Security Leadership and Management

Is Your Program Security Theater?

Is your department making the enterprise safer, or is it a false sense of security? Take our quiz to find out!

Security guru Bruce Schneier coined the term “Security Theater” to describe phony security measures, procedures, or technologies that give the superficial appearance of providing security without actually countering malicious adversaries to any significant degree. As an example, many of the activities undertaken by airport screeners have been characterized by some as little more than Security Theater.

As vulnerability assessors, we frequently find Security Theater across a wide range of different physical security and nuclear safeguards devices, systems and programs. It’s important to realize, however, that Security Theater is not automatically a bad thing. It can present the appearance (false though it may be) of a hardened target to potential adversaries, thus potentially discouraging an attack (at least for a while). Security Theater can reassure the public while more effective measures are under development, and help encourage employees and the public to stay focused on security. In nuclear treaty monitoring, Security Theater can provide an excuse to get inspectors inside nuclear facilities where their informal observations and interactions with host facility personnel can be of great value to disarmament, nonproliferation and international cooperation. 

The real problem occurs when Security Theater is not ultimately recognized as such by security officials or the public, or creates cynicism about security, or stands in the way of Real Security, or wastes resources and energy, or is actually preferred over Real Security (because it is usually easier and less painful).

 

Security Theater and the Real Thing

The best way to determine if a given security technology, measure or program (STMP) is primarily Security Theater is to conduct comprehensive vulnerability assessments and threat assessments to determine how easily the STMP can be defeated, and what threats and attacks it might have to stand up to. But this can be time consuming and expensive.

In our experience, STMPs that eventually prove to be very easy to defeat and/or not particularly effective – to the point of being Security Theater – almost always exhibit certain common attributes. In fact, we can use these attributes to predict fairly reliably how easy it will be for us as vulnerability assessors to demonstrate multiple successful and simple attacks, even before beginning the vulnerability assessment.

As a public service, we offer the following survey that you can take to determine how likely it is that your security technology, measure, or program (STMP) is Security Theater. This survey is about as scientific as a “how’s your love life?” survey in a teen magazine, but we think it may nevertheless have some value. The survey questions being asked, along with our comments associated with some of the questions, can at least help suggest warning signs and countermeasures for Security Theater.

Add up your total points for all 33 survey questions and then see the interpretation for your score below. (If you’re between two choices on any question, split the difference on the points.)

1. Is the security application quite complex and/or challenging?

o  A lot             2 points

o  A little         1 point

o  Not at All    0 points

 

2. Is (or was) there great urgency from anywhere to get something out in the field or in the marketplace?

o  Yes             2 points

o  No               0 points

 

3. Has substantial time, funding and political capital already been spent developing, promoting, or analyzing the security technology, measure, or program (STMP)?

o  Yes             2 points         

o  No               0 points

 

4. Is there a great deal of bureaucratic, political, or marketing momentum behind the STMP, or a strong push from bureaucrats, a committee, or senior non-security managers?

o  Yes     2 points

o  No      0 points

 

5. Is there considerable excitement, exuberance, pride, ego and/or strong emotions associated with the proposed (or fielded) STMP?

o  A lot            5 points

o  A little         3 points

o  Not at All    0 points

 

6. Is the STMP viewed with great confidence, arrogance and/or characterized as “impossible to defeat,” “tamper proof,” etc.?  (Effective security is very difficult to achieve. Generally, if developers, promoters and end users of a given security approach or product have carefully considered the real-world security issues, they will not be in such a confident mood. Fear is, in fact, a good indicator of a realistic mindset when it comes to security.)

o  A lot            5 points

o  A little         3 points

o  Not at All    0 points

 

7. Does the STMP in question have a feel good “aura” or make people quite comfortable with their security risk? (In general, Real Security doesn’t make people feel better, it makes them feel worse. This is because it is almost always more expensive, time-consuming and painful than Security Theater. Moreover, when security is carefully thought-through – as Real Security must be – the difficulty of the task, the unknowns and the knowledge of the unmitigated vulnerabilities will cause alarm. If you’re not running scared, you probably have bad security or a bad security product.)

