Risk and Security LLC

Risk Assessments, Training and More


Caroline Ramsey-Hamilton

Do Terrorists have Lower IQ’s?

Is it nature or nurture? Do you think there’s a correlation between the intelligence of a person and their choice of terrorism as a vocation?

I’m not talking here about the brilliant, twisted strategists who create the idea of the revolution. I’m talking about the mules – the new recruits who can’t wait to blow themselves up for the cause. Or shoot and kill innocent people – like the Holocaust Museum incident in 2009.

Take “The Underpants Bomber”, for example. If he REALLY wanted to blow up the plane, why didn’t he go into the bathroom and light himself up there? Why go back to his seat where it is always crowded anyway? Only one conclusion can be reached – he is stupid! He suffers from a serious flaw in his reasoning ability.

One of the most interesting films I have seen recently was done by Fareed Zakaria and aired on HBO. It is called “Terror in Mumbai” and Fareed narrates it. Take the forty-five minutes needed to watch it because it is incredible and goes right to my point about terrorists being dumb.

After the Mumbai bombing attacks started, the government was able to hook up to the actual cell phones being used by the terrorists to communicate with the Big Brain Terror Leader (also called his Controller, or Handler??) back in Pakistan. So the movie is actually the real conversations between the operatives and their Controller.

At one point, the Controller tells them to set the hotel mattresses on fire. They try but can’t get a fire going, so the Controller screams into the phone – go back and light them again.

The on-the-ground terrorists seem to have no idea of how to kill anyone, and are almost goaded into doing it by the Controller on the phone, who has to explain to them what to do next, and whom you hear screaming into the phone, “Shoot him in the head”.

They seem almost like puppets and, as you watch the movie, you realize that these guys couldn’t terrorize anyone on their own. They are uneducated, unsophisticated young men who probably would have gone sightseeing if the Controller hadn’t kept a tight rein on them.

Some people think there are more of these unthinking people around than the thinking kind. I hope that isn’t true, and it really speaks to the power of education and sophistication as the best weapon we have against this sort of mindless terrorism.



Fireworks Ignite After Latest Airline Terrorism Incident

It was a surprise to see the biggest news on Christmas was that a Nigerian terrorist managed to get on a plane coming to Detroit from Amsterdam with some sort of explosive strapped to his leg.

AND – the alleged terrorist was on the NO-FLY LIST. Just think about this for a moment. A recent paper from the Naval Postgraduate School on Homeland Security estimated that the costs of the no-fly list, since 2002, range from approximately $300 million (a conservative estimate) to $966 million! And after spending over $300 million, the terrorist is able to get right on the plane, WITH EXPLOSIVES STRAPPED ON, and fly to the U.S.

Besides being a risk expert, I was a mom who didn’t let her boys have toy guns. So imagine my shock at THINKING (to myself) that maybe we should let certain cleared passengers fly PACKING.

The passengers on the flight under discussion are the ones who subdued the perp, and I have a feeling that US airline passengers would all be happy to take over their own security while flying the un-friendly skies.

Despite spending billions on patting down the grannies and business travelers along with 9-year-old girls – someone can still board a plane and fly right into the U.S. with explosives strapped on.

A simple risk formula applied to this entire passenger screening program shows that the entire TSA passenger screening program is too expensive for the results they are getting. The biggest cost waster is the idea that every single air traveler is treated exactly the same way. This is the elephant in TSA’s conference room. Every traveler is NOT the same. The most simplistic metrics show that:

1) Terrorists are more likely to be men.

2) Women over 60 are not likely to blow anything up.

3) Small children and federal employees are unlikely to be smuggling in explosive devices.

As the noted expert, Stephen Flynn, pointed out in his book, America the Vulnerable, this policy creates huge cost, creates inefficiency and does not stop the dedicated terrorist.

Instead of being run as a gigantic stimulus program for the underemployed, TSA should sharpen its focus and begin a true profiling program. A profiling program doesn’t have to target certain groups or types of individuals, but it should work towards automatically EXCLUDING the large groups of people who are unlikely to be a threat; let them opt for “cleared” status by completing a background check, and if these many individuals were automatically cleared, it would leave the TSA screeners more time to do MORE RIGOROUS checks on potentially dangerous individuals, and ENSURE THAT PEOPLE ON THE NO-FLY LIST — DO NOT FLY!

