• United States




Security is More Than a Feeling

Aug 01, 20063 mins
CSO and CISOData and Information SecurityIT Leadership

Where should real security take over for the appearance of security? How much of security is truly about protecting people, as opposed to making those same people feel safe?

By the appearance of security, I mean the use of CCTV cameras that aren’t really monitored or even connected, or the demand to use strong passwords for online transactions when the site isn’t on a secured server. This is an often-used and successful way to increase a general feeling of security. I would even argue that much of the security that has been put in place since 9/11 is really about making people feel more secure. The average person doesn’t want to hear about risk analyses and the low likelihood and difficulty of deterring, say, a terrorist incident. They want to feel that they are safe and secure. If we make everyone at least feel more secure, then aren’t we achieving at least some of what we have set out to accomplish?

One of the most obvious examples of this is in building security.

Gone are the days when one can just waltz into a high-rise and hop onto an elevator. The screening method du jour involves checking your photo ID at the lobby desk. Most security professionals would agree that checking an ID, when you cannot confirm the validity of that ID, is really quite useless. It is intended to make us feel more secure in our offices and in those we visit. But how about those facilities that, because of their nature, are targets for those who would do us harm? Where should the appearance of security leave off and real security take over?

Airports are another example. Since 9/11 the United States has put armed guards into our nation’s airports to prevent another 9/11-style terrorist attack. These actions would almost never prevent a hijacking, but they are intended to make us feel more secure when we travel. Some may argue that they are truly more of a reaction to terrorist attacks of the 1970s, ’80s and ’90s. (And think of the shooting at the El Al Terminal at LAX in 2002.) These moves are certainly a step in the right direction. But what else should we be doing to address airport security? One place to start could be the Transportation Security Administration’s efforts to look for signs of dangerous behavior among airport travelers. (See “Sharp Object Lessons,”, for more on that.)

At some high-profile buildings in New York—significant targets for all sorts of crime—one would expect to see a high level of real security screening and monitoring. There are cameras and guards and X-ray machines, but almost no one is stopped and subjected to further screening. Are they really screening these visitors or are they just trying to make the tourists feel more secure? Has security been placed on the back burner in order to facilitate the sale of souvenir photos and statues to tourists? Maybe. Is that appropriate? Maybe for them it is.

Security professionals practice risk assessments all the time. What is the likelihood of this incident happening? What would the impact of that event be? How much would it cost to mitigate the threat? Is it worth it, or do we just accept that there is always some level of risk inherent in whatever we do?

At the end of the day I have to ask that question again: “Where should real security take over for the appearance of security?” It’s a question not easily answered. And in some cases, I suspect, not being asked.