Shostack + Friends Blog Archive


SHB Session 6: Terror

Bill Burns [link to no longer works] (Suggested reading Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike) Response to Crisis: Perceptions, Emotions and Behaviors. Examining a set of scenarios of threats in downtown LA. Earthquake, chlorine release, dirty bomb. Earthquake: likely 100-200 casualties. Dirty bomb, expected casualties: 100 at most. Chlorine may be thousands to tens of thousands. GRP = Direct (casualties, property, business interruption) + indirect effects. Discussing community fear responses to anthrax. Starting to think in terms of half-life. Residual fear falls slowly in their model. Measured ridership loss after London bombings. (Graph). Communities don’t sit on their hands after an emergency. Half-life of airline attack ~90 days. Investor fear after “potential financial meltdown”: half-life of 65 days. Looking at financial systems, emotional response. High trust in business leaders between 2-6% (gender gaps).

Chris Cocking, London Met (Suggested reading Effects of social identity on responses to emergency mass evacuation.) Pushing concept of collective resilience. Comes from social psychological perspective. How do people behave in groups? Have identity as individual, also as group (fan of a team, nationalist identity). Milgram authority, (Stanford prison) pushes a pessimistic view of human nature. Gustave Le Bon had a theory that a crowd can’t be trusted. Threat causes emotion to overwhelm reason, no concern for those around you, pushing and trampling behaviors. Also concept of contagion. Contradicting, social attachment model (Mawson 2005). But there’s evidence that strangers cooperate in emergencies. Disasters create a common identity. Can result in orderly, altruistic behavior. After WTC 7 collapse, but there was spontaneous planning & coordination. 99% of people below where planes hit escaped. Showing image from 9/11. Picks apart image. Fear visible. Woman in pink has heels on, carrying shopping. Guy in back holding camera, taking photo. Guy gesturing is perhaps saying “get out of the way” to photographer. (Jean Camp asks for a picture of panic behavior. Google images doesn’t return the right thing.) Over-reaction comes from lack of information, or because people are addressed in an atomized way. Use of collective identity may be helpful. How can authorities use people’s willingness to help each other? Summary: people are resilient.

Richard John [link to no longer works], USC (Suggested reading: Decision Analysis by Proxy for the Rational Terrorist.) Talk “Fear and Loathing in Hollywood and Elsewhere.” Social amplification of risk following accidents, natural disasters and terrorism. Small losses due to event, larger losses due to change in behavior. There are very few examples of under-response (San Francisco 1906 earthquake is an example of under-response.) Over-response: Three Mile Island + Chernobyl killed nuclear power industry. Dynamics of risk perception. Measure risk perception after event: elevation, duration, return time to baseline, and change in baseline. Using vignettes to study psychological impacts. Repeated attacks may have very different responses. How do people habituate? Working on a study in Spain with people who have personally experienced an attack. Have found it hard in some cases: people are not that afraid of terrorism anymore. Finding a need to add audio and video to trigger responses. (Is that evidence that terrorism has been overhyped?) Group at USC building virtual world for study.

Mark Stewart [link to no longer works], University of Newcastle, Australia (Suggested reading: A risk and cost-benefit assessment of United States aviation security measures [link to no longer works]; Risk and Cost-Benefit Assessment of Counter-Terrorism Protective Measures to Infrastructure.) Need to use numbers. Words tend towards worst-case scenarios. Measure probability, consequence, risk reduction. (This would work in infosec if we had numbers; in terrorism, we can get them.) Shows process slides. Notes DHS never tries to figure out if we should do anything or not, but rather, asks how to spend money. DHS is obviously motivated to be risk averse. Numbers at best give you decision support, not decision making. Uses “net benefit = benefits – costs” used in many applications, nuclear plants, aircraft. Discussion: aviation security measures (Stewart and Mueller). Shows TSA 20 layers, asks how many we need. (A good baker’s dozen.) Air marshal program costs US $1B/year. (2,500-4,000 marshals, free seats in business class.) Shows some math about effectiveness of risk reduction measures. Demonstrates that, based on assumptions, air marshals are a poor investment, with a return of 19 cents on the dollar with an attack frequency of 1 per 10 years. (Talk too short to dig into assumptions.) Exhorts audience to come up with models so that we can discuss and debate the assumptions and quantifications. Final observations: terrorist risks seem lower than other risks. Many counter-terror decisions made in response to 9/11. (Fighting the last war/attack?)

