Defenses

 

 

https://sm.asisonline.org/Pages/How-to-Bridge-the-Gap.aspxHow to Bridge the GapGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652019-04-01T04:00:00Zhttps://adminsm.asisonline.org/pages/megan-gates.aspx, Megan Gates<p>​The U.S federal government had identified a vulnerability. It knew it needed to do more to address the potential threat of insiders and their access—both physically and electronically—to classified information.</p><p>So, in October 2011, U.S. President Barack Obama issued an executive order to require that all federal agencies that operate or access classified computer networks create insider threat detection and prevention programs. These programs would have to cover all users of classified computer networks, including contractors, to ensure that those networks were secure and protected.</p><p>“Our nation’s security requires classified information to be shared immediately with authorized users around the world but also requires sophisticated and vigilant means to ensure it is shared securely,” Obama said in the order. “Computer networks have individual and common vulnerabilities that require coordinated decisions on risk management.”</p><p>Agencies and contractors were given several years to implement the executive order. And it would require the two sides of the security house, cyber and physical, to work together. </p><p>One company required to comply with the executive order is American Systems where Matthew Hollandsworth, CPP, CISSP, director of corporate security, facilities, and safety, is the head of the insider threat program. </p><p>Hollandsworth worked with colleagues to create an insider threat committee with representation from security, IT security, human resources, finance, legal, and client-facing verticals of the business. </p><p>“An example would be if security got an adverse information report on somebody that’s going through a bankruptcy,” Hollandsworth explains. “That would get reported to the committee. That makes them more of a risk—they are short on money; that makes them more susceptible to being bribed.”</p><p>The committee then created a process to ensure that the threat would be shared with the appropriate stakeholders, such as finance to monitor corporate credit cards and expense reports and human resources for potential job performance complaints.</p><p>“It required several meetings of sitting down and developing these communications paths and these processes,” Hollandsworth adds.</p><p>One of the key partners in this initiative, however, was IT security, which could be alerted to a potential insider threat and monitor that person’s activity on the corporate network. </p><p>“We’ve had an example where IT identified an individual that had downloaded around 100 gigs of data, taken that, and put it on their personal thumb drive,” Hollandsworth says. “There was no reason for that, so IT let me know about it. And it turned out to be something innocent—this guy was just moving data from one computer to another—but that communication path was there. That process was there.”</p><p>While the program was created to meet a U.S. federal government requirement, it also shows the benefits organizations can reap in reducing risk when cyber and physical security teams work together to address it.</p><h4>The Gap</h4><p>Traditionally, there has been a gap between cyber and physical security personnel in organizations. Physical security measures were already in place when computers and networks were first invented, eventually spawning the IT and cybersecurity fields. </p><p>And the personnel who filled these roles in organizations came from different backgrounds—cyber and IT often from technical backgrounds and college programs; physical security often with backgrounds in law enforcement, military, or government.</p><p>When he started working at a helpdesk at the Pentagon in 1998, Hollandsworth says that the IT and physical security teams were separate without much communication between the two.</p><p>“I think people saw IT security as kind of the new fad thing at the time; it wasn’t like it is today where one has a better understanding of it and can see the breaches that happen and the importance of it,” he adds. “And there was probably a bit of ego on the physical security side. ‘We’re the security people, you guys are just the computer people.’”</p><p>Dave Tyson, CPP, CISSP, CEO of CISO Insights, had a similar experience when he got his start in the profession as a security guard. His knowledge of cybersecurity was almost nonexistent prior to attending a luncheon in the mid-1990s where a speaker gave a presentation on the topic. A topic that for most, including Tyson, was indecipherable. </p><p>“We couldn’t imagine what digitization was—the filing cabinets not being relevant anymore,” Tyson says. “So, I said, ‘Hey, that doesn’t make sense to me. I need to know more.’”</p><p>Learning more about IT and the concepts behind it exposed Tyson’s frustrations in his own career in physical security at the time. </p><p>“I felt like I was doing the same thing over and over—getting a guard, getting a camera, trying to explain why our humans are better than someone else’s humans at reducing risk,” he says. “And it was frustrating because we really were not partnered with the business—the part of the organization that makes money.”