Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Weekend Edition Saturday is a two-hour news show from National Public Radio that covers a wide range of topics with intelligence and flair. On June 21, host Scott Simon reported on the Mississippi River flooding of recent weeks. I was particularly interested in his interview of Timothy Kusky, director of the Center for Environmental Sciences at St. Louis University, who explained that the improvements to levees all along the river have resulted in an inevitable rise in the flood crests all along the great river. In earlier times, upstream flood waters would be dispersed into flood plains, protecting downstream locations from some of the rising water; with tighter control over the flooding, that water now reaches downstream in much higher volumes and flood levels.
The story got me thinking about an issue that should concern organizations which have fallen behind industry standards of improved security in recent times.
Readers may have heard the old story about the hikers walking in the back country of British Columbia who round a corner and suddenly confront a 1,000-pound grizzly bear standing 8 feet tall in front of them. The hikers drop their packs and take off back down the trail running for their lives. One of the hikers says, “[pant, pant] This is crazy! [pant, pant] We can’t outrun a grizzly bear! [pant, pant] They can run 25 miles per hour and they can climb trees!” The other hiker responds, “[pant, pant] I don’t have to outrun the grizzly bear. [pant, pant] I just have to outrun [pant, pant] YOU.”
Security instructors have been using the story for years to emphasize that part of the task of securing systems is making the protected system a less appealing target for the opportunistic attacker than a less-secured system. The same principle applies to, say, steering-wheel locking bars. A determined car thief can easily disable such a device in less than a minute, but if there are many more equally valuable cars on the street that don’t have the locking bar, why bother? It’s less risky and less trouble just to steal some other car with lower security.
So what happens when almost all the cars have steering-wheel locking bars? The risk for unprotected cars rises.
Even the federal government’s information-security management has improved: a report issued in May 2008 by the House Oversight and Government Reform Committee comparing 2007 results to 2006 evaluations raised the overall grade from C- to C. When counseling students in similar situations, I always smile, adopt an encouraging tone and say things like, “This is a good beginning! Now let’s look at where you can make some more gains. First, let’s consider your study habits, and then we can look at this procrastination problem we’ve been struggling with….”
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
Comments (2)
It's all about the cost
By Mike.D on June 26, 2008, 8:42 pm
Interesting analogy, heard it many times before, lots of truth in the words. But in business, it really comes down to cost: "How much will it cost me to be secure? It...
The real answer to the hiker story
By John Galt on June 26, 2008, 3:13 pm
A gun. Now the Infosec analogy to that, where the vast majority of people aren't willing, able, or equipped for real self defense, would be very interesting.