Shostack + Friends Blog


One Bad Apple

I generally try to stay on technical topics, because my understanding is that's what readers want. But events are overwhelming and I believe that not speaking out is now a political choice.

I want to start from this Chris Rock video:

I hadn't seen it before, but I have spent a lot of time studying how airlines respond to problems, and you know what?

When Germanwings had one bad apple, Europe rolled out new rules on pilot mental health.

That's how you deal with the bad apples. You don't let them spoil the whole lot. So what does that mean? The obvious answers are things like "fire them! Prosecute them!" Those are attractive answers. They seem like good ideas. Like a key part of justice for the victims. A key deterrent to future incidents.

Another element from my work is that to improve, we need to learn. Learning is hard when emotions run high (this is not a criticism, it's a biological reality). Learning is hard when people are getting blamed. Etsy has done great work in how to facilitate blameless postmortems. But their post-mortems are not literal ones. No one knelt on someone's neck for 9 minutes. But, in this incident and almost every one like it, it turns out that the officer had a history of less impactful incidents. Today, we use adversarial processes to investigate those (review boards, courts). We know that adversarial approaches are at odds with learning. They result in dug-in heels, justification, righteousness, not understanding of the other side's position.

A large part of me wants to be righteous, and declare that even these smaller incidents should bring down the wrath of the system; that when police are failing to serve and protect, there should be Consequences.

But is that desire for consequences actually reducing our ability to change? If so, what do we do?

I make no claims to answers to these questions. There are clearly important differences between a computer security issue and death or "even" serious injury, and I don't claim that the analogies are perfect.

I want to thank Nicole Forsgren for inspiring me to write this.