</p><p>IT was connected to what the business was doing, Tyson explains. Those teams were building databases and interacting with customer information, creating real impact that would affect the company. </p><p>But Tyson says he could also see where physical security could play a role in what IT was doing, by posing basic security questions, including “What data is going across this network? Who decides who gets to look at it? Who decides who gets access to what?”</p><p>This spurred Tyson’s interest in converging physical and cyber into one conversation to address risk. One hurdle to this convergence, however, was the difference in professional jargon that cyber and physical teams use in the workplace.</p><p>“The hard part is, sometimes the message doesn’t get across because of all the terminology,” Tyson says. “The terminology, and how it’s ex­plained, is more critical than what’s being said so people will engage and not tune it out.”</p><p>To help bridge this language barrier, Hollandsworth says that his teams have created a common lexicon so each side can understand the other. </p><p>“Developing a common lexicon for how they communicate with each other, like teaching the traditional security side what a root kit is, what spear phishing is, is important,” he explains. “And going the other direction with the IT side—what types of cameras work best in what type of lighting and how to process a background investigation for an individual—and getting them to understand the importance of that.”</p><p>One practical example of this was an instance where a company needed a computer system approved for use. The system required a documentation process, a certain type of configuration, and approval by the government before it could be used.</p><p>“Part of that documentation process was that we had to document the physical protections of the system,” Hollandsworth says. “So, is it in a secured area? What type of layered security do we have in place? All of that stuff.”</p><p>But the IT and physical security staff members working on the project were having trouble communicating with each other. The physical security employee did not understand why he had to provide this information to IT, and the IT staffer did not understand why security was not being cooperative.</p><p>“I sat down with the two of them and explained the need for both and tried to put some different language around what the IT security person was asking and what the traditional security person was asking to come up with common understanding and common terms,” Hollandsworth explains. </p><p>He told them to think of the computer system like the center of a bullseye with rings of protection around it that needed to be documented for approval of the system. Using this approach, they were able to have a successful dialogue centered around risk to the system—and ultimately the organization—that needed to be addressed.</p><p>“Risk is the common language between all sorts of security-esque organizations—whether it’s financial risk, legal risk, physical security, cyber, it really doesn’t matter—all of these things are about managing risk, and you do that effectively through the same process,” Tyson says. </p><h4>The Benefits</h4><p>Cyber and physical security are converging because of the changing way that organizations operate and implement technology. Physical protections—like cameras and access control systems—are running over corporate networks that need to be protected from intrusions looking to gain a foothold in the system.</p><p> “You have to have a physical security program, a personnel security program, an operations security program, and an information security program all working together to protect data,” says Hollandsworth.</p><p>For instance, when Tyson was at eBay, individuals would walk around the neighborhood and drop USB sticks or place fliers on employees’ windshields. </p><p>“People would take these things inside the office, and either plug the USB stick into the computer or look at the URL link on the flier that’s encouraging them to go to this website to win an iPhone. They would get infected with malware,” Tyson says. “Here we have a cyber threat against the organization using a physical device.”</p><p>To mitigate the threat, Tyson worked to educate his physical security leaders who were responsible for monitoring camera systems and access to the environment to detect who was leaving the malicious materials. He also worked with the cybersecurity team defending the network to ensure it had systems in place to defend against the malware to prevent it from being downloaded.</p><p>“All of those folks had to be working in harmony to protect that new risk that we had never seen before,” Tyson says.</p><p>Tyson also worked with physical and cybersecurity teams on detecting rogue wireless access points. Employees at the time were unhappy that corporate firewalls were blocking their access to certain websites and services. So, they would go out and buy the supplies to create their own Wi-Fi connection to the network—a violation of company policy. </p><p>“They were really easy to buy and really easy to plug in, but not so easy to find when your cybersecurity guy is sitting behind computers five buildings away,” Tyson says. “So, we trained the physical security team—the guards on general assignment—on what a wireless access point looks like, how it was used, and gave them a sniffer that beeped if you walked by and got a wireless signal.”</p><p>When they heard a beep, the guards were instructed to document where the device was and report it to the cybersecurity team. The next day, a cybersecurity staff member would go discuss the issue with the employee who had violated the policy and then remove the device.