Defenses

 

 

https://sm.asisonline.org/Pages/Cyber-Goals-Past-Due.aspxCyber Goals: Past DueGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-08-01T04:00:00Zhttps://adminsm.asisonline.org/pages/megan-gates.aspx, Megan Gates<p>​On May 15, 2018, the U.S. Department of Homeland Security (DHS) released its cybersecurity strategy for the next five years.</p><p>"The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," said DHS Secretary Kirstjen Nielsen in a statement on the strategy's release. "Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself."</p><p>Between 2006 and 2015, the number of cyber incidents on U.S. federal government systems that were reported to DHS increased more than tenfold—including the massive Office of Personnel Management breach that compromised the records of more than 4 million U.S. federal employees and affected 22 million people.</p><p>"The growing interconnection of cyber and physical systems within critical infrastructure also creates the potential risk for malicious cyber activity to result in direct physical consequences," according to DHS. "For example, the December 2015 overriding of controls in the Ukrainian electric grid resulted in widespread loss of power."</p><p>More recent incidents, such as WannaCry and NotPetya, have also demonstrated the threat of using the Internet of Things to conduct cyberattacks with far-reaching consequences.</p><p>Because of this, Nielsen said DHS is "rethinking its approach" to cybersecurity to confront systemic risks by issuing its strategy guide. The guide was a requirement under the National Defense Authorization Act of 2017 and lays out a five-part approach to manage national cyber risk: identifying risk, reducing vulnerability, reducing threat, mitigating consequences, and enabling cybersecurity outcomes.</p><p>"Through our efforts to accomplish seven identified goals across these five pillars, we work to ensure the availability of critical national functions and to foster efficiency, innovation, trustworthy communication, and economic prosperity in ways consistent with our national values and that protect privacy and civil liberties," DHS said.</p><p>To understand the cybersecurity landscape and its risks, and address vulnerabilities, threats, and consequences of DHS's cybersecurity activities, the department must first be able to identify risks. </p><p>The department's first goal in this pillar of its strategy is to assess cybersecurity risks so it understands the "evolving national cybersecurity risk posture to inform and prioritize risk management activities," according to the strategy.</p><p>To do this, DHS said it plans to work with stakeholders—sector-specific agencies, nonfederal cybersecurity firms, and others—to understand trends in threats, vulnerabilities, interdependencies, and potential consequences so the department can prioritize its activities and budget accordingly.</p><p>"DHS must also take stock of gaps in national analytic capabilities and risk management efforts to ensure a robust understanding of the effectiveness of cybersecurity efforts," the strategy explained. "We must anticipate the changes that future technological innovation will bring, ensure long-term preparedness, and prevent a 'failure of imagination.'"</p><p>As part of this goal, DHS has set specific objectives, including identifying evolving cybersecurity risks that affect economic security, public health, and national security; identifying and creating plans to address gaps in analytic capabilities; and developing plans and scenarios for future technology deployments that could be disruptive.</p><p>Another pillar of DHS's strategy is to reduce the vulnerability of U.S. federal agencies across the board. </p><p>"DHS leads the effort to secure the federal enterprise and must use all available mechanisms to ensure that every agency maintains an adequate level of cybersecurity, commensurate with its own risks and with those of the larger enterprise," according to the strategy.</p><p>To assist the rest of the U.S. federal government, DHS will work with the Office of Management and Budget (OMB) to address systemic risks and interdependencies between agencies. </p><p>"DHS must also support agency efforts to reduce their vulnerabilities to cyber threats by providing tailored capabilities, tools, and services to protect legacy systems, as well as cloud and shared infrastructure," the strategy explained. "Within its own systems, DHS must continue to adopt new technologies and serve as a model for other agencies in the implementation of cybersecurity best practices."</p><p>As part of this pillar, DHS laid out sub-objectives to more clearly define how it will achieve this goal. These include developing and implementing a clear governance model for U.S. federal cybersecurity; issuing new or revised policies and recommendations to ensure adequate cybersecurity across the enterprise; and providing agencies with integrated and operationally relevant information necessary to understand and manage their cyber risk.