But it’s such a lovely panopticon, I’d hate to have to return it

Anyone else not surprised by recent findings from this internal report from the London police force? The net of it is that closed-circuit television (CCTV) cameras do little to solve crimes. It seems that the success rate is 1,000 cameras per solved crime. Just a few million more cameras and we’ve got the crime thing licked, eh?

Questions that I’d like to see answered are:

  • How many crimes were not committed because of the presence of a CCTV camera?
  • How many crimes were committed in a different location because of the presence of a CCTV camera?

The first question is impossible to answer. The second can be answered, and a UC Berkeley study of the city of San Francisco’s CCTV camera efficacy has been released. You can read about the results here and here. The San Francisco study shows the cameras move crime from areas near cameras to areas away from cameras – no big surprise there.

As I have mentioned previously on Tuesdaynight, trading the feeling of safety (without an actual increase in safety) for an invasive, always-on, 3rd-party-accessible video monitoring presence is a choice that leads to a far more paranoid society, less willing to engage in social behavior and less like the kinds of societies in which we want to participate.

The role of design in protecting cyberspace: thoughts from CFP 2009

Among the sessions in this year’s Computers, Freedom and Privacy conference was a panel on the recently released National review of cyber-security. Ed Felten presented three related areas that he believes have to be improved in equal measure to improve overall cyber-security:

  1. Product development
  2. System administration
  3. User behavior

But, to me, there was something missing from the list – product design.

Too often I have seen products whose user interface, in fact its entire user experience, was constructed after the fact. First the special sauce gets codified, then the chrome is put on and the product gets a face. It is easy to recognize products that have been built in this way as they tend to expose their internal data models to users, forcing users to adopt the metaphors of the engineers that built the product in the first place. These types of products make problems internal to the product problems for the end-user and this can lead to very bad things. See Three Mile Island as an example. Poor user experience design leads to so-called “user error,” but is it really user error if the end-user is confronted with meaningless alarms, confusing error messages, and misleading feedback?

At CFP, I talked to Bruce Schneier about his research that went into Beyond Fear to get a better understanding of the psychology of fear and its relation to security. As you probably know, humans (and other animals too) are fantastically bad at evaluating risk. Optimism bias and other factors cause us to either over- or under-estimate risks. Combine this with the fact that how choices are presented directly influences how choices are made and you realize the crucial need to build better user experiences for security (frankly, all) products.

“Is everything okay with the mother ship and should we blow up Russia?” This is the question presented to Buckaroo Banzai and I think I’ve seen a form of it as a dialogue box in Windows. Would it be considered user error if an end-user pressed the “Yes” button and nuked Moscow? Bad design is at the least confusing and at the worst dangerous.

I did talk to Ed afterwards and he acknowledged the role of design in product development. As he said, if we only attempt to improve one of the three areas (product development or system administration or user behavior) we won’t improve cyber-security; we have to improve all three. User experience design as a part of an improved product development process can directly lead to better, more informed user behavior. Okay, you product managers and designers, make your voices heard – better, safer products through better design!

(Cross-posted from Burton Group’s Identity Blog.)

Your network ate my fine-grained auth engine: Cisco to acquire Securent

Cisco has announced it has agreed to acquire Securent. First off, congrats to my friends there. Well done.

Second, I have to wonder about this one. It makes a form of sense to integrate Securent into SONA. That makes sense… at some point. I wonder how baked the addressable market is for fine-grained authorization capabilities managed from the network through the application stack. Abstracting routing tables to business processes and objects is definitely an interesting one, but when does it really transition from an interesting academic exercise into a Cisco-sized market?

Third, Andras Cser over at Forrester writes:

Given the fact that enterprises are increasingly looking for integrated IAM stacks, the entry of Cisco into the entitlement management market will require a clear strategy of becoming a provider of IAM solutions either through organic growth or by acquisition.

If Cisco is really getting into the IAM market, they picked a bit of an unusual beachhead. Entitlement management and fine-grained auth are emerging submarkets within IAM; they are important, but are significantly smaller markets than web access management, enterprise single sign-on, user provisioning, etc. If Cisco is that serious about tackling this market, it seems to me they would have started with a more mainstream, mature area.