Playing with toilet paper

 

Image from Pixabay

If you are eating right now and have a bit of a delicate soul, you better save this blog for after dinner. It has an, uh, sanitary approach. I try to keep it as neat as possible.

About five years ago, Dutch comedian Kasper van der Laan appeared on a couple of tv shows. He made an interesting suggestion there to save toilet paper. When you wipe your bottom, you continue until you see a clean piece of paper, that's how his argument begins. But, according to Van der Laan, then your buttocks were already clean. You could have stopped one wiping round earlier. The big question now is: do you dare to gamble on it? Like, “I think I’m done here,” in the comedian's words. Do you remember the sudden, unfounded fear that toilet paper would run out during the covid pandemic? Perhaps there were more people then who put Van der Laan's thought experiment into practice.

Using toilet paper is – if I'm being a bit broad – a kind of security measure. It protects you from skid marks, skin irritation and unpleasant odors. This immediately raises the question of how other animal species deal with this, especially with the second risk (the first does not apply and they will not have to deal with the third as much). But come on, let me not digress. What Van der Laan did here was a genuine risk analysis. And in view of the summer holidays, in which many people have to go to a camping toilet, whether pleasant or not, with a roll of toilet paper under their arm, and others will encounter hotel paper in various qualities, it is urgent to work this out in more detail.

The basic formula for risk analyses is: risk = likelihood × impact. In this toilet case we play with likelihood: if you keep going until you produce a clean piece of paper, the likelihood of skid marks is practically zero. If you put the idea described above into practice, the likelihood will always be greater than zero. But how much greater? That's difficult to determine, because you have to deal with another variable: the, er, output. If it were always of the same quality, you would know after a few swipes: after so many swipes it's done, so I can switch to that many swipes minus one. But we all know that our biological output can vary over time. For example, because of what you have eaten, because of a different climate or because you are ill or nervous. The chance of an incorrect assessment, and therefore also the chance that the risk will become reality, is variable.

Estimating the probability of an event which damages information security is in itself difficult. We usually do a qualitative risk analysis, which means we use terms such as low, medium and high. The counterpart is quantitative risk analysis, which involves calculating with numbers - for example with statistical data for the likelihood and with amounts for the damage. In all these analyses, the probability is not a fixed factor, nor is it in the sanitary example. However, most of the time we pretend that this is the case. And I don't think that should be a problem with quantitative analyses, because the necessary margin is already built into the terms used such as high and low.

However, if you are in a situation where the odds can go either way, you will have to assume worst case. This may mean that the measures you take to deal with the risk are 'too good' some of the time. After all, we do not strive for maximum, but for optimal security – not too little, but also not too much. If you are allowed to drive 30 km/h somewhere because of road works, that is fine, but if no one is working at that moment, that measure feels unnecessarily strict.

What to do? Do you tailor your measures to what the average is? Then you run the risk that the measures are too weak at times. How bad that is depends on the impact it may have. If the expected impact is acceptable, then you can do with a bit less. But if that temporary speed limit is not only there to protect road workers, but also because there is a large hole in the road, things are different.

In Japan they have toilets that make toilet paper redundant. You will be sprayed clean and blown dry from within the bowl. And sometimes you can even play a sound via the control panel to disguise certain typical bathroom sounds. They have taken all risks into account and implemented smart measures.

The Security (b)log will return after the summer holidays.

And in the big bad world...

• There is currently (Friday) a worldwide computer outage due to an incorrect update from a security company.
• there are also problems in the Microsoft cloud.
• it is a bad idea to connect a traffic light to the internet without security.
• The Trump shooter's phone was cracked within 40 minutes.
• we now know which phones Cellebrite can crack.
• the US Postal Service shared their customers' addresses with advertising and tech companies.
• the Dutch Data Protection Authority foresees a rat race around artificial intelligence. [DUTCH]
• a mistake of € 29,000 to your disadvantage will be corrected. [DUTCH]
• you also need to have your security in order if your name is Hackney (which, to Dutch people, sounds a bit like “don’t hack”).
• many Dutch government domains are still insufficiently secure. [DUTCH]