</p><p>One example of this in action prior to the release of the strategy was DHS's binding operational directive 18-01, which required U.S. federal agencies to increase their email and Web security. Specifically, DHS mandated that agencies implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) for their email systems. (See "Spoofing the CEO," Security Management, October 2016.)</p><p>Another goal of this pillar of the strategy is to protect critical infrastructure by partnering with stakeholders to ensure national cybersecurity risks are managed. This partnership is key because a majority of the critical infrastructure in the United States is owned and operated by the private sector.</p><p>"DHS must partner with key stakeholders, including sector specific agencies and the private sector, to drive better cybersecurity by promoting the development and adoption of best practices and international standards, by providing services like risk assessments and other technical offerings, and by improving engagement efforts to advance cybersecurity risk management efforts," the strategy stated. </p><p>An example of this in action was DHS's response to the 2017 WannaCry ransomware attack. During the attack, DHS's National Protection and Programs Directorate partnered with other agencies and the private sector to help U.S. hospitals—a major target of WannaCry—ensure their systems were not vulnerable to the malware. It also released an unclassified technical alert to help defenders defeat the malware and prevent is spread.</p><p>In addition to reducing vulnerability, DHS's strategy also outlines a goal to reduce threats in cyberspace overall. </p><p>"In partnership with other law enforcement agencies, DHS must prevent cyber crime and disrupt criminals and criminal organizations who use cyberspace to carry out their illicit activities and leverage identified threat activity and trends to inform national risk management efforts," the strategy explained.</p><p>To do this, DHS will create investigative priorities related to illicit cyber activity, identify and conduct high-impact investigations of cybercrimes by transnational criminal organizations, disrupt online marketplaces for malicious cyber activity, and develop options to disrupt, counter, and deter transnational criminal organizations.</p><p>The final portions of the DHS strategy are to mitigate consequences and enable cybersecurity outcomes. </p><p>With the rise of cybercrime and illicit cyberactivity, DHS must have a role in limiting the impact of significant cyber incidents, the department said. </p><p>"Many cyber incidents do not require a national response," the strategy explained. "But when they do, DHS plays a unique role in responding to cyber incidents to mitigate potential consequences by providing technical assistance to affected entities and other assets that are at risk and investigating the underlying crimes."</p><p>DHS took this role, for example, in July 2017 when the U.S. Secret Service—part of DHS—worked with international law enforcement to arrest a Russian national who allegedly operated BTC-e.</p><p>"From 2011 to 2017, BTC-e is alleged with facilitating over $4 billion worth of Bitcoin transactions worldwide for cyber criminals engaging in computer hacking, identity theft, ransomware, public corruption, and narcotics distribution," DHS said. "Researchers estimate approximately 95 percent of ransomware payments were laundered through BTC-e."</p><p>While the strategy is an important framework for the U.S. federal government, it has been met with criticism. </p><p>Ray DeMeo, chief operating officer of Virsec, says the DHS strategy is high-level and is missing an implementation plan.</p><p>"One of the document's guiding principles is to foster innovation and agility—this is a big ask, where existing time horizons must be reduced from years down to months," DeMeo says. "We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happening daily, if we are going to change the asymmetric nature of today's threat landscape."</p><p>DeMeo also says he will be looking for more information from DHS—a department with a domestic mandate—about how it intends to address cybersecurity globally.</p><p>"The reality is that a large portion of Internet crime is driven from the international Wild West, from areas with lax law enforcement or actional nation-state sponsorship," he explains. "This problem is as much diplomatic as it is technological."</p><p>Two of the most vocal critics have been U.S. Representative Bennie G. Thompson (D-MS), ranking member of the House Homeland Security Committee, and U.S. Representative Cedric L. Richmond (D-LA), ranking member of the Cybersecurity and Infrastructure Protection Subcommittee and author of the legislation that originally mandated the strategy.</p><p>In a joint statement, Thompson and Richmond said the strategy is overly focused on policies and procedures that DHS needs to develop further. </p><p>"It also fails to mention—at any point—one of the most pressing cybersecurity challenges of the moment: election security," they said. "The fact is, because of the department's failure to adhere to the statutorily-mandated deadline, it lost time and missed opportunities to make progress maturing its cybersecurity posture and capabilities."</p><p>The congressmen added that they hoped to see more information about how DHS plans to implement its strategy in another report, which is due to Congress by August 15, 2018.</p><p>"In particular, we expect it will provide greater detail on the roles and responsibilities that components will undertake, a description of any new authorities it needs to fulfill its mission to secure federal networks, as well as an explanation of what resources the department will need," Thompson and Richmond said.</p><p>As of <em>Security Management</em>'s press time, DHS had not submitted an implementation plan to Congress. ​</p>

