Risk Factor

Minor Issue of IT Optimism in the UK

As reported in the London Guardian Unlimited, the UK Custody-National Offender Management Service Information System (C-NOMIS), which was intended to keep close track of the 330,000 prisoners and those serving their probation, is in deep trouble. The cost of the development, originally estimated at £240 million, has jumped to an estimated £950 million.

An "urgent review" is now being ordered to see if anything can be salvaged from the effort, which has been halted. About £155 million has been spent so far, and cancelling the program would cost £50 million in cancellation fees.

A government official said without irony that the original cost and schedule were "optimistic." I guess so.

The review will be published this autumn - we'll keep you informed of the outcome.

Hacked off at the Wall Street Journal

As I noted a few days ago, the Wall Street Journal published an article on how to get around your IT Department's security restrictions. As I think I made clear, I didn't think it was a particularly well-thought-out article.

The WSJ finally published one letter yesterday questioning it that was written by Dr. William Hery from the Department of Computer and Information Science & Department of Management, Polytechnic University in Brooklyn. I thought I would reproduce it here, since I think it is spot on:

Your article "Ten Things Your IT Department Won't Tell You" (The Journal Report on Technology, July 30) is irresponsible. The article encourages and abets the circumvention of security controls developed by corporate information-technology departments. These controls are typically carefully thought out and based on a corporate-level risk analysis, with confidential corporate information, private employee information, corporate reputation and even the ability of the corporation to conduct business all at risk. It is unlikely that all employees who use the methods you suggest, even those who "play it safe," as described in your article, are knowledgeable enough to provide the level of protection the corporation needs.

The article also left out, except indirectly in one comment, a critical risk to the employee: Even though they are circumventing the technology, they are still bound by the policies that led to the controls. The resources the employees are using belong to the corporation for appropriate business use. By actively circumventing the policy, the employees are admitting that they know the policies. By violating the policies, they are subject to any penalties defined in the policies, including reprimand, poor performance appraisal and potential dismissal.

I also wrote a critical letter to the WSJ, but it didn't get published. It was probably because I asked why the journalist didn't ask whether the Journal's own IT Department thought that it was okay to ignore departmental security policies, or maybe it was because I encouraged the WSJ employees to throw off their shackles and ignore them as well, since the article seemed to suggest that it was an acceptable thing to do.

Now publishing Dr. Hery's letter as well as outlining mine is probably against Journal policy, but in the spirit of the advice given in the article to ignore policy, what the hey.

UPDATE

There was a response to Dr. Hery's letter in the 17th August edition of the WSJ.

IT and security groups need to come out of their ivory towers once a decade or so and learn what the rest of us already know: Computers are meant to be used, and when access to legitimate activities is blocked, we poor, dumb users will find a way to thwart them so we can get the job done. Unfortunately, that approach allows those with nefarious intentions a path to do damage.

Ah, the voice of the people. Legit here seems to me to mean whatever I want to do, the organization's interest be damned.

Is security too tight sometimes? Yes. But I would love to have users who complain about it put in charge of trying to determine the "right amount."

Stolen Vote?

The day before California Secretary of State Debra Bowen decided to pull the plug on e-voting machines, across the country another electronic voting problem was causing fits. Seems that the US Congress electronic voting system went down during an extremely politically charged and extremely close vote dealing with agriculture and immigration. Republicans claimed they had won the vote 215 to 213, but Democrats claimed they won 216 to 212. Since they control the House, they indeed did win.

This has led to the creation of a special select committee that has subpoena powers to see if there was any "skulduggery" afoot. I doubt this action would have been taken if the vote was 400 to 28 for or against.

The lesson to be taken away: computer cock-ups only appear when consequences don't matter - it is always conspiracy when they do.

E-Voting Mash-up

California Secretary of State Debra Bowen must decide by this Friday whether to decertify any or all electronic voting machines used in California. A recent test of three popular voting machines showed that they were vulnerable to various forms of hacking.

There is some controversy about whether the tests were realistic - the "red" hacking team from the University of California had unfettered access to the machines - and, now that the vulnerabilities/threats have been exposed, whether they can be defended against by officials at state polling locations. Before the decision is made, a risk assessment of these factors, as well as of the magnitude of any voter fraud or lost votes that could occur in comparison to paper ballots, needs to be done. Given the time, I doubt a thorough risk assessment is possible.

Anyway, one underlying theme that keeps getting overlooked in the e-voting controversy is the idea that we should be able to count every vote, which is something we never did before. For some reason, we expect perfect precision and accuracy when it comes to e-voting - which is theoretically possible, but not probable. It is more likely that votes will be lost due to operator error or plain old reliability problems with the hardware (or software) than by deliberate fraud.

We really need to keep reminding ourselves that IS&T is error-prone - and that what we need to do is figure out where to place the error, rather than to expect perfection. My earlier posts on the legal profession and gambling industry expectations of IS&T just re-emphasize this point.

UPDATE: California Secretary of State Debra Bowen imposed severe limitations on the use of electronic voting machines. The companies that made those machines, like Diebold, are very unhappy, as are California County election officials.

It will be interesting to see whether the process of casting paper ballots will need to meet the same level of security/reliability as e-voting machines do. If they don't, then the whole e-voting testing exercise is little more than political grandstanding.

Predictions of Risk

There are reports tonight of a bridge collapse in Minneapolis, Minnesota. As I write this, the number of dead and injured is unknown.

The reason I add this to a blog on IS&T failure and success is that I recently spoke with Dr. Henry Petroski, professor of civil engineering at Duke University, on success and failure of design, as articulated in his recent book, Success Through Failure. Dr. Petroski has written extensively on the history of bridge failure, and one of his predictions using historical evidence is that about every 30 years or so, there is a major bridge collapse that surprises everyone. We are/were overdue for one.

It is too early to tell yet why this bridge, which is about 40 years old according to news reports, collapsed. But we shouldn't be surprised if it turns out that it was because of a design flaw hidden in plain sight.

UPDATE:

From the 02 August edition of the New York Times:

A 2001 evaluation of the bridge, prepared for the state transportation department by the University of Minnesota Civil Engineering Department, reported that there were preliminary signs of fatigue on the steel truss section under the roadway but no cracking.

It said there was no need for the transportation department to replace the bridge because of fatigue cracking.

Governor Pawlenty said the bridge had an unusual design and was inspected in 2005 and 2006. No structural deficiencies were detected, he said.

UPDATE 2

From an LA Times report:

When it opened 40 years ago, the bridge was hailed for its novel design: an unbroken, 458-foot-long arch across the river. Engineers did not support the bridge mid-span with piers or pylons that would impede barge traffic on the Mississippi.

UPDATE 3

There is a story titled "Generation of Bridges was Built With Less Steel," in Sunday's Washington Post describing the engineering assumptions used during the time the Minneapolis bridge was built:

The 40-year-old bridge that collapsed in Minneapolis last week was built during an era when designers were confident they knew enough about bridge strength and weight loads that they could build bridges lighter and cheaper.

But a number of bridge collapses have taught engineers painful lessons about the frailty of bridges and the punishment they take from heavy trucks, strong tides and even the errant barge that slams into bridge supports, according to engineers, bridge builders and academics.

There are lessons in the article that IS&T designers should take to heart about engineering hubris.

Wall Street Journal Guide to Hacking

Today's Wall Street Journal (subscription required) published a "helpful" set of tips to those who find their IT Department's desire to keep their network safe and secure or their company's desire to have their employees work during business hours unreasonable or overly restrictive.

To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. Specifically, we asked them to find the top 10 secrets our IT departments don't want us to know. How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software.

Other tips are on how to download blacklisted software onto your network, or cover up the fact that you are using your work computer for non-work activities during work time.

The Journal - to cover its butt - also posted advice on how to keep everything "safe" while you hacked your IT Department's system. Very nice of them.

Of course, the Journal reporter did not interview the Journal's IT Department manager to see what he or she thought of the tips; one can only assume that hacking the Journal's IT network using these tips is an acceptable, if not endorsed, behavior.

So, to all you Journal employees, I say, go for it. Hack away at the chains the Journal's IT Department has shackled you with.

Oh, BTW, if I find any of my personal information has ever been exposed by such hacking - since I am a subscriber to the Journal - I know exactly who I am going to sue. And you know what, I bet you I am going to win.

Trying to Put the P2P Genie Back in the Bottle

A few years back, Ray Kurzweil wrote a nice article on the promise and peril of technology in the 21st century. He writes,

As technology accelerates toward the full realization of genetic engineering, nanotechnology and, ultimately, robotics (collectively known as GNR), we will see the same intertwined potentials: a feast of creativity resulting from human intelligence expanded manyfold, combined with grave new dangers. We need to devise our strategies now to reap the promise while we manage the peril.

Last week the US House Committee on Oversight and Government Reform held hearings "to examine recent developments regarding inadvertent file sharing over peer-to-peer (P2P) networks, the impact of such sharing on consumers, corporations and government entities, and whether such sharing creates privacy or security risks for users."

Well, the hearings weren't really about whether P2P networks create privacy or security risks - that was a foregone conclusion - but about the magnitude of the risks and whether there was a way to put the P2P genie back into the bottle.

As reported by CNET News, Government Reform Committee Chairman Henry Waxman (D-Calif.) considers P2P an ongoing national security threat and is considering new laws aimed at addressing the problem. Others on the Committee seemed to agree.

Of course, as Kurzweil points out, it is counterproductive - and useless - to try to restrict a technology once it enters the mainstream. As he states in regard to GNR but is applicable to P2P,

Most important, we need to understand that these technologies are advancing on hundreds of fronts, rendering relinquishment completely ineffectual as a strategy.

