
Security Theater, or Security Theatre in British English, has been mentioned in many posts on this site.

What does Security Theater mean?

What are some examples?

Is it the greatest threat to actual security?

NH.
  • See also: [Is a “security measure” that doesn't provide a security benefit actually harmful?](https://security.stackexchange.com/q/464/29865) – Ajedi32 Nov 21 '17 at 16:37
  • The tag offers explanations ... The tag was edited in 2011. You appear to have posted this just to answer it yourself. Your own answer duplicates much of what is in the tag description. – schroeder Dec 27 '17 at 23:55
  • @schroeder, the purpose of this is for a canonical post for an explained example. – NH. Dec 28 '17 at 00:07
  • Then edit the wiki and the tag? – schroeder Dec 28 '17 at 00:27
  • @schroeder, well if you want to close this as a duplicate of the tag wiki, be my guest. However, I don't think that is possible (especially not for me, I can't even cast close votes on my own stuff). – NH. Dec 28 '17 at 20:23

3 Answers

One good example of security theater (which has now been taken down, probably due to the ridicule) is Wells Fargo's page which does nothing but state that it is establishing a secure connection, etc.

An even better example that is rife with many instances of security theater is United's PIN and Password FAQs:

  • The section "Why can't I type my own security answers?" indicates that there is a pre-defined list of answers for the security questions. This results (as explained) from their narrow focus on the one threat that they think must be the most important: keyloggers. Thus, they present a theater of restriction on security answers (that don't need the keyboard), which are insecure in the first place due to social attacks.
  • The section on marketing use of security questions indicates that the answers to the security questions are encrypted. This is complete security theater since, as mentioned above, the answers are pre-defined. What could you possibly be protecting by encrypting them?

As security blogger Bruce Schneier explains, security theater, or perceived security, is not necessarily a threat to real security if it is in place on top of real security (for instance, if all data at that Wells Fargo page is actually transmitted over a secure connection) instead of replacing real security (such as if they displayed that animation on a page with HTTP components). Security Theater can even be helpful at times, such as the RFID tags Schneier mentions, which don't do a lot to stop intelligent criminals, but do set people's minds at ease about a threat that was minimal to begin with.

However, if people begin to rely too much on a façade of security (without the real security underlying it), Security Theater can be worse than useless, because users will reveal private information or perform other trusted actions that can be disastrous in the wrong hands.

NH.

Security Theater is any process or mechanism which makes users, developers, managers, or other stakeholders perceive a system as "more secure" without actually providing significant protection against any real threat. (Or worse, the "security measure" may actually decrease security by opening the system up to new attacks.)

Notable examples include security seals on websites, overly complicated password complexity requirements, and disabling pasting on password fields.

Ajedi32
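As an added illustration of the "overly complicated password complexity requirements" example (this is not code from the answer or from any site mentioned on this page), the following compares a checklist-style policy, which has a short maximum length, with a policy based on length and a deny-list of known-weak passwords. The deny-list and the sample passwords are constructed for the example.

```javascript
// Added example: two password policies side by side.
// "theater" policy: the familiar character-class checklist with a short maximum length.
// "substantive" policy: minimum length plus a deny-list of known-weak passwords.
// The deny-list below is a constructed sample, not a real breach corpus.
const KNOWN_WEAK = new Set([
  "password", "p@ssw0rd", "p@ssw0rd1!", "welcome1!", "qwerty123!", "summer2024!",
]);

// Checklist rules: 8-16 characters and one of each character class.
// The maximum length is the tell: it rejects long passphrases outright.
function theaterPolicy(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
  const lengthOk = pw.length >= 8 && pw.length <= 16;
  return lengthOk && classes.every((re) => re.test(pw));
}

// Substantive rules: at least 12 characters and not on the deny-list.
// No class requirements, so long passphrases are accepted.
function substantivePolicy(pw) {
  if (pw.length < 12) return false;
  return !KNOWN_WEAK.has(pw.toLowerCase());
}

// Rough entropy estimate in bits, assuming each character is drawn uniformly
// from the union of the character classes present (an upper bound on strength).
function estimateEntropyBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33;
  return pool === 0 ? 0 : Math.round(pw.length * Math.log2(pool));
}

// Verdicts of both policies for each candidate password.
function compare(candidates) {
  return candidates.map((pw) => ({
    pw,
    theater: theaterPolicy(pw),
    substantive: substantivePolicy(pw),
    bits: estimateEntropyBits(pw),
  }));
}

// Constructed candidates: a checklist-pleasing weak password and a long passphrase.
const SAMPLES = ["P@ssw0rd1!", "correct horse battery staple", "Tr0ub4dor&3"];
console.table(compare(SAMPLES));
```

The checklist policy accepts the deny-listed "P@ssw0rd1!" and rejects the 28-character passphrase, which is the inversion the answer calls theater.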

Security theater is a process that in some sense or another lets a person think it increases security while it actually doesn't (or at least not much).

An example might be the security checks at airports that have not yet stopped terrorists but make people perceive flying as safe.

This isn't a threat to security in itself; it can, though, lead to reducing the security that really helps (because, well, "one is already safe, why the hassle?").

Tobi Nary