Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Thursday, 15 April 2010

Staff ignore security policy to save time

Please do not change your password - The Boston Globe quotes from a Microsoft study that concludes that much of our security policy advice to users is pointless. In the article, Bruce Schneier is quoted as speculating that the employees knew following security policies would cut into their work time. They understood better than the IT department that the risks of not completing their assignments far outweighed any unspecified consequences of ignoring a security rule or three. “People do what makes sense and don’t do what doesn’t,”

This is just what I was talking about last month when I said that we should do more enabling and less eliminating. If you insist people use separate, strong passwords for them all without giving them a simple, secure means of storing and retrieving these passwords on demand wherever and whenever they are needed, then don't be surprised if they ignore the advice and/or write them down. It's gonna happen.