[psysec] psychological deterrence, security by obscurity and security theater.
Gadi Evron
ge at linuxbox.org
Tue May 5 17:36:10 UTC 2009
About a year ago I wrote an article about "Security Theater" together
with a friend, Imri Goldberg, which shows a case study where security
theater in fact works and prevents and/or mitigates suicide bombing
attacks in Israel. It is based on the idea of psychological deterrence
and how an attacker reacts to opposition.
What's security theater?
In security we have a concept called Security by Obscurity. It is
self-explanatory. You obscure something to make it less of a target.
Mostly by making sure people are not aware your security process exists,
or hiding knowledge about the system.
Security by obscurity can be confused by many with secrecy, but while
similar, they are not exactly the same. Security by obscurity for
example can be used as a strong tool for an attacker, to hide in the crowd.
In the industry security by obscurity is often laughed at as useless as
many who employ it simply have no security to speak of. But the fact is,
it can be a useful part of the overall strategy.
In the last few years new terminology emerged called Security Theater,
which discusses how some security measures are fake, and built only to
make the people who see them feel safe (think TSA in the States).
Below is the case study I discussed above. I'd be happy for any opinion
and input on this subject matter as I find it an important part of the
security strategic process, which today is lacking in most places.
-----
Sometimes, Security Theater Really Works
By Gadi Evron and Imri Goldberg
http://www.csoonline.com/article/468569/Sometimes_Security_Theater_Really_Works
(URL may break, so: http://tinyurl.com/5u2qmq)
Security theater isn't necessarily as ineffective as the security
community believes. In Israel, there is a guard at the entrance to every
store. The guard isn't very useful to stop an attacker, and yet in
several cases the guards' presence does make a difference, often at the
cost of their lives.
..
..
-----
--
Gadi Evron,
ge at linuxbox.org.
Blog: http://gevron.livejournal.com/
Security blog: http://gadievron.blogspot.com/