Defenses

 

 

https://sm.asisonline.org/Pages/Cyber-Goals-Past-Due.aspx2018-08-01T04:00:00ZCyber Goals: Past Due
https://sm.asisonline.org/Pages/Critical-Risk-Management.aspx2018-08-01T04:00:00ZCritical Risk Management
https://sm.asisonline.org/Pages/Bridging-Worlds.aspx2018-07-01T04:00:00ZBridging Worlds
https://sm.asisonline.org/Pages/Attacks-on-the-Record.aspx2018-06-01T04:00:00ZAttacks on the Record
https://sm.asisonline.org/Pages/Cyber-as-Statecraft.aspx2018-05-01T04:00:00ZCyber as Statecraft
https://sm.asisonline.org/Pages/Missed-Deadline.aspx2018-03-01T05:00:00ZMissed Deadline
https://sm.asisonline.org/Pages/Cybersecurity-for-Remote-Workers.aspx2018-02-12T05:00:00ZCybersecurity for Remote Workers
https://sm.asisonline.org/Pages/A-Cyber-Pipeline.aspx2018-02-01T05:00:00ZA Cyber Pipeline
https://sm.asisonline.org/Pages/Vote-Integrity.aspx2018-02-01T05:00:00ZVote Integrity
https://sm.asisonline.org/Pages/Rethinking-the-Intelligence-Cycle-for-the-Private-Sector.aspx2018-01-26T05:00:00ZRethinking the Intelligence Cycle for the Private Sector
https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspx2018-01-01T05:00:00ZHow to Hack a Human
https://sm.asisonline.org/Pages/Book-Review---Cybersecurity-Law.aspx2018-01-01T05:00:00ZBook Review: Cybersecurity Law
https://sm.asisonline.org/Pages/Held-Hostage-.aspx2017-12-01T05:00:00ZHeld Hostage
https://sm.asisonline.org/Pages/How-to-Minimize-Cybersecurity-Vulnerabilities.aspx2017-11-28T05:00:00ZHow to Minimize Cybersecurity Vulnerabilities
https://sm.asisonline.org/Pages/How-to-Minimize-Cybersecurity-Vulnerabilities-Article.aspx2017-11-28T05:00:00ZHow to Minimize Cybersecurity Vulnerabilities
https://sm.asisonline.org/Pages/Minimize-Cybersecurity-Vulnerablilies.aspx2017-11-28T05:00:00ZHow to Minimize Cybersecurity Vulnerabilities
https://sm.asisonline.org/Pages/Book-Review-Art-of-Invisibility.aspx2017-11-01T04:00:00ZBook Review: Art of Invisibility
https://sm.asisonline.org/Pages/The-Zero-Day-Problem.aspx2017-11-01T04:00:00ZThe Zero Day Problem
https://sm.asisonline.org/Pages/Driving-the-Business.aspx2017-10-01T04:00:00ZDriving the Business
https://sm.asisonline.org/Pages/FBI-Director-Focused-on-Cyber-Threats.aspx2017-09-26T04:00:00ZFBI Director Focused on Cyber Threats

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/New-Ways-to-Manage-Risk.aspxNew Ways to Manage Risk<p>​</p><p>WITH A GROWING CONSENSUS on the need to better protect utilities from the risk of cyberattacks, there is a push for utilities to implement a type of risk management used in the IT world. It is called Governance-Risk-Compliance (GRC) management. When looking at GRC management as an expanded security risk assessment platform, it is most important to put GRC into the proper context. Let us first consider what is leading us to this shift in utilities security practices and then how GRC could work if properly expanded and adapted to the industry.</p><p>Shifting Landscape<br>One of the main reasons for this shift—apart from an obvious need to bring utilities security practices into the 21st century—is a proliferation of IT-based systems now used to manage the integrated electricity grid, water systems, gas supplies, and other daily operations. In addition, allowing customers interactivity with their utility and providing conservation tools online has become the norm. Next generation energy consumers expect nothing less than mobility and information at their fingertips, and utilities will have to comply.</p><p>To meet all of these needs, utilities and others are creating virtual pathways, through inter-connected systems, to core information technology (IT) and operational technology (OT) assets. These OT assets include the core Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used to manage daily grid operations.</p><p>The problem is that compromise of these ICS/SCADA systems could lead to loss of electricity to millions of individuals, businesses, and public-safety systems resulting in massive socio-economic and environmental damage. And various malware vendors that collect and analyze cyberattacks have found evidence that these systems are, indeed, targets of attacks already. Thus, the way in which IT traffic is restricted and controlled across this system becomes of primary importance.</p><p>A Move to GRC<br>Enter GRC management. When we think about more traditional methods of security risk assessment (or threat-risk assessment, as it has also been known), we see a fairly common assessment methodology for physical assets. This includes: categorization of assets with criticality rankings, identification of all prevailing threats (all-hazards approach), identification of vulnerabilities based on detailed examinations of the asset environment (includes people and processes), and assignment of impact/disruption values based on criticality and overall risk ranking. Ultimately, the risk assessment leads to prioritized mitigation planning that ultimately leads into a business case development cycle.