Gartner Blog Network


The Difference Between Awareness and Enforcement

by John Pescatore  |  April 17, 2009  |  5 Comments

AWARENESS

30 mile per hour speed limit signs every 1/4 mile on a stretch of road that goes past the elementary school where my wife works. Result: everyone knows the speed limit and drives 40-50 mph.

ENFORCEMENT

Traffic cameras that automatically issue $40 tickets if you exceed 39 mph were installed. Result: everyone obeys the speed limit and drives 25 – 35 mph.

So, about 40 years of awareness and education training plus periodic enforcement failed to change driving behavior. Installing a technical control with continual monitoring and enforcement changed the behavior in a day.

Category: 

John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems… Read Full Bio


Thoughts on The Difference Between Awareness and Enforcement


  1. […] perspective regarding awareness vs. enforcement/controls. The Difference Between Awareness and Enforcement Tags: ( awareness enforcement […]

  2. […] The Difference Between Awareness and Enforcement […]

  3. Dennis Groves says:

    Actually, Enforcement doesn’t lead to compliance. It leads to people working around the system – for example taping passwords to their monitors.

    Security systems must be useful and usable to those who are subject to them or people will silently cirumvent the ‘enforcement’ in Phoenix, people have come up with all manner of ‘camera’ defeating technologies – like vasaline on the plates; allowing them to continue to to ignore enforcement.

    If on the otherhand, security provided tangeble benefits to the users of the system they would automatically comply since it was in their best interest to do so!

    How we might accomplish this in terms of automotive speed limit metaphors I haven’t a clue – if I did I would change lines of work where I can have a posative impact in saving lives.

    We need to rethink how we are approaching the ‘problem’ of security if we hope to find real solutions to the ‘issues.’

    Dennis Groves

  4. working girl says:

    Heisenberg demonstrated that watching something influences its behavior. But the change is localized. So, all these people slowing down right where the camera is haven’t really changed their behavior, they’ve just adapted temporarily to a localized set of circumstances. Presumably they speed up again as soon as they pass the camera. In localized situations such as this enforcement does seem to work better than awareness but it’s not a real behavior change.

  5. Security is quite often all about stopping people from doing what they would naturally do – that is why electrical equipment has interlocks, cars have interlocks, etc. People will often do illegal and criminal things – thinking the “answer” to security “issues” is security always having tangible incentives, or in “changing” human nature is and will always be a failed strategy. It is like those posters in the lunch room.

    The people slowing down where the camera is have changed their behavior where the camera is – which is in front of the school, which is where society has determined the speed limit is most critical. Doing 50mph in a 30mph zone on an empty country road and you might kill yourself. Do 50mph in a 30 mph zone in front of a school and you might kill some children. Yet most drivers ignore speed limits in both areas – putting enforcement in the school zone is a classic risk management decision. Putting up more signs or having ad campaigns to pretend awareness will changing anything is classic responsibility avoidance behavior.



Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.