I think about four times since I have moved into my current home, I have had the building’s fire alarm pulled with three of those times being when I’d otherwise be sleeping. Last night was no exception and fortunately like the previous times, the night was temperate and dry.

When the alarm went off, I hesitated to leave my unit. It’s a concrete and steel building and would be rather difficult to simply burn down. However, this is very poor thinking as my tired brain was not considering the possibility of smoke and either suffering inhalation or simply being trapped. But as a safety and security conscious person, I eventually recognised what I should do and left after a futile attempt to get my cat to leave.

As I was standing outside while the Vancouver Fire Department determined the situation, I thought about how I was considering ignoring the evacuation alert. On the surface, the idea that another alarm late at night was yet again going to be another false positive seems innocent, but there is going to be that time where that self-assurance is incorrect.

We’ve seen this play out in society before as with the Homeland Security Advisory System (now National Terrorism Advisory System) with its colour-coded system indicating the possibility of a terrorist attack on American soil and foreign services. News outlets really loved to latch on to whenever it was changed, but it provided inadequate information and was too broad for the typical person to understand.

Homeland Security eventually admitted during the Obama administration that it was ineffective and subsequently adopted a new version which outlines current threats. I have a lot of opinions on HSAS/NTAS and its role as security theatre, but that is a different discussion.

Here at home, Alert Ready–a system associated with alerting via mobile devices–has faced criticism for not being used enough or used too much. As evident in the severe heat and then severe rain my province of British Columbia faced in 2021, criticism over the government’s lack of response did eventually lead to changes to their use of it.

Outside of British Columbia, similar remarks were made during Nova Scotia’s public inquiry over the mass shootings which led to the death of 22 people in 2020. It was revealed that hesitation as well as jurisdictional clashing over roles and responsibilities led to a lack of sending an alert at all.

RCMP in Nova Scotia considered issuing an alert on April 19 after multiple calls from the provincial Emergency Management Office (EMO), but ultimately that didn’t happen.

At the time of the mass shooting, all agencies had to go through EMO to request an alert, which the provincial agency would then issue. The inquiry heard this week that the RCMP and regional police forces in Halifax and Cape Breton had been offered direct access to the alert system in 2016 and 2017, but declined.

Who ultimately should send these alerts and when? British Columbia’s severe weather and Nova Scotia’s mass shooting are two examples of lacking organizational preparedness. But it is this part from the CBC article I linked to earlier that stands out about my original problem with alert fatigue:

He said this was a devastating lesson to learn after the 2011 Norway shooting, where dozens of teens who were killed by a gunman on a remote island were given away by the alert sounds on their phones.

Australia and other countries have systems that don’t override user settings, Hallowes said, but Canada does not. Currently he said someone hiding from a shooter in Canada would have to turn off their phone completely and give up the ability to call for help to ensure their location wasn’t revealed.

Should users be allowed to override settings? The 2011 Norway attacks were an extreme example, but of course it cannot be ignored that the alarms emanating from the victims’ mobile devices made them targets. Is this a failure of the alert system itself or its use? Were the alerts too broad in geographic scope? Or would it be better for the alerts to have sounds controlled by the issuing authority?

And that is really just it: can you entrust users to ignore the sounds? I had the option to just sit in my apartment and endure the loud clanging coming from my apartment’s alarm, but its persistence and my ability to hear it led to me evacuating anyway. If someone sets their phone to silence such alarms, is it defeating its purpose?

In my world of cyber security, it is this sort of problem I fear. When Target was breached in 2013, there were many indications that a problem existed, but nobody was answering the call.

At first, the malware went undetected, and it began compiling millions of records during peak business hours. This data was being readied to be transferred to the hackers’ location in Eastern Europe. But very soon, FireEye flagged the malware and issued an alert. Target’s security team in Bangalore noted the alert and notified the security center in Minneapolis. But the red light was ignored.

FireEye flagged as many as five different versions of the malware. The alerts even provided the addresses for the “staging ground” servers, and a gaffe by the hackers meant that the malware code contained usernames and passwords for these servers, meaning Target security could have logged on and seen the stolen data for themselves. Unfortunately, the alerts all went unheeded. Furthermore, given that several alerts were issued before any data were actually removed from the Target systems, FireEye’s automated malware deletion feature could have ended the assault without the need for any human action. However, the Target security team had turned that feature off, preferring a final manual overview of security decisions.

Trained cyber security personnel as well as an experienced security vendor did not respond to these alerts in a timely fashion. The alerts were seen, forwarded to the appropriate party, and then nothing happened until it was too late. This was alert fatigue at its finest and is now used as a case study by other cyber security teams.

My long-time boss very much likes to make the statement “let no incident go to waste”, but it’s still not a badge of honour to be made an example of.

I guess a more current matter would be the response to COVID-19. It’s still a pandemic and it’s still raging through many workplaces, homes, and events, but I feel as if the exhaustion around lockdowns and news about variants has similarities to the fears public officials have using public alerting systems. Are we just doomed to have failure in light of the information we are presented with?

At least I left my apartment, but I wish I didn’t hesitate and I also wish my cat would have cooperated.