First

appeared in Security Magazine, September 2013, http://www.securitymagazine.com/articles/84691-is-your-program-security-theater

But is it Security Theater? Roger G. Johnston, Ph.D., CPP and Jon S. Warner, Ph.D. Vulnerability Assessment Team, Argonne National Laboratory http://www.ne.anl.gov/capabilities/vat INTRODUCTION Security guru Bruce Schneier coined the term Security Theater to describe phony security measures, procedures, or technologies that give the superficial appearance of providing security without actually countering malicious adversaries to any significant degree. As an example, much of the activities undertaken by airport screeners have been characterized by some as little more than Security Theater. As vulnerability assessors, we frequently find Security Theater across a wide range of different physical security and nuclear safeguards devices, systems, and programs. Its important to realize, however, that Security Theater is not automatically a bad thing. It can present the appearance (false though it may be) of a hardened target to potential adversaries, thus potentially discouraging an attack (at least for a while). Security Theater can reassure the public while more effective measures are under development, and help encourage employees and the public to stay focused on security. In nuclear treaty monitoring, Security Theater can provide an excuse to get inspectors inside nuclear facilities where their informal observations and interactions with host facility personnel can be of great value to disarmament, nonproliferation, and international cooperation. The real problem occurs when Security Theater is not ultimately recognized as such by security officials or the public, or creates cynicism about security, or stands in the way of Real Security, or wastes resources and energy, or is actually preferred over Real Security (because it is usually easier and less painful).

HOW TO TELL SECURITY THEATER FROM THE REAL THING The best way to determine if a given security technology, measure, or program (STMP) is primarily Security Theater is to conduct comprehensive vulnerability assessments and threat assessments to determine how easily the STMP can be defeated, and what threats and attacks it might have to stand up to. But this can be time consuming and expensive. In our experience, STMPs that eventually prove to be very easy to defeat and/or not particularly effectiveto the point of being Security Theateralmost always exhibit certain common attributes. In fact, we can use these attributes to predict fairly reliably how easy it will be for us as vulnerability assessors to demonstrate multiple successful and simple attacks, even before beginning the vulnerability assessment. 1

As a public service, we offer the following survey that you can take to determine how likely it is that your security technology, measure, or program (STMP) is Security Theater. This survey is about as scientific as a hows your love life? survey in a teen magazine, but we think it may nevertheless have some value. The survey questions being asked, along with our comments associated with some of the questions can at least help suggest warning signs and countermeasures for Security Theater. Add up your total points for all 33 survey questions and then see the interpretation for your score below. (If youre between 2 choices on any question, split the difference on the points.)
1. Is the security application quite complex and/or challenging? A lot 2 points A little 1 point Not at All 0 points 2. Is (or was) there great urgency from anywhere to get something out in the field or in the marketplace? Yes 2 points No 0 points 3. Has substantial time, funding, and political capital already been spent developing, promoting, or analyzing the security technology, measure, or program (STMP)? Yes 2 points No 0 points 4. Is there a great deal of bureaucratic, political, or marketing momentum behind the STMP, or a strong push from bureaucrats, a committee, or senior non-security managers? Yes 2 points No 0 points 5. Is there considerable excitement, exuberance, pride, ego, and/or strong emotions associated with the proposed (or fielded) STMP? A lot 5 points A little 3 points Not at All 0 points 6. Is the STMP viewed with great confidence, arrogance, and/or characterized as impossible to defeat, tamper proof, etc.? (Effective security is very difficult to achieve. Generally, if developers, promoters, and end users of a given security approach or product have carefully considered the real-world security issues, they will not be in such a confident mood. Fear is, in fact, a good indicator of a realistic mindset when it comes to security.) A lot 5 points A little 3 points Not at All 0 points 7. Does the STMP in question have a feel good aura or make people quite comfortable with their security risk? (In general, Real Security doesnt make people feel better, it makes them feel worse. This is because it is almost always more expensive, time-consuming, and painful than Security Theater. Moreover, when security is carefully thought-throughas Real Security must bethe difficulty of the task, the unknowns, and the knowledge of the unmitigated vulnerabilities will cause alarm. If youre not running scared, you probably have bad security or a bad security product.) A lot 6 points A little 3 points Not at All 0 points

8. Do the promoters and developers of the technology or the STMP earnestlyeven desperatelywant it to solve the security problems at hand, and/or are they highly idealistic? (Strong desires to achieve a valuable goal can sometimes lead to wishful thinking.) A lot 3 points A little 1 point Not at All 0 points 9. Is the STMP a pet technology of the promoters and developers, and/or not chosen from among many candidates via careful analysis? A lot 3 points A little 1 point Not at All 0 points 10. Do the people or organization promoting or deciding on the STMP have a conflict of interest (financial, psychological, collegial, or political), or are they at least unable to objectively evaluate it, and/or are they overly enthusiastic/optimistic? Yes 3 points No 0 points 11. Do the people developing or promoting the STMP have significant real-world security experience (not just experience as bureaucrats or experience developing security technology)? Yes 0 points No 3 points 12. Has the person who ultimately decides to field the STMP ever seen a new security technology that they didnt like, or have they ever found fault with their own security or (publicly) with their employer? Yes 0 points No 2 points 13. Is the person who ultimately decides that the STMP should be deployed often thought of as nave, a bureaucrat, or less than astute, and/or did they get most of their information about STMP from promoters and vendors? Yes 2 points No 0 points 14. Do the people promoting, deploying, or choosing the STMP substantially understand the technology or security strategy? Yes 0 points No 2 points 15. Are the people promoting or deciding on the STMP mostly non-technical and/or limited in their understanding of real-world security? Yes 2 points No 0 points 16. Are the people developing the STMP mostly engineers? (In our experience, the mindset, culture, and practices that make one good at engineering arent optimal for thinking like the bad guys.) Yes 3 points No 0 points 17. Does the STMP rely primarily on complexity, advanced technology, the latest technological fad, and/or multiple layers? (High technology does not equal high security, and layered security isnt always better.) A lot 3 points A little 1 point Not at All 0 points

