This seems like an insane metric. For any large enough organization that is difficult to identify who actually works for $company and who is there on "business" - and given that its rare for every developer to have a locked door, you can easily have a situation where a "guest" (maybe a software vendor, or partner, or friend of coworker) is on their way to the bathroom and decides to poke around on your machine.
Barring myself from working at an company with more than ~150 people (Dunbar's number) because I'm too pompous to lock my laptop doesn't seem like a metric one would be wise to follow.
> This seems like an insane metric. For any large enough organization that is difficult to identify who actually works for $company and who is there on "business" - and given that its rare for every developer to have a locked door, you can easily have a situation where a "guest" (maybe a software vendor, or partner, or friend of coworker) is on their way to the bathroom and decides to poke around on your machine.
This is like bricking up all your windows against thieves when you live in sleepy, low-crime suburbia.
Site security needs to have a balance between paranoia and practicality. For public-facing code, history has shown us that it's impossible to be too paranoid. If you work in national security, or your industry is known to be a target for industrial espionage, then certainly strong precautions are in order.
But if you're just building social media sites or whatever, and you're firing people because they failed to stand ever vigilant against the possibility that Bob the visiting vendor rep might stalk the corridors waiting for you to take a bathroom break so he can rifle through your code for exploits to sell to teh haxxorz, you are being absurd.
Barring myself from working at an company with more than ~150 people (Dunbar's number) because I'm too pompous to lock my laptop doesn't seem like a metric one would be wise to follow.