Many organizations have a formal set of information security policies covering everything from acceptable internet usage to security in software development to web application security. In fact, it’s hard to come across a business today that doesn’t have at least a policy or two in place. That’s fine and dandy, but it’s not the existence of policies that determines the level of information risk; it’s whether or not your users are actually complying with them.

A business can have the best-defined, most articulate security policies in place, policies that everyone is familiar with, and that still means very little in the grand scheme of things. As with laws and regulations, people aren’t going to abide by them by default. The following are reasons why users violate security policies:

Users don’t appreciate the business reasons behind the policies

Simply telling people what they cannot do is like telling a four-year-old to stop playing with her food. You have to explain why the policies exist and why it’s everyone’s job to adhere to them. In some cases users aren’t even aware that certain policies exist, so without adequate training you can’t expect them to follow a set of rules they’ve never been introduced to.

Users don’t buy into the policies

Even if you’ve laid out good reasons for your policies to exist, users may still disagree. They may not see the point of such “nonsense”, especially when they perceive that they know what’s best.

Users know the policies won’t be enforced

Like speed limit and seat belt laws, people know they’ll be able to get away with policy violations because there’s no way for IT and information security staff to monitor for and catch everything. Network complexity contributes to this problem, and users are often correct: policies are indeed often suggestions with no real teeth. That still doesn’t mean you shouldn’t have the proper technologies in place to actually enforce your policies. You won’t catch everything, but you can at least set your users up for success by using technology to your advantage where it’s possible and reasonable to do so.

Users are lazy

The ‘Must have it now!’ human desire for instant gratification is very powerful. People don’t want to take the time to do things right, nor do they want to jump through a bunch of hoops that get in the way of doing their jobs. The offending attitude is “maybe I’ll adhere to it like I’m supposed to next time…”

Users’ desire to violate policies outweighs their perception of the risks involved

Building on the laziness factor, users haven’t really thought about the consequences of their choices, or they assume that one bad decision every now and then won’t hurt. This mentality can spell disaster for the business. It’s up to you to convey why their risky behavior is bad for everyone.

Like the Art of War concept of “knowing your enemy”, understanding the basis for security policy violations is extremely important if you’re going to do something about it and (finally) fill a gap that’s too often overlooked in business today. Continuing to ignore the problem, or assuming that it’s a “management issue”, will only prolong your web security woes.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.