When looking at security practices across many industries, one of the most widespread yet ineffective approaches is to establish poor mechanisms that are visible to larger numbers of people instead of establishing more effective mechanisms that are visible to fewer people. One of the most widely known examples of this practice is the TSA spending $14.7 billion on passenger screening compared to the $100 million spent on securing the cockpit doors in planes (Anderson, 2001). Bruce Schneier has coined the term “Security Theater” to describe a situation where the security is designed to produce a feeling of security rather than a reality (Anderson, 2001).
Another example is the security theater employed by most banking branches. The bank employs security measures at the public-facing access points that give the customers the feeling that the bank is securing their money, when in reality the measures employed in the physical centers are actually weak and do not really have much physical security preventing theft (Anderson, 2001).
As security theater becomes more common, the large costs of this ineffective security become an excuse for executives or government officials with decision-making authority to rationalize not expanding cybersecurity spending or, at the other extreme, to assert a need to militarize control over a vector or sector. In this context security theater poses an even greater threat: it becomes a seemingly logical reason to reduce or abandon spending on security, when the point of security theater was never to secure a given perimeter in the first place. This gap between perception and reality, in the absence of a universally recognized framework, creates a major problem in which a lack of information leads to incorrect conclusions being drawn from datasets that can be interpreted in multiple ways.
Whether security theater provides a false sense of security depends on the actual security infrastructure that exists in a given perimeter. Ultimately, the perception of a hardened perimeter by users who are not security professionals has no correlation to the actual security fitness. Given this disconnect, security theater has more to do with comforting the customer or user than with securing a perimeter. Where a perimeter is properly secured, there is no visible activity, and so nothing indicates to a customer that the securing party is “doing” anything. Since a layperson does not understand the complexities of securing a given infrastructure, they are not equipped to judge whether it is secure, yet they still need indicators of security that they can understand in order to trust a given organization with their property or data. This only contradicts actual security when the mechanisms that create the perception of security conflict with the mechanisms that actually secure the perimeter.
While security specialists understand the costs and implications of what could happen in the absence of proper security measures, non-specialists within organizations tend to understand only the monetary aspects of these systems. Even worse, it is extremely difficult to describe the worst-case scenario, in which an organization loses significant sums of money or has its reputation damaged irreversibly, without sounding like fear-mongering for the sake of winning a contract.
On the one hand, it is the security analyst’s job to come up with the worst-case scenario and to understand the major risks and threats to an organization. On the other hand, the specialist tends to be the only individual within an organization who truly understands the complexities and long-term implications of the threats facing the company. This quandary means that security fitness is ultimately determined by the security lead’s capacity to communicate with the decision-makers who control capital, so that security is not deployed as a way to make people feel secure but is instead a sound security infrastructure.
In very few cases do people actually need to use the entire Internet for their job. While some exceptions exist, most jobs simply do not require access to every website that exists. In that context, blacklisting every website that is not useful to a worker would be an impossible task, whereas whitelisting the sites that people need to use is a far more practical alternative. If workers bring their own devices to the organization, enforcing such a whitelist would likely be impossible, but it would be necessary in an organization where the company owns all the computers.
When such a large portion of the Internet is dedicated to pornography, an organization in modern times serves itself best by limiting access to only the sites that are absolutely necessary. Social media is a threat for many reasons, the most basic being that it is a waste of time unless it specifically benefits the organization. In the wake of the Cambridge Analytica/Facebook fallout, organizations should create policies that allow social media access only when absolutely necessary, as the associated risks are too high to be complacent about employee social media use on company computers (Cadwalladr & Graham-Harrison, 2018).
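A default-deny site whitelist of the kind described above, written as an added example (not from the essay or any particular product). The allowlist, the hostnames and the proxy log lines are constructed for illustration; the point it shows is that the decision must be made on the parsed, normalized hostname, so that lookalike domains and user-info tricks in the URL do not slip past the check.

```python
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical organization: only hosts a worker needs.
ALLOWED_HOSTS = {
    "intranet.example.com",
    "mail.example.com",
    "docs.vendor.example",
}

# Constructed proxy log lines in the form "<user> <url>" (not real traffic).
CONSTRUCTED_LOG = [
    "alice https://intranet.example.com/timesheet",
    "bob https://wiki.intranet.example.com:8443/page",
    "carol https://intranet.example.com.evil.example/login",
    "dave http://intranet.example.com@evil.example/",
    "erin https://social.example/feed",
]


def normalize_host(url: str) -> str:
    """Return the lowercase hostname a proxy would actually connect to.

    urlsplit() discards user-info ("user@") and the port, and hostname is
    already lowercased; a trailing dot (absolute FQDN) is stripped as well.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def is_allowed(url: str, allowlist=ALLOWED_HOSTS) -> bool:
    """Default-deny: permit an exact allowlisted host or a true subdomain of one.

    Matching on ".<allowed>" as a suffix (not a substring) rejects lookalikes
    such as intranet.example.com.evil.example and notintranet.example.com.
    """
    host = normalize_host(url)
    if not host:
        return False
    return any(host == a or host.endswith("." + a) for a in allowlist)


def audit(lines, allowlist=ALLOWED_HOSTS):
    """Classify log lines into allowed and denied hostnames for review."""
    allowed, denied = [], []
    for line in lines:
        user, _, url = line.partition(" ")
        host = normalize_host(url)
        (allowed if is_allowed(url, allowlist) else denied).append((user, host))
    return allowed, denied
```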
Anderson, R. (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. New York: John Wiley & Sons, Inc.
Cadwalladr, C., & Graham-Harrison, E. (2018). Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach. The Guardian, 17, 22.