Spot On Security

I’ve been studying new technologies in the security industry for over twenty years. When estimating how successful a new product or company will be, there are many factors. One of the biggest is how easy is it for new users to accept the new solution.

This issue recently came up in John Honovich’s recent post:

http://ipvideomarket.info/report/objectvideo_poor_reputation_and_blaming_others

John takes ObjectVideo to task for blaming others for the slower adoption of their video analytics.

Brian Baker at ObjectVideo had written:

“Many in our industry correlate the need for trained users and the need to configure the analytics with the notion that analytics, as a whole, are immature and unreliable. Nothing could be further from the truth.”

Brian took the position that highly complex stuff requires training, and this is the same for SAP and Oracle systems. That doesn’t mean it is immature. It simply requires expertise.

Well, this is a perfect example of the the technology acceptance curve. If you have something different that requires new levels of training and new skill sets to be taught, you should expect sales of that product to grow slowly. There is no way it can take off rapidly or be adopted quickly. Why? Because you have to first build a whole new cadre of skilled workers before the system can be deployed.

In the late 1990′s when DVRs were still PC based software products, their sales grew incredibly slowly. They had been around for years, but so few integrators used them that many wondered if they would ever succeed.

The company I worked for then (Interlogix) and a few others in the industry took a different approach. We designed DVRs that were embedded appliances and worked exactly like the VCRs that everyone had been using for years. The sales of DVRs suddenly boomed.

The DVR business went from maybe $50M worldwide, to over $500M in a 2-3 years, and doubled again shortly after. That’s how quickly it changed once the technology acceptance curve was overcome.

The problem with the first PC based DVRs is that very few of the video integrators knew how to use them or how to fix them when they broke. It was a whole new world of computer software, and without extensive training they were afraid to adopt them. It was simply too much of a time investment, and too many opportunities to get caught in a hornet’s nest because you didn’t know what you didn’t know. So, most installers avoided DVRs unless they absolutely had no other choice.

Once they could pull out a VCR and replace it with a DVR that worked almost exactly the same – that’s when DVRs started selling like hotcakes.

A lot of people confuse this with “ease of use”, which is also important but is different. The technology acceptance curve is more about how familiar something is and how intuitive it is to use based on what people know and have used before.

This why I’ve long said that widespread use of video analytics would not begin until it was as easy to install as traditional video motion detection, which everyone is familiar with. Then anyone who knows how to install a camera would know how to install video analytics.

That’s what makes the adaptive analytics that we use at VideoIQ so significant. It is the only technology that gets rid of all that need for camera calibration and tuning required by other technologies. This means that anyone who knows how to use an IP camera can use our iCVR.

In fact, we’ve had quite a few installers who simply took our iCVR out of its box, plugged it in, and it was working. We rarely need to send someone out to help anyone understand how to use our analytics. Our number one tech calls are over IP related issues: How do you set up port forwarding on a router, or how to track down network problems…

It is still a good idea to understand video analytics, so you know where best to use it and what to avoid. So, we offer on-line training. But the skill set of knowing how to tune and calibrate a camera are not needed.

Sam Pfeifle, from Security Systems News, and I will be talking about this and other key technology differences that matter when using video analytics, along with the most popular uses for it – outdoor protection – in a webinar this coming Thursday. You can watch live, or you can watch it later if you can’t make the time:

https://presentations.inxpo.com/Shows/UnitedPublications/02_10/Registration/UnitedPublications_Feb_Registration_Page.html

The need for training can seem like a small thing, but this ends up being one of the biggest factors in how quickly a new technology spreads. That’s why the most important advances are often the ones that seem almost invisible, because people gain all the new benefits without having to change their lives.

Mystique can be a great advantage in lots of professions. For example, movie stars seem more exotic and interesting the less we know about them. The attraction of traveling to distant countries and strange cultures is also boosted by the desire to see something obscure.

But I’m not sure mystique is a good thing when it comes to security systems, and that’s one of the problems I see with BRS Labs. They have generated market interest by their amazing claims, but there is very little known about their technology. That may be their biggest advantage – at least for creating marketing buzz – but it raises quite a few concerns when it comes to actually using their systems for security.

Let’s take their central claim that they can detect out of the ordinary behaviors without any rules being set up or configured. It automatically observes the area, learning what is typical. Then it alerts you when something happens that is abnormal.

