Policies: What I Learned From Being a “Dummy”

Thursday, February 10, 2011

Brad Bemis


Admit it, you love them as much as I do – you know; those “For Dummies” books with the black and yellow covers.

I mean, c’mon, there’s a Dummies book for almost everything imaginable these days – from taking your CISSP exam to Building Chicken Coops. It really is quite amazing.

You know what I love most about these books? That I don’t have to know anything at all about the subject matter when I pick one up, that I’m entertained while reading it, and that I actually walk away from the experience having learned something when I'm done.

This quote from the Dummies.com website really says it all:

“From the start, For Dummies was a simple, yet powerful concept: Relate to the anxiety and frustration that people feel about technology by poking fun at it with books that are insightful and educational and make difficult material interesting and easy. Add a strong dose of personality, a dash of comic relief with entertaining cartoons, and — voilà — you have a For Dummies book.”

What a fascinating concept – and one that has made the “For Dummies” brand one of the most recognized book series in the world. They took a market filled with stuffy, confusing, technical references and filled it with fun and educational references that anybody can use – and I mean ANYBODY.

But you know what I think about most when I consider the “For Dummies” line? I wonder what the world would be like if we wrote our policies and supporting documentation in a dummies-like format. Why? Because right now the common security policy fits the same bill that those stuffy, confusing, technical references once did – and they simply don’t work!

Almost every policy document I’ve ever read sounds more like a legal review than an educational resource. Think about it for a second – in a society that increasingly gets its news from "The Daily Show", reads blogs instead of books, and has everything made simpler every day, why on earth would we want to continue making our security policies read like the CliffsNotes for ‘War and Peace’?

The effects of humor on the cognitive learning process have been studied for eons now. Time and time again it’s been shown that humor can help better connect people to the materials they’re being exposed to, and they retain the information longer. The “For Dummies” books exemplify this approach and are a clear indicator of its success. Perhaps we can learn something from this lesson. Perhaps it’s time we take the stick out of our collective butts and have a little fun.

What do you think is more memorable?

1.  Surfing pornography or otherwise sexually explicit materials on corporate computer systems or other information assets is strictly prohibited. For the purpose of this policy, pornography is defined as “any sexually explicit or suggestive image that could be found offensive in the workplace… blah blah blah.”

2.  Did you know that surfing pornography is the number one cause of managers’ heads exploding in the workplace? Think about it, if you get busted for surfing porn at work, your boss is going to have to do a bunch of paperwork, and maybe even fire you. It’s enough to make anyone’s head explode. So do us all a favor and leave your pervy habits at home. If you’re not sure if something qualifies as porn or not, the fact that you asked the question should be enough to answer it – I mean, is it really worth the risk of being splattered with brain matter?

Alright, to be fair this isn’t really a very good example of a policy statement to begin with. I also made the first example sound bad on purpose – then spent like 15 hours crafting the one I wanted to highlight (plus it's a bit too long, and a bit too silly), but you get the point.

This is not a suggestion to turn your policies into bit scripts for “Last Comic Standing”, but it does point to a legitimate issue in our industry – why do we make things harder than they need to be? I hear it all the time “users are the weakest link in the chain”. Well, what did we expect? These people just want to come in, drink 8 cups of coffee, get their work done, and go home to bad meatloaf and screaming kids (okay, maybe not so much on that last one). Do these folks really have the time or the interest in reading our litany of “Do This, but Not That” policies that are written like assembly code?

Maybe you should go grab a copy of your favorite “For Dummies” book off the shelf – you know, the one about ant farms – and give it a read with an eye towards policy writing. Pay especially close attention to the parts in the back that are entitled “The Part of Tens” – maybe just that format right there would be enough to create a huge shift in your policy development process.

…and no, this approach won’t work for everyone – at least not scaled to the level of the ridiculous that I’ve escalated things to here, but I think every kind of organization can benefit from a change in philosophy when it comes to writing policies. Help your users better understand what’s expected of them and how they can help keep the company safe by injecting just a bit of humor… C’mon, just an itsy bitsy bit?

Think about it, will ya?

Cross-posted from SecureITExpert.com

Robb Reck: Really interesting post, and something I will have to give some more thought. It seems that having long, boring security policies is expected. Breaking away from the expected is often the best way to find new successes.

Thanks for your thoughts on this subject.

Brad Bemis: Thanks Robb - it was a fun idea to explore... and something I really believe in. It's a bit over the top, but I have a sample of an 'entertaining' security policy on my website:

Allan Pratt, MBA: Good post, Brad.

Brad Bemis: I am currently working up a WebEx on policy development using a 'For Dummies' approach... more information to come later.

Brad Bemis: You can register for my upcoming webinar on 'Writing Security Policies that People Can Actually Read' at http://bit.ly/guAIKW
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.