Defenses

 

 

https://sm.asisonline.org/Pages/Trump’s-Cybersecurity-Executive-Order-Well-Received-by-Experts.aspxTrump’s Cybersecurity Executive Order Well Received by ExpertsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-05-12T04:00:00Zhttps://adminsm.asisonline.org/pages/megan-gates.aspx, Megan Gates<p>​After months of waiting and leaked drafts, U.S. President Donald Trump signed a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal" target="_blank">cybersecurity executive order </a>yesterday that aims to strengthen U.S. government networks and critical infrastructure.</p><p>The executive order is broken into three parts—securing U.S. government networks, enhancing critical infrastructure cybersecurity, and cybersecurity for the nation—and is an effort to change the course of the U.S. government’s cyber posture, said Tom Bossert, White House homeland security advisor, in a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/press-briefing-principal-deputy-press-secretary-sarah-sanders-and">press briefing on the order.</a><br></p><p>A key element of the executive order is looking at the U.S. government’s cybersecurity as a whole—not as 190 separate agencies, Bossert explained.<br></p><p>“We need to look at the federal government as an enterprise, so that we no longer look at the Office of Personnel Management (OPM) and think, ‘Well, you can defend your OPM network with the money commensurate for the OPM responsibility,’” he said. “OPM, as you know, had the crown jewel, so to speak, of our information and all of our background and security clearances.<br></p><p>“What we’d like to do is look at that and say, ‘That is a very high risk, high cost for us to bear. Maybe we should look at this as an enterprise and put collectively more information in protecting them than we would otherwise put into OPM looking at their relevant importance to the entire government.”​<br></p><h4>Government Networks</h4><p>“The first priority for the president and for our federal government is protecting our federal networks,” Bossert explained. “I think it’s important to start by explaining that we operate those federal networks on behalf of the American people, and they often contain the American people’s information and data, so not defending them is no longer an option. We’ve seen past hacks and past efforts that have succeeded, and we need to do everything we can to prevent that from happening in the future.”</p><p>As part of that effort, the executive order said the president will hold executive department and agency heads accountable for managing cybersecurity risk to their enterprises. Under the order, they will implement risk management measures “commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”<br></p><p>Anthony J. Ferrante, senior managing director in the Global Risk & Investigations Practice at FTI Consulting and former director for cyber incident response at the National Security Council, says he’s glad to see this change in the federal government’s posture.<br></p><p>“In the years following the OPM attack, it is nice to see that the administration recognizes that it operates federal networks on behalf of the American people, and it is a strong move to say that the president is going to hold the heads of departments and agencies accountable for the cybersecurity of their networks,” Ferrante adds.<br></p><p>Additionally, agency and department heads are required to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage their respective organization’s risk. Each agency has been instructed to provide a risk management report to the secretary of the Department of ​​Homeland Security and the director of the Office of Management and Budget (OMB) within 90 days.<br></p><p>“We have practiced one thing and preached another,” Bossert said. “It’s time for us now…to implement the NIST framework. It’s a risk-reduction framework.”<br></p><p>Requiring government agencies to adopt the NIST framework—like the private sector has been encouraged to do—is a positive step, says Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC).<br></p><p>“The acknowledgement of risk acceptance is significant,” Harrell explains. “Within all IT systems, we have the ability to accept, avoid, mitigate, or transfer risk.”<br></p><p>Also part of the executive order’s plan to modernize government IT and manage risk is a directive that agency heads show preference in their procurement for shared IT services, including e-mail, cloud, and cybersecurity services.<br></p><p>“We have 190 agencies that are all trying to develop their own defenses against advanced protection and collection efforts,” Bossert said. “I don’t think that that’s a wise approach.”