Sounds obvious, doesn’t it? But instead, the U.S. budget is being squandered on thousands of unnecessary screens, while the potential targets are not getting the in-depth, in-airport screenings they need to have.

These inane policies are not just indefensible – they are dangerous – and the latest incident just proves the point.



Thanksgiving and Health Care Reform Debates

In a scene I could only dream was being played out in formal dining rooms across the U.S., my T-day dinner conversation was about the healthcare reform initiative chugging through the Senate. Representing the left on this issue — a young college guy whose new job is as a waiter at a fancy restaurant. On the right — a government employee with health insurance. As in the rest of the country — the balance of the guests were somewhere in between.

Hot topic: Medicare. One of the guests’ parents are both on Medicare. They have no idea how much their medical bills cost because they are all paid automatically, unless they somehow want a procedure not covered by Medicare, although I could not think of one. The discussion centered on how health care consumer attitudes might change if even Medicare consumers had to sign a statement ordering, and signing off on, each procedure, with full accountability of the price sitting in front of them.

I’m imagining a Health Care Compliance & Accountability form that each patient signs for each procedure like:

Angioplasty $8,500.00
Hospital Stay – 1 day -$5,000 – $7000.00
PLEASE — give me a night in a cabana in Mustique for a mere $1200!

The conversation over the vegetarian entrees veered recklessly from the “free health care for anyone, anytime” group to the “don’t change anything ever” group. But neither group, interestingly enough, could price any common hospital procedures, even though 1/3 of the group worked in a hospital… I surmise that unless you are directly involved in billing, there is little understanding of the costs of healthcare procedures, regardless of your insurance status.

End of life issues are something of much interest to me because I have already decided the EXACT DATE I’m heading out onto the ice floe to be eaten by either polar bears or killer whales, depending which group is not yet extinct by 2018 (the year I have already picked) for my eventual eating by wild mammals.

I admit that I do not understand why old people with terrible wrinkles and horrible diseases of their own making (think diabetes, congestive heart failure, etc.) want to prolong their very uncomfortable lives for another day or another week. I suspect that they do not, but since health care is just as much of a business as a dry cleaners or a fast food restaurant — the docs are trying to sell the procedure (whatever it may be) with MRIs, CAT and PET scans, and several weeks of observation — in the same way that the 17-year-old at the drive-thru tries to get you to “Supersize” your order. Follow the money.

Which is exactly why I did a risk assessment and decided to put additional controls in place to stay healthy!

Happy Thanksgiving.



Pandemic H1N1 – Part 2

This is my second post on the H1N1 flu. I have a daughter-in-law in the high risk category — she’s expecting twins in December and didn’t want to get the vaccine — but I did finally convince her. Also: while I was hosting my 150+ person webinar on how to handle the pandemic’s effect on your business — one of my employees came down with the flu. He was very sick for the first 3 days, and then slowly improved but still had a fever after five days.

We asked several questions during the webinar, which was very well attended by banks, hospitals, credit unions, and other companies. The one that surprised me was that only 40 percent of the people had a pandemic plan in place and about 20 percent didn’t know if they had a plan or not. When we are discussing alternate staffing plans, the place where you might see the most impact is in the IT area. IT managers and network managers usually have knowledge not shared with the rest of the organization.

It’s easy to get a temp to fill in as a receptionist, to add a salesperson, or replace clerical or admin functions, but to get someone who knows your network and how all the configurations work is a trickier proposition — and FLASH — IT and network people also get the flu!

One of the amazing facts from the webinar was that older people — that is, anyone who was alive in 1957 or right after, have a very low chance of getting the H1N1 virus (unless they have another underlying condition like asthma). This is because a similar strain went around the world in 1957 and so people from the era are relatively immune.

Another consideration to contemplate during this pandemic is whether to relax your requirements for employees to have to get a written doctor’s excuse — doctors may not have time to write one — and employees who only have the flu, but are staying at home sleeping, may not have to visit a physician or hospital. Another aspect to consider is whether you would rather have people stay out LONGER, to make sure they don’t infect others in your company.

