First appeared in Security Magazine, September 2013, http://www.securitymagazine.com/articles/84691-is-your-program-security-theater 
But is it Security Theater? 
Roger G. Johnston, Ph.D., CPP and Jon S. Warner, Ph.D. 
Vulnerability Assessment Team, Argonne National Laboratory 
rogerj@anl.gov 630-252-6168 http://www.ne.anl.gov/capabilities/vat 
INTRODUCTION 
Security guru Bruce Schneier coined the term “Security Theater” to describe phony security 
measures, procedures, or technologies that give the superficial appearance of providing security 
without actually countering malicious adversaries to any significant degree. As an example, 
many of the activities undertaken by airport screeners have been characterized by some as little 
more than Security Theater. 
As vulnerability assessors, we frequently find Security Theater across a wide range of 
different physical security and nuclear safeguards devices, systems, and programs. It’s important 
to realize, however, that Security Theater is not automatically a bad thing. It can present the 
appearance (false though it may be) of a hardened target to potential adversaries, thus potentially 
discouraging an attack (at least for a while). Security Theater can reassure the public while more 
effective measures are under development, and help encourage employees and the public to stay 
focused on security. In nuclear treaty monitoring, Security Theater can provide an excuse to get 
inspectors inside nuclear facilities where their informal observations and interactions with host 
facility personnel can be of great value to disarmament, nonproliferation, and international 
cooperation. 
The real problem occurs when Security Theater is not ultimately recognized as such by 
security officials or the public, or creates cynicism about security, or stands in the way of Real 
Security, or wastes resources and energy, or is actually preferred over Real Security (because it 
is usually easier and less painful). 
HOW TO TELL SECURITY THEATER FROM THE REAL THING 
The best way to determine if a given security technology, measure, or program (STMP) is 
primarily Security Theater is to conduct comprehensive vulnerability assessments and threat 
assessments to determine how easily the STMP can be defeated, and what threats and attacks it 
might have to stand up to. But this can be time consuming and expensive. 
In our experience, STMPs that eventually prove to be very easy to defeat and/or not 
particularly effective—to the point of being Security Theater—almost always exhibit certain 
common attributes. In fact, we can use these attributes to predict fairly reliably how easy it will 
be for us as vulnerability assessors to demonstrate multiple successful and simple attacks, even 
before beginning the vulnerability assessment.
As a public service, we offer the following survey that you can take to determine how likely it 
is that your security technology, measure, or program (STMP) is Security Theater. This survey 
is about as scientific as a “how’s your love life?” survey in a teen magazine, but we think it may 
nevertheless have some value. The survey questions being asked, along with our comments 
associated with some of the questions, can at least help suggest warning signs and 
countermeasures for Security Theater. 
Add up your total points for all 33 survey questions and then see the interpretation for your 
score below. (If you’re between 2 choices on any question, split the difference on the points.) 
1. Is the security application quite complex and/or challenging? 
☐ A lot 2 points 
☐ A little 1 point 
☐ Not at All 0 points 
2. Is (or was) there great urgency from anywhere to get something out in the field or in the marketplace? 
☐ Yes 2 points 
☐ No 0 points 
3. Has substantial time, funding, and political capital already been spent developing, promoting, or analyzing the 
security technology, measure, or program (STMP)? 
☐ Yes 2 points 
☐ No 0 points 
4. Is there a great deal of bureaucratic, political, or marketing momentum behind the STMP, or a strong push from 
bureaucrats, a committee, or senior non-security managers? 
☐ Yes 2 points 
☐ No 0 points 
5. Is there considerable excitement, exuberance, pride, ego, and/or strong emotions associated with the proposed (or 
fielded) STMP? 
☐ A lot 5 points 
☐ A little 3 points 
☐ Not at All 0 points 
6. Is the STMP viewed with great confidence, arrogance, and/or characterized as “impossible to defeat”, “tamper 
proof”, etc.? (Effective security is very difficult to achieve. Generally, if developers, promoters, and end users of a 
given security approach or product have carefully considered the real-world security issues, they will not be in such 
a confident mood. Fear is, in fact, a good indicator of a realistic mindset when it comes to security.) 
☐ A lot 5 points 
☐ A little 3 points 
☐ Not at All 0 points 
7. Does the STMP in question have a feel good “aura” or make people quite comfortable with their security risk? 
(In general, Real Security doesn’t make people feel better, it makes them feel worse. This is because it is almost 
always more expensive, time-consuming, and painful than Security Theater. Moreover, when security is carefully 
thought-through—as Real Security must be—the difficulty of the task, the unknowns, and the knowledge of the 
unmitigated vulnerabilities will cause alarm. If you’re not running scared, you probably have bad security or a bad 
security product.) 
☐ A lot 6 points 
☐ A little 3 points 
☐ Not at All 0 points
8. Do the promoters and developers of the technology or the STMP earnestly—even desperately—want it to solve 
the security problems at hand, and/or are they highly idealistic? (Strong desires to achieve a valuable goal can 
sometimes lead to wishful thinking.) 
☐ A lot 3 points 
☐ A little 1 point 
☐ Not at All 0 points 
9. Is the STMP a pet technology of the promoters and developers, and/or not chosen from among many candidates 
via careful analysis? 
☐ A lot 3 points 
☐ A little 1 point 
☐ Not at All 0 points 
10. Do the people or organization promoting or deciding on the STMP have a conflict of interest (financial, 
psychological, collegial, or political), or are they at least unable to objectively evaluate it, and/or are they overly 
enthusiastic/optimistic? 
☐ Yes 3 points 
☐ No 0 points 
11. Do the people developing or promoting the STMP have significant real-world security experience (not just 
experience as bureaucrats or experience developing security technology)? 
☐ Yes 0 points 
☐ No 3 points 
12. Has the person who ultimately decides to field the STMP ever seen a new security technology that they didn’t 
like, or have they ever found fault with their own security or (publicly) with their employer? 
☐ Yes 0 points 
☐ No 2 points 
13. Is the person who ultimately decides that the STMP should be deployed often thought of as naïve, a bureaucrat, 
or less than astute, and/or did they get most of their information about STMP from promoters and vendors? 
☐ Yes 2 points 
☐ No 0 points 
14. Do the people promoting, deploying, or choosing the STMP substantially understand the technology or security 
strategy? 
☐ Yes 0 points 
☐ No 2 points 
15. Are the people promoting or deciding on the STMP mostly non-technical and/or limited in their understanding 
of real-world security? 
☐ Yes 2 points 
☐ No 0 points 
16. Are the people developing the STMP mostly engineers? (In our experience, the mindset, culture, and practices 
that make one good at engineering aren’t optimal for thinking like the bad guys.) 
☐ Yes 3 points 
☐ No 0 points 
17. Does the STMP rely primarily on complexity, advanced technology, the latest technological “fad”, and/or 
multiple layers? (High technology does not equal high security, and layered security isn’t always better.) 
☐ A lot 3 points 
☐ A little 1 point 
☐ Not at All 0 points
18. Do the people using the STMP on the front lines substantially understand the technology or security strategy? 
☐ Yes 0 points 
☐ No 2 points 
19. Are the use protocols, training materials, and manuals for the STMP non-existent, vague, poorly written, or ill-conceived, 
and/or is the terminology sloppy or misleading? 
☐ Yes 3 points 
☐ No 0 points 
20. Is the STMP complicated or difficult to use? 
☐ Yes 2 points 
☐ No 0 points 
21. Was the STMP forced on the end users from superiors? 
☐ Yes 2 points 
☐ No 0 points 
22. Have the end users of the STMP ever been consulted about it? (These are the people who understand the real-world 
implementation issues, and are the ones who will have to make the STMP actually work.) 
☐ A lot 0 points 
☐ A little 1 point 
☐ Not at All 2 points 
23. Have vulnerability assessors, hacker types, devil’s advocates, question askers, or creative independent outsiders 
closely analyzed the STMP? 
☐ No, Weren’t Allowed to 6 points 
☐ No 4 points 
☐ Yes 0 points 
24. If anybody questioned/questions the efficacy of the STMP, or raises concerns were/are they (choose one)… 
☐ Attacked Emotionally 7 points 
☐ Attacked Unemotionally 4 points 
☐ Ignored 2 points 
☐ Vaguely Tolerated 1 point 
☐ Listened to but Ignored 1 point 
☐ Enthusiastically Listened to 0 points 
25. Are vulnerabilities only considered, and vulnerability assessors only involved, after the development of the 
STMP has been completed or nearly completed? (At this point, it is usually too difficult to make the necessary changes 
to improve the security, for economic, political, timeliness, inertia, or psychological reasons.) 
☐ Yes, or Vulnerabilities Aren’t Considered at All 3 points 
☐ No 0 points 
26. Does the STMP involve new technology piled on existing STMP in hopes of getting better security, but without 
actually addressing the Achilles heel of the old STMP? 
☐ A lot 3 points 
☐ A little 1 point 
☐ Not at All 0 points 
27. Do considerations of security focus mainly on software, firmware, or cyber attacks, largely ignoring physical 
security? 
☐ Yes 3 points 
☐ No 0 points
28. Is the main tamper detection mechanism—if there even is one—a mechanical tamper switch, a light sensor, or 
an adhesive label seal? (This is approximately the same, in our experience, as having no tamper detection at all.) 
☐ Yes 2 points 
☐ No 0 points 
☐ There are no tamper detection mechanisms 3 points 
29. Is the STMP directed against a specific, well-defined adversary with well-defined resources? 
☐ Yes 0 points 
☐ No 3 points 
30. Is the STMP dominated by the desire to address security compliance, rather than true security? (Compliance-based 
security is a particularly pernicious type of Security Theater.) 
☐ Yes 3 points 
☐ No 0 points 
31. Is deployment of the STMP really motivated more by a desire for control than for real security? 
☐ Yes 2 points 
☐ No 0 points 
32. Is the operation of the STMP strongly dependent on rules that only the good guys will follow? (For example, 
don’t bring thumb drives into the facility.) 
☐ Yes 2 points 
☐ No 0 points 
33. Is the effectiveness of the STMP thought to require keeping long-term secrets, or using manufacturing processes 
that can’t be duplicated? (“Security by Obscurity” doesn’t really work long-term because people and organizations 
can’t keep secrets. See Manning and Snowden.) 
☐ A lot 4 points 
☐ A little 2 points 
☐ Not at All 0 points 
INTERPRETATION 
Add up the total points for questions 1-33. If the sum is… 
81-100 then: You have so much Theater going on that you ought to charge admission! 
61-80 then: You’re pretty heavy into Security Theater, but there’s at least some Real Security. 
41-60 then: This appears to be a mix of Security Theater and Real Security. 
21-40 then: You apparently have more Real Security than Security Theater, but there’s still 
plenty of nonsense going on! 
0-20 then: Good job! There’s likely still room for improvement but you’ve got serious security!
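As an added example (not part of the article), the following Python scorer encodes the survey's point values and interpretation bands, including the "split the difference" rule for an answer that falls between two choices. The answer labels are the check-box labels above (with straight apostrophes), and the sample answer set at the end is constructed for illustration.

```python
"""Scorer for the 33-question Security Theater survey.

Point values are transcribed from the survey; answer labels match the
check-box labels of each question (straight apostrophes used).
"""


def a_lot(a, little):
    """Options for the 'A lot / A little / Not at All' questions."""
    return {"A lot": a, "A little": little, "Not at All": 0}


def yes_no(yes, no=0):
    """Options for the 'Yes / No' questions (some score the 'No')."""
    return {"Yes": yes, "No": no}


# Question number -> {answer label: points}
SURVEY = {
    1: a_lot(2, 1), 2: yes_no(2), 3: yes_no(2), 4: yes_no(2),
    5: a_lot(5, 3), 6: a_lot(5, 3), 7: a_lot(6, 3),
    8: a_lot(3, 1), 9: a_lot(3, 1), 10: yes_no(3),
    11: yes_no(0, 3), 12: yes_no(0, 2), 13: yes_no(2),
    14: yes_no(0, 2), 15: yes_no(2), 16: yes_no(3),
    17: a_lot(3, 1), 18: yes_no(0, 2), 19: yes_no(3),
    20: yes_no(2), 21: yes_no(2),
    22: {"A lot": 0, "A little": 1, "Not at All": 2},
    23: {"No, Weren't Allowed to": 6, "No": 4, "Yes": 0},
    24: {"Attacked Emotionally": 7, "Attacked Unemotionally": 4,
         "Ignored": 2, "Vaguely Tolerated": 1,
         "Listened to but Ignored": 1, "Enthusiastically Listened to": 0},
    25: {"Yes, or Vulnerabilities Aren't Considered at All": 3, "No": 0},
    26: a_lot(3, 1), 27: yes_no(3),
    28: {"Yes": 2, "No": 0, "There are no tamper detection mechanisms": 3},
    29: yes_no(0, 3), 30: yes_no(3), 31: yes_no(2), 32: yes_no(2),
    33: a_lot(4, 2),
}

# (lower bound of band, interpretation), highest band first
BANDS = [
    (81, "You have so much Theater going on that you ought to charge admission!"),
    (61, "You're pretty heavy into Security Theater, but there's at least some Real Security."),
    (41, "This appears to be a mix of Security Theater and Real Security."),
    (21, "You apparently have more Real Security than Security Theater, "
         "but there's still plenty of nonsense going on!"),
    (0, "Good job! There's likely still room for improvement but you've got serious security!"),
]


def points(question, answer):
    """Points for one answer. A 2-tuple of labels means the respondent is
    between two choices; per the survey, split the difference (average)."""
    options = SURVEY[question]
    if isinstance(answer, tuple):
        first, second = answer
        return (options[first] + options[second]) / 2
    return options[answer]


def score(answers):
    """Total points for a complete answer set keyed by question number.
    Raises KeyError on an unanswered question or an unknown label."""
    missing = set(SURVEY) - set(answers)
    if missing:
        raise KeyError(f"unanswered questions: {sorted(missing)}")
    return sum(points(q, answers[q]) for q in SURVEY)


def interpret(total):
    """Map a total to the survey's interpretation text."""
    for floor, text in BANDS:
        if total >= floor:
            return text
    raise ValueError("total must be >= 0")


def max_score():
    """Worst case: highest-scoring option on every question (sums to 100)."""
    return sum(max(opts.values()) for opts in SURVEY.values())


# Lowest-scoring label on every question: the "no theater" baseline (0 points).
BEST_CASE = {q: min(opts, key=opts.get) for q, opts in SURVEY.items()}

# Constructed sample answer set (not from the article): baseline plus a few
# warning signs, including one split-the-difference answer on question 6.
EXAMPLE_ANSWERS = {
    **BEST_CASE,
    6: ("A lot", "A little"),  # (5 + 3) / 2 = 4
    7: "A lot",                # 6
    16: "Yes",                 # 3
    23: "No",                  # 4
    24: "Ignored",             # 2
    25: "Yes, or Vulnerabilities Aren't Considered at All",  # 3
    30: "Yes",                 # 3
    33: "A lot",               # 4
}

if __name__ == "__main__":
    total = score(EXAMPLE_ANSWERS)
    print(f"max possible: {max_score()}")
    print(f"sample total: {total} -> {interpret(total)}")
```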
COUNTERMEASURES TO SECURITY THEATER 
Being alert for the presence of Security Theater, knowing its characteristic attributes, and 
applying common sense countermeasures can go a long way towards avoiding it. This survey 
might be a useful tool to at least get you thinking about some of these issues. 
The countermeasures for avoiding Security Theater are relatively straightforward, and some 
are not much different from countermeasures for groupthink and cognitive dissonance. Perform 
legitimate (not “rubber stamp”) vulnerability assessments and threat assessments early, often, 
and iteratively—not only after it is too late to make any changes. Focus on what the purpose is 
for the security technology/measure/program, and on the adversary’s mindset and goals. 
Early on, invite independent, skeptical, and creative people to analyze your security. Appoint 
a devil’s advocate if necessary. Don’t let the enthusiasm for solving the security problems 
steamroll over the realities of the task. The people developing or promoting a given security 
technology/measure/program should not be the ones to decide whether to implement it. And 
don’t automatically believe everything manufacturers and vendors say! 
Hold egos, hype, and boosterism in check. Talk (early!) to the end user and to the people 
(including low level personnel) who will actually be doing the security in the field, and learn 
from them. 
Always bear in mind that Security Theater is going to be seductive. It is easier, cheaper, and 
less painful than Real Security, and it takes a whole lot less thought. 
DISCLAIMER 
This submitted manuscript has been created by UChicago Argonne, LLC, Operator of 
Argonne National Laboratory (“Argonne”). Argonne, a U.S. Department of Energy Office of 
Science laboratory, is operated under Contract No. DE-AC02-06CH11357. The U.S. 
Government retains for itself, and others acting on its behalf, a paid-up nonexclusive, irrevocable 
worldwide license in said article to reproduce, prepare derivative works, distribute copies to the 
public, and perform publicly and display publicly, by or on behalf of the Government. 
The views expressed here are those of the authors and should not necessarily be ascribed to 
Argonne National Laboratory or the United States Department of Energy. 
Call Now Pooja Mehta : 7738631006 Door Step Call Girls Rate 100% Satisfactio...
 
Construction Project Management | Coursera 2024
Construction Project Management | Coursera 2024Construction Project Management | Coursera 2024
Construction Project Management | Coursera 2024
 
Does Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxDoes Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptx
 
Intro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptxIntro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptx
 
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Peak Performance & Resilience - Dr Dorian Dugmore
Peak Performance & Resilience - Dr Dorian DugmorePeak Performance & Resilience - Dr Dorian Dugmore
Peak Performance & Resilience - Dr Dorian Dugmore
 

Is it Security Theater?

First appeared in Security Magazine, September 2013, http://www.securitymagazine.com/articles/84691-is-your-program-security-theater

But is it Security Theater?
Roger G. Johnston, Ph.D., CPP and Jon S. Warner, Ph.D.
Vulnerability Assessment Team, Argonne National Laboratory
rogerj@anl.gov 630-252-6168 http://www.ne.anl.gov/capabilities/vat

INTRODUCTION

Security guru Bruce Schneier coined the term "Security Theater" to describe phony security measures, procedures, or technologies that give the superficial appearance of providing security without actually countering malicious adversaries to any significant degree. As an example, many of the activities undertaken by airport screeners have been characterized by some as little more than Security Theater.

As vulnerability assessors, we frequently find Security Theater across a wide range of different physical security and nuclear safeguards devices, systems, and programs. It's important to realize, however, that Security Theater is not automatically a bad thing. It can present the appearance (false though it may be) of a hardened target to potential adversaries, thus potentially discouraging an attack (at least for a while). Security Theater can reassure the public while more effective measures are under development, and help encourage employees and the public to stay focused on security. In nuclear treaty monitoring, Security Theater can provide an excuse to get inspectors inside nuclear facilities where their informal observations and interactions with host facility personnel can be of great value to disarmament, nonproliferation, and international cooperation.

The real problem occurs when Security Theater is not ultimately recognized as such by security officials or the public, or creates cynicism about security, or stands in the way of Real Security, or wastes resources and energy, or is actually preferred over Real Security (because it is usually easier and less painful).

HOW TO TELL SECURITY THEATER FROM THE REAL THING

The best way to determine if a given security technology, measure, or program (STMP) is primarily Security Theater is to conduct comprehensive vulnerability assessments and threat assessments to determine how easily the STMP can be defeated, and what threats and attacks it might have to stand up to. But this can be time consuming and expensive.

In our experience, STMPs that eventually prove to be very easy to defeat and/or not particularly effective, to the point of being Security Theater, almost always exhibit certain common attributes. In fact, we can use these attributes to predict fairly reliably how easy it will be for us as vulnerability assessors to demonstrate multiple successful and simple attacks, even before beginning the vulnerability assessment.

As a public service, we offer the following survey that you can take to determine how likely it is that your security technology, measure, or program (STMP) is Security Theater. This survey is about as scientific as a "how's your love life?" survey in a teen magazine, but we think it may nevertheless have some value. The survey questions being asked, along with our comments on some of the questions, can at least help suggest warning signs and countermeasures for Security Theater.

Add up your total points for all 33 survey questions and then see the interpretation for your score below. (If you're between 2 choices on any question, split the difference on the points.)

1. Is the security application quite complex and/or challenging?
   ☐ A lot 2 points   ☐ A little 1 point   ☐ Not at All 0 points

2. Is (or was) there great urgency from anywhere to get something out in the field or in the marketplace?
   ☐ Yes 2 points   ☐ No 0 points

3. Has substantial time, funding, and political capital already been spent developing, promoting, or analyzing the security technology, measure, or program (STMP)?
   ☐ Yes 2 points   ☐ No 0 points

4. Is there a great deal of bureaucratic, political, or marketing momentum behind the STMP, or a strong push from bureaucrats, a committee, or senior non-security managers?
   ☐ Yes 2 points   ☐ No 0 points

5. Is there considerable excitement, exuberance, pride, ego, and/or strong emotions associated with the proposed (or fielded) STMP?
   ☐ A lot 5 points   ☐ A little 3 points   ☐ Not at All 0 points

6. Is the STMP viewed with great confidence, arrogance, and/or characterized as "impossible to defeat", "tamper proof", etc.? (Effective security is very difficult to achieve. Generally, if developers, promoters, and end users of a given security approach or product have carefully considered the real-world security issues, they will not be in such a confident mood. Fear is, in fact, a good indicator of a realistic mindset when it comes to security.)
   ☐ A lot 5 points   ☐ A little 3 points   ☐ Not at All 0 points

7. Does the STMP in question have a feel-good "aura" or make people quite comfortable with their security risk? (In general, Real Security doesn't make people feel better, it makes them feel worse. This is because it is almost always more expensive, time-consuming, and painful than Security Theater. Moreover, when security is carefully thought through, as Real Security must be, the difficulty of the task, the unknowns, and the knowledge of the unmitigated vulnerabilities will cause alarm. If you're not running scared, you probably have bad security or a bad security product.)
   ☐ A lot 6 points   ☐ A little 3 points   ☐ Not at All 0 points

8. Do the promoters and developers of the technology or the STMP earnestly, even desperately, want it to solve the security problems at hand, and/or are they highly idealistic? (Strong desires to achieve a valuable goal can sometimes lead to wishful thinking.)
   ☐ A lot 3 points   ☐ A little 1 point   ☐ Not at All 0 points

9. Is the STMP a pet technology of the promoters and developers, and/or not chosen from among many candidates via careful analysis?
   ☐ A lot 3 points   ☐ A little 1 point   ☐ Not at All 0 points

10. Do the people or organization promoting or deciding on the STMP have a conflict of interest (financial, psychological, collegial, or political), or are they at least unable to objectively evaluate it, and/or are they overly enthusiastic/optimistic?
   ☐ Yes 3 points   ☐ No 0 points

11. Do the people developing or promoting the STMP have significant real-world security experience (not just experience as bureaucrats or experience developing security technology)?
   ☐ Yes 0 points   ☐ No 3 points

12. Has the person who ultimately decides to field the STMP ever seen a new security technology that they didn't like, or have they ever found fault with their own security or (publicly) with their employer?
   ☐ Yes 0 points   ☐ No 2 points

13. Is the person who ultimately decides that the STMP should be deployed often thought of as naïve, a bureaucrat, or less than astute, and/or did they get most of their information about the STMP from promoters and vendors?
   ☐ Yes 2 points   ☐ No 0 points

14. Do the people promoting, deploying, or choosing the STMP substantially understand the technology or security strategy?
   ☐ Yes 0 points   ☐ No 2 points

15. Are the people promoting or deciding on the STMP mostly non-technical and/or limited in their understanding of real-world security?
   ☐ Yes 2 points   ☐ No 0 points

16. Are the people developing the STMP mostly engineers? (In our experience, the mindset, culture, and practices that make one good at engineering aren't optimal for thinking like the bad guys.)
   ☐ Yes 3 points   ☐ No 0 points

17. Does the STMP rely primarily on complexity, advanced technology, the latest technological "fad", and/or multiple layers? (High technology does not equal high security, and layered security isn't always better.)
   ☐ A lot 3 points   ☐ A little 1 point   ☐ Not at All 0 points

18. Do the people using the STMP on the front lines substantially understand the technology or security strategy?
   ☐ Yes 0 points   ☐ No 2 points

19. Are the use protocols, training materials, and manuals for the STMP non-existent, vague, poorly written, or ill-conceived, and/or is the terminology sloppy or misleading?
   ☐ Yes 3 points   ☐ No 0 points

20. Is the STMP complicated or difficult to use?
   ☐ Yes 2 points   ☐ No 0 points

21. Was the STMP forced on the end users by superiors?
   ☐ Yes 2 points   ☐ No 0 points

22. Have the end users of the STMP ever been consulted about it? (These are the people who understand the real-world implementation issues, and are the ones who will have to make the STMP actually work.)
   ☐ A lot 0 points   ☐ A little 1 point   ☐ Not at All 2 points

23. Have vulnerability assessors, hacker types, devil's advocates, question askers, or creative independent outsiders closely analyzed the STMP?
   ☐ No, Weren't Allowed to 6 points   ☐ No 4 points   ☐ Yes 0 points

24. If anybody questioned (or questions) the efficacy of the STMP, or raised concerns, were (or are) they (choose one)…
   ☐ Attacked Emotionally 7 points   ☐ Attacked Unemotionally 4 points   ☐ Ignored 2 points   ☐ Vaguely Tolerated 1 point   ☐ Listened to but Ignored 1 point   ☐ Enthusiastically Listened to 0 points

25. Are vulnerabilities only considered, and vulnerability assessors only involved, after the development of the STMP has been completed or nearly completed? (At this point, it is usually too difficult to make the necessary changes to improve the security, for economic, political, timeliness, inertia, or psychological reasons.)
   ☐ Yes, or Vulnerabilities Aren't Considered at All 3 points   ☐ No 0 points

26. Does the STMP involve new technology piled on an existing STMP in hopes of getting better security, but without actually addressing the Achilles heel of the old STMP?
   ☐ A lot 3 points   ☐ A little 1 point   ☐ Not at All 0 points

27. Do considerations of security focus mainly on software, firmware, or cyber attacks, largely ignoring physical security?
   ☐ Yes 3 points   ☐ No 0 points

28. Is the main tamper detection mechanism, if there even is one, a mechanical tamper switch, a light sensor, or an adhesive label seal? (This is approximately the same, in our experience, as having no tamper detection at all.)
   ☐ Yes 2 points   ☐ No 0 points   ☐ There are no tamper detection mechanisms 3 points

29. Is the STMP directed against a specific, well-defined adversary with well-defined resources?
   ☐ Yes 0 points   ☐ No 3 points

30. Is the STMP dominated by the desire to address security compliance, rather than true security? (Compliance-based security is a particularly pernicious type of Security Theater.)
   ☐ Yes 3 points   ☐ No 0 points

31. Is deployment of the STMP really motivated more by a desire for control than for real security?
   ☐ Yes 2 points   ☐ No 0 points

32. Is the operation of the STMP strongly dependent on rules that only the good guys will follow? (For example, "don't bring thumb drives into the facility".)
   ☐ Yes 2 points   ☐ No 0 points

33. Is the effectiveness of the STMP thought to require keeping long-term secrets, or using manufacturing processes that can't be duplicated? ("Security by Obscurity" doesn't really work long-term because people and organizations can't keep secrets. See Manning and Snowden.)
   ☐ A lot 4 points   ☐ A little 2 points   ☐ Not at All 0 points

INTERPRETATION

Add up the total points for questions 1-33. If the sum is…

81-100: You have so much Theater going on that you ought to charge admission!
61-80: You're pretty heavy into Security Theater, but there's at least some Real Security.
41-60: This appears to be a mix of Security Theater and Real Security.
21-40: You apparently have more Real Security than Security Theater, but there's still plenty of nonsense going on!
0-20: Good job! There's likely still room for improvement, but you've got serious security!
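As an added example (not code from the original article or from Argonne), the scoring procedure above, transcribed into a small Python helper: the point values and interpretation bands are taken from the survey as printed; the option labels are compared case-insensitively, and the authors' "split the difference" instruction is implemented by accepting a pair of labels for a question and scoring their average. The function names and the worst/best-case helpers are this example's own design; the helpers also let you confirm that the maximum possible score is exactly 100, which is why the bands stop there.

```python
"""Scoring helper for the 33-question Security Theater survey above.

Added example: point values and bands are transcribed from the survey;
labels are matched case-insensitively; a pair of labels for one question
is scored as their average ("split the difference").
"""
from typing import Dict, Tuple, Union

Options = Tuple[Tuple[str, int], ...]
Answer = Union[str, Tuple[str, str]]


def _graded(a_lot: int, a_little: int) -> Options:
    return (("a lot", a_lot), ("a little", a_little), ("not at all", 0))


def _yes_is_bad(points: int) -> Options:
    return (("yes", points), ("no", 0))


def _no_is_bad(points: int) -> Options:
    # Questions where a "No" answer is the warning sign (Q11, Q12, Q14, Q18, Q29).
    return (("yes", 0), ("no", points))


SURVEY: Dict[int, Options] = {
    1: _graded(2, 1), 2: _yes_is_bad(2), 3: _yes_is_bad(2), 4: _yes_is_bad(2),
    5: _graded(5, 3), 6: _graded(5, 3), 7: _graded(6, 3), 8: _graded(3, 1),
    9: _graded(3, 1), 10: _yes_is_bad(3), 11: _no_is_bad(3), 12: _no_is_bad(2),
    13: _yes_is_bad(2), 14: _no_is_bad(2), 15: _yes_is_bad(2), 16: _yes_is_bad(3),
    17: _graded(3, 1), 18: _no_is_bad(2), 19: _yes_is_bad(3), 20: _yes_is_bad(2),
    21: _yes_is_bad(2),
    22: (("a lot", 0), ("a little", 1), ("not at all", 2)),
    23: (("no, weren't allowed to", 6), ("no", 4), ("yes", 0)),
    24: (("attacked emotionally", 7), ("attacked unemotionally", 4), ("ignored", 2),
         ("vaguely tolerated", 1), ("listened to but ignored", 1),
         ("enthusiastically listened to", 0)),
    25: (("yes, or vulnerabilities aren't considered at all", 3), ("no", 0)),
    26: _graded(3, 1), 27: _yes_is_bad(3),
    28: (("yes", 2), ("no", 0), ("there are no tamper detection mechanisms", 3)),
    29: _no_is_bad(3), 30: _yes_is_bad(3), 31: _yes_is_bad(2), 32: _yes_is_bad(2),
    33: _graded(4, 2),
}

# (lower bound, verdict), highest band first; a score falls in the first band it reaches.
BANDS = (
    (81, "You have so much Theater going on that you ought to charge admission!"),
    (61, "You're pretty heavy into Security Theater, but there's at least some Real Security."),
    (41, "This appears to be a mix of Security Theater and Real Security."),
    (21, "You apparently have more Real Security than Security Theater, but there's still plenty of nonsense going on!"),
    (0, "Good job! There's likely still room for improvement, but you've got serious security!"),
)


def _points(question: int, answer: Answer) -> float:
    table = dict(SURVEY[question])
    labels = answer if isinstance(answer, tuple) else (answer,)
    try:
        values = [table[label.lower()] for label in labels]
    except KeyError as exc:
        raise ValueError(f"question {question}: unknown option {exc}") from None
    return sum(values) / len(values)  # two labels: split the difference


def score(answers: Dict[int, Answer]) -> float:
    """Total points for a complete set of answers (raises if any question is missing)."""
    missing = sorted(set(SURVEY) - set(answers))
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    return sum(_points(q, answers[q]) for q in SURVEY)


def interpret(total: float) -> str:
    """Map a total to the article's interpretation band."""
    for floor, verdict in BANDS:
        if total >= floor:
            return verdict
    raise ValueError("score cannot be negative")


def max_score() -> int:
    """Highest total the survey can produce (the top of the 81-100 band)."""
    return sum(max(p for _, p in opts) for opts in SURVEY.values())


def worst_case() -> Dict[int, Answer]:
    """Answer set choosing the highest-scoring option for every question."""
    return {q: max(opts, key=lambda o: o[1])[0] for q, opts in SURVEY.items()}


def best_case() -> Dict[int, Answer]:
    """Answer set choosing the lowest-scoring option for every question."""
    return {q: min(opts, key=lambda o: o[1])[0] for q, opts in SURVEY.items()}


if __name__ == "__main__":
    # Constructed sample: mostly good answers, but no outside review (Q23)
    # and critics somewhere between "ignored" and "vaguely tolerated" (Q24).
    sample = best_case()
    sample[23] = "No"
    sample[24] = ("Ignored", "Vaguely Tolerated")
    total = score(sample)
    print(total, interpret(total))
```

The worst-case and best-case answer sets are useful as a sanity check on a transcription: if they do not come out at 100 and 0, a point value was copied wrongly, and the interpretation bands would no longer line up with the survey.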
COUNTERMEASURES TO SECURITY THEATER

Being alert for the presence of Security Theater, knowing its characteristic attributes, and applying common sense countermeasures can go a long way towards avoiding it. This survey might be a useful tool to at least get you thinking about some of these issues.

The countermeasures for avoiding Security Theater are relatively straightforward, and some are not much different from countermeasures for groupthink and cognitive dissonance. Perform legitimate (not "rubber stamp") vulnerability assessments and threat assessments early, often, and iteratively, not only after it is too late to make any changes. Focus on what the purpose is for the security technology/measure/program, and on the adversary's mindset and goals. Early on, invite independent, skeptical, and creative people to analyze your security. Appoint a devil's advocate if necessary. Don't let the enthusiasm for solving the security problems steamroll over the realities of the task. The people developing or promoting a given security technology/measure/program should not be the ones to decide whether to implement it. And don't automatically believe everything manufacturers and vendors say! Hold egos, hype, and boosterism in check. Talk (early!) to the end user and to the people (including low-level personnel) who will actually be doing the security in the field, and learn from them.

Always bear in mind that Security Theater is going to be seductive. It is easier, cheaper, and less painful than Real Security, and it takes a whole lot less thought.

DISCLAIMER

This submitted manuscript has been created by UChicago Argonne, LLC, Operator of Argonne National Laboratory ("Argonne"). Argonne, a U.S. Department of Energy Office of Science laboratory, is operated under Contract No. DE-AC02-06CH11357. The U.S. Government retains for itself, and others acting on its behalf, a paid-up nonexclusive, irrevocable worldwide license in said article to reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly, by or on behalf of the Government. The views expressed here are those of the authors and should not necessarily be ascribed to Argonne National Laboratory or the United States Department of Energy.