<br></p><p>Utilizing shared IT services does come with risk, but it will put the federal government in a better position to manage those risks, Bossert added.<br></p><p>“I’m not here to promote for you that the president has signed an executive order and created a cybersecure world in a fortress USA,” he said. “That’s not the answer. But if we don’t move to secure services and shared services, we’re going to be behind the eight ball for a very long time.”<br></p><p>This is a positive step, says Will Ackerly, chief technology officer at Virtru and former lead security architect for the National Security Agency’s (NSA’s) first cross-domain cloud. <br></p><p>“It’s positive if managed well. The risk and threat change with on-premise to cloud,” Ackerly explains. “When you move to Google, you now all of a sudden have many security engineers online on a real-time basis available to essentially protect your data. The trade is, you don’t have the same kind of direct control or insight…into how your data is being accessed.”<br></p><p>Agencies and departments will also have to avoid creating a monoculture, or choosing the same platform across the board,​​ because if there is a problem with the technology or an attack on it, there could be a “massive issue,” Ackerly adds.<br></p><p>Overall, however, utilizing shared services is a step in the right direction as it will free agencies up to “focus on what they’re good at—their core mission—instead of having to figure out over and over the same IT programs,” he says.<br></p><p>The government’s ability to do this successfully, however, will depend on its ability to secure funding and change its purchasing constraints around technology—which may require Congressional action.<br></p><p>“The majority of [these agencies’] budget is spent on legacy systems,” says John Dickson, CISSP, principal at Denim Group and former U.S. Air Force officer who served in the Air Force Information Warfare Center. “If you are spending a lot of money, and 75 percent of that is to maintain what you have, you simply are not going to be able to put a dint in this problem.”<br></p><p>Another area that gives some experts pause, however, is that the agency risk management reports may be classified in full—or in part—and not available to the public. <br></p><p>“Particularly when you’re talking about trying to manage risk across many, many agencies, that requires good information sharing,” Ackerly adds. “I think it can be a lot harder when there isn’t transparency, at least at the core level.”<br></p><p>He also raised concerns about the number of reports and assessments the executive order has asked government officials to compile to analyze the federal government’s cybersecurity posture and path forward. <br></p><p>“A lot of these reports end up sitting on shelves; a lot of work is going to go into producing these things and updating them,” Ackerly says, adding that it might have been a better idea to create a position of a cybersecurity czar to manage this process so there’s “clear central authority that coordinates actions that the CISOs are accountable to…I worry that this might be another paper exercise.”​<br></p><h4>Critical Infrastructure</h4><p>The second portion of the executive order focuses on critical infrastructure cybersecurity and calls for reports to identify ways that agencies could support the cybersecurity efforts of critical infrastructure entities that are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” according to the order.</p><p>In particular, the order asks for the secretaries of energy and homeland security, with the director of national intelligence and local authorities, to assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident.<br></p><p>Harrell says electric utilities are well positioned to aid the government in this effort and provide a report to the president. <br></p><p>“The NERC Grid Security Exercise is a notable example of how the industry has taken cyber threats seriously, and while many lessons have been derived from the national exercise, industry understands the magnitude of a wide-area disruption due to a security event,” Harrell explains. “I would strongly recommend that the Department of Energy reach out to NERC, utilities, and industry trade associations to compile their findings as many lessons-learned have already been documented and acted upon.”