Why people violate security policies

Many organizations have a formal set of information security policies covering everything from acceptable internet usage to security in software development to web application security. In fact, it’s hard to come across a business today that doesn’t have at least a policy or two in place. That’s fine and dandy but it’s not the existence of policies that determines the level of information risk, but it’s whether or not your users are actually complying with those policies.

A business can have the best-defined and articulate security policies in place that everyone is familiar with but that means very little in the grand scheme of things. As with laws and regulations, people are going to abide by them by default. The following are reasons why users violate security policies:

Users don't appreciate the business reasons behind the policies
Simply telling people what they cannot do is like telling a four year old to stop playing with her food. You have to explain the reasons why policies exist and why it’s everyone’s job to adhere to them. In certain cases users aren’t even aware that certain policies exist, so without adequate training one can’t expect users to follow a set of rules to which I haven't been initiated.

Users don't buy into the policies
Even if you’ve laid out good reasons for your policies to exist, users may still disagree. They may not see the point of such nonsense, especially when they have the perception that they know what’s best.

Users know the policies won't be enforced
Like speed limit and seat belt laws, people know that they’ll be able to get away with policy violations because there’s no possible way for IT and information staff to possibly monitor for and catch everything. Network complexity contributes to this problem and users are often correct – policies are indeed often suggestions with no real teeth. That still doesn’t mean you shouldn’t have the proper technologies in place to actually enforce your policies. You won’t catch everything but at least you can set your users up for success by using technology to your advantage where possible and reasonable.

Users are lazy
The 'Must have it now!' human desire for instant gratification is very powerful. People don’t want to take the time to do things right nor have the desire to jump through a bunch of hoops getting in their way of doing their jobs. The offending attitude is “maybe I’ll adhere to it like I’m supposed to next time…”

Users' desire to violate policies outweighs their perception of the risks involved
Building on the laziness factor, users haven’t really thought about the consequences of their choices or assume that one bad decision every now and then won’t hurt. This mentality can spell disaster for the business. It’s up to you to convey why their risky behavior is bad for everyone.

Like the Art of War concept of “knowing your enemy”, understanding the basis for security policy violations is extremely important if you’re going to do something about it and (finally) fill the gap that’s too often overlooked in business today. Continuing to ignore the problem – or assuming that it’s a “management issue” will only prolong your web security woes.

Leave a Reply


  1. wifihead

    I appreciate the fact that #1 stated “Users don’t appreciate the business reasons behind the policies”. This to me is the major reason for failures and non-compliance. When we analyze the implications, it falls directly on the lap of upper management. Too many times things, both hardware and software, solutions, rules, regulations and a myriad of others are introduced into the network without communication. People are innately sensible. If a user is presented with a proposed change and is educated as to the why, how, when and where, most will fall in.The problems show up when there was no structure before, everything went everywhere, and suddenly users are told to buckle up.Any user who values his/her job will comply if they are educated and are aware of the consequences of non-compliance.I agree that in most environments the users are aware that policies will not be enforced because they are cognizant that the network is understaffed.I think that incentives can go a long way in having users comply. Just sayin.

    November 4, 2011 at 4:52 am Reply