
Friday, September 14, 2007

Beware of Security Theater

I've consulted at a lot of Fortune 500 companies, and I'm always amazed at the level of Security Theater that I see. Follow the link for a definition and commentary.

From Wikipedia:

Security theater has been defined as ostensible security measures which have little real influence on security whilst being publicly visible and designed to demonstrate to the lesser-informed that countermeasures have been considered. Security theater has been related to and has some similarities with superstition.

Let me provide a concrete example from a large financial institution:

When logging in to the mainframe, three failed password attempts lock your account.

Because the company can't really afford the downtime this causes (it happens all the time, and there are thousands of accounts), they built an automated phone response system that lets you unlock your account with your employee identification number.

See the fallacy? Instead of removing the restriction, or limiting it to something reasonable (20 attempts), they spent (swag numbers) low six figures on an automated system.

There is a concern, of course, about brute force attacks on the passwords, but that can be detected at a network layer, or even just through a report on failed attempts with timestamps.
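The "report on failed attempts with timestamps" is easy to make concrete. The following is an added example, not code from the original post: it parses a constructed failed-login log and flags two things a lockout-after-three policy hides, a single account hammered far past the 20-attempt mark the post calls reasonable, and a single source failing once against many different accounts. The log line format, the thresholds, the IP addresses and the user IDs are all assumptions made for this example; the two-typo user is included to show that ordinary mistakes stay under the threshold.

```python
"""Failed-login report over timestamped authentication records.

Added example (not from the original post). The record format
"<ISO timestamp> FAIL user=<id> src=<ip>" and all sample data below are
constructed for illustration; real mainframe or syslog formats differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text):
    """Return a time-sorted list of (timestamp, user, source) for each FAIL record."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not failed-login records
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    events.sort()
    return events


def account_bursts(events, threshold=20, window=timedelta(minutes=10)):
    """Accounts that accumulate >= threshold failures inside any sliding window.

    Returns {user: peak_failures_in_window}. The default threshold mirrors the
    "20 attempts" the post suggests instead of a 3-strike lockout.
    """
    flagged = {}
    per_user = defaultdict(deque)
    for ts, user, _src in events:
        q = per_user[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


def spraying_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources that fail against >= min_accounts distinct accounts inside a window.

    Per-account lockouts never fire on this pattern because each account only
    sees one or two failures; the per-source view catches it.
    Returns {source: peak_distinct_accounts_in_window}.
    """
    flagged = {}
    per_src = defaultdict(deque)  # deque of (timestamp, user)
    for ts, user, src in events:
        q = per_src[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_accounts:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def constructed_log():
    """Build the sample log: one honest typist, one hammered account, one sprayer."""
    base = datetime(2007, 9, 14, 8, 0, 0)
    lines = []
    # A legitimate user mistypes twice (one more and a 3-strike policy locks them out).
    lines.append(f"{base.isoformat()} FAIL user=jdoe src=10.1.1.5")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} FAIL user=jdoe src=10.1.1.5")
    # One source fails 25 times against one account in about two minutes.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} FAIL user=admin1 src=192.0.2.10")
    # One source fails once against each of six different accounts.
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} FAIL user=acct{i:02d} src=198.51.100.7")
    return "\n".join(lines)


def report(log_text):
    """Run both detections and return them as one dict, ready to print or ship."""
    events = parse(log_text)
    return {
        "account_bursts": account_bursts(events),
        "spraying_sources": spraying_sources(events),
    }


if __name__ == "__main__":
    for section, hits in report(constructed_log()).items():
        print(section)
        for key, count in sorted(hits.items()):
            print(f"  {key}: {count}")
```

Nothing here locks anyone out; it produces the report the post describes, so the honest typist keeps working while the two real bursts land in front of someone who can act on them.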

The best part is that the users became so desensitized to password lockouts that they did not consider them suspicious in any way, and would merrily dial in and unlock their accounts without notifying anyone.

So, the so-called "security measures" actually reduced the overall level of security in the organization. Not good.

This is a specific example, but there are many that I can cite; I'm sure that your organization has its fair share, too.
