
What Jurassic Park taught us about cyber risk


The tl;dr version of this post: don’t forget about the insider threat!

This week I attended the first in a series of three events by the Institution of Civil Engineers entitled Preparing London. This particular event was designed to consider the human threats to infrastructure.

During a talk from Nathan Jones (see this blog on his talk) my mind wandered and wondered…Did Jurassic Park teach me everything I know about cyber risk?

God damn it! I hate this hacker crap!

Ok, so maybe not everything worth knowing about cyber risk is summarised in Jurassic Park, but it’s a useful introduction into what happens when the tables are turned and technology which usually helps keep us safe, becomes the risk.

Everything in Jurassic Park is connected. The electric fences, the lighting in the visitor centre, the locks on the doors. When it’s working as planned, this connectivity helps the park’s management maintain an efficient operation and a positive guest experience.

However, such a complex system requires some centralised control.  Looking at this through a business continuity lens, this is a clear single point of failure. An inherent risk.

This has clear parallels with our modern society and the interdependencies between systems that I’ve talked about previously.

Dennis Nedry exploits his colleagues’ limited understanding to enact his attack. He uses his tech-savvy advantage to provide cover for his theft of intellectual property, whilst putting lots of people in danger. The ultimate lesson here is that the real monsters aren’t the dinosaurs.

Objects in mirror are closer than they appear.

As well as a light-hearted moment during the dinosaur chase sequence, I think Spielberg also snuck this in as a metaphor for risks manifesting in ways which had not been considered.

Were the Jurassic Park team aware of cyber risk? Yes, there is literally a scene about passwords. I expect a lot of people assume that a good password is all they need for their IT security.

It’s clear they had also considered other risks, and had taken proactive action to control that risk. Electric fences, professional hunters, CCTV and motion sensors and the attempt at all-female genetic engineering are just some of the risk controls in the film.

But had the team considered the possibility that an employee would want to hold the park to ransom for personal gain? Could they have identified the vulnerability of the computerised control? Could they have done more in advance to protect the systems from malicious attack?

Dennis, our lives are in your hands.

Early in the film there are hints at Nedry’s personal financial difficulties. Later he mumbles to himself about test runs of his embryo heist.

John Hammond, the park owner, recognises the power that Nedry has.

There were clearly signals which the team missed, and knowledge which, if combined, could have allowed an intervention before he got the opportunity to shut down the park.

Clever girl / I know this.

Just as the team hadn’t anticipated an insider threat, Nedry wasn’t expecting a tech-savvy teenager to thwart his plan.

Just when it looks like the raptors will get into the control room, Lex (the park owner’s granddaughter) recognises the Unix system and takes matters into her own hands.

The actual interface may be debatable (in researching (yes, research!) this post I’ve found that it was technically available, but I’m doubtful that a school student would have been aware), but it comes as no surprise that kids have a natural affinity with the technology that adults have to think about.

Side note: Provided the right precautions are in place to prevent unauthorised use, user friendly systems aren’t just a productivity win; they help prevent people finding work-arounds or backdoors.

Life finds a way.

With the ever increasing access to, and pervasiveness of the Internet and smart devices, Jurassic Park remains relevant today.

I’d argue that we’ve already reached a point where complete understanding of system interdependencies is impossible. Our societies and the technologies used are just too complex. However, we can continue to challenge our assumptions, keep our risk assessments grounded in reality and take action in advance to mitigate that risk.

It’s also a reminder that physical and IT security are just parts of the puzzle when it comes to risk management. Solutions are also required, sadly, to protect against malicious attack by either insiders or outsiders.

It’s also just a really great film!

30 Days 30 Ways – UK vs USA


You may remember that I participated in the American initiative 30 Days 30 Ways last September. It’s a monthly series of daily challenges designed to be simple tasks to help improve emergency preparedness. This year, colleagues in Northamptonshire have also developed a UK version.

Having a local version of the game is great. I found lots of the challenges last year rather difficult and the reason that I gave for this was down to different structures and practices. However, I drew this conclusion with very limited evidence….

Big Brother Eye and EP

As I’m involved in promoting #30Days30WaysUK, and therefore know the list of challenges, it would be a bit of a conflict of interest for me to participate properly. Instead, I’ve set myself the rather impossible challenge of completing tasks from both the UK and USA versions with a view to drawing out similarities and differences.

Each day (or as often as I can) I’ll provide my ‘answers’ to both the UK and International challenges. Where I can I’ll also provide trackbacks to my musings last year.

UK Challenge 1 – talk about emergency preparedness and develop a grab bag

Ok, part one is easy, I talk about emergency planning fairly often, although mostly in a work context rather than how I would actually respond myself.

