When security controls become theatre

If you go to the supermarket today, it’s highly likely that you’ll find yourself in a line, two metres apart, leading up to a person with a counter who looks like they’d rather be literally anywhere else than stood at the door counting people in and out of the store. Once you’ve made it past this Gandalf-like character shouting “you shall not pass!”, it’s straight into a labyrinth of one-way arrows, black and yellow tape, and people who look like they’ve been searching for the arrow that’ll take them to the checkouts since the end of March. Welcome to the bizarre world of security theatre.

For those that haven’t heard the term, security theatre refers to security controls that look impressive, but do nothing to mitigate the actual risk you’re trying to control. In the aftermath of 9/11, security was tightened around what could be taken onto an airplane. You can therefore imagine the surprise when I managed to take a screwdriver from my PC service kit on a plane back in the early 2000s. Likewise, making people queue to enter the supermarket sounds like a great idea, until you realise that once inside, you have to cross within two metres of each other when the person ahead stops to pick something up off the shelf. Additionally, unless people are coughing the virus into each other’s faces, the most likely route of transmission is that they contaminate something on the shelf, which you then catch the virus from, and no amount of queuing or distancing will prevent that.

We see the same thing happen in information security, where it is often in response to a major incident, and often by someone without a security background. It can be best described as doing the wrong thing for the right reasons. This is where having a good understanding of the fundamentals of risk management is important. When a crisis occurs, there will be an inevitable desire for immediate action “to stop this ever happening again”, when the reality is that the event occurs so irregularly that the appropriate action may be to accept such things will happen and do nothing.

There is an argument that security theatre is a good thing, because it allows people to feel safer. However, in most cases, giving the illusion of security is worse than not having any. If you were driving a car that you knew had no seatbelts or airbag, would you be driving more carefully? Now, what if your car had a seatbelt and airbag, but neither worked properly: would you rather know your car is dangerous and drive accordingly, or remain ignorant?

Judging the line

This uses the premise that a security control exists to do one thing: reduce risk. Whether this is by lowering the probability of the risk occurring, or minimising its impact, the aim is still to reduce the risk. If a control does nothing to address either of these factors, then it’s almost certainly security theatre. Using the supermarket above as an example, this can be demonstrated using a qualitative assessment. For this, all the ways the virus can be caught, and what can be done to prevent them, need to be considered:

Risk: An individual catches Coronavirus at the supermarket

Threat: An infected person
Impact: In all cases the impact can be classed as Medium-High to High

| Vulnerability | Probability | Proposed Control | Control is Effective | Control is Easy |
|---|---|---|---|---|
| Infected people are able to enter the store | Medium | Signs telling infected people to stay away | Maybe (1) | Yes |
| | | Turning away visibly sick people at the door | Maybe (1) | Yes |
| Conditions allow for direct transmission of the virus | Low | Social distancing of 2m | No (2) | Yes |
| | | Enforce wearing of face coverings and gloves | No (3) | Yes |
| The virus is transmitted via contact with a contaminated surface | Medium | Regularly disinfect the store and products | Yes | No (4) |
| | | Provide reminders to regularly wash hands (Including at home) | Maybe (5) | Yes |
| | | Provide alcohol gel stations throughout the store to allow for hand cleaning | Maybe (5) | Maybe (6) |

(1) This requires the infected person to know they are sick and agree to follow the guidance, or be visibly sick enough to be turned away.
(2) Government guidelines give the risk threshold as being within two metres of an infected person for 15 minutes or more – unlikely within a supermarket.
(3) Evidence suggests that PPE outside of a medical setting is of limited effectiveness and requires additional behaviours (e.g. not touching face) to be effective.
(4) Regularly sanitising the store and all the products would be time consuming, labour intensive, expensive, and carry the risk of damaging the products.
(5) This requires people to actually wash their hands and do so correctly.
(6) There would be a cost associated with setting up the stations and keeping them stocked.

From this limited analysis, it can be seen that the controls being employed by supermarkets are those that are easy to implement, but provide limited mitigation to the risk. Some stores do provide the opportunity to clean hands with alcohol gel, but only on your way into the store. From this, we can identify the 2m distancing and forcing the wearing of face coverings to be potentially security theatre, as they provide no practical benefit within this environment (remember, we are only considering a supermarket – within a hospital, these controls may be more effective.)

Avoiding the trap

If you want to avoid staging a brilliant piece of security theatre yourself, here are five things to consider:

1. Changes to security controls should never be part of incident response
If you’re in the middle of a security incident, this is most certainly not the time to be making knee-jerk changes to your security controls. The first priority is to recover to the pre-incident state (or where this is not possible, a basis of stability) and conduct an effective post-mortem to understand what led to the incident and what went wrong. Only then should you begin considering changes to security controls.

