At a recent trip to an office building, in the restroom there was, up in the corner, a battery-powered air freshener that automatically sprays potpourri scent every half hour. It is a white box about the size of 2 stacked VHS tapes (remember those?) mounted up in the corner against crimson tile. And it had, to my amazement, a brass lock to keep the lid securely closed.
The lock was a simple, inexpensive brass lock anyone can buy at Home Depot for a few bucks, screwed into the plastic side with standard gold-colored screws. So, I was wondering...why was it locked? I don't know the history, nor do I deal with air fresheners often. I myself cannot think of a good reason for doing this. So I wanted to do some deconstruction of the impetus behind what I find to be a somewhat irrational act.
To set the stage, this bathroom is not located in a secure facility. It is a nondescript typical corporate office building in the suburbs. Therefore, the logic used for locking the device, as far as I can see, falls into one of two categories (or both):
- Security: so no one can steal the air freshener can or batteries
- Public safety: so no one can install a can of aerosol anthrax
And the lock down was probably facilitated by either:
- An overzealous organizational security policy
- An overzealous security officer
- An overzealous custodial engineer
But again, perhaps this is a wise practice, to lock down air fresheners in corporate restrooms, and it's me who is being naive. I would hate to be the one who has to answer why I didn't lock down the air freshener after such an attack (or theft) occurred. If I do start to see this more, I may chalk it up to a weak economy, where people steal air freshener parts similarly to how thieves steal copper pipe and wire from homes in economically-depressed areas. But for now, I tend to see this as an irrational act of security, the result of watching too much local news and crime dramas.
Also, some concerns:
- If someone who steals air freshener components is being allowed into the building, why and how? What else is at risk?
- The lock is cheap and easily compromised
- Has equal attention been made to other possible vectors of whatever attack the lock was intended to prevent?
I guess the point is, if you're going to implement a security measure, make sure it is in response to a definitive requirement, that it is effective, and that you don't let it eclipse other threats and vulnerabilities that also need to be mitigated.