Defenses

 

 

https://sm.asisonline.org/Pages/Something-in-the-Water.aspxSomething in the WaterGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-11-01T04:00:00Zhttps://adminsm.asisonline.org/pages/megan-gates.aspx, Megan Gates<p>​With this access, the hacker obtained information about the status and operation of the dam, including the water levels, temperature, and status of the sluice gate that controls water levels and flow rates.</p><p>However, the hacker was prohibited from obtaining control of the gate because it had been manually disconnected for maintenance.</p><p>After a lengthy investigation, the U.S. Department of Justice indicted seven Iranians for their alleged roles in both the dam hacking and a broader series of distributed denial of service (DDoS) attacks on financial institutions in New York state. </p><p>"The infiltration of the Bowman Avenue Dam represents a frightening new frontier in cybercrime," said Preet Bharara, then U.S. attorney of the southern district of New York. "These were no ordinary crimes, but calculated attacks by groups with ties to Iran's Islamic Revolutionary Guard and designed specifically to harm America and its people."</p><p>Since the infiltration of the dam, the United States has made some progress in addressing cybersecurity threats to critical infrastructure. The U.S. Department of Homeland Security (DHS) designated critical infrastructure verticals, created information sharing and analysis centers for each vertical, and conducted extensive outreach to the private sector—which owns and operates most critical infrastructure in the United States.</p><p>DHS released a cybersecurity strategy for 2018 to 2022 over the past summer (see Security Management, August 2018, "Cyber Goals Past Due"). It also recently created the National Risk Management Center, which will focus on creating a cross-cutting approach to defending U.S. critical infrastructure.</p><p>The center "will employ a more strategic approach to risk management born out of the re-emergence of nation-state threats, our hyperconnected environment, and our survival and its need to effectively and continually collaborate within the private sector," said DHS Secretary Kirstjen Nielsen in a speech at the 2018 National Cybersecurity Summit. </p><p>A focal point of these efforts is addressing cybersecurity threats to the North American electric grid. However, some experts have expressed concerns about whether enough is being done to address vulnerabilities to water and wastewater systems.</p><p>"The power grid gets a lot of the news coverage because you can imagine what it's like to have no power," says Chris Grove, director of industrial security at Indegy. "But people don't think about water as much because they don't understand what a total outage looks like."</p><p>One recent example of this was in Washington, D.C., on July 12 when the District of Columbia Water and Sewer Authority issued a boil order for thousands of residents. The order was in response to the discovery that an open valve at a pumping station created a loss of pressure in parts of the district's distribution center for roughly one hour.</p><p>That loss of pressure could have allowed contaminants to enter the water system that 100,000 residents and visitors use to cook, clean, bathe, and drink. </p><p>The boil order was lifted 48 hours later after the district had conducted a thorough testing of its system to ensure that no contamination was present. But during this time, residents and businesses were forced to stock up on bottled water and take other measures to reduce the boil order's impact.</p><p>There was also a six-hour delay in issuing the boil order, which meant some individuals could have been exposed to contaminated water while the authority crafted its emergency alert. Officials later said the delay occurred because they were working to pinpoint the exact area affected.</p><p>The authority has since conducted a full audit of the incident and released an after-action report to improve its monitoring and alert process for future incidents, should they occur.</p><p>"This report makes good on our promise to be as open and transparent with our customers as we can," said D.C. Water CEO and General Manager David L. Gadis in a statement. "We can and will do better. Although I'm proud of how quickly our team restored water pressure, how infrequently these types of incidents occur at our facility, and the many ways we shared the information with our customers, I want us to constantly improve."</p><p>Included in the list of recommendations from the audit were valve restrictions, such as placing operational controls at pumping stations to prevent releases of pressure by requiring a supervisor to approve when divider valves are opened; a review of the authority's SCADA alarm protocols; and adding a second server to reduce the likelihood that the authority's website would be overwhelmed.</p><p>While the D.C. incident was the result of a physical system error, experts like Grove are concerned about how well water and wastewater systems are equipped to address cyber threats to their infrastructure.</p><p>Many systems operators perceive that they are protected from cyberattacks because they use air gaps—meaning there's no direct connection between the system that controls the operations of the water or wastewater system and the Internet. </p><p>But with advancements in technology, many systems are not as isolated from the Internet as their operators might perceive, Grove says. </p><p>"Maybe in the old days, but nowadays it's not," he explains. "They tend to need to update systems, or they want to get data from a remote plant to a central facility for accounting purposes or to find out how many gallons of water they treated. All those things have evaporated the air gap."