First appeared in Security Magazine, September 2013, http://www.securitymagazine.com/articles/84691-is-your-program-security-theater
But is it Security Theater?
Roger G. Johnston, Ph.D., CPP and Jon S. Warner, Ph.D.
Vulnerability Assessment Team, Argonne National Laboratory
rogerj@anl.gov 630-252-6168 http://www.ne.anl.gov/capabilities/vat
INTRODUCTION
Security guru Bruce Schneier coined the term “Security Theater” to describe phony security
measures, procedures, or technologies that give the superficial appearance of providing security
without actually countering malicious adversaries to any significant degree. As an example,
many of the activities undertaken by airport screeners have been characterized by some as little
more than Security Theater.
As vulnerability assessors, we frequently find Security Theater across a wide range of
different physical security and nuclear safeguards devices, systems, and programs. It’s important
to realize, however, that Security Theater is not automatically a bad thing. It can present the
appearance (false though it may be) of a hardened target to potential adversaries, thus potentially
discouraging an attack (at least for a while). Security Theater can reassure the public while more
effective measures are under development, and help encourage employees and the public to stay
focused on security. In nuclear treaty monitoring, Security Theater can provide an excuse to get
inspectors inside nuclear facilities where their informal observations and interactions with host
facility personnel can be of great value to disarmament, nonproliferation, and international
cooperation.
The real problem occurs when Security Theater is not ultimately recognized as such by
security officials or the public, or creates cynicism about security, or stands in the way of Real
Security, or wastes resources and energy, or is actually preferred over Real Security (because it
is usually easier and less painful).
HOW TO TELL SECURITY THEATER FROM THE REAL THING
The best way to determine if a given security technology, measure, or program (STMP) is
primarily Security Theater is to conduct comprehensive vulnerability assessments and threat
assessments to determine how easily the STMP can be defeated, and what threats and attacks it
might have to stand up to. But this can be time consuming and expensive.
In our experience, STMPs that eventually prove to be very easy to defeat and/or not
particularly effective—to the point of being Security Theater—almost always exhibit certain
common attributes. In fact, we can use these attributes to predict fairly reliably how easy it will
be for us as vulnerability assessors to demonstrate multiple successful and simple attacks, even
before beginning the vulnerability assessment.
As a public service, we offer the following survey that you can take to determine how likely it
is that your security technology, measure, or program (STMP) is Security Theater. This survey
is about as scientific as a “how’s your love life?” survey in a teen magazine, but we think it may
nevertheless have some value. The survey questions being asked, along with our comments
associated with some of the questions can at least help suggest warning signs and
countermeasures for Security Theater.
Add up your total points for all 33 survey questions and then see the interpretation for your
score below. (If you’re between 2 choices on any question, split the difference on the points.)
1. Is the security application quite complex and/or challenging?
☐ A lot 2 points
☐ A little 1 point
☐ Not at All 0 points
2. Is (or was) there great urgency from anywhere to get something out in the field or in the marketplace?
☐ Yes 2 points
☐ No 0 points
3. Has substantial time, funding, and political capital already been spent developing, promoting, or analyzing the
security technology, measure, or program (STMP)?
☐ Yes 2 points
☐ No 0 points
4. Is there a great deal of bureaucratic, political, or marketing momentum behind the STMP, or a strong push from
bureaucrats, a committee, or senior non-security managers?
☐ Yes 2 points
☐ No 0 points
5. Is there considerable excitement, exuberance, pride, ego, and/or strong emotions associated with the proposed (or
fielded) STMP?
☐ A lot 5 points
☐ A little 3 points
☐ Not at All 0 points
6. Is the STMP viewed with great confidence, arrogance, and/or characterized as “impossible to defeat”, “tamper
proof”, etc.? (Effective security is very difficult to achieve. Generally, if developers, promoters, and end users of a
given security approach or product have carefully considered the real-world security issues, they will not be in such
a confident mood. Fear is, in fact, a good indicator of a realistic mindset when it comes to security.)
