Security is the enemy of efficiency, or attention is a scarce resource

“Security is the enemy of efficiency”. I don’t know if anyone has said it before, but it has become clear to me that the primary outcome of most security systems is to make my (and others’) life less productive. Whether I am safer as a result I have no evidence to produce.

Case 1: Airports
Airports are more secure than they used to be. To enter an airport (get to the gates) I must wait in a long line at security, disrobe (well jacket and shoes and wallet and keys and cell phone and watch and change), unpack (removing laptop from the bag), and trash (any fluids in containers larger than 3 oz)go through a metal detector screener, perhaps be pulled aside for special treatment with a handheld screener and be frisked by agents.
My checked luggage is similarly interrogated, it is x-rayed and opened (on a recent trip I received such a note from TSA).
Complaint 1 of course is the additional delay imposed by the security. People are now required to get to the airport earlier because of the security, and those previously on the margin between flying and driving may now drive at considerably greater risk to themselves and others because of the hassle factor.
Complaint 2 is the issue of opportunity costs. Attention is a scarce resource. Attention to one type of threat takes away attention to others, given a fixed amount of resources devoted to security. By ensuring no shoe bombers, attention must be given to x-raying shoes. Where else could that attention be placed? I don’t know, but people who aim to do harm surely will figure out a different hole in the system (3 oz bottles cannot do harm, so all 3 oz or less are permitted through). The Transportation Security Administration is billing this as the 3-1-1 plan, an unfortunate name given the Madrid train bombings occurred on March 11, 2004.
Well, if I remember my physics correctly, I can pour the contents of 2 3 oz bottles into a 6 oz bottle, and 4 3 oz bottles into a 12 oz bottle, and so on. And bottles are easily available past security at McDonalds or the Duty-Free store. Not to be giving anyone any clues here, but the fluid restrictions don’t seem like they would likely to be effective. Assuming danger does come in fluid form, does this really have a point?
Security is the enemy of security. All the staff resources devoted to changing rules about carrying water bottles onboard do nothing except increase sales at McDonalds and maybe make some people who live lives of fear feel slightly reassured that the government is doing something. (And credit the government for doing something when in fact it is doing nothing). Is this really where we should be devoting scarce resources.
Case 2: Online banking
I have recently established, after much grief, an account at a British bank, to remain nameless, but whose customers will I suspect recognize the login screen information. To log into this account I need a customer number (not a social security number, or a national ID number, or a name, but a unique to that bank customer number). As it says on the website
“This is your date of birth (ddmmyy) followed by your unique number which identifies you to the Bank.”
My date of birth of course is public knowledge. The unique number is presumably not.
The likelihood of my remembering said number, were I not to have a fantastic memory, given all of the other numbers I remember is small, leading to it being highly likely that for the typical customer the number is recorded somewhere, perhaps on a slip of paper, somewhere near to the computer.
Next, on a new screen, I must enter my pin. I can remember my PIN, I use it to extract money from the bank machine. Well not quite,
“Log In – Step 2
Your PIN
Forgotten your PIN or Password?
Enter the third digit from your PIN
Enter the fourth digit from your PIN
Enter the second digit from your PIN
Your Password
Enter the second character from your Password
Enter the fifth character from your Password
Enter the seventh character from your Password”
So I have both a PIN and a Password. But it is not enough to enter those, I must select random digits from those words and enter those. How am I going to figure out what is the 97th digit of my password? By saying out loud the first 96 digits. Hardly secure.
Then I get to access my online account. After entering 16 digits out of 22 digits of information.
To access my US bank account in contrast, I enter a social security number (hardly secure, but one of the numbers you actually do remember since it is used in many places) at 9 digits, and a password at some number of digits between 4 and 8, which can be the same as the PIN. So the net burden of storage is only those 4 to 8 digits.
As a consequence, I can log on faster, be less likely to be locked out of my account for entering the wrong password 3 times in a row.
I believe the banking case illustrates, not only is security the enemy of efficiency, by putting an unreasonable burden on customers and causing information to be written down or said aloud, is causing the event to be in fact less secure. So we might again say security is the enemy of security.
The point of this is not that we can live in a security free society. However, security has its costs, both in efficiency, and in attention paid to other security issues. Security needs to succomb to benefit cost analysis like any other activity, and if the benefits of a particular scheme don’t outweight the costs, or worse, are negative, we ought not engage in that scheme.