2. Change with the risk landscape
Sometimes the fundamental risk landscape can shift significantly without you ever having an incident to force you to review your controls to ensure they are still effective. This is where horizon scanning, and making time for periodic control reviews will prove valuable.

3. Leave emotion at the door
When designing security controls, their effectiveness should be considered dispassionately. If a control doesn’t have a measurable effect on the risk, then it’s likely not a good control and probably shouldn’t be employed. This also means controls should never be used as a punishment or inducement.

4. Sometimes you will have to accept more risk than you would like
Your dispassionate analysis of the risk and what can be done to reduce it may determine that in fact there is little to nothing that can be done. While this doesn’t preclude continuing to look for better controls, it may be necessary to accept that risk in order to continue operating while you do so.

5. Beware of the unintended consequences
Understanding the control in the context of the wider organisation is important. Just because a security control may reduce one risk, it doesn’t mean that it won’t create or worsen another. Additionally, unless you consult widely and test extensively, you may find that the changes you make have an impact on people, processes, and technologies that you could never have predicted.

An information security example

The Acme company gives its sales staff USB memory sticks branded with the company name that contain various presentation materials for when they visit customer sites. One day a salesman manages to lose his memory stick on a train, where it is later discovered, and the contents of these presentations make the news and prove somewhat embarrassing for the company.

Acme management are furious and an incident is declared. During the investigation into where this leak came from, it is discovered that over 10% of Acme sales staff are unable to account for the memory sticks they have been given.

Eventually, through good PR, Acme manages to get the situation under control and return to normality, but it now needs to do something to stop such an incident happening again. A big group of people get round the table and brainstorm ideas for security controls. Using the same qualitative analysis as before, it is possible to see whether each idea is likely to be security theatre:

Risk: Loss of Acme data by an authorised user

Threat: Person(s) not authorised to see the data
Vulnerability: Use of unencrypted portable storage device
Likelihood: Medium-High
Impact: Medium-High to High

| Proposed Control | Is it effective? | Is it security theatre? |
|---|---|---|
| Replace memory sticks with an unbranded encrypted version | Yes, while they can still be lost, the data cannot be read and they are not associated with Acme | No, this is likely the best option |
| Move the documents to cloud storage | Yes, it would prevent the physical loss of data, but open up new risks around ensuring data is kept secure online | No, cloud storage is a potential solution |
| Have managers vet the contents of memory sticks | No, a loss of one could still prove embarrassing to the company and this doesn’t guarantee sensitive data won’t leak | Yes, it fails to address the actual risk |
| Increase awareness and training for staff on data protection | Maybe, training won’t prevent it from happening, but may help to reduce the frequency with which it does, and let people know how to handle it happening | No, this is a practical control |
| Regular inspections to verify possession of memory sticks | No, if the inspections are too regular, it will be intrusive. If not, the damage may be done before the loss is discovered | Yes, there are better ways to manage the loss of assets |
| Require memory sticks to be attached to company lanyard | No, the data could still be lost, and now it can be associated with a company employee | Yes, the control fails to address the vulnerability |
| Require staff to pay for lost memory sticks | No, now if staff were to lose them, they’re less likely to report the loss | Yes, this has nothing to do with controlling the risk |

From these ideas, we can see that there are a number of options, though while some are good, many fail to help control the risk being discussed, and risk alienating the staff. Banning the use of memory sticks could render the staff unable to do their jobs, and the use of the cloud may be discounted depending on the type of environment the staff are going to.

Therefore from this exercise, you should be able to see that without changing working practices, the best options would be to switch to an encrypted memory stick, and provide education and awareness to staff about keeping their equipment secure.

Do you have security theatre stories? Share them below.

2 Comments

  1. Jesse Blue

    It’s interesting you mention having sanitation stations within supermarkets - in inner East Melbourne (Australia) the supermarkets I frequent have hand gel and wipes outside the door, a station inside the door, and even a few dotted around depending on the size of the store.
    Trolleys, a very obvious hazard, are continuously sprayed with antibacterial solution, and while product shelves are cleaned of an evening, all other surfaces (i.e. conveyors and checkouts) are sprayed and wiped between each customer, with customers now bagging their own groceries.
    Compared to the rest of the world, and being a fairly self contained and self sufficient country, we have been incredibly fortunate that the measures taken have been widely embraced, really not a big inconvenience, and have kept the vast majority of the population safe and healthy.

    Yet another well written and fascinating read- thanks!

  2. John

    Great article – thank you for sharing.
