Shostack + Friends Blog Archive


Only an idea after a bunch of calculating

Andrew Koppelman has a post on the law-professor blog Balkinization, titled “You have no idea”:

This data sits uneasily beside a recent study in the American Journal of Medicine of personal bankruptcies in the United States. In 2007, 62% of all personal bankruptcies were driven by medical costs. “Nationally, a quarter of firms cancel coverage immediately when an employee suffers a disabling illness; another quarter do so within a year,” the report states. Most of the medical debtors were well educated, owned homes, and had middle-class occupations, and three-quarters of them had health insurance. “Unless you’re a Warren Buffett or Bill Gates, you’re one illness away from financial ruin in this country,” lead author Steffie Woolhandler, M.D., of the Harvard Medical School, said in an interview. “If an illness is long enough and expensive enough, private insurance offers very little protection against medical bankruptcy, and that’s the major finding in our study.”

In other words, all those people who oppose health care reform because they like the coverage they’ve got really have no idea of the real dangers they face, because they have no idea what their insurance companies would really do to them if they got sick. This poses a real political challenge for the proponents of reform. The people who will most benefit from the consumer protections that Obama is advocating – those who will experience serious illness in the future – have no idea that they are benefiting, and so will not politically reward those who deliver the benefits. The Democrats could give most Americans substantially greater security and receive no reward for it.

Now, reading that, I actually still have no idea of the real danger I face. I have some understanding of what might go wrong, but no idea how likely it is. (Nor how effectively the new health care bill might address it.)

It turns out that the paper includes some very important data that the above does not: “Between January 25 and April 11, 2007, we obtained from Automated Access to Court Electronic Records, a list of all 118,308 bankruptcy petitions filed in the US.” Counting both endpoints, that’s a 77-day window, exactly 11 weeks, which annualizes to 365/77 × 118,308 = 560,810 petitions. The new US bankruptcy law came into effect in October 2005, so the rush of filings ahead of it was long over and wasn’t a confounding factor for a 2007 sample. For comparison with other things that might happen to us, CDC figures show 631,636 deaths from heart disease, 559,888 (or so) deaths from cancer, and a “mere” 137,119 deaths from strokes. In other words, the annualized bankruptcy count is on the same order as cancer deaths.
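To make that arithmetic explicit, and to show the kind of “impact beside comparators” table the rest of this post argues for, here is a small Python script. It is an added example and not part of the original post or the paper: the bankruptcy count, the window dates and the CDC figures are the ones quoted above, while the function names are my own. It makes the one choice the bare formula hides, namely whether the window counts both endpoints (77 days) or not (76), and then lays the annualized estimate beside each comparator as a ratio.

```python
"""Annualize a count observed over a partial window and show it in context.

Added example, not from the original post. Figures are the ones the post
quotes (Himmelstein et al., Am J Med, and CDC); function names are mine.
"""
from __future__ import annotations

from datetime import date

# Figures quoted in the post.
BANKRUPTCY_PETITIONS = 118_308
WINDOW_START = date(2007, 1, 25)
WINDOW_END = date(2007, 4, 11)
CDC_DEATHS = {
    "heart disease": 631_636,
    "cancer": 559_888,
    "stroke": 137_119,
}


def window_days(start: date, end: date, inclusive: bool = True) -> int:
    """Length of the observation window in days.

    The post treats both endpoints as observed days (77 days = 11 weeks).
    An exclusive count gives 76 and inflates the annualized figure by
    roughly 1.3%, so the convention is an explicit parameter here.
    """
    if end < start:
        raise ValueError("window end precedes window start")
    days = (end - start).days
    return days + 1 if inclusive else days


def annualize(count: int, start: date, end: date, inclusive: bool = True) -> float:
    """Scale a count observed over the window to a 365-day year."""
    return count * 365 / window_days(start, end, inclusive)


def in_context(estimate: float, comparators: dict[str, int]) -> list[tuple[str, int, float]]:
    """Return (name, annual count, estimate / annual count), largest comparator first."""
    rows = [(name, n, estimate / n) for name, n in comparators.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def context_table(label: str, estimate: float, comparators: dict[str, int]) -> str:
    """Render the comparison as the short table you would put on a slide."""
    lines = [f"{label}: {estimate:,.0f} per year (annualized)"]
    for name, n, ratio in in_context(estimate, comparators):
        lines.append(f"  vs {name:<14} {n:>9,}  ratio {ratio:5.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    est = annualize(BANKRUPTCY_PETITIONS, WINDOW_START, WINDOW_END)
    print(context_table("US personal bankruptcies", est, CDC_DEATHS))
```

Running it reproduces the 560,810 figure and prints the ratios (about 0.89 of heart-disease deaths, 1.00 of cancer deaths, 4.1 of stroke deaths). The ratios are still bankruptcies against deaths, which is the apples-to-oranges comparison flagged below; the point of the table is that the audience sees the scale without having to dig out the comparators themselves.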

I know the new bill is tremendously complex and contains far more than catastrophic insurance of last resort. That last part is where the insurance model breaks down: you can’t insure against the cost of managing a chronic illness once you know you have it; all you can do is spread that cost around. That may be a proper function of government, but it’s no longer insurance when p=1. I’d prefer to pay for routine and minor care myself, and buy insurance against the chance that I contract something chronic.

You may be asking “so what does all of this have to do with The New School of Information Security?” Well, it’s about presenting data in context. Koppelman’s post didn’t do as much as I think it should have to correct the problem that most people “have no idea of the real dangers they face.” If you’re explaining security issues to Bob Carr or some other exec, you can’t just present impact. You have to present context. Ideally, you’d do it without comparing apples to oranges, or bankruptcies to deaths, but I’m taking it easy this Labor Day Sunday. Expecting execs to know what the right comparatives are, and either to have the data at hand or to dig it out while you’re presenting, is nearly a dereliction of the presenter’s duty.

Of course, in information security, we don’t have a CDC. We have the fine volunteers over at DatalossDB.

If you decide to take this post as license to debate health care reform in the comments, I’ll ask that you keep it civil and respectful.