Kurzweil is right - file sharing software has become ubiquitous and new P2P providers are appearing all the time. Also as Kurzweil points out, a more effective strategy is to think through and create technological defenses for the potential harm new technologies like P2P can create. Will these defenses have potential harmful effects? Of course, but that is the problem with any technology - it is ultimately a question of risk and reward.

It is far easier and more effective to teach people to not use P2P software on machines with sensitive data, and to encrypt sensitive data on the machines, and to run software checks for P2P activity, etc., than to try to pass laws to stop P2P file sharing. Of course, this won't keep legislators from passing their useless little laws, for they need to be seen as doing something. At the end of the day, however, people will learn through possibly painful experience, and adjust accordingly.

Medical Weak Link

As most of you know, I have been regularly writing about the various initiatives involving electronic health records (EHRs). EHR advocates claim that they are necessary to empower consumer-driven health care.

One of the assumptions, however, is that consumers are medically literate - which is a problem if they are in fact illiterate. Articles in the New York Times and Baltimore Sun (registration may be required) this week highlight the problem.

As reported in the Sun in a study conducted by Northwestern University's Feinberg School of Medicine, for patients over 65,

Almost 40 percent of those deemed medically illiterate died during the study, compared with 19 percent of those who were literate. Factoring in health at the outset and other variables, medically illiterate patients were 50 percent more likely to die than the others.

The medical literacy problem has been recognized for over a decade (here, here and here), but neither EHR advocates nor designers have yet addressed it directly. If EHRs are ever going to be truly effective, the problem of how the information contained within them is going to be communicated to patients, especially those illiterate or literate but with little medical knowledge, will have to be solved.

Maybe Apple should look into this problem, since they seem pretty good at the person-machine interface.

RFID Technology - A Technical Blunder?

Nothing like a potentially good controversy to keep one's interest during the dog days of summer. The Dublin-based company, Heavey RF Ltd., which builds rugged mobile solutions using Radio Frequency (RF) technology, posted a small report on its website that questioned the overall business value of RFID. The report concludes,

Given that bar-coding still hasn't been fully deployed after 40 years in the supply chain, I find it hard to accept that this much more expensive, infinitely more complicated and not yet mature technology is going to be any different. Given the last 15 years of what is effectively an RFID failure in the supply chain, insist in seeing a proven working solution before taking what is ultimately a big leap of faith. History is littered with large technical blunders - RFID in the supply chain could be one of the biggest.

The Heavey report starts off as follows:

Before I start, I would like to categorically state that I am a very big fan of RFID. Since 1995, I have been exposed to various methods of solving unique problems using RFID and I have been directly involved in RFID projects. My company, Heavey RF, has a large range of RFID products to offer and has deployed RFID solutions to a number of companies in Ireland. Unlike most RFID providers, we have actually made money doing it.

So what's the problem?

The problem is this - RFID simply cannot do what people expect it to do from the hype that has been generated over the last decade. It is not a magic wand that will tell you where all your products are in real time. It is not as reliable as bar-coding, and can never be as cost effective. While mankind frequently bends the laws of physics, we have never actually broken them which is what would have to be done if the technology were to be able to live up to the hype.

Heavey posted the report because,

RFID technology in 95% of cases presented to me would be technology for technology's sake. I have had customers question why I have not brought this ground breaking technology instead of bar-coding to them to reduce costs and improve accuracy only to scratch the surface and be thanked by them afterwards for saving them from a big mistake.

One could view the report as a good marketing ploy (especially if one wants to keep selling bar-coding), but I thought the report was not only interesting but well-balanced. It was aimed at separating RFID-hype from reality. I am admittedly sympathetic to that idea, because my field of risk management too is surrounded by excessive hype and a dearth of reality.

Anyway, I found it refreshing, and I sincerely hope it creates a stir. Then maybe the real benefits, costs and risks of using RFID will be better understood by all.

Software Error - Go to Jail

About 30 patrons of the Caesars Indiana casino in Elizabeth, Indiana reportedly might be facing felony criminal charges for winnings that the casino is claiming are not theirs. Seems that there was a software error in the slot machine called Easy Money which registered $10 worth of credit for every dollar inserted. Caesars reported that it had lost $487K over the July 21 weekend.

Turns out this is not a new occurrence. The Majestic Star Casino in Gary, Indiana lost more than $300K in February to the same software problem. Seems strange that the problem wasn't fixed on every machine after that incident, or if it was, maybe the patch caused a new problem with the same result.

Funny though, in this case faulty software created an opportunity for going to jail, while in the case I discussed a few weeks ago about Warren S. Jeffs' trial, a software error was seen as an opportunity to suppress evidence (he lost this argument). I find it an interesting juxtaposition regarding the world's increasing (and maybe unrealistic) expectations of how reliable IS&T should be.

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributors

 
Contributor
Willie D. Jones
 
