Donut based security at Amazon

This is not a clever technical article where DONUT is some obscure new encryption algorithm. This is about getting people to lock their laptop screens. Using donuts.

In the early days of the Amazon San Diego office, we were in an unsecured, shared office space with other companies. As such, it was crucial that people remembered to lock their screens whenever they left their computers, even if only for a few minutes. But, humans forget, and we needed a way to actively catch them and help correct their behavior.

Cyber theft bad guy ooooo!

A normal company probably would have put up posters and sent out emails about the importance of locking screens – which would have been promptly deleted and ignored. Or had managers remind employees about the importance of security, blah blah blah. Or created a 45-minute training video about the dangers of cybertheft with spooky-looking cartoon bad guys.

What we did was this.

If we stumbled upon an unlocked laptop screen, we would send out an email from that person’s account:


Subject: Free donuts tomorrow!

Hey everyone, I realized we haven’t had donuts in a while, so I’ll bring in a box tomorrow for everyone!  Enjoy!

You had to be fast, since the person could come back at any moment. The key was to not get caught, so they had no idea who did it.

If your computer was used to send such an email, you were duty-bound to bring donuts the next day. No ifs, ands, or buts. You had been donuted.  We consumed some ungodly creations, like these from VG:


This was remarkably effective.  Over time the donuts decreased in frequency, which was a little disappointing from a stomachular perspective, but showed it was effective from a security perspective.

There are a few reasons why this worked:

  1. We made it a game. Everyone could participate. It was fun.
  2. Humans hate being embarrassed. This was a mild sting, but it still stung enough for people to remember.
  3. There was an inconvenience factor. Now you had to drive and buy donuts tomorrow.
  4. There was social pressure. Everyone knew what was expected. Nobody ever failed to bring in donuts.

The cool thing is this game spread organically. I remember sending the first email out. It was a coworker’s computer – a senior Amazonian who should have known better. He dutifully brought donuts in the next day.  From there it caught on like wildfire. (I also donuted him another half dozen times before he learned – I swear he was the worst at locking his screen!)

Once the precedent was set, the game was on. Who said enforcing security was no fun?