John PescatoreAWARENESS
30 mile per hour speed limit signs every 1/4 mile on a stretch of road that goes past the elementary school where my wife works. Result: everyone knows the speed limit and drives 40-50 mph.
ENFORCEMENT
Traffic cameras that automatically issue $40 tickets if you exceed 39 mph were installed. Result: everyone obeys the speed limit and drives 25 – 35 mph.
So, about 40 years of awareness and education training plus periodic enforcement failed to change driving behavior. Installing a technical control with continual monitoring and enforcement changed the behavior in a day.
Category: Uncategorized Tags:
5 responses so far ↓
1 Interesting Information Security Bits for 04/17/2009 | Infosec Ramblings April 17, 2009 at 6:36 pm
[...] perspective regarding awareness vs. enforcement/controls. The Difference Between Awareness and Enforcement Tags: ( awareness enforcement [...]
2 Links 04/18/2009 April 18, 2009 at 3:29 am
[...] The Difference Between Awareness and Enforcement [...]
3 Dennis Groves April 18, 2009 at 8:36 am
Actually, Enforcement doesn’t lead to compliance. It leads to people working around the system – for example taping passwords to their monitors.
Security systems must be useful and usable to those who are subject to them or people will silently cirumvent the ‘enforcement’ in Phoenix, people have come up with all manner of ‘camera’ defeating technologies – like vasaline on the plates; allowing them to continue to to ignore enforcement.
If on the otherhand, security provided tangeble benefits to the users of the system they would automatically comply since it was in their best interest to do so!
How we might accomplish this in terms of automotive speed limit metaphors I haven’t a clue – if I did I would change lines of work where I can have a posative impact in saving lives.
We need to rethink how we are approaching the ‘problem’ of security if we hope to find real solutions to the ‘issues.’
Dennis Groves
4 working girl April 19, 2009 at 5:39 am
Heisenberg demonstrated that watching something influences its behavior. But the change is localized. So, all these people slowing down right where the camera is haven’t really changed their behavior, they’ve just adapted temporarily to a localized set of circumstances. Presumably they speed up again as soon as they pass the camera. In localized situations such as this enforcement does seem to work better than awareness but it’s not a real behavior change.
5 John Pescatore April 20, 2009 at 8:17 am
Security is quite often all about stopping people from doing what they would naturally do – that is why electrical equipment has interlocks, cars have interlocks, etc. People will often do illegal and criminal things – thinking the “answer” to security “issues” is security always having tangible incentives, or in “changing” human nature is and will always be a failed strategy. It is like those posters in the lunch room.
The people slowing down where the camera is have changed their behavior where the camera is – which is in front of the school, which is where society has determined the speed limit is most critical. Doing 50mph in a 30mph zone on an empty country road and you might kill yourself. Do 50mph in a 30 mph zone in front of a school and you might kill some children. Yet most drivers ignore speed limits in both areas – putting enforcement in the school zone is a classic risk management decision. Putting up more signs or having ad campaigns to pretend awareness will changing anything is classic responsibility avoidance behavior.
Leave a Comment