If you go to the supermarket today, it’s highly likely that you’ll find yourself in a line, two metres apart leading up to a person with a counter that looks like they’d literally be anywhere else than stood at the door counting people in and out of the store. Once you’ve made it past this Gandalf-like character shouting you shall not pass! It’s straight into a labrynth of one way arrows, black and yellow tape, and people who look like they’ve been searching for the arrow that’ll take them to the checkouts since the end of March. Welcome to the bizarre world of security theatre.
For those that haven’t heard the term, security theatre refers to security controls that look impressive, but do nothing to mitigate the actual risk you’re trying to control. In the aftermath of 9/11, security was tightened around what could be taken onto an airplane. You can therefore imagine the suprise when I managed to take a screwdriver from my PC service kit on a plane back in the early 2000s. Likewise, making people queue to enter the supermarket sounds like a great idea, until you realise that once inside, you have to cross within two metres of each other when the person ahead stops to pick something up off the shelf. Additionally, as the unless people are coughing the virus into each other’s faces; the most likely route of transmission is that they contaminate something on the shelf, which you then catch the virus from; and no amount of queuing or distancing will prevent that.
We see the same thing happen in information security where it is often in response to a major incident, and often by someone without a security background. It can be best describled as doing the wrong thing for the right reasons. This is where having a good understanding of the fundamentals of risk management is important. When a crisis occurs, there will be an enivitable desire for immediate action “to stop this ever happening again”; when the reality is that the event occurs so irregularly that the appropriate action may be to accept such things will happen and do nothing.
There is an argument that security theatre is a good thing, because it allows people to feel safer. However in most cases, giving the illusion of security is worse than not having any – If you were driving a car that you knew had no seatbelts or airbag, would you be driving more carefully? Now, what if your car had a seatbelt and airbag, but neither worked properly – Would you rather know your car is dangerous and drive accordingly, or remain ignorant?
Judging the line
This uses the premise that a security control exists to do one thing: Reduce risk. Whether this is by lowering the probability of the risk occuring, or minimising its impact, the aim is still to reduce the risk. If a control does nothing to address either of these factors, then it’s almost certainly security theatre. Using the supermarket above as an example, this can be demonstrated using a qualitative assessment. For this all the ways the virus can be caught and what can be done to prevent it need to be considered:
Risk: An individual catches Coronavirus at the supermarket
Threat: An infected person
Impact: In all cases the impact can be classed as Medium-High to High
|Vulnerability||Probability||Proposed Control||Control is Effective||Control is Easy|
|Infected people are able to enter the store||Medium||Signs telling infected people to stay away||Maybe (1)||Yes|
|“||“||Turning away visibly sick people at the door||Maybe (1)||Yes|
|Conditions allow for direct transmission of the virus||Low||Social distancing of 2m||No (2)||Yes|
|“||“||Enforce wearing of face coverings and gloves||No (3)||Yes|
|The virus is transmitted via contact with a contaminated surface||Medium||Regularly disinfect the store and products||Yes||No (4)|
|“||“||Provide reminders to regularly wash hands (Including at home)||Maybe (5)||Yes|
|“||“||Provide alcohol gel stations throughout the store to allow for hand cleaning||Maybe (5)||Maybe (6)|
(2) Government guidelines give the risk threshold as being within two metres of an infected person for 15 minutes or more – unlikely within a supermarket.
(3) Evidence suggests that PPE outside of a medical setting is of limited effectiveness and requires additional behaviours (e.g not touching face) to be effective.
(4) Regularly sanitising the store and all the products would be time consuming, labour intensive, expensive, and carry the risk of damaging the products.
(5) This requires people to actually wash their hands and do so correctly
(6) There would be a cost associated with setting up the stations and keeping them stocked
From this limited analysis, it can be seen that the controls being employed by supermarkets are those that are easy to implement, but provide limited mitigation to the risk. Some stores do provide the opportunity to clean hands with alcohol gel, but only on your way into the store. From this, we can identify the 2m distancing and forcing the wearing of face coverings to be potentially security theatre, as they provide no practical benefit within this environment (remember, we are only considering a supermarket – within a hospital, these controls may be more effective.)
