The challenges of complexity - could security collapse?

I was recently turned on to what I consider a magnificent piece of writing by a guy named Clay Shirky, who's something of an Internet guru (the type of consultant I'm often very wary of, and may still be, but this guy can really come up with some good ideas). Here's the post. It deals with the collapse of complex societies and it's focused on media companies and broadcasters, but I think you'll find a lot of things that are relevant to the security industry. I'll outline where I see overlap below. If you're not going to take the time to read, here's the basic premise: Essentially, the reason that societies like the Romans, the Mayans, etc., collapsed and basically fell off the face of the earth is that they became so complex in their administration that the complexity stopped adding value and just started adding cost and impediments to growth and change. Once the complexity reached a certain untenable level, a challenge was introduced, the complexity made it impossible for the society to respond, and then everything collapsed, simplified, changed, and began growing anew. Here are the money paragraphs for that:
Tainter’s thesis is that when society’s elite members add one layer of bureaucracy or demand one tribute too many, they end up extracting all the value from their environment it is possible to extract and then some. The ‘and then some’ is what causes the trouble. Complex societies collapse because, when some stress comes, those societies have become too inflexible to respond. In retrospect, this can seem mystifying. Why didn’t these societies just re-tool in less complex ways? The answer Tainter gives is the simplest one: When societies fail to respond to reduced circumstances through orderly downsizing, it isn’t because they don’t want to, it’s because they can’t.
For a long time, security systems have been relatively simple, and the addition of complexity has added value. In the video world, cameras recorded to film/tape, and it was a pain to search for anything or get any information back. The introduction of more complex recording devices, which digitized that process, added value: Easier to quickly search through video, easier to find what you're looking for, easier to accomplish goals that help the organization. In the access world, keys, which were very simple and useful, have been increasingly replaced by cards or fobs or what have you, and complex systems that digitize data, allowing people to be tracked, denied entry if they've been terminated, etc., which adds value to the organization. In the intrusion world, wiring is being eliminated, the simple POTS line is being replaced by IP communication that allows for way more control and sophistication in the alarm signal, and value is added to the household or business by allowing the stakeholder/end user to have far more control over false alarms, arming and disarming, etc. Now, in all those worlds, more and more complexity is being added. Video analytics that can extract more and more data from video. Biometrics and software that allow for more and more control over who comes and goes from a facility. iPhone apps and integrated home systems that allow for more and more control over a home or business' inner workings and more and more things that can be set to trigger alarms should they go awry. Many of these things add incremental value. Do some of them just add complexity, though? Here's the equation to consider:
Early on, the marginal value of this complexity is positive—each additional bit of complexity more than pays for itself in improved output—but over time, the law of diminishing returns reduces the marginal value, until it disappears completely. At this point, any additional complexity is pure cost.
When a feature is added, does every manufacturer consider whether value is added along with the cost of that new feature? Is that value a net positive? As alarm companies are adding RMR possibilities - flood notification, temperature notification, latch-key notification - do those added monthly fees add equal monthly value? I thought this had an interesting parallel to the security alarm industry:
The ATT guys had correctly understood that the income from $20-a-month customers wouldn’t pay for good web hosting. What they hadn’t understood, were in fact professionally incapable of understanding, was that the industry solution, circa 1996, was to offer hosting that wasn’t very good.
When I talk with the industry about self-monitored systems, all I hear is that people don't want to monitor their own security systems. They want professionals to handle that. People don't want to get an alert on their phone while they're at the soccer field and then have to deal with it. They want someone to deal with that for them. For a long time, I've basically agreed with that sentiment. But doesn't that sound an awful lot like: People aren't going to want to update their web sites in real time and have their potential mistakes live for everyone to see. They're going to want professionals to take care of that. They're going to want 24/7 service and support for those web sites. I think it sounds a lot like that. And I think a good, simple, self-monitored system that uses mobile devices, is easy to install, and comes with a very low, or no, monthly fee could be really attractive. As yet, it has proven to be a market crasher, but are we building so much complexity into home alarm systems that the simple self-monitored system might become more and more attractive? And what about security products in general? Every press release I get seems to be focused on a new feature, a new thing that the product can do, and very few things focus on price and affordability and accomplishing a small goal that many people have. I like this quote a lot:
