• United States



The Paranoia Paradox

Jul 31, 20024 mins
CSO and CISOData and Information Security

Recently, a product pitch landed here from a company called Rovia. Rovia makes what the company calls (three-letter acronym alert!) IUM (information use management) solutions. Marketese-to-English translation: software tools that limit what a user can do with a document. Rovia’s software can prevent the printing of a file, or the forwarding of an e-mail. It can watermark documents with “confidential.” It can bar users from the save and copy/paste functions. It can even track how a document is used once received.

Rovia targets a flourishing trade: vigilante exposurewhen teed-off employees embarrass their company by offering up sensitive corporate information to the world, nakedly displaying the documents on the Web. Lately they’ve been using the website, which is a spinoff of f*** Since there are very few new economy companies left to be f***ed, creator Philip Kaplan has latched on to the newest currency of cynicism: the corporate memo, rife with platitudes and often packed with embarrassing details about corporate gaffes. For example, a Genuity memo that detailed Verizon’s choice not to reintegrate Genuity’s business, which was “as much of a surprise to us as it is to you,” is one of the latest postings.

Kaplan hopes the voyeuristic pleasure derived from these missives is enough to sustain a small subscription-based business. Rovia hopes it scares enough CIOs and CSOs into buying its software.

On the surface it seems to make sense to be paranoid about what your employees do with documents. The overwhelming majority of security breaches occur from within, after all, and they are often the most costly incidents. Of course, buying and using “paranoiaware” (credit for the term to CIO and CSO Editorial Director Lew McCreary) can also make employees feel like untrusted little children. And sometimes, psychologists say, this causes said employees to behave in a way that matches how they feel they’re being treated.

In other words, not trusting your employees can lead to having employees who should not be trusted. This is the paranoia paradox.

Kenneth Niemi experienced this. As CIO of Minnesota State Colleges and Universities, he had to manage staff members after they returned from a strike. He said the worst part of it was finding a balance between trusting his workers and monitoring their network usage for misbehavior. Niemi understood the paranoia paradox; he wasn’t sure if he was monitoring disgruntled employees or creating disgruntled employees by monitoring them. Morale, he says, reached all-time lows.

Software like Rovia’s will, on a technical level and to a certain degree, work. It will limit the capabilities of employees to post memos to a website like But don’t fool yourself into thinking it’s a “solution.” The software can’t stop a digital camera from taking a picture of a screen. It won’t stop the truly motivated from sidestepping the software somehow, or if all else fails, simply writing something down in longhand.

And, taking away basic functions like copy and paste or save, or tracking document use, even if it’s for a good reason, is such granular behavior modification that one shouldn’t be surprised if employees perceive it as a slight. Or as management saying, You are not to be trusted.

Rovia’s CEO, Jeffrey Melvin, said that right now this paradox is real, and a real problem. He said that, so far, people perceive Rovia’s products as “protection” from bad guys and not “policy” for good employees to follow, which is how he hopes one day we’ll all understand his software.

He said Rovia’s not really about monitoring employee behavior, but about controlling sensitive documents. “Just like defined policies on Internet usage, we need to communicate corporate policies on information usage,” Melvin said. “It might be perceived as eavesdropping today, but it’s no different than sending cookies on the Web to personalize Web pages. People will eventually understand, all of this information is being used to better serve the client. I mean, that’s what CRM is all about.”

It’s a good spin, but many people still have reservations about CRM’s privacy implications. And Rovia’s technology is different from CRM and cookies. Those technologies passively collect and use data, often without the user knowing (of course, that’s another issue in itself). Rovia, though, is interrupting indeed changinguser behavior. It’s the difference between setting up speed traps and rigging an engine so it won’t go more than 65.

I’m not sure the paranoia paradox can be solved with software. This doesn’t seem like a technology issue, but rather a human resources issue. If a company really wants to protect its sensitive documents from ending up on, maybe the company should focus on hiring the right people in the first place, and then treating them in such a way that they have no desire to screw their own company.