Category Archives: Risk Assumptions

Remembering the Tragedy of 9/11

Posted on by 0 Comments

Today is the 10th Anniversary of 9/11.  Like most other Americans, like the Kennedy assassination so many years ago, the memories are indelibly burned into my soul.

On September 11, I was flying to a conference in Chicago, so I got up at 5 am to catch the 7:45 plane from BWI to Pittsburgh.  I was on the next plane to Chicago and it boarded at 9:35 and pushed out onto the runway.  I was waiting for it to take off when my cell phone rang and it was my son, Michael, who said, “They flew a plane into the Twins Towers in NYC”.   As a security professional, I knew what that meant.

After a confusing 15 minutes, the plane went back to the gate, and they told us the flight would be delayed for 6 hours, but as we walked off the plane, the man next to me got a call on his cell and said, “They hit the Pentagon”.

There was a hotel at the Pittsburgh Airport so I immediately ran over there and checked in because I knew there would be no planes leaving today, I noticed the huge crowd at the bar, watching the TV.   My brother worked in NYC, my sons and friends were in DC, so the phone lines weren’t working, but I signed on to AOL and was able to connect with them to say I was all right.  

They evacuated the airport, but I was up in my mini command center by then.  I must have gotten 400 emails that day and I was watching the coverage on TV and crying, and then I heard about United Flight 93.

It took me about 2 days to get home.  A friend DROVE from the conference in Chicago to Pittsburgh and picked me up at midnight on 9/11.  We drove together through the Appalachian mountains to her home south of Philadelphia.  She had small children and wanted to get home fast.

We arrived at about 9 am on 9/12, after driving all night.  I slept for 4 hours on her son’s bed, and then her husband took me to the Amtrak station at Wilmington and I took the train back to BWI. It felt like I was moving through a bad dream.

Next, I tried to get my car, which was in the parking structure by the terminal, but it was blocked and they said I wouldn’t be able to get my cars for several more days, so I took a cab back home.

I remember driving up my street and seeing the American flags on houses, and I remember thinking about why I didn’t know all these neighbors and how I would change that in the future.  I remember how blue the sky was, not a cloud, not a plane.  It was surrealistically quiet.

I know several people who were killed in the Pentagon, and many in NYC who were dramatically affected, including the children in the NY suburbs who got called out of class one by one, to hear that their father, or mother was gone.

My theory is that people who lived on the west coast didn’t feel the impact quite as much as we did – who had been to the Pentagon every week, and been in the Twin Towers.

A friend of mine in San Diego who was proud of not having a TV, and who got up early that morning to order a sheet set on QVC.  She was in the middle of her order when the operator started crying and could not continue – she kept telling Kathy, “please turn on the TV and call back tomorrow”.

Just for me, I think I am permanently damaged by what happened on 9/11, and I think the whole country shares a continuing sorrow and grief from this event. 

We won’t let it happen again.

Risk Assessment: How about Giving Guns Back to Former Mental Patients

Posted on by 0 Comments

A recent New York Times article explained that a provision tucked in a bill to make it harder for people diagnosed with mental illness to possess firearms, actually restores the rights of mental health patients to get their firearms back. The legislation was passed after the massacre at Virginia Tech in 2007.

One of the main elements of risk assessment is a quantitative (meaning = real numbers) on what has happened in the past. Looking at 2 or 3 years of incident reports, for example, show how many times there has been an incident involving gun violence in a particular neighborhood, city or organization.

Another element is the history of a particular individual to see whether individuals with a diagnosed history of mental illness are MORE OR LESS likely to trigger (forgive the pun) – a violent incident.

If we run that scenario, we will find that individuals who previously had a violent incident with a firearm are MORE LIKELY than the standard population to have another incident.
And that especially holds true if other threat indicators are present, for example:

Termination from a Job
Romantic Difficulties
Foreclosure
Difficult Economy

There is a ‘risk multiplier’ effect that takes place that makes the risk higher. By combining different sets of threat categories with areas of weakness, we are create general predictions on the likelihood of repeated violent incidents.

Do the math – it doesn’t make sense for people with a history of mental illness to
get their guns back!

Lessons I Learned from little Caylee Anthony

Posted on by 0 Comments

Caylee Anthony and Lessons Learned

Everyone who has watched this case found it compelling and fascinating – like watching a cobra ready to strike.

