Coined by cybersecurity technologist Bruce Schneier in the early 2000s, “security theater” describes any security efforts that make one seem more secure but do very little to enhance security in the practical sense despite the costs associated with them. The concept is reliant upon the notion that security exists in two forms: the emotional feeling of being secure, and the quantifiable mathematical and scientific improvements that one can make to their protections.
For an example, let’s look to a personal anecdote that Schneier shared in a 2007 blog article.
In this article, Schneier shared an observation from his visit to the maternity ward after a friend’s child had just been born. The infant had been outfitted with an RFID tag bracelet, the purpose of which being cited as a preventative measure against infant theft.
However, at the time that Schneier visited the ward, infant abduction was remarkably rare.
This led Schneier to hypothesize that the bangles weren’t adopted as an actual security measure, but instead as a performance of security theater. By “protecting” an infant against “abduction,” the new parents could spend a few moments away from their baby without too much worry.
Let’s review the hospital anecdote. While they certainly weren’t free, the tags that were used to “track” the infants were available at an extraordinarily low cost. As a result, making the investment to mitigate an incredibly unlikely issue was considered more acceptable, because it improved the experience of the parents.
Schneier also cites an even more recognizable example: the tamper-resistant packaging that was introduced on over-the-counter medications in the 1980s. Poisonings were getting a lot of attention in the press at the time, and despite the statistical likelihood of an actual incident being so low and the tamper-resistant packaging not being all that tamper resistant, the impression it made was thoroughly positive.
This is because, in both cases, the performance of security theater helped to make the perceived threat level more in line with the actual threat level. Of course, while the benefits that security theater can offer are very real, so are the costs of putting on such a show.
Is Security Theater Worth the Price of Admission?
I want you to consider a very real potential outcome of these kinds of displays: what if the piece of security theater you invest your money in is actually making your real security measures less effective?
Consider what happened to Target in 2013. The company was hacked when their security teams overlooked the warning signs of a breach as they were buried in a deluge of other notifications. Let’s dive deeper into the threat of “overacting” in your security theater, starting with the situation that Target created.
Too Many Alerts
I want you to consider what happens when your company chat is a flurry of activities that ultimately don’t involve you. Eventually, you tune out the notifications to try and stay productive, right? The same thing happens with your security notifications if there are far too many of them that ultimately mean nothing. As a result, you and your team will gradually stop paying attention to them, allowing the actual threats to come in. Recruiting an MSP to assist you can help sort out these notifications, with the real threats attended to and interruptions minimized.
Too Many Password Changes
Password security is important, but believe it or not, there are some measures that are more counterproductive than anything else. Take, for instance, monthly password updates. With these requirements forced on them, your employees may resort to password patterns or keeping a written note of their password to keep track of them all. It is better to instead use a moderate password policy and supplement it with options like single-sign-on and multi-factor authentication (MFA).
Of course, passwords should be changed sometime down the line, but you have to be sure that you aren’t driving your employees into bad habits.
Insufficient User Awareness
One of the biggest reasons that user vulnerabilities are such a serious cybersecurity issue is because many users don’t know any better, as they were not effectively trained to respect cybersecurity policies. Rather than including their team in regular security-based training forums, many companies will instead devote an afternoon to a long, ineffective lecture.
SRS Networks has the means to close the gap between your security theater and your functional security. To learn more about the solutions we can offer, reach out to us today by calling (831) 758-3636.