Today, IT security controls are enforced on the end user without prejudice, all for the purpose of mitigating the human risk. These controls, especially endpoint security controls, are typically applied because it is best practice to do so, and not as a result of a risk assessment.
What if the application of technically enforced security controls were taken as an action of last resort? Can human responsibility be just as effective as an enforced control? Can it be more advantageous in managing the same risk? These are my thoughts.
Let's take an English FA Premier League football match. There is a risk that spectators in the stands will invade the pitch, impacting on the match and threatening safety. Yet spectators rarely invade football pitches at English matches, even though they aren't fenced in. A fence is an example of an enforced control meant to prevent fans from accessing the
My argument is that the fans are self-responsible and trusted, meaning the control of fences is not required; further, the risk of a pitch breach is lower now than it was when the fence control was in place.
No fences at English Football Grounds
In comparison to the English game, it is a very different story at most football matches on the European continent, where fans are fenced in from accessing the pitch.
It used to be that way at English football grounds. I remember attending football matches all around the country in the late 1980s, and as a fan I was fenced in from accessing the pitch at every ground; Chelsea FC even had an electric fence, now that's what I call an enforced control. But even with the fencing, I recall there were many more pitch invasions during that period than today, either en masse or by lone individuals.
European football ground fencing example
Q. How did English football clubs manage the pitch invasion risk without using the enforced control of fences?
It was achieved by placing responsibility onto the fans.
- Firstly, a law was passed, providing a deterrent, making it a criminal offence for fans to encroach onto the pitch, along with lifetime bans from matches for doing so.
- Then fans were educated, so they clearly understood the new rule and why the rule was required. There was a consensus amongst the majority of fans at all clubs that the rule was for their benefit, their safety, and so was righteous.
- It was strictly enforced, so fans knew there was a consequence for breaking the rule.
- There was a perceived threat that the fences (the control) would come back if the fans didn't follow the rule they had agreed with. This led to peer pressure from the general mass of fans against anyone who broke the rule. So when a fan ran onto the pitch, a chorus of boos and abuse from the stands would occur, followed by cheers when a steward or police officer apprehended the pitch invader. Back in the 1980s, when the fences were in place, there would be a chorus of cheers from the crowd at such infractions, followed by boos once the
- The absence of a pitch-side fence was regarded as a responsibility and a luxury by the fans, as the lack of fences meant unrestricted viewing for the first few rows in the stands and allowed fans to get closer to the action. There was a high degree of trust and responsibility placed on the fans, as there was nothing to prevent them invading pitches but their own self-control and self-regulation.
The point I am making is that, to mitigate risk, it may not always be the right and most effective solution to reach for the IT control; first consider whether staff can be trusted to be self-responsible for managing the risk. Affording responsibility can be regarded as a privilege, a privilege staff will actively seek to protect, as they seek to avoid the inconvenience that some security controls cause them. Group peer pressure, the metaphorical boos, can be effective against any minority of individuals who seek to stray from the rules, as they threaten the benefit and trust afforded to the majority.
I am not saying this will give 100% security, nothing will, not even the strongest of enforced IT controls, but there are many additional benefits in having business staff onside, responsible, trusted and security sharp, rather than fencing them in like sheep with IT controls.