Cybersecurity

 

 

Trump’s Cybersecurity Executive Order Well Received by Experts
By Megan Gates, 2017-05-12
<p>After months of waiting and leaked drafts, U.S. President Donald Trump signed a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal" target="_blank">cybersecurity executive order</a> yesterday that aims to strengthen U.S. government networks and critical infrastructure.</p><p>The executive order is broken into three parts—securing U.S. government networks, enhancing critical infrastructure cybersecurity, and cybersecurity for the nation—and is an effort to change the course of the U.S. government’s cyber posture, said Tom Bossert, White House homeland security advisor, in a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/press-briefing-principal-deputy-press-secretary-sarah-sanders-and">press briefing on the order</a>.<br></p><p>A key element of the executive order is looking at the U.S. government’s cybersecurity as a whole—not as 190 separate agencies, Bossert explained.<br></p><p>“We need to look at the federal government as an enterprise, so that we no longer look at the Office of Personnel Management (OPM) and think, ‘Well, you can defend your OPM network with the money commensurate for the OPM responsibility,’” he said. “OPM, as you know, had the crown jewel, so to speak, of our information and all of our background and security clearances.<br></p><p>“What we’d like to do is look at that and say, ‘That is a very high risk, high cost for us to bear. 
Maybe we should look at this as an enterprise and put collectively more information in protecting them than we would otherwise put into OPM looking at their relevant importance to the entire government.”<br></p><h4>Government Networks</h4><p>“The first priority for the president and for our federal government is protecting our federal networks,” Bossert explained. “I think it’s important to start by explaining that we operate those federal networks on behalf of the American people, and they often contain the American people’s information and data, so not defending them is no longer an option. We’ve seen past hacks and past efforts that have succeeded, and we need to do everything we can to prevent that from happening in the future.”</p><p>As part of that effort, the executive order said the president will hold executive department and agency heads accountable for managing cybersecurity risk to their enterprises. Under the order, they will implement risk management measures “commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”<br></p><p>Anthony J. Ferrante, senior managing director in the Global Risk & Investigations Practice at FTI Consulting and former director for cyber incident response at the National Security Council, says he’s glad to see this change in the federal government’s posture.<br></p><p>“In the years following the OPM attack, it is nice to see that the administration recognizes that it operates federal networks on behalf of the American people, and it is a strong move to say that the president is going to hold the heads of departments and agencies accountable for the cybersecurity of their networks,” Ferrante adds.<br></p><p>Additionally, agency and department heads are required to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage their respective organization’s risk. 
Each agency has been instructed to provide a risk management report to the secretary of the Department of Homeland Security and the director of the Office of Management and Budget (OMB) within 90 days.<br></p><p>“We have practiced one thing and preached another,” Bossert said. “It’s time for us now…to implement the NIST framework. It’s a risk-reduction framework.”<br></p><p>Requiring government agencies to adopt the NIST framework—like the private sector has been encouraged to do—is a positive step, says Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC).<br></p><p>“The acknowledgement of risk acceptance is significant,” Harrell explains. “Within all IT systems, we have the ability to accept, avoid, mitigate, or transfer risk.”<br></p><p>Also part of the executive order’s plan to modernize government IT and manage risk is a directive that agency heads show preference in their procurement for shared IT services, including e-mail, cloud, and cybersecurity services.<br></p><p>“We have 190 agencies that are all trying to develop their own defenses against advanced protection and collection efforts,” Bossert said. “I don’t think that that’s a wise approach.”<br></p><p>Utilizing shared IT services does come with risk, but it will put the federal government in a better position to manage those risks, Bossert added.<br></p><p>“I’m not here to promote for you that the president has signed an executive order and created a cybersecure world in a fortress USA,” he said. “That’s not the answer. But if we don’t move to secure services and shared services, we’re going to be behind the eight ball for a very long time.”<br></p><p>This is a positive step, says Will Ackerly, chief technology officer at Virtru and former lead security architect for the National Security Agency’s (NSA’s) first cross-domain cloud. 
<br></p><p>“It’s positive if managed well. The risk and threat change with on-premise to cloud,” Ackerly explains. “When you move to Google, you now all of a sudden have many security engineers online on a real-time basis available to essentially protect your data. The trade is, you don’t have the same kind of direct control or insight…into how your data is being accessed.”<br></p><p>Agencies and departments will also have to avoid creating a monoculture, or choosing the same platform across the board, because if there is a problem with the technology or an attack on it, there could be a “massive issue,” Ackerly adds.<br></p><p>Overall, however, utilizing shared services is a step in the right direction as it will free agencies up to “focus on what they’re good at—their core mission—instead of having to figure out over and over the same IT programs,” he says.<br></p><p>The government’s ability to do this successfully, however, will depend on its ability to secure funding and change its purchasing constraints around technology—which may require Congressional action.<br></p><p>“The majority of [these agencies’] budget is spent on legacy systems,” says John Dickson, CISSP, principal at Denim Group and former U.S. Air Force officer who served in the Air Force Information Warfare Center. “If you are spending a lot of money, and 75 percent of that is to maintain what you have, you simply are not going to be able to put a dent in this problem.”<br></p><p>Another area that gives some experts pause, however, is that the agency risk management reports may be classified in full—or in part—and not available to the public. <br></p><p>“Particularly when you’re talking about trying to manage risk across many, many agencies, that requires good information sharing,” Ackerly adds. 
“I think it can be a lot harder when there isn’t transparency, at least at the core level.”<br></p><p>He also raised concerns about the number of reports and assessments the executive order has asked government officials to compile to analyze the federal government’s cybersecurity posture and path forward. <br></p><p>“A lot of these reports end up sitting on shelves; a lot of work is going to go into producing these things and updating them,” Ackerly says, adding that it might have been a better idea to create a position of a cybersecurity czar to manage this process so there’s “clear central authority that coordinates actions that the CISOs are accountable to…I worry that this might be another paper exercise.”<br></p><h4>Critical Infrastructure</h4><p>The second portion of the executive order focuses on critical infrastructure cybersecurity and calls for reports to identify ways that agencies could support the cybersecurity efforts of critical infrastructure entities that are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” according to the order.</p><p>In particular, the order asks for the secretaries of energy and homeland security, with the director of national intelligence and local authorities, to assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident.<br></p><p>Harrell says electric utilities are well positioned to aid the government in this effort and provide a report to the president. <br></p><p>“The NERC Grid Security Exercise is a notable example of how the industry has taken cyber threats seriously, and while many lessons have been derived from the national exercise, industry understands the magnitude of a wide-area disruption due to a security event,” Harrell explains. 
“I would strongly recommend that the Department of Energy reach out to NERC, utilities, and industry trade associations to compile their findings as many lessons-learned have already been documented and acted upon.”<br></p><p>The executive order also calls for the secretaries of commerce and homeland security to identify and promote action by stakeholders to improve the resilience of the telecommunications industry to “dramatically” reduce the number of botnet attacks in the United States. <br></p><p>This will require cooperation from the private sector, particularly from Sprint, AT&T, Verizon, and other carriers, Dickson says. “All the people that are essentially providing Internet and phone connectivity, because there’s certain things they can do in real-time to make it harder for those types of attacks to propagate.”<br></p><p>Device manufacturers should not be ignored either, Ackerly says; they could be encouraged to create devices that are inherently more secure and less likely to be compromised and used in a botnet.<br></p><p>One action Ackerly says he thinks would be a risky choice for the government would be to encourage active attacks to prevent botnet attacks.</p><p>“The military has authority to do active attacks,” he explains. “I don’t think we want to encourage companies to break the law and respond directly to take down systems that are not their own that are trying to interfere with their services.”</p><h4>National Security</h4><p>The final section of the executive order deals with ensuring that the Internet remains valuable for future generations by deterring cyberattacks and investing in the nation’s future workforce. </p><p>The order calls for the secretaries of state, treasury, defense, commerce, homeland security, and the attorney general, amongst others, to submit a report to the president on the nation’s strategic options for deterring adversaries and protecting Americans from cyber threats. 
It also requires the secretaries to document a strategy for international cooperation in cybersecurity.<br></p><p>“The Russians are not our only adversary on the Internet, and the Russians are not the only people that operate in a negative way on the Internet,” Bossert said. “The Russians, the Chinese, the Iranians, other nation states are motivated to use cyber capacity and cyber tools to attack our people and our governments and their data.<br></p><p>“That’s something we can no longer abide. We need to establish the rules of the road for proper behavior on the Internet, but we also then need to deter those who don’t want to abide by those rules,” he said.<br></p><p>The executive order also calls for an assessment of the scope of current efforts to educate and train the American cybersecurity workforce of the future to maintain the United States’ competitive advantage.<br></p><p>Harrell says he found this inclusion in the executive order encouraging. “In a world of constant cyberattacks and massive data breaches, cybersecurity is more important today than ever before,” he adds. “As Americans become more dependent on modern technology, the demand to protect the nation’s digital infrastructure will continue to grow. Many organizations are desperate to find qualified security professionals and fill key staff positions. Promoting professional education, training, and STEM classes will start to bridge the cybersecurity workforce gap.”</p>

 

 

Flying Solo
<p>Senior executives routinely travel the globe without security and rarely are there any incidents of concern, but when things go wrong from a protective security perspective, they usually go wrong quickly and can snowball into disaster. </p><p>Most failures stem from a lack of proper advance work, logistical foul-ups, and lost luggage. Robust protective intelligence and countersurveillance programs, along with comprehensive threat assessments, can greatly reduce the risk to executives who travel. But when a security detail will not be included in the trip, basic training and preparedness for those executives can go a long way.</p><p>Many executives want to run under the radar, whether they are attending a meeting on the other side of town or traveling around the world. Few CEOs travel surrounded by visible security personnel with earpieces and shoulder holsters because the optics are deemed bad for business. Few executives need or seek that level of security. And although it’s rare for an armed robbery or a Kardashian-style hotel invasion to occur, it’s on every protection officer’s mind.</p><p>A more thoughtful approach to protection for senior government personnel, executives, and high-net-worth families was created by a group of former government agents in the private sector. They adopted a different model of protection, focused heavily on protective intelligence and countersurveillance. </p><p>The model is now used by many Fortune 500 companies and takes a nuanced approach to empower the executives themselves. Even though security staff may not be in tow on any given trip, there are several key principles that executives can practice that will dramatically increase their level of safety and security wherever they are in the world.</p><h4>Situational Awareness</h4><p>With enough will and discipline, executives can use situational awareness to stay ahead of threats while traveling. 
To successfully practice situational awareness, executives must be mindful of a few basic facts. </p><p>First, they must acknowledge that a threat exists, because bad things do happen to good people. Executives traveling solo must also take care of themselves because they are ultimately responsible for their own safety and welfare. Finally, they must heed their instincts. If something doesn’t look or seem right, chances are it’s not, and executives need to be comfortable identifying and acting on that intuition. </p><p>When discussing situational awareness with an executive, it is important to stress that this does not mean being paranoid or obsessively concerned about security. Still, there are periods where enhanced awareness levels are needed. </p><p>Solo executives can learn to practice enhanced observation skills with simple exercises, like paying attention to the cars behind them in traffic, or by challenging themselves to see if they can remember automobile license plate letters and numbers. </p><p>One best practice is to have executives pay special attention to their departure points and destinations, scanning the area with an eye for vehicles and people that could be watching. If the same vehicle, bicycle, or person is spotted over time and distance, someone may be conducting surveillance. </p><p>For example, a blue van glimpsed at the point of departure and then seen later near a business meeting means someone could be watching. Not all watchers are criminals or possible kidnappers—in some locations, the watchers could be state security services or private detectives hired by competitors.</p><h4>Countersurveillance</h4><p>Burglars, kidnappers, assassins, and any manner of criminals all follow an attack cycle, including some level of preoperational surveillance. Attacks don’t happen in a vacuum. In most cases, criminal and terrorist surveillance tradecraft is the least well-developed skill in the hostile operator’s toolbox. 
</p><p>When persons with hostile intentions are engaged in preoperational surveillance, they are also highly vulnerable to detection. Professional countersurveillance teams are trained to recognize operatives conducting surveillance on a target. However, an individual practicing good situational awareness can often spot preoperational surveillance on his or her own, especially if the surveillant is sloppy, as many are. </p><p>If suspects realize that their surveillance efforts have been detected, they will become anxious and may decide against acting—or at least redirect their attention to an easier target. The detection also lets the executive know he or she must take further protective steps, such as changing routes or vehicles, switching hotel rooms, notifying local authorities or staff, alerting corporate headquarters, and calling for backup. Monitoring for surveillance needs to be part of executives’ ongoing situational awareness practice. </p><p>One terrorist plot uncovered in 2003 revealed how an al Qaeda cell used preoperational surveillance when targeting financial institutions in Washington, D.C.; New York City; Newark, New Jersey; and potential targets in Singapore. In one instance, several operatives sat in a Starbucks cafe across from their intended target, recording information like security measures and building access. Their notes, videos, and practices were uncovered when the terrorist cell was broken up by authorities—fortunately before an attack took place.</p><h4>Fire Safety</h4><p>While traveling, executives may obsess over the potential threat posed by terrorist attacks, political violence, or other incidents that result in news headlines, but they tend to discount the less exciting but more likely threat posed by fire. </p><p>Fire kills thousands of people every year, and there are instances where fire has been used as a weapon in terrorist attacks. 
During the November 2008 Mumbai attacks, a group of attackers holed up in the Taj Mahal Palace Hotel started fires in various parts of the hotel. </p><p>Anarchists and radical environmental and animal rights activists have conducted arson attacks against a variety of targets, including banks, department stores, ski resorts, and the homes and vehicles of research scientists.</p><p>It is common to find items stored in emergency stairwells that render them obstructed or sometimes impassable. This is especially true outside the United States, where fire codes may not be strictly enforced, if they exist at all. In some instances, fire doors have been chained shut due to criminal threats.</p><p>To mitigate the threat from fire, executives should note whether emergency exits at their hotel are passable. This applies to apartments and office buildings as well. </p><p>In the August 2011 Casino Royale attack in Monterrey, Mexico, the attackers ordered the occupants out of the building before dousing it with gasoline and lighting it on fire, but 52 people died because they were trapped inside the building by a fire exit that had been chained shut.</p><p>Travelers staying at hotels in countries with lax fire codes should stay above the second floor to avoid break-ins, but not above the sixth floor. That puts them within range of most fire department rescue ladders. </p><p>Smoke inhalation is also a concern. It is the primary cause of fire deaths and accounts for 50 to 80 percent of all deaths from indoor fires. </p><p>The U.S. diplomatic facility in Benghazi, Libya, that was attacked on September 11, 2012, is an apt example. A video of the building after the attack showed that fire had not badly damaged the building’s structure. The two diplomats killed in the attack did not die from gunfire or even rocket-propelled grenade strikes—they died from smoke inhalation. 
</p><p>At minimum, a smoke hood should be a key piece of safety equipment carried by the executive while traveling. These hoods can be easily carried in a purse or briefcase and can provide the wearer with 15 to 30 minutes of safe air to breathe. That time makes a world of difference when caught in a burning building, a subway tunnel, or an aircraft while trying to escape. </p><p>Many executive protection experts encourage executives to place smoke hoods next to their hotel bed. Another useful tool in such situations is a small, high-intensity flashlight to help them find their way through the smoke or dark once they have donned their smoke hood.</p><h4>Identifying Risks</h4><p>While executives may not appreciate the security team’s efforts to scare them ahead of a trip, they do need to know the inherent risks during travel and after reaching their destination. This will require advance research by protective intelligence analysts to gather hard data on a range of issues appropriate to the destination. Alternatively, security can use a service that consistently tracks that data. This type of research involves analyzing everything from the latest street crime trends in London to the prevalence and nature of recent express kidnappings in certain Latin American cities, and incorporates that data into the executive briefing.</p><p>The briefing can also include the advance work of the corporate security team: analyzing the executive’s schedule, transportation routes, and destinations to determine the times and places where he or she is most vulnerable. By identifying the moments most likely to be used by a hostile actor, an executive can understand when to raise his or her level of situational awareness for greatest effect. 
This will also make it more difficult for assailants to conduct preoperational surveillance without detection.</p><p>On September 28, 2016, a group of assailants abducted Abid Abdullah, the executive director of Pakistan’s largest publishing group, during a business trip to Peshawar. Abdullah was in Peshawar to check on the status of a company facility under construction and did not return to his hotel until the early hours of the morning. </p><p>Several armed men in two vehicles stopped Abdullah and his driver around 3:15 a.m. in the city’s industrial area. Peshawar is dangerous even by Pakistan’s standards, and, based on his driver’s statements, Abdullah was traveling without a protective detail to an industrial park where the kidnapping team had likely been watching him while he conducted business late into the night. The industrial area made a good intercept point because it was likely to be deserted at that hour. On such visits, a robust security plan is needed. </p><p>There are always incidents that are more difficult to detect ahead of time. In July 2016, Jeff Shell, chairman of the Universal Filmed Entertainment Group, was briefly detained and forced to leave Russia hours after arriving in the country. </p><p>Russian authorities pulled Shell out of the immigration line shortly after he arrived at Moscow’s Sheremetyevo Airport from Prague. After hours of interrogation, Shell was told he had been barred from Russia and was placed on a flight to Amsterdam. </p><p>The Russian Foreign Ministry later explained that it barred Shell from Russia because of his involvement with the Broadcasting Board of Governors, a group that oversees U.S. government broadcasters. </p><p>Before July 13, there was no indication that Shell or anyone affiliated with the Broadcasting Board of Governors was included on any list. 
Russia’s lack of transparency on who is barred from the country and why is troubling for traveling corporate executives and can become highly disruptive, embarrassing, or potentially dangerous for those involved. Executives and their protection teams should take these sorts of threats into account long before they begin travel.</p><h4>Liaisons</h4><p>Once executives are well-versed in these skills and practices, they may feel prepared to travel solo around the world. However, the work of the corporate security team doesn’t end there. </p><p>Whether the protective intelligence team is working for the government or in the private sector, it is critical to maintain frequent contact with the appropriate authorities and security counterparts where executives are likely to travel. </p><p>Beyond maintaining a close liaison with their counterparts and industry partners at the travel destination, corporate security officers should work with local, state, and federal law enforcement agencies that would be called on to prosecute the case should someone commit an illegal act against an executive. </p><p>If an executive is traveling to another city or country on business, be sure to establish a line of communication with the counterpart at that company ahead of time. If an incident does occur, that liaison will share an interest in the executive’s safety, or at least a concern about the optics of an incident affecting an executive who is visiting their company. </p><p>These counterparts should also have efficient lines of communication with their local law enforcement contacts. In that case, they can become an executive protection advocate on-site, or at least connect the team back home with the right people until the situation is fully resolved. </p><p>Executives can travel safely abroad with minimal intrusions on privacy, as long as corporate security teams establish proper procedures and baselines. 
Building trust with the executives and their administrative staff goes a long way to ensure that business travel functions without security disruptions. </p><p>Not every executive needs visible security officers on travel; however, every executive traveling abroad does require a good security team behind the scenes to properly balance risk and facilitation.</p><p><em><strong>Fred Burton </strong>is chief security officer at geopolitical intelligence platform Stratfor.com and a lead analyst for Stratfor Threat Lens. He has authored three books, including </em>Under Fire: The Untold Story of the Attack in Benghazi.</p>
Surveillance and Stereotypes
<p>Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report <em>Shoplifting Statistics.</em></p><p>To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags. </p><p>The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters. </p><p>Are these surveillance decisions a result of bias? To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.</p><h4>Existing Data</h4><p>A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.</p><p>Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. 
This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves. </p><p>Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes. </p><p>It is also common for the media to portray adolescents—particularly boys—as criminals. Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.</p><p>The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers purport that they were targeted through excessive surveillance—and even through false arrests. </p><p>Researchers have shown that this automated bias occurs even when observers were trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”</p><p>Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. 
The results of accumulated discrimination, accrued at each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue through the legal system. This is evidenced by the disproportionate number of African-American and Latin-American boys in the apprehension and arrest statistics for juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the University of Chicago Press. </p><h4>Current Research</h4><p>To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas: 97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state. </p><p><strong>Shoplifter profile. </strong>The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.</p><p>The security and emergency management majors—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.</p><p>Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status. </p><p>The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. 
The two samples also indicated that the stereotypical thief was likely to have short or medium-length brown or black hair and an identifying mark, such as a piercing. </p><p>These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.</p><p><strong>Decision processes. </strong>After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security guards’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.</p><p>The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. The description of the juvenile’s overt behaviors, however, was the same in every scenario—selecting and returning shirts on a rack, glancing around the store, and stuffing a shirt into a backpack.</p><p>Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling the juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. 
The researchers reasoned that respondents should draw identical conclusions about surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but would make different recommendations if their racial or ethnic stereotypes were activated.</p><p>Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences by race or ethnicity were notable when considering reliance on physical characteristics.</p><p>Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. The least severe sanction—talk to the juvenile—was chosen at a higher rate for boys than for girls of each ethnicity except European Americans, for whom the rates did not differ.</p><p>The moderate-level sanction—call the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe sanction—ban the youth from the store—was selected more for boys than for girls of African descent, but more for girls than for boys of Asian, European, and Middle Eastern descent.<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%201.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:510px;" /></p><p>Respondents who indicated a preference for applying formal sanctions attributed the guards’ surveillance decision to physical characteristics for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities. 
</p><p>Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. The least severe sanction—involve the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.</p><p>The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.</p><p>Finally, a comparison of our data revealed that respondents believed informal, rather than formal, consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent. <img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%202.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:519px;" /></p><h4>Lessons Learned</h4><p>Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also show that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.</p><p>Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. 
Our data suggest that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also prevents security officers from apprehending shoplifters.</p><p>Other research, such as “Juvenile Shoplifting Delinquency: Findings from an Austrian Study,” published in the 2014 Journal for Police Science and Practice, shows that only 10 percent of juveniles are caught shoplifting. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.</p><p>Another issue the research addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police. </p><p>Retailers instead focus on minimizing loss and negative publicity, and may rationalize not reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.</p><p>These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting. </p><p>There are benefits for retailers who involve the legal system, especially through informal police sanctions. </p><p>First, criminal justice diversion programs, psychological treatment, and educational programs may reduce recidivism. 
For example, a DOJ study found that shoplifters who attended and completed a diversion program had significantly fewer re-arrests than those who failed to complete it or did not attend.</p><p>Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first-offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased. </p><h4>Recommendations</h4><p>Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices. They also need training to learn which behavioral indices are most effective in distinguishing shoppers from shoplifters. </p><p>If retailers do not make significant changes in guiding their employees—particularly security officers—toward objective measures of vigilance to prevent shoplifting, their financial losses will continue to run to billions of dollars. </p><p>Private security officers must be taught to treat all potential shoplifters in the same way, regardless of gender, race, or ethnicity, to avoid mistakes that subject retailers to lawsuits for discriminatory security practices.</p><p>Overcoming unconscious biases is difficult. Before specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered. </p><p>The officers should also keep records that specify, for each shoplifting incident, what behaviors drew their attention and warranted surveillance, what act prompted them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and the reasons for the decision. 
The officers should then review these records with their retail managers.</p><p>Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors, to increase detection and reduce shrink. </p><p>The incident records could be introduced into this training and used to help identify the impact biases have on private security professionals’ decision making about juvenile shoplifters. They would also help security guards learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.</p><p>Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples. </p><p>--<br></p><p><em><strong>Dr. Lauren R. Shapiro </strong>is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. <strong>Dr. Marie-Helen (Maria) Maras</strong> is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security. </em></p>
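<p>The incident-record review recommended above, and the study’s own test that identical conduct should draw identical handling, can be made concrete. The following Python script is an added example, not code from the article or from the authors’ study. It audits a constructed set of incident records with the fields the article asks officers to log (behaviors that drew attention, the act that prompted the approach, items, method, demographics, how the incident was handled, who decided, and why); the field names, the sample records, the severity ranking of sanctions, and the review threshold are all assumptions made for the example. It reports which demographic groups were stopped with no behavioral cue on record, and which conduct signatures drew different sanctions depending on the juvenile’s gender and ethnicity.</p>

```python
"""Bias audit over constructed shoplifting incident records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Assumed severity ranking: the article's informal sanctions, least to most
# severe, then its formal sanctions in the order the article lists them;
# "none" is a stop that found nothing. The ordering is an assumption.
SANCTION_RANK = {
    "none": 0, "talk_to_juvenile": 1, "call_parents": 2, "restitution": 3,
    "store_ban": 4, "involve_police": 5, "larceny_charge": 6, "fine": 7,
    "diversion": 8, "criminal_record": 9,
}


@dataclass(frozen=True)
class Incident:
    """One entry in the log the article asks officers to keep (field names are hypothetical)."""
    incident_id: str
    gender: str
    ethnicity: str
    cues: frozenset        # behaviors that drew attention; empty = none recorded
    approach_trigger: str  # the act that prompted the officer to approach
    items: str
    method: str
    sanction: str          # a key of SANCTION_RANK
    decided_by: str
    reason: str


CONCEAL = frozenset({"glancing_at_staff", "concealment"})
TAGS = frozenset({"remote_aisle", "monitoring_cameras"})

# Constructed sample records for the demonstration, not real data.
SAMPLE = [
    Incident("001", "M", "African American", CONCEAL, "shirt into backpack",
             "shirt", "backpack", "store_ban", "manager", "keep him out"),
    Incident("002", "M", "European American", CONCEAL, "shirt into backpack",
             "shirt", "backpack", "talk_to_juvenile", "manager", "first time"),
    Incident("003", "F", "Latin American", frozenset(), "stopped at exit",
             "none", "none", "none", "officer", "looked suspicious"),
    Incident("004", "F", "Latin American", frozenset(), "stopped at exit",
             "none", "none", "none", "officer", "matched earlier thief"),
    Incident("005", "M", "European American", TAGS, "removed security tag",
             "earbuds", "pocket", "involve_police", "manager", "deliberate"),
    Incident("006", "F", "African American", TAGS, "removed security tag",
             "earbuds", "pocket", "involve_police", "manager", "deliberate"),
    Incident("007", "M", "Middle Eastern American", frozenset(), "stopped at exit",
             "none", "none", "none", "officer", "looked nervous"),
    Incident("008", "M", "African American", frozenset({"distracting_employees", "concealment"}),
             "cap under jacket", "cap", "jacket", "call_parents", "manager", "parents reachable"),
]


def no_cue_rate(records):
    """Per (gender, ethnicity), the share of stops with no behavioral cue recorded.

    A high share means the group was watched for something other than the
    conduct the article lists as a legitimate indicator.
    """
    hits, totals = defaultdict(int), defaultdict(int)
    for r in records:
        key = (r.gender, r.ethnicity)
        totals[key] += 1
        if not r.cues:
            hits[key] += 1
    return {key: hits[key] / totals[key] for key in totals}


def flag_groups(rates, threshold=0.5):
    """Groups whose no-cue share reaches the threshold (an assumed cutoff)."""
    return sorted(g for g, rate in rates.items() if rate >= threshold)


def sanction_disparity(records):
    """Compare sanction severity across demographics for identical conduct.

    Records are grouped by (cues, method); a conduct signature is reported
    only when demographic groups received different mean severity.
    """
    by_conduct = defaultdict(lambda: defaultdict(list))
    for r in records:
        by_conduct[(r.cues, r.method)][(r.gender, r.ethnicity)].append(
            SANCTION_RANK[r.sanction])
    flagged = {}
    for conduct, groups in by_conduct.items():
        means = {g: mean(ranks) for g, ranks in groups.items()}
        if len(means) > 1 and max(means.values()) != min(means.values()):
            flagged[conduct] = means
    return flagged


if __name__ == "__main__":
    rates = no_cue_rate(SAMPLE)
    print("no-cue surveillance share:", rates)
    print("groups to review:", flag_groups(rates))
    for conduct, means in sanction_disparity(SAMPLE).items():
        print("same conduct, different handling:", sorted(conduct[0]), conduct[1], means)
```

<p>On the constructed records the script flags the two groups that were stopped without any logged behavior, and the one conduct signature (concealing a shirt in a backpack) that drew a store ban for one boy and a talk for another. Real incident logs would replace <code>SAMPLE</code>; the flagged rows are what the officer and retail manager would review together, and the “reason” field is where the article’s self-assessment can be checked against what was actually recorded.</p>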
https://sm.asisonline.org/Pages/Book-Review--Beyond-Cybersecurity.aspx
Book Review: Beyond Cybersecurity<p>Wiley; Wiley.com; 256 pages; $40</p><p>An excellent overview of IT issues, Beyond Cybersecurity: Protecting Your Digital Business offers a progressive approach to tackling the evolving landscape of cybersecurity. It is not at all technical and is extremely readable for security professionals at every level. </p><p>The book references historical attacks and uses them to derive recommendations that organizations can implement to protect themselves. The five authors bring different perspectives together to explore the benefits of a holistic, business-led approach. </p><p>Because many organizations struggle to coordinate efforts between the CIO’s office and business operations, it is critical to review and establish appropriate controls and policies. The authors recommend practical actions that make sense and assist in designing an organization’s digital resilience. They argue that corporations must change their mindset: cybersecurity is not necessarily a technology problem—it is an overall business problem. </p><p>Because the authors do an excellent job of explaining concepts and challenges, this book is a valuable resource for all security practitioners, even if cybersecurity is not part of their job. I recommend it to business leaders. It will help executives understand the problems at hand, as well as how organizations that protect themselves may get ahead of the competition.</p><p>--</p><p><em><strong>Reviewer: Mark H. Beaudry, Ph.D., CPP</strong>, is chair of the ASIS Foundation Research Council.</em></p>