Avoiding the trap
If you want to avoid staging a brilliant piece of security theatre yourself, here are five things to consider:
1: Changes to Security Controls should never be part of incident response
If you’re in the middle of a security incident, this is most certainly not the time to be making knee-jerk reactions to change your security controls. The first priority is to recover to the pre-incident state (or where this is not possible, a basis of stability) and conduct an effective post-mortem to understand what led to the incident and what went wrong. Only then should you beging considering changes to security controls.
2: Change with the risk landscape
Sometimes the fundamental risk landscape can shift significantly without you ever having an incident to force you to review your controls to ensure they are still effective. This is where horizon scanning, and making time for periodic control reviews will prove valuable.
3. Leave emotion at the door
When designing security controls, their effectiveness should be considered dispassionately. If a control doesn’t have a measurable effect on the risk, then it’s likely not a good control and probably shouldn’t be employed. This also means controls should never be used as a punishment or inducement.
4. Sometimes you will have to accept more risk than you would like
Your dispassionate analysis of the risk and what can be done to reduce it may determine that in fact there is little to nothing that can be done. While this doesn’t preclude continuing to look for better controls, it may be necessary to accept that risk in order to continue operating while you do so.
5. Beware of the unintended consequences
Understanding the control in the context of the wider organisation is important. Just because a security control may reduce one risk, it doesn’t mean that it won’t create or worsen another. Additionally, unless you consult widely and test extensively, you may find that the changes you make have an impact on people, processes, and technologies that you could never have predicted.
An information security example
The Acme company gives it’s sales staff USB memory sticks branded with the company name that contain various presentation materials for when they visit customer sites. One day a salesman manages to lose his memory stick on a train, where it is lately discovered and the contents of these presentations make the news and proves somewhat embarrassing for the company.
Acme management are furious and an incident is declared. During the investigation into where this leak came from, it is discovered that over 10% of Acme sales staff are unable to account of the memory sticks they have been given.
Eventually through good PR, Acme manages to get the situation under control and return to normality. but it now needs to do something to stop such an incident happening again. A big group of people get round the table and brainstorm ideas for security controls. Using the same qualitative analysis as before, it is possible to see whether it’s likely to be security theatre:
Risk: Loss of Acme data by an authorised user
Threat: Person(s) not authorised to see the data
Vulnerability: Use of unencrypted portable storage device
Impact: Medium-High to High
|Proposed Control||Is it effective?||It it security theatre?|
|Replace memory sticks with an unbranded encrypted version||Yes, while they can still be lost, the data cannot be read and they are not associated with Acme||No, this is likely the best option|
|Move the documents to cloud storage||Yes, it would prevent the physical loss of data, but open up new risks around ensuring data is kept secure online||No, cloud storage is a potential solution|
|Have managers vet the contents of memory sticks||No, a loss of one could still prove embarassing to the company and this doesn’t guarantee sensitive data won’t leak||Yes, it fails to address the actual risk|
|Increase awareness and training for staff on data protection||Maybe, training won’t prevent it from happening, but may help to reduce the frequency with which it does, and let people know how to handle it happening||No, this is a practical control|
|Regular inspections to verify possession of memory sticks||No, if the inspections are too regular, it will be intrusive. If not, the damage may be done before the loss is discovered||Yes, there are better ways to manage the loss of assets|
|Require memory sticks to be attached to company lanyard||No, the data could still be lost, and now it can be associated with a company employee||Yes, the control fails to address the vulnerability|
|Require staff to pay for lost memory sticks||No, now if staff were to lose them, they’re less likely to report the loss||Yes, this has nothing to do with controlling the risk|
From these ideas, we can see that there are a number of options, though while some are good, many fail to help control the risk being discussed, and risk alienating the staff. Banning the use of memory sticks could render the staff unable to do their jobs, and the use of the cloud may be discounted depending on the type of environment the staff are going to.
Therefore from this exercise, you should be able to see that without changing working practices, the best options would be to switch to an encrypted memory stick, and provide education and awareness to staff about keeping their equipment secure.
Do you have security theatre stories? Share them below.