The Performance Before the Boarding Gate
Take off your shoes. Place your laptop in a separate tray. Step through the scanner. Hold your arms above your head.
You’ve done it dozens of times. It feels like security. It has the texture of security; the authority, the seriousness, the minor inconvenience that signals something important is happening. But a growing body of research suggests that much of what happens between the check-in desk and the departure gate is less about catching threats and more about managing the psychological state of the people passing through it.
In 2015, the US Department of Homeland Security ran covert tests on airport security screening. Undercover agents attempted to smuggle mock weapons and explosives through checkpoints. The failure rate, meaning the proportion of threats that got through, was reported at around 95%. The shoes came off. The laptops went in the tray. Almost nothing was caught.
What was achieved, however, was the sustained impression that something rigorous was taking place. That impression has a name: security theater.
Defining the Theater
The term was coined by security technologist Bruce Schneier in the late 1990s, and it has lost none of its precision since. Security theater refers to measures that are implemented primarily to make people feel safer rather than to make them actually safer. The distinction matters because the two goals, perceived safety and actual safety, often require completely different interventions, and optimizing for one can actively undermine the other.
This isn’t a niche observation about airport queues. Security theater is a pervasive feature of how institutions manage risk in the public imagination. Mandatory password expiration policies, a staple of corporate IT departments for decades, were quietly abandoned by the US National Institute of Standards and Technology after research showed they made security worse, not better: users responded to forced changes by incrementing a number at the end of a familiar password, producing weaker credentials with greater predictability. The performance of discipline had replaced the substance of protection.
Cookie consent banners, those ubiquitous pop-ups requiring users to acknowledge data practices, were designed under European privacy law to give individuals meaningful control over their data. In practice, most are engineered to extract consent as efficiently as possible, burying the actual opt-out several clicks deep inside a dark pattern interface. The ritual of consent replaced the reality of it.
Why We Prefer the Theater
Understanding security theater requires understanding something uncomfortable about human psychology: we are not primarily rational assessors of risk. We are emotional assessors of risk, and our emotional response to danger is shaped far more by visibility, narrative, and symbolism than by probability or evidence.
Daniel Kahneman’s work on System 1 and System 2 thinking illuminates the mechanism. Fast, intuitive thinking, System 1 responds to threat signals: uniformed officers, visible scanners, the act of removing shoes. It registers these as protective. Slow, deliberate thinking, System 2 might ask whether any of it actually works. But System 2 is effortful, and most people don’t activate it while queuing for a flight.
This isn’t a failure of intelligence. It’s a feature of how the human threat-response system was built. For most of evolutionary history, visible action in response to danger was adaptive. A community that responded to a predator threat with visible ritual, however symbolically, signaled social cohesion and collective resolve. The ritual was partly functional, even when it didn’t directly neutralize the threat.
What’s changed is the scale and sophistication of the threats we now face and the institutions responsible for addressing them. The same cognitive shortcuts that once served us reasonably well are now being systematically exploited, sometimes by well-meaning organizations managing public anxiety, and sometimes by actors with considerably less benign intentions.
Who the Theater Serves and Who It Doesn’t
Security theater is never politically neutral. The question of who benefits from the performance is at least as important as the question of whether the performance works.
Institutions benefit from the appearance of control. Governments that respond to a security crisis with visible, dramatic measures; new checkpoints, new legislation, new uniforms, signal competence and decisiveness regardless of whether the measures address the actual vulnerability. The political cost of appearing to do nothing after a high-profile incident is enormous. The political cost of implementing expensive but ineffective measures is comparatively low, because ineffectiveness is hard to prove and rarely investigated.
Private companies benefit from selling the theater. The airport security industrial complex, scanners, screening equipment, training programs, consulting services; is a multi-billion-dollar market built primarily around the mandate to do something rather than the evidence that any particular thing works. Compliance frameworks in cybersecurity operate on similar logic: organizations purchase certifications and conduct audits not because the specific requirements provably reduce breaches, but because the possession of a certificate shifts legal and reputational liability.
Meanwhile, the people who bear the cost of security theater without receiving its benefits are often those least able to absorb it. Passengers with disabilities spend additional time in manual screening. Travelers from specific ethnic and national backgrounds face disproportionate secondary scrutiny under systems that perform thoroughness while encoding bias. The theater of safety is not uniformly distributed; the friction concentrates on those who were already marginalized, while the reassurance flows primarily to those who weren’t.
The Opportunity Cost of Feeling Safe
There is a case to be made, and institutions regularly make it, that security theater isn’t entirely useless. Visible deterrence may discourage unsophisticated actors, even if it fails against determined and well-resourced ones. The experience of being checked, however performatively, may itself convey norms. And public trust in institutions, even when partially manufactured, has genuine social value.
These arguments deserve to be taken seriously. But they also deserve to be held against what security theater costs; not just in money, but in attention and in opportunity.
Resources spent maintaining a performance of security are resources not spent on measures that actually reduce harm. When IT security budgets are consumed by mandatory password rotation and compliance checkbox exercises, they are not being spent on behavioral analytics, threat modeling, or the kind of unglamorous infrastructure hardening that actually prevents breaches. When airport security focuses on theatrical screening, it diverts attention from intelligence-led approaches, profiling behavior and travel patterns rather than shoes, which security experts broadly agree are more effective.
Sociologist Robert Cialdini’s work on influence identifies social proof as one of the most powerful drivers of human behavior: we look to what others are doing to determine what we should do. Security theater exploits this mechanism at scale. The fact that everyone else is removing their shoes creates the impression that removing your shoes is the correct and necessary thing to do. Over time, the ritual becomes self-reinforcing; not because it works, but because the collective performance of it makes questioning it feel transgressive.
The Harder Question Behind the Curtain
Security theater persists because it answers a need that actual security often cannot: the need for legible protection. Real security is frequently invisible, probabilistic, and unglamorous. It involves intelligence work that can’t be discussed, systems that prevent events rather than responding to them, and the inherently unsatisfying truth that the most dangerous scenarios are often those we haven’t anticipated at all.
Theater, by contrast, is visible. It can be pointed to, photographed, and reported. It creates a narrative of action that institutional psychology and political incentive both desperately require. The problem is not that people want to feel safe; that impulse is entirely human. The problem is that the machinery built to manage that feeling has become largely decoupled from the machinery built to address the underlying risk.
Bruce Schneier has argued that the real work of security is rarely what we see. What we see is what’s left over after the actual mechanisms of protection have been designed; the public-facing layer built to manage perception rather than risk. That layer has expanded dramatically. The question worth sitting with is whether we’ve become so skilled at performing safety that we’ve quietly accepted the substitution of the performance for the thing itself.



