
More Security Theater – “CyberCops and Robbers” March 15, 2012

Posted by Chris Mark in Industry News, Risk & Risk Management, Uncategorized.

Today in my Google alerts, I had a story from FoxNews (…ahemm) titled “CyberCops and Robbers; Digital Posses to Bust Bank Robbers”.  After reading the article, I had to write a post to discuss (rant about?) the fluff that is being proposed.  The article talks about a new initiative by the FBI and select banks where banks that comply with certain rules and agree to be involved in the program get to post a “badge” on their door like the one in this post.

There are so many flaws and issues with this approach, I don’t know where to start.  This is Security Theater at its finest.  For those who are unfamiliar with the term, Bruce Schneier, in his book Beyond Fear, coined the phrase security theater.  Security theater describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.

First, let’s look at the “numbers”.  According to the writer, bank robbers are “just as dangerous” as in the Wild West.  She quotes the following statistics: In 2010, 90 people were taken hostage and 16 killed in 5,546 bank robberies.  While anyone being killed is difficult to justify, we are looking at numbers that don’t tell the whole story.  In 2010, there were roughly 98,500 bank branches in the United States.  If one considers that, according to the FBI, there were 5,546 robberies, this comes to 5.6%, assuming each was robbed only once.  It should be noted that, according to statistics, over 75% of bank robbers are caught.

In those 5,546 robberies, there were 236 acts of violence which resulted in 16 killed and 90 taken hostage.  So in less than .3%, or 3 out of every 1,000 robberies, someone was ‘killed’.  What her report fails to disclose is that 13 of the 16 people killed were the robbers themselves.  This means that 81% of the time, if someone is killed, it is the bad guy (or girl).  The other 19% was ‘undefined’, meaning it was not an employee, law enforcement officer, or customer.  Again, using basic math, we can state that roughly 5 out of every 10,000 robberies will result in a person other than the perpetrator being killed.  Statistically, in 2010 not a single customer, employee, or law enforcement officer was killed in the US during a bank robbery.

According to the FBI, “loot” was taken in roughly 91% of the total cases (5,628, if larceny etc. is included) for a total of roughly $43 million US.  This comes to approximately $8,428 per robbery, if divided equally.  Of this, loot was recovered in 22% of the incidents for a total of approximately $8.1 million US.  The total averages to about $7,193 recovered from the 22 incidents.  So, if a bank is robbed, they stand a roughly 70% chance (.91 x .22) of money being taken and not recovered.  In these instances, they stand a chance of losing, on average, $8,428.  So for a little risk analysis…

Annualized Loss Expectancy (ALE) = % x Impact or (5.6% x 70%) x ($8,428) = $330.776 per year.  (I didn’t carry decimals too far so it is off by some, but you get the point.)

This calculation does not account for large chains being victimized, nor does it account for branches being robbed more than once, but taken on average, every single branch (98,000) has an ALE of roughly $330 per year.

The point is that, without looking at the whole picture, the situation looks dire.  When you evaluate the numbers in context you realize that they are manageable.  The “Bandit Shield” requires banks to implement a number of controls.  There is no feasible way to get 98,000 branches in compliance.  The cost would certainly surpass the risk and the robbers would simply rob the banks that did not have a ‘bandit shield’ sign.  Finally, if 75% of robberies are being cleared today, then the cost of clearing the other 25% hardly justifies the expense.

This is security theater at its best.

