Defenses

 

 

https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspxHow to Hack a HumanGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-01-01T05:00:00Z<p>​It all started innocuously with a Facebook friend request from an attractive woman named Mia Ash. Once her request was accepted, she struck up a conversation about various topics and showed interest in her new friend's work as a cybersecurity expert at one of the world's largest accounting firms.</p><p>Then, one day Mia shared her dream—to start her own company. She had one problem, though; she did not have a website and did not know how to create one. Surely her new friend could use his expertise to help her achieve her dreams by helping her make one? </p><p>Mia said she could send him some text to include on the new site. He agreed, and when he received a file from Mia he opened it—on his work computer. That simple act launched a malware attack against his company resulting in a significant compromise of sensitive data.</p><p>Mia was not a real person, but a care- fully crafted online persona created by a prolific group of Iranian hackers—known as Oilrig—to help this elaborate spear phishing operation succeed. </p><p>Due to his role in cybersecurity, the target was unlikely to have fallen for a standard phishing attack, or even a normal spear phishing operation. He was too well trained for that. But nobody had prepared him for a virtual honey trap, and he fell for the scheme without hesitation.</p><p>This case is a vivid reminder that when cybersecurity measures become difficult to penetrate by technical means, people become the weakest link in a cybersecurity system. It also illustrates how other intelligence tools can be employed to help facilitate cyber espionage.</p><p>While many hackers are merely looking to exploit whatever they can for monetary gain, those engaging in cyber espionage are different. They are often either working directly for a state or large nonstate actor, or as a mercenary contracted by such an actor tasked with obtaining specific information.</p><p>This targeted information typically pertains to traditional espionage objectives, such as weapons systems specifications or the personal information of government employees—like that uncovered in the U.S. Office of Personnel Management hack. </p><p>The information can also be used to further nondefense-related economic objectives, such as China's research and design 863 program, which was created to boost innovation in high-tech sectors in China. </p><p>Given this distinction and context, it is important to understand that hacking operations are just one of the intelligence tools sophisticated cyber espionage actors possess. Hacking can frequently work in conjunction with other intelligence tools to make them more efficient.</p><p>Hacking into the social media accounts or cell phone of a person targeted for a human intelligence recruitment operation can provide a goldmine of information that can greatly assist those determining the best way to approach the target. </p><p>For instance, hacking into a defense contractor's email account could provide important information about the date, time, and place for the testing of a revolutionary new technology. This information could help an intelligence agency focus its satellite imagery, electronic surveillance, and other collection systems on the test site.</p><p>Conversely, intelligence tools can also be used to enable hacking operations. Simply put, if a sophisticated cyber espionage actor wants access to the information contained on a computer system badly enough, and cannot get in using traditional hacking methods, he or she will use other tools to get access to the targeted system. A recent case in Massachusetts illustrates this principle.</p><p>Medrobotics CEO Samuel Straface was leaving his office at about 7:30 p.m. one evening when he noticed a man sitting in a conference room in the medical technology company's secure area, working on what appeared to be three laptop computers.</p><p>Straface did not recognize the man as an employee or contractor, so he asked him what he was doing. The man replied that he had come to the conference room for a meeting with the company's European sales director. Straface informed him that the sales director had been out of the country for three weeks.</p><p>The man then said he was supposed to be meeting with Medrobotics' head of intellectual property. But Straface told him the department head did not have a meeting scheduled for that time. </p><p>Finally, the man claimed that he was there to meet the CEO. Straface then identified himself and more strongly confronted the intruder, who said he was Dong Liu—a lawyer doing patent work for a Chinese law firm. Liu showed Straface a LinkedIn profile that listed him as a senior partner and patent attorney with the law firm of Boss & Young. </p><p>Straface then called the police, who arrested Liu for trespassing and referred the case to the FBI. The Bureau then filed a criminal complaint in the U.S. District Court for the District of Massachusetts, charging Liu with one count of attempted theft of trade secrets and one count of attempted access to a computer without authorization. After his initial court appearance, Liu was ordered held pending trial.