

  4. dennisgroves Says:

    You know that is really interesting, because the residential speed limit in Seattle is 30 MPH - and in Arizona where I live now it is 40 MPH and most people drive at least 45 MPH. And the funny thing is that Arizona leads the USA in traffic fatalities by far. Additionally, it seems to be filled with people who are so narcissistic that they really couldn’t care less if they kill your kid. And that brings me to my next idea: Arizona has the most draconian of all traffic laws in the USA; but you have to enforce the law if people are going to obey it. And it seems that in Arizona at least they choose to enforce it semi-sporadically - like TSA searches. I recently saw a show about traffic by a Pulitzer Prize winning author and he observed that during rush hour the HOV lanes open up; and as soon as they do people vacate the regular lanes for the HOV lanes, the HOV lanes then back up while the regular lanes go nearly empty. And people remain in the HOV lanes!? What a mind-boggling behavior. Clearly people have some built-in “follow the leader” behavior that is really strong, and used to be important for survival. Few people ever examine their own behaviors; and fewer still modify their behavior.

    So to bring this all back full circle:

    I must be optimistic about my fellow man because there are many examples of stupid security; from TSA to the impotent traffic laws of Arizona - and PCI DSS… for example. While clearly they are needed; and are steps in the correct direction; they are impotent on their own and ineffective at bringing about that change of behavior that really makes a difference.

    Changing the behavior of people almost certainly doesn’t occur without education; and an understanding of how your personal actions really can change the world. People today I think feel very impotent - and frustrated; it seems to permeate thinking everyplace I go. People think that their vote doesn’t count; or that one person cannot possibly make a difference anymore.
    Is this the fallout from post-modernism (i.e. Nietzsche)?

    People need to be educated about the security process; they need to realize that they do make a critical difference in the security of their organization - everybody… from the janitor to the C*O… People need to be empowered to make a difference. I think that people will do the right thing if they have somebody else who believes in them.

    As I get older; I really think that security is not a technology problem; we have complex mathematics and cryptography; but all the security in the world won’t help you (i.e. Robert Hanssen); it is a social problem; it is a trust problem… And the gaming industry is light years ahead in manipulating people’s behaviors; as is the ‘marketing industry’.

    I agree with Mark we need to get Security Psychologists in on this; and some marketing people start a marketing campaign to motivate people to do the right thing… Where the right thing is of course; that which has been measured to be the most effective behavior for the security issue at hand.

  5. This Metric Shows Behavioral Change « Mark Curphey - SecurityBuddha.com Says:

    [...] Metric Shows Behavioral Change A week ago I posted that Metrics Should Change Behavior and used what I think is a clever play on statistics to demonstrate the art of positioning. You can [...]
