How Checklists Can Reduce Security

If you’re trying to maintain a secure environment, then working through a checklist might seem a useful way of ensuring you’ve covered everything and are meeting compliance requirements. However, that kind of thinking can be dangerous.

Speaking at the Digital Security Summit in Canberra last week, security veteran Howard Schmidt (his resume includes a stint as the cyber-security advisor for the Obama and Bush administrations) argued that trying to stick too closely to compliance mandates was often counter-productive:

When people have a checklist, they will gravitate towards ‘What is the minimum thing I need to do to tick the box?’

Rather than focusing on individual compliance issues, Schmidt recommends looking at security at a more fundamental level: “By becoming secure, you become compliant.”

That said, Schmidt sympathises with the difficulty in ensuring sufficient funding for security initiatives. “We’re asking them to make an investment so something doesn’t happen, and it’s really difficult for CEOs and boards to get their head around that.” In that context, playing the compliance card is sometimes an effective if unfortunate compromise.


  • This is true but I think it only applies to high achievers.

    I used to be a security guard and trust me, the average person I worked with NEEDED that checklist like oxygen. You would NOT be wanting to trust them to be using their brain to secure premises.

    Different things I know, but the problem is universal. Dumb people need their checklists. And dumb people gravitate towards gatekeeper-like positions.

  • The problem with any checklist or even routine-based approach is that it’s known and predictable; if you’re trying to stop a person then they’ll just plan around this. If you take a game theory approach, introducing an element of randomness should improve security, i.e. it’s easy to plan around every 5th person getting searched, much less so if it’s based on the roll of a dice.