</p><p>Straface caught Liu while he was presumably attempting to hack into the company's Wi-Fi network. The password to the firm's guest network was posted on the wall in the conference room, and it is unclear how well it was isolated from the company's secure network. It was also unknown whether malware planted on the guest network could have affected the rest of the company's information technology infrastructure.</p><p>The fact that the Chinese dispatched Liu from Canada to Massachusetts to conduct a black bag job—an age-old intelligence tactic to covertly gain access to a facility—indicates that it had not been able to obtain the information it desired remotely.</p><p>China had clear interest in Medrobotics' proprietary information. Straface told FBI agents that companies from China had been attempting to develop a relationship with the company for about 10 years, according to the FBI affidavit. Straface said he had met with Chinese individuals on about six occasions, but ultimately had no interest in pursuing business with the Chinese.</p><p>Straface also noted that he had always met these individuals in Boston, and had never invited them to his company's headquarters in Raynham, Massachusetts. This decision shows that Straface was aware of Chinese interest in his company's intellectual property and the intent to purloin it. It also shows that he consciously attempted to limit the risk by keeping the individuals away from his facilities. Yet, despite this, they still managed to come to the headquarters.</p><p>Black bag attacks are not the only traditional espionage tool that can be employed to help facilitate a cyberattack. Human intelligence approaches can also be used. </p><p>In traditional espionage operations, hostile intelligence agencies have always targeted code clerks and others with access to communications systems. </p><p>Computer hackers have also targeted humans. Since the dawn of their craft, social engineering—a form of human intelligence—has been widely employed by hackers, such as the Mia Ash virtual honey trap that was part of an elaborate and extended social engineering operation.</p><p>But not all honey traps are virtual. If a sophisticated actor wants access to a system badly enough, he can easily employ a physical honey trap—a very effective way to target members of an IT department to get information from a company's computer system. This is because many of the lowest paid employees at companies—the entry level IT staff—are given access to the company's most valuable information with few internal controls in place to ensure they don't misuse their privileges.</p><p>Using the human intelligence approaches of MICE (money, ideology, compromise, or ego), it would be easy to recruit a member of most IT departments to serve as a spy inside the corporation. Such an agent could be a one-time mass downloader, like Chelsea Manning or Edward Snowden. </p><p>Or the agent could stay in place to serve as an advanced, persistent, internal threat. Most case officers prefer to have an agent who stays in place and provides information during a prolonged period of time, rather than a one-time event.</p><p>IT department personnel are not the only ones susceptible to such recruitment. There are a variety of ways a witting insider could help inject malware into a corporate system, while maintaining plausible deniability. Virtually any employee could be paid to provide his or her user ID and password, or to intentionally click on a phishing link or open a document that will launch malware into the corporate system. </p><p>An insider could also serve as a spotter agent within the company, pointing out potential targets for recruitment by directing his or her handler to employees with marital or financial issues, or an employee who is angry about being passed over for a promotion or choice assignment.</p><p>An inside source could also be valuable in helping design tailored phishing attacks. For instance, knowing that Bob sends Janet a spreadsheet with production data every day, and using past examples of those emails to know how Bob addresses her, would help a hacker fabricate a convincing phishing email.</p><p>Insider threats are not limited only to the recruitment of current employees. There have been many examples of the Chinese and Russians recruiting young college students and directing them to apply for jobs at companies or research institutions in which they have an interest.</p><p>In 2014, for instance, the FBI released a 28-minute video about Glenn Duffie Shriver—an American student in Shanghai who was paid by Chinese intelligence officers and convicted of trying to acquire U.S. defense secrets. The video was designed to warn U.S. students studying abroad about efforts to recruit them for espionage efforts.