</p><p>Another vulnerability is the inability to regularly update systems inside the treatment facilities themselves—sometimes because of the air gap or because the system always needs to be operational.</p><p>"These systems on the industrial side, they're meant to be running stagnant for 10, 20, or 30 years so they aren't updated," Grove says. </p><p>"They don't take them down and patch them, and the end result is once an attacker gets past that mythical air gap…there's nothing to stop them from moving laterally, embedding themselves to stay there, and doing the things they want to do," he explains.</p><p>For instance, many of these systems—along with treating wastewater—also produce fresh water. In a worst-case scenario, a plant could be compromised and forced to begin dumping wastewater into creeks and rivers. Then, customers would turn on their taps and no water would come out.</p><p>"After a few days, when all the bottled water runs out, most people believe they'd just go to the mountains and live off the earth," Grove explains. "But if the places where we get our fresh water have been polluted, now we're going to have a tough time meeting that demand. "</p><p>"And without water, everything stops. You can't run a factory without water. You can't even make gasoline without water."</p><p>The perception of an air gap can also play against security professionals who are seeking to get funding to create a more layered approach to enhance the security of the system. </p><p>According to the U.S. Environmental Protection Agency's (EPA's) Cybersecurity Guide for States, one of the main challenges for water and wastewater utilities is the lack of resources for information technology and security specialists to assist with creating a cybersecurity program.</p><p> The entire threat landscape is hard to grasp, especially if the system relies on physical security stop gaps to avoid cyberattacks.</p><p>"Utility personnel may believe that cyberattacks do not present a risk to their systems or feel that they lack the technical capability to improve their cybersecurity," according to the guide. </p><p>In his conversations with security teams at water treatment facilities, Grove says he often finds that executives believe the air gap is a failsafe system, so additional security measures aren't needed to protect it from attack. </p><p>"Then it works against them and ends up causing them to struggle getting what they need to make a true, layered security model," Grove adds.</p><p>For instance, this would include mapping to determine what assets are in the system and how they're vulnerable, along with a monitoring system to detect when an infiltration has occurred—such as in the Bowman Avenue Dam attack.</p><p>The EPA's Cybersecurity Guide also offers a worksheet for water and wastewater treatment facility operators to create an effective cybersecurity program. Action items include auditing IT systems and identifying vulnerabilities, implementing secure remote access practices, improving physical security for IT equipment, and conducting cybersecurity training for utility staff and contractors.</p><p>"Talk to your IT service providers and others who manage your IT systems about how to carry out these actions at your utility," the guide suggested.</p><p>The guide also includes a section offering seven suggested steps for responding to a suspected cyber incident at a water utility. These include actions such as disconnecting compromised computers from the network, rather than rebooting systems; isolating all affected systems; and alerting customers as needed. </p><p>And while some are slow to take this advice, Grove says he has seen perceptions changing over the last year as cyberattacks have become more mainstream and understanding of the vulnerabilities in critical infrastructure deepens.</p><p>"If something as simple as a drip of water can actually take our society down, then people become much more interested in addressing it," he adds. ​</p>

Defenses

 

 

https://sm.asisonline.org/Pages/Something-in-the-Water.aspx2018-11-01T04:00:00ZSomething in the Water
https://sm.asisonline.org/Pages/Book-Review-Online-Danger.aspx2018-10-01T04:00:00ZBook Review: Online Danger
https://sm.asisonline.org/Pages/A-Stronger-Handshake.aspx2018-10-01T04:00:00ZA Stronger Handshake
https://sm.asisonline.org/Pages/Cybersecurity-and-Infrastructure.aspx2018-10-01T04:00:00ZQ&A: Cybersecurity and Infrastructure
https://sm.asisonline.org/Pages/Cyber-Trumps-Physical-as-Biggest-Threat.aspx2018-09-26T04:00:00ZCyber Trumps Physical as Biggest Threat
https://sm.asisonline.org/Pages/Election-Hardening.aspx2018-09-01T04:00:00ZElection Hardening
https://sm.asisonline.org/Pages/An-AI-State-of-Mind.aspx2018-09-01T04:00:00ZAn AI State of Mind
https://sm.asisonline.org/Pages/Cyber-Goals-Past-Due.aspx2018-08-01T04:00:00ZCyber Goals: Past Due
https://sm.asisonline.org/Pages/Critical-Risk-Management.aspx2018-08-01T04:00:00ZCritical Risk Management
https://sm.asisonline.org/Pages/Bridging-Worlds.aspx2018-07-01T04:00:00ZBridging Worlds
https://sm.asisonline.org/Pages/Attacks-on-the-Record.aspx2018-06-01T04:00:00ZAttacks on the Record
https://sm.asisonline.org/Pages/Cyber-as-Statecraft.aspx2018-05-01T04:00:00ZCyber as Statecraft
https://sm.asisonline.org/Pages/Missed-Deadline.aspx2018-03-01T05:00:00ZMissed Deadline
https://sm.asisonline.org/Pages/Cybersecurity-for-Remote-Workers.aspx2018-02-12T05:00:00ZCybersecurity for Remote Workers
https://sm.asisonline.org/Pages/A-Cyber-Pipeline.aspx2018-02-01T05:00:00ZA Cyber Pipeline
https://sm.asisonline.org/Pages/Vote-Integrity.aspx2018-02-01T05:00:00ZVote Integrity
https://sm.asisonline.org/Pages/Rethinking-the-Intelligence-Cycle-for-the-Private-Sector.aspx2018-01-26T05:00:00ZRethinking the Intelligence Cycle for the Private Sector
https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspx2018-01-01T05:00:00ZHow to Hack a Human
