Gartner Blog Network

Understanding “Why” Aids Policy Conformance

by Ben Tomhave  |  September 17, 2013  |  1 Comment

When it comes to writing, I’m a bit of a traditionalist (and, frankly, a snob ;). I like the Oxford comma and I’m particularly fond of using “e.g.” and “i.e.”. However, in my recent and current roles, such things are frowned upon. As a matter of style-guide convention, we prefer “for example” instead of “e.g.” Policies like this always make me bristle a bit, especially when the answer to “Why are we writing in this less formal manner?” is along the lines of “It’s policy.”

However, I have now easily adapted to the practice of writing “for example” and have quickly dropped “e.g.” from my writing. It’s almost as if a bit magically flipped, but it wasn’t without some initial trepidation. What was the trick? Quite simply, I learned the true “why.” I asked about this practice during onboarding a few weeks ago, and rather than getting the same old meaningless “it’s policy” response, I instead received a logical explanation. It turns out that we’re starting to translate many of our papers into other (non-English) languages, and it’s simply much easier to automate those translations if one uses actual words instead of (correct or incorrect) uses of “e.g.” and “i.e.”! This is a brilliant, simple example of what I think many organizations fail to realize about communicating policies.

This example really brought to mind the research study, “Compliance with Information Security Policies: An Empirical Investigation,” published in the IEEE Computer Society journal back in 2010. In the article, they talk about the importance of people wanting to comply with policies and tricks that can be used to lower that bar to acceptance and conformance. Fundamentally, if people understand the “why” behind a policy, then they are far more likely to accept it and conform. If, instead, they get the meaningless “it’s policy” response to their questions, then it will naturally foster a resistance to change.

I used to reference this study quite frequently when I worked as a consultant in the GRC space. A good GRC product will not only publish policies, but will also provide better contextual information for the policies and their rationales. Moreover, the policy content no longer needs to be focused on prose (as the dusty tomes of old have used), but instead can be oriented toward being highly searchable, and thus should simply focus on a) concisely communicating the requirement and expected level of performance, and b) communicating the rationale for the requirements, up to and including a (very) brief risk analysis statement.

For example:

  • Requirement: All passwords must have a minimum length of 12 characters, and should not be based on a single, easily-guessed word.
  • Reason: The average length of an English word is slightly more than 5 characters. Setting a 12 character minimum encourages the use of 2 or more words, including spaces.
  • Risk Analysis: The primary goal of requiring “strong” passwords is to reduce guessability. Most authentication systems are protected by several other security mechanisms that limit the number of password failures and retries that can be attempted. Requiring a password of at least 12 characters greatly reduces the chance of guessing the correct password within a few attempts, thus allowing the other protective measures to engage and prevent an account from being compromised.

This is a simple example, and one that could easily be made all that much better by spending a little more time refining it (especially the language in the risk analysis – for example, what’s the business impact?). Consider, however, that this is just one small change that can lead to broader cultural change. Simply making sure that every policy-related question is answered with a reasonable rationale can go a long way toward increasing human acceptance of the need for change. And, once you get that ball rolling, you might be surprised by where it may lead.

To close this post out, consider this (somewhat dated) post from Seth Godin back in 2010: “Resilience and the incredible power of slow change.” In it, he emphasizes that we set reasonable expectations for how quickly change can/will occur. It’s a good reminder that we cannot expect the world to change overnight, and that changes we see today were almost certainly set into motion long ago. This notion also ties well into Gartner’s recent research “Security Vision 2020.”



Tags: change  explanation  grc  policy  rational  rationale  

Ben Tomhave
Research Director
1 year at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.

Thoughts on Understanding “Why” Aids Policy Conformance

  1. […] colleague Ben Tomhave touched on this in his recent blog posting “Understanding “Why” Aids Policy Conformance“. There he discussed how linking policy statements with the “why” has a profound […]
