Learning About Measurement From Airplanes

I recently came across an article on Digg titled “This Insane Image Shows How Many Planes Are In the Air Right Now For Thanksgiving” in which the author states that a ‘helluva’ lot of people are in planes the day before Thanksgiving. Normally I would look at that picture and go “wow”, but two things gave me pause. First, I wondered what that picture looked like on a normal day. Second, I know a pilot really well and he had recently told me that he wasn’t flying because “the flight schedule is severely reduced over the holiday”.

Over the next few days I went to FlightRadar24.com and took screenshots of the air traffic, and realized that my nerdy obsession actually led to two important rules for interpreting user behavior in the security industry.

Measure Behavior….Repeatedly

At first look, the picture provided by Casey Chan does make it look like tons of people are in the air, but what does it look like when you measure that behavior repeatedly?

The above picture was taken November 23, 2012 at 8 am.
The above picture was taken November 25 at 8 am.

While both look busy, there are significantly more planes in the air on a ‘normal’ travel day (25th) than the morning after Thanksgiving (23rd). This is important because it tells us that even though there were a lot of planes in the air on Thanksgiving, that is nothing compared to a normal day. The only way for us to know that, and to get a more accurate picture of overall flying activity, is to measure behavior repeatedly.

This is especially true for understanding user behavior. Unless secure user behavior is measured at least twice, you only have a snapshot of what is going on. If you measure behavior one day and find that no one fell for the phishing email you sent out, does that tell you that everyone is sufficiently aware of phishing attacks? No! What if everyone is on a company retreat? Similarly, if a new training method is implemented but user behavior was never measured beforehand, how do you know if it’s more effective than the previous -possibly less expensive- method? You don’t.

In order to really understand user behavior, measurement needs to happen….repeatedly.


Stand Back Far Enough and Everything Is A Cluster

Even though you can deduce from the above pictures that more planes were flying on the 25th than on the 23rd, it still looks nuts. Is there more or less flying in West Virginia? What about in the south? Utah? Colorado? When the map is zoomed out this far there is no way to know the specifics of what is going on.

(Above taken November 23 8 am)

(Above taken November 25 8 am)

When zoomed in a little several more things can be deduced. First, our previous observation that more planes fly on a normal travel day is upheld. Also there are three obvious areas of activity (Denver, Salt Lake City and Las Vegas). With a little research you can find out that these three locations are hubs and therefore more planes fly in and out. I’m sure a seasoned ATC professional could deduce more but you get my point.

Again, this same concept applies to measuring user behavior. Even if you measure over and over, it will be hard to identify patterns in behavior -and correctly identify specific problem areas- if you are standing too far back in perspective (e.g., measuring the company as a whole). Once you ‘zoom in’ to the appropriate view of the data you may see that certain departments need more training than others, or that anyone trained under the new system is less susceptible to phishing emails than those trained under the old system. The list could go on and on.
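Both rules applied to phishing-simulation results, as an added example that is not part of the original post. The campaign dates, departments, cohorts and counts are constructed, and the significance test on old versus new training goes one step beyond what the post describes.

```python
from collections import defaultdict
from math import erfc, sqrt

DATE, DEPT, TRAINING, SENT, CLICKED = range(5)

# Constructed sample data (not real results): one row per campaign,
# department and training cohort, with emails sent and links clicked.
RESULTS = [
    ("2012-10-01", "finance", "old", 40, 12),
    ("2012-10-01", "finance", "new", 40, 4),
    ("2012-10-01", "engineering", "old", 60, 5),
    ("2012-10-01", "engineering", "new", 60, 3),
    # Company retreat: nobody read mail, so nobody clicked.
    ("2012-11-23", "finance", "old", 40, 0),
    ("2012-11-23", "finance", "new", 40, 0),
    ("2012-11-23", "engineering", "old", 60, 0),
    ("2012-11-23", "engineering", "new", 60, 0),
    ("2012-12-03", "finance", "old", 40, 13),
    ("2012-12-03", "finance", "new", 40, 5),
    ("2012-12-03", "engineering", "old", 60, 4),
    ("2012-12-03", "engineering", "new", 60, 2),
]

def totals_by(rows, field):
    """Sum [sent, clicked] per distinct value of the given column."""
    totals = defaultdict(lambda: [0, 0])
    for row in rows:
        totals[row[field]][0] += row[SENT]
        totals[row[field]][1] += row[CLICKED]
    return totals

def click_rate_by(rows, field):
    """Click rate per group; 'zooming in' is choosing a finer field."""
    return {k: c / s for k, (s, c) in totals_by(rows, field).items() if s}

def p_value(rows, field, a, b):
    """Two-sided pooled two-proportion z-test between groups a and b."""
    t = totals_by(rows, field)
    (n1, x1), (n2, x2) = t[a], t[b]
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:  # no clicks (or all clicks) in both groups: no evidence
        return 1.0
    return erfc(abs(x1 / n1 - x2 / n2) / se / sqrt(2))

if __name__ == "__main__":
    for field in (DATE, DEPT, TRAINING):
        print(click_rate_by(RESULTS, field))
    print("old vs new p =", round(p_value(RESULTS, TRAINING, "old", "new"), 4))
```

Measured only on the retreat day, the click rate is 0% and the two training cohorts are indistinguishable; across all three campaigns the per-department and per-cohort views show differences that the company-wide rate hides.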

So there you have it. ATC does have something to teach us about security.
Didn’t think I could make that leap did you? :)



One Comment


January 7, 2013 at 9:01 pm

Nice post!
-possibly an ATC professional
