Donutting is bad
TL;DR pranking unlocked computers undermines security by providing cover for real breaches and creating a culture of shame that discourages open reporting of security issues.
It’s a common rule in companies that employees must lock their device when it is unattended, to prevent people from using your access in unauthorised ways. Screen locking is a common compliance requirement, and a good security practice.
People new to these company environments can take a while to learn the locking behaviour. It’s not an intuitive reaction. There was no ancestral selection process. Most people don’t take that level of security precautions with their personal laptop. Seasoned people sometimes forget.
Doughnutting is the practice of seeing that a colleague isn’t at their computer and has left it unlocked, then seizing the opportunity to use their device. The classic procedure is to use the internal communication systems to announce a promise to buy doughnuts for the office, but there are similar pranks such as displaying the Windows 98 update screen or reversing the mouse scroll direction. These pranks are sometimes celebrated by security practitioners as a fun way to teach security hygiene.
I’m not claiming doughnutting fails to make people lock their devices. Shame and peer accountability can be a powerful motivator for people to learn behaviours. But there are hidden costs that I believe make it detrimental overall.
Doughnutting gives cover to unauthorised access, the very risk you were trying to address! Imagine catching someone nosing around in someone else’s emails—“I was just doughnutting them” gives plausible cover to an actual security breach.
Creating an environment where people are publicly flagged for making security mistakes is a bad idea. You want to hear about when people suspect they have been socially engineered or accidentally emailed a sensitive document, but admitting these things is incredibly vulnerable. You want a culture where people can openly talk about security for other reasons, such as people wondering aloud whether a thing they’re already doing is secure, or reporting weird events from a colleague’s account.
My recommendation is to treat helping people learn to lock their devices as you would handle giving any other piece of feedback. Giving feedback is a big topic on its own[1] and depends on the recipient and your relationship with the recipient. In general you want it to be private, tactful and in a way that shows you are invested in helping them learn. My guess on the best way to learn is trigger action planning, e.g. practicing getting out of your chair and then locking your device.
Some people have reported to me that donutting was helpful as a fun, light hearted way to instill security culture and I don’t think this is impossible with high psychological safety. But it’s easy for people who are setting the security culture to overestimate the overall psychological safety, or underestimate social embarrassment, because they personally feel comfortable. The newer or younger employees that are disproportionately doughnutted as they learn how to work in a corporate environment may be experiencing it closer to a hazing ritual.
- ↩︎
The best guide I’ve seen was in Dare to Lead.
Perhaps a better option would be leaving a token of shame on their desk. Over even just a sticky note saying “hey, I walked by and your computer was unlocked—love, your coworker”.
That way they get the reminder to lock their screen, feel a little shame that will motivate them, but also don’t create cover for unauthorized access.
Upvoted for thinking about the question of mixed-equilibrium and both pros and cons for mechansisms of enforcement and education, I wish I could separately mark my disagreement. I think this misses a lot of nuance and context-specificity around the good and the bad of the practice. On the teams I’ve been on, it’s more beneficial than risky. I think it’s especially beneficial NOT in the enforcement of behavior, but in the cultural normalizing of openly discussing human failures (and chiding each other) about security thinking.
Having a routine hook to have office chatter about it can really matter a lot—it’s one of few ways that “makes it salient” for workers in a way that walks the line between unbelievable fake-over-seriousness (OMG, the phishing tests from corportate infosec!) and actual practice. It’s not the behavior itself (though that’s a fine reason—it really does reduce open workstations), but the perception of importance of personal activity around infosec.
Yes, it could normalize snooping, but not by that much—it would still be a huge norm violation and draw unwanted attention if someone went far out of their way to find unlocked stations. It really is only acceptable in groups of peers who all have roughly-equal access, not in truly differential or importantly-restricted-between-coworkers cases.
I’ve been in senior-IC leadership positions long enough that I do get to pretty much decide whether to encourage or ban the practice in my teams. I generally encourage it, as just an example of practical things we should all be careful of, not as a make-or-break object-level requirement that we hit 100% compliance.
If it were actually important on the specific object level, we’d just make it automatic—there have long been wearable /transportable technology that locks when you walk away. I wasn’t on the team, but was adjacent to one in the late ’90s that used an old version of smartcards to unlock the computers, and the requirement was the card had to be on a lanyard to your person—you literally couldn’t walk away without taking it with you and locking your station. More often and more recently, the setup is that everyone in that section of the office has similar clearance, and they secure the area—no visitors, no badging someone else in even if you recognize them, with 24⁄7 security guard to help enforce that.
Upvoted for reviewing this important safety technique.
fair point, but that cover is low as you now have a plausible suspect.
yes, such a culture is essential and doughnutting if done in a shaming way can interfere with that. The problem is more the culture than the specific device, though.
I’m very much in favor of a better way, but I’m not sure what your alternative proposal is.
Hm. I’m reminded of the way of reporting transients introduced by Marquet in Turn the Ship Around. Maybe instead of making it public, there should be a way to report security breaches to a specific security/whistleblower channel.
If the only objective is this specific behavior, then private reporting is preferable. If the objective is awareness and open discussion about the fact that we’re imperfect but still have to strive for safety, then doing it publicly is best. In practice, the second has overwhelmed the first in teams I’ve been part of.