I don’t actually know what the slang term for a 2 AUD coin is, but thanks to Bruce Schneier’s blog posting on an insider thief at the Australian Mint, I know that the prison term for stealing 130,000 AUD worth of them is three years in the Big House.

A judge has criticised security at the Royal Australian Mint while jailing a worker who stole more than $130,000 by hiding new $2 coins in his boots and lunchbox.

Justice Terry Connolly, in the ACT Supreme Court, said William Grzeskowiac had committed a significant breach of trust over a long period, and sent him to prison for three years, with a non-parole period of 18 months.

But Justice Connolly also criticised security at the mint, saying he was amazed a theft on this scale could happen.

When security fails, I’m not amazed; I’m interested.

The first question that comes to mind is, How much would it have cost to mitigate the risk of employee theft?

I’ll assume that there’s already physical security in place, so adding a couple of metal detectors, at $5,500 USD each (with free shipping!) is only $11,000 USD.

Even assuming that there were multiple points of entry into the mint, that’s still only $11,000 USD per entry point. If the metal detectors mean adding one guard per entry point, plus a floater or two to cover lunches and bathroom breaks, that’s probably a fully-loaded cost of $30-35,000 USD per entrance per year.

Compared to the value of the money the Mint produces each year, $137 million AUD in FY 2004-2005, that’s not much money for a significant countermeasure.

Going back to the news story…

Justice Connolly also said he was amazed the mint could give no indication of just how many coins had actually gone missing.

“I would like to think those working at the other mint factory printing $100 notes might be subject to a better system of security,” he said.

I don’t know why he was amazed. The Mint’s accounting system probably began when the coins left the manufacturing process. Until they crossed that threshold, probably the point at which the coins were packed into rolls and therefore getting turned into $100 units, they were probably considered to be raw metal and therefore valued as rolls of sheet metal, or however the base inputs to coin stamping are accounted for.

So why did he do it?

Justice Connolly said just why Grzeskowiac stole the coins was not clear.

Grzeskowiac said it started out of a sense of grievance following an argument with his boss and ended up as a challenge that produced a sense of empowerment. A psychological report said he was motivated by a need for security.

Grzeskowiac’s defence counsel, Steven Whybrow, said he was a person of previous good character and what had happened was a bizarre aberration.

“There is no evidence that this was for gambling or drinking or some other addiction or avarice. All the evidence is that he is a simple man with simple needs,” he said.

Much of the Mint’s security is probably centered around assumption of rational actors, just like the Judge. In the judge’s mind, the only reasonable motivator to steal money would be for its value. This leads to assumptions about what kinds of controls will be effective to prevent theft.

But even risk-averse people can be a little crazy and/or get angry with their bosses.

First, since Australian coinage would be fairly difficult to launder–legally, you can only spend ten $2 coins at a time (see #13)–coins are probably not a good target for theft. This fact was confirmed by the large amount of unspent coins recovered by the police.

Next, I’m sure the Mint tries very hard to only hire people who are quite risk-averse when it comes to things like going to jail, even if most of the population is descended from convicts ;-). The reasonableness of this assumption would be reinforced by what seems like some level of background checking of workers at the Mint.

Finally, we see that stealing the coins became a game. In his own mind, I think that Grzeskowiac wasn’t even stealing money. If he’d been working in a meat packing plant, he probably would have been stealing a steak every day. But since he worked in the Mint, he stole coins. When assessing security, never assume that people share your priorities or value assessments–if anything, you would probably be better-served to assume they don’t.

So what’s this going to mean for everyone at the Mint who’s not going to jail?

Justice Connolly said a consequence of Grzeskowiac’s breach of trust was that mint workers, once trusted, now faced a far more intrusive security regime.

“Your conduct is going to make life much more unpleasant for every other worker at the mint,” he said.

Which will, in turn, inspire the workers to develop new and different ways of making their lives easier by bypassing the security that will now make it hard.