Some organizations have strict security policies, with processes and budgets in place to ensure that all devices, apps, networks and even the physical security perimeter are secure from threats. However, some organizations only go so far as to create the illusion that their assets are secure when in reality, they are not. This is called “security theater”: the practice of implementing superficial security measures for the purpose of achieving only the appearance of stronger or advanced security.

The term was first coined by computer security expert Bruce Schneier in 2003 and has since been applied to a wide range of security measures. Whereas genuine security processes can be measured against the probability of various risks (past attacks, known vulnerabilities, or data gathered from peers and the industry) and against how well equipped an organization is to handle them, security theater rests primarily on creating a psychological feeling or perception of safety.

Why Some Companies Choose Security Theater

IT security teams and security professionals are not purposely trying to deceive employees or make the organization more vulnerable. In reality, they may be doing the best they can with the limited resources they are given. For instance, the license for an important piece of authentication software might have lapsed and management refused to renew it. Employees might continue to believe that the authentication software is doing its job and protecting their devices and apps, but it is not.

“Security theater is the purposeful attempt to create more positive feelings of safety, even in the complete absence of implementing measures that actually improve safety,” explains Laura Fitzgibbons in TechTarget’s WhatIs.com glossary.

Unfortunately, the psychology of security theater measures can cut both ways. Even incomplete or unmonitored security measures, and the security professionals behind them, can still help to thwart the spread of unnecessary fear among employees. However, if employees know that their company isn’t doing the best it can to secure its assets, they could develop lower morale or a careless attitude toward the company’s cybersecurity.

Examples of Security Theater

Some examples of measures that are considered security theater rather than authentic security include the following:

Complex Passwords No One Can Remember

Password policies are nothing new, but forcing employees to constantly replace complex passwords with new ones will only lead to frustration and no discernible improvement in security. Employees might simply write them down on a sticky note attached to the PC or laptop, which itself poses a security risk. 

A better approach involves the organization reducing its reliance on passwords through mechanisms such as multifactor authentication and single sign-on. This requires more labor, and most likely, more technology investment.

Security Alert Fatigue

Employees face a barrage of certificate warnings, cookie permissions alerts, software install/update requests and privacy warnings on all of their devices. How many of these are truly necessary? 

“Many users aren’t that great at understanding these technical messages, let alone following their advice,” cautions Danny Bradbury in InfoSecurity magazine. “On the other hand, alerts make managers feel more secure because they can claim that they’ve given people fair warning. All of this needs a rethink.”

Training Overload

Forcing the learning and development department to create and deliver too much regular security training for every person will lead to boredom, confusion and even anger. Senior management might think that by providing constant training, employees will not only improve their security behaviors but that the organization is demonstrating greater concern about security. As with nonstop security alerts, employees will simply feel fatigued, especially if the training is across the board and one size fits all.

Some of these measures may have a slight benefit to security, but ultimately security theater measures are more about making a person, their managers and even the IT team itself feel better. “We human beings pride ourselves on our ability to reason, but the truth is we use our brains nine times out of ten to justify what our gut wants, not what is rational to do,” notes J.M. Porup, senior writer for CSO magazine. “In security this is fatal.”

How CapLinked Helps Investors

Document access, sharing and editing, especially for complex projects involving highly sensitive information, cannot rely on security theater measures to ensure privacy. Instead, secure document access for M&A and private equity needs a virtual deal room with security measures that go beyond those the organization usually relies on.

CapLinked has facilitated hundreds of transactions, helping bankers, lawyers, accountants, investors and company owners conduct due diligence and document review in a secure but accessible environment.

Start your free 14-day trial of CapLinked today!

Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, Jake covers such topics as security, mobility, e-commerce and IoT.

References:

TechTarget WhatIs.com – Security Theater

InfoSecurity – On With the Show: Examples of Cybersecurity Theater

CSO – 5 Examples of Security Theater and How To Spot Them

Security Trails – Security Theater: Are You Feeling Secure or Actually Being Secure?