☐ A lot 5 points
☐ A little 3 points
☐ Not at All 0 points
7. Does the STMP in question have a feel good “aura” or make people quite comfortable with their security risk?
(In general, Real Security doesn’t make people feel better, it makes them feel worse. This is because it is almost
always more expensive, time-consuming, and painful than Security Theater. Moreover, when security is carefully
thought-through—as Real Security must be—the difficulty of the task, the unknowns, and the knowledge of the
unmitigated vulnerabilities will cause alarm. If you’re not running scared, you probably have bad security or a bad
security product.)
☐ A lot 6 points
☐ A little 3 points
☐ Not at All 0 points
8. Do the promoters and developers of the technology or the STMP earnestly—even desperately—want it to solve
the security problems at hand, and/or are they highly idealistic? (Strong desires to achieve a valuable goal can
sometimes lead to wishful thinking.)
☐ A lot 3 points
☐ A little 1 point
☐ Not at All 0 points
9. Is the STMP a pet technology of the promoters and developers, and/or not chosen from among many candidates
via careful analysis?
☐ A lot 3 points
☐ A little 1 point
☐ Not at All 0 points
10. Do the people or organization promoting or deciding on the STMP have a conflict of interest (financial,
psychological, collegial, or political), or are they at least unable to objectively evaluate it, and/or are they overly
enthusiastic/optimistic?
☐ Yes 3 points
☐ No 0 points
11. Do the people developing or promoting the STMP have significant real-world security experience (not just
experience as bureaucrats or experience developing security technology)?
☐ Yes 0 points
☐ No 3 points
12. Has the person who ultimately decides to field the STMP ever seen a new security technology that they didn’t
like, or have they ever found fault with their own security or (publicly) with their employer?
☐ Yes 0 points
☐ No 2 points
13. Is the person who ultimately decides that the STMP should be deployed often thought of as naïve, a bureaucrat,
or less than astute, and/or did they get most of their information about the STMP from promoters and vendors?
☐ Yes 2 points
☐ No 0 points
14. Do the people promoting, deploying, or choosing the STMP substantially understand the technology or security
strategy?
☐ Yes 0 points
☐ No 2 points
15. Are the people promoting or deciding on the STMP mostly non-technical and/or limited in their understanding
of real-world security?
☐ Yes 2 points
☐ No 0 points
16. Are the people developing the STMP mostly engineers? (In our experience, the mindset, culture, and practices
that make one good at engineering aren’t optimal for thinking like the bad guys.)
☐ Yes 3 points
☐ No 0 points
17. Does the STMP rely primarily on complexity, advanced technology, the latest technological “fad”, and/or
multiple layers? (High technology does not equal high security, and layered security isn’t always better.)
☐ A lot 3 points
☐ A little 1 point
☐ Not at All 0 points
18. Do the people using the STMP on the front lines substantially understand the technology or security strategy?
☐ Yes 0 points
☐ No 2 points
19. Are the use protocols, training materials, and manuals for the STMP non-existent, vague, poorly written, or ill-conceived,
and/or is the terminology sloppy or misleading?
☐ Yes 3 points
☐ No 0 points
20. Is the STMP complicated or difficult to use?
☐ Yes 2 points
☐ No 0 points
21. Was the STMP forced on the end users from superiors?
☐ Yes 2 points
☐ No 0 points
22. Have the end users of the STMP ever been consulted about it? (These are people who understand the real-world
implementation issues, and are the ones who will have to make the STMP actually work).
☐ A lot 0 points
☐ A little 1 point
☐ Not at All 2 points
23. Have vulnerability assessors, hacker types, devil’s advocates, question askers, or creative independent outsiders
closely analyzed the STMP?
☐ No, Weren’t Allowed to 6 points
☐ No 4 points
☐ Yes 0 points
24. If anybody questioned/questions the efficacy of the STMP or raised/raises concerns, were/are they (choose one)…
☐ Attacked Emotionally 7 points
☐ Attacked Unemotionally 4 points
☐ Ignored 2 points
☐ Vaguely Tolerated 1 point
☐ Listened to but Ignored 1 point
☐ Enthusiastically Listened to 0 points
25. Are vulnerabilities only considered, and vulnerability assessors only involved, after the development of the
STMP has been completed or nearly completed? (At this point, it is usually too difficult to make necessary changes
to improve the security for economic, political, timeliness, inertia, or psychological reasons).
