I recently took my daughter to a kid’s birthday party. The location had one of those kid’s gyms where you kick your shoes off and dive into the balls and have a great time. Risk never leaves my mind, so when I was reviewing the sign that was posted over the entrance to the area, I found an interesting parallel that I thought I’d share.

There was a sign posted that said, “How To Play,” followed by what is presumably a list of rules on how to play. The gate was guarded by a disinterested young man sketching on a pad and ostensibly enforcing the rules of play. What were those rules? See for yourself:

  1. No shoes or coats
  2. No running or jumping
  3. No throwing balls

What is missing from these list is exactly what the title of the sign said would be there: rules for playing. Instead, what we have is a list of how NOT to play. While my little one was playing she was having a difficult time getting up some of the ramps in her stockinged feet, so I slipped her socks off and sent her on her way. My wife chastised me because another sign somewhat out of sight indicated that socks were required. The disinterested young man from early failed to notice.

I think there are some clear parallels to corporate security polices in this brief example. First, information security policies rarely identify “How to Play.” Instead, like our sign example above, we frequently find a list of things you are not allowed to do. This is an example of security-centric thinking. Know this: the people in your company are interested in knowing How To Play. Tell them the approved technologies, processes, and systems that they are allowed to use without running afoul of the policy. This is the basic logic of a white vs black list, so help your organization know how to do the right thing (I’m assuming there’s more you don’t want them doing than otherwise, so save time and just tell them what to do).

Next, the metaphor of the disinterested enforcement agent I’m sure is not lost on most. Enforcement is tricky business, and worthy of longer treatment, but for today’s blog post focus on the economics of the situation. There was one guy at the entrance who ostensibly had responsibility for enforcing the rules in the entire area (it was very large with between 30-50 kids). Clearly he was going to fail at 100% enforcement. But just like in other areas of life, its often just as effective to selectively offer enforcement for those areas that are high-risk.

Lastly, don’t forget the allure of the one-stop-shop. Having everything you need someone to know in one place is valuable. Don’t make them hunt for that hidden sign to find out that bare feet are not allowed. Everything should be clearly visible and in one place.

In summary, we as security practitioners can make it easy or hard for people to comply. You get to decide, “How To Play” for your organizations. Choose wisely.