
How do penalties affect the effectiveness of your security policies?

One of the requirements of any decent policy (and law) is that a penalty is attached to non-compliance. In penal law, “Nulla lege sine poena” (no law without punishment) is one of the corollaries of the famous principle “Nullum crimen, nulla poena sine lege” (no crime, no punishment without a law).

From a behavioural point of view, it is often more efficient (and more humane) to use the carrot (and, even better, the intrinsic motivation to do things right) instead of the stick. However, knowing there is a stick gives the rule some consistency, some consequences. So, when we draft policies, we always insist on the necessity of clearly defining the consequences of any non-compliance with the rules. Organizations can be fined for non-compliance; so should their employees be.

It is often a difficult part of the policy drafting process, especially in large organizations, as we must find a proportionate response, and in some countries it must be negotiated beforehand with trade unions and social partners.

But there is more to say about it. First, the consequences mentioned are quite often individual ones: loss of privileges, impact on financial bonuses or removal from office. Yet there is more to it. Breaking rules can lead to huge monetary losses for the organization, resulting in cost cutting and in colleagues losing their jobs, putting families in financial and personal difficulty. This is the bigger picture: it is not a systematic consequence, although more likely than ever, but it is above all a foreseeable consequence, and one that might trigger a stronger emotional response than the prospect of the person’s own downfall (although it might have the opposite effect if the person holds a grudge against the entire company, including its workers). Emotions drive our choices more than rationality does.

The second point is that it must be fair. As suggested by Herath & Rao (2009), too severe a punishment will have an adverse effect and increase the likelihood of the infringement. This effect is probably similar to the one observed with pictures of diseased lungs on cigarette packs: they tend to increase cigarette consumption (mostly among young adults and adolescents).

The third point is that the rule must be the same for everybody, in theory and in practice. So, we must ensure that we can systematically detect these infringements (see Herath & Rao, 2009) in order to increase compliance.

But how often do we see people in organizations breaking the rules willingly without any consequence? Sometimes it is because the person is an expert in his/her field and we believe we need her/his knowledge more than we need to enforce the rule. Sometimes it is for internal political reasons. Sometimes it is because (s)he is a relative of someone high up in the food chain. Whatever the reason, this is not fair and it has a huge impact on the behaviour of your employees. Worse, it becomes part of your culture, and that is something you will have a lot of difficulty changing afterwards.

So, mind your punishment twice.


Fappening 2.0: You should mind who you trust!

It seems that one of the trendy subjects of the moment is the return of the Fappening (a portmanteau of the word “fap”, a slang term for masturbation, and the word “happening”, according to Wikipedia). As with most sequels, the second one is not better than the first. But my point is not to draw a parallel with the cinema industry.

For the Fappening 2, it seems that this time two young actresses have been the new victims of hackers disclosing intimate or sexy pictures. It is not necessary, I hope, to remind anyone that this kind of behaviour is not only illegal as hacking but is aggravated by its intimate implications for the victims.

According to the journalists, there is not yet an explanation of how these pictures were compromised. There is already a lot of advice given by newspapers and blogs on what to do and what not to do to avoid such a situation. However, one thing that seems to be common to these pictures is that they were taken by someone other than the victims themselves.

When you share information with a third party, you need to ensure that they are at least as careful as you are in handling your information.

In this case (and it is just a theory, I have no evidence or clue so far), if friends of these young ladies took pictures of them in a more intimate context, then even if they trust their friends with their lives, they should have made sure that their beloved friends were (also) careful and following good practices with their phones and their “cloud” storage accounts. It is what we (should) do with our suppliers or any third party in a corporate context, and it is also the right thing to do with your friends (if you want to have intimate pictures of yourself taken).

In the future, fashion stores will likely be equipped with interactive mirrors with built-in cameras, allowing them to display an image of yourself in any outfit available in the store (yes, this already exists). This will be the next IoT (Internet of Things) nightmare and will likely cause more Fappenings if we don’t add an S for Security to the IoT acronym.


Related sources: