Friday, April 2, 2010

Haiti, Urns, and Non-Quantifiable Risks

I've been too busy to post lately because I went on a mission trip with our church to Haiti. It was a fantastic experience, so I started another blog about it at Please check it out and let me know what you think!

There are definite lessons from the security perspective, though. It is no secret to professionals in the field that we tend to over-estimate the risks of what is unfamiliar and novel, and under-estimate other risks.

Concerning Haiti, much has been sensationalized in the press about gang kidnappings. However, our mission group drove all over and almost everyone was friendly and there were no gangs in sight. In fact, the UN and the police have been cracking down on the gangs, with some success. We definitely worried about the risk way too much.

At the same time, I kept emphasizing to our group that we should not get complacent. Everyone was starting to relax as we kept going places and nothing happened. For example, one day we got lost and were driving through unnamed alleys and streets and rocky dirt roads; the driver didn't speak English and was lost, we had no interpreter, and though this wasn't a bad area, it wasn't far from one. I took our team leader to task, insisting that we must always take "reasonable and prudent measures."

I told the group Bob Blakley's story about the Fallacy of Induction, which he wrote about in his Burton Group report "Managing Non-Quantifiable Risks." Imagine that you have an urn and are told it is full of red marbles and blue marbles. You can draw one marble at a time out of the urn; blue marbles are good but red marbles are very, very bad. And you can't see into the urn, so you don't know whether it is full of one color of marble or mixed, what the proportions are, or whether the marbles are random or how they are distributed.

So, you could draw a long string of blue marbles and go on without a care in the world, let your guard down, and then draw a red marble. Oops! So let's not let familiarity make us complacent.
There could even be an evil child sitting above the urn, watching someone draw blue marbles, and waiting for the perfect time to drop a red marble on you. Kidnap risk, insider IT risk, and even some external hacker risks could be like that enigmatic urn.
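
The urn argument as an added Python sketch (not from the original post or from Blakley's report); the function names, the 95% confidence level and the 100-draw streak are assumptions chosen for illustration. It shows that a bound computed from a blue streak holds only if draws are independent, while the "evil child" urn produces the identical streak and then a red marble.

```python
import random

def max_red_fraction(n_blue, confidence=0.95):
    """Largest red fraction still plausible after n_blue straight blue draws,
    ASSUMING independent draws from a fixed mix: solve (1 - p)**n = 1 - confidence."""
    return 1.0 - (1.0 - confidence) ** (1.0 / n_blue)

def random_urn(p_red, rng):
    """Fixed-mix urn: every draw is red with probability p_red."""
    while True:
        yield "red" if rng.random() < p_red else "blue"

def evil_child_urn(wait):
    """Adversarial urn: blue while the drawer is alert, red after `wait` draws."""
    for _ in range(wait):
        yield "blue"
    while True:
        yield "red"

def history(urn, n):
    """First n marbles drawn from an urn."""
    return [next(urn) for _ in range(n)]

def blues_before_red(urn, limit):
    """Number of blue draws before the first red, or None if none within limit."""
    for i in range(limit):
        if next(urn) == "red":
            return i
    return None

if __name__ == "__main__":
    streak = 100  # constructed value for the illustration
    print(f"i.i.d. 95% bound on red fraction: {max_red_fraction(streak):.4f}")
    all_blue = history(random_urn(0.0, random.Random(1)), streak)
    adversarial = history(evil_child_urn(streak), streak)
    # The observer cannot tell these two urns apart from the streak alone.
    print("histories identical:", all_blue == adversarial)
    print("evil child strikes on draw:",
          blues_before_red(evil_child_urn(streak), 1000) + 1)
```

The bound of roughly 3% is a statement about a fixed-mix urn only; against an urn that reacts to the drawer, the same 100 blue marbles say nothing about draw 101.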

Well, I didn't talk about security the whole time on the mission trip. We did a lot of good work, putting solar panels and water pumps into a combined church, clinic and school. And it was a great trip. I'm still writing all about it at