</p><p>“We found three of them in the first month,” Tyson says. “The marginal cost of this new security program to deal with this new risk was $80. And here we are detecting rogue wireless access points that are bypassing our firewall. And our guards are really happy because instead of just watching doors, they are actually solving business problems.”</p><h4>Relationship Building</h4><p>While putting programs and processes in place so cyber and physical security work together to address risk is important, so is building relationships with individuals across team lines. </p><p>Tim McCreight, CPP, CISSP, CISA (Certified Information Systems Auditor), manager of corporate security—cyber—for the City of Calgary, says that creating the opportunity for open dialogue between security professionals was critical to his work at the corporate information security office for the government of Alberta.</p><p>He was an executive director in the CISO’s office at the time and reached out to others in security roles for the government for a monthly meeting that eventually turned into a weekly coffee meeting to keep everyone in the loop. </p><p>“One of the best things I can suggest is to toss your egos out the door,” McCreight says. “You’re there to protect your people, property, and information. You have to appreciate what other people bring to the table…you can’t be the physical security guy operating in a silo protecting your company. You need to collaborate.”</p><p>Tyson agrees, saying that regardless of the side of the house a security professional operates in, all security leaders need to remember that they are information workers. </p><p>“Other than maybe arresting a few people now and then, for the most part we’re paid to have conversations with people and relationships with people,” Tyson says. </p><p>“We interact with so many people every day, sometimes we forget that our work environment is based on a semi-social environment,” he adds. “The first step is get to know the people that you have to work with. Understand the problems that they face—what the biggest risks are to them. And ask what you can do to help them be more successful at reducing those risks.”  </p><p><em>Megan Gates is senior editor at Security Management. Contact her at megan.gates@asisonline.org or follow her on Twitter @mgngates. </em></p>

Defenses

 

 

https://sm.asisonline.org/Pages/How-to-Bridge-the-Gap.aspx2019-04-01T04:00:00ZHow to Bridge the Gap
https://sm.asisonline.org/Pages/Book-Review-CISSP-Exam-Guide.aspx2019-04-01T04:00:00ZBook Review: CISSP Exam Guide
https://sm.asisonline.org/Pages/Book-Review-Hacking-for-Dummies.aspx2019-03-01T05:00:00ZBook Review: Hacking for Dummies
https://sm.asisonline.org/Pages/On-Duty-and-Vulnerable.aspx2019-03-01T05:00:00ZOn Duty and Vulnerable
https://sm.asisonline.org/Pages/Weapon-Weaknesses.aspx2019-02-01T05:00:00ZWeapon Weaknesses
https://sm.asisonline.org/Pages/A-Shock-to-the-System.aspx2018-12-01T05:00:00ZA Shock to the System
https://sm.asisonline.org/Pages/Census-Scrutiny.aspx2018-12-01T05:00:00ZCensus Scrutiny
https://sm.asisonline.org/Pages/Cyberthreats-Innovation-and-the-Future-of-AI.aspx2018-12-01T05:00:00ZCyberthreats, Innovation, And The Future Of AI
https://sm.asisonline.org/Pages/Access-With-A-Twist.aspx2018-12-01T05:00:00ZAccess With A Twist
https://sm.asisonline.org/Pages/Book-Review-Small-Wars,-Big-Data.aspx2018-11-01T04:00:00ZBook Review: Small Wars, Big Data
https://sm.asisonline.org/Pages/Something-in-the-Water.aspx2018-11-01T04:00:00ZSomething in the Water
https://sm.asisonline.org/Pages/Book-Review-Online-Danger.aspx2018-10-01T04:00:00ZBook Review: Online Danger
https://sm.asisonline.org/Pages/A-Stronger-Handshake.aspx2018-10-01T04:00:00ZA Stronger Handshake
https://sm.asisonline.org/Pages/Cybersecurity-and-Infrastructure.aspx2018-10-01T04:00:00ZQ&A: Cybersecurity and Infrastructure
https://sm.asisonline.org/Pages/Cyber-Trumps-Physical-as-Biggest-Threat.aspx2018-09-26T04:00:00ZCyber Trumps Physical as Biggest Threat
https://sm.asisonline.org/Pages/Election-Hardening.aspx2018-09-01T04:00:00ZElection Hardening
https://sm.asisonline.org/Pages/An-AI-State-of-Mind.aspx2018-09-01T04:00:00ZAn AI State of Mind
https://sm.asisonline.org/Pages/Cyber-Goals-Past-Due.aspx2018-08-01T04:00:00ZCyber Goals: Past Due
https://sm.asisonline.org/Pages/Critical-Risk-Management.aspx2018-08-01T04:00:00ZCritical Risk Management
https://sm.asisonline.org/Pages/Bridging-Worlds.aspx2018-07-01T04:00:00ZBridging Worlds

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/New-Ways-to-Manage-Risk.aspxNew Ways to Manage Risk<p>​</p><p>WITH A GROWING CONSENSUS on the need to better protect utilities from the risk of cyberattacks, there is a push for utilities to implement a type of risk management used in the IT world. It is called Governance-Risk-Compliance (GRC) management. When looking at GRC management as an expanded security risk assessment platform, it is most important to put GRC into the proper context. Let us first consider what is leading us to this shift in utilities security practices and then how GRC could work if properly expanded and adapted to the industry.</p><p>Shifting Landscape<br>One of the main reasons for this shift—apart from an obvious need to bring utilities security practices into the 21st century—is a proliferation of IT-based systems now used to manage the integrated electricity grid, water systems, gas supplies, and other daily operations. In addition, allowing customers interactivity with their utility and providing conservation tools online has become the norm. Next generation energy consumers expect nothing less than mobility and information at their fingertips, and utilities will have to comply.