This case caught my attention right in the beginning, and what a great job #Nancy Grace and HLN did in keeping the pressure on, assisting with the search in the beginning, and actually finding photos, etc.

My daughter-in-law wasn’t pregnant when this trial started, but now she and my son have 18-month old twins, and we are all watching this trial together.    I started out disliking the Anthony parents, but now that I’ve seen Cindy and George break down on the stand and now that I understand the critical role of grandparents, I have sympathy for them.

Here’s what my lessons learned include:

1.  If you are a grandparent and thinking something is wrong – don’t wait.  Who 
     cares if your child thinks you’re nuts, you are an advocate for a child too young to
     protect themselves.   Grandparents can save the lives of their grandchildren when
     young parents are overwhelmed.

2.  Lock up the swimming pool.   Whether it’s an in ground or above-ground pool – it’s
     too dangerous for children who can’t swim.  Take extraordinary steps to keep that pool
     out of reach of any children.

3.  Don’t tolerate lying from your children when they are young.  This must be a
     lesson that is taught when children are young.  Lying is not right, and not acceptable. 
     When you in your twenties, or even in high school, it’s too late.  This tragedy was
     compounded by the constant lies of Casey Anthony.

4.  Love and enjoy your children every day because life is uncertain and you may
     never get another chance to say how much you love them, and how much they add
     to your life!

Unsnarling political differences based on Type preferences

Posted on by 0 Comments

A key component of decision making is laying out all the options to make an informed decision.

Watching the angst of the political parties trying to solve the debt problem shows that they are both charging around saying their favorite rallying cries, which does not promote dialogue, but just inflames the other party.

Think of these two parties, Dems and Repubs, as made up of two TYPES of individuals.  The MBTI (Myers Briggs Type Indicator) personality test is made up of 16 distinct types of people and you can summarize and put them into two main groups – the Traditionalists and the Innovators.

See if this sounds familiar – Traditionalists like for things to stay the same, they always support the status quo.  They dislike change for change’s sake, so they don’t want to raise taxes.  They like to keep a strong sense of order so they
are often military, law enforcement, corporate titans, etc.  They are often presidents of associations and organizations and they are great at keeping things running efficiently.

Innovators want to explore and try new things – in life AND in politics. They want to get out of Afghanistan and put in a new tax structure, and reinvent old institutions, instead of cherishing them, as the Traditionals do.

Both these groups have great contributions that they make to society – Traditionals keep things organized and running and Innovators find new, better ways of doing things.

Innovators are always searching for the next new thing so it’s so coincidence that
California has more than it’s statistical share of Innovators – they keep kept going west, and kept looking until stopped by the Pacific ocean.

Type preferences are set before you are 5 years old and indicate preferences for your entire life.  I am already seeing types emerge from watching toddlers under the age of 2.

When you understand the values of the other party, according to type preferences, you can have a more civil dialogue because you can now understand where the other side is coming from, so to speak. 

You can find out which type you are,  or just find out more about the MBTI at www.myersbriggs.org.

Using Risk Assessments as a Business Process

Posted on by 0 Comments

Risk assessments are increasing in utility and popularity – being used for everything from compliance to safety assessments, and used by financial institutions, healthcare organizations, manufacturers, government of the world and think tanks. 

Many regulators require formal risk assessments on everything from gauging political risk in an unstable country, to protecting consumer financial information, to assessing workplace violence potential.  

Here’s a definition of a risk assessment:   A process to determine what controls are necessary to protect sensitive or critical assets both adequately and cost-effectively. Cost effectiveness and Return On Investment (ROI) are required elements of a risk assessment.  

A risk assessment is not a democratic process where the most popular answer wins.  It is not consensus driven.  Instead, it is a business process that manages a security function.   Security is very process centered.  Because security often consists of many different elements which are critically important, such as managing network access,   it makes sense to manage it as a process.

According to the statistics, risk assessments are way up in popularity in 2011.  Maybe
it’s economics – maybe it’s result of the previous economic downturn, but the requirements for risk assessments have never been broader, and there have never been more of them than there are now.  Here’s a partial list:  

The Joint Commission
HIPAA, HITECH, NIST 800-66
FFIEC, BSA-AML,
ISO 27001 and 27000 series; NIST 800-53
Red Flags Identity Theft
NCUA Part 748
FEMA 426, FEMA 428

The exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.   Using an online compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager/analyst and distributes it throughout the organization where it belongs.

