Bad Policy vs. Bad Decisions and the Role of Individual Judgement

By Rich

Pete Lindstrom just posted a missive in support of the TSA.

Pete makes some good points about the limitations of policy: while you always need hard rules, you also always need exceptions and judgement.

In the information security world, we talk about the difference between “policy decision points” and “policy enforcement points” to express the different functions. In most computing environments, the PDP and PEP start off combined in a small set of instances but then get separated as networks grow while some central authority still wants to coordinate security efforts. The good news for security folks is that systems allow us to have the best of both worlds. PDPs can (basically) handle as many conditionals as you want — systems will scale and always make the same decision based on the same set of assumptions. I guess what I am saying is ridiculing airline security without understanding the monumental challenges they have is getting old. They’re PEPs, for crying out loud. Sure, I hate it as much as everyone else when they take my toothpaste, but it is only toothpaste. Get over it.

Pete identifies one of the most difficult problems in security of any type, from IT security, to physical security, to law enforcement. No blanket policy can effectively deal with every circumstance, yet exceptions are difficult to evaluate and can lead to failure.

When I managed a physical security organization, this challenged us daily. Our conclusion was to start with strict policies and supervision, but as employees gained experience, give them more freedom for individual decision making. Supervisors played the role of mentors, helping decide who was ready for more freedom and who needed strict monitoring. In the end I had an incredible team (some of whom read this blog; feel free to comment) capable of handling very dynamic situations with minimal direct supervision. Cops, firefighters, paramedics, doctors, lawyers, electricians, and so on all work in pretty much the same way.

It took me years to develop the judgement to make accurate, split-second decisions where there were policy gaps. Ask any of my physical security friends: early on I tended to fail in favor of always following policy. It created as many problems as it solved, requiring greater supervision. The world isn’t black and white, even when it is.

How is this relevant to Pete’s points?

Two ways. First, bad policy is bad policy. I don’t ridicule TSA employees, but it’s our job as security experts to identify policies that don’t improve security but increase costs. Pete doesn’t discuss the policy creation point, or the need for feedback from enforcement points to creation points to maintain effective policies.

The second is that over-reliance on policy enforcement points results in security failures. Policies can’t account for all situations, can’t manage appropriate exceptions, and don’t adapt for new threats.

My suggestion is that the government develop more effective policies and stop treating airport security as a single enforcement point. I’ve written about it here and here. Create a hierarchy of TSA employees, beyond screeners, and embed security deeper into the aviation system in a less intrusive way.

I applaud the employees who are willing to deal with all the a$$holes running through airports. Screening is hard, thankless labor. But we need to look a little higher, and thus improve security while decreasing inconvenience and reducing costs.