o  A lot             6 points

o  A little         3 points

o  Not at All    0 points         

 

8. Do the promoters and developers of the technology or the STMP earnestly – even desperately – want it to solve the security problems at hand, and/or are they highly idealistic?  (Strong desires to achieve a valuable goal can sometimes lead to wishful thinking.)

o  A lot             3 points

o  A little         1 point

o  Not at All    0 points

 

9. Is the STMP a pet technology of the promoters and developers, and/or not chosen from among many candidates via careful analysis?

o  A lot            3 points

o  A little         1 point

o  Not at All    0 points

 

10. Do the people or organization promoting or deciding on the STMP have a conflict of interest (financial, psychological, collegial, or political), or are they at least unable to objectively evaluate it, and/or are they overly enthusiastic/optimistic?

o  Yes             3 points

o  No               0 points

 

11. Do the people developing or promoting the STMP have significant real-world security experience (not just experience as bureaucrats or experience developing security technology)?

o  Yes             0 points

o  No               3 points

 

12. Has the person who ultimately decides to field the STMP ever seen a new security technology that they didn’t like, or have they ever found fault with their own security or (publicly) with their employer?

o  Yes             0 points

o  No               2 points

 

13. Is the person who ultimately decides that the STMP should be deployed often thought of as naïve, a bureaucrat, or less than astute, and/or did they get most of their information about STMP from promoters and vendors?

o  Yes             2 points

o  No               0 points

 

14. Do the people promoting, deploying, or choosing the STMP substantially understand the technology or security strategy?

o  Yes             0 points

o  No               2 points

 

15. Are the people promoting or deciding on the STMP mostly non-technical and/or limited in their understanding of real-world security?

o  Yes             2 points

o  No               0 points

 

16. Are the people developing the STMP mostly engineers? (In our experience, the mindset, culture and practices that make one good at engineering aren’t optimal for thinking like the bad guys.)

o  Yes             3 points

o  No               0 points

 

17. Does the STMP rely primarily on complexity, advanced technology, the latest technological “fad” and/or multiple layers? (High technology does not equal high security, and layered security isn’t always better.)

o  A lot             3 points

o  A little         1 point

o  Not at All    0 points

 

18. Do the people using the STMP on the front lines substantially understand the technology or security strategy?

o  Yes             0 points

o  No               2 points

 

19. Are the use protocols, training materials and manuals for the STMP non-existent, vague, poorly written, or ill-conceived, and/or is the terminology sloppy or misleading?

o  Yes     3 points

o  No      0 points

 

20. Is the STMP complicated or difficult to use?

o  Yes             2 points

o  No               0 points

 

21. Was the STMP forced on the end users from superiors?

o  Yes             2 points

o  No               0 points

 

22. Have the end users of the STMP ever been consulted about it?  (These are people who understand the real-world implementation issues, and are the ones who will have to make the STMP actually work.)

o  A lot            0 points

o  A little         1 point

o  Not at All   2 points

 

23. Have vulnerability assessors, hacker types, devil’s advocates, question askers, or creative independent outsiders closely analyzed the STMP?

o  No, Weren’t Allowed to    6 points

o  No                                       4 points

o  Yes                                     0 points

 

24. If anybody questioned (or questions) the efficacy of the STMP, or raised (or raises) concerns, were (or are) they (choose one)…

o  Attacked Emotionally                   7 points

o  Attacked Unemotionally             4 points

o  Ignored                                          2 points

o  Vaguely Tolerated                       1 point

o  Listened to but Ignored              1 point

o  Enthusiastically Listened to      0 points

 

25. Are vulnerabilities only considered, and vulnerability assessors only involved, after the development of the STMP has been completed or nearly completed? (At this point, it is usually too difficult to make necessary changes to improve the security for economic, political, timeliness, inertia, or psychological reasons).

o  Yes, or Vulnerabilities Aren’t Considered at All     3 points

o  No                                                                                    0 points