☐ Yes, or Vulnerabilities Aren’t Considered at All 3 points
☐ No 0 points
26. Does the STMP involve new technology piled on existing STMP in hopes of getting better security, but without
actually addressing the Achilles heel of the old STMP?
☐ A lot 3 points
☐ A little 1 point
☐ Not at All 0 points
27. Do considerations of security focus mainly on software, firmware, or cyber attacks, largely ignoring physical
security?
☐ Yes 3 points
☐ No 0 points
28. Is the main tamper detection mechanism—if there even is one—a mechanical tamper switch, a light sensor, or
an adhesive label seal? (This is approximately the same, in our experience, as having no tamper detection at all.)
☐ Yes 2 points
☐ No 0 points
☐ There are no tamper detection mechanisms 3 points
29. Is the STMP directed against a specific, well-defined adversary with well-defined resources?
☐ Yes 0 points
☐ No 3 points
30. Is the STMP dominated by the desire to address security compliance, rather than true security? (Compliance-based
security is a particularly pernicious type of Security Theater.)
☐ Yes 3 points
☐ No 0 points
31. Is deployment of the STMP really motivated more by a desire for control than for real security?
☐ Yes 2 points
☐ No 0 points
32. Is the operation of the STMP strongly dependent on rules that only the good guys will follow? (For example,
don’t bring thumb drives into the facility.)
☐ Yes 2 points
☐ No 0 points
33. Is the effectiveness of the STMP thought to require keeping long-term secrets, or using manufacturing processes
that can’t be duplicated? (“Security by Obscurity” doesn’t really work long-term because people and organizations
can’t keep secrets. See Manning and Snowden.)
☐ A lot 4 points
☐ A little 2 points
☐ Not at All 0 points
INTERPRETATION
Add up the total points for questions 1-33. If the sum is…
81-100 then: You have so much Theater going on that you ought to charge admission!
61-80 then: You’re pretty heavy into Security Theater, but there’s at least some Real Security.
41-60 then: This appears to be a mix of Security Theater and Real Security.
21-40 then: You apparently have more Real Security than Security Theater, but there’s still
plenty of nonsense going on!
0-20 then: Good job! There’s likely still room for improvement but you’ve got serious security!
COUNTERMEASURES TO SECURITY THEATER
Being alert for the presence of Security Theater, knowing its characteristic attributes, and
applying common sense countermeasures can go a long way towards avoiding it. This survey
might be a useful tool to at least get you thinking about some of these issues.
The countermeasures for avoiding Security Theater are relatively straightforward, and some
are not much different from countermeasures for groupthink and cognitive dissonance. Perform
legitimate (not “rubber stamp”) vulnerability assessments and threat assessments early, often,
and iteratively—not only after it is too late to make any changes. Focus on what the purpose is
for the security technology/measure/program, and on the adversary’s mindset and goals.
Early on, invite independent, skeptical, and creative people to analyze your security. Appoint
a devil’s advocate if necessary. Don’t let the enthusiasm for solving the security problems
steamroll over the realities of the task. The people developing or promoting a given security
technology/measure/program should not be the ones to decide whether to implement it. And
don’t automatically believe everything manufacturers and vendors say!
Hold egos, hype, and boosterism in check. Talk (early!) to the end user and to the people
(including low level personnel) who will actually be doing the security in the field, and learn
from them.
Always bear in mind that Security Theater is going to be seductive. It is easier, cheaper, and
less painful than Real Security, and it takes a whole lot less thought.
DISCLAIMER
This submitted manuscript has been created by UChicago Argonne, LLC, Operator of
Argonne National Laboratory (“Argonne”). Argonne, a U.S. Department of Energy Office of
Science laboratory, is operated under Contract No. DE-AC02-06CH11357. The U.S.
Government retains for itself, and others acting on its behalf, a paid-up nonexclusive, irrevocable
worldwide license in said article to reproduce, prepare derivative works, distribute copies to the
public, and perform publicly and display publicly, by or on behalf of the Government.
The views expressed here are those of the authors and should not necessarily be ascribed to
Argonne National Laboratory or the United States Department of Energy.