Obviously people are a critical component of information security.  In a risk assessment, people are also important to include because they are able to report what’s going on in their workplace every day.  How can one analyst know enough to do the entire risk assessment by themselves?  They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center.   And the inclusion of a variety of individuals adds weight and power to the risk assessment.

The true value of the risk assessment is in the cost benefit analysis, which details what controls need to be implemented, how much they cost and how much they would protect the organization by either prevent threats from occurring or by mitigating the impact of the incident if it occurs. 

While the analysts may be accountable for the reporting or analysis of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board of Directors.  In fact, in the FFIEC IT (Federal Financial Institutions Examination Council Information Technology ) Handbook, they spell out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

I recommend getting management to sign off on the basic assumptions,  in writing,  in the course of completing the risk assessment – and of course, on the final reports. Areas where senior management can review and approve include: 

  • Calculation of asset values, including the value of the organization in total
  • The potential costs of implementing different controls, singly or in combination.
  • Validating which controls are currently in place and how well they are working.
  • The conclusions from the draft report, and the final report.

The analyst is just the messenger, doing the work of assembling the risk elements and calculating their potential results.  But senior management makes the final decisions on each element.   There’s nothing like a signature on a piece of paper to foster a climate of accountability. 

Risk Assessments have the potential to save corporations and governments millions of dollars by making decision-making based on real analytics, instead of just guesses – plus they are an essential element of compliance.  These are good reasons to evaluate whether it’s time for you to do a Risk Assessment!

Not with a Bang…. The Japanese Nuclear Disaster

Posted on by 0 Comments

Too late to run a formal risk assessment on the dismal situation at the Japanese nuclear plants.  Obviously, the switch has been turned to ‘survival mode’.  But risk decisions are still being made, individually and collectively.

The bravery of the nuclear plant workers who stayed to continue at their posts and try to avert a full catastrophe reflects 50 individual risk decisions  by people risking their own lives for the elusive greater good. 

One of the U.S. TV morning shows talked about the risk calculation being made about whether to continue to build nuclear plants when “stuff happens”, as this double play of earthquake-tsunami proves.  

The assets which are generated by nuclear energy are large amounts of relatively ‘clean’ energy.  The risks have been underwritten by governments which support the growth of these plants by sharing the risk with the electric companies to encourage them to build. 

The threats to these plants have been addressed dozens of times and right at the top of the list are both international and domestic terrorists; followed by natural disasters, including earthquakes, tsunamis (we added tsunamis into our threat matrix in 2002),  tornados and hurricanes; followed by sabotage by insiders who work in the plants themselves. 

Personnel working in these plants are heavily investigated and also undergo continuing scrutiny of their lifestyles, checking accounts, etc., because of the sensitivity of the work they do.    US National Public Radio (NPR) reported yesterday that U.S. nuke plants have a failure rate of 40% on security inspections – and that’s when they get TWO WEEKS ADVANCE NOTICE of the inspections.  What if they got no notice?  What kind of results would we see?

One of the major risk correlations in formal risk assessment is the Threat-Asset ratio, which means, for example,  don’t build a nuclear plant on an earthquake fault line.  If the threat is too high, it increases the probability that the asset (the plant) will be compromised and could experience a loss, based on a threat occurring.

The standard list of controls are also analyzed and these can range from specific security controls to having multiple backup power sources (that DO NOT DEPEND on electricity).    Obviously, when this control was no longer viable due to the natural disasters, that’s when things started to go rapidly downhill.

Without electricity to keep the cooling activities running, you have to start to look at the possible losses that could result from the event.   The nuclear power equation is especially worrisome because radioactivity is not only instantly fatal, but it can be blown around, and it is FOREVER.  It doesn’t burn itself out in a few days like a fire, or dry up like a flood when the sun comes out.

The risks/potential losses can include:

Loss of life of plant employees
Loss of life of the surrounding population – to 5 miles, 50 miles, 100 miles, farther?
Loss of the electricity that cannot be generated and what that means to a country.
Loss of the plant itself – as a replacement cost of billions of dollars.