</p><p>Because of the common emphasis on the cyber aspect of cyber espionage—and the almost total disregard for the role of other espionage tools in facilitating cyberattacks—cyber espionage is often considered to be an information security problem that only technical personnel can address. </p><p>But in the true sense of the term, cyber espionage is a much broader threat that can emanate from many different sources. Therefore, the problem must be addressed in a holistic manner. </p><p>Chief information security officers need to work hand-in-glove with chief security officers, human resources, legal counsel, and others if they hope to protect the companies and departments in their charge. </p><p>When confronted by the threat of sophisticated cyber espionage actors who have a wide variety of tools at their disposal, employees must become a crucial part of their employers' defenses as well. </p><p>Many companies provide cybersecurity training that includes warnings about hacking methods, like phishing and social engineering, but very few provide training on how to spot traditional espionage threats and tactics. This frequently leaves most workers ill prepared to guard themselves against such methods. </p><p>Ultimately, thwarting a sophisticated enemy equipped with a wide array of espionage tools will be possible only with a better informed and more coordinated effort on the part of the entire company.  </p><h4>Sidebar: The Mice and Men Connection</h4><p> </p><p>The main espionage approaches that could be used to target an employee to provide information, network credentials, or to introduce malware can be explained using the KGB acronym of MICE.</p><p>M = Money. In many cases, this does equal cold, hard cash. But it can also include other gifts of financial value—travel, jewelry, vehicles, education, or jobs for family members. Historic examples of spies recruited using this hook include CIA officer Aldrich Ames and the Walker spy ring.</p><p>A recent example of a person recruited using this motivation was U.S. State Department employee Candace Claiborne, who the U.S. Department of Justice charged in March 2017 with receiving cash, electronics, and travel for herself from her Chinese Ministry of State Security handler, as well as free university education and housing for her son.</p><p>I = Ideology. This can include a person who has embraced an ideology such as communism, someone who rejects this ideology, or who otherwise opposes the actions and policies of his or her government.</p><p>Historical examples of this recruitment approach include the Cambridge five spy ring in the United Kingdom and the Rosenbergs, who stole nuclear weapons secrets for the Soviet Union while living in the United States.</p><p>One recent example of an ideologically motivated spy is Ana Montes, who was a senior U.S. Defense Intelligence Agency analyst recruited by the Cuban DGI, who appealed to her Puerto Rican heritage and U.S. policies toward Puerto Rico. Another ideologically motivated spy was Chelsea Manning, a U.S. Army private who stole thousands of classified documents and provided them to WikiLeaks.</p><p>C = Compromise. This can include a wide range of activities that can provide leverage over a person, such as affairs and other sexual indiscretions, black market currency transactions, and other illegal activity. It can also include other leverage that a government can use to place pressure on family members, like imprisoning them or threatening their livelihood.</p><p>Historic examples of this approach include U.S. Marine security guard Clayton Lonetree, who was snared by a Soviet sexual blackmail scheme—a honey trap—in Moscow, and FBI Special Agent James Smith who was compromised by a Chinese honey trap.</p><p>More recently, a Japanese foreign ministry communications officer hung himself in May 2004 after falling into a Chinese honey trap in Shanghai.</p><p>E = Ego. This approach often involves people who are disenchanted after being passed over for a promotion or choice assignment, those who believe they are smarter than everyone else and can get away with the crime, as well as those who do it for excitement.</p><p>Often, ego approaches involve one of the other elements, such as ego and money—"I deserve more money"—or ego and compromise—"I deserve a more attractive lover."</p><p>A recent example is the case of Boeing satellite engineer Gregory Justice, who passed stolen electronic files to an undercover FBI agent he believed was a Russian intelligence officer. While Justice took small sums of money for the information, he was primarily motivated by the excitement of being a spy like one of those in the television series The Americans, of which he was a fan.​</p><p>​<br></p><p><em><strong>Scott Stewart</strong> is vice president of tactical analysis at Stratfor.com and lead analyst for Stratfor Threat Lens, a product that helps corporate security professionals identify, measure, and mitigate risks that emerging threats pose to their people, assets, and interests around the globe.</em></p>

Defenses

 

 

https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspx2018-01-01T05:00:00ZHow to Hack a Human
https://sm.asisonline.org/Pages/Book-Review---Cybersecurity-Law.aspx2018-01-01T05:00:00ZBook Review: Cybersecurity Law
https://sm.asisonline.org/Pages/Held-Hostage-.aspx2017-12-01T05:00:00ZHeld Hostage