18. Do the people using the STMP on the front lines substantially understand the technology or security strategy? Yes 0 points No 2 points 19. Are the use protocols, training materials, and manuals for the STMP non-existent, vague, poorly written, or illconceived, and/or is the terminology sloppy or misleading? Yes 3 points No 0 points 20. Is the STMP complicated or difficult to use? Yes 2 points No 0 points 21. Was the STMP forced on the end users from superiors? Yes 2 points No 0 points 22. Have the end users of the STMP ever been consulted about it? (These are people who understand the real-world implementation issues, and are the ones who will have to make the STMP actually work). A lot 0 points A little 1 point Not at All 2 points 23. Have vulnerability assessors, hacker types, devils advocates, question askers, or creative independent outsiders closely analyzed the STMP? No, Werent Allowed to 6 points No 4 points Yes 0 points 24. If anybody questioned/questions the efficacy of the STMP, or raises concerns were/are they (choose one) Attacked Emotionally 7 points Attacked Unemotionally 4 points Ignored 2 points Vaguely Tolerated 1 point Listened to but Ignored 1 point Enthusiastically Listened to 0 points 25. Are vulnerabilities only considered, and vulnerability assessors only involved, after the development of the STMP has been completed or nearly completed? (At this point, it is usually too difficult to make necessary changes to improve the security for economic, political, timeliness, inertia, or psychological reasons). Yes, or Vulnerabilities Arent Considered at All 3 points No 0 points 26. Does the STMP involve new technology piled on existing STMP in hopes of getting better security, but without actually addressing the Achilles heel of the old STMP? A lot 3 points A little 1 point Not at All 0 points 27. Do considerations of security focus mainly on software, firmware, or cyber attacks, largely ignoring physical security? Yes 3 points No 0 points

 28. Is the main tamper detection mechanismif there even is onea mechanical tamper switch, a light sensor, or an adhesive label seal? (This is approximately the same, in our experience, as having no tamper detection at all.) Yes 2 points No 0 points There are no tamper detection mechanisms 3 points 29. Is the STMP directed against a specific, well-defined adversary with well-defined resources? Yes 0 points No 3 points 30. Is the STMP dominated by the desire to address security compliance, rather than true security? (Compliancebased security is a particularly pernicious type of Security Theater.) Yes 3 points No 0 points 31. Is deployment of the STMP really motivated more by a desire for control than for real security? Yes 2 points No 0 points 32. Is the operation of the STMP strongly dependent on rules that only the good guys will follow? (For example, dont bring thumb drives into the facility.) Yes 2 points No 0 points 33. Is the effectiveness of the STMP thought to require keeping long-term secrets, or using manufacturing processes that cant be duplicated? (Security by Obscurity doesnt really work long-term because people and organizations cant keep secrets. See Manning and Snowden.) A lot 4 points A little 2 points Not at All 0 points

INTERPRETATION Add up the total points for questions 1-33. If the sum is 81-100 then: You have so much Theater going on that you ought to charge admission! 61-80 then: Youre pretty heavy into Security Theater, but theres at least some Real Security. 41-60 then: This appears to be a mix of Security Theater and Real Security. 21-40 then: You apparently have more Real Security than Security Theater, but theres still plenty of nonsense going on! 0-20 then: Good job! Theres likely still room for improvement but youve got serious security!

COUNTERMEASURES TO SECURITY THEATER Being alert for the presence of Security Theater, knowing its characteristic attributes, and applying common sense countermeasures can go a long way towards avoiding it. This survey might be a useful tool to at least get you thinking about some of these issues. The countermeasures for avoiding Security Theater are relatively straightforward, and some are not much different from countermeasures for groupthink and cognitive dissonance. Perform legitimate (not rubber stamp) vulnerability assessments and threat assessments early, often, and iterativelynot only after it is too late to make any changes. Focus on what the purpose is for the security technology/measure/program, and on the adversarys mindset and goals. Early on, invite independent, skeptical, and creative people to analyze your security. Appoint a devils advocate if necessary. Dont let the enthusiasm for solving the security problems steamroll over the realities of the task. The people developing or promoting a given security technology/measure/program should not be the ones to decide whether to implement it. And dont automatically believe everything manufacturers and vendors say! Hold egos, hype, and boosterism in check. Talk (early!) to the end user and to the people (including low level personnel) who will actually be doing the security in the field, and learn from them. Always bear in mind that Security Theater is going to be seductive. It is easier, cheaper, and less painful than Real Security, and it takes a whole lot less thought.

DISCLAIMER This submitted manuscript has been created by UChicago Argonne, LLC, Operator of Argonne National Laboratory (Argonne). Argonne, a U.S. Department of Energy Office of Science laboratory, is operated under Contract No. DE-AC02-06CH11357. The U.S. Government retains for itself, and others acting on its behalf, a paid-up nonexclusive, irrevocable worldwide license in said article to reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly, by or on behalf of the Government. The views expressed here are those of the authors and should not necessarily be ascribed to Argonne National Laboratory or the United States Department of Energy.