</p><p>To meet all of these needs, utilities and others are creating virtual pathways, through inter-connected systems, to core information technology (IT) and operational technology (OT) assets. These OT assets include the core Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used to manage daily grid operations.</p><p>The problem is that compromise of these ICS/SCADA systems could lead to loss of electricity to millions of individuals, businesses, and public-safety systems resulting in massive socio-economic and environmental damage. And various malware vendors that collect and analyze cyberattacks have found evidence that these systems are, indeed, targets of attacks already. Thus, the way in which IT traffic is restricted and controlled across this system becomes of primary importance.</p><p>A Move to GRC<br>Enter GRC management. When we think about more traditional methods of security risk assessment (or threat-risk assessment, as it has also been known), we see a fairly common assessment methodology for physical assets. This includes: categorization of assets with criticality rankings, identification of all prevailing threats (all-hazards approach), identification of vulnerabilities based on detailed examinations of the asset environment (includes people and processes), and assignment of impact/disruption values based on criticality and overall risk ranking. Ultimately, the risk assessment leads to prioritized mitigation planning that ultimately leads into a business case development cycle.</p><p>GRC, having been developed as an IT tool, pulls risk information out of a detailed view of governance structures. This would include risks related to system management, IT-related responsibilities of various groups throughout the enterprise, and IT risks stemming from the utility’s business relationships with partners, vendors, and other stakeholders. It would also include IT risks related to standards and policy compliance (leading to vulnerability assessment) and may include data received from automated vulnerability scans, such as logs of unauthorized login attempts. In brief, the assessment indicates where IT risk exists based on an evaluation of policy and process management desired to keep the IT system healthy, usually as aligned to an adopted standard set like ISO 27000. Depending on the maturity of the organization, there may be multiple standards against which GRC is applied, including more detailed IT management standards based on those established by respected entities, such as NIST.</p><p>GRC does not assess compliance based on some standards frameworks, such as NISTIR 7628. Moreover, GRC does not assess risk in the same manner as a traditional security assessment. For example, there is no ability in the GRC model to assess threat actors or their capabilities and no ability to demonstrate enterprise risk based on things like physical security requirements and similar inputs. Criticality is not even called out as a priority in all cases. One is led to ask, then, what risk is really being measured through this GRC platform, and is the IT GRC platform comprehensive enough to address a smart grid environment?</p><p>But a follow-up question would be if not GRC, then what? There is the North American Electric Reliability Corporation, Critical Infrastructure Protection, or NERC CIP compliance model, which has historically not used GRC. But as helpful as NERC CIP is in addressing critical cyber asset identification, security, and management, NERC CIP does not apply to the distribution grid (which delivers electricity to consumers and comprises most of what we call the smart grid), and it is, therefore, an incomplete standard for addressing smart grid (distribution) complexity.</p><p>On the other hand, the more traditional risk assessment (physical) model, while it is comprehensive enough in its methodology, and while it works well with regard to the inspection of physical IT asset protection, does not even contemplate IT standards, IT governance, and compliance components and, therefore, it cannot produce an adequate risk reporting across the enterprise.</p><p>Expanding GRC<br>Recognizing all of these factors, the answer to assessing the risk for the new smart grid environment may be a much more advanced form of GRC to include the attributes of comprehensive physical asset protection assessment and those of the IT governance and compliance model.</p><p>Risk assessment in this new cyber-risk environment must have a complex means of assessing risk in a dynamic and continuous process, and it must produce real-time risk reporting since threat profiles can change rapidly. Situational awareness inputs, including utility security incident and event management inputs (SIEM), log information, and system-wide alerts need to be funnelled into such an engine to provide appropriate risk indicators for management on the fly.</p><p>Other data points, such as staff training metrics, personnel changes, access privileges, and environmental indicators, are equally important for understanding risk across the system. Risk assessments must factor in external threatscape information, such as what other utilities are reporting, and news about relevant activities of cyber-criminal groups and their capabilities. Some advanced GRC engines are currently the best vehicles for adapting to these needs.