The problem with the nuclear power risk equation is that the biggest potential loss is the contamination of one, two or multiple countries, possible permanent radioactive contamination of the ocean, or, in a very worst case, loss of the planet.

As this latest disaster proves, the potential loss is so high, that even twenty years of extra electricity don’t seem worth the risk, especially if the calculation includes plants built-in areas susceptible to the list of potential threats exactly like earthquakes.

We’re running a set of scenarios that will continue to evolve as the situation stabilizes or possibly gets even worse. It seems that Mother Nature is controlling events now.

After Arizona, Does Congress Need Gun Legislation, or Just More Effective Security Risk Assessments?

Posted on by 0 Comments

The terrible shooting in Tucson this week was widely seen as a wake-up call for members of Congress who probably spent at least part of the weekend wondering if their security was enough.

 I can answer their question – it is probably NOT enough.  The morphing of politicians into celebrities (call them Pol-ebrities??) is great as long as you get lots of TV time and the cameras are flashing and the contributions are rolling in.   The downside is the same one that led to John Lennon’s death – Celebrities draw the crazies.  Now that elected officials are becoming Pol-ebrities – they are becoming targets.

With proposals rolling in from all quarters, including putting a giant Plexiglas shield around the House floor, limiting the distance a constituent can stand in relation to a congressperson or senator, and many other ideas, it is clear me that what is missing is the use of standardized Threat/Risk Assessments.

 Security is always a trade-off.  How much money to spend to protect a public servant and legislator?  Is it worth an extra $25,000 per year per person, or should it be $100,000 per person per year – or should it be a million dollars?

Ask the potential target and I guarantee they are voting for the $100,000 solution.  Ask a beleagured taxpayer and they would think maybe $5000.00.  The problem is that it is impossible for an individual to do a true cost benefit analysis and decide how much money is enough?

Enough to provide ‘adequate” and ‘reasonable’ protection. 

Enough for a ‘normal event’?  What about a high-profile event?

Can you analyze it based on the numbers of people who attend a certain event?

All these questions are about 1/15th of a security risk assessment. 

Like the Department of Homeland Security – the executive protection should move to a more quantitative, risk-based model.  Traditional executive protection checklists are no longer enough.

There are so many elements that go into a threat risk assessment of an public, or private event.  We can look at the Tucson shooting and see that if the usual checklists were used, someone might have:

Checked the crime rate around the location (which turned out not to be at all relevant.)

Checked to see if any other congressperson had ever been attacked
at a town hall meeting in the last twelve months (perhaps more relevant).

These are just a few of the many checks that would have been performed prior to the event, but whether these were done partially, completely, or not at all, they are not risk-based, instead, the classic protection model is more threat-based than risk-based, when what you need is a combination of the two.

If we can create a standardized risk-based scenario for protection of these high profile Pol-ebrities, it would include all the basic information, plus data on the number of phone threats received by that individual legislator; and also, an aggregate of threats received by all legislators.  It would include blog and web searches to see how many times a particular name was mentioned or cited in a negative way.  (And yes, finding a web site that includes a rifle target signal over your district counts).

In addition, it’s interesting to get a historical perspective to see how many government representatives have been threatened, shot, stabbed or murdered in the last five years, and to see whether that trend is increasing or decreasing.

The shooting in Tucson was a workplace violence incident by a totally deranged person who had total access to his victims.   There was no advance screening, no physical barriers, no bodyguards waiting in the wings in case something went wrong.

Many of these missing elements, along with others, can be used to create useful threat risk assessments that can be standardized,   and automatically generated for all our high profile public servants to provide much more effective security for the people who need it most.  

Instead of treating each of these violent incidents as a completely isolated event, society needs to recognize these patterns that are emerging as legislators become celebrities, and that there is an increasing acceptance of violent solutions to individual problems.  These patterns need to be watched, tracked, and applied to each individual’s protection profile to improve personal security and prevent future violent attacks.

TSA – Why pat-downs are ridiculous and after 9 years – they still can’t spell R*I*S*K management. Follow the money.

Posted on by 0 Comments

Every fifteen minutes, the media is full of images of children being patted down at the airports. The media is stirring up the porridge on this story.  But think for a moment – TSA is spending 90% of it’s budget, resources and energy on passengers who are not and will never be a threat.  And that leaves only 10% to spend on legitimate and potentially dangerous travelers.  This raises several questions.