It’s a truly fascinating marketing concept. Who wouldn’t want a system that you could just plug in and was smart enough to know when a potential threat was occurring – even warning you about things you would not have thought about before. At first it seems like the perfect answer to security.

However, the more I think about it, the more concerned I get. The problem is that we don’t know what it is going to detect or why, and we don’t know what it might miss that could be important. In other words, it is mysterious about how it works.

How do you know how effective the system will be unless you know what it is detecting and how it works? How do you know it is going to catch real threats that matter to you, if you don’t know its enigmatic methods of detection?

Being curious, I decided to do some research. I tracked down the first patents that BRS Labs filed to get a better idea of what was under the hood. And just like in the Wizard of Oz, once I pulled back the curtains and understood what they were doing, it lost a lot of its mystique.

The most important thing I learned: Their system isn’t smart enough to work without rules. Their system requires rules just like all analytics systems. The big difference is that they simply aren’t telling you what those rules are that the system is using. It can’t detect anything out of the ordinary, it can only detect the types of things they program it to look for. How can you ever judge how well the system is going to work unless they tell you what those rules are?

From what folks at BRS have said, their system watches where objects enter the field of view and where they go in the scene, including their direction of travel. I believe they also detect where objects stop and about how fast they move. They probably distinguish people from vehicles and seem to be able to filter out ordinary background movement. This is actually all stuff we do as well, as do many other analytics systems.

What is different, is that they monitor these specific activities over time, and if some pattern of actions happens that is different from previous activities, they consider that a potential threat. In other words, if a car parks in an area where the system hasn’t seen a parked car before, it generates an alert. It will do this whether you care about that or not. If you get the alarm and don’t care about it, then you can tell the system to stop sending alarms like that.

But here’s the problem: when you are telling it you don’t care about that kind of alarm, you can never be sure what you are saying you don’t care about. You might think you are telling the system that you don’t care about someone parking in that spot, but in fact it might have alarmed because it was a truck and it had never seen a truck in the scene before, or the truck might have taken a different path than usual. You are telling the system to stop sending those alarms, but you don’t even know what it is you are turning off – because you don’t know the rules it was using in the first place. So, you might be making the system worse.

You might think, then, that you should not tell it to stop sending alarms, but the system needs you to, because when the system starts up, it generates large quantities of alarms, because lots of things look abnormal at first. The false alarm rate would never be manageable if you didn’t teach it what was not important. This process takes weeks of training, from what I’ve heard.

If you were trying to protect a high risk facility, such as a nuclear power plant or a place were dangerous chemicals were stored, how secure would you feel if you never knew what your system was detecting and what it was ignoring? And how secure you would feel if you told the system something was unimportant, but you didn’t know exactly what you were turning off?

If I want to detect someone in an area that is off-limits at night, with a rules based system you define the detection you want, and you can easily measure if it is missing real threats or sending you false alarms. But how do you measure or judge the accuracy of a system when you have no idea what it is detecting or avoiding? I don’t think this is a place for mystique. I think this is a place where we need to know what the system is doing. Otherwise, how can we ever know if it was going to provide the kind of protection we need?

That’s the first big problem that concerns me about this idea. However, as I thought about it, another problem became clear as well. This is something that is important in security: How easily could someone defeat your system? In this case, it becomes clear that if you do something repeatedly, the system is going to start ignoring it, because it is no longer abnormal. So, if someone wants to defeat the system, they just need to do something over and over again, and they can be sure the system will stop alerting on that behavior.

For example, you might want to be warned whenever a car enters a parking lot at night. Well, if a smart terrorist or criminal knew you had one of those mysterious behavioral detection systems, they would simply make a habit of driving into the parking lot and turning around and driving out. The first few times it would generate an alarm and anyone looking at the video would probably think a person just came in by mistake and left. But even if you wanted to keep an eye on such behaviors because it could potentially be a problem, you would not be able to, because the system would start ignoring it once it happened often enough.

Hopefully BRS has a way for the user to tell the system that although an alert was not important, that it still wants to keep seeing them – and not to start ignoring those kinds of things. But the problem is that you don’t know exactly why it generated the alarm, and so you don’t know what it is you are asking for more of, or saying you don’t want to see any more.

The BRS Labs  systems would be a lot more useful if they told everyone exactly what their rules are for detection. However, this would probably rob them of the great mystique their system has, which has certainly created a lot of good marketing for them.

Mystery is a great attractor. But when it comes to security, I think we need to know how a product works before designing it into a system. Spice is nice, but it doesn’t make a good main course.