Broken Windows – System Administration and Security

A recent study confirms that the ‘Broken Windows’[1] crime theory might be valid. As reported in the Boston Globe:

“It is seen as strong scientific evidence that the long-debated "broken windows" theory really works—that disorderly conditions breed bad behavior, and that fixing them can help prevent crime”[2]

Does the theory also apply to system administration, security, servers, networks and firewalls? How about application code?

I grew up knowing that you always cleaned and washed your car before you took it to the mechanic. Why? Because if the mechanic saw that you had a neat, well-kept car, he’d do a better job of fixing it. I’ve seen that in other places, like when you visit someone with a neat house versus a messy house, or hang out in a messy, smoky bar with cigarette butts and peanut shells on the floor, or a gated community versus a slum. Let’s assume that it’s simply part of human nature.

Quoted in the Boston Globe article:

“"One of the implications certainly is that efforts that invest in improving the environment in terms of cleanliness may actually help in reducing moral transgressions because people perceive higher moral standards," said Chen-Bo Zhong, assistant professor of management at the Rotman School of Management at the University of Toronto.”

Higher moral standards reduce moral transgressions. Disorderly conditions breed bad behavior.

Does the theory apply to applications, servers, networks and firewalls?

  • If system administrators, developers and network administrators consistently and carefully maintain a system or application by tracking down and cleaning up all the little bugs, error messages and minor day-to-day cruft, will the system perform better, have higher availability and better security?
  • If a firewall rule set is organized, systematic and structured instead of random and disordered, will the firewall administrators pay closer attention to the firewall and be less likely to cause an error that results in misconfiguration or unavailability?
  • If a server has applications and data neatly organized instead of scattered all over the file system, and if the root directory has only system files in it instead of random leftovers from past projects, will the sysadmin pay closer attention to configuration, change management and security?
  • If an application's code base is organized, structured, and generally neat, will the code maintainers do a better job of maintaining the code?

I speculate that this is true, based only on observation and anecdote.


[1] Broken Windows, George L. Kelling and James Q. Wilson, The Atlantic, March 1982
[2] Breakthrough on Broken Windows, The Boston Globe, Feb 8 2009

Via: The "Broken Windows" Theory of Crimefighting, Bruce Schneier