A company full of 20-40 year olds is probably going to have more absences because they have small children at home. If you look at the flu maps for the last four months in the U.S., you can easily see that the flu started in March-April 2009 and then died down when school was out. School in session resulted in the 2nd wave of the pandemic that is still increasing, as we enter into the usual flu season.

If all the data was analyzed, I’m quite sure they would find that the concentration of children in school, colleges and universities is a big driver in keeping the flu numbers increasing.

One disturbing note was — children may not be protected completely from the first vaccine, but may need a booster. I saw this on the news this morning, and, with vaccine in short supply anyway, the idea that boosters may be needed would be very unwelcome.

By the end of next week, we should get a better idea of the trending of the flu waves and that will help companies in planning for increased absences. At the beginning of H1N1, experts were predicting a 20-40% absentee rate — so don’t take your eye off this pandemic.



How your health records are safer — or at least you’ll know about all the disclosures now….

Well – it wasn’t a billion dollar bailout and it wasn’t a new ‘public option’, but it was, on September 23rd, the official STARTING DAY of the new HIPAA breach disclosure rule, another tangible effect of the American Recovery and Reinvestment Act of 2009.

The breach disclosure rule is a little unusual in the way it dictates how healthcare entities have to behave if there is a disclosure of YOUR PHI (i.e. Protected Health Information). Your PHI could be interesting little tidbits of information like:

– detailed health info on 1000 Hollywood celebrities, probably all about face lifts, nose jobs and liposuction.

– Details on whose tubes got tied

– Embarrassing information on warts and other disgusting physical problems

– Or just info you don’t want everyone to know about.

The new Breach Disclosure rules protect you. Here are some of the details about what the organization that leaked your sensitive info has to do…

If the breach involved less than 500 individuals’ information, then you must be notified within sixty days and “without reasonable delay”. If more than 500 individuals’ information is breached, then the organization has to not only notify the Department of Health and Human Services, but also has to send out a press release and notify the media — film at eleven.

Covered organizations (covered entities) will not be penalized until February 22, 2010. So for now, organizations should make sure they have these disclosure guidelines in place and practice them, including training and awareness exercises, so they will be ready by February.

Organizations must also do an individual RISK ASSESSMENT on each breach to calculate the harm that the breach may do to an individual. For example, whether the breach would affect their health insurance, or their relationship!
There are additional considerations about whether the breach was done in error and actual disclosure was limited; or whether it was malicious disclosure – done on purpose, or for financial gain.

The breach notification rule, in my opinion, is just another manifestation of how serious the government has become about protecting personal information, whether it is protected health information, or personal financial information.

The FTC reported that identity theft is the number one consumer complaint and so protection of your information has moved up to the top of the list. Lucky us.



Did you Wash Your Hands Today? RISK and the H1N1 PANDEMIC

The CDC reported on August 29, that, as of April 15, 2009, a total of 9,079 hospitalizations and 593 deaths associated with 2009 influenza A (H1N1) viruses have been reported to the CDC.

I put on a seminar last week with the Florida International Bankers Association in Miami, Florida, and one of the topics on the menu was the H1N1 Flu. Now, about ten days later, the media is starting to report on H1N1 sweeping through the college campuses and elementary schools. It hasn’t hit employers hard yet, but I am confident that it will.

And this time it comes with some surprising statistics. The younger you are, the more at risk you are. Apparently if you are over 60, or born after 1956, you are mostly immune because a similar flu that made the rounds in ’57 gave people alive at the time antibodies that will protect them this time.

I have noticed the increase in sincere doctors talking about how they are going to immunize their own children – that is, after the new vaccine comes out in mid-October.

Hospitals have already been hit especially hard by the recession, due to the increase of patients who have lost their jobs, and therefore their health insurance; and that has increased activity in the local emergency rooms. But look what the forecast is for hospitals at the height of the possible epidemic — Under some models, seriously ill influenza patients could require 50 to 100 percent of intensive care unit (ICU) beds at the epidemic’s peak, stressing the medical and public health systems to the point of overwhelming some hospitals, and could cause from 30,000 to 90,000 deaths, concentrated among children and young adults.

I went to the local grocery and stocked up on hand sanitizer for the office and also lots of foil-wrapped sanitizing wipes – keeping them in my purse and suitcase, for those occasions where I have to shake a lot of hands.

