“Security is not what you buy, it’s what you get. And too often, what organizations get is performance over protection.”
The Mirage of Safety
In an era marked by cyberattacks, geopolitical instability, insider threats, and disruptive technologies, the demand for security has never been greater. Yet, in many organizations—especially at the executive level—the line between feeling secure and being secure has blurred.
This is the central thesis behind Bruce Schneier and John Kelsey’s essay, “Rational Astrologies and Security”, which explores how companies and institutions often adopt security practices not because they work, but because they’re expected, reassuring, or legally defensible.
These practices—what Schneier calls “rational astrologies”—are often close cousins to what’s become known as security theater: visibly reassuring but functionally hollow measures. Together, they form a pervasive, dangerous trend in enterprise risk management—where ritual replaces resilience.
Defining the Terms
Security Theater
Measures implemented more for optics and reassurance than actual risk reduction.
Rational Astrology
The internalized belief in ineffective security rituals because they provide bureaucratic comfort or symbolic control—even in the face of contrary evidence.
Historical and Contemporary Examples
Security theater and rational astrology are not new. They’ve simply evolved in sophistication.
TSA’s SPOT Program: After 9/11, the U.S. Transportation Security Administration introduced “behavioral detection officers” trained to spot potential terrorists using non-verbal cues. Despite hundreds of millions spent, no meaningful increase in threat detection has ever been proven.
Cold War Duck-and-Cover Drills: Children hiding under desks during a nuclear attack provided no real protection but offered a comforting illusion of preparedness.
COVID-19 Surface Disinfection Routines: As late as 2021, organizations were still engaged in deep-cleaning practices despite overwhelming evidence that fomite transmission was negligible.
Stadium Clear Bag Policies: Widely adopted across sports venues, these rules signal order and deterrence but do little to stop someone intent on harm.
Mandatory Password Rotation: Despite updated NIST guidance and academic research showing it increases password predictability, many corporations still enforce it for compliance.
Infant-Matching Bracelets in Hospitals: The statistical risk of a baby being switched at birth is vanishingly tiny. However, hospitals maintain high-tech solutions to manage parental perception and institutional liability.
These examples all share a common trait: they prioritize reassurance over effectiveness.
“Executives prefer doing something ineffective over being accused of doing nothing at all.”
Why This Happens: The Psychological Drivers
1. The Availability Heuristic
When a risk is fresh in our minds (e.g., a breach or a terror attack), it seems more likely. This skews decision-making toward performative responses.
2. The Illusion of Control
People crave order in the face of chaos. Security rituals provide a sense of mastery, even when the threat landscape is far more complex.
3. Fear of Blame
Executives and managers will often choose a visible action over an effective one—because visibility shields them from accusations of negligence.
4. Reassurance Signaling
Security theater is a social signal: “We’re taking this seriously.” The appearance of vigilance satisfies shareholders, the board, and the public—even if the substance is lacking.
The Real Cost to Business
While security theater may satisfy regulatory checkboxes or calm anxious employees, it comes at a steep price:
• Misallocated Budgets
Millions are spent on optics-based solutions, while critical areas like endpoint hardening, insider threat mitigation, or incident response are underfunded.
• False Confidence
Organizations with robust-looking programs often lull themselves into complacency, resulting in real vulnerabilities going undetected or unaddressed.
• Cultural Drift
Security becomes performative. Staff become cynical. Compliance becomes an exercise in ritual rather than risk thinking.
• Opportunity Cost
Time and strategic bandwidth are squandered on symbolic fixes, draining leadership attention from more pressing or systemic risks.
“When the security function becomes a theater, the attackers become the only ones reading from a real script.”
What Security Leaders Must Do
Security professionals must become translators, mythbusters, and reformers—pushing back against empty rituals and advocating for evidence-based practices. That starts with how we brief the board, allocate resources, and measure effectiveness.
1. Redefine Success
Move away from activity metrics (number of audits, number of badges issued) and toward outcome metrics (mean time to detect, attack path elimination, dwell time).
2. Break the Compliance Trap
Compliance is the floor, not the ceiling. Reassess policies that persist because of habit or outdated regulation.
3. Stress Test Optics-Based Programs
Red team your procedures. If your “high visibility” protocols fall apart under stress or simulation, they aren’t proper security.
4. Educate the C-Suite
Use narratives and simulations to make the threat landscape visceral to executives. Distinguish between security that feels good and security that works.
5. Audit the Rituals
Every year, challenge one longstanding practice with a zero-based approach: “If we weren’t doing this already, would we start now?”
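The outcome metrics named in point 1 are only useful if they are actually computed from incident data rather than asserted in a slide. The following Python, added here as an illustration and not part of the essay or its author's work, derives mean time to detect, dwell time and time to contain from a constructed set of incident records (the incident timestamps, the record layout and the function names are assumptions, not real data). It also shows why the median belongs next to the mean: a single long-dwell intrusion can drag the mean far above what most incidents look like.

```python
"""Outcome metrics for a security program, computed from incident records.

Added example, not from the original essay. The records below are
constructed for illustration; the field names are assumptions about
what an incident-response team normally captures.
"""
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed sample incidents (hypothetical). Each record carries the three
# timestamps that outcome metrics depend on: when the intrusion is believed to
# have begun, when it was detected, and when it was contained.
INCIDENTS = [
    {"id": "INC-0001", "compromised": "2024-03-02T08:00:00",
     "detected": "2024-03-05T08:00:00", "contained": "2024-03-06T08:00:00"},
    {"id": "INC-0002", "compromised": "2024-04-10T00:00:00",
     "detected": "2024-04-10T06:00:00", "contained": "2024-04-10T18:00:00"},
    {"id": "INC-0003", "compromised": "2024-05-01T12:00:00",   # long-dwell case
     "detected": "2024-06-15T12:00:00", "contained": "2024-06-18T12:00:00"},
    {"id": "INC-0004", "compromised": "2024-07-20T09:00:00",
     "detected": "2024-07-20T09:30:00", "contained": "2024-07-20T11:30:00"},
]


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps; rejects reversed order."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta < timedelta(0):
        raise ValueError(f"end {end!r} is earlier than start {start!r}")
    return delta.total_seconds() / 3600


def time_to_detect_hours(incident: dict) -> float:
    return hours_between(incident["compromised"], incident["detected"])


def dwell_time_hours(incident: dict) -> float:
    """Attacker presence from initial compromise until containment."""
    return hours_between(incident["compromised"], incident["contained"])


def time_to_contain_hours(incident: dict) -> float:
    return hours_between(incident["detected"], incident["contained"])


def outcome_metrics(incidents: list) -> dict:
    """Aggregate the per-incident figures into the metrics the essay names."""
    ttd = [time_to_detect_hours(i) for i in incidents]
    dwell = [dwell_time_hours(i) for i in incidents]
    ttc = [time_to_contain_hours(i) for i in incidents]
    return {
        "incidents": len(incidents),
        "mean_time_to_detect_h": mean(ttd),
        "median_time_to_detect_h": median(ttd),   # robust to one outlier
        "mean_dwell_time_h": mean(dwell),
        "max_dwell_time_h": max(dwell),           # the worst case is what a board should hear
        "mean_time_to_contain_h": mean(ttc),
    }


def fraction_detected_within(incidents: list, limit_hours: float) -> float:
    """Share of incidents detected inside a target window (a checkable goal,
    unlike 'number of audits completed')."""
    if not incidents:
        return 0.0
    hits = sum(1 for i in incidents if time_to_detect_hours(i) <= limit_hours)
    return hits / len(incidents)


if __name__ == "__main__":
    for name, value in outcome_metrics(INCIDENTS).items():
        print(f"{name:28s} {value:10.1f}" if isinstance(value, float) else f"{name:28s} {value:10d}")
    print(f"detected within 24h          {fraction_detected_within(INCIDENTS, 24):10.0%}")
```

On the constructed data the mean time to detect is roughly 290 hours while the median is 39 hours; the gap is entirely due to one 45-day intrusion, which is exactly the kind of figure an activity metric such as "audits completed" would never surface.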
Conclusion: Toward a Post-Theater Security Culture
Rational astrology and security theater persist not because they’re effective but because they serve psychological, social, and bureaucratic needs. In the short term, they calm nerves, satisfy regulators, and deflect blame.
However, in the long term, they create brittle organizations that look secure until the moment of breach.
Security professionals and enterprise leaders must call out these illusions, separate ritual from resilience, and build systems, cultures, and strategies that are not only seen but also work.
Author Bio: Tim Reed is a 26-year security executive with experience across corporate, supply chain, and technology protection. He founded Ice Station Zebra, a bespoke design and consulting firm, and frequently advises C-level leaders on operational security and strategic risk.
