Friday, July 16, 2004

Security Vs. "Security"

Bruce Schneier relates a parable about the value of security measures:
The other week I visited the corporate headquarters of a large financial institution on Wall Street; let's call them FinCorp. FinCorp had pretty elaborate building security. Everyone -- employees and visitors -- had to have their bags X-rayed.

Seemed silly to me, but I played along. There was a single guard watching the X-ray machine's monitor, and a line of people putting their bags onto the machine. The people themselves weren't searched at all. Even worse, no guard was watching the people. So when I walked with everyone else in line and just didn't put my bag onto the machine, no one noticed.

It was all good fun, and I very much enjoyed describing this to FinCorp's VP of Corporate Security. He explained to me that he got a $5 million rate reduction from his insurance company by installing that X-ray machine and having some dogs sniff around the building a couple of times a week.

I thought the building's security was a waste of money. It was actually a source of corporate profit.

Bruce's point is that, while every security measure is implemented for a good reason, the good reason involved often has nothing to do with security. The canonical modern example is the requirement that all airline passengers show a photo ID. There's nothing about showing photo ID that makes us safer, as was demonstrated on 9/11: every one of the hijackers had an acceptable photo ID. But the photo ID requirement does put the airlines in a better financial position. Prior to the ID requirement, it was possible to resell tickets you didn't plan to use, which meant lost revenue for the airlines. Now, private resale of airline tickets is impossible. The "security" measure was implemented to solve an economic problem, not a security problem.

Bruce was nice enough to send me a copy of his new book about security, Beyond Fear, after I posted about risk estimation a while back. I've been meaning to review it forever - maybe tomorrow evening? - but in the meantime, this story is a good sample.

