Internet security is in a position similar to that of safety in the medical industry. Many doctors have an opinion like this one:
“Only 33% of my patients with diabetes have glycated hemoglobin levels that are at goal. Only 44% have cholesterol levels at goal. A measly 26% have blood pressure at goal. All my grades are well below my institution’s targets.”
And she says, “I don’t even bother checking the results anymore. I just quietly push the reports under my pile of unread journals, phone messages, insurance forms, and prior authorizations.”
“Inadequate Investigation or Followup on Accident Reports. Every company building safety-critical systems should have audit trails and analysis procedures that are applied whenever any hint of a problem is found that might lead to an accident.” p. 47
“Government Oversight and Standards. Once the FDA got involved in the Therac-25, their response was impressive, especially considering how little experience they had with similar problems in computer-controlled medical devices. Since the Therac-25 events, the FDA has moved to improve the reporting system and to augment their procedures and guidelines to include software. The input and pressure from the user group was also important in getting the machine fixed and provides an important lesson to users in other industries.” pp. 48-49
The lesson is that you have to have built-in audit, reporting, transparency, and user visibility for reputation.
“Actor Dennis Quaid has become an advocate for electronic medical records. In 2007 his 12-day-old twins received a massive accidental overdose (10,000 units of heparin instead of 10 units), a near-fatal error that could have been prevented by the kind of bar code technology that the VA has been using for decades. (Yes, folks, sorry, a government institution was decades ahead of privatized healthcare on this.)”
“Quaid points out that the widely quoted 100,000 accidental deaths every year from medical errors equates to a major airline crash every day.”
If you grew up in a small town, you’d likely cross the street without stopping to look each way. Try that in New York City, and you’ll end up in the hospital. Similarly, most of us grew up in meatspace and clicking on any old link in cyberspace often ends up with our bank account in the hospital.
OK, that was my mangled simile, but it illustrates what Michael Kaiser and the National Security Alliance are trying to do: educate the public about what to do and not do in cyberspace without losing their audience with technical details or lengthy pedantic instructions. In his talk at APWG he had all sorts of interesting points, such as addressing different audiences (K-12, small business, elderly, etc.) differently, and that it’s not just about unlearning bad habits (including ones that would be good habits in other contexts), it’s about teaching good habits. And changing habits of any kind requires repetition and persistence. As Kaiser said, look at the CDC and its ongoing campaigns for prevention of HIV, domestic violence, etc.
Personally, I think staysafeonline.org could use more graphics and less text, or, more importantly, more storyline. It seems a tad pedantic to me. More poets in prevention! Or more marketing in staying safe. Or something.