What does this actually teach us about IT policies?
One more from Ars today: 12% of employees knowingly violate company IT policies. The fun part of the quote, though (and I suspect it is true), is "in order to get work done".

Take that at face value -- really, it doesn't surprise me. But the right conclusion to draw, I believe, isn't that employees are bad and are maliciously or carelessly violating policy. Rather, it is that IT policies are often short-sighted and wind up hindering employees from doing their jobs. This happens all the time, in ways ranging from overly tight web-browsing enforcement to stupidly frequent password-changing regulations. Overly broad or restrictive policies often leave people no choice but to work around them -- and therefore wind up putting the company at *more* risk than a slightly looser (and more consistently followed) policy would have.

Okay, yes -- I'm probably preaching to the choir here. But it's a good illustration of the Law of Unintended Consequences, and of why stricter rules can backfire very badly. The solution isn't tighter enforcement; it's better-chosen rules...

I am shocked at how low that number is.

I think if you look at the letter of the laws, approximately 100% of employees violate company IT policies.

I suspect the key to that statistic is "knowingly." ;-) But even so, it seems low. Pretty much the only policies reliably followed at places where I've worked are those that are automatically enforced, like password changes.

Wouldn't surprise me if this is the proportion that *admits* to having done so.

(I actually think that most of the policies at my office are followed *relatively* reliably. But we're still a smallish company, and the security policies are, by and large, rational and well-targeted...)

One of the problems is measuring compliance...

Right. If the policy admins can't tell if people are breaking the rules, and the employees aren't sure if they are, then how is a survey going to know? I'd put the 12% as a lower bound.