</p><p>Transition<br>Assessment of IT risk and physical risk must be integrated with information flowing to a single assessment engine. But even this is not enough. A vastly expanded GRC platform is needed. Furthermore, this expanded GRC assessment must be a continuous process, using as much automation as possible and including manual inputs for information that cannot be scanned in.</p><p>This objective is a daunting, complex goal to consider. But it is absolutely necessary in this complex environment we are now called to manage within the utilities sphere. Getting to this goal will require some fundamental changes, including the development of new skill-sets in the area of security expertise, the development of more comprehensive security software, and the development of utility operations paradigms to accommodate these changes. Attitudes, skill-sets, and processes need to change quickly to meet the expanding operational risk.</p><p>Fortunately, there has already been recognition of and movement on the need to develop new skill-sets. We have seen increased uptake in IT certifications held by utilities security professionals. The agenda of the ASIS International Utilities Security Council has shifted to include more cyber-focused issues. Collaboration between the ASIS Utilities Security Council and the ASIS IT Security Council has increased over a relatively short time, indicating both a desire and a need for traditional security professionals within the utility sphere to learn more and apply more IT security practices to their daily security management practices.</p><p>The Critical Infrastructure Working Group, a collaborative body of numerous ASIS council leaders and others, has started developing a cyber-education initiative to help traditional security professionals transition to a more IT-savvy security knowledge base. Priorities for ASIS education program development and certification requirements have also clearly shifted more toward the cybersecurity end of the spectrum.</p><p>The Utilities Security Council’s recognition of the need to become more IT-centric has also been reflected in its white paper series. All of the papers issued in 2012—including those that covered smart grid security, integrated security, and a future view on certification requirements for utilities—addressed IT-based issues. This represents a key tipping point for what remains a primarily “traditional” group of security professionals who have usually been labelled by their IT counterparts as “physical” security professionals.</p><p>As for the tools needed to adapt an expanded GRC model, GRC software products exist today, and one or two of the developers of those products are trying to address utility needs. The best avenue for adopting this risk-assessment process today may be to apply the most comprehensive GRC software package available, one that has demonstrated the concept of real-time, diverse feeds, and work with that vendor (the author prefers not to identify specific vendors) to develop a more customized model of what your enterprise needs, with a view to the future.</p><p>Compliance management will need to take a dominant position in this development, because regulatory compliance is important for utilities, and because it is possible that the enterprise does not yet fully understand it. A compliance exercise using a robust GRC engine can help flesh this out.</p><p>Finally, given that even transmission line checks and substation maintenance schedules form part of utility compliance, and assist overall utility security, along with dozens of other requirements across the company, a GRC engine should be adapted to include this type of issue. And making it inclusive of these considerations can also help to build a business case for acquiring funding approvals. After all, if any task is important for the ongoing resiliency of the utility, it should be measured in terms of compliance management and as a contributor to overall risk. GRC management can assist with this.</p><p>This article has not explored many of the other factors that will feed into heightened cybersecurity concerns for the utility, like continued adoption of cloud services and expansion of mobility tools, not to mention a complete set of security concerns related to social media and Bring Your Own Device policies. Each will impact the security stability of the utility and electricity grid in new ways and add complexity to security management. Managing vendors to ensure appropriate technologies have security “by design” will be equally important in the overall, ongoing risk assessment. There are many vulnerability points in utility operations separate from and contributing to security management issues. Each must be factored into the daily security risk management cycle.</p><p>Doug Powell, CPP, PSP, is manager of security, privacy and safety governance and risk for smart metering at BC Hydro in British Columbia, Canada. He serves as vice chair of the ASIS International Utilities Security Council and chair of the Critical Infrastructure Working Group. He is also an associate to the Infrastructure Resiliency Research Group at Carleton University in Ottawa, Ontario. He has more than 30 years’ experience in the industry and has been recognized with numerous awards. The Utilities Security Council has written white papers on many of the topics discussed in this article as well as others not addressed here. These papers are excellent resources to begin understanding the scope of security risk management issues today.