In 2003, thieves broke into the reputedly impenetrable vault of Belgium's Antwerp Diamond Center and made off with hundreds of millions of dollars worth of diamonds, gold, cash and other valuables. The heist involved sneaking past police officers less than 200 feet away at the front entrance, keycard scanners to get into the building, a two-story descent to a guard-controlled gate, a magnetic seal on the vault door, motion and infrared detectors within the vault, and seismic sensors to catch anyone trying to tunnel in. In the end, the Saturday night robbery was executed with such stealth that it was not discovered until the subsequent Monday.

Sophisticated heists aren't just for movies such as Ocean's 11, The Italian Job, and The Thomas Crown Affair. And the best real heists can teach lessons about national security, according to researchers at U.S. national labs who investigated multi-million-dollar thefts around the world over the past three decades to figure out better ways to defend against smooth criminals.

Sandia National Laboratories systems analyst Jarret Lafleur and his colleagues are rather coy as to the specifics of what heists can tell us about national security. But bear in mind that Sandia National Laboratories are sponsored by the U.S. Department of Energy's National Nuclear Security Administration, which is entrusted with the security of the U.S. nuclear weapons stockpile.

The team analyzed 23 heists notable for their innovation and complexity. In the Vastberga helicopter heist in 2009 in Sweden, for example, thieves descended from a helicopter into a cash depot by smashing through a skylight. All but one of these heists involved a target less than $1 million; the largest successful robbery the researchers studied was the Gardner Museum art heist in 1990 in Boston, when thieves made off with $440 million in art, while the failed Millennium Dome Raid in 2000 in London sought to seize $666.1 million in diamonds, including the 203-carat Millennium Star diamond.

The typical criminal in these heists is man in his 30s, an experienced career criminal who is native to the country where the heist happens. The robberies usually involved teams consisting of two to eight accomplices. Roughly three-quarters of the heists involved violence or the threat of violence either to people or property—for instance, thieves in the Carlton Hotel diamond heist in 1994 used machine gun fire to threaten employees and customers before stealing $69 million in jewels, never to be seen again. (Intriguingly, they fired blanks.)

And here's something interesting about the one-quarter of the heists with minimal violence against people and property: They tended to involve exceptionally well-planned infiltrations, averaging nearly twice as much planning time as violent heists. For instance, in the Brazil Central Bank Cash Heist in 2005, more than a dozen men spent three months digging a 656-foot-long tunnel to steal $81.9 million worth in cash. "In some cases, there was up to two years of planning before heists," Lafleur says.

The researchers found that thieves often defeated keyed locks, cameras, and unarmed guards, which suggests security systems that rely principally on such measures may be at high risk. Robbers also often used creative and innovative methods to defeat security systems. For example, during the Antwerp diamond heist, they created a custom tool to hold the magnetic contacts of the vault door together while they were separated from the door. Even among the creative and innovative heists, none made significant use of high-tech gadgets. "The sophistication came in learning security vulnerabilities over long periods of time, not in Mission: Impossible high technology," Lafleur says.

Instead, thieves often used tactics such as gaining control of the camera monitoring stations, threatening guards or other employees with keys or combinations to locks, and using employees to enter or vouch for entry. All three involve attacking segments of the security system in which humans are in the loop, suggesting we humans are the weak link in security—surely a lesson for national security.

Nearly two-thirds of the time, heists involved insiders, either willing, unwitting or coerced. The researchers found nearly three times as many examples of coerced insiders as any other type of insider, and suggested that designers of security systems might want to find ways to help people defeat such coercion. For instance, in the failed Chase Manhattan Bank Robbery in 1972, the bank manager successfully alerted authorities that something was wrong when answering a phone call from the bank's downtown headquarters during the attempted heist.

"While the thieves were listening to ensure the manager did not call for help, the manager began talking to headquarters about transferring one of his tellers to another branch," Lafleur says. "However, both parties knew the request was absurd, since the teller had been fired four months earlier. As a result, headquarters realized something was amiss and alerted the police to the robbery."