https://sm.asisonline.org/Pages/How-to-Minimize-Cybersecurity-Vulnerabilities.aspx2017-11-28T05:00:00ZHow to Minimize Cybersecurity Vulnerabilities
https://sm.asisonline.org/Pages/How-to-Minimize-Cybersecurity-Vulnerabilities-Article.aspx2017-11-28T05:00:00ZHow to Minimize Cybersecurity Vulnerabilities
https://sm.asisonline.org/Pages/Minimize-Cybersecurity-Vulnerablilies.aspx2017-11-28T05:00:00ZHow to Minimize Cybersecurity Vulnerabilities
https://sm.asisonline.org/Pages/Book-Review-Art-of-Invisibility.aspx2017-11-01T04:00:00ZBook Review: Art of Invisibility
https://sm.asisonline.org/Pages/The-Zero-Day-Problem.aspx2017-11-01T04:00:00ZThe Zero Day Problem
https://sm.asisonline.org/Pages/Driving-the-Business.aspx2017-10-01T04:00:00ZDriving the Business
https://sm.asisonline.org/Pages/FBI-Director-Focused-on-Cyber-Threats.aspx2017-09-26T04:00:00ZFBI Director Focused on Cyber Threats
https://sm.asisonline.org/Pages/Hackers-Hit-Equifax,-Compromising-143-Million-Americans’-Data.aspx2017-09-08T04:00:00ZHackers Hit Equifax, Compromising 143 Million Americans’ Data
https://sm.asisonline.org/Pages/Book-Review---Weakest-Link.aspx2017-09-01T04:00:00ZBook Review: Weakest Link
https://sm.asisonline.org/Pages/Uber-Agrees-To-20-Years-Of-Audits-To-Settle-Deceptive-Privacy-Charges.aspx2017-08-15T04:00:00ZUber Agrees To 20 Years Of Audits To Settle Deceptive Privacy Charges
https://sm.asisonline.org/Pages/Vulnerability-Rediscovery-Occurs-At-More-Than-Twice-The-Previously-Reported-Rate.aspx2017-07-21T04:00:00ZVulnerability Rediscovery Occurs At More Than Twice The Previously Reported Rate
https://sm.asisonline.org/Pages/Report--Most-InfoSec-Professionals-Think-Their-Companies’-Security-Solutions-Are-Outdated.aspx2017-07-14T04:00:00ZReport: Most InfoSec Professionals Think Their Companies’ Security Solutions Are Outdated
https://sm.asisonline.org/Pages/Survey-Of-InfoSec-Professionals-Paints-A-Dark-Picture-Of-Cyber-Defenses.aspx2017-07-07T04:00:00ZSurvey Of InfoSec Professionals Paints A Dark Picture Of Cyber Defenses
https://sm.asisonline.org/Pages/It-Takes-a-Network.aspx2017-07-01T04:00:00ZIt Takes a Network
https://sm.asisonline.org/Pages/Seeking-a-Cyber-Agenda.aspx2017-07-01T04:00:00ZSeeking a Cyber Agenda
https://sm.asisonline.org/Pages/Most-U.S.-Hospitals-Have-Not-Deployed-DMARC-To-Protect-Their-Email-Systems.aspx2017-06-16T04:00:00ZMost U.S. Hospitals Have Not Deployed DMARC To Protect Their Email Systems
https://sm.asisonline.org/Pages/Most-Companies-Take-More-Than-A-Month-To-Detect-Cyberattackers.aspx2017-06-02T04:00:00ZMost Companies Take More Than A Month To Detect Cyberattackers

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/New-Ways-to-Manage-Risk.aspxNew Ways to Manage Risk<p>​</p><p>WITH A GROWING CONSENSUS on the need to better protect utilities from the risk of cyberattacks, there is a push for utilities to implement a type of risk management used in the IT world. It is called Governance-Risk-Compliance (GRC) management. When looking at GRC management as an expanded security risk assessment platform, it is most important to put GRC into the proper context. Let us first consider what is leading us to this shift in utilities security practices and then how GRC could work if properly expanded and adapted to the industry.</p><p>Shifting Landscape<br>One of the main reasons for this shift—apart from an obvious need to bring utilities security practices into the 21st century—is a proliferation of IT-based systems now used to manage the integrated electricity grid, water systems, gas supplies, and other daily operations. In addition, allowing customers interactivity with their utility and providing conservation tools online has become the norm. Next generation energy consumers expect nothing less than mobility and information at their fingertips, and utilities will have to comply.</p><p>To meet all of these needs, utilities and others are creating virtual pathways, through inter-connected systems, to core information technology (IT) and operational technology (OT) assets. These OT assets include the core Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used to manage daily grid operations.</p><p>The problem is that compromise of these ICS/SCADA systems could lead to loss of electricity to millions of individuals, businesses, and public-safety systems resulting in massive socio-economic and environmental damage. And various malware vendors that collect and analyze cyberattacks have found evidence that these systems are, indeed, targets of attacks already. Thus, the way in which IT traffic is restricted and controlled across this system becomes of primary importance.</p><p>A Move to GRC<br>Enter GRC management. When we think about more traditional methods of security risk assessment (or threat-risk assessment, as it has also been known), we see a fairly common assessment methodology for physical assets. This includes: categorization of assets with criticality rankings, identification of all prevailing threats (all-hazards approach), identification of vulnerabilities based on detailed examinations of the asset environment (includes people and processes), and assignment of impact/disruption values based on criticality and overall risk ranking. Ultimately, the risk assessment leads to prioritized mitigation planning that ultimately leads into a business case development cycle.