<br></p><p>The executive order also calls for the secretaries of commerce and homeland security to identify and promote action by stakeholders to improve the resilience of the telecommunications industry to “dramatically” reduce the number of botnet attacks in the United States. <br></p><p>This will require cooperation from the private sector, particularly from Sprint, AT&T, Verizon, and other carriers, Dickson says. “All the people that are essentially providing Internet and phone connectivity, because there’s certain things they can do in real-time to make it harder for those types of attacks to propagate.”<br></p><p>Not to be ignored, however, are potential strides the government could make with device manufacturers, Ackerly says, who could be encouraged to create devices that are inherently more secure and less likely to be compromised and part of a botnet.​<br></p><p>One action Ackerly says he thinks would be a risky choice for the government would be to encourage active attacks to prevent botnet attacks.</p><p>“The military has authority to do active attacks,” he explains. “I don’t think we want to encourage companies to break the law and respond directly to take down systems that are not their own that are trying to interfere with their services.”</p><h4>National Security</h4><p>The final section of the executive order deals with ensuring that the Internet remains valuable for future generations by deterring cyberattacks and investing in the nation’s future workforce. </p><p>The order calls for the secretaries of state, treasury, defense, commerce, homeland security, and the attorney general, amongst others, to submit a report to the president on the nation’s strategic options for deterring adversaries and protecting Americans from cyber threats. It also requires the secretaries to document a strategy for international cooperation in cybersecurity.<br></p><p>“The Russians are not our only adversary on the Internet, and the Russians are not the only people that operate in a negative way on the Internet,” Bossert said. “The Russians, the Chinese, the Iranians, other nation states are motivated to use cyber capacity and cyber tools to attack our people and our governments and their data.<br></p><p>“That’s something we can no longer abide. We need to establish the rules of the road for proper behavior on the Internet, but we also then need to deter those who don’t want to abide by those rules,” he said.<br></p><p>The executive order also calls for an assessment of the scope of current efforts to educate and train the American cybersecurity workforce of the future to maintain the United States’ competitive advantage.<br></p><p>Harrell says he found this inclusion in the executive order encouraging. “In a world of constant cyberattacks and massive data breaches, cybersecurity is more important today than ever before,” he adds. “As Americans become more dependent on modern technology, the demand to protect the nation’s digital infrastructure will continue to grow. Many organizations are desperate to find qualified security professionals and fill key staff positions. Promoting professional education, training, and STEM classes will start to bridge the cybersecurity workforce gap.”</p>

Defenses

 

 

https://sm.asisonline.org/Pages/Trump’s-Cybersecurity-Executive-Order-Well-Received-by-Experts.aspx2017-05-12T04:00:00ZTrump’s Cybersecurity Executive Order Well Received by Experts
https://sm.asisonline.org/Pages/Insuring-Data-Loss.aspx2017-05-01T04:00:00ZInsuring Data Loss
https://sm.asisonline.org/Pages/Cyber-Travel-Tips.aspx2017-05-01T04:00:00ZCyber Travel Tips
https://sm.asisonline.org/Pages/Security-Alerts.aspx2017-05-01T04:00:00ZSecurity Alerts
https://sm.asisonline.org/Pages/A-Conversation-with-the-Director-of-the-U.S.-NBIB.aspx2017-04-01T04:00:00ZA Conversation with the Director of the U.S. NBIB
https://sm.asisonline.org/Pages/Cyber-War-Games.aspx2017-04-01T04:00:00ZCyber War Games
https://sm.asisonline.org/Pages/Outdated-Protocols-and-Practices-Put-the-IoT-Revolution-at-Risk.aspx2017-03-24T04:00:00ZOutdated Protocols and Practices Put the IoT Revolution at Risk
https://sm.asisonline.org/Pages/Five-SSH-Facts.aspx2017-03-01T05:00:00ZFive SSH Facts
https://sm.asisonline.org/Pages/Stopping-the-Cyber-Buck.aspx2017-03-01T05:00:00ZStopping the Cyber Buck
https://sm.asisonline.org/Pages/No-One-at-the-Wheel.aspx2017-02-01T05:00:00ZNo One at the Wheel
https://sm.asisonline.org/Pages/Book-Review---Secrets.aspx2017-01-01T05:00:00ZBook Review: Secrets
https://sm.asisonline.org/Pages/Pesky-Passwords.aspx2017-01-01T05:00:00ZPesky Passwords
https://sm.asisonline.org/Pages/The-Hunt-for-Talent.aspx2016-12-01T05:00:00ZThe Hunt for Talent
https://sm.asisonline.org/Pages/An-Integrated-Defense.aspx2016-11-01T04:00:00ZAn Integrated Defense
https://sm.asisonline.org/Pages/Are-Third-Parties-Posing-a-Risk-to-Your-Corporate-Network.aspx2016-10-28T04:00:00ZQ&A: Are Third Parties Posing a Risk to Your Network?
