January 27, 2010

Lockdown Drills: How to Make School Scarier But Not Safer


A friend recently drew my attention to this article (or lightly-edited press release) on lockdown drill legislation which appeared in Contingency Planning & Management. The State of New Jersey has passed legislation to require monthly lock-down drills for public and private schools in New Jersey. The state also requires schools to have two fire drills per month.

In a lockdown drill children and staff practice for the scenario of a gunman on the loose in the school. Children have to stay quiet and out of sight of windows and doors, while teachers lock doors and draw blinds.

Apart from scaring children (see this blog entry), it's difficult to see what the legislators of these monthly drills hope to achieve.

If you read this list of school-related attacks one thing should be evident: it's hard to find cases where a lockdown would have made any difference. In the worst cases the attacker enters a room full of the people he wishes to attack and opens fire. More frequently isolated victims known to the assailant are attacked. The idea that killer(s) will wander around the corridors looking for random victims after a convenient announcement has been made over the public address system is mainly a TV fiction.

Even if lockdowns were effective, there's a second problem here. Remember the saying, "familiarity breeds contempt". When I was at school, we used to have one fire drill a year. (It was a residential school, and the fire drill was always at night). It didn't take us long to (a) learn the procedure, and (b) start assuming that all fire alarms were fire drills. New students might hurry; experienced students took their time and made sure they had warm clothes.

That was with one fire drill each year.

If you had twice-monthly fire drills and monthly lockdown drills, would you take a fire alarm or a lockdown call very seriously? These aren't emergency responders trying to knock seconds off their reaction times. These are just children. A few seconds is unlikely to matter. Practice, yes. If the practice goes badly, repeat the practice until everybody gets things right. But twice a month? Correct me if I'm wrong, but I bet the New Jersey Senate doesn't practice fire drills twice a month. Maybe it doesn't make the news, but search for "New Jersey Senators Evacuated" and you will get zero hits.

And, of course, if killing random children is really a killer's aim, fire drills actually make things much more convenient. Large numbers of students evacuating to standard places outside a building are an easy target. Sadly it doesn't take a genius to figure this out. And the state of New Jersey gives potential killers two opportunities each month to observe an evacuation and plan accordingly.

School shootings are tragedies, but if we think that monthly lockdown drills will do anything to eliminate this risk we are fooling ourselves.


[If anybody has any evidence that school lockdowns are effective, please comment. I've found a few stories of lockdowns being used to keep students out of the way while premises are searched for intruders, but nothing suggesting they have ever saved lives.]

January 13, 2010

RiskIT: A Useless Risk Framework due to Copyright Restrictions?

ISACA.org have recently published a Risk Framework which they claim is designed to fill the gap between generic risk frameworks and detailed ones.

I wish I knew what was in it.

But if I did know, I wouldn't be able to tell you or make use of the information.

That's what the isaca.org copyright policy states.

Specifically, the second paragraph starts with the words:

"The Material that you are downloading may only be used for personal, informational, non-commercial purposes."

What use an IT risk framework is supposed to have when it cannot be used for commercial purposes, I do not know. (Perhaps I could use it to manage my kid's Wii.)

Anyway, if you are willing to agree not to use this framework in your organization, ISACA.org have kindly made it available for the cost of your email address and contact information here.

Just don't tell me what is in it. I might use that information for corporate, commercial purposes. I wouldn't want you to break their copyright policy.




And don't get this confused with all the other RiskIT out there:
These RiskIT don't require you to agree to a ludicrous copyright policy before you can see them.

January 1, 2010

A Better Way of Explaining Risk

I recently came across the book Know Your Chances: Understanding Health Care Statistics. If you want to see through the misleading medical statistics provided by drug companies and featured in news reports, then this is the book for you. The authors have an excellent way of presenting risk which makes it easy to understand what effects (good or bad) any drug or treatment has. The point is to put every risk in perspective, along with related risks. For example, there is no point in knowing that a drug will decrease your risk of stroke by 50%. What you need first is a table:

The table shows the risk of death from various causes for a group of 1,000 50-year-old women. The numbers in the table are the expected number of deaths from a particular cause. If an entry contains "-", then fewer than 1 person in a group of 1,000 can be expected to die from that cause.

I like this table for a number of reasons:
  • It uses whole numbers, not probabilities. It's easier to relate to 4 women in 1,000 than to a probability of 1/250 or 0.0004.
  • It shows a selection of risks, so it's easy to place an individual risk (such as AIDS or breast cancer) in perspective and prioritize it.
  • It shows all causes. A new drug which reduces the risk of death from (say) stroke by 50% may sound significant, but this needs to be compared with the overall risk of death. Your chances of death as a 50-year-old woman are now 36.5 in 1,000, not 37 in 1,000. If the side-effects of the preventative drug are bad, this may not be a sensible choice given your chances of dying due to other causes.
  • It shows the risk for a group of comparable people (50-year-old women). A table for the entire population, or for all women, is not going to be as helpful as a more specific table. This is especially true of health statistics, where probabilities vary with age and gender.

Our field of business risk management is not so very different from that of health. We can identify a number of risks our business faces. We have treatments which may possibly reduce some of those risks. Those treatments typically have side-effects (cost and inconvenience) which may cause us to hesitate before implementing them.

A table showing business risks, set out like the table above, is a good way to explain risks and to start determining what actions to take. Our figures may be approximate and lack the rigor of the Cochrane Collaboration meta-analyses of medical trials, but such a table still makes it far easier to understand what a risk means in practice.
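As an added illustration (not from the book or the original post), the Python sketch below builds such a table for business risks and puts one control in context against the all-causes figure. The risk names, the probabilities and the peer group of 1,000 comparable firms are constructed for the example.

```python
# Added example. All figures are constructed, not real incident statistics.
# Annual probability that a firm in a comparable peer group (same sector,
# similar size) suffers a serious loss from each cause.
RISKS = {
    "Ransomware outage": 0.012,
    "Insider fraud": 0.004,
    "Lost laptop with customer data": 0.001,
    "Data-centre fire": 0.0004,
}
ALL_CAUSES = 0.037  # any serious loss, including causes not listed above


def per_group(probability, group=1000):
    """Expected number of affected firms in a group of `group` firms."""
    return round(probability * group, 2)


def cell(count):
    """Table entry: '-' when fewer than 1 firm in the group is expected."""
    return "-" if count < 1 else f"{count:g}"


def risk_table(risks, all_causes, group=1000):
    """Rows of (cause, entry), ending with the all-causes row for context."""
    rows = [(name, cell(per_group(p, group))) for name, p in risks.items()]
    rows.append(("All causes", cell(per_group(all_causes, group))))
    return rows


def with_control(risks, all_causes, cause, relative_reduction, group=1000):
    """All-cause count per group before and after a control cuts one cause."""
    avoided = risks[cause] * relative_reduction
    return per_group(all_causes, group), per_group(all_causes - avoided, group)


if __name__ == "__main__":
    for name, entry in risk_table(RISKS, ALL_CAUSES):
        print(f"{name:<32}{entry:>5}")
    before, after = with_control(
        RISKS, ALL_CAUSES, "Lost laptop with customer data", 0.5)
    print(f"Control halving laptop losses: {before:g} -> {after:g} per 1,000")
```

A control advertised as a "50% reduction" moves the all-causes figure only from 37 to 36.5 firms per 1,000, which is the comparison to weigh against its cost and inconvenience.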

When you see risk figures presented out of context you should be suspicious. Will the elimination or reduction of a risk make any practical difference? Should we be concerned about Risk X or Risk Y? Unless we are given the context, we just can't say.

We should therefore always try to present our risk figures in their context. We should follow the excellent example above given by Woloshin, Schwartz and Welch, and not copy the more dubious practices of the pharmaceutical marketeers.