Americas

  • United States

When security procedures yield nothing but an illusion

Opinion
Mar 30, 20063 mins
NetworkingSecurity

* You can go through the motions, but are you really more secure?

Last week I received a copy of the following brief announcement from a colleague (let’s call him Xanax) at an unnamed university (say, Insecure U).

He got it from someone in the Office of Communications:

“This year tickets or credentials will be required for all faculty and staff attending the graduation ceremony in the [Big Place]. To obtain credentials or tickets please contact [Name Deleted] in the Office of Communications (ex. nnnn, or e-mail mailbombed@ insecureu.edu) by March 24th.”

Now why would _faculty_ need to get tickets? Most universities _require_ their faculty to attend the graduation ceremony as a matter of course. At Norwich, for example, we have to get permission from the Provost to skip graduation.

So using tickets to figure out who is coming doesn’t make sense – it’d be simpler just to ask those who _wouldn’t_ be coming to say so and then just distribute the tickets to everyone else.

Could it be a misguided attempt at a security measure? Curious, I called my buddy and learned more about this peculiar process.

When Xanax phoned Name Deleted to find out what was going on, he found that she was swamped with calls and her e-mail box was filling rapidly because EVERY faculty member had to call or write to confirm (mandatory) participation. However, she immediately agreed to put him on the list for a ticket and said he would receive it in his departmental mailbox (which, incidentally, has no cover and is open to anyone wandering through the faculty area of the departmental office).

Xanax called the Provost at Insecure U and he laughed about the whole situation, saying that he also had pointed out that the requirement for all faculty to _ask_ for tickets did not make sense and was not much of an improvement in security. However, he said, the higher-ups had decided that they had to do something to reassure people that they were improving security at the graduation and so this is what they had come up with.

Xanax and I discussed the policy. A secretary was issuing tickets to people, sight unseen, and distributing them via intra-campus mail to non-secure mailboxes. Result: one overloaded secretary and no net increase in security at all. The same degree of (in)security (minus the overload) could have been achieved by _not_ sending tickets to those few faculty who were not attending the graduation – a list known in advance to the Provost.

We agreed that someone with little understanding of security had devised a method that gave an _illusion_ of security to others with equally little understanding of security.

Moral: When devising new procedures to improve security, analyze the likely _results_, not just the procedures.

If you want to read about other procedures that are devised to give the mere illusion of security, see my analysis of airport safety here or here (PDF).