https://sm.asisonline.org/Pages/Book-Review---Cybersecurity-Law.aspx2018-01-01T05:00:00ZBook Review: Cybersecurity Law
https://sm.asisonline.org/Pages/Held-Hostage-.aspx2017-12-01T05:00:00ZHeld Hostage

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/New-Ways-to-Manage-Risk.aspxNew Ways to Manage Risk<p>​</p><p>WITH A GROWING CONSENSUS on the need to better protect utilities from the risk of cyberattacks, there is a push for utilities to implement a type of risk management used in the IT world. It is called Governance-Risk-Compliance (GRC) management. When looking at GRC management as an expanded security risk assessment platform, it is most important to put GRC into the proper context. Let us first consider what is leading us to this shift in utilities security practices and then how GRC could work if properly expanded and adapted to the industry.</p><p>Shifting Landscape<br>One of the main reasons for this shift—apart from an obvious need to bring utilities security practices into the 21st century—is a proliferation of IT-based systems now used to manage the integrated electricity grid, water systems, gas supplies, and other daily operations. In addition, allowing customers interactivity with their utility and providing conservation tools online has become the norm. Next generation energy consumers expect nothing less than mobility and information at their fingertips, and utilities will have to comply.</p><p>To meet all of these needs, utilities and others are creating virtual pathways, through inter-connected systems, to core information technology (IT) and operational technology (OT) assets. These OT assets include the core Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used to manage daily grid operations.</p><p>The problem is that compromise of these ICS/SCADA systems could lead to loss of electricity to millions of individuals, businesses, and public-safety systems resulting in massive socio-economic and environmental damage. And various malware vendors that collect and analyze cyberattacks have found evidence that these systems are, indeed, targets of attacks already. Thus, the way in which IT traffic is restricted and controlled across this system becomes of primary importance.</p><p>A Move to GRC<br>Enter GRC management. When we think about more traditional methods of security risk assessment (or threat-risk assessment, as it has also been known), we see a fairly common assessment methodology for physical assets. This includes: categorization of assets with criticality rankings, identification of all prevailing threats (all-hazards approach), identification of vulnerabilities based on detailed examinations of the asset environment (includes people and processes), and assignment of impact/disruption values based on criticality and overall risk ranking. Ultimately, the risk assessment leads to prioritized mitigation planning that ultimately leads into a business case development cycle.</p><p>GRC, having been developed as an IT tool, pulls risk information out of a detailed view of governance structures. This would include risks related to system management, IT-related responsibilities of various groups throughout the enterprise, and IT risks stemming from the utility’s business relationships with partners, vendors, and other stakeholders. It would also include IT risks related to standards and policy compliance (leading to vulnerability assessment) and may include data received from automated vulnerability scans, such as logs of unauthorized login attempts. In brief, the assessment indicates where IT risk exists based on an evaluation of policy and process management desired to keep the IT system healthy, usually as aligned to an adopted standard set like ISO 27000. Depending on the maturity of the organization, there may be multiple standards against which GRC is applied, including more detailed IT management standards based on those established by respected entities, such as NIST.</p><p>GRC does not assess compliance based on some standards frameworks, such as NISTIR 7628. Moreover, GRC does not assess risk in the same manner as a traditional security assessment. For example, there is no ability in the GRC model to assess threat actors or their capabilities and no ability to demonstrate enterprise risk based on things like physical security requirements and similar inputs. Criticality is not even called out as a priority in all cases. One is led to ask, then, what risk is really being measured through this GRC platform, and is the IT GRC platform comprehensive enough to address a smart grid environment?</p><p>But a follow-up question would be if not GRC, then what? There is the North American Electric Reliability Corporation, Critical Infrastructure Protection, or NERC CIP compliance model, which has historically not used GRC. But as helpful as NERC CIP is in addressing critical cyber asset identification, security, and management, NERC CIP does not apply to the distribution grid (which delivers electricity to consumers and comprises most of what we call the smart grid), and it is, therefore, an incomplete standard for addressing smart grid (distribution) complexity.</p><p>On the other hand, the more traditional risk assessment (physical) model, while it is comprehensive enough in its methodology, and while it works well with regard to the inspection of physical IT asset protection, does not even contemplate IT standards, IT governance, and compliance components and, therefore, it cannot produce an adequate risk reporting across the enterprise.</p><p>Expanding GRC<br>Recognizing all of these factors, the answer to assessing the risk for the new smart grid environment may be a much more advanced form of GRC to include the attributes of comprehensive physical asset protection assessment and those of the IT governance and compliance model.