Maybe the Policy Is the Problem

Imagine for a moment one of your company’s employees getting out of their car and arriving at your office building. It doesn’t really matter who it is, but for the sake of visualizing the scene more clearly, assume it’s someone conservative and maybe a bit socially inept. Maybe it’s one of the “suits” in accounting.

Now visualize this employee walking through the parking lot of your office. Just as he gets to the edge of the parking lot, he passes by a stranger — someone hobbling toward the door wearing two enormous leg casts. Maybe that stranger is walking with two large, unwieldy-looking crutches — maybe trying to hold onto a briefcase or coffee while at the same time climb up over the curb to get to the sidewalk. This stranger is moving slowly, obviously having a hard time.

Now imagine that your employee walks by that stranger — he passes him on the sidewalk and gets to the building door. He swipes his badge, opens the door, and lets himself in. The stranger comes up behind him, and just as this stranger is about to go follow the employee through the door, the employee closes the door in the stranger’s face and walks away.

How do you feel about that scene? What’s your initial “gut” reaction? Since there’s no context within which to understand the employee’s actions, the initial reaction is pretty clear for most people: They find the actions of the employee outrageous. Most people would — at the very least — hold the door open for the stranger on crutches. Some might even go the extra mile and hold the stranger’s briefcase so he could get in easier.

However, what if our firm has policy prohibiting “tailgating” into the building (i.e., letting two people through with only one badge-swipe)? If that was the case, maybe what our employee did would really be the “right” thing from a corporate security policy perspective. But despite that context — even if the corporate policy said you should close the door in that stranger’s face — how would you feel about actually doing it? Would it come naturally to actually do that? Or would you feel like a jerk?

What we in security oftentimes fail to realize is that, even though we recognize that we’d actually be doing the right thing, most of our employees still have the same visceral reaction about the “wrongness” of treating that stranger in that way. This visceral response — this facet of human nature — will slowly undermine our corporate policies and leave us in a worse situation than if we didn’t have any policy at all. However, by understanding the role of human nature, we can anticipate how employees will respond to our policies and set up controls that use human nature to reinforce themselves and make the policies stronger rather than weaker. It’s just a matter of planning it through ahead of time and keeping an open eye to how employees are behaving.

You Can’t Fight Human Nature

What’s really interesting to me (and the reason that I’m bringing all this up in the first place) is that I see company after company in the field making a similar mistake. Namely, they set expectations in their policies that require employees to act like pod-people from Mars — to behave in ways completely outside the realm of normal, routine behavior.

For example, in everyday life, it would be extremely rare for anyone to close the door in the face of a stranger — we open doors for each other at restaurants, at the movies, at the airport — wherever there’s a door, there’s someone opening it for someone else. However, many firms actually have no-tailgating policies: policies that require that employees do exactly the opposite. Now, we’re mandating that employees do something that would be absolutely inconceivable anywhere else, and we’re surprised when our employees just don’t behave that way.

No, in security we need to recognize that there’s a “pull” — or a natural tendency — for our employees to follow certain ingrained patterns of behavior. The pull to act in that certain way exists even when those patterns of behavior are inappropriate in the context of our security controls. Our employees are likely to share information (even when it’s information they shouldn’t be sharing), they’re likely to help others (even if they’re helping overcome a security control), and they’re likely to be courteous (even if that courtesy is misplaced). These are patterns of behavior that have been ingrained since childhood and aren’t likely to change just because we write a policy that says they should do something else.

In other words, since these actions are appropriate 90+ percent of the time, and since they’ve been reinforced our whole lives, we as humans feel uncomfortable when we’re called upon to respond in any other way. So when we set a corporate policy that runs counter to the innate behavior, it creates a dissonance. That dissonance will eventually wear down the desired behavior until employees no longer comply. However, what’s insidious about it is that it takes a while for that wearing-down process to happen — so we don’t realize that our policy is becoming weaker and weaker over time until it’s no longer effective.

It works like this: When employees learn about the policy, they’ll start off doing their best to adhere to it. But because the policy sets a completely different expectation than what’s expected from them in other circumstances, it’s not comfortable when they follow it. Because it’s not comfortable, employees will occasionally forget and do the wrong thing. Others in the organization will see others not following the policy — and since they themselves feel uncomfortable following the policy, they will start to follow it less and less.

Over time, the degree of adherence across everyone will lower until the new norm is not to follow the policy. At that point, you’ve lost; now you’ve got a policy that employees aren’t following. As you probably already know, the worst-case scenario is having a policy on the books where your firms’ expectation is that employees won’t follow it.

So Bake It In When You Can

So knowing and understanding this dynamic, how can we capitalize on it to set effective policies rather than policies that wear themselves down? The first and best thing you can do, in my opinion, is to make sure that policies do one of two things: either leverage human nature themselves to get the right result (the ideal case) or decouple the pattern of behavior from the control.

For example, requiring employees not to tailgate doesn’t work — but requiring that everyone funnel past a reception area to show their badge does. Why? Because we’ve structured the control in a way that it doesn’t matter if folks hold open the door or not. Since it’s human nature for people to open the door for each other, we’ve defused it by making the control objective (physical access to the building) unaffected by the employee action (opening the door). Instead, we’ve set up a framework where the control (the guard desk) leverages human nature to self-reinforce: Since we have somebody who’s singularly accountable for making sure badges get checked (and human nature drives people to do their best at their job), folks manning the reception desk are reinforced in their behavior of badge-checking to enforce the control. In the updated context, there’s no force acting counter to the desired outcome and no dissonance in how we’re asking people to behave.

The point being, you want to include human nature in your discussions when the time comes to actually set corporate policy. However, more important than that, you want to keep your eyes open to how folks are actually behaving in following that policy. If you see an area where policy isn’t getting followed, ask yourself if maybe human nature runs contrary to what you’re asking your employees to do. As long as you stay alert to these areas and aren’t afraid to update controls/policy as needed, you can save yourself many a headache over the long term.

Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.