Those who know me will have heard about my Zombie Apocalypse bag. In reality it’s more of a series of small packs that I’ve stashed in various locations (not just at home) which have some essential items.

There isn’t so much of a grab bag culture in the UK. I think this is largely because we don’t face many of the acute risks that other places do. UK citizens are unlikely to be directly affected by earthquakes, volcanoes or hurricanes, so I’m not convinced that encouraging members of the public to be able to live ‘off the grid’ for 3 days would ever have any traction. I do, though, think there is merit in having situation-dependent grab bags – live in a flood zone, then have a flood kit prepared; driving in the winter, better pack your winter car kit.

I despise checklists, especially when it comes to grab bags. There isn’t one bag to rule them all. Each of us needs to tailor the contents to specific actual and perceived needs.

Many of us pack grab bags on a daily basis – whether it’s children’s school bags or the bags we each take to work. They contain what we think we need to get through the day. If you have a gym bag, it has the necessary items you’ll need for your workout. If you’re pregnant then your grab bag for the hospital contains essentials for mother and baby in the first few hours. A grab bag for emergencies is really no different – some key items that might make the disruption more bearable, but as different emergencies would have different impact I’m not keen on the grab-bag-by-numbers approach.

So, whilst I won’t be consolidating my grab bags into one, I’ll stick to maintaining my series of pick’n’mix grab packs!

USA Challenge 1 – Share a sign that illustrates a preparedness message

Any tourist that’s been to London in the last 8 years will know that you can’t move for souvenirs plastered with the Keep Calm and Carry On logo. It’s a fantastically simple message, but I thought it was too obvious a choice.


So after some head scratching and googling I opted for this sign taken about 20 mins from where I live, regarding the Oak Processionary Moth.


Although recently removed from the London Risk Register this remains my favourite (and by far the cutest) risk I have been involved with!

In case it’s not something you’re familiar with, the spines on the caterpillars can aggravate existing respiratory conditions such as asthma, but the little critters can also do damage to oak trees themselves.

Day 1 down, just 29 more to go!

Oh, and the top image is ‘adapted’ from this year’s Celebrity Big Brother logo. If the big wigs at Endemol don’t like my edits then I’ll remove it; until then I’ll take my chances!

What’s in a name: toponymy and risk


Two years ago I sat on the underground with my friend Martin and studied the tube map for places with the suffix –ham, which means farm (I’ve found activities like this make the journey go quicker!). It was clear from those place names that London’s metropolis actually grew from a large number of farms, and that a lot can be understood about history just from what we call places. I didn’t then realise that I’d come back to blog about this in relation to risk!

Recently I attended a presentation from Somerset County Council on their experience of flooding in Winter 2013/14. The presenter made one comment which really resonated with me:

“Muchelney…by the way, any place names which end in ‘ney’ means island…”

It was just a passing comment, but one which I’ve been reflecting on for a little while. Place names reflect local history, so can toponymy tell us anything about risk?

If a place has a history of repeated emergencies (let’s say flooding), does that become part of its present and future through being incorporated into its name? To explore this a little I thought I’d investigate the meaning of place names on the Wikipedia UK flood list.

| Modern Place Name | Meaning | Place name is a possible indicator of flood risk? |
|---|---|---|
| London | We’re often told that London has its roots in the Latin Londinium; however, Richard Coates suggests it could derive from the earlier Old European plowonidā meaning ‘river too wide or deep to ford’. Flooding from a wide and deep river could have significant consequences. | Yes |
| Sheffield | Open Land by the River Sheaf | Yes |
| Lynmouth | Mouth of the River Lyn (meaning ‘torrent’) | Yes |
| Canvey Island | Not a lot of consensus, but either means Island of Cana’s People or Island Island. | Possibly |
| Glasgow | Green hollow | Possibly |
| Boscastle | Botreaux Castle | No |
| Cockermouth | Mouth of the River Cocker (meaning ‘crooked one’) | Yes |
| Cumbria | Compatriot Land / Countrymen | No |
| Somerset Levels | Somerset – Settlers by sea lakes; Levels – refers to level marine clays | Yes |
| Wraysbury | Wïgrǣd’s fort | No |

A quick Google later and I found this map via Being The Hunt, which provides the meaning of country names in Europe. At this level it doesn’t say much about risk (with the exception of Land of Revolt), but I wonder whether the same could be done for place names in the UK/London, and what hidden patterns this might reveal?


And it’s not just place names. Our own names may give some indication about historical events and could potentially be used to infer future risk…

The map below shows the prevalence of the surname Flood in England in 1891. What strikes me is that the surname is more common in coastal areas or those which anecdotally are prone to flooding. It’s impossible to infer much from this, but it would be interesting to do a longitudinal study to see how these surname clusters have moved over time, and it’s an interesting pattern nevertheless!