</p><p>Risk assessment in this new cyber-risk environment must have a complex means of assessing risk in a dynamic and continuous process, and it must produce real-time risk reporting since threat profiles can change rapidly. Situational awareness inputs, including utility security incident and event management inputs (SIEM), log information, and system-wide alerts need to be funnelled into such an engine to provide appropriate risk indicators for management on the fly.</p><p>Other data points, such as staff training metrics, personnel changes, access privileges, and environmental indicators, are equally important for understanding risk across the system. Risk assessments must factor in external threatscape information, such as what other utilities are reporting, and news about relevant activities of cyber-criminal groups and their capabilities. Some advanced GRC engines are currently the best vehicles for adapting to these needs.</p><p>Transition<br>Assessment of IT risk and physical risk must be integrated with information flowing to a single assessment engine. But even this is not enough. A vastly expanded GRC platform is needed. Furthermore, this expanded GRC assessment must be a continuous process, using as much automation as possible and including manual inputs for information that cannot be scanned in.</p><p>This objective is a daunting, complex goal to consider. But it is absolutely necessary in this complex environment we are now called to manage within the utilities sphere. Getting to this goal will require some fundamental changes, including the development of new skill-sets in the area of security expertise, the development of more comprehensive security software, and the development of utility operations paradigms to accommodate these changes. Attitudes, skill-sets, and processes need to change quickly to meet the expanding operational risk.</p><p>Fortunately, there has already been recognition of and movement on the need to develop new skill-sets. We have seen increased uptake in IT certifications held by utilities security professionals. The agenda of the ASIS International Utilities Security Council has shifted to include more cyber-focused issues. Collaboration between the ASIS Utilities Security Council and the ASIS IT Security Council has increased over a relatively short time, indicating both a desire and a need for traditional security professionals within the utility sphere to learn more and apply more IT security practices to their daily security management practices.</p><p>The Critical Infrastructure Working Group, a collaborative body of numerous ASIS council leaders and others, has started developing a cyber-education initiative to help traditional security professionals transition to a more IT-savvy security knowledge base. Priorities for ASIS education program development and certification requirements have also clearly shifted more toward the cybersecurity end of the spectrum.</p><p>The Utilities Security Council’s recognition of the need to become more IT-centric has also been reflected in its white paper series. All of the papers issued in 2012—including those that covered smart grid security, integrated security, and a future view on certification requirements for utilities—addressed IT-based issues. This represents a key tipping point for what remains a primarily “traditional” group of security professionals who have usually been labelled by their IT counterparts as “physical” security professionals.</p><p>As for the tools needed to adapt an expanded GRC model, GRC software products exist today, and one or two of the developers of those products are trying to address utility needs. The best avenue for adopting this risk-assessment process today may be to apply the most comprehensive GRC software package available, one that has demonstrated the concept of real-time, diverse feeds, and work with that vendor (the author prefers not to identify specific vendors) to develop a more customized model of what your enterprise needs, with a view to the future.</p><p>Compliance management will need to take a dominant position in this development, because regulatory compliance is important for utilities, and because it is possible that the enterprise does not yet fully understand it. A compliance exercise using a robust GRC engine can help flesh this out.</p><p>Finally, given that even transmission line checks and substation maintenance schedules form part of utility compliance, and assist overall utility security, along with dozens of other requirements across the company, a GRC engine should be adapted to include this type of issue. And making it inclusive of these considerations can also help to build a business case for acquiring funding approvals. After all, if any task is important for the ongoing resiliency of the utility, it should be measured in terms of compliance management and as a contributor to overall risk. GRC management can assist with this.</p><p>This article has not explored many of the other factors that will feed into heightened cybersecurity concerns for the utility, like continued adoption of cloud services and expansion of mobility tools, not to mention a complete set of security concerns related to social media and Bring Your Own Device policies. Each will impact the security stability of the utility and electricity grid in new ways and add complexity to security management. Managing vendors to ensure appropriate technologies have security “by design” will be equally important in the overall, ongoing risk assessment. There are many vulnerability points in utility operations separate from and contributing to security management issues. Each must be factored into the daily security risk management cycle.