Why policy enforcement is so hard

Jan 03, 2009 | 4 mins
Data and Information Security

A recent Seattle Times article offers an interesting case-study for security professionals. The headline: “After 6 months, drivers ignoring cellphone ban.” Can we learn anything from law enforcement’s implementation of this new law? I think so.

The Seattle Times article covers a variety of important policy implementation steps that were used:

1) A PR campaign was initiated and initially worked.  

Cindy Baker-Williams held a “Hang Up and Drive” banner over Aurora Avenue North in Fremont when Washington’s handheld cellphone ban for drivers began on the first of July. She and her family hoped the new law would change drivers’ behavior. It did at first.

2) Over time, people started to ignore the ban.

Sgt. Freddy Williams of the State Patrol (said), “We see about one in three drivers talking on a cellphone. People seem to be ignoring the law.”

3) Enforcement penalties were real, but somewhat limited.

Statewide, troopers handed out 746 tickets for illegal driving-and-talking through November…. Troopers also issued 1,345 written and verbal warnings…. But driving-and-talking is a secondary offense, meaning the police have to stop a driver for another violation before they can write a $124 ticket for holding a cellphone.

4) Metrics were available, but the meaning of the data could be argued.

The pioneering law — only six states have such a ban — might have contributed to a drop in car crashes on state roads this year.  It’s impossible to know, though, Williams notes, whether the drop resulted from the cellphone ban or other factors such as high gas prices and less travel.

5) Next steps are controversial.

The public appears to support a tougher law. Baker-Williams expects it will take a similarly long time — and lots of statistical evidence and personal tragedies — before the cellphone law is strengthened and drivers change their habits.

Perhaps you’re wondering, what does this cellphone ban law have to do with security or other technology policy enforcement? Can’t we just “impose our policies” on corporate or government networks and PCs, laptops and other devices? Can’t security policy enforcement be automatically implemented in ways that cell phone bans in cars cannot?  

No doubt there are differences, but in some ways the cellphone ban for drivers is a best-case scenario. For one, everyone “gets it.” They understand the law (policy), and they understand the potential risks and life/death consequences of not complying. Of course, the trouble is that they don’t think the bad things (like an accident) will happen to them – which is just the same risk/reward equation that is faced when violating security policies.

In addition, the penalties were real and in place in this case. The metrics were available, and the ways of hiding behavior were somewhat limited. One could easily argue that enforcing a driver’s cellphone ban is an easier task than enforcing security policy on work networks.

In my opinion, there are quite a few similarities that CSOs should take note of here. First, policy enforcement requires a look at people, process and technology – NOT JUST TECHNOLOGY.

(Sorry for shouting, but many in the industry just can’t seem to understand this fact.)

For example, I’ve seen staff bring in their own web-enabled cellphones to bypass security measures on government or corporate networks. Strong “built-in” technology controls can’t stop users from using personal devices to access external networks and websites that pose risk. 

The temptation may be to ban all personal cellphones (or other devices) at work, but when governments and companies take cellphones away from staff to save money, you may face a backlash from such moves. Every action causes an opposite reaction and needs to be weighed carefully.

Bottom line, policy enforcement is hard – but needs to be done. My point in this blog is to illustrate some of the difficult aspects that CSOs and others face after they implement a network or security policy. Oftentimes, this is a long road. Just like cellphone bans for drivers, it takes years to change people’s habits.

Ending on a more positive note, there are several examples where we have seen long-term behavioral change after policy change. Two such areas include the use of seat belts and smoking bans. In both cases, we needed to change the public opinion and not just the law/policy. CSOs need to keep the ongoing training/awareness aspects of new policies in mind.    

What are your thoughts on policy enforcement?   


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