</p><p>GRC, having been developed as an IT tool, pulls risk information out of a detailed view of governance structures. This would include risks related to system management, IT-related responsibilities of various groups throughout the enterprise, and IT risks stemming from the utility’s business relationships with partners, vendors, and other stakeholders. It would also include IT risks related to standards and policy compliance (leading to vulnerability assessment) and may include data received from automated vulnerability scans, such as logs of unauthorized login attempts. In brief, the assessment indicates where IT risk exists based on an evaluation of policy and process management desired to keep the IT system healthy, usually as aligned to an adopted standard set like ISO 27000. Depending on the maturity of the organization, there may be multiple standards against which GRC is applied, including more detailed IT management standards based on those established by respected entities, such as NIST.</p><p>GRC does not assess compliance based on some standards frameworks, such as NISTIR 7628. Moreover, GRC does not assess risk in the same manner as a traditional security assessment. For example, there is no ability in the GRC model to assess threat actors or their capabilities and no ability to demonstrate enterprise risk based on things like physical security requirements and similar inputs. Criticality is not even called out as a priority in all cases. One is led to ask, then, what risk is really being measured through this GRC platform, and is the IT GRC platform comprehensive enough to address a smart grid environment?</p><p>But a follow-up question would be if not GRC, then what? There is the North American Electric Reliability Corporation, Critical Infrastructure Protection, or NERC CIP compliance model, which has historically not used GRC. But as helpful as NERC CIP is in addressing critical cyber asset identification, security, and management, NERC CIP does not apply to the distribution grid (which delivers electricity to consumers and comprises most of what we call the smart grid), and it is, therefore, an incomplete standard for addressing smart grid (distribution) complexity.</p><p>On the other hand, the more traditional risk assessment (physical) model, while it is comprehensive enough in its methodology, and while it works well with regard to the inspection of physical IT asset protection, does not even contemplate IT standards, IT governance, and compliance components and, therefore, it cannot produce an adequate risk reporting across the enterprise.</p><p>Expanding GRC<br>Recognizing all of these factors, the answer to assessing the risk for the new smart grid environment may be a much more advanced form of GRC to include the attributes of comprehensive physical asset protection assessment and those of the IT governance and compliance model.</p><p>Risk assessment in this new cyber-risk environment must have a complex means of assessing risk in a dynamic and continuous process, and it must produce real-time risk reporting since threat profiles can change rapidly. Situational awareness inputs, including utility security incident and event management inputs (SIEM), log information, and system-wide alerts need to be funnelled into such an engine to provide appropriate risk indicators for management on the fly.</p><p>Other data points, such as staff training metrics, personnel changes, access privileges, and environmental indicators, are equally important for understanding risk across the system. Risk assessments must factor in external threatscape information, such as what other utilities are reporting, and news about relevant activities of cyber-criminal groups and their capabilities. Some advanced GRC engines are currently the best vehicles for adapting to these needs.</p><p>Transition<br>Assessment of IT risk and physical risk must be integrated with information flowing to a single assessment engine. But even this is not enough. A vastly expanded GRC platform is needed. Furthermore, this expanded GRC assessment must be a continuous process, using as much automation as possible and including manual inputs for information that cannot be scanned in.</p><p>This objective is a daunting, complex goal to consider. But it is absolutely necessary in this complex environment we are now called to manage within the utilities sphere. Getting to this goal will require some fundamental changes, including the development of new skill-sets in the area of security expertise, the development of more comprehensive security software, and the development of utility operations paradigms to accommodate these changes. Attitudes, skill-sets, and processes need to change quickly to meet the expanding operational risk.