Bike Helmets & The Limit of Controls


I had an unfortunate bicycle accident last week (yep, that's me below - if you think the right side of my face looks rough - and it is, with non-displacement fractures - consider that I primarily landed on my right shoulder). I was riding on a paved trail, standing up to pump uphill, when the chain jumped and locked up the rear tire. At 7-10mph, I couldn't control the sudden and unexpected deceleration, causing me to fly over the handlebars at an awkward angle. Yes, I was wearing a helmet, though it appears to have only sustained a glancing blow.


In my years of biking, one thought has occurred to me repeatedly, which is: What's the marginal utility of bicycle helmets? Consider the helmet below (which is very similar to the one I was wearing), and then think about the injuries to my face depicted above. What do you notice? What I notice is that the helmet provides very little protection for the ears and side of the face, and certainly nothing for the front of the face. Which makes me wonder... if bike helmets are so important, then why don't they protect more of the head?

When we architect our security solutions, do we typically focus on the benefits or the limitations? It seems that most of the time we look at the benefits, oftentimes overstating how good the solution will be without necessarily getting very far into the limits on effectiveness. To make matters worse, in our compliance- and audit-driven environments, we're oftentimes more concerned with the presence of a control (e.g., wearing a bike helmet) than the effectiveness of that control or the limits on its utility.

It seems to me that this is perhaps a major component to our current failures as an industry. Too often we focus on defining a single requirement - often in a vacuum - and how to meet it with a control. Unfortunately, as ongoing breaches of various organizations have shown us, it's not about the controls implemented, but about the holes between those controls. That is, it's not how well our control is implemented, but what the limits are on those controls.

This seems to me to create an interesting opportunity for future audit and consulting work. We need to find ways to better analyze the entire enterprise, looking not only at the controls implemented, but the limits of those controls and how those limits might interact to create unexpected exposure/liability. When we do this, then we'll probably start to realize that controls like requiring "a bike helmet" are not really as useful as perhaps requiring a more significant bike helmet (like the one below - which provides far better protection for the head and face). This is only one small aspect of an overall program, but I believe it's one that's been overlooked. We need to get over being self-satisfied with what we've implemented and start taking a sober look at what we have yet to do.

3 Comments

Ouch. However a question. If bike helmets with more extensive protection of the ears and face were available, would you have chosen to wear one, or would you have said 'I won't ever need such extensive protection'?

And if some government regulation said you have to wear such a helmet, would you have loudly complained?

Such complaints can only be overcome by education in the real risks.

One of the biggest challenges for security professionals is to spend sufficient time and energy educating organizations about the real risks. Albeit such is made difficult as a result of the snake-oil salespeople who are simply interested in scare tactics designed to sell their products and/or services. Nevertheless it is a course of action that security professionals cannot shirk, otherwise the number of bad accidents will continue to grow at an alarming pace.

A fair and excellent question, Frank. I've always chosen to wear a helmet because I thought it made sense. However, only recently have I been thinking about whether the helmet I chose was worthwhile. Even now I'm grappling with whether or not I should buck the status quo and look into a more significant helmet. Clearly, minimal protection is en vogue and socially acceptable.

Now, would I have complained about being required to wear a helmet, or even a more significant helmet? I don't know that I would. I don't complain about wearing seatbelts, or driving cars with mandated safety features. I do, however, complain about "security" measures that don't make sense, like much of the TSA checkpoint insanity, or even Border Patrol checkpoints so far inside US borders (excluding airports) that are at best a gray area in the eyes of the law.

My points with this post were two-fold:
1) Beware the promises of vendors, and in so doing, be sure to analyze the limits in addition to the benefits.
2) As you note, we need to actively educate people using actual risk analysis, rather than hyperbole, FUD, and innuendo. We're already seeing an alarming increase in incidents, and yet vendors are merely using this to whip customers into a buying frenzy. We should be working to improve true awareness and understanding. In the end, maybe everybody should be wearing a helmet that protects the whole head, but we'll never be able to go there if people are just reacting emotionally.

Thanks for the great comment!

Perhaps, looking at your injuries now, I really believe that yes, there is no use of a bike helmet if it cannot protect the part for which it had been made. It's better to use a motorbike helmet while cycling; at least it will completely protect your head as well as your face.

About this Entry

This page contains a single entry by Ben Tomhave published on June 14, 2011 12:04 PM.