</p><p>Doug Powell, CPP, PSP, is manager of security, privacy and safety governance and risk for smart metering at BC Hydro in British Columbia, Canada. He serves as vice chair of the ASIS International Utilities Security Council and chair of the Critical Infrastructure Working Group. He is also an associate to the Infrastructure Resiliency Research Group at Carleton University in Ottawa, Ontario. He has more than 30 years’ experience in the industry and has been recognized with numerous awards. The Utilities Security Council has written white papers on many of the topics discussed in this article as well as others not addressed here. These papers are excellent resources to begin understanding the scope of security risk management issues today.<br></p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/The-Role-of-School-Resource-Officers.aspxThe Role of School Resource Officers<p>​Mo Canady, executive director of the National Association of School Resource Officers (NASRO), discusses the security implications of an SRO’s role in today’s educational environment.</p><p class="p1"><i>Q. What are school resource officers (SROs) and what are some of their job functions?  </i></p><p class="p1"><b>A. </b>SROs are sworn law enforcement officers assigned by their employing law enforcement agency to work with schools. They go into the classroom with a diverse curriculum in legal education. They aid in teaching students about the legal system and helping to promote an awareness of rules, authority, and justice. Outside of the classroom, SROs are mentoring students and engaging with them in a variety of positive ways.</p><p class="p1"><i>Q. What are some of the standards and best practices your organization teaches? </i></p><p class="p1"><b>A. T</b>here are three important things that need to happen for an SRO program to be successful. Number one, the officers must be properly selected. Number two, they have to be properly trained. And thirdly, it has to be a collaborative effort between the law enforcement agency and the school district. This can’t just be a haphazard approach of, “We have a drug problem; let’s put some police officers in there and try to combat it.” It needs to be a community-based policing approach.</p><p class="p1"><i>Q. Some SROs have come under fire for being too aggressive in the classroom. What’s your take?</i></p><p class="p1"><b>A. </b>There have been a handful of incidents that have played out in the media. But, it is up to the investigating agency to determine right and wrong. I’ve been very happy with the fact that the majority of those officers involved in these incidents have not been trained by us.</p><p class="p1"><i>Q. How does NASRO train officers to deal with potential threats? </i></p><p class="p1"><b>A. </b>In our training, we certainly talk about lockdown procedures and possible responses to active shooter situations, but we don’t get too detailed. It’s really up to each agency to make those kinds of decisions. In the case of an active shooter, I don’t believe most SROs are going to wait for additional backup to get there. Most of them are so bought into their schools and their relationships with their students, that if they hear gunfire, they’re going to go try to stop whatever is happening. </p><p class="p1"><i>Q. Do SROs consider themselves security officers? </i></p><p class="p1"><b>A. </b>We’re engaged in security and it’s a big part of what we do—but it’s just one piece of what we do. Sometimes when people think about physical security, the idea of relationship building doesn’t necessarily come in there, and yet it’s the lead thing for us. We know that through those relationships, if we’re building them the right way, we may get extremely valuable information from students, parents, faculty, and staff. It’s what leads to SROs in many cases being able to head off bad situations before they happen.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspxSurveillance and Stereotypes<p>​Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report <em>Shop­lifting Statistics.</em></p><p>To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags. </p><p>The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters. </p><p>Are these surveillance decisions a result of bias? To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.​</p><h4>Existing Data</h4><p>A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.</p><p>Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves. </p><p>Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes. </p><p>It is also common for the media to portray adolescents—particularly boys—as criminals. Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.</p><p>The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers purport that they were targeted through excessive surveillance—and even through false arrests. </p><p>Researchers have shown that this automated bias occurs even when observers were trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”</p><p>Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. The results of accumulated discrimination, accrued during each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue in the legal system. This is evidenced by the disproportionate number of African- and Latin-American boys shown in the apprehension and arrest statistics of juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the Chicago University Press. ​</p><h4>Current Research</h4><p>To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas:  97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state. </p><p><strong>Shoplifter profile. </strong>The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.</p><p>The security and emergency management major students—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.</p><p>Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status. </p><p>The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. The two samples also indicated that the stereotypical thief was likely to have short or medium length brown or black hair and an identifying mark—such as a piercing. </p><p>These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.