</p><p>Fortunately, there has already been recognition of and movement on the need to develop new skill-sets. We have seen increased uptake in IT certifications held by utilities security professionals. The agenda of the ASIS International Utilities Security Council has shifted to include more cyber-focused issues. Collaboration between the ASIS Utilities Security Council and the ASIS IT Security Council has increased over a relatively short time, indicating both a desire and a need for traditional security professionals within the utility sphere to learn more and apply more IT security practices to their daily security management practices.</p><p>The Critical Infrastructure Working Group, a collaborative body of numerous ASIS council leaders and others, has started developing a cyber-education initiative to help traditional security professionals transition to a more IT-savvy security knowledge base. Priorities for ASIS education program development and certification requirements have also clearly shifted more toward the cybersecurity end of the spectrum.</p><p>The Utilities Security Council’s recognition of the need to become more IT-centric has also been reflected in its white paper series. All of the papers issued in 2012—including those that covered smart grid security, integrated security, and a future view on certification requirements for utilities—addressed IT-based issues. This represents a key tipping point for what remains a primarily “traditional” group of security professionals who have usually been labelled by their IT counterparts as “physical” security professionals.</p><p>As for the tools needed to adapt an expanded GRC model, GRC software products exist today, and one or two of the developers of those products are trying to address utility needs. The best avenue for adopting this risk-assessment process today may be to apply the most comprehensive GRC software package available, one that has demonstrated the concept of real-time, diverse feeds, and work with that vendor (the author prefers not to identify specific vendors) to develop a more customized model of what your enterprise needs, with a view to the future.</p><p>Compliance management will need to take a dominant position in this development, because regulatory compliance is important for utilities, and because it is possible that the enterprise does not yet fully understand it. A compliance exercise using a robust GRC engine can help flesh this out.</p><p>Finally, given that even transmission line checks and substation maintenance schedules form part of utility compliance, and assist overall utility security, along with dozens of other requirements across the company, a GRC engine should be adapted to include this type of issue. And making it inclusive of these considerations can also help to build a business case for acquiring funding approvals. After all, if any task is important for the ongoing resiliency of the utility, it should be measured in terms of compliance management and as a contributor to overall risk. GRC management can assist with this.</p><p>This article has not explored many of the other factors that will feed into heightened cybersecurity concerns for the utility, like continued adoption of cloud services and expansion of mobility tools, not to mention a complete set of security concerns related to social media and Bring Your Own Device policies. Each will impact the security stability of the utility and electricity grid in new ways and add complexity to security management. Managing vendors to ensure appropriate technologies have security “by design” will be equally important in the overall, ongoing risk assessment. There are many vulnerability points in utility operations separate from and contributing to security management issues. Each must be factored into the daily security risk management cycle.</p><p>Doug Powell, CPP, PSP, is manager of security, privacy and safety governance and risk for smart metering at BC Hydro in British Columbia, Canada. He serves as vice chair of the ASIS International Utilities Security Council and chair of the Critical Infrastructure Working Group. He is also an associate to the Infrastructure Resiliency Research Group at Carleton University in Ottawa, Ontario. He has more than 30 years’ experience in the industry and has been recognized with numerous awards. The Utilities Security Council has written white papers on many of the topics discussed in this article as well as others not addressed here. These papers are excellent resources to begin understanding the scope of security risk management issues today.<br></p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/The-Role-of-School-Resource-Officers.aspxThe Role of School Resource Officers<p>​Mo Canady, executive director of the National Association of School Resource Officers (NASRO), discusses the security implications of an SRO’s role in today’s educational environment.</p><p class="p1"><i>Q. What are school resource officers (SROs) and what are some of their job functions?  </i></p><p class="p1"><b>A. </b>SROs are sworn law enforcement officers assigned by their employing law enforcement agency to work with schools. They go into the classroom with a diverse curriculum in legal education. They aid in teaching students about the legal system and helping to promote an awareness of rules, authority, and justice. Outside of the classroom, SROs are mentoring students and engaging with them in a variety of positive ways.