Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Layer 8: Debating policy vs. technology

Control Quagmire

This article can also be found in the Premium Editorial Download: Information Security magazine: Keeping on top of risk management and data integrity essentials
Enterprises can't afford to get caught up in the technology vs. policy enforcement debate.

It's always difficult to exert control over your IT systems' use. Unfortunately, many decision makers have only...

a dim understanding of the effects their control mechanisms have on the enterprise and their users.

In Code and Other Laws of Cyberspace, Lawrence Lessig suggests a four-factor model to help security managers understand the issues that establish IT system activity. According to Lessig, user activity is shaped by policy, culture, economics and technology. To varying degrees, controls can be implemented within each factor, yet effective risk reduction is accomplished through the overlapping of these factors as synergistic layers. If you assume that control is determined solely by policy and technology without taking into account the cultural and economic factors, you'll have a classic recipe for frustration. Likewise, you can't presume that technology or policy alone will compel good behavior or policy compliance.

In Lessig's model, policy refers not only to internal rules, but to regulations or requirements the organization must follow, such as government regulations and contractual obligations. Policy is cheap and easy to create, which explains why there's so much of it. But, policies don't function in a vacuum and are very dependent upon an enterprise's cultural environment.

The culture of an enterprise isn't only dependent on policy awareness, but also on users' knowledge, values and skill level. Compliance is affected both by the priority the culture places upon rule compliance and by the perceived consistency of the specific policy with other organizational goals. And, as in most organizations, money is a marvelous way to set priorities.

Economic motivations are helpful, but they can have their drawbacks. Positive reinforcement is effective only to the extent that the culture is influenced by money, and usually the budget is too small to significantly influence behavior through monetary rewards. However, noncompliance resulting in a contract cancellation or job loss is quite effective in influencing cultural change and user behavior.

Unlike the other influence factors, technical controls are effective because they don't rely on human cooperation. Simply put, computers are unable to support an infinite range of activity. There's an absolute limit on what can be done on a microchip, and these limits can help either curb the user's activity or show them the light.

So, how can you effectively impose control on your enterprise users? Suitable, layered technical controls aren't always available; and culture change is an ambiguous exercise that takes years of effort. Policies can be applied very quickly, but they can't be effective until they have been acclimated to the environment; and some policies can be strengthened through the use of economic incentives.

Don't get trapped in the fruitless policy vs. technology debate. Take off your blinders and see the big picture: Using a model like Lessig's will help you craft a portfolio of complementary controls that have offsetting weaknesses and advantages.

This was last published in April 2005

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.