Computer Use Policy: Informing the User's Consent
by Dr. Rob Reilly
Once upon a time I was an ice hockey referee. I refereed at the college level and in a local youth hockey league. There were different rulebooks for the two levels, but they were essentially very similar. The language in both rulebooks is very clear. For example, the wording dealing with 'tripping' is the same. College players and college coaches understand what 'tripping' is and what it is not---the rule is brief, and these folks do not need further explanation of 'tripping.' However, youth league players do not have a background in playing ice hockey; geesh…some of them are only 6 years old, and the coach, who is usually a parent of one of the players, typically does not have a deep background in ice hockey either!
It always seems that new coaches and new players believe that tripping over a stick that is merely lying on the ice because its owner has fallen down is a penalty. They usually demand that the stick-owner be penalized! The point is that the rulebook at the youth hockey level needs to provide something beyond a cut-and-dried statement of the rule. The novice coach and the novice player need more information than is given in the Ten Commandment-like rulebooks! I'd also add that a Ten Commandment-like rule presentation is quite user-UN-friendly---it sets the stage for a negative relationship.
Whether it's ice hockey or driving a car or using the Internet, when people are expected to abide by rules in an environment they are unfamiliar with, a brief statement that describes what the rule seeks to regulate (and why) is a terrific idea. The novice ice hockey player and coach are best served by some examples of what 'tripping' is and what it is not. For example: "If a player trips over the stick of a player who has fallen, that does not constitute a penalty---not being able to step over a stick that is just lying on the ice is a lack of skill, not a penalty."
It seems to me that computer use policy and ice hockey rules are not all that different. In both cases the people who must abide by rules (policy) need to understand their intent and not just their words.
For example, let's look at a policy where the powers-that-be do not want computer users to share their passwords with others. They do not want unauthorized people coming into possession of passwords to their computer system. But typical policy statements don't provide this information---the powers-that-be do not use the policy to tell users what they actually want, because they do not view 'policy' as a written statement of their position. Policy in regard to passwords is typically a Ten Commandment-like statement:
'Do not share your password with anyone else. Do not write your password down anywhere, do not show it to anyone, and do not log in where someone can see what you type when entering your password.'
This is a clear policy statement, and some may even consider it a very good one. But by itself, facing a user who is left wondering what the policy is for and why it's so authoritarian, it is quite lacking! Such a policy statement should be prefaced by a conversational paragraph that informs users of its intent and the reason for its very existence. For example, it might say:
"In order to secure our systems from hackers and other unauthorized intruders, we need your support. If someone can access our system, they can do grievous harm to our company (e.g., they could destroy our payroll records, which could delay your paycheck. They could access your personal/personnel records, such as bank account numbers and credit card numbers, and use them to your detriment. They could acquire sensitive corporate information and hurt everyone in our company). To prevent this we need a policy on password security. This paragraph is intended to inform you of our reasons for implementing it. Therefore, we want you to be sure to secure your password in a place where it is safe from inappropriate discovery."
This policy statement, and the way in which it is offered, is informative, collegial, friendly…not confrontational. It simply tells everyone what the issue is and what management's expectation is. I'd imagine that it is still enforceable in the event that someone violates it. You have conveyed in a cordial way what your expectation of proper behavior is, as opposed to taking a jackboot approach. One caution: the preface must agree with the rule it introduces. Telling users to keep the password 'in a place where it is safe' sits uneasily beside 'do not write your password down anywhere'; the explanation and the rule should point the same way.
Too often policy is dictatorial. While this may appear to be warranted, such policy statements only serve to alienate those who must work under them. Policy statements, in many cases, should not just mandate things; they should inform the consent of those who are impacted by them and protected by them.
Let me also add that it's not always necessary to state a 'consequence' for violating the policy. Certainly there are instances where consequences need to be defined, but I'd suggest this is necessary in only a few circumstances. The rest of the time it may be appropriate to leave the policy without a stated consequence. I understand that leaving things entirely open-ended could present a whole host of other problems, so some consequence may need to be defined; but there are ways to craft policy in which the consequences are not presented in an in-your-face manner.
When crafting policy statements, especially when technology is involved, always assume that there is a need to provide the user with an explanation of what you're trying to accomplish or inhibit or prevent.
Policy should be crafted in a way that will not alienate those who are subject to it. Policy should inform those who are subject to it. Policy, after all, should be much more than the 'law'; it should also provide information that will assist people in their quest to follow it.