I’m not sure, other than being interesting, what a detailed exploration of this would reveal. However, I’ve recently been doing some work on risk perception, and wonder whether people who live in places which have flood-related names have a higher degree of risk awareness?

Your thoughts and comments would be welcomed. This is very much just a collection of half-formed ideas rolling around in my head, and if anyone could help me make sense of them that’d be great!

Londonist have just released another alternative Tube map – I wonder if their next one could be ‘meanings’ of current places?

Pin the Risk on the Register


It’s been a while since I last blogged. I’d like to say that I’ve been busy with other things, or have been honing and fine-tuning this update for months. I really would like to say that.

Pin The Tail On the Donkey

However, the reality is that for a while there wasn’t anything I was finding particularly sharable, and then because it’d been a while I forgot my password to log in! However, I am back with renewed passion, and a plethora of things that I want to get off my chest about emergency management and resilience. *pauses for whooping*

Earlier in the year I attended the International Pint of Science Festival 2014 in London, where “interesting, fun and relevant cutting-edge science talks are delivered in an accessible format to the public – in the pub!”. That sounded like my kind of event, and even better, the pub in question was a boat! So I headed ‘below deck’ on Thamesis Dock (a converted Dutch barge moored just between Vauxhall and Lambeth Bridges) and propped up the bar!

First up was Faith Turner talking about the mechanics of landslides, which was particularly pertinent as the Oso landslide in Washington had just happened. With a nod to the Royal Institution Christmas Lectures, Faith revealed her demonstrator “Andrex Mountain”, to show some of the mechanics in play. However, this was essentially the warm up act…

Next was Professor Bruce Malamud from King’s College London talking about risk and how the public and experts can have different perceptions.

In preparation for the TV programme Perfect Storms: Disasters that changed the world (Yesterday 2013), the producers contacted Bruce to consider the results of a survey that they had undertaken. In what I expect was a bit like Family Fortunes, a group of 2000 people were asked ‘how risky’ they thought a number of scenarios were. The results of this survey were then compared to the ‘expert assessment of risk’ in the form of the National Risk Register.

What the study revealed (putting methodological flaws to one side) was that in some cases the expert and public perceptions of risk line up quite well, but for other scenarios there is a dramatic difference of opinion.

I spoke to Bruce after the talk, and we’re now looking at conducting some further research using the Talk London platform to see if there are wide discrepancies in risk perception specifically in London. Essentially I want to play a game of Pin the Risk on the Register!

Awareness of what people are concerned about (and what they’re not) as well as a deeper understanding of factors that influence risk perception will then hopefully be useful in making our risk communication more effective.

For example – Heatwave is assessed as a High Risk, yet routinely people don’t take too much action either in advance of or during a heatwave. What factors influence that behaviour? How can we better understand the public perception of Heatwaves, and use that to target communications more effectively? (This particular example comes from a conversation with my parents late last summer when I ‘got it in the neck’ with questions like “What does a Level 4 Heatwave mean?” and “Can’t you find something better to say than keep cool when it’s hot?”)

As the project develops I’ll keep you updated on what we find out and how it influences our thinking!

Events: another horn on the same goat?

I’m going to put myself out there and just say it…emergency planning in isolation is pointless. If this goat had just one horn, it would be more vulnerable. By working with other risk reduction initiatives, emergency management can help reduce vulnerability more than it could working in isolation.

Goat

I could come up with the most fantastic plans and develop the most immersive training programmes in the world, but doing that all by my lonesome would be a waste of time. One facet of emergency management that I enjoy is the ability to work with a diverse range of practitioners who know everything from GIS to Chemical Hazards and Triage to take-downs. The skill of the Emergency Manager is bringing those different strands together so that if needed there can be a coordinated response.

However, what bugs me is when people don’t see the connections. I expect this will be a situation I find myself in tomorrow.

I will be proposing that, as well as considering the risk of ‘emergencies’ such as natural hazards, industrial accidents or malicious attacks, we should consider the risk posed by ‘events’ like sports matches and concerts. I already expect to face a hard time with this suggestion.

I know it’s not the case across the board in the UK, but in my recent experience emergency planning is quite strongly divorced from events.

What do the following have in common?

Mass Crowd Incidents

Soomaroo and Murray identified 156 incidents at planned events between 1971 and 2011. Of these, the 21 listed above identified specific lessons for disaster preparedness. Admittedly different degrees of planning are required for a wedding compared to a music festival, but none of these events or similar events since (Boston Marathon etc) could be considered spontaneous.