</p><p>GRC, having been developed as an IT tool, pulls risk information out of a detailed view of governance structures. This would include risks related to system management, IT-related responsibilities of various groups throughout the enterprise, and IT risks stemming from the utility’s business relationships with partners, vendors, and other stakeholders. It would also include IT risks related to standards and policy compliance (leading to vulnerability assessment) and may include data received from automated vulnerability scans, such as logs of unauthorized login attempts. In brief, the assessment indicates where IT risk exists based on an evaluation of policy and process management desired to keep the IT system healthy, usually as aligned to an adopted standard set like ISO 27000. Depending on the maturity of the organization, there may be multiple standards against which GRC is applied, including more detailed IT management standards based on those established by respected entities, such as NIST.</p><p>GRC does not assess compliance based on some standards frameworks, such as NISTIR 7628. Moreover, GRC does not assess risk in the same manner as a traditional security assessment. For example, there is no ability in the GRC model to assess threat actors or their capabilities and no ability to demonstrate enterprise risk based on things like physical security requirements and similar inputs. Criticality is not even called out as a priority in all cases. One is led to ask, then, what risk is really being measured through this GRC platform, and is the IT GRC platform comprehensive enough to address a smart grid environment?</p><p>But a follow-up question would be if not GRC, then what? There is the North American Electric Reliability Corporation, Critical Infrastructure Protection, or NERC CIP compliance model, which has historically not used GRC. But as helpful as NERC CIP is in addressing critical cyber asset identification, security, and management, NERC CIP does not apply to the distribution grid (which delivers electricity to consumers and comprises most of what we call the smart grid), and it is, therefore, an incomplete standard for addressing smart grid (distribution) complexity.</p><p>On the other hand, the more traditional risk assessment (physical) model, while it is comprehensive enough in its methodology, and while it works well with regard to the inspection of physical IT asset protection, does not even contemplate IT standards, IT governance, and compliance components and, therefore, it cannot produce an adequate risk reporting across the enterprise.</p><p>Expanding GRC<br>Recognizing all of these factors, the answer to assessing the risk for the new smart grid environment may be a much more advanced form of GRC to include the attributes of comprehensive physical asset protection assessment and those of the IT governance and compliance model.</p><p>Risk assessment in this new cyber-risk environment must have a complex means of assessing risk in a dynamic and continuous process, and it must produce real-time risk reporting since threat profiles can change rapidly. Situational awareness inputs, including utility security incident and event management inputs (SIEM), log information, and system-wide alerts need to be funnelled into such an engine to provide appropriate risk indicators for management on the fly.</p><p>Other data points, such as staff training metrics, personnel changes, access privileges, and environmental indicators, are equally important for understanding risk across the system. Risk assessments must factor in external threatscape information, such as what other utilities are reporting, and news about relevant activities of cyber-criminal groups and their capabilities. Some advanced GRC engines are currently the best vehicles for adapting to these needs.</p><p>Transition<br>Assessment of IT risk and physical risk must be integrated with information flowing to a single assessment engine. But even this is not enough. A vastly expanded GRC platform is needed. Furthermore, this expanded GRC assessment must be a continuous process, using as much automation as possible and including manual inputs for information that cannot be scanned in.</p><p>This objective is a daunting, complex goal to consider. But it is absolutely necessary in this complex environment we are now called to manage within the utilities sphere. Getting to this goal will require some fundamental changes, including the development of new skill-sets in the area of security expertise, the development of more comprehensive security software, and the development of utility operations paradigms to accommodate these changes. Attitudes, skill-sets, and processes need to change quickly to meet the expanding operational risk.