What is the effect on a business if H1N1 does reach pandemic proportions?
Your personal risk varies depending on your age. Older workers will not be affected but take a look at your workforce and calculate how many have young children or school age children.

Since transmission increases in group settings, and kids are known for not being the most hygienic of creatures – there is a better than fair chance that your employees will have children who get sick and they will have to stay home with their children.
Some schools may have to close for 4-8 weeks. Especially since elementary school teachers are often in the target group and often have small children themselves. In my own office, two-thirds of the associates are under forty and half of those have small children. One expert said that if the 30% figure holds, then expect a ten-fold increase in absenteeism.

If your organization is part of the critical infrastructure, you might want to get a professional assessment of your risk, not just to identify it, but to get a set of operating procedures you can use if the pandemic does materialize.

Here are a few things to think about:

1. Encouraging an option for employees to work at home.
2. Deciding in advance what to do when an employee tells you he has H1N1.
3. Cross-training for important as well as critical functions.
4. Think about curtailing employee travel, if necessary.
5. Consider the impact if public transportation is not available, or not safe to use.

Seriously consider getting some No-Doz for your employees over sixty who may have to work much longer hours!!

AND DON’T FORGET TO WASH YOUR HANDS.



Crime & Punishment – Blame & Accountability

BLAME & ACCOUNTABILITY

Gee – they go together like a horse and carriage. The CIA Interrogation controversy has been front and center this past week and what stands out, no matter what side you take, is the blame game. Blame the old White House for overstepping authority; blame the new White House for waking up the sleeping dogs. Blame the lawyers. Blame the interrogators. Blame the detainees for being such intrinsically bad people.

A process tinged with so much blame highlights that there is another principle at work here – you could call it Greed (a la Gordon Gekko) and that is the phenomenon of skating right to the edge of an ethical question, or ‘getting away with as much as you can’.

The Getting Away With (GAW) principle is the polar opposite of Accountability. In the GAW, the question is never asked about whether something is legal, or moral, or right. Instead the question becomes one of degree and how far you can go without brushing up against laws, moral outrage, the notice of Congress or whatever.

If Accountability means taking responsibility for one’s actions, then GAW means not taking responsibility, not even admitting what is obviously happening, but instead pushing the responsibility onto someone else, i.e. the lawyers, the White House Counsel, the Justice Dept., the CIA, the individual interrogators. Sort of like a musical chairs game where you go as far as you can, do whatever you want, and hope by the time the game is over, someone else is left holding the bag.

If you are wondering what this has to do with RISK – it’s the pushing around of the accountability – responsibility. If risk is going to be addressed in an analytical manner, then you have to examine, and insist on, accountability.

So in a corporate setting, say the ENRON debacle – the justice system addresses who was accountable. Who knew what? Who signed the memos? Who shredded? Who decided?

In government decisions, there is almost a preference for non-accountability. Even though, as an organization with a budget, it should be judged just like a corporation, an association or anything else – there is a tendency for government to say “it’s the system”, as if decisions were made by the eight ball instead of an actual person. If you attribute each government decision made to an actual person, then you have accountability. Probably why there are so many committees!

Accountability is always the Number One Control!



How to get Management On Board with Security Enhancements — or how to avoid cocktail party security decisions.

One of the most aggravating issues that security people have to deal with is someone who has no security background and knows little about the current technology, who decides what should be funded based on:

1. My wife thinks cameras are an invasion of privacy.
2. My secretary likes X instead of Y.
3. My friend, Sam, said his company was adding some new widget.

This applies whether you are doing corporate security or information security and it is basically having your management make an emotional decision, or what I call a “cocktail party decision” about where the security budget should be spent.

Don’t confuse them with the facts. In fact, most of this is from people who do not understand the complexities of security or the interactions of various security solutions with each other.

Last evening, I spent quite a bit of time with a client from Asia, who had a big client who couldn’t decide which solutions they wanted to implement. Should it be A or B; and how to set it up? Regionally? by Business Unit? By Subsidiary? By Sub-subsidiary?

As we discussed it, I realized that the Director in question was really avoiding having to spend any money! It wasn’t about the decision – it was sort of smoke and mirrors to avoid having to admit a lack of funding for security.