First – why?  When the DHS espouses it’s emphasis on RISK MANAGEMENT – it’s clear that they don’t follow it.  The private company that runs the screening programs makes substantially more money by screening everyone, if they only had to screen real suspects – their income (which is over $8 Billion per year) could be cut in half!

By applying the risk management principles that are in their charter – they would be able to spare the poor traveling public and spend more time and more resources on checking and double-checking the potential terrorists. 

Most rational people can watch an airport scanner line for two hours and realize it is an enormous waste of resources for very little results and testers can routinely smuggle in knives, lighters and whatever else they want.

The inability of TSA to adopt a rational approach to airport screening – and remember – they still don’t’ screen the cargo riding on the same plane – is just lining pockets including the lobbyists who have been pushing the extra-expensive full body scanners.

The justification for this big expenditure is that is avoids the dreaded “profiling”.  We should be profiling – we should be checking people who like to visit Yemen for Easter.  We should be doing intense screening of young men between the ages of 18 and 30 who have recently traveled in or out of Pakistan.

 Here’s a partial list of who we shouldn’t waste time and resources screening:

 Children under 10
Active and Retired Military
Civilian Federal Employees
Civilian Federal Partners
Members of a ‘Preferred Traveler Program’
Individuals who opt for an intensive background check
Senior Citizens over 70

But you know what they say – Money Talks… and it’s talking to me this Thanksgiving week.

The Oil Rig Disaster and Risk Assessment — And Accountability Issues with Politicians

Posted on by 0 Comments

“Drill, baby, drill.”   We have heard that before – being from California and being a tree-hugger, I didn’t think that was a great idea, especially since I know our oceans are already struggling, but I did not expect something this bad to happen.

The politicians who were so busy expanding oil leases and the profit-rich oil companies who are raking in billions,  don’t spend much time on assessing the potential risks AND the potential losses for a catastrophic oil spill.

Maybe we should require them to do REAL risk assessments on the total possible impact of an oil disaster.    It would not be an environmental impact statement, which downplays the risk by putting in lots of scientific jargon and ASSUMES that proper safety controls and contingency plans are in place.  But obviously that either was not done;  or it was not accurate, or it was done and burned so no newsperson would ever see the smoking document (or should I say, the oily document).

If we go back to the classic risk model – we are by listing the assets at risk:

  1. The Cost of the Original Rig and Drill Equipment – $500,000,000
  2. The Value of the Lives of the 11 workers who died –    25,000,000
  3. The Value of the Oil itself, with replacement value
    (5 million gallons at  $2.00 per gallon = $10 million dollars)
  4. BP’s Reputation as a good company – $2 million
  5. Gulf Fishing and Shrimp Industries Value – $2.5 billion dollars for

Just Louisiana – add in Alabama, Mississippi and Florida and quickly     the bill runs up to $10 billion dollars.

  1. Value of Summer Beach Tourist Business in the Gulf – $20 billion
  2. Value of lives of 20,000 – 50,000 shorebirds; 10,000 turtles; 0ther assorted marine mammals, birds, and fish   – $25 million.

So we have a resource worth about $33.5 billion dollars – that is potential loss estimate.

What we will lose if a threat materializes?    Keep in mind, for comparison purposes, that BP had recently doubled it’s profits from $3 billion to $6 Billion a quarter,  which calculated out to about  $24  Billion Dollars a Year.

Next we factor in the likelihood of a threat occurring.  Reviewing the frequencies of and problems problems with oil rigs, and oil spills, we find:

There are an average of about 2000 oil spills a year of various degrees.

There are an average of 1 million gallons spilled each year (going back 7 years).

(Already you can start to get a idea of how terrible this spill is.)

Next we list all the problems (vulnerabilities) that could or would have made it more likely to have a disaster occur,  you will recognize many of these from the latest news conference

  1. New,  untried technology
  2. No recovery plan if secondary shut offs fail
  3. Difficulty of working on deep ocean
  4. No reliable oil containment systems have ever been developed

SO – if British Petroleum is making $24 BILLION A YEAR and because of this spill, BP loses about $1 billion dollars. That’s not a bad Return.

The problem comes in with the $30 Billion dollars that is borne and felt, not by BP, who goes on to drill somewhere else, but by the citizens of the affected states and the whole United States due to the incalculable environmental damage.

