The article was based on a paper published a year ago by Microsoft researcher Cormac Herley. The paper was called "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users." Great title for a research paper. But is it worth reading? Absolutely.
Serious security nerds will have already heard of the paper. Still, IT professionals charged with securing company networks will be less than thrilled to have their users told, in a general-circulation newspaper, that one of their policies isn't necessary.
The Globe zeroed in on one small aspect of Herley's research: changing passwords. The point of the paper is broader. In real life, users reject a whole range of security advice imposed on them (the paper's examples include password rules, inspecting URLs for phishing and heeding certificate warnings), and their rejection is rationally explained by the "dismal science" of economics.
The oversimplified version of Herley's conclusion is that making users jump through all those hoops (including the monthly changing of passwords) has a monetary cost, because user time is worth money. Loss due to users ignoring security advice also has a cost.
Herley's finding is that, for the part of security provided by user-implemented activities like changing passwords, the first cost is much higher than the second: the time users spend complying exceeds the losses that compliance would actually prevent. Hence the "externalities" of the title: the user bears the cost, while much of the benefit, if any, accrues to someone else.
This is how economists think. It's not how enterprises think. But maybe they should.
Larger businesses tend to think of employees as an expensive resource, to be sure, but one that is "already paid for." In other words, the cost of salaries is fixed. Since we're paying these people anyway, it's OK to make them do stuff unrelated to their own departmental goals, right?
Unfortunately, it seems that at big companies, one major barrier to success is that employees tend to be saddled with such mandates. Security policies, sure. But also training, meetings, business travel and a host of other things that on some days can take up 100% of the employees' time.
Unfortunately, the less time employees have to complete their goals, the more the company will need to hire additional staff and consultants and pay for overtime.
What's missing is a cost-benefit analysis on these mandates.
Let's take a single meeting, for example. For the sake of simplicity, let's say the meeting has 10 employees, each of whom makes $100,000 per year. At roughly 2,000 working hours a year, that's an hourly rate of $50 per hour (and that's before benefits, overhead and other loaded costs, which make the real figure higher). So a one-hour meeting costs the company at least $500 in staff time.
Did the meeting actually produce $500 in benefits for the company? Probably not. The benefits of most meetings are not measurable in monetary terms, but the most likely outcome of a meeting is nothing of value.
What about those all-hands meetings with 100 people at the company headquarters? They might cost hundreds of thousands of dollars in lost staff time, travel, expenses and so on, and produce next to nothing in real value for the company.
The point is that from a cost-benefit point of view, most enterprises are wasting incredible amounts of money on employee and user mandates.
Enterprise security theater, that is, big presentations and the like, is just one tiny, relatively insignificant area where, by Herley's logic, the cost-benefit doesn't add up.
The massive loss is in the area of communication: meetings, training, e-mail and business travel represent the flushing of millions of dollars per year down the toilet for most companies -- if you assume, as economists do, that employee time is money.
Companies mandate meetings, training and business travel for a variety of reasons. Some of this communication is required by government regulation. Some of it attempts to achieve "business alignment" -- getting everyone on the same page in terms of goals. But most of it can and should be replaced by something better.
That something better is social networking.
Google plans to roll out this year an enterprise or business version of Google Buzz, its newish social networking tool. Microsoft is planning a competitive offering called OfficeTalk. There will be many other tools as well.
Unlike the consumer offerings, these services will live inside the firewall. The company will own the data. And they'll be radically extensible with standard programming tools.
IT managers and executives in some quarters are dreading the introduction of social networking into the enterprise. In addition to e-mail, IM, intranets and all the rest, here comes another bloated diversion -- yet another thing to manage, back up, monitor and support.
That's how enterprises think about enterprise social networking. How would economists think about it?