Security is making people NOT fly.

I’m getting old and crotchety. Apparently I’m not alone. CNN reports that 100,000 people a day are choosing NOT to fly, because of the “inconvenience” involved. That’s 41 million flights a year. ( http://www.cnn.com/2008/TRAVEL/05/30/airtravel.decline.ap/index.html )

We all started flying, commercially, 70 years ago because it was “convenient”; expensive, but convenient. Safety was poor, but convenient was more important. Over time, due in large part to the FAA, safety improved. It actually improved to the point that flying is now the safest method of travel available on the planet.

For at least some of us (some 100,000 people a day) driving has now become more convenient than flying — even though it is frequently slower (for trips over 4 hours), it is more work (you have to drive yourself), more dangerous, and potentially more expensive. For at least some of us, there is now TOO MUCH security. I’m a “security guy” and for me Air Travel now has too much of a good thing.

When the FAA was trying to make air travel safe they focused on certain types of “threats,” primarily mechanical failure, pilot failure, and air traffic control (ATC) to direct traffic, and implemented systems to reduce the occurrence of catastrophic failures in those areas to minuscule numbers. For better or worse, they didn’t focus much on “bombers” or “hijackers,” with some exceptions. For example, you used to have “flight insurance” - really “crash life insurance” counters at every airport selling policies. In the bad old days, bombers were known to put a bomb in the luggage, their spouse on the plane, and buy a policy on the spouse on the way out of the airport. Removing the on-site insurance sellers removed some of the positive incentive.

For many years (up until Sept. 11, 2001), the standard procedure for dealing with a hijacking was to negotiate. This negotiating approach, sometimes lead to armed rescues, but it generally produced low loss of life.

Then, the threat changed. And it changed both the vectors of “likelihood” and of “size of damage.” Using packed airliners as missiles changes the game.

The US government responded with the TSA, now part of Homeland Security. Please note that the FAA is NOT involved any longer in this aspect of airline safety, with some minor exceptions (stronger cockpit doors being one). Whether you like it or not, in the US, the TSA is now responsible for airline security. Personally, I’m one of those who believe the TSA is mostly Security Theater (coined by Bruce Schneier — Beyond Fear: Thinking Sensibly About Security in an Uncertain World.), rather than real security. TSA will disagree and point to mountains of confiscated “weapons” and to the absence of successful hijackings.

What gets overlooked is the cost/benefit ratio. One of the basic tenets of information security is not to spend a $1 million dollars protecting a $1,000 asset. The direct and indirect costs of the TSA are ridiculously out of proportion to the benefit.

Another tenet is that you have to balance security and user convenience. If you make it too inconvenient, users will avoid or subvert your security. If they can’t subvert it, they’ll simply avoid it, whether it is requiring a log-in to post a blog comment, or getting “wanded” to board a plane.

People are willing to pay for convenience. If you inconvenience your customers, they WILL avoid you. TSA is inconvenience on a massive scale, and it could well kill the airline industry as we know it.

People expect, and SHOULD expect a certain level of respect. Respect for their person, respect for their time, respect for their property, respect for their privacy and respect for their psyche. Current TSA security theater dis-respects people on all five counts.

Filed under: Security