Security theatre is the carrying out of actions which are designed to look as if they improve security whilst at the same time there is little improvement, or possibly even a loss of security through those actions. The term was coined by Bruce Schneier for his book Beyond Fear but has gained currency in security circles as a good term for a very common phenomenon and in particular for describing airport security measures¹ and by experts such as Edward Felten to describe the security measures imposed after the September 11, 2001 attacks on the World Trade Center². Security theatre gains importance both by satisfying and exploiting the gap between perceived risk and actual risk.

Definition of security theatre

Security theatre has been clearly defined as ostensible security measures which have little real influence on security whilst being publicly visible and designed to show that action is taken place. Security theatre has been related to and has some similarities with superstition.

Disadvantages of security theatre

Almost all issues in security are related to money and cost. Implementing security measures, even ineffective ones costs money. This money could be used for other purposes including, but not limited to effective security measures.

Security theatre can, in its self induce fear in those it is supposed to be protecting. People who had considered the activity they are indulging in may come to believe that it must be dangerous if they meet armed guards or see visible security measures which "prove" that those in authority believe that there is a real risk. Some air passengers have refused to fly after such incidents as the handcuffing of two women for "illegally" going to the toilet within the last half hour of flight; ironically this is likely to increase risk since the likely alternative, car travel, is more dangerous than air travel³.

Benefits of security theatre

Whilst it may seem that security theatre must always cause loss, there may actually be benefits, at least in a localised situation. This is because perception of security is sometimes more important than security its self. If the potential victims of an attack feel protected and feel safer then they may carry on their business which would otherwise not take place. On the other hand, if the potential attackers do not realise that the security measures in place are ineffective, they may in fact desist from attacking a target they would otherwise have attacked. In other words, there can be psychological benefits. Critics of some such schemes such as Schneier and the ACLU have pointed out, however, that these benefits are temporary and illusionary since, after such security measures inevitably fail, not only is the feeling of insecurity increased, but also loss of believe in the competence of those responsible for security ensues.

Examples of security theatre

It is inherently difficult to give examples of security theatre which are clear and uncontroversial. This difficulty is due to the fact that once it is agreed by all that a measure is ineffective, the measure seldom has any noticeable influence on perceived risk. As such these examples aim to give a broad range of things which could be considered by many as security theatre.

• Ancient Celts guarded their babies against fairies the threat of the evil eye by pinning luckenbooth brooch on their blankets[1] (http://www.celtarts.com/WEDDING/jewelry_is_an_excellent_way_to_e.htm). This must have been effective given the low number of documented fairy attacks.
• The American government has introduced a screening system called CAPPS. This system relies on static screening of passenger profiles to chose which people should be searched. This has been shown to actually reduce the effectiveness of searching below that of random searches since terrorists can test the system and use those who are searched least often for their operations.
• Biometric measurements are being introduced in many systems such as the ID Cards in the UK. All currently available biometric systems have been shown to be easy to mislead; further, it has been shown that having false biometric data matching a false identity is no more difficult than having a normal false identity.

Avoiding security theatre

Many security experts believe that avoiding security theatre is a desirable goal. They claim that by training people in risk acceptance and by educating people in the real risk levels of the activities they are involved in, security theatre and the waste associated with it could be made to go away. Needless to say, this would be a fairly large task.

An alternative and important approach would be for those in charge of security to attempt to the best of their ability to explain and be honest about security risks. This method may be considered difficult since those who are responsible for making decisions about risk may fear that their own words will be used against them, for example in lawsuits.

Notes

1. more on TSA Says It Can Decide Who Can Learn (http://www.interesting-people.org/archives/interesting-people/200410/msg00215.html), David Farber, Sun, 24 Oct 2004, Interesting People mailing list http://www.interesting-people.org/archives/interesting-people/200410/msg00215.html.
2. Security Theater, Secrecy and Hidden "Laws" (http://weblog.siliconvalley.com/column/dangillmor/archives/010816.shtml#010816), Dan Gillmor, September 21, 2004, http://weblog.siliconvalley.com/column/dangillmor/archives/010816.shtml#010816
3. ĘGIS e-journal Volume 6 Number 12 (http://www.lubrinco.com/ejournal/ej200312.pdf)], December 2003, Page 13 http://www.lubrinco.com/ejournal/ej200312.pdf

External links

• Crypt-o-gram, Bruce Schneier's newsletter (http://www.schneier.com/crypto-gram.html)
• stupidsecurity.com a site highlighting inefficient security measures (http://stupidsecurity.com/)