Upvoted for reviewing this important safety technique.
Doughnutting gives cover to unauthorised access
Fair point, but that cover is low as you now have a plausible suspect.
admitting these things is incredibly vulnerable. You want a culture where people can openly talk about security for other reasons
Yes, such a culture is essential, and doughnutting, if done in a shaming way, can interfere with that. The problem is more the culture than the specific device, though.
I’m very much in favor of a better way, but I’m not sure what your alternative proposal is.
Hm. I’m reminded of the way of reporting transients introduced by Marquet in Turn the Ship Around. Maybe instead of making it public, there should be a way to report security breaches to a specific security/whistleblower channel.
If the only objective is this specific behavior, then private reporting is preferable. If the objective is awareness and open discussion about the fact that we’re imperfect but still have to strive for safety, then doing it publicly is best. In practice, the second has overwhelmed the first in teams I’ve been part of.