Shostack + Friends Blog Archive


Bicycling & Risk

While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking.

I have a lot of colleagues whom I respect who like to think about risk in some fascinating ways. For example, there are the Risk Hose and SIRA folks.
I’m inspired by To Encourage Biking, Cities Lose the Helmets:

In the United States the notion that bike helmets promote health and safety by preventing head injuries is taken as pretty near God’s truth. Un-helmeted cyclists are regarded as irresponsible, like people who smoke. Cities are aggressive in helmet promotion.

But many European health experts have taken a very different view: Yes, there are studies that show that if you fall off a bicycle at a certain speed and hit your head, a helmet can reduce your risk of serious head injury. But such falls off bikes are rare — exceedingly so in mature urban cycling systems.

On the other hand, many researchers say, if you force or pressure people to wear helmets, you discourage them from riding bicycles. That means more obesity, heart disease and diabetes. And — Catch-22 — a result is fewer ordinary cyclists on the road, which makes it harder to develop a safe bicycling network. The safest biking cities are places like Amsterdam and Copenhagen, where middle-aged commuters are mainstay riders and the fraction of adults in helmets is minuscule.

“Pushing helmets really kills cycling and bike-sharing in particular because it promotes a sense of danger that just isn’t justified.”

Given that we don’t have statistics about infosec analogs to head injuries, nor to obesity, I’m curious where we can make the best infosec analogy to bicycling and helmets. Where are our outcomes potentially worse because we focus on every little risk?

My favorite example is password change policies, where we absorb substantial amounts of everyone’s time without evidence that they’ll improve our outcomes.

What’s yours?

8 comments on "Bicycling & Risk"

  • Brad Hill says:

    Not exactly the same thing, but nearly every time I give a talk on web application security techniques – things like preventing XSS, a vulnerability that impacts nearly every web site – one of the first questions I get from developers is, “why bother when SSL is broken?” SSL breaks get more attention than XSS on individual sites, but the real risk of any given site getting compromised by XSS is several orders of magnitude greater. The small risks they can’t control lead them to be complacent about larger risks they can.

  • Alan says:

    Stats link below but figuring out what they mean is another matter. A lot of the cyclists in my neighborhood fly through red lights, down one way streets the wrong way, cycle at night in dark clothes and without lights, etc. And these are the sort of cyclists that are also unlikely to wear a helmet. So if you look at the stats, cyclists who die are much more likely not to be wearing a helmet but maybe it’s cyclists who don’t wear helmets who are much more likely to engage in cycling behavior that will result in serious accidents.

    I think the infosec analog is that the average computer user is sort of like the crazy bike user cycling down a busy one-way street the wrong way in the dark without lights. Getting them to use a slightly stronger password is irrelevant when they’ll click anything that comes into their inbox and give their credentials away to anyone who asks for them.

  • Alan says:

    Crazy bike user cycling down a busy one-way street the wrong way in the dark without lights…

    1 in 6 Amazon Web Services Users Can’t Read

  • cyclist says:

    Why aren’t more people jumping off mountains in winged bat suits? Is it because of the helmet they’d have to wear?

    Oh ye of little brains. There is so much more that should be going on in your risk assessment of riding a bike than whether or not you are wearing a helmet. In some environments even without a helmet you are taking on much less risk than another environment that was more dangerous even with a helmet. Then there are environments where it is more dangerous to be wearing a helmet than not to be wearing it – like local kids who have been strangled by their helmet straps on park play structures and zip lines.

    This goes so much deeper than helmets but I do think it is nice to practice the logic outside of the security realm before bringing it back.

    I actually think the XSS and SSL example is great because it shows how this is as much psychology as it is technology. XSS and SSL attacks rarely have anything to do with each other yet someone will use it as an excuse to cover up or hide a poor decision elsewhere. Instead of quitting, go the distance intellectually and you will discover what you need to do to improve.

  • Scott Weil says:

    I disagree with the last part of your post: “My favorite example is password change policies, where we absorb substantial amounts of everyone’s time without evidence that they’ll improve our outcomes”. If technical people would comply with their own organization’s password policies, outcomes would be improved. If IT Auditors actually audited system passwords, they would find many of them out of compliance with password and password change policies. How many organizations enforce password change policies on systems? Better put, how many networks have been secured by the user name “admin” and the password “admin”?
    That is what we call the insider threat.

    • adam says:

      Hi Scott,

      I find it fascinating that you disagree. What evidence do you have?

      (Also, when I say password change policies, I mean “Change your password every N days”, not “set a password as part of setting up a device.” However, I’ll be happy to see evidence that either policy changes the number of breaches.)

  • Sven Türpe says:

    Considering online privacy part of the wider field of infosec, I’d vote for OMG-don’t-reveal-any-personal-information-on-the-Internet-and-be-very-afraid-of-cookies advice as a close analogy to helmet propaganda. Such advice, like helmet promotion, is easy to utter, seemingly (but not actually) easy to follow without any downsides, with few exceptions irrelevant to the actual risk profile, and distracts from those issues that really matter.

    As regards cycling, I recommend learning and practicing vehicular cycling, and understanding and avoiding the causes and contributing factors of typical cyclist accidents.

  • Kevin Neely says:

    I would be interested in password change statistics, especially the cost vs. effectiveness. Has anyone performed or produced a study on this?
