During HiTB Dubai (2008) I attended Bruce Schneier's keynote speech based on his "The Feeling and Reality of Security" post. The fundamental premise is, "You can feel secure even though you're not, and you can be secure even though you don't feel it." Most of the time in the infosec industry we're transfixed on which activities truly make things more secure, and we tend to ignore or ridicule whatever only provides the feeling of security, commonly known as "security theater". We argue over which solutions should fall into which bucket.
There was a particular point in Bruce's speech that piqued my interest: there really is value in learning how to create good security theater. For example, most of us are familiar with the comedy that is airport security. By all measurable factors, flying is much safer than other forms of transportation such as driving, but we expect certain precautions to be taken even though they really don't reduce the risk. So we consent to metal detector searches, X-rays, pat downs, shoe and laptop removal, ID checkpoints, etc., because if we didn't, the general public would not "feel" safe enough to fly.
As I was discussing with Bruce over lunch afterwards, security theater does in fact add a lot of value to the business and the consumer by helping people make the right risk decisions, albeit for the wrong reasons. People will feel safe enough, even though they are not, and go about their daily lives. I wasn't expecting Bruce to agree with this characterization, but he did. This was further reinforced by another example he gave: tamper-proof bottle caps.
Apparently some time ago there was an incident where pill bottles were secretly opened, poisoned, and placed back on the store shelf. People died and a lot of news coverage resulted (because it was rare), causing a state of fear. While the odds of anyone meeting an untimely death in this way are astronomically low, people stayed away because they no longer felt safe, and sales dropped. Something had to be done.
To combat the situation the bottle manufacturers introduced something called the tamper-proof cap. The way it was marketed, because they now had this new innovative secure design, this type of thing could never happen again. Despite a number of ways the tamper-proof cap could be defeated, a syringe being one, people felt safe and went back to buying even though "real" security did not change. Amazing.
I then began to think about what really makes for good security theater. Can a generic strategy or methodology be developed? We need something describing the fundamental aspects that must be in place to influence people to feel safe while, behind the scenes, we go about implementing the truly effective solutions. Something like the 7 strategies of effective security theater. Maybe this has already been written and I just missed it. If so, let me know. If not, we should be aware of and familiar with these techniques, as it might make us more valuable overall.