Upvoted for thinking about the question of mixed-equilibrium and both pros and cons for mechanisms of enforcement and education; I wish I could separately mark my disagreement. I think this misses a lot of nuance and context-specificity around the good and the bad of the practice. On the teams I’ve been on, it’s more beneficial than risky. I think it’s especially beneficial NOT in the enforcement of behavior, but in the cultural normalizing of openly discussing human failures (and chiding each other) about security thinking.
Having a routine hook to have office chatter about it can really matter a lot—it’s one of few ways that “makes it salient” for workers in a way that walks the line between unbelievable fake-over-seriousness (OMG, the phishing tests from corporate infosec!) and actual practice. It’s not the behavior itself (though that’s a fine reason—it really does reduce open workstations), but the perception of importance of personal activity around infosec.
Yes, it could normalize snooping, but not by that much—it would still be a huge norm violation and draw unwanted attention if someone went far out of their way to find unlocked stations. It really is only acceptable in groups of peers who all have roughly-equal access, not in truly differential or importantly-restricted-between-coworkers cases.
I’ve been in senior-IC leadership positions long enough that I do get to pretty much decide whether to encourage or ban the practice in my teams. I generally encourage it, as just an example of practical things we should all be careful of, not as a make-or-break object-level requirement that we hit 100% compliance.
If it were actually important on the specific object level, we’d just make it automatic—there has long been wearable/transportable technology that locks when you walk away. I wasn’t on the team, but was adjacent to one in the late ’90s that used an old version of smartcards to unlock the computers, and the requirement was the card had to be on a lanyard to your person—you literally couldn’t walk away without taking it with you and locking your station. More often and more recently, the setup is that everyone in that section of the office has similar clearance, and they secure the area—no visitors, no badging someone else in even if you recognize them, with 24/7 security guards to help enforce that.