</p><p><strong>Decision processes. </strong>After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security guards’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.</p><p>The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. However, the description of the overt behaviors by the juvenile was the same for every scenario—selecting and returning shirts in a rack, glancing around the store, and stuffing a shirt into a backpack.</p><p>Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling a juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. Researchers reasoned that respondents should draw identical conclusions for surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but that students would have different recommendations for these choices if their racial or ethnic stereotypes were activated.</p><p>Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences for race or ethnicity were notable when considering reliance on physical characteristics.</p><p>Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. Their selection of the least severe sanction—talk to the juvenile—was doled out at a higher rate for boys than for girls of each ethnicity except European Americans, which did not differ.</p><p>The moderate level sanction—call the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe level sanction—ban the youth from the store—was selected more for boys than for girls of African descent. However, it was selected more for girls than for boys of Asian, European, and Middle Eastern descent.<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%201.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:510px;" /></p><p>Respondents who indicated a preference for applying formal sanctions attributed physical characteristics to the guards’ surveillance decision for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities. </p><p>Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. Their selection of the least severe sanction—involve the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.</p><p>The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.</p><p>Finally, a comparison of our data revealed that respondents believed informal—rather than formal—consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent. ​<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%202.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:519px;" /></p><h4>Lessons Learned</h4><p>Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also showed that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.</p><p>Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. Our data suggests that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also simultaneously prevents security officers from apprehending shoplifters.</p><p>Other research, such as from “Juvenile Shoplifting Delinquency: Findings from an Austrian Study” published in the 2014 Journal for Police Science and Practice, shows that only 10 percent of juveniles are caught shoplifting. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.</p><p>Another issue that was addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police. </p><p>Retailers instead focus on minimizing loss and negative publicity, and may rationalize against reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.</p><p>These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting. </p><p>There are benefits for retailers who involve the legal system, especially for informal police sanctions. </p><p>First, criminal justice diversion programs and psychological treatment and educational programs treatment may reduce recidivism. For example, shoplifters who attended and completed a diversion program had significantly fewer re-arrests compared to those who failed to complete or did not attend, a DOJ study found.</p><p>Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased. ​</p><h4>Recommendations</h4><p>Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices. They also need training to learn which behavioral indices are most effective in distinguishing shoppers from shoplifters. </p><p>If retailers do not make significant changes in guiding their employees—particularly security officers—towards objective measures of vigilance to prevent shoplifting, their financial loss will continue to be in the billions of dollars. </p><p>Private security officers must be taught how to treat all potential shoplifters, regardless of their gender, in the same way to prevent making mistakes and subjecting retailers to lawsuits for discriminatory security practices.</p><p>Overcoming unconscious biases is difficult. Prior to specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered. </p><p>The officers should also keep records that specify each incident of shoplifting, what behaviors drew their attention to warrant surveillance, what act occurred to provoke them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and reasons for the decision. The officers should then review these records with their retail managers.</p><p>Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors to increase detection and reduce shrink. </p><p>The incident records could be introduced and used to help identify the impact biases have on private security professionals’ decisionmaking about juvenile shoplifters. It would also help security guards learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.</p><p>Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples.  </p><p>--<br></p><p><em><strong>Dr. Lauren R. Shapiro </strong>is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. <strong>Dr. Marie-Helen (Maria) Maras</strong> is an associate professor at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security.   ​</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465