Saturday 14 September 2013

Security by Staff Responsibility instead Enforced IT Controls

Today IT security controls are enforced on the end user without prejudice, all for the purpose of migrating the human risk. These controls, especially endpoint security controls, are typically applied because it is best practice to do so, and not as a result of a risk assessment. 
What if the application of technically enforced security controls was taken as an action of last resort? Can human responsibility be be just as affective as an enforced control? Can it be more advantageous in managing the same risk?  These our my thoughts.

Lets take a English FA Premier League football match, there is a risk that spectators in the stands will invade the pitch, and impacting on the match and threatening safety  Yet spectators rarely invade football pitches at English matches, even though they aren't fenced in. A fence is an example of an enforced control meant to prevent fans from accessing the pitch. 

My argument is the fans are self responsible and trusted, meaning the control of fences is not required, further that the risk of pitch breach is less than when the fence control was in place.


No fences at English Football Grounds

In comparison to the English game, it is a very different story at most football matches on the European continent, where fans are fenced in from accessing the pitch.  It use to be that way at English football grounds, I remember attending football matches all around the country in the late 1980s, and as a fan I was fenced in from accessing the pitch at every ground, Chelsea FC even had an electric fence, now that's what I call a enforced control. But even with the fencing I recall there were many pitch invasions during that period of time than today, either on mass or by the sole persons.
European football ground fencing example

One of the darkest days in the English game occurred at Hillsborough in 1989, when 96 Liverpool fans died after being crushed, this was partly due to presence of the pitch side fences, which prevented the fans from escaping. After the disaster, and quite rightly, all the fences were removed from all football grounds in England.

Q. How did English football clubs manage the pitch invasion risk without using the enforced control of fences? 

It was achieved by placing responsibility onto the fans.
  • Firstly a law was passed, providing a deterrent, making it a criminal offence for fans to encroach onto the pitch, along with lifetime bans from matches for doing so.
  • Then fans were educated, so they clearly understood the new rule and why the rule was required. There was a consensus amongst the majority of fans at all clubs, that the rule was for their benefit, their safety, so was righteous.
  • It was strictly enforced, so fans knew there was a conscience for breaking the rules.
  • There was a perceived threat that the fences (the control) would come back if the fans didn't follow the rule they agreed with. This led to a peer pressure against anyone that broke the rule by the general mass of the fans.  So when a fan ran onto a pitch, a chorus boos and abuse from stands would occur, followed by cheers when a steward or police officer would apprehend the pitch invader. Back in the 1980s, when the fences were in place, they would be a chorus of cheers by crowd with such infractions, followed by boos once the police intervened.
  • The absence of a pitch side fence was regarded as responsibility and luxury by the fans, as the lack fences meant unrestricted viewing for the first few rows in the stands, and allowed fans to get closer to action. There was high degree of trust and responsibility placed on the fans, as there was nothing to prevent them invading pitches but their own self control and self regulation.
The point I am making, to mitigate risk, it may not always be the right and most effective solution to reach for the IT control, but to first consider whether staff can be trusted and be self responsible to managing the risk. Affording responsibility can be regarded as a privilege, a privilege staff will actively seek to protect, as they seek to avoid the inconvenience that some security controls cause them. Group peer pressure of metaphoric boos can be effective against any minority of individuals that seek to stray from the rules, as they threaten the benefit and trust afforded to the majority.

I am not saying this will give 100% security, nothing will, not even the strongest of enforced IT controls, but there are many additional benefits in having business staff onside, responsible, trusted and security sharp, rather than fencing them in like sheep with IT controls.

No comments: