Bruce Schneier's latest Crypto-Gram has a thought-provoking story:
The other week I visited the corporate headquarters of a large financial institution on Wall Street; let's call them FinCorp. FinCorp had pretty elaborate building security. Everyone — employees and visitors — had to have their bags X-rayed.
Seemed silly to me, but I played along. There was a single guard watching the X-ray machine's monitor, and a line of people putting their bags onto the machine. The people themselves weren't searched at all. Even worse, no guard was watching the people. So when I walked with everyone else in line and just didn't put my bag onto the machine, no one noticed.
It was all good fun, and I very much enjoyed describing this to FinCorp's VP of Corporate Security. He explained to me that he got a $5 million rate reduction from his insurance company by installing that X-ray machine and having some dogs sniff around the building a couple of times a week.
I thought the building's security was a waste of money. It was actually a source of corporate profit.
The point of this story is one that I've made in “Beyond Fear” and many other places: security decisions are often made for non-security reasons. When you encounter a security risk that people worry about inordinately, a security countermeasure that doesn't counter the threat, or any security decision that makes no sense, you need to understand more of the context behind the decision. What is the agenda of the person who made the decision? What are the non-security considerations around the decision? Security decisions make sense, as long as you understand them properly.
There's loads more good stuff in Bruce's latest newsletter, by the way.
Actually, our Defender of the Homeland, Tom Ridge, more or less admitted the whole thing was just theater. Denying that his recent terror warnings were politically motivated, Ridge said, “Our goal is to deter any potential attack with multiple layers of security.”
Note his word choice. He didn’t say “prevent,” “intercept,” “disrupt,” or even (pessimistically) “attempt to stop” any terrorist attack. His goal is to “deter.” From the perspective of deterrence, theater is more important than reality. A million undercover officers aren’t going to scare away any attacks if Al Qaeda doesn’t know about them. For Ridge’s purposes, the more noise and the weirder the defenses the better. He apparently wants to confuse terrorists enough that they won’t know if they have to dodge metal detectors, dogs, random searches, hidden cameras, sleeping security guards, or nothing at all. It’s apparently an application of the principle that you can’t be outwitted if you aren’t using your wits.
It’s not perverse. It’s common sense.
Many, but not all, criminals are just plain lazy. As are some terrorists. Sometimes, the mere appearance of security does deter an attack. A good crook takes the path of least resistance.
That’s why statistics show that an alarm sticker on your window is as effective as an actual alarm system. A barking poodle is as effective a deterrent as a German shepherd. It’s simply a hassle the burglar would just as soon avoid, so he moves on to the next house to rob.
A sophisticated thief can pick the locks of your home, but you still lock your doors, don’t you?
So given a choice, despite Bruce’s chuckle, why would a terrorist or thief take a chance on that building when the one right across the street has no security?