
What Home Burglary Teaches You About Risk Management

Are You Doing What You Should to Effectively Manage Risk? How Much Security is Enough?

I hope all of my SecurityWeek readers are having a restful and pleasant summer. Mine started out fine: at work, we convened our first ever Customer Advisory Council — which was a blast. Outside of work, I attended my 20th year college reunion — also a blast. And nicest of all, I spent many languorous weekends with my wife, family and friends enjoying Cape Cod and the charms of Boston in the summer. (Not all together at the same time, mind you…)

But one evening, the summer took a turn for the worse. I returned home from work and realized that we had been robbed. The tell-tale signs were obvious. Markings on our condo’s entry door showed that a thief had forced his way in, after having jimmied or social-engineered his way through the building’s front door. After checking around, we found that the thief had stolen thousands of dollars worth of valuables. I was thankful nobody was hurt. Perhaps most chilling was the fact that both of our upstairs and downstairs neighbors had apparently been at home when it happened — they had heard some noises, but hadn’t thought anything of it.

Suddenly, I knew what it felt like to be Sir Howard Stringer, Derek Smith or Robert Baldwin — the bosses of Sony, ChoicePoint and Heartland Payment Systems, respectively, at the times of their well-publicized incidents. Like them, I’d been robbed, blagged, pinched, fleeced blind. After pinwheeling through the whole range of emotions — from disbelief to anger to hurt to sadness — my head stopped spinning and I started taking stock of the situation. My training kicked in. I wanted to know: How did this happen? What can I do to prevent it from happening again? And, going forward, how much protection will be enough to keep us safe?

The first question was easiest to answer. Upon examining the facts, it seemed clear that the thief had:

Exploited the most obvious weaknesses. The thief didn’t do anything tricky. He didn’t scale a wall, navigate a fire escape, or impersonate a UPS driver. He walked up to our building door, and our condo door — and popped both of their locks using common techniques that any common criminal would know.

Struck when no one was watching. The thief didn’t break in while we were sleeping, or on the weekend: he struck in the middle of the day, while my wife and I were at work. Smart.

Knew what to look for. The thief took all of the portable electronics he could carry and sell quickly: two laptops, an iPod, and all of the matching electrical adapters (fences don’t want gear they can’t charge, apparently). He took several sets of headphones, walked off with a jewelry box and raided a bureau drawer containing family heirlooms. Plus my wife’s gym bag to carry it all away in. But he didn’t take the stereo, TV or larger electronics. These were not as fungible, and removing them would have attracted too much attention.

Covered his tracks. In Hollywood movies, when someone’s house gets robbed, the whole thing inevitably looks like a wreck: turned over bookcases, broken glass, picture frames on the floor. That's not what happened here: other than a few marks on the door, nothing else was obviously disturbed or out of place. It was only after looking that we found that a few things were… missing. The theft had been as subtle as he had been surgical, which made it that much more disturbing.

In short, our thief exploited common weaknesses, waited for the moment when nobody was looking, went after only the most valuable things, and tried to cover his tracks. As TV’s Craig Ferguson says, does this remind you of anyone? Yep, it’s a lot like what happened to poor Sir Howard and company.

But wait, there’s more! After completing our own little “audit” of the thief’s techniques and means of ingress, I realized that we had made it much easier for him by neglecting some basics — just like in these other cases. In my own case, having lived in a city environment for nearly 15 years without an incident, I assumed “it would never happen to me.” Also, I had chosen to safeguard our unit, and all of the vast riches it contained, with a $25 residential lock and a soft wooden door. I had not lately been paying attention to the crime-blotter feature in my local neighborhood paper, which might have tipped me off that there had been multiple thefts in the neighborhood. We had not installed — and used — a home alarm. And we hadn’t shielded the building’s outside door lock to prevent someone from slipping tools in between the door and the jamb. These were all things we should have done, and been doing, all along.

Next, our thoughts turned to what we needed to do. What did we need to fix? As it turns out, the fixes were the converse of our weaknesses. These included:

Increased vigilance: paying more attention to our neighborhood, neighbors and passers-by.

Shielding for the entry points: commercial grade locks, steel doors and strike protectors for our unit, plus similarly upgraded hardware for the building.

Alarm system: motion sensors, entry sensors, a panic button and a siren.

Obfuscation: some clever apparata to disguise valuables.

Burglar-resistant safe: to protect our valuables when our outer layers of defense fail.

Testing and preparation: a thorough review of instructions to ensure we knew how everything works, especially the alarm. Plus: repetition, repetition, repetition to ingrain new habits.

Every one of these fixes has a direct parallel in information security: intrusion detection, firewalls, managed services, SIEM, tokenization, encryption, and security awareness training, just to name a few. It goes to show that burglary and industrial theft have quite a bit in common!

And just like with information security, we also had to answer the question, “when we fix our weaknesses, how much security is enough?” For example, how much did we want to pay for an alarm system? Did we want Brinks or ADT to come in, rip up our walls and install a complex alarm system? No: we concluded that we would get 90% of the benefit using a wireless system called SimpliSafe that has fewer features but is much less expensive. Similarly, we didn’t see the need to buy a TL-30-rated burglary safe that can resist hand tools, drills and power saws for a half hour or more. Not only do entry-level safes start at $2,500, but also they are required to weigh at least 750 pounds! That was a bit more than we planned to spend (and lift) — especially considering that we no longer had much worth protecting. A cheaper, lighter safe was a better choice for us, not least because it still protected us quite well from the one risk we rated higher than theft: fire. Guiding our decisions was an implicit budget of what we were willing to spend to shore up our weaknesses. Again, all of these things — budgets, trade-offs of protections and cost, risk prioritization — all have direct parallels in information security.

There is no polite way to put this: being burglarized sucked. We could have panicked, glossed over, over-spent in response, blamed others, wallowed in self-pity or beat our heads against the wall for neglecting some of the more obvious things. I could have even used the burglary as an excuse to wax philosophic about parallels to that glamorous chimera, the Advanced Persistent Threat!

But I did not. In these kinds of circumstances, it’s not what happened that matters. It’s how you respond. I’d like to think we chose a middle path that will keep us better prepared next time, and help us sleep more peacefully in the meantime.

Andrew Jaquith is CTO at SilverSky. Prior to his current role, he served as a senior analyst with Forrester Research where he led team coverage for data, endpoint and mobile security topics. Prior to joining Forrester, he was program manager in Yankee Group's enabling technologies enterprise group, with coverage of client security, digital identity, and web application security. Before joining Yankee Group, he co-founded @stake, a security consulting pioneer, which Symantec acquired in 2004. Before @stake, he held project manager and business analyst positions at Cambridge Technology Partners and FedEx. He is the co-developer of the Apache JSPWiki open source wiki software package, and the author of the 2007 Addison-Wesley Professional book "Security Metrics: Replacing Fear, Uncertainty and Doubt." Andrew holds a B.A. in Economics and Political Science from Yale University.