The last thing we look at in a risk assessment model is the potential controls that could have been put in place to reduce the likelihood of the threat materializing, and the cost of those controls that could either reduce the threat, or, and even more important in this case, minimize the damage if the threat occurs anyway.

What controls could have been improved in this model?

Development of effective oil capping techniques BEFORE a disaster

Better training of oil rig workers

Better fire controls which might have saved the rig from sinking.

Accountability Increased for the Materials Management Service (MMS)

Tougher Regulations for Oil Companies

Better oil containment tools

Better oil absorption tools

Regular drills so that workers are better prepared in an emergency like this.

I’m still here watching the news coverage but I have learned why this happened – because BP was making so much money, it just didn’t have that much to lose from a disaster.  So it avoided improving its technology and spending money on controls that might have helped.

And the former and current U.S. administrations are to blame for not requiring accountability from the MMS.  And the rest of us, including the bluefin tuna, the birds, the jellyfish, the crabs, the shrimp, bottlenose dolphin, sperm whale, dozens of varieties of sharks, manatees, oysters, warblers, terns, swallows, egrets, plovers, sandpipers, pelicans,  loggerhead turtles, Ridley’s turtle, diamondback terrapins, and alligators.

According to the Louisiana Department of Wildlife and Fisheries,   here are the numbers of species that will be affected:

445 species of fish,

45 species of mammals

32 species of amphibians and reptiles

134 species of birds,
and the ocean itself, and all of us.

BLUES ON THE BORDER – WILL SECURITY FINALLY GET A BREAK?

Posted on by 0 Comments

Arizona finally did it.  They called DHS’s bluff, and actually DID SOMETHING about the US-Mexican border.  it has nothing to do with racial profiling and nothing to do with discrimination — it has everything to do with America’s security against terrorism.

Everyone who is so shocked, appalled and worried – shouldn’t be.   Everyone wants to prevent the next 911, they want to keep out drug traffickers….. and you cannot get that done with an open border to our south. 

I say it over and over – PLEASE QUOTE ME – you can’t have homeland security with an open border!  You can NEVER have homeland security unless you have security at the border first. This is a key risk assessment vulnerability that anyone doing a formal assessment would spot immediately. 

What good is having a checkpoint on the I-5 interstate in San Ysidro if illegals can avoid the border crossings and run right into the U.S.? 

Look at strictly as a cost issue – looking at the real numbers helps… 

  • Cost of maintaining our phony border controls   $100 Million Dollars for 2010

(from the total ICE (U.S. Immigration & Customs Enforcement) budget of  $5.7 Billion Dollars). 

  • The Drug Enforcement Agency (DEA) says that since 2005, 15% of domestic arrests are arrest of illegal aliens!
     
  • Budget for DEA to combat Drug Traffic from Mexico   – over $25 Million Dollars (just to add an additional 128 agents along the southwest border). 
     
  • The Southwest Border Initiative Virtual Fence Project – $800 Million dollars
  •  The Secure Fence Act – over $7 Billion dollars 

AND OUR BORDER is still wide open.    Federal agents trying to police the border do not have the proper support and are discouraging from killing murderous drug dealers and human trafficking mules.   

If you look even farther – take the entire budget of the Department of Homeland Security, which is  $55 Billion dollars.   This money can largely be considered as wasted, if there is no control over our border with Mexico.  

You see it all the time at companies out in rural areas – they have a chain link fence around the back of the property, but the fence has a 14 foot gap in it, and all it does is concentrate the intrusions right through the gap in the fence.  It does not deter crime, it cannot prevent theft – because the fence is not secure, there is an open gap.  

That analogy works with our borders, too.  If you wanted to get into the U.S. illegally, would you choose to drive thru the checkpoint at El Paso?  Through San Ysidro?  Fly in from Mexico City and have to show a passport?   NO – you would breach the border and just walk across someone along the thousands of miles of unsecured border. It is a no-brainer, even for a terrorist.

As a risk assessment expert, I am personally thrilled that Arizona has pushed the envelope and passed a bill that at least attempts to find a solution to our horribly expensive and totally ineffective southwest border controls.  It might galvanize enough people to actually get something done about this open border policy. 

Remember, you cannot have a secure country without securing the borders.