Michael Santarcangelo explains why allowing a little non-compliance among staff can actually lead to increased levels of compliance later.

“Daddy, can I stay up late tonight?”

Already approaching bedtime, the easy response was a quick “no” and a reminder of “the rules.” One night, I simply asked my son how late he wanted to stay up. “I want to stay up all night long!” was the enthusiastic reply.

My first thought was how tired I was, and how I really didn’t want to stay up late. And then, for a second, I remembered what it was like to be a kid who wanted the experience of staying up late, to feel special. So I said yes.

As his grin consumed his face, I further explained the conditions of breaking the rules: he needed to be quiet, and no complaining the next day when he was tired. He agreed, I went to bed and he stayed up long past what I expected, finally crashing (literally) around 3 or 4 in the morning. He got up with the rest of us, and even though he was tired, he didn’t complain.

It was a good experience for both of us, and in the process, I learned that allowing him to break the bedtime rule actually improved his future compliance with it. Instead of arguing, his experience staying up all night and the subsequent exhaustion helped him understand why we had the rule in the first place.

The lessons I learned letting my son break the rules hold true for security, too. Here’s why sometimes breaking a rule leads to better compliance:

1. It creates an opportunity for an individual to practice autonomy, on the condition that they live with the consequences. This allows an individual to be recognized, and to feel respected.

2. The experience creates a unique, shared context to discuss the reason for the rule. Generally this leads to a better understanding of the rule; sometimes, it actually creates a better understanding of why the rule needs to change.

3. It creates a better bond between people; individuals get closer to the consequences of their actions, and everyone improves their relationship.

As a parent, my responsibility is to teach my children right from wrong. In security, however, we’re not the parents and our job is a bit more nuanced. Letting someone “break” a rule might help build a bond that improves compliance.

To make this work in a business setting:

1. Select the ‘right’ rule to break: find something that is not likely to cause damage while allowing individuals to get the experience necessary to understand the outcome (the consequences of their actions).

2. Make it a special event (and not a routine): acknowledge that they get a shot to break a rule because they are respected, but that it comes with conditions (some structure).

3. Engage in a conversation, not a lecture: learn from their experience and use it as a basis to reach a common understanding of the purpose of the rule.

For example, a global organization recently implemented web filtering. Anticipating backlash, they instituted a policy that allowed anyone to request a blanket exemption for up to five days. Surprisingly, just the existence of the policy — of the potential to break the rule — increased compliance: few people made temporary requests, and even fewer sought permanent exemptions. Note how this fits the first step: the exemption was time-limited and had to be requested, so the filter kept doing its job for everyone who did not ask, and the request itself became the opening for a conversation.

But it gets better: the common reason for an exemption request was the inability to reach common sites (like Google, LinkedIn and Facebook). Those requests got a personal, signed response explaining that the sites weren’t actually blocked, along with some potential reasons the attempt failed (spyware, adware, a virus, misconfiguration, etc.). This generally led to a brief, engaging conversation about the problem and guidance on how to get it resolved. As a result, a problem was solved, the value of the system was understood and the request for an exemption was withdrawn.
Letting someone break the rules, or just offering them the chance, is a simple way to increase contextual understanding of the purpose of the rule in the first place. With better understanding comes better compliance. Follow the three simple steps above, and let me know how it works for you when you try it.

About Michael Santarcangelo
Helping people effectively communicate value improves the organizations that work with Michael, a modern raconteur — writer, speaker and catalyst. Learn more at securitycatalyst.com or engage with Michael on Twitter @catalyst.