In these cases, when your organization may have had the budget trimmed, cut or slashed — it is imperative to be able to use some quantitative measurement of the risk to justify the cost of the controls. Whether you have enough budget for one control, or for everything, it must always be prioritized by NEED and by RISK. By Return On Investment. What losses can we prevent or avoid if we add this specific control? How much loss are we preventing? What is our potential exposure if we do nothing?

These are the elements that need to be understood by management in order to get the right controls in place, in the right amounts, at the right time.



THE WANTED — NEW TV SHOW ILLUSTRATES THE CONCEPT OF ACCOUNTABILITY

If one picture is worth a thousand words, then this new TV show “The Wanted” is worth about a million words!

The debut of “The Wanted” showed the terrorist-fighting journalists meeting with the Norwegian government to find out how to get a Jihad-loving Mullah deported back to Iraq to face charges for murder. The interesting twist of this series is that it shows the journalists meeting with, and clearly identifying, the woman and agency in Norway that is protecting the mullah. They go on to meet with other politicians in Norway and step through all the red tape to find out — what is required to get this terrorist out of Norway and to Iraq to face charges.

Their actions have already set a chain of events in motion including having Iraqi officials say they will not give the Mullah the death penalty, which is apparently what Norway wanted to hear. But even after that concession was made, the person directly in charge of having him deported, was still denying that he would be sent back.

Enter accountability! One TV show with the individual’s picture on it — and the bureaucracy is exposed and now action takes place and spurs other actions.

It reminded me of the power of having individuals’ names linked to their truthful answers about how well or poorly they were complying with specific security requirements. You can talk about high, medium, and low until your face turns blue, but it is just theoretical talk — until you actually show real names, with real answers and then it becomes REAL. It becomes actionable intelligence that is much much harder to ignore or push away, out of your consciousness.

I have never discussed a TV show before — but you should check out THE WANTED and see how it focuses the white light of accountability on everyone who is interviewed!! Monday nights on Dateline — catch it.



Hotel Bombing in Jakarta – A Dangerous Trend

The hotel bombings yesterday were a bad sign. According to an article this morning in USA TODAY, both hotels had been assessed by iJet, a security and intelligence company based in Annapolis, and had received high ratings, said iJet president Bruce McIndoe. The fact that Friday’s blast didn’t do more damage shows those measures were effective, McIndoe said.

“(With) the new security procedures, all they could do is get suicide bombers in and blow out some windows,” he said. “You can’t stop it — there’s no 100% foolproof way. But they’ve minimized the impact. It was a fairly sophisticated operation. (The terrorists) put a lot of time and effort into this, with very little outcome (in terms of ) death and destruction.”

McIndoe is correct that there wasn’t a catastrophic loss of life in these bombings and the damage was relatively minimal. I started to review some of my hotel experiences and see how much security you COULD put into an international business hotel. If the bombers took the bombs right up to their rooms in their suitcases — there are a couple of obvious next steps.

1. All luggage gets turned over to hotel staff at the curb, or entry area, and then is screened in an anteroom before it is taken up to the room by the hotel security staff. That seems to be a relatively easy program to implement, and would dramatically improve security.

2. Bring in the x-ray scanners and all visitors go thru the metal detector and have luggage, briefcases and shopping bags inspected upon entering the hotel. This would be more expensive and intrusive, but probably more effective and just one more travel inconvenience to get used to.

We have a model developed for hotel and casino security. The hotel/hospitality model is a little more complicated than your average business facility because it has more than one purpose. What I mean is that a business is usually set up to conduct business — but a hotel/casino has several lines of business including overnight room business; gambling; shops; restaurant business and also meeting business. All these have different objectives and they influence the other business lines.

The maids, maintenance personnel, engineers, waitresses, cooks, etc., are all local elements that could potentially be used to gain access for terrorism purposes. Everyone has a cousin somewhere that may use family ties to get access to even a secure facility. The stowaways that get into ships are almost always the result of the exploitation of family ties.

Better background checks conducted on hotel personnel may be another area that needs work, and would probably improve the hotel’s bottom line because other areas such as cash-handling and letting friends access empty rooms could also be improved at the same time.

Having stricter access controls and luggage/package controls at hotels would just extend the aggravation of current airport security programs right to your next hotel. Let’s hope it doesn’t come too soon.



