In Praise of Security Theater
By Bruce Schneier
While visiting some friends and their new baby in the hospital last week, I noticed an interesting bit of security. To prevent infant abduction, all babies had RFID tags attached to their ankles by a bracelet. There are sensors on the doors to the maternity ward, and if a baby passes through, an alarm goes off.
Infant abduction is rare, but still a risk. In the last 22 years, about 233 such abductions have occurred in the United States. About 4 million babies are born each year, which means that a baby has a 1-in-375,000 chance of being abducted. Compare this with the infant mortality rate in the U.S. -- one in 145 -- and it becomes clear where the real risks are.
And the 1-in-375,000 chance is not today's risk. Infant abduction rates have plummeted in recent years, mostly due to education programs at hospitals.
So why are hospitals bothering with RFID bracelets? I think they're primarily to reassure the mothers. Many times during my friends' stay at the hospital the doctors had to take the baby away for this or that test. Millions of years of evolution have forged a strong bond between new parents and new baby; the RFID bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.
Security is both a reality and a feeling. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We know the infant abduction rates and how well the bracelets reduce those rates. We also know the cost of the bracelets, and can thus calculate whether they're a cost-effective security measure or not. But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don't feel secure, and you can feel secure even though you're not really secure.
The RFID bracelets are what I've come to call security theater: security primarily designed to make you feel more secure. I've regularly maligned security theater as a waste, but it's not always, and not entirely, so.
It's only a waste if you consider the reality of security exclusively. There are times when people feel less secure than they actually are. In those cases -- like with mothers and the threat of baby abduction -- a palliative countermeasure that primarily increases the feeling of security is just what the doctor ordered.
Tamper-resistant packaging for over-the-counter drugs started to appear in the '80s, in response to some highly publicized poisonings. As a countermeasure, it's largely security theater. It's easy to poison many foods and over-the-counter medicines right through the seal -- with a syringe, for example -- or to open and replace the seal well enough that an unwary consumer won't detect it. But in the '80s, there was a widespread fear of random poisonings in over-the-counter medicines, and tamper-resistant packaging brought people's perceptions of the risk more in line with the actual risk: minimal.
Much of the post-9/11 security can be explained by this as well. I've often talked about the National Guard troops in airports right after the terrorist attacks, and the fact that they had no bullets in their guns. As a security countermeasure, it made little sense for them to be there. They didn't have the training necessary to improve security at the checkpoints, or even to be another useful pair of eyes. But to reassure a jittery public that it's OK to fly, it was probably the right thing to do.
Security theater also addresses the ancillary risk of lawsuits. Lawsuits are ultimately decided by juries, or settled because of the threat of jury trial, and juries are going to decide cases based on their feelings as well as the facts. It's not enough for a hospital to point to infant abduction rates and rightly claim that RFID bracelets aren't worth it; the other side is going to put a weeping mother on the stand and make an emotional argument. In these cases, security theater provides real security against the legal threat.
Like real security, security theater has a cost. It can cost money, time, concentration, freedoms and so on. It can come at the cost of reducing the things we can do. Most of the time security theater is a bad trade-off, because the costs far outweigh the benefits. But there are instances when a little bit of security theater makes sense.
We make smart security trade-offs -- and by this I mean trade-offs for genuine security -- when our feeling of security closely matches the reality. When the two are out of alignment, we get security wrong. Security theater is no substitute for security reality, but, used correctly, security theater can be a way of raising our feeling of security so that it more closely matches the reality of security. It makes us feel more secure handing our babies off to doctors and nurses, buying over-the-counter medicines and flying on airplanes -- closer to how secure we should feel if we had all the facts and did the math correctly.
Of course, too much security theater and our feeling of security becomes greater than the reality, which is also bad. And others -- politicians, corporations and so on -- can use security theater to make us feel more secure without doing the hard work of actually making us secure. That's the usual way security theater is used, and why I so often malign it.
But to write off security theater completely is to ignore the feeling of security. And as long as people are involved with security trade-offs, that's never going to work.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.