$15 million LA camera system failing

PoliceOne says that a 60% success rate is far (20%) below expectations:

Los Angeles’ $15 million high-tech camera system designed to catch red-light runners let four in 10 violators off the hook last year because the drivers couldn’t be identified, according to police data.

In other words, the cameras are highlighting another control gap — 40% of drivers suspected of violating a traffic law also operate without proper registration:

Police say they have made progress in the past few months in finding the drivers and ticketing them. They also note that glare from windshields and license plates interferes with about 2 percent of the images.

But they emphasize it’s not the technology that is allowing violators to get away with running red lights. By far the biggest obstacle to ticketing violators, they say, has been outdated or unidentifiable car registrations.

Security metrics are funny that way. You might find 40% of your suspects are getting away because they are using bogus identities, but this is not just a 40% failure. Knowing that bogus identities are prevalent is far better than not knowing, so the system is actually performing an important detection role where none existed before. This is not positive spin so much as an example of surveillance systems giving better information about identity controls and weaknesses.

Deutsche Telekom in Privacy Flap

Deutsche Welle reports that security staff are accused of breaching privacy laws:

Security staff at telecoms giant Deutsche Telekom are suspected of breaching German data privacy laws during a secret attempt to identify the sources of high-level leaks to the media, the company said Saturday, May 24.

Using the company’s own records of millions of numbers dialed, the dates and the durations, the internal-security unit had hunted for possible matches between news reporters and Telekom directors.

It is bad news for security staff when they abuse the trust they need to perform their duties effectively. The fallout from this scandal will be interesting to watch. Security has apparently not only breached privacy laws meant to protect customers, but has done so in direct conflict with senior management.

SocGen report highlights management/monitoring errors

The BBC story seems more interested in the fact that the SocGen trader was not acting alone, but I find this part the most revealing:

The bank’s management was accused of being “negligent” in not identifying the problem, the report said.

It also found that Mr Kerviel’s direct supervisor was inexperienced, with insufficient support to do his job properly.

“The fraud was facilitated, or its detection delayed, by supervisory weaknesses over the trader and the market activities checking,” it said.

“The trader’s hierarchy, which constituted the first control level, showed itself negligent in the supervision of his activities.”

Mr Kerviel’s supervisor “showed inappropriate tolerance to the positions taken”, it added.

Blaming this on his immediate supervisor is a lot like blaming it all on the perpetrator himself. Surely the controls for this kind of error should be visible at the highest levels. The consequences have been devastating, which suggests security information and event management at SocGen was not integrated into an executive’s view.