 

26. Does the STMP involve new technology piled on existing STMP in hopes of getting better security, but without actually addressing the Achilles’ heel of the old STMP?

o  A lot           3 points

o  A little         1 point

o  Not at All    0 points

 

27. Do considerations of security focus mainly on software, firmware, or cyber attacks, largely ignoring physical security?

o  Yes             3 points

o  No               0 points

 

28. Is the main tamper detection mechanism – if there even is one – a mechanical tamper switch, a light sensor, or an adhesive label seal? (This is approximately the same, in our experience, as having no tamper detection at all.)

o  Yes             2 points

o  No               0 points

o  There are no tamper detection mechanisms    3 points

 

29. Is the STMP directed against a specific, well-defined adversary with well-defined resources?

o  Yes             0 points

o  No               3 points

 

30. Is the STMP dominated by the desire to address security compliance, rather than true security? (Compliance-based security is a particularly pernicious type of Security Theater.)

o  Yes     3 points

o  No      0 points

 

31. Is deployment of the STMP really motivated more by a desire for control than for real security?

o  Yes     2 points

o  No      0 points

 

32. Is the operation of the STMP strongly dependent on rules that only the good guys will follow? (For example, don’t bring thumb drives into the facility.)

o  Yes     2 points

o  No      0 points

 

33. Is the effectiveness of the STMP thought to require keeping long-term secrets, or using manufacturing processes that can’t be duplicated?  (“Security by Obscurity” doesn’t really work long-term because people and organizations can’t keep secrets.  See Manning and Snowden.)

o  A lot                        4 points

o  A little         2 points

o  Not at All    0 points

 

Interpretation

Add up the total points for questions 1-33. If the sum is…

81-100 then: You have so much Theater going on that you ought to charge admission!

61-80 then: You’re pretty heavy into Security Theater, but there’s at least some Real Security.

41-60 then: This appears to be a mix of Security Theater and Real Security.

21-40 then: You apparently have more Real Security than Security Theater, but there’s still plenty of nonsense going on!

0-20 then: Good job! There’s likely still room for improvement, but you’ve got serious security!

 

Countermeasures to Security Theater

Being alert for the presence of Security Theater, knowing its characteristic attributes and applying common sense countermeasures can go a long way towards avoiding it. This survey might be a useful tool to at least get you thinking about some of these issues.

The countermeasures for avoiding Security Theater are relatively straightforward, and some are not much different from countermeasures for groupthink and cognitive dissonance.  Perform legitimate (not “rubber stamp”) vulnerability assessments and threat assessments early, often, and iteratively – not only after it is too late to make any changes. Focus on what the purpose is for the security technology/measure/program and on the adversary’s mindset and goals.

Early on, invite independent, skeptical and creative people to analyze your security. Appoint a devil’s advocate if necessary. Don’t let the enthusiasm for solving the security problems steamroll over the realities of the task. The people developing or promoting a given security technology/measure/program should not be the ones to decide whether to implement it. 

Always bear in mind that Security Theater is going to be seductive.  It is easier, cheaper, and less painful than Real Security, and it takes a whole lot less thought.

 

Disclaimer

The views expressed here are those of the authors and should not necessarily be ascribed to Argonne National Laboratory or the United States Department of Energy.

 

About the Authors:

Roger G. Johnston, Ph.D., CPP, is Leader of the Vulnerability Assessment Team at Argonne National Laboratory. He was founder and head of the Vulnerability Assessment Team at Los Alamos National Laboratory from 1992 to 2007. Johnston has assisted more than 50 government and international agencies, private companies and NGOs. Jon S. Warner, Ph.D., is a Systems Engineer with the Vulnerability Assessment Team at Argonne National Laboratory. From 2002-2007 he served as a Technical Staff Member with the Vulnerability Assessment Team at Los Alamos National Laboratory. His research interests include vulnerability assessments, nuclear safeguards, physical tamper/intrusion detection and microprocessor and wireless applications.
