Did you ever wonder why businesses put up silly signs that say “If we do not offer you a receipt, your purchase is free” at the checkout counter? There’s a very good reason for this, and many other seemingly useless signs. Have you noticed the sign that says “There is never more than $50 in the safe”, which tells thieves that it’s not likely to be worth robbing the convenience store? It’s a lot cheaper than trying to implement technology to prevent every possible attack with “Preventative Safeguards”. These signs, and other types of warnings, are called “Deterrent Safeguards”.

The reason for the sign at the checkout counter is actually to deter store clerks from doing some sleight of hand and pocketing the cash from a transaction without ringing it in. So, in a very clever…AND CHEAP… move, some store owner decided to change the economic model slightly. This makes all the difference. If the clerk knows the customer has an incentive to ask for the receipt, they are much less likely to try to cheat the system.

This is so effective, some people might call it a preventative safeguard, but it doesn’t actually prevent the theft by an employee. It just makes it much less likely. If the customer doesn’t notice the sign, or has seen it so many times that they forget to ask for the receipt, or they just feel silly asking for a receipt for a pack of gum… the clerk can get away with it. But it does stop most clerks from going there on larger items.

If you look around you will see many signs that state rules or warnings that are so obvious you have to wonder why anybody bothers. These warnings can also be effective for defending the seriousness of a security program in court. If a judge notes that there are no warning signs around an open pit, the mining company can be deemed liable for not taking action to warn of the danger. Similarly, when you see a login screen that has a bunch of legal mumbo-jumbo on it, the business is saying to the courts “Look, I’ve told the guy he shouldn’t abuse my system. So if he does, I have a right to go after him, even if he’s my own employee.”

Laws can also provide deterrent by stating consequences such as fines or prison penalties for offenders.

This brings me to a sad and timely issue that arose for all of us yesterday. After the Virginia Tech shootings, the first thing on many people’s minds was probably related to the gun laws in the USA; some for tightening them, and some for defending the status quo. I understand the freedom philosophy, and that it sometimes is in conflict with the public interest. There are many conflicts like this in the security field. They can go both ways. But the point I want to make here is that for a relatively small cost, there is almost always something you can do to deter the majority of people.

I don’t want to get into a long political debate, but I happen to like the gun laws in Canada better than in the USA. It is much harder for an idiot with a grudge to walk around with a firearm in Canada looking for revenge; not that the laws had much effect last fall in Montreal at Dawson College. It could have been just as bad as Virginia Tech in that situation. But when something is illegal, the attitudes that people have around would-be criminals bragging about their gun collection change to become more of a deterrent. If anyone had noticed Kimveer Gill’s VampireFreaks page with his posed photos holding guns and knives, he might well have had the police at his door before he started shooting. In this case, the laws and public attitudes as deterrents could have been successful. Unfortunately, it didn’t happen that way. My sympathies are with all the victims of these crimes.

There will always be people who will argue until the cows come home that stronger gun laws will not prevent the Virginia Techs or the Columbines from happening. However, this logic, while strictly true, is rarely valid. Deterrent safeguards are so much more cost effective in many cases that not implementating them as a first step in a security program (in addition to prevention, detection and response safeguards) usually results in continued escalating losses. It is sad that more has not been done to avoid the suffering and loss on such a large scale.

While those issues will be discussed ad nauseum in news and forums, I’d like to take this back into the business context.  Deterrent safeguards can often provide a greater return than trying to prevent or detect attacks technologically.  But they are usually in a much more “human” context, and often deal with the psychology of potential attackers, including insiders.  So, there is no black and white, right or wrong, and you certainly can’t depend on only using deterrents.  There has to be a balance.

The bottom line is, with an intelligently designed configuration, and properly worded communications, you can save a lot of money, and maybe sometimes lives, with deterrent safeguards.