John Adams, UCL (Suggested reading: Deus e Brasileiro?; Can Science Beat Terrorism?; Bicycle bombs: a further inquiry.) Plugs John Mueller’s “Overblown.” Goes into risk thermostat. Propensity to take risk, perception, rewards, balancing and accidents. That’s individual, but you can imagine institutions doing the same thing. Mention of financial risk. Discusses “top loop” (rewards & risk propensity) and “bottom loop” of accident reduction. Top/bottom requires the picture:

[Image: risk thermostat]

Points out that the geography department in which he works has bomb-glazed windows. Has funny signs and warnings. “All of this is now starting to backfire.” An increasing reaction is to be more afraid of the government than the terrorists. Shows a risk chart showing how risk is perceived. Risk voluntary, impersonal controlled:


The London bombs killed the equivalent of six days of road casualties. Mentions sticker from a band called “This bike is a pipe bomb.” Comments that cycling without a helmet is very safe. (I really enjoyed John’s book, “Risk.”)

Dan Gardner has a book Risk, as well. Journalist, will talk about the media. Runs down complaints about the media: they cover vivid, dramatic causes of death. Media reports things like “this doubles the risk of X” without stating the baseline. Reporters are human, and make human decisions. Tells story about two stories in New England Journal of Medicine. 19 stories. 9 mentioned both. 10 mentioned only bad news. All the “both” stories gave more space to bad news. Sell more papers? No, bad news is attractive to journalists for the same reason we rubberneck at car accidents. Storytelling is universal. What’s a story? Novelty, conflict, emotion, drama. Why does terrorism get more stories? It’s a better story. What’s not needed for a good story? Numbers! (Bruce adds “Facts!”) Brings up “the miracle on the Hudson.” It’s a little local story. People in audience know name of the pilot. What does it tell you about air travel? (I add “it’s very safe.” Dan responds “If you have Sully as your pilot.”) 2007-2008 no one died in an air crash in the United States. Working on a new book on why expert predictions routinely fail and why we believe them anyway.


David Livingstone Smith suggests that response to infection is biological. Richard John responds that we assess the risk poorly. Terry Taylor says that incidence of death from infection is still high. Response to infectious disease risk varies tremendously based on risk. Southeast Asia, risks are more real, responses better considered.

Bruce Schneier comments to Mark that there’s an assumption of a single risk. In DHS’s case, it’s the risk of being fired. Have to look at a spectrum of risk. In air marshal case, there’s a deterrence effect or effect of saying we have them. Mark agrees that we need to capture multiple risks; dealing with principal-agent risk of DHS requires policymaker awareness. John Adams comments that liability is key. Ob-Gyn is hugely successful at improving infant survival, but has high insurance rates.

John Mueller compares sports writers putting context in to other journalists. Joe Bonneau argues that sample size, other knowledge are missing. Dan Gardner responds that they have numbers in stories.

Jean Camp asks question about al Qaeda being treated as terrorists, not criminals, while attacks on women’s health services are called crimes, not terrorism. Would labeling it a terrorist campaign change the impact? Bill Burns says it would have an impact. Had we framed 9/11 as a crime, chances are good we would have caught more terrorists, and impacted the recruiting environment. Calling 9/11 the start of a war was one of the biggest mistakes. Chris Cocking is often asked “do people behave differently in a terror incident or a natural disaster?” Not a lot of evidence, but anxiety is higher in terror attacks.

James Pita asks if amount of panic is relative to proximity of danger. Chris Cocking suggests that it’s not primary. Bill Burns says 9/11 investigators found evidence of order and altruism in tower evacuation. Adds that he’s only encountered panic once: in a drowning person. Richard John adds that we don’t have pictures from above, but we know that people jumped. Chris Cocking says that people who know they’ll die become apathetic. Jon Callas points out that there are final phone calls.

Andrew Adams asks about new risks, such as false air marshals as part of a plot. Mark Stewart says stay focused on big picture. (I agree strongly–in threat modeling, we sometimes see experts trying to go depth first, missing important big picture stuff.) Richard John says that air marshals may reassure and get people flying. (Of course, there’s evidence that fewer people are flying, so overall it’s a fail.)

Angela Sasse says that not everyone got out of towers, in part because of a ‘go back’ announcement. Drills and training are important, and often overlooked. (There’s a tie here to Gene Kim’s work on change control–it’s highly effective and boring.)

Terry Taylor asks about value of uncertainty in defense. Mark Stewart says there are tremendous layers of uncertainty. Richard John says that uncertainty impacts terrorists substantially. Terrorists are relatively risk averse. Discussion of risk aversion: willing to accept death, but want attacks to succeed. Terrorists want an expected 70-90% success. Failure impacts recruiting.

[Update: Schneier’s blog is here. Matt Blaze’s audio [link to no longer works].]