</p><p>Fortunately, there has already been recognition of and movement on the need to develop new skill-sets. We have seen increased uptake in IT certifications held by utilities security professionals. The agenda of the ASIS International Utilities Security Council has shifted to include more cyber-focused issues. Collaboration between the ASIS Utilities Security Council and the ASIS IT Security Council has increased over a relatively short time, indicating both a desire and a need for traditional security professionals within the utility sphere to learn more and apply more IT security practices to their daily security management practices.</p><p>The Critical Infrastructure Working Group, a collaborative body of numerous ASIS council leaders and others, has started developing a cyber-education initiative to help traditional security professionals transition to a more IT-savvy security knowledge base. Priorities for ASIS education program development and certification requirements have also clearly shifted more toward the cybersecurity end of the spectrum.</p><p>The Utilities Security Council’s recognition of the need to become more IT-centric has also been reflected in its white paper series. All of the papers issued in 2012—including those that covered smart grid security, integrated security, and a future view on certification requirements for utilities—addressed IT-based issues. This represents a key tipping point for what remains a primarily “traditional” group of security professionals who have usually been labelled by their IT counterparts as “physical” security professionals.</p><p>As for the tools needed to adapt an expanded GRC model, GRC software products exist today, and one or two of the developers of those products are trying to address utility needs. The best avenue for adopting this risk-assessment process today may be to apply the most comprehensive GRC software package available, one that has demonstrated the concept of real-time, diverse feeds, and work with that vendor (the author prefers not to identify specific vendors) to develop a more customized model of what your enterprise needs, with a view to the future.</p><p>Compliance management will need to take a dominant position in this development, because regulatory compliance is important for utilities, and because it is possible that the enterprise does not yet fully understand it. A compliance exercise using a robust GRC engine can help flesh this out.</p><p>Finally, given that even transmission line checks and substation maintenance schedules form part of utility compliance, and assist overall utility security, along with dozens of other requirements across the company, a GRC engine should be adapted to include this type of issue. And making it inclusive of these considerations can also help to build a business case for acquiring funding approvals. After all, if any task is important for the ongoing resiliency of the utility, it should be measured in terms of compliance management and as a contributor to overall risk. GRC management can assist with this.</p><p>This article has not explored many of the other factors that will feed into heightened cybersecurity concerns for the utility, like continued adoption of cloud services and expansion of mobility tools, not to mention a complete set of security concerns related to social media and Bring Your Own Device policies. Each will impact the security stability of the utility and electricity grid in new ways and add complexity to security management. Managing vendors to ensure appropriate technologies have security “by design” will be equally important in the overall, ongoing risk assessment. There are many vulnerability points in utility operations separate from and contributing to security management issues. Each must be factored into the daily security risk management cycle.</p><p>Doug Powell, CPP, PSP, is manager of security, privacy and safety governance and risk for smart metering at BC Hydro in British Columbia, Canada. He serves as vice chair of the ASIS International Utilities Security Council and chair of the Critical Infrastructure Working Group. He is also an associate to the Infrastructure Resiliency Research Group at Carleton University in Ottawa, Ontario. He has more than 30 years’ experience in the industry and has been recognized with numerous awards. The Utilities Security Council has written white papers on many of the topics discussed in this article as well as others not addressed here. These papers are excellent resources to begin understanding the scope of security risk management issues today.<br></p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/The-Role-of-School-Resource-Officers.aspxThe Role of School Resource Officers<p>​Mo Canady, executive director of the National Association of School Resource Officers (NASRO), discusses the security implications of an SRO’s role in today’s educational environment.</p><p class="p1"><i>Q. What are school resource officers (SROs) and what are some of their job functions?  </i></p><p class="p1"><b>A. </b>SROs are sworn law enforcement officers assigned by their employing law enforcement agency to work with schools. They go into the classroom with a diverse curriculum in legal education. They aid in teaching students about the legal system and helping to promote an awareness of rules, authority, and justice. Outside of the classroom, SROs are mentoring students and engaging with them in a variety of positive ways.