If you work in IT security and haven’t read Franz Kafka’s The Trial, you need to. One of the themes from the novel is that when the rules are unclear, authorities have only as much authority as you give them. This doesn’t make for good law or security. Although life is full of gray areas, you should minimize them when you can.
Tell users what is not allowed and be specific, and give examples.
A university student was criminally charged in this story for allegedly testing out the student access card system, and later emailing the personal information he found to the university and the students involved. To his credit, the student didn’t go evil and sell the information. The student was quoted as saying that he was doing this in the interests of students.
When the norms for acceptable use are vague or unclear, you get behavior straying proportionally from the center line in both directions. Positive change is hindered, unacceptable behavior is winked at, and the really bad behavior can proceed under the cover of a wide gray line. Being unclear lowers trust in the IT security function. On the other side, security going all medieval on well-intended, non-dangerous behavior is also a problem. Anomie is a $5 sociology word for the stress you feel when you don’t know what norms apply.
Tell your users that freelance white hat penetration testing is not allowed, but only if you have a mechanism to report and react to suspected weaknesses. Without the responsive element of the contract (and having it be more than lip service), it won’t work. Instead of making the tech-savvy users your enemy, make them your neighborhood watch.
Be very specific across your acceptable use policy (AUP) about what is and isn’t allowed, and challenge your company’s AUP if it is a placebo or has the weight of a set of encyclopedias. Oh yeah – and don’t rely on policy alone. Policy is the weakest lever, and you need technology and people with it to make security work.