Security | October 08, 2025 | 26 min read

Insecurity through Insecurity

In both digital and physical security, many well-intentioned security measures actually increase the very risks they're designed to prevent. Understanding why this happens—and how to avoid it—is crucial for effective protection strategy.


Security Engineer

Schild Technologies

In both digital and physical security, we face a troubling paradox: many of our most well-intentioned security measures actually increase the very risks they're designed to prevent. This phenomenon—where security implementations create insecurity—represents one of the most persistent and underexamined challenges in modern protection strategy.

From corporate password policies that encourage predictable user behaviors to elaborate access control systems that prompt employees to prop doors open, the security industry has developed a concerning pattern of implementing measures that look effective on paper but fail catastrophically in practice. Understanding why this happens—and how to avoid it—is crucial for anyone responsible for protecting digital or physical assets.

Security theater ethology

The fundamental problem usually lies in designing security for an idealised user rather than for how people actually behave. Consider the typical enterprise password policy: at least 12 characters, uppercase and lowercase letters, digits and special characters, changed every 90 days. It sounds rigorous. In practice it steers users toward passwords such as "Password123!" and, each quarter, the smallest edit the checker will accept: "Password124!". Users satisfy composition rules in predictable ways (a capital letter first, digits and a symbol last), so the rules add far less guessing resistance than they appear to (Komanduri et al., 2011), and forced rotation yields passwords derived from the previous one. This is why NIST SP 800-63B (Grassi et al., 2017) advises verifiers not to impose composition rules or periodic rotation, and to screen new passwords against lists of known-compromised values instead.

Physical security exhibits an identical pattern. Organizations install sophisticated card reader systems with multiple authentication steps, biometric scanners, and automatic locking mechanisms. Then they wonder why employees consistently prop doors open or share access cards with colleagues. The security system becomes so cumbersome that it trains people to circumvent it rather than use it properly.

Research consistently shows that long passphrases built from randomly chosen words, such as "coffee mountain bicycle garden", resist guessing better than short mangled strings while being easier to remember and type. The caveat is the word choice: a song lyric or a phrase the user already uses elsewhere is on the guesser's wordlist, while four words drawn at random from a large list are not. Similarly, physical security works best when it feels natural and convenient: turnstiles that flow smoothly, access controls that don't impede legitimate business activities, and emergency procedures that people can actually remember under stress.

Yet organizations continue implementing complex requirements in both domains because they appear more professional and satisfy compliance auditors, even though they demonstrably weaken security by encouraging circumvention behaviors.

The compliance trap

One of the biggest drivers of counterproductive security is the focus on compliance demonstration rather than risk reduction. Organizations spend enormous resources implementing security measures that look impressive to auditors while failing to address their actual threat vectors.

The annual security training charade

Most corporate security awareness programs exemplify this problem across both domains. Employees sit through online modules about cartoonish phishing emails ("Congratulations! You've won $1,000,000 from the Nigerian lottery!") and equally cartoonish physical threats (suspicious strangers lurking in parking lots) that bear no resemblance to the targeted attacks they actually face.

Real phishing attempts reference legitimate business relationships and use convincing organizational context. Real physical security threats often involve social engineering by individuals who appear legitimate and confident—people who look like they belong and act like they have every right to be there.

Yet training programs continue using obvious examples because they're easier to create and score, generating completion certificates that satisfy compliance requirements while providing minimal actual protection. Meanwhile, security managers look at 100% training completion rates and believe their workforce is prepared for real threats.

Physical security theater in action

Airport security provides perhaps the most visible example of physical security theater. Passengers remove shoes and submit to elaborate screening procedures that create the appearance of thorough protection while security experts consistently demonstrate fundamental vulnerabilities in the system. The visible security measures provide psychological comfort and satisfy regulatory requirements, but their effectiveness against determined attackers remains questionable.

[Figure: an airport security checkpoint with long queues of passengers waiting to be screened.]
Visible security theater, like elaborate airport screening procedures, often prioritizes the appearance of protection over actual risk reduction.

Similarly, many corporate offices implement visitor badge systems that require guests to sign in, receive temporary badges, and be escorted, but then allow badged employees to hold doors open for anyone following behind them (tailgating). The formal process becomes meaningless when basic courtesy undermines the access control: the reader only ever authenticates the first person through the door.

Technology proliferation without integration

Similar patterns emerge in both digital and physical technology implementations. Organizations often respond to security concerns by purchasing every available tool—multiple antivirus programs and surveillance cameras, various scanning systems and access control devices, different monitoring platforms and alarm systems.

This approach typically creates more problems than it solves:

  • Overlapping systems conflict with each other and degrade performance
  • Security staff become overwhelmed by thousands of daily alerts from both digital and physical monitoring systems
  • Critical warnings get buried in the noise
  • Systems become so complex that nobody understands how to manage them properly
  • Important configurations get overlooked or misconfigured

Training insecure behavior

Perhaps the most damaging aspect of poorly designed security is how it trains users to behave insecurely in both digital and physical environments. When security measures are excessively restrictive or inconvenient, they create predictable user adaptations that often negate any protective benefits.

Digital circumvention patterns

A three-year study of email security implementations across 15 organizations revealed systematic patterns where the most restrictive security policies correlated with the worst security outcomes:

  • Overly aggressive spam filtering led to widespread domain whitelisting that created new phishing vectors
  • Complex email authentication procedures resulted in credential sharing among colleagues
  • Restrictive email policies drove 78% of business communications to unmonitored consumer platforms like personal Gmail accounts

Organizations with the most restrictive email security showed higher rates of successful phishing attacks than those with moderate security measures.

Physical security circumvention

Physical security exhibits identical behavioral patterns. Buildings with overly complex access procedures see systematic circumvention:

  • Employees prop open secured doors rather than navigate cumbersome card reader sequences for routine activities
  • Tailgating becomes standard practice when legitimate access procedures are too slow or unreliable
  • Staff create informal access sharing arrangements (lending key cards, sharing door codes) when official procedures impede productivity
  • Emergency exits get propped open because normal egress routes are too inconvenient

A corporate campus study found that buildings with the most sophisticated access control systems had the highest rates of security policy violations. Employees faced with 30-second authentication delays for each door developed systematic workarounds that effectively bypassed all access controls.

These aren't character flaws—they're rational responses to security designs that prioritize theoretical protection over practical usability. The security measures literally train users to behave less securely in both digital and physical environments.

The integration challenge

Modern organizations face unique challenges when their digital and physical security systems operate in isolation. This segregation often creates vulnerabilities that sophisticated attackers exploit by moving between digital and physical attack vectors.

The convergence problem

Many successful attacks combine digital and physical elements. An attacker might:

  • Use social engineering via phone or email to gather information about physical locations and access procedures
  • Gain physical access to facilities to install network hardware or access unlocked computers
  • Use digital reconnaissance to identify when buildings are less occupied or when specific individuals will be present

Yet most organizations manage digital and physical security as separate domains with different teams, different budgets, and different compliance frameworks. This separation creates blind spots that attackers exploit systematically.

Badge access and network security

Consider how badge systems and identity systems are typically provisioned by different teams from different data. An employee's network account may stay active for weeks after their badge is revoked, or the badge may keep working after the account is disabled. Visitor badges are sometimes paired with network accounts that carry none of the controls applied to employees, and temporary network accounts often have no matching limit on physical access. Because the two systems never compare their records, such gaps persist until someone notices by accident, and neither a purely digital nor a purely physical control can close them.
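A reconciliation check is the practical fix, and it is small. The following is an added example, not the article's or any vendor's code: it joins a constructed badge-system export with a constructed identity-provider export on a shared person identifier (an assumption; real environments often need an HR mapping table in between) and reports the mismatches just described, plus a dormant-badge case that usually means the card was never collected.

```python
"""Reconcile a badge-system export against an identity-provider export
(added example; the CSV samples below are constructed, not real exports)."""
import csv
import io
from datetime import date

BADGE_CSV = """person_id,holder,badge_type,badge_status,revoked_on,last_used
1001,alice,employee,active,,2025-10-06
1002,bob,employee,revoked,2025-09-01,2025-08-29
1003,carol,employee,active,,2025-10-07
1004,dave,employee,active,,2025-07-15
2001,visitor-17,visitor,active,,2025-10-07
"""

IDP_CSV = """person_id,account,account_status,last_login
1001,alice@example.com,active,2025-10-07
1002,bob@example.com,active,2025-10-05
1003,carol@example.com,disabled,2025-06-30
1004,dave@example.com,active,2025-10-07
1005,erin@example.com,active,2025-10-07
2001,guest17@example.com,active,2025-10-07
"""


def load(csv_text: str) -> dict[str, dict]:
    """Index an export by the person identifier assumed to be shared by both systems."""
    return {row["person_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def to_date(value: str):
    return date.fromisoformat(value) if value else None


def reconcile(badge_csv: str, idp_csv: str, today: str, dormant_days: int = 60) -> list[dict]:
    """Return findings where physical and network access disagree."""
    today = date.fromisoformat(today)
    badges, accounts = load(badge_csv), load(idp_csv)
    findings = []

    def add(pid, severity, text):
        findings.append({"person_id": pid, "severity": severity, "finding": text})

    for pid, acct in accounts.items():
        acct_active = acct["account_status"] == "active"
        badge = badges.get(pid)
        if badge is None:
            if acct_active:
                add(pid, "info", f"{acct['account']} is active but has no badge record")
            continue
        badge_active = badge["badge_status"] == "active"
        if acct_active and not badge_active:
            # Leaver not deprovisioned: worse if the account was used after the badge died.
            revoked, last_login = to_date(badge["revoked_on"]), to_date(acct["last_login"])
            used_after = bool(revoked and last_login and last_login > revoked)
            detail = f"; last login {last_login} is after revocation on {revoked}" if used_after else ""
            add(pid, "high" if used_after else "medium",
                f"{acct['account']} still active after badge revocation{detail}")
        elif badge_active and not acct_active:
            add(pid, "medium", f"badge of {badge['holder']} still active although account is disabled")
        elif badge_active and acct_active:
            if badge["badge_type"] == "visitor":
                add(pid, "high", f"visitor badge {badge['holder']} is paired with network account {acct['account']}")
            else:
                last_used = to_date(badge["last_used"])
                idle = (today - last_used).days if last_used else None
                if idle is None or idle > dormant_days:
                    usage = "never used" if idle is None else f"unused for {idle} days"
                    add(pid, "low", f"badge of {badge['holder']} {usage} while account is active")
    for pid, badge in badges.items():
        if pid not in accounts and badge["badge_status"] == "active" and badge["badge_type"] != "visitor":
            add(pid, "info", f"employee badge of {badge['holder']} has no network account")
    return findings


if __name__ == "__main__":
    for finding in reconcile(BADGE_CSV, IDP_CSV, today="2025-10-08"):
        print(f"[{finding['severity']:>6}] {finding['person_id']}: {finding['finding']}")
```

Run nightly against fresh exports, the "high" findings are the ones to page on: an account used after its owner's badge was revoked is either a leaver still logging in or someone else using their credentials, and a visitor badge tied to a network account means the visitor process has quietly become an onboarding process.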

The vendor-driven complexity problem

Both cybersecurity and physical security industries contribute to implementation problems through business models that incentivize complexity over effectiveness. Vendors in both domains differentiate their products by adding features rather than improving core functionality, leading to solutions that exceed most organizations' ability to implement correctly.

Feature creep across domains

Modern enterprise security platforms—whether digital or physical—often include hundreds of configuration options, advanced analytics capabilities, and integration features that sound impressive in sales presentations but prove overwhelming in practice. Organizations purchase sophisticated access control systems with biometric readers, proximity cards, PIN codes, and mobile app integration, then configure them incorrectly because the complexity exceeds their technical expertise.

Similarly, cybersecurity platforms with threat intelligence feeds, behavioral analytics, machine learning capabilities, and automated response features often get deployed with default settings that provide minimal protection because proper configuration requires expertise that organizations lack.

The emergency response cycle

Both industries exploit cultures of constant emergency response. After high-profile physical security incidents (workplace violence, terrorist attacks) or cyber breaches make headlines, organizations rush to purchase solutions that address specific attack vectors from recent news rather than conducting thoughtful assessments of their actual risk profiles. This reactive approach leads to collections of disconnected security tools that don't integrate well and may duplicate existing protections while creating new vulnerabilities through complexity and poor implementation.

Building integrated security that actually works

Breaking the cycle of insecurity through insecurity requires fundamental changes in how we approach both digital and physical security implementation. The most effective security measures are often those that users never notice because they operate seamlessly in the background while providing robust protection.

Risk-based implementation

Effective security starts with honest risk assessment that considers both digital and physical threat probabilities along with organizational capabilities. Rather than implementing every recommended security control in both domains, organizations should prioritize measures that address their most significant actual risks while remaining within their operational capacity to maintain properly. This means acknowledging that perfect security is impossible and that attempting comprehensive protection often results in worse outcomes than focusing on achievable, maintainable improvements across both digital and physical environments.

User-centric design

Security controls should enhance rather than hinder productivity in both digital and physical environments:

  • Single sign-on that gives seamless access to multiple applications, backed by phishing-resistant multi-factor authentication so that the one credential users now depend on is also the hardest to steal
  • Physical access controls that flow naturally with building usage patterns
  • Automatic security updates that happen transparently in digital systems
  • Physical security measures that feel like natural building features rather than imposed restrictions
  • Clear policies that people can actually remember and follow consistently across both domains

The best security implementations feel invisible to users while providing strong protection. When security makes people's work easier rather than harder in both digital and physical contexts, compliance rates increase dramatically and circumvention behaviors decrease.

Integrated threat response

Organizations should develop security operations that address both digital and physical threats through coordinated response capabilities:

  • Security operations centers that monitor both network activity and physical access patterns
  • Incident response teams trained to address attacks that span digital and physical domains
  • Threat intelligence that incorporates both cyber threat indicators and physical surveillance information
  • Risk assessments that consider how digital and physical vulnerabilities might compound each other
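Of the capabilities listed, the first is the easiest to show in code. The example below is added here and uses constructed events, not real telemetry: it checks a remote VPN login against the account holder's badge state, flags a LAN logon at a site where the user never badged in (the signature of a propped door or a tailgate), and flags two badge-ins at different sites closer together than the assumed travel time between them (a cloned or lent card). The eight-hour presence window and the travel-time table are assumptions.

```python
"""Correlate physical badge events with network authentication events
(added example; every event below is constructed)."""
from datetime import datetime, timedelta

BADGE_EVENTS = [
    {"ts": "2025-10-07T08:02:00", "person": "alice", "site": "HQ", "dir": "in"},
    {"ts": "2025-10-07T08:05:00", "person": "bob", "site": "HQ", "dir": "in"},
    {"ts": "2025-10-07T08:07:00", "person": "bob", "site": "BRANCH-WEST", "dir": "in"},
    {"ts": "2025-10-07T08:30:00", "person": "dave", "site": "HQ", "dir": "in"},
    {"ts": "2025-10-07T17:30:00", "person": "alice", "site": "HQ", "dir": "out"},
]
AUTH_EVENTS = [
    {"ts": "2025-10-07T09:15:00", "user": "alice", "kind": "vpn", "site": None, "src": "203.0.113.7"},
    {"ts": "2025-10-07T09:20:00", "user": "carol", "kind": "lan", "site": "HQ", "src": "10.10.4.23"},
    {"ts": "2025-10-07T10:00:00", "user": "dave", "kind": "lan", "site": "HQ", "src": "10.10.4.31"},
    {"ts": "2025-10-07T20:00:00", "user": "alice", "kind": "vpn", "site": None, "src": "198.51.100.9"},
]
# Assumed minimum travel time between sites, in minutes; unknown pairs never alert.
MIN_TRAVEL_MINUTES = {frozenset({"HQ", "BRANCH-WEST"}): 240}


def when(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def presence_at(badge_events: list[dict], person: str, at: datetime, window: timedelta):
    """Site the person is believed to be in at `at`, or None. Uses the latest
    badge event before `at`; an 'in' older than `window` is treated as stale
    because people forget to badge out."""
    latest = None
    for e in badge_events:
        if e["person"] == person and when(e) <= at and (latest is None or when(e) > when(latest)):
            latest = e
    if latest and latest["dir"] == "in" and at - when(latest) <= window:
        return latest["site"]
    return None


def correlate(badge_events: list[dict], auth_events: list[dict], window_hours: int = 8) -> list[dict]:
    window = timedelta(hours=window_hours)
    alerts = []
    for a in auth_events:
        site = presence_at(badge_events, a["user"], when(a), window)
        if a["kind"] == "vpn" and site is not None:
            alerts.append({"rule": "remote_while_onsite", "person": a["user"], "ts": a["ts"],
                           "detail": f"VPN login from {a['src']} while badged into {site}"})
        elif a["kind"] == "lan" and site != a["site"]:
            alerts.append({"rule": "onsite_without_badge", "person": a["user"], "ts": a["ts"],
                           "detail": f"logon from {a['src']} at {a['site']} with no badge-in there"})
    # Badge-ins at two sites faster than anyone could travel between them.
    last_in = {}
    for e in sorted((e for e in badge_events if e["dir"] == "in"), key=when):
        prev = last_in.get(e["person"])
        if prev and prev["site"] != e["site"]:
            needed = MIN_TRAVEL_MINUTES.get(frozenset({prev["site"], e["site"]}), 0)
            gap = (when(e) - when(prev)).total_seconds() / 60
            if gap < needed:
                alerts.append({"rule": "impossible_badge_travel", "person": e["person"], "ts": e["ts"],
                               "detail": f"badged into {prev['site']} and {e['site']} {gap:.0f} min apart (needs {needed})"})
        last_in[e["person"]] = e
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, AUTH_EVENTS):
        print(f"{alert['ts']} {alert['rule']:<24} {alert['person']:<6} {alert['detail']}")
```

None of these three rules is possible while badge logs stay in the facilities team's system and authentication logs in the SOC's. The rule that pays off first is usually the LAN-logon-without-badge one, because it turns the propped door and the tailgate, which are otherwise invisible, into a countable daily metric.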

Outcome-focused measurement

Organizations should measure actual risk reduction rather than implementation activity across both security domains. Traditional metrics like "number of security policies implemented" or "percentage of staff completing security training" don't correlate with improved security outcomes in either digital or physical contexts. Better metrics focus on measurable security improvements across integrated environments: reduction in successful attacks (both digital and physical), decreased incident response times, improved threat detection rates, and lower rates of security policy circumvention in both domains.

The path forward

The most insidious aspect of security theater is that it feels like progress whether implemented in digital systems, physical facilities, or both. Organizations implementing comprehensive security policies and purchasing advanced security technologies in both domains can point to substantial investments in protection. Yet these investments may actually increase vulnerability if they exceed organizational capabilities or create user behaviors that undermine security objectives. Breaking this pattern requires security leaders to prioritize effectiveness over appearances across all security domains, even when that means choosing simpler solutions or acknowledging that certain security measures may not be appropriate for their organizations.

Key effective security principles

  1. Simplicity often beats sophistication. Security measures that people can use correctly in both digital and physical contexts provide better protection than complex systems that get misconfigured or circumvented
  2. User behavior is a feature, not a bug. Security designs must account for how people actually behave in real environments rather than how they theoretically should behave
  3. Compliance and security are different goals. Measures that satisfy auditors may not reduce actual risk in either domain
  4. Integration reduces complexity. Coordinated security across digital and physical domains often proves simpler and more effective than managing separate systems
  5. Perfect is the enemy of good. Achievable security improvements often provide better protection than comprehensive solutions that exceed implementation capacity

In both cybersecurity and physical security, the most sophisticated solution is often not the most effective one. Organizations that focus on achievable, maintainable security measures tailored to their specific risks and capabilities consistently achieve better security outcomes than those pursuing impressive but impractical security transformations.

The goal isn't to implement the most security measures across the most domains—it's to implement security measures that actually work in the real world, with real people, facing real constraints in both digital and physical environments. When security genuinely makes organizations safer while preserving their ability to function effectively, everyone wins. When it doesn't, everyone loses, regardless of how impressive the security architecture looks on paper.

True security emerges from thoughtful implementation of appropriate controls that work together seamlessly across all threat vectors, not from the accumulation of security-labeled processes and technologies in isolation. The path forward requires acknowledging this fundamental truth and building integrated security programs around it.

References

Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42(12), 40-46.
Beautement, A., Sasse, M. A., & Wonham, M. (2008). The compliance budget: Managing security behaviour in organisations. Proceedings of the 2008 New Security Paradigms Workshop, 47-58.
Florêncio, D., & Herley, C. (2007). A large-scale study of web password habits. Proceedings of the 16th International Conference on World Wide Web, 657-666.
Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). Digital identity guidelines: Authentication and lifecycle management (NIST Special Publication 800-63B). National Institute of Standards and Technology.
Herley, C. (2009). So long, and no thanks for the externalities: The rational rejection of security advice by users. Proceedings of the 2009 Workshop on New Security Paradigms, 133-144.
Komanduri, S., Shay, R., Kelley, P. G., Mazurek, M. L., Bauer, L., Christin, N., Cranor, L. F., & Egelman, S. (2011). Of passwords and people: Measuring the effect of password-composition policies. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2595-2604.
Schneier, B. (2003). Beyond fear: Thinking sensibly about security in an uncertain world. Springer.
Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487-502.
Stanton, B., Theofanos, M. F., Prettyman, S. S., & Furman, S. (2016). Security fatigue. IT Professional, 18(5), 26-32.
Ur, B., Segreti, S. M., Bauer, L., Christin, N., Cranor, L. F., Komanduri, S., Kurilova, D., Mazurek, M. L., Melicher, W., & Shay, R. (2015). Measuring real-world accuracies and biases in modeling password guessability. 24th USENIX Security Symposium, 463-478.
Whitten, A., & Tygar, J. D. (1999). Why Johnny can't encrypt: A usability evaluation of PGP 5.0. Proceedings of the 8th USENIX Security Symposium, 14, 169-184.
Zurko, M. E., & Simon, R. T. (1996). User-centered security. Proceedings of the 1996 Workshop on New Security Paradigms, 27-33.
© 2025 Schild Technologies