https://sm.asisonline.org/Pages/Book-Review---Cyber-Security.aspx2016-10-01T04:00:00ZBook Review: Cyber Security
https://sm.asisonline.org/Pages/Tech-Trends-1.aspx2016-09-01T04:00:00ZTech Trends
https://sm.asisonline.org/Pages/A-Conversation-with-the-FBI.aspx2016-09-01T04:00:00ZIlluminating Going Dark: A Conversation with the FBI
https://sm.asisonline.org/Pages/Book-Review---Protecting-Critical-Infrastructures-from-Cyber-Attack-and-Cyber-Warfare.aspx2016-07-01T04:00:00ZBook Review: Protecting Critical Infrastructures from Cyber Attack and Cyber Warfare
https://sm.asisonline.org/Pages/The-Cyber-Incident-Survival-Guide.aspx2016-07-01T04:00:00ZThe Cyber Incident Survival Guide

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/The-Security-Gender-Gap.aspxThe Security Gender Gap<p>From the 2016 ​ASIS International Compensation Survey​</p><p><img src="/ASIS%20SM%20Callout%20Images/11-15%20Snapshot%20C2.jpg" alt="11-15 Snapshot C2.jpg" style="margin:5px;width:880px;height:1160px;" /> </p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspxSurveillance and Stereotypes<p>​Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report <em>Shop­lifting Statistics.</em></p><p>To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags. </p><p>The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters. </p><p>Are these surveillance decisions a result of bias? To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.​</p><h4>Existing Data</h4><p>A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.</p><p>Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves. </p><p>Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes. </p><p>It is also common for the media to portray adolescents—particularly boys—as criminals. Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.</p><p>The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers purport that they were targeted through excessive surveillance—and even through false arrests. </p><p>Researchers have shown that this automated bias occurs even when observers were trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”</p><p>Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. The results of accumulated discrimination, accrued during each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue in the legal system. This is evidenced by the disproportionate number of African- and Latin-American boys shown in the apprehension and arrest statistics of juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the Chicago University Press. ​</p><h4>Current Research</h4><p>To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas:  97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state. </p><p><strong>Shoplifter profile. </strong>The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.</p><p>The security and emergency management major students—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.</p><p>Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status. </p><p>The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. The two samples also indicated that the stereotypical thief was likely to have short or medium length brown or black hair and an identifying mark—such as a piercing. </p><p>These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.</p><p><strong>Decision processes. </strong>After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security guards’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.</p><p>The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. However, the description of the overt behaviors by the juvenile was the same for every scenario—selecting and returning shirts in a rack, glancing around the store, and stuffing a shirt into a backpack.</p><p>Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling a juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. Researchers reasoned that respondents should draw identical conclusions for surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but that students would have different recommendations for these choices if their racial or ethnic stereotypes were activated.</p><p>Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences for race or ethnicity were notable when considering reliance on physical characteristics.</p><p>Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. Their selection of the least severe sanction—talk to the juvenile—was doled out at a higher rate for boys than for girls of each ethnicity except European Americans, which did not differ.</p><p>The moderate level sanction—call the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe level sanction—ban the youth from the store—was selected more for boys than for girls of African descent. However, it was selected more for girls than for boys of Asian, European, and Middle Eastern descent.<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%201.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:510px;" /></p><p>Respondents who indicated a preference for applying formal sanctions attributed physical characteristics to the guards’ surveillance decision for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities. </p><p>Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. Their selection of the least severe sanction—involve the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.</p><p>The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.</p><p>Finally, a comparison of our data revealed that respondents believed informal—rather than formal—consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent. ​<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%202.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:519px;" /></p><h4>Lessons Learned</h4><p>Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also showed that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.</p><p>Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. Our data suggests that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also simultaneously prevents security officers from apprehending shoplifters.</p><p>Other research, such as from “Juvenile Shoplifting Delinquency: Findings from an Austrian Study” published in the 2014 Journal for Police Science and Practice, shows that only 10 percent of juveniles are caught shoplifting. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.</p><p>Another issue that was addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police. </p><p>Retailers instead focus on minimizing loss and negative publicity, and may rationalize against reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.</p><p>These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting. </p><p>There are benefits for retailers who involve the legal system, especially for informal police sanctions. </p><p>First, criminal justice diversion programs and psychological treatment and educational programs treatment may reduce recidivism. For example, shoplifters who attended and completed a diversion program had significantly fewer re-arrests compared to those who failed to complete or did not attend, a DOJ study found.</p><p>Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased. ​</p><h4>Recommendations</h4><p>Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices. They also need training to learn which behavioral indices are most effective in distinguishing shoppers from shoplifters. </p><p>If retailers do not make significant changes in guiding their employees—particularly security officers—towards objective measures of vigilance to prevent shoplifting, their financial loss will continue to be in the billions of dollars. </p><p>Private security officers must be taught how to treat all potential shoplifters, regardless of their gender, in the same way to prevent making mistakes and subjecting retailers to lawsuits for discriminatory security practices.</p><p>Overcoming unconscious biases is difficult. Prior to specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered. </p><p>The officers should also keep records that specify each incident of shoplifting, what behaviors drew their attention to warrant surveillance, what act occurred to provoke them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and reasons for the decision. The officers should then review these records with their retail managers.</p><p>Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors to increase detection and reduce shrink. </p><p>The incident records could be introduced and used to help identify the impact biases have on private security professionals’ decisionmaking about juvenile shoplifters. It would also help security guards learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.</p><p>Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples.  </p><p>--<br></p><p><em><strong>Dr. Lauren R. Shapiro </strong>is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. <strong>Dr. Marie-Helen (Maria) Maras</strong> is an associate professor at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security.   ​</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Book-Review---Investigative-Interviewing---Psychology,-Method-and-Practice.aspxBook Review: Investigative Interviewing: Psychology, Method and Practice<p><span style="line-height:1.5em;">The primary goal of any investigativ</span><span style="line-height:1.5em;">e interview is to arrive at the most accurate version of what happened in an incident—the factual details of who did what to whom, where, when, why, and how. Investigative Interviewing by Eugene Ferraro, CPP, PCI, raises the bar for the security literature with his ethical approach. This valuable book is destined for all security practitioners' bookshelves—both seasoned investigators and those just beginning their careers. Ferraro adeptly equips the reader with the essential knowledge and skills to reach this a priori investigative interviewing goal, and the book successfully achieves its primary purpose.</span></p><p>Based on sound investigative theory, the book is grounded in the actual practice and process of interviewing psychology and methods, which come from the author's years of professional experience. To this end, the book also succeeds in reinforcing the 21st century mantra we need to remember in dealing with the current information overload: Control the few controllables, and manage the remaining manageables.</p><p>The underlying message of the book is to control all the factors that impede or facilitate the truthful admission of an investigative interview, and then manage the rest of the process to remove as much of the natural uncertainty as possible, given time, legal, resource, and other practical constraints.</p><p>The pluses of this book are many. There are refreshingly new solutions to older problems and challenges in the practical "Tips" and "Traps" throughout the book. For example, the reader can learn the qualitative differences between admissions and confessions and the proper sequence of investigating and interviewing. Other successful elements include the distinctions between public and private sector investigative milieus; a guide to meeting legal challenges and avoiding litigation; and the specific techniques and variety of methods to assure a high success rate in interviewing and communication of results. Also enlightening are the important section on managing deception detection, the many useful appendices, a well-organized index and bibliography, and an encouraging look at the future of investigative interviewing. </p><p>One element missing from this book is coverage of cognitive biases that keep interviewers from discovering the real truth. (An excellent treatment of the subject can be found in The Psychology of Intelligence Analysis by former CIA Assistant Director Richards Heuer.)</p><p>Overall this is a successful book. Readers can journey into the male­volent minds of those who are intent in doing harm in this dangerous world, where truth is getting more complicated and muddled, but there is more urgency to uncover it.</p><p>Reviewer: William S. Cottringer, Ph.D., CHS-III (Certified in Homeland Security, Level III) is executive vice president of Puget Sound Security and an adjunct professor of criminal justice at Northwest University. He is also an expert security and corrections witness, sport psychologist, and success coach. He has been an active member of ASIS since 1990. Cottringer has published nine books and more than 300 professional articles. His most recent book is Reality Repair.</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465