I recently bought 2 tubes of toothpaste. I opened the sealed box of the first, unscrewed the cap…and I was surprised to see that there was NO tamper seal covering the opening. I opened the box and cap of the second tube, and it was the same: no safety foil to alert me if the product had been tampered with. And even though I no longer had this extra security control available, I have to admit I was a little relieved.
Security controls can actually reduce our awareness. There is a concept called Risk Compensation. Per Wikipedia: “Risk compensation is a theory which suggests that people typically adjust their behavior in response to the perceived level of risk, becoming more careful where they sense greater risk and less careful if they feel more protected.”
Tylenol put in extra tamper protections after the cyanide scare in ’82 (as discussed in a recent Slashdot post). But despite the efforts and resources invested, did they actually help? And with protection measures like these in place, is it possible that we might actually miss other indications of tampering?
We can get overly focused, and over-reliant, on single controls to provide all security. And when attackers know this, they work around these measures. We need to continue to be engaged and aware, and not just rely on specific indicators to tell us when something is wrong.
I was relieved because the lack of foil, to me, was an indicator that some sanity may be returning to the marketplace. Perhaps people will become more personally invested in the security of themselves and others. And if this carries over into PC and mobile security, where device owners keep their systems updated and stop clicking links to malicious content, then cyber security for everyone has a chance to improve.