<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>MWJ Computing &#187; InfoSec</title>
	<atom:link href="http://www.mwjcomputing.com/blog/category/infosec/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.mwjcomputing.com/blog</link>
	<description>A life lived through digital exploration.</description>
	<lastBuildDate>Mon, 02 Aug 2010 16:56:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Why users don&#8217;t get security policy</title>
		<link>http://www.mwjcomputing.com/blog/2009/12/why-users-dont-get-security-policy/</link>
		<comments>http://www.mwjcomputing.com/blog/2009/12/why-users-dont-get-security-policy/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 02:32:23 +0000</pubDate>
		<dc:creator>Matt Johnson</dc:creator>
				<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Random Thoughts]]></category>

		<guid isPermaLink="false">http://www.mwjcomputing.com/blog/2009/12/why-users-dont-get-security-policy/</guid>
		<description><![CDATA[I have been thinking about this for a long time. I still may be a fledgling in the Information Security community, but feel that I have a pretty good grounding in the InfoSec concepts. So here it goes…. Users don’t get security policy because they don’t feel it directly relates to them. Users may wonder [...]]]></description>
			<content:encoded><![CDATA[<p>I have been thinking about this for a long time. I still may be a fledgling in the Information Security community, but feel that I have a pretty good grounding in the InfoSec concepts. So here it goes….</p>
<p>Users don’t get security policy because they don’t feel it directly relates to them. Users may wonder why a removable media or email policy would apply to them. I don’t really blame users for feeling this way. Most people are genuinely honest people trying to make an honest living. They are not trying to steal data or cause a data breach. I will go as far as to say that the majority of data breaches were not the result of some willful action to release or steal the data. </p>
<p>I remember when I was just a user and I laughed at some of the policies, thinking, who would do that? It wasn’t until later I realized policies really are trying to catch the exception to the rule, not the rule itself. I don’t feel that this is adequately communicated to most users. If we were to educate users that policies were there to help them do their job, not to control or dominate them, users may be more willing to accept policy. An analogy that I think could work is Monopoly. A normal game of Monopoly has rules, and people police other players when it comes to rules. People normally are happy when it comes to playing within the rules and expect it while still enjoying the game. Why can’t this translate to security policy? </p>
<p>This, however, assumes that everyone plays by the rules equally. If you are a user in the mail room or someone in a CXO position, everyone needs to follow the rules and help police everyone. No one, no matter who they are, is treated differently. This sadly isn’t always the case.</p>
<p>Until the individual user experiences a negative effect of someone not playing by the rules, or policy, people don’t understand why they should care. I think if we spend more time thinking like users and educating them as to why it is an advantage to them to follow the “rules,” we might find our workplaces or organizations a more secure place.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mwjcomputing.com/blog/2009/12/why-users-dont-get-security-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
