Is Not Crying at All Worse Than Crying Wolf?
Recently, many watched as Lahaina, on the island of Maui, the second largest island of Hawaii, was razed to the ground. The fire damage was extensive and many homes and cars were utterly destroyed. Connor O’Keeffe, in his article (https://mises.org/wire/thanks-government-mauis-lahaina-fire-became-deadly-conflagration), highlights the impact of human choices. As Australians, we are acutely aware of the impact of allowing the fuel load within a forest or bit of bush to grow. O’Keeffe calls out both the impact of a high fuel load and a lot of aging infrastructure (especially the electrical poles), and makes quite an alarming statement about the County officials: they failed to activate the emergency sirens.
As a result, this fire has become one of the deadliest fires, if not the deadliest, in the US in 100 years. In the aftermath, the issue of the 400 or so sirens not activating was called out, and a barrage of information was then provided by the County officials, including that the reason for not activating them was that they were afraid that people would go inland (“would have gone mauka”), assuming that residents would think there was a tsunami on its way. The Governor also made statements that they believed that “some” of the sirens were broken, which was later contradicted by the county (https://edition.cnn.com/2023/08/17/us/maui-sirens-silent-lahaina-what-we-know/index.html). Ultimately, both the State and the County were able to activate the emergency sirens, both failed to do so, and people died.
Interestingly, Maui County promotes the testing and reporting of errors for their “All-Hazard” siren system on their website (https://www.mauisirens.com/). This site clearly articulates the intended uses, including tsunamis, wildfires, terrorist threats…
In my career I have managed several projects to set up notification systems, including one similar to the Maui sirens. We considered the impact of a single-tone siren and built into the system the capability of injecting messages, either ad hoc or recorded. The client, who managed the whole island, did request a special tone or alert which would be indicative of “just run”. They wanted it to be enabled in the event of a fuel fire or in the event of an issue with a radioactive source (i.e. exposure or damage to containment). It was understood that these types of incidents would occur near or on the wharf, so being able to get all staff to just run away from the ships (that is, the most likely source of danger) was more important than in a normal sense, where an orderly evacuation is prioritised. This was both an interesting distinction and an important one when thinking about implementing a treatment in an emergency. The premise for design becomes “in the shortest amount of time, save the most amount of people from harm”. Therefore, shorter is better even though more people may be harmed. There will be a level of potential harm from people running away and not doing so in an “orderly” fashion (running, amongst other risk activities, is a known contributor to the injury count in an emergency https://business.leeds.ac.uk/research-cdr/dir-record/research-blog/1645/possible-solutions-preventing-dangerous-evacuation-behaviours-results-from-interviews-with-crowd-safety-experts). This is offset by the amount of harm generated by staying in the area and being exposed to the primary and secondary hazards. This is particularly important for particular types of hazards. For example, certain types of fuel fires burn without visible flames (i.e. jet and car racing fuels), and the same goes for radiation (i.e. it cannot be seen by the naked eye); therefore exposure is measured in time, and increased time creates increased risk and harm.
Any is better than nothing
There is quite a body of research on the reaction of people in an emergency. Notification at any level is useful, with success varying with how personal and how rich the communication method is (https://www.sciencedirect.com/science/article/pii/S092575352030518X). The researchers found that the response time reduced from approx. 27 min to act to 0.68 min for a recorded message. Giving those in danger a 25+ minute head start to get to a safe location is a significant advantage.
In ICT disasters and emergencies, which is the greater sin, to not raise the alarm or to raise it too often? Earlier this month, an IT Service provider was formally warned by the OAIC and was compelled to hand over its client list, after the OAIC “became aware” of the anomalous behaviour in not properly disclosing a data/information breach (https://www.itnews.com.au/news/australian-authorities-tire-of-excuses-delays-on-data-breach-disclosure-599896). When does the moral and ethical obligation to send up the warning and activate the digital sirens kick in? This service provider was handling patient data for a collection of health service providers. What happens if the data breach was suspected and not proven? How long is long enough to investigate, and how much harm, if any, is done by delaying the notification to the people whose personal information was stolen?
Each of these curly questions needs to be answered by every organisation.
My observation is that the companies who have invested in robust crisis/BCM have both weathered the public storm and minimised their costs (rectification, remediation, communication, and reassurance). BCM asks you to consider, practice, and strategise potential system weaknesses, potential mitigations, and potential communication templates, in the event that an unwanted breach or digital emergency occurs. As the adage states, “Prevention is always preferable over a cure.” Thus, sending up the signal as early as possible is preferred; however, it needs to allow people to understand the risk at hand and how this risk might affect them directly. Their response, based on their perception of the risk, will determine how they respond (sometimes effectively, sometimes not so).
You may only be buying time
Like a money safe, greater security does not buy impenetrability, rather it buys time (as MGM found out this month https://www.dailymail.co.uk/news/article-12505921/MGM-Resorts-Las-Vegas-cyber-attack.html), so spending on information technology protection makes you potentially just that little bit more difficult than your neighbour and hopefully the bad actors will move on to someone or some organisation which is easier to exploit.