Among the rules of thumb she offers for building in that environment is this: “If you want something to be 10 times cheaper, take out 90% of the materials.” Making media is like that now except, for “materials”, substitute “labor.”
For security products, couldn't we substitute "materials" with "features"? What if we got rid of the hundreds of features that very few end users actually use and just delivered very simple products that do very simple things that almost everyone wants? Security is certainly seeing the same supply/demand issues that media is being faced with:
About 15 years ago, the supply part of media’s supply-and-demand curve went parabolic, with a predictably inverse effect on price.
How many dozens of camera manufacturers, analytics providers, alarm companies are there? How many of you are seeing the value placed on the cameras and intrusion systems you're offering being driven down, down, down? What does that price pressure do to the marketplace and how products are created?
Bureaucracies temporarily suspend the Second Law of Thermodynamics. In a bureaucracy, it’s easier to make a process more complex than to make it simpler, and easier to create a new burden than kill an old one.
Serious question: When new products are announced, how many of them are just a former product with a new thing tacked on? How many are just taking a product and making it more complex, adding incremental value in some cases, but in some cases just adding another megapixel or another functionality on top of everything that was already available? Isn't it much harder to invent an entirely new product that offers a different set of features that target a specific problem? But isn't that product likely to be more intriguing and interesting to the end users who have specific problems that need solving? And integrators: How many of you are just adding more capabilities to the systems you deliver, rather than designing a simple system that just solves the specific needs of your customers? Are you giving them tools they can't and won't use just because you can and because you can convince them to pay you for it? Will the complexity of these systems - the PSIM software and the flood of data that can come with it, the firehose of information the industry is offering to end users - eventually cause the end users to throw up their hands and look for radically new ways of doing things that don't involve the traditional security channel? Is that already happening as they go to IT integrators and their own internal IT departments for answers to "security" questions? It's something to consider and keep in mind. Even if the traditional security industry is pointing toward collapse, though, Shirky offers a final interesting ray of hope:
When ecosystems change and inflexible institutions collapse, their members disperse, abandoning old beliefs, trying new things, making their living in different ways than they used to. It’s easy to see the ways in which collapse to simplicity wrecks the glories of old. But there is one compensating advantage for the people who escape the old system: when the ecosystem stops rewarding complexity, it is the people who figure out how to work simply in the present, rather than the people who mastered the complexities of the past, who get to say what happens in the future.
Maybe this is an analogy to the conversion from analog to IP: It's easy to see the ways in which the collapse of analog into IP wrecks the glories of old high product margins and easy installations. But maybe the move to IP is in some cases adding complexity where simplicity is needed and we're instead heading for a different kind of collapse to simplicity. Obviously, I don't know the answers here, but I think this goal, or maybe "threat," of simplicity is interesting to consider as you look toward the future.



Excellent column, Sam! I agree with most of the points you have brought up here, and I also have predicted a bubble burst equal to the sub-prime mortgage in 07. Many of the software solutions which are supposed to complement hardware products are complicating the life of the security personnel with unnecessary features they never asked for and will never use. I feel that the VMS, Access Control software and "Situational Awareness" solutions are the three biggest complicators of the industry to date.
I highly disagree about end users being willing to self-monitor their facilities though... as long as the industry does not produce false-alarm-free solutions, no end user would be interested in receiving alerts in the middle of the night, at the dinner table or while on vacation abroad, not to mention knowing how to deal with the authorities like monitoring professionals often do. Can you imagine the stress involved in being on the beach in Mexico and trying to verify if the fire alarm SMS you just received is valid or false?

Sagy Amit

Yes, good article. My job involves upgrading Central Stations to IP and you are right, IP is simply too complex for many of them to handle. My experiences over the last few months have made me have a rethink about how we design our products and solutions. There is a big "dumbing down" process going on.