Thursday, February 7, 2013

Corp Security - Part 3 - The early days (months)

Eve Online Corporation Security

Part 3

The early days of employment

Well your applicants have made it through your rigorous (or not so rigorous) screening and now they are in your corp. Time to give them some access and set them on their way right?

Your corp, while a lot safer if after the steps outlined in part 2, is still never going to be totally safe. Smart and experienced corp thiefs and spy's can get around all current security with minimal work, and avoid or mislead your best recruiters with some effort. Every time you let someone join the corp, you still accept the risks from Part 1, but at least at this point you have weeded out all but the most determined. This usually leaves you free of most AWOXers, low level theif, part time spys, and your petty thief.

Problematically you are left with the worst of all, if you are left with a spy at all. These people either have it out directly for your corp, alliance, or maybe both. Let's see how we can mitigate, or at least continue to make it difficult for them. Remember, the first rule of security is being a harder target than the next guy can save your corp or if you aren't it can doom it. However the reverse is true. Be too strict with your security policy and people will go find somewhere else to play. It's about finding the balance that you are okay with. Where the risk and loss doesn't outweigh the fun of the game.

Let's talk about the "trial" membership tag. Trial/newbie memberships really will determine how a new recruit fits in. If you don't have a Title called "trial" or "initiate" or "noobie" go make one. This title should have zero permissions to anything. It serves as a visible badge for several reasons. First it clearly marks them to the other members of your corp as a new guy. Meaning they can expect to need a little extra help, have no access, etc. Next, It also points them out as kind of a gentle reminder to the rest of the corp. "Hey, this guy is new and doesn't have access to stuff for a reason." Last, it points them out to outside players that just because this trial guy is doing X that doesn't mean the whole corp does. For any value of X, ie smacktalking in local, scamming, etc.

Ideally in the interview process you find out when this player is most often active, and in doing so you can identify a current trusted player to play mentor or at least a supporting role to the new guy. Help them move their crap to the new location, let them know information about voice comms. Get them in on the loop with ops. Explain channels. Explain the Rules of Engagement(RoE). Set them up with good fits, etc.

I'll do ya one better. Create a form letter, in this letter you include corp Forums url, methods of acces, ie how-to create a username and password, Alliance forums (if you have one), it's use and access. Information about the channels used by the corp and what ones the member should join/stay in. Voice comms information, even if they already know it, send it again. Add contacts, like directors, experienced members, places to go for help, ie Eve Mon links, battleclinic, helpful blogs etc. And a short blurb about where the corp is currently, and where it is headed. Include information about the Corp's HQ, ships that the avg member should have, and a reoccurring OPS schedule if you have one.

That seems like a lot of information to hand out in the first email, but it's all information you are most likely going to hand out anyways and if you don't some helpful member of your corp will. But this email really has another motive, it answers all those first timer questions and gives you and the member something to reference.

Okay, that's mostly just procedural, let's get back to security. Don't bandy about information about infrastructure pieces and get your membership out of the habit of doing the same. Just by lurking in channel, a spy can find out hordes of useful information with little to no effort. Things like "our research POS" location, you shouldn't have people broadcasting that information in the clear. People who should know, will, and everyone else can be ignorant. 90% of membership level security resolves down to "loose lips sink ships." In Eve's case, they can sink corps.

The best way to "turn" the risk of a spy is to include them as much as possible in everything that is being done within reason. What I mean is - Mining op going on? ask them specifically to come. Hanging out in chat? ask them to come join you. Be inclusive and friendly. Sure a spy is looking for information, but if you make him enjoy his stay he is less likely (though not by much) to betray you. After all, if they come to spy on you for one corp and then you make being in your corp much more fun, the chances of betrayal becomes much less likely.

The Trial Period

There's a lot of differing opinions here. Some people say 30 days, some 60, others until the member proves themselves "useful" which can be anywhere from a few hours to a few months depending on their definition of useful. Honestly, the time frame doesn't matter. For instance, if I say 30 days, then people will come up with reasons why their standard is better. So let's break it down into sections.

"Until useful" - this is usually the most often used phrase for smaller corps. IE until the person puts skin in the game or proves themselves of-use, or has something useful. This can be as simple as a battle cruiser to help with l4 missions or an Orca or even just a mining barge for corp mining ops. Not only does this not give corp mates a specific time frame to look for, but it also tends to favor the infiltrator who likely has something of use he can put into the game immediately. On the up side, it does allow for faster expansion on a day by day basis as players new to the corp can come in and make a difference quickly. In my opinion it is far to easy a standard to game for an infiltrator. There is rarely a baseline of activity taken and worse, this lends to the practice of giving too much access too quickly to new members.

30 days - This is a fairly common standard. However, how it's actually IMPLEMENTED makes the most difference. There are a lot of corps out there who say they have this policy, and then at the end of 30 days do nothing. IE never review the person, never let them know where they stand. Never review their activity or overall usefulness. This is very risky! Without any review of the player, how can you or the corp address if that player is working in the place they were brought in for, or if they are even still active? How can you tell if they even have met the requirements for passing the trial? Honestly you can't. Did I say passing the trial? yes, there should be standards, possibly not solid standards, but standards with regards to logging in, being active, participating in fleets and with other corp members that a new addition to the corp has to live up to. At the 25-28 day mark members need to be reviewed, activity gauged, see how they are fitting in, see where they are headed. Then another decision has to be made. Are they still a fit for the corp? If yes, then move them up to your next best rank, give them access to t1 mods, or a low level corp hangar. Obviously you want to wait before going buck wild with access even beyond 30 days, but give them some access at this point.

60 days or more - The long end of the stick. Once again the implementation of this can change the entire way it's looked at. I mean honestly, members should always be reviewed and kept an eye on throughout their career. If a member goes inactive for a year, it might just be time to drop them out after all. But I digress. sixty days needs to be handled just right, or the corp has to be so desirable that run of the mill people will be okay with waiting that long to become anything but a trial member. There are ways to limit this kind of burn-out / discouragement before a new members trial finishes, but most of those methods involve using the 30 day trial period methodology and then just following up again at the 60/90/whatever day mark, something that should be done anyways. Once again a review of the new recruit is essential. It's good so that recruiters can take a look and see who's successful and then give them the ability to judge why that person fit is/was successful or why they were not. It also lets the person know that at least for the first part of their stay in a corp they aren't alone, and that they need to work to gain access and not just sit afk until the end of the trial period and hope for full access. Instead people who can't even be active during their trial are removed from the corp at the end of their trial or near to it.

At least monthly the CEO or the recruitment officers should give a kind of state of the corp to the members of the corp. Include people who are passing and failing trials, point out places where the corp is doing well, and what it can do to do better. Messages like these keep everyone in the loop. Later I will go on into explaining what to do when things go south.

Corp Security - Part 4 - Post-spai recovery
Corp Security - Addendum - Errata   (coming soon)


  1. Good post this has been a great series man.

  2. Great posts.

    keep it up and just a reminder :) Update the links on your first and second posts.