Stupid security policies

In which I am asked by my employer to incriminate myself in future crimes in the office

Published on Thursday, 24 February 2011

I recently discovered that my employer wants ALL employees to swipe their badge in the elevator, even if another employee is present. In response, I came up with these scenarios (without even doing much thinking):

Let's assume that I'm an honorable employee that has been complying with this policy. One day, a piece of equipment goes missing on the 6th floor, where I work. There are records to "prove" that I travelled to the 6th floor, and none to "prove" that I left. Therefore, I am on the list of suspects by default. This policy of consistently swiping my badge has left me at a disadvantage to the thief, who, given his obviously dishonest ways, would not have felt a need to comply with the policy.

Let's assume that I'm a dishonest employee seeking to steal a piece of equipment. As a dishonest employee, I feel no need to comply with the policy requiring me to swipe my badge, so I simply wait for someone else to enter the building, and enter behind them and catch their elevator going up. Even if they were an extremely honest employee and requested that I swipe my badge, they have no way to force the issue, and afterwards it's merely their word against mine that I was in the elevator. Given that I'm innocent until proven guilty, this situation presents no difficulty for me.

Let's assume that I'm a dishonest employee seeking to steal a piece of equipment. In this scenario, most if not all of the employees comply with the policy. All I need to do is steal the badge of a fellow employee, and use it to travel to a restricted floor, steal some equipment, and travel back. Now, I have quite neatly framed a fellow employee, and there is no evidence that points to me at all. Even worse, I could simply report my badge missing, and at some point later use it to steal a piece of equipment. Now, I have plausible deniability, because I reported my badge missing.

Let's assume that I'm a dishonest employee seeking to steal a piece of equipment. Even so, I generally comply with the policy. On the day I wish to carry out my theft, I travel as normal (swiping my badge) to the scene of my crime, and then use my badge to send the (empty) elevator to the basement. This way, I've "proven" that I am not at the scene of the crime. I can simply carry out my theft, call the elevator, and travel to the first floor without swiping my badge. I'm in the clear.

None of these scenarios even deal with a crime involving multiple collaborating employees (or an outsider willing to carry an employee's badge around the building to "prove" that they were elsewhere at the time of the crime). As far as I can see, it would take an extremely foolish criminal to be "caught" using this "evidence", and the risks to me as an honest employee greatly outweigh that possibility. Am I wrong in my reasoning?