<br></p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/The-Role-of-School-Resource-Officers.aspxThe Role of School Resource Officers<p>​Mo Canady, executive director of the National Association of School Resource Officers (NASRO), discusses the security implications of an SRO’s role in today’s educational environment.</p><p class="p1"><i>Q. What are school resource officers (SROs) and what are some of their job functions?  </i></p><p class="p1"><b>A. </b>SROs are sworn law enforcement officers assigned by their employing law enforcement agency to work with schools. They go into the classroom with a diverse curriculum in legal education. They aid in teaching students about the legal system and helping to promote an awareness of rules, authority, and justice. Outside of the classroom, SROs are mentoring students and engaging with them in a variety of positive ways.</p><p class="p1"><i>Q. What are some of the standards and best practices your organization teaches? </i></p><p class="p1"><b>A. T</b>here are three important things that need to happen for an SRO program to be successful. Number one, the officers must be properly selected. Number two, they have to be properly trained. And thirdly, it has to be a collaborative effort between the law enforcement agency and the school district. This can’t just be a haphazard approach of, “We have a drug problem; let’s put some police officers in there and try to combat it.” It needs to be a community-based policing approach.</p><p class="p1"><i>Q. Some SROs have come under fire for being too aggressive in the classroom. What’s your take?</i></p><p class="p1"><b>A. </b>There have been a handful of incidents that have played out in the media. But, it is up to the investigating agency to determine right and wrong. I’ve been very happy with the fact that the majority of those officers involved in these incidents have not been trained by us.</p><p class="p1"><i>Q. How does NASRO train officers to deal with potential threats? </i></p><p class="p1"><b>A. </b>In our training, we certainly talk about lockdown procedures and possible responses to active shooter situations, but we don’t get too detailed. It’s really up to each agency to make those kinds of decisions. In the case of an active shooter, I don’t believe most SROs are going to wait for additional backup to get there. Most of them are so bought into their schools and their relationships with their students, that if they hear gunfire, they’re going to go try to stop whatever is happening. </p><p class="p1"><i>Q. Do SROs consider themselves security officers? </i></p><p class="p1"><b>A. </b>We’re engaged in security and it’s a big part of what we do—but it’s just one piece of what we do. Sometimes when people think about physical security, the idea of relationship building doesn’t necessarily come in there, and yet it’s the lead thing for us. We know that through those relationships, if we’re building them the right way, we may get extremely valuable information from students, parents, faculty, and staff. It’s what leads to SROs in many cases being able to head off bad situations before they happen.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspxSurveillance and Stereotypes<p>​Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report <em>Shop­lifting Statistics.</em></p><p>To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags. </p><p>The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters. </p><p>Are these surveillance decisions a result of bias? To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.​</p><h4>Existing Data</h4><p>A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.</p><p>Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves. </p><p>Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes. </p><p>It is also common for the media to portray adolescents—particularly boys—as criminals. Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.</p><p>The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers purport that they were targeted through excessive surveillance—and even through false arrests. </p><p>Researchers have shown that this automated bias occurs even when observers were trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”</p><p>Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. The results of accumulated discrimination, accrued during each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue in the legal system. This is evidenced by the disproportionate number of African- and Latin-American boys shown in the apprehension and arrest statistics of juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the Chicago University Press. ​</p><h4>Current Research</h4><p>To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas:  97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state. </p><p><strong>Shoplifter profile. </strong>The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.</p><p>The security and emergency management major students—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.</p><p>Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status. </p><p>The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. The two samples also indicated that the stereotypical thief was likely to have short or medium length brown or black hair and an identifying mark—such as a piercing. </p><p>These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.</p><p><strong>Decision processes. </strong>After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security guards’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.