Miscommunicating risks to teenagers
Security programs that depend on 100% compliance are a bad idea, especially if they depend on 100% compliance from people who are proven to be poor in compliance capabilities.
Case in point: I saw a documentary about “Abstinence only” sex education programs for teens in the public schools of New Mexico — one negative example in Albuquerque and one positive example in Socorro. (This is federally funded.) Skipping over the most aggregious errors and misstatements in these programs, I noticed one big blooper regarding risk estimation and risk communication.
The educators who developed and deliver this program emphasize the failure rate of condoms as argument against relying on them. In contrast, abstinence-only is touted because it is 100% effective in preventing unplanned pregnancy and all the negative stuff that goes along with it. Funny thing–they never mentioned the failure rate of abstinence-only when implemented by teenagers! Sure, you can tell teenagers to be abstinent and they can even commit to it, but would you bet on it? What odds would you demand for a large bet(say, $100,000 from your bank account) that a large group of teens would remain abstinent for five years? There are plenty of studies (e.g. here [link to http://www.cbsnews.com/stories/2007/12/02/health/main3564047.shtml no longer works] and here) that demonstrate the limited capabilities of teens to avoid risky behavior, control impulses, rationally balance short-term gain against long-term pain, think beyond a short planning horizon, resist peer pressure, etc. For most teens in the US, their “failure rate” (i.e. failing to avoid risky behaviors) is greater than 0%, and in cases of “multiple-risk adolescents ” the failure rate is far above 0%.
I would bet that condoms are much more reliable than the average teenager’s commitments to eschew immediate pleasures. Of course, using both would be much more reliable than either alone. This is “defense in depth”, of course. Better still, take it to the max and advise that they add a “full-body condom”. Then they would be “fer sher, fer sher!”, as the Valley Girl might say. 🙂
Awesome, correlating condom use with computer security, haha.
@nickhacks I suggest you read the post again. The main message of the post is about risk communication regarding alternative strategies. Specifically, I was using this example to highlight the importance of including both estimates of compliance % and estimates of effectiveness of the controls (or, conversely, failure rate of the control). I didn’t correlate” anything.
I disagree with Abstinence being 100%. I particularly depends on your perception of it. For some Abstinence means absolutely no sexual acts where as for some abstinence means no intercourse but forplay totally qualifies. So I propose:
Abstinence risks == PC off the tubes risks
Forplay risks = physical PC security risks
😀
@C Yes, the actual effectiveness of Abstinence may be less than 100% depending on how it’s defined and implemented. My point was that the Abstinence-only education program was being promoting it as the one and only strategy that is 100% effective.