
Politeness Is the New Vulnerability

Why “I didn’t want to be rude” beats most access-control systems.

Updated: Feb 7

Authors:

Katarzyna Kałużny, Global Leader in Operations & Enabling Functions, Executive MBA

Capt. Ajesh Sharma, Global Security Strategist & Leader, Founder of Helix Security Advisors

Tailgating. Holding doors. Smiling strangers. And how social norms override policy almost instantly.

Introduction

Modern organizations take pride in being polite, open, and trusting.

We design workplaces to reduce friction. We encourage friendliness. We avoid confrontation.

And unintentionally, we create environments where security quietly erodes.

In polite cultures, questioning feels rude. Verifying access feels distrustful. Challenging familiarity feels awkward. So people choose the path of least personal friction: courtesy over control, assumption over verification, silence over challenge.

Security rarely collapses abruptly in such environments; it erodes gradually and quietly, often unnoticed.

How Politeness Gets Exploited (Every Day)

These are not exotic attack techniques. They are social patterns.

  • The Helpful Colleague: Someone carrying loads in both hands appears to struggle to swipe a card at the card reader. Empathy kicks in. Someone holds the door to be helpful, and there it is: the door is held open. No badge is checked. No access is logged. Full entry achieved.


  • The Crowd Blend: An outsider merges with the large volume of people passing through monitored entrances at peak login hours. Unless the site security team has taken remedial measures to funnel large volumes, strangers have a high probability of bypassing identity verification. Identity checks quietly disappear behind volume.


  • The Familiar Face: A friendly relationship with security staff becomes a credential of its own. “I left my badge inside.” “My access just stopped working.” This is a common method of entering premises, and it is especially effective immediately after employment termination.


A case involving Deutsche Bank shows how physical security can fail without any force or technical breach. An unauthorized individual repeatedly entered restricted server rooms simply by being escorted in by a contractor. Access was not hacked — it was assumed. Security staff did not challenge the presence, likely to avoid social friction rather than because controls were unclear.

The most telling moment came afterward. The issue surfaced through an internal whistleblower. Instead of reinforcing verification and challenge, the organization dismissed the person who raised the concern. Politeness was tolerated at the perimeter. Disruption was not.

(Source: publicly reported court filings)


But Why Does It Work?


Politeness doesn’t destroy security by accident; it does exactly what societies designed it to do - reduce social friction. Security, meanwhile, needs friction. That tension is the core problem.


Sociolinguistic research has shown that politeness is not a personality trait.

It is a structured system of rules designed to minimize what researchers call face-threatening acts - moments that risk embarrassing, challenging, or undermining another person.

From this perspective, asking someone to show a badge, stopping them at a door, or questioning their access is not a neutral action. It is a direct threat to social face.


That is why even well-trained employees instinctively soften, delay, or avoid challenges — unless the organization explicitly redefines challenge as normal and expected.

This Is Not About Breaking In


Most security intrusions do not occur through dramatic breaches or technical sophistication. They happen through approval. Doors are held open. Access is assumed rather than verified. Exceptions are granted in good faith and left unchallenged long after their relevance has expired. In many cases, nothing is “broken into.” Entry is simply allowed.

Real-world intrusion patterns consistently follow familiar routines. A visitor is escorted once and later left unattended. An individual tailgates through a secure door because challenging them feels awkward. A contractor’s access quietly persists beyond the contract period. A badge is trusted because the person wearing it looks like they belong. Each instance appears harmless in isolation, yet collectively they form a predictable pathway for exploitation. These are not failures of technology; they are outcomes of culture.



What Actually Needs to Change



Effective security requires designed friction. It must deliberately introduce moments of pause and verification—permission for employees to ask, “Can I verify this?” or “Why does this access still exist?” or “Who approved this exception?”

Such friction is not inefficiency; it is risk awareness made visible. It slows assumptions, not business.

The real leadership question is not: “Do we have a polite culture?”

It is: “Have we given our people - across regions and cultures - permission to challenge without fear?”


Security does not need to be rude. But it cannot afford to remain unquestioned.

So, when was the last time you let someone in because it felt too awkward to stop them?






 
 
 