</p><p class="p1"><i>Q. What are some of the standards and best practices your organization teaches? </i></p><p class="p1"><b>A. T</b>here are three important things that need to happen for an SRO program to be successful. Number one, the officers must be properly selected. Number two, they have to be properly trained. And thirdly, it has to be a collaborative effort between the law enforcement agency and the school district. This can’t just be a haphazard approach of, “We have a drug problem; let’s put some police officers in there and try to combat it.” It needs to be a community-based policing approach.</p><p class="p1"><i>Q. Some SROs have come under fire for being too aggressive in the classroom. What’s your take?</i></p><p class="p1"><b>A. </b>There have been a handful of incidents that have played out in the media. But, it is up to the investigating agency to determine right and wrong. I’ve been very happy with the fact that the majority of those officers involved in these incidents have not been trained by us.</p><p class="p1"><i>Q. How does NASRO train officers to deal with potential threats? </i></p><p class="p1"><b>A. </b>In our training, we certainly talk about lockdown procedures and possible responses to active shooter situations, but we don’t get too detailed. It’s really up to each agency to make those kinds of decisions. In the case of an active shooter, I don’t believe most SROs are going to wait for additional backup to get there. Most of them are so bought into their schools and their relationships with their students, that if they hear gunfire, they’re going to go try to stop whatever is happening. </p><p class="p1"><i>Q. Do SROs consider themselves security officers? </i></p><p class="p1"><b>A. </b>We’re engaged in security and it’s a big part of what we do—but it’s just one piece of what we do. Sometimes when people think about physical security, the idea of relationship building doesn’t necessarily come in there, and yet it’s the lead thing for us. We know that through those relationships, if we’re building them the right way, we may get extremely valuable information from students, parents, faculty, and staff. It’s what leads to SROs in many cases being able to head off bad situations before they happen.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspxSurveillance and Stereotypes<p>​Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report <em>Shop­lifting Statistics.</em></p><p>To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags. </p><p>The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters. </p><p>Are these surveillance decisions a result of bias? To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.​</p><h4>Existing Data</h4><p>A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.</p><p>Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves. </p><p>Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes. </p><p>It is also common for the media to portray adolescents—particularly boys—as criminals. Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.</p><p>The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers purport that they were targeted through excessive surveillance—and even through false arrests. </p><p>Researchers have shown that this automated bias occurs even when observers were trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”</p><p>Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. The results of accumulated discrimination, accrued during each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue in the legal system. This is evidenced by the disproportionate number of African- and Latin-American boys shown in the apprehension and arrest statistics of juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the Chicago University Press. ​</p><h4>Current Research</h4><p>To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas:  97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state. </p><p><strong>Shoplifter profile. </strong>The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.</p><p>The security and emergency management major students—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.</p><p>Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status. </p><p>The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. The two samples also indicated that the stereotypical thief was likely to have short or medium length brown or black hair and an identifying mark—such as a piercing. </p><p>These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.</p><p><strong>Decision processes. </strong>After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security guards’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.</p><p>The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. However, the description of the overt behaviors by the juvenile was the same for every scenario—selecting and returning shirts in a rack, glancing around the store, and stuffing a shirt into a backpack.