Few security countermeasures offer as much value-added per unit cost (i.e., high benefit-cost ratios) as strategic signage. What does signage do in the security sense? Simply put, security (as well as safety) signage communicates risk or suggests actions to mitigate risk. For example, advisories about the health hazards associated with the use of a particular product inform potential users about the risks associated with use (e.g., Surgeon General’s warning on cigarette cartons).
As another example, signage is often used to help reduce the probability and severity of accidents by urging a participant in some particular activity to take simple measures to lessen overall risk exposure (e.g., “Hard Hat Area”).
And who could forget the vintage signage of historic WWII operational security (OPSEC) and information security (INFOSEC) campaigns. The American Merchant Marine at War website provides images of a host of vintage WWII signage for security and other matters (have you ever seen the ones for VD?). A sampling of my current favorites from among the USMM.org collection is linked below:
Also, one might encounter signs stating that “all employees must display proper identification,” or in weaker form, “authorized personnel only.” These measures serve to suggest that someone is watching, such policies are enforced, and that bad things might happen if one doesn’t oblige. These three suggestions, regardless of whether they are in fact true for the particular organization, form a deterrent of sorts that seeks to lessen the probability that an unauthorized individual will attempt to enter into a protected area. It is also a deterrent for users that are careless about, for example, wearing their ID badge; if the policies suggested by such a sign were enforced, then the trouble of having to wait in line to obtain a temporary badge, having to go through the less efficient visitor’s entrance, or in the worst case having to drive another 1.5-hours in horrible traffic to go home and get it (readers in DC know what I am talking about) might “encourage” people to be careful not to forget their badge when they leave their house in the morning (one could even make the temporary badge bright red and ugly looking to exaggerate self-consciousness, thereby further decreasing the likeliness of future non-compliance). Thus for this example, signage strengthens security also from the standpoint of encouraging full compliance by those with access to a particular space.
No security professional can deny that strategic signage has value in the sense of lessening the chances of a targeted undesirable security event. Yet, I have not seen or read about any attempts to actually quantify the deterrence value of strategic signage. Perhaps this is due to the precarious nature of signage. Signage only works if the Threat actually believes what is said is true and enforced. If the adversary has credible information to suggest the sign is providing a false message, then the signage merely asserts an empty threat (save for a slight residual doubt that is closely tied to the credibility of the Threat’s information).
For example, consider a fixed sign affixed to a wall that reads “WARNING: These Premises are Protected by Closed Circuit Television” (see below). For sake of discussion, let’s assume that this sign is situated nearby what appears to be a sophisticated camera system. This sign could serve as a deterrent in the sense that a potential human Threat might heed its warning of being detected and recorded and abort any illicit or unauthorized activities. But what if this sign is actually the most expensive part of a Protector’s security system? (many organizations have tight budgets, especially when it comes to security). That is, what if the sign is affixed adjacent to decoy security cameras (see here for an example or google the underlines keywords for a more extensive listing)? Well, the signage would still be as effective as they would be in the presence of real cameras provided the Threat believed the cameras were real and monitored. However, absent a good operational security (OPSEC) plan that protects knowledge that the camera is fake renders such signage ineffective and useless. If an attentive adversary can easily discover your security system is comprised of fake cameras, then what good is a warning sign asserting that the cameras are real? The precarious nature of deterrence measures such as signage make it difficult, if not near impossible, to quantify its value.
(BTW: I do recognize that decoy cameras are more often used to augment an otherwise real visual surveillance system by creating the appearance of more “eyes on the lookout” than there really are. But this does not mean that some organization don’t take the use of decoys to the extreme…)
I find the use of signage very interesting, and do appreciate its value as a deterrent in the context of mitigating security risks. And me being the quantitative type that I am would love to be able to integrate empirical signage performance measures into an overarching security risk analysis framework (I currently have such a model in hand that accommodates deterrence, but without empirical evidence or even credible expert judgment on the effectiveness of a particular deterrence measure, this model is as best conceptual in nature). But a meaningful quantitative measure of deterrence is elusive, and I suspect it will require a significant amount of research to even beginning talking about how to predict signage effectiveness well enough to inform security investment decision making.
