The Polite Breach.
Background & Inject 01: The Approach
Your office occupies the 3rd and 4th floors of a multi-tenant commercial building. The building lobby has a security desk staffed by building management. Your company's floors are accessed via a badge-controlled elevator. Employees badge in at the elevator panel; visitors must be met in the lobby and escorted. It is 12:35 PM. Employees are returning from lunch in clusters.
You are walking back with two colleagues. As you approach the elevator and badge in, you notice a person behind you wearing a delivery uniform carrying a large box labeled with your company's name and suite number. They are struggling with the heavy box. As you hold the elevator door for your colleagues, the delivery person says: "Hey, could you hold that? This one's for the fourth floor. My hands are kind of full."
Decision Gates
- 01: What do you do? Be specific. Not what you *should* do, but what you would *actually* do in this moment?
- 02: Why is saying "no" difficult here? What specific social pressures are operating (reciprocity, fear of rudeness, assumption of legitimacy)?
- 03: If you hold the elevator, what have you just done in security terms? (You have authenticated this person with your badge and taken personal responsibility for their access.)
Inject 02: The Variations
Present these variations and evaluate how the response changes based on appearance profiling.
Variation A
The delivery person is a young woman who is visibly pregnant and struggling with the box. She makes eye contact and smiles warmly.
Variation B
The delivery person is a large man in a plain black t-shirt with no visible uniform or company branding. He does not make eye contact.
Variation C
The delivery person is someone you have seen before. They wave at you casually and say, "Same drop as last time, fourth floor."
Decision Gates
- 01: The Bias Check: If you would challenge the man in Variation B but not the woman in Variation A, your access control is based on profiling, not protocol. How do you build a protocol that applies uniformly?
- 02: Variation C introduces familiarity. Recognition is not authentication. How do repeat visitors become trusted insiders without ever being formally vetted?
- 03: In all three variations, the correct action is the same. What is it? (Redirection to process: "I can't let you through on my badge, let me call reception to meet you.")
Inject 03: The Aftermath
The delivery person was not a real driver. They were a penetration tester hired by your security team. During the 8 minutes they spent on the 4th floor, they photographed a propped-open server room door, placed a rogue USB keystroke injector in a conference room, collected three sensitive documents from an unlocked printer tray, and noted the WiFi password written on a break room whiteboard. The total cost of the physical breach was $0.
Decision Gates
- 01: None of the access required technical skill. What does this tell you about the relationship between physical security and cyber security?
- 02: The server room door was propped open. Why? Who is responsible for this culture failure?
- 03: A WiFi password on a break room whiteboard gives an adversary network access from the parking lot. Is this a technology problem or a culture problem?
System-Level Fixes
- Install anti-tailgating sensors on badge-controlled entry points that alert when multiple bodies pass through on a single badge swipe.
- Eliminate propped-open doors with alarmed door contacts that trigger after 60 seconds of a sustained open state.
- Implement a clean printer policy: printed documents not retrieved within 5 minutes are automatically purged from the print queue.
- Remove WiFi passwords from whiteboards. Use a QR-code-based guest network with rotating credentials.
- Conduct quarterly physical penetration tests using social engineering methods and share the results (anonymized) with all staff as training.
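The first two fixes above are alerting rules over access-control events. As an added illustration (not part of the exercise material), the detector below correlates badge swipes, passage sensor hits and door-contact events: it flags a second body on a single swipe, a passage with no recent swipe, and a door held open for the 60 seconds the fix specifies. The 10-second attribution window, the event schema and the sample timeline are assumptions constructed for this example.

```python
from dataclasses import dataclass

TAILGATE_WINDOW_S = 10   # assumption: a passage within 10 s of a swipe is credited to it
DOOR_HELD_OPEN_S = 60    # from the fixes list: alarm after 60 s of sustained open state

@dataclass
class Event:
    ts: int          # seconds on a constructed timeline
    door: str        # reader / contact identifier
    kind: str        # "swipe" | "passage" | "open" | "close"
    badge: str = ""  # only set on "swipe" events

def detect(events, now):
    """Return (door, reason, ts) alerts; `now` lets a still-open door alarm."""
    alerts = []
    swipes = {}   # door -> [swipe ts, badge, passages credited to that swipe]
    opened = {}   # door -> ts at which the contact reported "open"
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "swipe":
            swipes[e.door] = [e.ts, e.badge, 0]
        elif e.kind == "passage":
            s = swipes.get(e.door)
            if s is None or e.ts - s[0] > TAILGATE_WINDOW_S:
                alerts.append((e.door, "passage_without_swipe", e.ts))
            else:
                s[2] += 1
                if s[2] > 1:  # second body on one swipe: the tailgating case
                    alerts.append((e.door, f"tailgate_on_{s[1]}", e.ts))
        elif e.kind == "open":
            opened[e.door] = e.ts
        elif e.kind == "close":
            t0 = opened.pop(e.door, None)
            if t0 is not None and e.ts - t0 >= DOOR_HELD_OPEN_S:
                alerts.append((e.door, "door_held_open", t0 + DOOR_HELD_OPEN_S))
    for door, t0 in opened.items():  # propped doors never report "close"
        if now - t0 >= DOOR_HELD_OPEN_S:
            alerts.append((door, "door_held_open", t0 + DOOR_HELD_OPEN_S))
    return alerts

# Constructed sample: one swipe at the 4th-floor elevator followed by two
# bodies, then a server room door that is opened and left propped.
SAMPLE = [
    Event(0, "elevator-4F", "swipe", "E-1042"),
    Event(2, "elevator-4F", "passage"),      # the badge holder
    Event(4, "elevator-4F", "passage"),      # the "delivery" person, same swipe
    Event(300, "server-room", "open"),
    Event(301, "server-room", "close"),      # normal entry, no alarm
    Event(420, "server-room", "open"),       # propped open, never closes
]
```

Calling `detect(SAMPLE, now=900)` yields a tailgate alert on badge E-1042 at t=4 and a door_held_open alert for the server room at t=480.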
The Core Lesson & Script
Physical security is not the responsibility of the security team alone. It is the responsibility of every person who carries a badge. Every badge-holder is a gatekeeper. If any single gatekeeper fails, the perimeter is compromised.
Give every employee a simple, scripted response for tailgating situations:
"I'm sorry, I can't badge you in. It's policy for everyone. Let me call the front desk so they can get someone to meet you. It'll only take a minute."
This script works because it blames the system (not the person), it offers an alternative (not a rejection), and it normalizes the behavior (everyone follows this rule, including the CEO).