Thu 6 Aug 2009
My Risk, My Choice
Posted by andyitguy under information security
1 Comment
Ok, I don’t believe that. It’s just a catchy title (at least to me) that fits with what I have to say. Bruce Schneier has a post up today that talks about this very thing. Every user has a different level of risk that they are willing to take and a different level of intuition that they use in determining what is a risk. A good example is a policy that says you can’t copy corporate data onto a USB stick. Yet a user has a deadline to meet that will have severe consequences to them personally and/or to the company if it is missed. The only way to meet the deadline is to work on it over the weekend. Now they could spend all weekend at the office or they could take it home on the USB stick and work on it there. Let’s go so far as to say that working at the office is not possible for any of a number of reasons. So the risk to them isn’t possible data loss but definite job or business loss. They take the data home and break policy.
Now maybe this is a bit of an extreme example but it gets the point across (I hope). The thing that I want to stress is that we have policy for a reason, and if it is to be followed, useful and relevant then it has to be enforced and regularly assessed for relevance. In the above example the user could have contacted security and gotten an approved, temporary exception. He could have been briefed on how to maintain security at home and given an encrypted USB stick. This would have met his requirements, protected the data and kept everyone informed and happy. Not to mention that it’s a big pat on the back for security. It allows them to be seen as enablers and not just “Team NO!”
Years ago I had a much harder stance on things like this. I would expect the user to comply or face the consequences. I didn’t take time to consider their perspective. My job was to secure and their job was to follow my directives. (It’s great for the ego, but not much else.) I’ve softened my stance a bit in regards to this. I understand now that usability is very important to getting the job done and that it’s my job to keep the data both secure and usable. It’s also my job to understand how others do their job and to ensure that I make that as easy as possible while maintaining security.
While I do this, the users also have to realize that they have a part to play in this as well. Like it or not, they too are responsible for the security of the data that they are entrusted with. They have to act in a reasonable manner and they can’t have a blasé attitude of “My Risk, My Choice”. It will become their choice only if their risk totally disconnects them from the rest of the company and the world. Hmmm, I don’t see that happening. Nothing they do will only impact them. Their actions will and do affect others whether they realize it or even like it. There is no “My X, My Choice” because your “X” impacts and affects others.

I agree, Andy. Recently, I read about a study where over time, people become desensitized to warning messages (such as SSL cert warning errors). The point is you can only warn so much before you have to trust. Will trust fail? Heck yes. Expect it to, count on it. How often do all of our vendors’ products break or function outside of the parameters? Almost daily in some ways. I’m told AV will keep our machines safe, yet I see alerts daily from viruses that are found on users’ machines.