</p><p>The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. However, the description of the overt behaviors by the juvenile was the same for every scenario—selecting and returning shirts in a rack, glancing around the store, and stuffing a shirt into a backpack.</p><p>Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling a juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. Researchers reasoned that respondents should draw identical conclusions for surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but that students would have different recommendations for these choices if their racial or ethnic stereotypes were activated.</p><p>Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences for race or ethnicity were notable when considering reliance on physical characteristics.</p><p>Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. Their selection of the least severe sanction—talk to the juvenile—was doled out at a higher rate for boys than for girls of each ethnicity except European Americans, which did not differ.</p><p>The moderate level sanction—call the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe level sanction—ban the youth from the store—was selected more for boys than for girls of African descent. However, it was selected more for girls than for boys of Asian, European, and Middle Eastern descent.<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%201.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:510px;" /></p><p>Respondents who indicated a preference for applying formal sanctions attributed physical characteristics to the guards’ surveillance decision for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities. </p><p>Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. Their selection of the least severe sanction—involve the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.</p><p>The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.</p><p>Finally, a comparison of our data revealed that respondents believed informal—rather than formal—consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent. ​<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%202.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:519px;" /></p><h4>Lessons Learned</h4><p>Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also showed that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.</p><p>Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. Our data suggests that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also simultaneously prevents security officers from apprehending shoplifters.</p><p>Other research, such as from “Juvenile Shoplifting Delinquency: Findings from an Austrian Study” published in the 2014 Journal for Police Science and Practice, shows that only 10 percent of juveniles are caught shoplifting. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.</p><p>Another issue that was addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police. </p><p>Retailers instead focus on minimizing loss and negative publicity, and may rationalize against reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.</p><p>These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting. </p><p>There are benefits for retailers who involve the legal system, especially for informal police sanctions. </p><p>First, criminal justice diversion programs and psychological treatment and educational programs treatment may reduce recidivism. For example, shoplifters who attended and completed a diversion program had significantly fewer re-arrests compared to those who failed to complete or did not attend, a DOJ study found.</p><p>Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased. ​</p><h4>Recommendations</h4><p>Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices. They also need training to learn which behavioral indices are most effective in distinguishing shoppers from shoplifters. </p><p>If retailers do not make significant changes in guiding their employees—particularly security officers—towards objective measures of vigilance to prevent shoplifting, their financial loss will continue to be in the billions of dollars. </p><p>Private security officers must be taught how to treat all potential shoplifters, regardless of their gender, in the same way to prevent making mistakes and subjecting retailers to lawsuits for discriminatory security practices.</p><p>Overcoming unconscious biases is difficult. Prior to specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered. </p><p>The officers should also keep records that specify each incident of shoplifting, what behaviors drew their attention to warrant surveillance, what act occurred to provoke them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and reasons for the decision. The officers should then review these records with their retail managers.</p><p>Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors to increase detection and reduce shrink. </p><p>The incident records could be introduced and used to help identify the impact biases have on private security professionals’ decisionmaking about juvenile shoplifters. It would also help security guards learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.</p><p>Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples.  </p><p>--<br></p><p><em><strong>Dr. Lauren R. Shapiro </strong>is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. <strong>Dr. Marie-Helen (Maria) Maras</strong> is an associate professor at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security.   ​</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465