</p><p class="p1"><i>Q. What are some of the standards and best practices your organization teaches? </i></p><p class="p1"><b>A. T</b>here are three important things that need to happen for an SRO program to be successful. Number one, the officers must be properly selected. Number two, they have to be properly trained. And thirdly, it has to be a collaborative effort between the law enforcement agency and the school district. This can’t just be a haphazard approach of, “We have a drug problem; let’s put some police officers in there and try to combat it.” It needs to be a community-based policing approach.</p><p class="p1"><i>Q. Some SROs have come under fire for being too aggressive in the classroom. What’s your take?</i></p><p class="p1"><b>A. </b>There have been a handful of incidents that have played out in the media. But, it is up to the investigating agency to determine right and wrong. I’ve been very happy with the fact that the majority of those officers involved in these incidents have not been trained by us.</p><p class="p1"><i>Q. How does NASRO train officers to deal with potential threats? </i></p><p class="p1"><b>A. </b>In our training, we certainly talk about lockdown procedures and possible responses to active shooter situations, but we don’t get too detailed. It’s really up to each agency to make those kinds of decisions. In the case of an active shooter, I don’t believe most SROs are going to wait for additional backup to get there. Most of them are so bought into their schools and their relationships with their students, that if they hear gunfire, they’re going to go try to stop whatever is happening. </p><p class="p1"><i>Q. Do SROs consider themselves security officers? </i></p><p class="p1"><b>A. </b>We’re engaged in security and it’s a big part of what we do—but it’s just one piece of what we do. Sometimes when people think about physical security, the idea of relationship building doesn’t necessarily come in there, and yet it’s the lead thing for us. We know that through those relationships, if we’re building them the right way, we may get extremely valuable information from students, parents, faculty, and staff. It’s what leads to SROs in many cases being able to head off bad situations before they happen.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspxSurveillance and Stereotypes<p>​Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report <em>Shop­lifting Statistics.</em></p><p>To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags. </p><p>The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters. </p><p>Are these surveillance decisions a result of bias? To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.​</p><h4>Existing Data</h4><p>A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.</p><p>Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves. </p><p>Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes. </p><p>It is also common for the media to portray adolescents—particularly boys—as criminals. Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.</p><p>The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers purport that they were targeted through excessive surveillance—and even through false arrests. </p><p>Researchers have shown that this automated bias occurs even when observers were trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”</p><p>Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. The results of accumulated discrimination, accrued during each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue in the legal system. This is evidenced by the disproportionate number of African- and Latin-American boys shown in the apprehension and arrest statistics of juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the Chicago University Press. ​</p><h4>Current Research</h4><p>To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas:  97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state. </p><p><strong>Shoplifter profile. </strong>The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.</p><p>The security and emergency management major students—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.</p><p>Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status. </p><p>The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. The two samples also indicated that the stereotypical thief was likely to have short or medium length brown or black hair and an identifying mark—such as a piercing. </p><p>These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.</p><p><strong>Decision processes. </strong>After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security guards’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.</p><p>The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. However, the description of the overt behaviors by the juvenile was the same for every scenario—selecting and returning shirts in a rack, glancing around the store, and stuffing a shirt into a backpack.