Is security theatre costing us our personal freedom?

As suggested, it's not just in the workplace that time-wasting security procedures can be found. Look around on your desktop and you don't have to look far to see some more examples of security software indulging in a little theatre at your possible expense.

For example, a lot of the older and more established paid-for antivirus software systems regularly waste your time by telling you when it's time to get new security updates, telling you when they are doing a scan and showing you the possible threat positives they've found (which most people don't know what to do with even if they are told - and shouldn't need to; surely it's the antivirus software's job to say whether something is a threat or not).

Each of these processes can be described as security theatre. Why do you need to know? Surely all this should just happen in the background without it wasting your time telling you what it's doing?

However, looked at another way, it's doing something. It's reassuring you that you're protected, that you're safe. Those official-looking 'Your system is clean from all infection' messages make you feel secure, even if what the software is telling you isn't actually true.

What average computer user is going to question the authority of a security program? Who has the time? Sadly though, a clever virus, key logger or Trojan that has bypassed your security software, usually due to something as simple as it not being in your antivirus's database yet, will ensure that you keep receiving those reassuring messages while it causes havoc with your machine. But due to how we're psychologically wired, if you take all those reassuring messages away, we find it very hard to take it on trust that we're protected.

For example, Microsoft's free antivirus tool Security Essentials approaches this from the other direction. Once it's installed it just sits quietly on your machine protecting it from internet nasties. Perfect. Except we're so used to being told that antivirus programs are running, what updates they're getting, what scans they are performing, that when that noise suddenly stops we aren't totally confident that the program is doing its job. Without the security theatre we aren't reassured.

Questions creep in. 'Has Microsoft abandoned the project?' 'Am I really protected?' Clearly a balance between the security being provided and the advertisement of that security is needed if we're going to be confident in our security software.

Backing up badly

Another place where a lot of people wrongly feel more secure, even smug, is when they remember to back up their important files to an external hard drive due to the belief that those files are now protected. However, most people keep their external storage connected to their machines (all the better for those regular scheduled back-ups), which means that if the worst happens that 1TB drive offers no protection at all.

In the case of a fire, the drive is in the same place as your PC - usually on top of it! - so clearly will go up with your computer. Similarly, should your computer be infected by a malicious piece of software that infection is likely to spread to all connected drives, including your back-up drive.

Everyone knows that backed-up material should be stored at another site, but most back-up routines make that, at best, impractical. Instead we go through the rigmarole of regular updates, waiting for files to be copied, without there being any real-world benefit if a typical catastrophe were to occur.

Of course, the rise of cloud-based back-up services should cut out this problem (in fact, many new hard drives ship with such a service, possibly in recognition of their hardware's upcoming obsolescence) but until people become proper adopters of this relatively new technology they're going to lose data even while congratulating themselves that they're doing everything they need to do to protect it.

Sadly, too, cloud-based services are still viewed by a lot of people with suspicion. Why should you trust a large faceless corporation with all your personal files? Or, if you choose a new start-up, who's to say they'll be here in a couple of years' time?

Again, it's how we perceive things that becomes the problem. If you can't see something, like an external drive flashing its LEDs at you, if it isn't tangible, people start to worry if it's there at all. This is compounded by the much highlighted but actually very rare stories of people losing all their Googlemail emails due to someone at Google headquarters pressing the wrong button or people's personal files suddenly being viewable to everybody online due to a software glitch.

Although uncommon, the way the media report these stories is designed to strike fear into people's hearts and this causes distrust in cloud-based storage options, even though the percentage risk compared to the possibility of something going wrong on your own PC is minuscule.

Government involvement

Where security theatre really takes off in terms of cost and implementation of flawed security procedures on a major scale is when governments get involved.

With multi-billion pound budgets at their disposal and where knee-jerk reactions to crises both real and perceived can be huge vote winners, the potential to indulge in security theatre is enormous.

Kaspersky Lab's David Emm agrees. "Things are perhaps different for governments [as opposed to companies], where public perception is very important," he says. "Here there is, I believe, much more scope for security theatre. The growing realisation of the potential dangers of cyberattacks - in a world where we have all become heavily dependent on the internet - means that governments are forced to be seen to respond to the perceived risks. But even here, there may only be a problem if there's a cost in addressing the perceived problem at the expense of investing in solutions to real threats."

Further to this, we asked Graham Cluley how much of the world's governments' response to hacking threats is security theatre? "We certainly see a lot of grandstanding when it comes to state response to computer security threats," he says. "For instance, we see finger-pointing at certain nations, blaming them for hack attacks or writing malware when in fact it's incredibly difficult to prove such accusations. We know that hackers can leapfrog around the world, using multiple compromised computers to launch their attacks.

"The true nature of threats is much more complicated and less appealing perhaps to the general non-technical audience. People don't want to hear that a large amount of the problem might be poorly protected home computers in their own country, which have been compromised... and instead may prefer a story that talks about a bogeyman in an enemy state."

If this is so, we asked him how much of the need to monitor all internet communications is security theatre? "I certainly worry that fear of security threats is being used as a justification for greater monitoring by governments of communications. Often terrorism is cited as a reason why a government might want to know every website you visit, or every time people email each other or have an instant messaging chat. But how many people have been killed by terrorists in the UK in the last five years? Is the fear of terrorism being used as a smokescreen for greater online monitoring and a loss of liberties?"

It certainly seems to be used to justify some rather intrusive data-mining techniques, which if they really are being implemented must be a massive drain on government resources for what must be a remarkably small success rate.

For example, the US Department of Homeland Security is monitoring blogs, news channels and social media networks such as Twitter and Facebook for certain keywords that may highlight 'Items of Interest'. These IOIs could be indicators of emerging situations worthy of the government's attention in 14 different areas including, among others, terrorism, weather, natural disasters, fire, border control issues, immigration, hazardous and nuclear materials, transport security, cyber security and reports on the Department of Homeland Security and other Federal Agencies themselves.

Remember, that's just the areas the keywords cover. Each area monitors its own range of keywords, usually over 30 in each, covering everything from 'Dirty bomb' and 'Ammonium nitrate' under terrorism to 'Botnet' and 'Cain and Abel' under cyber security.

One way of viewing this is that it makes sense for the US government to monitor for upcoming national disasters, health crises or emerging threats and, as the information is already out there for people to see, why not utilise it? Another is that this is no doubt a costly operation, which must throw up so many false positives as to make it a virtually useless piece of security theatre.

But if you believe the latter, we don't recommend you tweet about it, just in case.

The future of security theatre

So with all these examples of security theatre around us providing the general populace a nice warm feeling that companies, governments and even ourselves are doing all we can to make the world a securer place, while in fact doing nothing of the sort, is there any hope for the future? What can we do to combat security theatre and just how big a problem is it?

"I think security theatre becomes a problem only if the cost of putting on the production diverts investment (and not just financial) away from solutions to real problems," says Kaspersky Lab's David Emm. "One of the problems, however, is that we may only recognise something as security theatre retrospectively, not at the time the show is going on."

We'll leave the last word to Graham Cluley, who we asked whether we really need to worry about security theatre if it gives people peace of mind? After all, is that such a bad thing?

"I think we should worry about it," he says. "There are real security threats out there, but only limited resources and time to deal with them. If we get distracted by theatre, there's a risk that we won't put the right effort, technology and people behind the things that really matter."