</p><p>Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling a juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. Researchers reasoned that respondents should draw identical conclusions for surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but that students would have different recommendations for these choices if their racial or ethnic stereotypes were activated.</p><p>Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences for race or ethnicity were notable when considering reliance on physical characteristics.</p><p>Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. Their selection of the least severe sanction—talk to the juvenile—was doled out at a higher rate for boys than for girls of each ethnicity except European Americans, which did not differ.</p><p>The moderate level sanction—call the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe level sanction—ban the youth from the store—was selected more for boys than for girls of African descent. However, it was selected more for girls than for boys of Asian, European, and Middle Eastern descent.<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%201.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:510px;" /></p><p>Respondents who indicated a preference for applying formal sanctions attributed physical characteristics to the guards’ surveillance decision for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities. </p><p>Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. Their selection of the least severe sanction—involve the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.</p><p>The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.</p><p>Finally, a comparison of our data revealed that respondents believed informal—rather than formal—consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent. ​<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%202.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:519px;" /></p><h4>Lessons Learned</h4><p>Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also showed that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.</p><p>Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. Our data suggests that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also simultaneously prevents security officers from apprehending shoplifters.</p><p>Other research, such as from “Juvenile Shoplifting Delinquency: Findings from an Austrian Study” published in the 2014 Journal for Police Science and Practice, shows that only 10 percent of juveniles are caught shoplifting. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.</p><p>Another issue that was addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police. </p><p>Retailers instead focus on minimizing loss and negative publicity, and may rationalize against reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.</p><p>These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting. </p><p>There are benefits for retailers who involve the legal system, especially for informal police sanctions. </p><p>First, criminal justice diversion programs and psychological treatment and educational programs treatment may reduce recidivism. For example, shoplifters who attended and completed a diversion program had significantly fewer re-arrests compared to those who failed to complete or did not attend, a DOJ study found.</p><p>Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased. ​</p><h4>Recommendations</h4><p>Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices. They also need training to learn which behavioral indices are most effective in distinguishing shoppers from shoplifters. </p><p>If retailers do not make significant changes in guiding their employees—particularly security officers—towards objective measures of vigilance to prevent shoplifting, their financial loss will continue to be in the billions of dollars. </p><p>Private security officers must be taught how to treat all potential shoplifters, regardless of their gender, in the same way to prevent making mistakes and subjecting retailers to lawsuits for discriminatory security practices.</p><p>Overcoming unconscious biases is difficult. Prior to specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered. </p><p>The officers should also keep records that specify each incident of shoplifting, what behaviors drew their attention to warrant surveillance, what act occurred to provoke them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and reasons for the decision. The officers should then review these records with their retail managers.</p><p>Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors to increase detection and reduce shrink. </p><p>The incident records could be introduced and used to help identify the impact biases have on private security professionals’ decisionmaking about juvenile shoplifters. It would also help security guards learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.</p><p>Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples.  </p><p>--<br></p><p><em><strong>Dr. Lauren R. Shapiro </strong>is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. <strong>Dr. Marie-Helen (Maria) Maras</strong> is an associate professor at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security.   ​</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465