Panhandling and Policy

I have been watching an aggressive panhandler, sometimes with a second person, approach and threaten people (mostly old ladies, young girls, and tourists) at the corner of Church and Chambers Streets in New York City for the past month or so. While a nuisance, and problematic for the people he threatens, this is not terribly unusual in large cities, although it does seem to have become more prevalent, likely because of a number of factors (notably a down economy and a change in police enforcement). The problem in this case, though, is that an NYPD police officer directs traffic at this intersection every day, and watches and ignores what’s happening. What I’m observing plays itself out similarly in every information security department in every company on a daily basis.

Actually, it is worse than just one officer ignoring a crime: different officers, on a daily basis, watch people be yelled at and threatened. It did not start that way, of course. The panhandling started simply as this person asking for change for the subway and being mindful of the police officer standing there. But as the month wore on, and he saw that the police clearly had no intention of addressing what he was doing, he became more aggressive.

A little History…

Around 1994, New York City’s police forces adopted an Order-Maintenance Policing strategy, popularly known as Broken Windows theory. Under this approach, laws that deal with social disorder are enforced using a low tolerance approach. In other words, infractions that are generally considered low level, such as graffiti, panhandling, jumping subway turnstiles, public urination, and so forth, are used as grounds for arrest.

The theory had one of its most well-known implementations in New York under William Bratton, the then head of the NYC Transit Police. The policy was adopted more widely under Mayor Rudy Giuliani and police commissioner Howard Safir, and in many objective measurements the crime rates dropped for both nuisance and violent crimes. Most would also agree that if multiple officers with the duty to enforce the laws of the city directly observe something happen but take no punitive action, then the law, while on the books, is not an enforced law. When the law is obviously not enforced, people are led to the conclusion that it can be broken without consequence. Thus, because of uneven or non-existent enforcement, the law becomes a paper tiger, largely not worth the paper it is written on.

Whatever you think of it…

Not everyone subscribes to this theory, which as a zero-tolerance style policy does likely overreach. In general, though, most will concede that even if panhandling itself should not be a crime, aggressive panhandling does become problematic under its most extreme variations, including: approaching individuals as a group, using veiled threats or insults, following individuals, blocking or touching a person, or approaching a person using an ATM. If you can concede that, and it is against the law, then law officers not addressing the situation are tacitly accepting the behavior.

I keep using officers in the plural because one police officer ignoring something could be taken as an outlier, someone who just is not doing his or her job but is not characteristic of what other officers would do. In this case I have waited a month to observe multiple officers, to see what the reaction would be.

What does this have to do with Information Security?

Security Policies

People who write information security policies are loath to have their effort be completed in vain. Most texts and experienced security professionals will tell you that anything that is overly technically specific, patently unenforceable, or subject to major variation in interpretation should be taken out of a security policy. The best practice generally put forth is to carefully divide the security requirements of the organization into the direction and context (policy level) and to put the specifics for achieving those policies into standards, procedures, and guidelines, which can be updated often and are more fungible.

Security folks write what are sometimes complex exception mechanisms and risk acceptance methods to deal with the rare occasion that a security policy must be overridden. Good security policies are usually the result of much iteration, regular updates, and review in consultation with business, technical, and legal leadership within the organization.

Finally, a good security policy contains a corrective action clause. That is, the policy details the consequences of non-compliance. This is the part of the policy that usually includes a clause that reads “actions up to and including termination”.

In this context, security policies are like the law. They describe “the what”, meaning what’s prohibited, but exclude “the how”, the enforcement itself.

Policy Enforcement

Most security professionals can also quote what should be on the policy books of your Human Resources department: there can be no difference between individuals in the way policies are enforced, or the organization incurs the risk of a downstream lawsuit that is more difficult to defend. In the imperfect reality of the enterprise, corporate policies are enforced differently across different people all the time, but the goal and stated practice generally remain the same. Policy is to be enforced uniformly in all cases. For this reason, a security policy that does not have a reasonable enforcement mechanism (technology products and people processes to detect violation) will generally be difficult to enforce. Further, a policy where detection mechanisms do exist but corrective actions are never followed communicates clearly to corporate citizens the lack of importance of the policy.

Unenforced policies are difficult to resurrect to being enforceable, and they further weaken the overall set of security policies. As soon as readers come across a policy instance that they know either to be unenforceable or to be clearly not enforced, because violations are observed by security personnel but nothing comes of it, they come to question the entire set of security policies in place. It is similar to what happens when reading a newspaper article: if you come across one glaring inaccuracy that you know to be untrue based on your personal experience, it calls all of the facts of the article into question.

So what have we learned?

If you know you can’t enforce it, or know your company will not enforce it, fight like hell to keep it out of your security policies. And if you want to threaten people into giving you money, south of Canal Street is the place to do it.

Discussion

3 comments for “Panhandling and Policy”

  1. I hate panhandlers! ya were really mean to me and I used to give them money but now forget it. I'm not giving them anything

    Posted by rachelle | February 19, 2010, 11:52 AM
  2. Well actually I might give them food instead of money. They’re poor and have nothing to eat. I feel bad for them and I'm sorry I said I hate them. I have anger issues and I had to have counseling… I try to control my temper but it's useless… okay well, from now on I will give you panhandlers food

    Posted by rachelle jones | February 19, 2010, 11:55 AM