Evidence demonstrates that emergencies can, and sadly do, happen at planned events. Whilst it’s true that there is Health and Safety, Licensing and a whole host of other policy areas working to control risks associated with events, what harm could it cause for events to be considered by the resilience community?

Just in the 21 examples above a staggering 3,758 people died and 4,508 were injured at events where, I suggest, they expected to be safe. Surely the inclusion of emergency management professionals in the event planning process could help manage some of the inherent risk in bringing large numbers of people together?

Whack-a-Mole Resilience


I don’t condone mole-whacking and here’s why…

Whack a Mole

Blog posts have been a little sparse recently. Since the St Jude storm in October 2013 the weather in the UK has been ‘freaky’ (this was a comment made by a colleague at the Met Office, there’s no arguing with insight like that!). Storms, gales, unprecedented rainfall, flooding…you name it, it’s battered our green and pleasant land!

London has largely escaped the worst of the weather. There have been some issues relating to groundwater flooding in susceptible areas, but nothing on the scale of what has been seen in Somerset or Surrey. (Incidentally, whilst this is terrible for those people affected, I do encourage people to occasionally pause, look at international incidents, and try to maintain a degree of perspective.) However, an absence of significant impact hasn’t meant that a lot of work and long hours haven’t been necessary.

Since early February people have been beavering away (yes, another mammalian metaphor!) both on the ground and in offices to try and mitigate the impacts that flooding is having, or could potentially have in London.

Risk management is a funny old thing, and not dissimilar to that whack a mole game.

Take flood defences, massive investment like the construction of the Thames Barrier brings flood risk ‘under control’. This, combined with continually changing political drives, means that resource and attention is then focused elsewhere; counter terrorism perhaps, or protection against space weather. However, a combination of changing science, political oscillation and adjustment to resourcing mean that at some point the ‘control’ offered by the intervention diminishes and the risk returns. And whilst the risk returns to the same level, the vulnerability to it has increased, often because there has been development in that area.

The mole has popped up again, this time bigger and angrier. While our natural reaction, and that observed in the current flooding, is to whack the mole (“we need to prevent this from happening again”), inevitably that will mean that attention is taken away from managing some other risk, providing an opportunity for a different mole to emerge.

Whilst I’m not surprised about the forward-leaning nature of politicians and senior leadership that has been seen recently in the UK (this seems to be an international trend) I think it’s important to stand far enough away from each mole individually to see when the next one is about to pop up.

Also, moles are undeniably cute, and don’t deserve to be whacked!

UPDATE: it looks like I’m not the only one to have observed this whack a mole effect. CNN reported a similar situation when talking specifically about the Fukushima response late last year.

Image credit: technabob.com

Talking about talking about risk

Apocalyptic movies are a successful genre; 2012 took $769,679,473 at the box office. By my rudimentary maths, working on an average ticket price of £8, this means 64,456,930 people (globally) have seen John Cusack fly a plane through tumbling skyscrapers (if you haven’t, there’s a still below). Anyway, what’s the point of this…well, despite movie success, getting the public to appreciate real risks of emergencies is often a challenge.

2012 still

There are a number of reasons for this, not least the range of heuristics and biases which limit all of our abilities to accurately perceive risk (and which are partly shaped by movies). However, the aspect that I’m focusing on here relates to accessibility, by which I mean the ease of understanding information, not whether it’s available in large print and different languages.

To be clear, I don’t advocate “dumbing down” content, but I do think that there are ways of presenting information which facilitate its ease of use. Too often we conceptualise ‘the public’ as abstract dimwits with a reading age of 7 and no ability to have their own thoughts. I firmly oppose this stance and we should remember that “out there” are incredibly intelligent business people, entrepreneurs, professors, doctors and whole swathes of people exposed to complex information on a daily basis.

Having a lead responsibility for risk assessment in London means I spend much of my time thinking about how we can communicate risk information both to professional partners, but also to the public. We’ve certainly seen the Rise of the Infographic over the last couple of years, as shown in the Google Trends graph below. I’m currently playing with some thoughts on how this infographic approach could be used in the context of risk assessment.

Another approach that I’ve been trying recently is to avoid sending people directly to a risk register. A 40 page document doesn’t sound like something even I want to read, so why would anyone else? I discovered Prezi about 2 years ago, and have recently developed the presentation below to outline the London Risk Register. It’s already had nearly 1000 views, which is significantly more than the number of hits the London Risk Register has received. I’m not saying that’s an indicator of successful risk communication, but perhaps it indicates that providing risk information in non-traditional ways (by which I mean, not a document) is preferable?

Take a look, what do you think? Is this a more convenient way for the public and community to receive risk information? Does it break down any of the barriers associated with traditional methods, or are people just interested in the novelty of Prezi’s zooming?

Image Credit: Columbia Pictures