Monday, March 2, 2009

Broken Windows – System Administration and Security

A recent study confirms that the ‘Broken Windows’[1] crime theory might be valid. As reported in the Boston Globe:

“It is seen as strong scientific evidence that the long-debated "broken windows" theory really works—that disorderly conditions breed bad behavior, and that fixing them can help prevent crime”[2]

Does the theory also apply to system administration, security, servers, networks and firewalls? How about application code?

I grew up knowing that you always cleaned and washed your car before you took it to the mechanic. Why? Because if the mechanic saw that you had a neat, well-kept car, he’d do a better job of fixing it. I’ve seen that in other places, like when you visit someone with a neat house versus a messy house, or hang out in a messy, smoky bar with cigarette butts and peanut shells on the floor, or a gated community versus a slum. Let’s assume that it’s simply part of human nature.

Quoted in the Boston Globe article:

“"One of the implications certainly is that efforts that invest in improving the environment in terms of cleanliness may actually help in reducing moral transgressions because people perceive higher moral standards," said Chen-Bo Zhong, assistant professor of management at the Rotman School of Management at the University of Toronto.”

Higher moral standards reduce moral transgressions. Disorderly conditions breed bad behavior.

Does the theory apply to applications, servers, networks and firewalls?

  • If system administrators, developers and network administrators consistently and carefully maintain a system or application by tracking down and cleaning up all the little bugs, error messages and minor day-to-day cruft, will the system perform better, have higher availability and better security?
  • If a firewall rule set is organized, systematic, structured instead of random and disordered, will the firewall administrators pay closer attention to the firewall and be less likely to cause an error that results in misconfiguration or unavailability?
  • If a server has applications and data neatly organized instead of scattered all over the file system, if the root directory has only system files in it instead of random leftovers from past projects, will the sysadmin pay closer attention to configuration, change management and security?
  • If an application's code base is organized, structured, and generally neat, will the code maintainers do a better job of maintaining the code?

I speculate that this is true, based only on observation and anecdote.


[1] Broken Windows, George L. Kelling and James Q. Wilson, The Atlantic, March 1982
[2] Breakthrough on Broken Windows, The Boston Globe, Feb 8 2009

Via: The "Broken Windows" Theory of Crimefighting, Bruce Schneier

3 comments:

  1. Certainly it applies to programming. The Pragmatic Programmer dealt with broken windows at length, suggesting putting the equivalent of police tape around known bad code to warn others away. I don't know of any studies that bear this out, though there no doubt are some, but I have seen it in practice again and again.

    I also see code that I wish I'd put police tape around being copied and re-used.

  2. I think the cleanliness factor - whether it's in the analog world or in the digital world - brings with it just a hint of a "panopticon effect". The most subtle version being the old adage that folks _generally_ live up to expectations others have of them.

  3. Panopticon - I had to look that one up ;-)

    @Sam - We have servers that should have police tape around them too. The worst is one that I built a decade ago. We've never cleaned it up and started over. Nobody has the guts to take it on.

    I've found 'living up to expectations' to be generally true also, and the cleanliness factor might simply raise expectations.
