A recent Seattle Times article offers an interesting case-study for security professionals. The headline: "After 6 months, drivers ignoring cellphone ban." Can we learn anything from law enforcement's implementation of this new law? I think so.
The Seattle Times article covers a variety of important policy implementation steps that were used:
1) A PR campaign was initiated and initially worked.
Cindy Baker-Williams held a "Hang Up and Drive" banner over Aurora Avenue North in Fremont when Washington's handheld cellphone ban for drivers began on the first of July. She and her family hoped the new law would change drivers' behavior. It did at first.
2) Over time, people started to ignore the ban.
Sgt. Freddy Williams of the State Patrol (said), "We see about one in three drivers talking on a cellphone. People seem to be ignoring the law."
3) Enforcement penalties were real, but somewhat limited.
Statewide, troopers handed out 746 tickets for illegal driving-and-talking through November.... Troopers also issued 1,345 written and verbal warnings.... But driving-and-talking is a secondary offense, meaning the police have to stop a driver for another violation before they can write a $124 ticket for holding a cellphone.
4) Metrics were available, but the meaning of the data could be argued.
The pioneering law — only six states have such a ban — might have contributed to a drop in car crashes on state roads this year. It's impossible to know, though, Williams notes, whether the drop resulted from the cellphone ban or other factors such as high gas prices and less travel.
5) Next steps are controversial.
The public appears to support a tougher law. Baker-Williams expects it will take a similarly long time — and lots of statistical evidence and personal tragedies — before the cellphone law is strengthened and drivers change their habits.
Perhaps you're wondering, what does this cellphone ban law have to do with security or other technology policy enforcement? Can't we just "impose our policies" on corporate or government networks and PCs, laptops and other devices? Can't security policy enforcement be automatically implemented in ways that cell phone bans in cars cannot?
No doubt there are differences, but in some ways the cellphone ban for drivers is a best-case scenario. For one, everyone "gets it." They understand the law (policy), and they understand the potential risks and life/death consequences of not complying. Of course, the trouble is that they don't think the bad things (like an accident) will happen to them - which is the same risk/reward equation people face when violating security policies.
In addition, the penalties were real and in place in this case. The metrics were available, and the ways of hiding behavior were somewhat limited. One could easily argue that enforcing a driver's cellphone ban is an easier task than enforcing security policy on work networks.
In my opinion, there are quite a few similarities that CSOs should take note of here. First, policy enforcement requires a look at people, process and technology - NOT JUST TECHNOLOGY.
(Sorry for shouting, but many in the industry just can't seem to understand this fact.)
For example, I've seen staff bring in their own web-enabled cellphones to bypass security measures on government or corporate networks. Strong "built-in" technology controls can't stop users from using personal devices to access external networks and websites that pose risk.
The temptation may be to ban all personal cellphones (or other devices) at work, but if governments and companies take away cellphones from staff to save money, they may face a backlash from such moves. Every action causes an opposite reaction and needs to be weighed carefully.
Bottom line, policy enforcement is hard - but needs to be done. My point in this blog is to illustrate some of the difficult aspects that CSOs and others face after they implement a network or security policy. Oftentimes, this is a long road. Just like cellphone bans for drivers, it takes years to change people's habits.
Ending on a more positive note, there are several examples where we have seen long-term behavioral change after policy change. Two such areas include the use of seat belts and smoking bans. In both cases, we needed to change the public opinion and not just the law/policy. CSOs need to keep the ongoing training/awareness aspects of new policies in mind.
What are your thoughts on policy enforcement?
There may be another similarity between the cellphone ban and security policies - the failure to more directly connect the policy to the objective. Talking on cellphones is not inherently evil; it may not be much different than talking to a passenger in the car. The core issue is lack of attention to the business of driving and there are many equally dangerous acts that are not explicitly illegal (e.g., eating, reading, personal grooming, rubber-necking, etc.). The inconsistent treatment of all poor practices weakens the connection to the ultimate goal and, thus, the argument for compliance.
Seat belt compliance, I suspect, is much higher because that campaign was more about the objective (safety) than a traffic violation - and there were rewards for compliance like reduced insurance rates.
Security policies need to be more about the objectives and positive behaviors, and less about specific instances that are subsets of poor behaviors. While there may be no equivalent of reduced insurance rates, metrics of success can emphasize the objective (e.g., xx days without a virus attack or breach).
A couple of thoughts on the ban, and how it relates to security. First, do we need 95% compliance to claim that a security policy is a success? Does the inevitable compliance drop mean the policy doesn't work? (No and no, but always shoot for 100%. And just like software, we need to budget for a maintenance fee...)
Second - fully agree seat belt laws and smoking bans are policy and culture change success stories, but I think both have a strong element of self-interest that has been far more influential than enforcement efforts alone.
Enforcement is always going to be needed. But we can make that road a bit easier by looking at issues from the user perspective and improving the fit between policy, technology and the people we protect.
Jeff,
I concur on both of your points. The best overall strategy is to win over the hearts and minds of people and help them understand why security is in their best (self) interest.
My only "but" is that this is very hard. Humans (including me) can be lazy and want the easiest way out and less "work." As with seatbelts, it often takes a close call (or sometimes even a breach or identity theft) to get someone's attention on security.
I tend to blog so much about integrity, reputation and culture for the very reasons you list.
Thanks for your comment,
Dan
I agree that awareness is definitely a part of the equation. My take on this policy discussion comes down to a question of management involvement and oversight. What I mean to say is that regardless of automated monitoring of systems, etc., it is still incumbent upon management to enforce existing policies. I think that in the IT field there exists a large number of managers that are not trained or proficient in managing people. They may have been proficient technologists that were moved up the ladder without consideration of their management abilities. Managers need to be involved and engaged with their staff and know how their staff is spending their time. Additionally, management needs to consistently enforce and model positive behavior themselves. By doing so an expectation of integrity and accountability is fostered.