</p><p>Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling a juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. Researchers reasoned that respondents should draw identical conclusions for surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but that students would have different recommendations for these choices if their racial or ethnic stereotypes were activated.</p><p>Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences for race or ethnicity were notable when considering reliance on physical characteristics.</p><p>Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. Their selection of the least severe sanction—talk to the juvenile—was doled out at a higher rate for boys than for girls of each ethnicity except European Americans, which did not differ.</p><p>The moderate level sanction—call the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe level sanction—ban the youth from the store—was selected more for boys than for girls of African descent. However, it was selected more for girls than for boys of Asian, European, and Middle Eastern descent.<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%201.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:510px;" /></p><p>Respondents who indicated a preference for applying formal sanctions attributed physical characteristics to the guards’ surveillance decision for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities. </p><p>Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. Their selection of the least severe sanction—involve the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.</p><p>The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.</p><p>Finally, a comparison of our data revealed that respondents believed informal—rather than formal—consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent. ​<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%202.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:519px;" /></p><h4>Lessons Learned</h4><p>Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also showed that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.</p><p>Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. Our data suggests that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also simultaneously prevents security officers from apprehending shoplifters.</p><p>Other research, such as from “Juvenile Shoplifting Delinquency: Findings from an Austrian Study” published in the 2014 Journal for Police Science and Practice, shows that only 10 percent of juveniles are caught shoplifting. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.</p><p>Another issue that was addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police. </p><p>Retailers instead focus on minimizing loss and negative publicity, and may rationalize against reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.</p><p>These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting. </p><p>There are benefits for retailers who involve the legal system, especially for informal police sanctions. </p><p>First, criminal justice diversion programs and psychological treatment and educational programs treatment may reduce recidivism. For example, shoplifters who attended and completed a diversion program had significantly fewer re-arrests compared to those who failed to complete or did not attend, a DOJ study found.</p><p>Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased. ​</p><h4>Recommendations</h4><p>Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices. They also need training to learn which behavioral indices are most effective in distinguishing shoppers from shoplifters. </p><p>If retailers do not make significant changes in guiding their employees—particularly security officers—towards objective measures of vigilance to prevent shoplifting, their financial loss will continue to be in the billions of dollars. </p><p>Private security officers must be taught how to treat all potential shoplifters, regardless of their gender, in the same way to prevent making mistakes and subjecting retailers to lawsuits for discriminatory security practices.</p><p>Overcoming unconscious biases is difficult. Prior to specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered. </p><p>The officers should also keep records that specify each incident of shoplifting, what behaviors drew their attention to warrant surveillance, what act occurred to provoke them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and reasons for the decision. The officers should then review these records with their retail managers.</p><p>Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors to increase detection and reduce shrink. </p><p>The incident records could be introduced and used to help identify the impact biases have on private security professionals’ decisionmaking about juvenile shoplifters. It would also help security guards learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.</p><p>Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples.  </p><p>--<br></p><p><em><strong>Dr. Lauren R. Shapiro </strong>is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. <strong>Dr. Marie-Helen (Maria) Maras</strong> is an associate professor at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security.   ​</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465