to securITy,
our free E-newsletter on Information
Technology, Security, and their intersection with Business.
my readers who stopped by to say hello at the SANS Network Security last
month in Las Vegas where I was teaching a seminar on "Security Policy
and Awareness Programs." SANS has been keeping me pretty busy.
to all the new subscribers, including the large influx of .mil
adopted a daughter and written another book,
What No One Ever Tells You About
Blogging and Podcasting, which includes sections from such
security notables as Bruce Schneier, Pierre Noel of The Arial Group and Martin McKeay of
the Network Security Podcast.
The Visible Employee
Employee monitoring is a hot issue. Some monitoring may be necessary to
audit compliance with security policy, and it can also be required by
regulations such as GLBA, Sarbanes-Oxley, and HIPAA, but employee monitoring
can also overstep the bounds of what is reasonable. For example, no one
wants video cameras installed in the bathroom stalls!
I believe that privacy is a fundamental human right, yet some workplace
employee monitoring is necessary. Technology alone can only go so far in
securing information assets – the human element is incredibly important.
An Interview with Dr. Jeffrey Stanton, Syracuse University
Dr. Jeffrey Stanton is co-author of
The Visible Employee, a book I highly recommend, and a security
researcher at Syracuse University. Before entering academia and
research, Jeffrey spent over a decade in IT, in both technical and
management roles, and is very active in consulting, with impressive,
bottom-line-oriented results.
(Here is a great resource on
Ted Demopoulos: So what’s employee monitoring all about anyway?
Jeffrey Stanton: The basic idea is that many companies are doing the best
they can with technology solutions to information security problems, but if
you want to go to the next level with making a company secure, you have to
work on the behavior of your computer users. When the employees of a company
are doing the right things with their computers, they can help to prevent
security disasters from happening. The Visible Employee is all about
influencing employees to do those positive things.
Ted Demopoulos: So how do you influence them?
Jeffrey Stanton: There are two issues to deal with – know-how and
motivation. You use training and awareness programs to inform people about
the set of practices and policies that your IT folks think will work the
best to protect the company. Then you motivate people to follow those
practices and policies. The book mainly deals with the motivation piece. We
claim that this is a scenario where you need to get individuals to follow a
set of guidelines or rules that have been designed to benefit them
collectively. Most people don’t want to be bothered with following rules;
they want to do their own thing. So you have to have a way of watching for
rule breaking and then following through to do something about it.
Ted Demopoulos: Among other things, you’re talking about firing anybody who
surfs for porno while at work, right?
Jeffrey Stanton: That’s the kind of behavior we’re talking about, yes.
Basically we think that workplace computers should generally not be used for
“entertainment” purposes. But we don't recommend firing people, at least not
for a first offense. If your policy is that harsh you’re not going to be
able to enforce it. What if your absolute best salesperson – responsible for
half of your profit margin – gets caught doing one goofy thing, say playing
poker on his lunch hour (which should be against the rules)? You have the
Hobson’s choice of looking weak or unfair if you don't fire the guy or of
screwing up your company by getting rid of someone who is a huge asset to
the success of your business.
Ted Demopoulos: What kinds of attitudes do you see about employee
Jeffrey Stanton: Let's look at the employer and employee viewpoint, and then
the view from the person doing the monitoring and perhaps enforcement.
Unfortunately, employers often use monitoring in a reactive fashion. There is
an incident, say with pornography, the poster child for monitoring in many
ways, and there is a knee-jerk reaction from management to monitor for
possible pornography issues. Of course, reactive security is less than ideal,
and among other things tends to create isolated databases of monitoring
Employees don't want to be monitored, but most employees have the view that
"I'm not doing anything wrong so it doesn't matter that much." I think this
is a somewhat dangerous view, and it'll take a major incident such as
someone falsely accused of crime based on monitoring data to change this
It's very troubling from the point of view of IT people. IT people are often
told to monitor employees, but those employees usually include colleagues
and friends. When a company has harsh policies, an IT person is really
tempted to overlook evidence of policy violations, in order to keep
employees out of trouble.
Ted Demopoulos: Where do you think employee monitoring is going?
Jeffrey Stanton: I think monitoring – surveillance in general, for better or
for worse – will be a growth industry for the foreseeable future.
Ted Demopoulos: Thanks, Jeff. More information on The Visible Employee is
Ted Demopoulos, Consultant and Professional Speaker, 603-231-8782 (cell)
This newsletter is Copyright © 2006 by Demopoulos Associates, Durham, New
Hampshire, USA. All rights are reserved, except that it may be freely
redistributed if unmodified.
Sharing securITy is encouraged if the copyright and
attribution are included.
The free newsletter of Demopoulos Associates,