The article was based on a paper written a year ago by Microsoft researcher Cormac Herley. The paper was called "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users." Great title for a research paper. But is it worth reading? Absolutely.
Serious security nerds will have already heard of the article. Still, IT professionals charged with securing company networks will be less than thrilled to have their users told that one of their policies isn't necessary in some general-circulation newspaper.
The oversimplified version of Herley's conclusion is that making users jump through all those hoops (including the monthly changing of passwords) has a monetary cost. And loss due to users ignoring security policies also has a cost.
However, the cost of security is actually much higher than the cost of insecurity, at least the part of security provided by user-implemented activities like changing passwords.
This is how economists think. It's not how enterprises think. But maybe they should.
Larger businesses tend to think of employees as an expensive resource, to be sure, but one that is "already paid for." In other words, the cost of salaries is fixed. Since we're paying these people anyway, it's OK to make them do stuff unrelated to their own departmental goals, right?
Unfortunately, it seems that at big companies, one major barrier to success is that employees tend to be saddled with such mandates. Security policies, sure. But also training, meetings, business travel and a host of other things that on some days can take up 100% of the employees' time.
Unfortunately, the less time employees have to complete their goals, the more they'll need to hire additional staff and consultants and work overtime.
What's missing is a cost-benefit analysis on these mandates.
Let's take a single meeting, for example. For the sake of simplicity, let's say the meeting has 10 employees who each make $100,000 per year. The company is paying each of them an hourly rate of $50. That means a one-hour meeting costs the company $500.
Did the meeting actually produce $500 in benefits for the company? Probably not. Although the benefits of most meetings are not measurable in monetary terms, the most likely outcome in the meeting is nothing of value.
What about those all-hands meetings with 100 people at the company headquarters? They might cost hundreds of thousands of dollars in lost staff time, travel, expenses and so on, and produce next to nothing in real value for the company.
The point is that from a cost-benefit point of view, most enterprises are wasting incredible amounts of money on employee and user mandates.
Here Comes Social Networking
Enterprise security theater -- that is, big presentations and the like -- is just one tiny, relatively insignificant area where, according to Herley, the cost-benefit doesn't add up.
The massive loss is in the area of communication: Meetings, training, e-mail and business travel represent the flushing of millions of dollars per year down the toilet for most companies -- if you assume as economists do that employee time is money.
Companies mandate meetings, training and business travel for a variety of reasons. Some of this communication is required by government regulation. Some of it attempts to achieve "business alignment" -- getting everyone on the same page in terms of goals. But most of it can and should be replaced by something better.
That something better is social networking.
Google plans to roll out this year an enterprise or business version of Google Buzz, its newish social networking tool. Microsoft is planning a competitive offering called OfficeTalk. There will be many other tools as well.
Unlike the consumer offerings, these services will live inside the firewall. The company will own the data. And they'll be radically extensible with standard programming tools.
IT managers and executives in some quarters are dreading the introduction of social networking into the enterprise. In addition to e-mail, IM, intranets and all the rest, here comes another bloated diversion -- yet another thing to manage, back up, monitor and support.
That's how enterprises think about enterprise social networking. How would economists think about it?
The big picture here is that these tools are a timely opportunity to replace the incredibly costly communication habits of meetings, training, e-mail and business travel with very cost-effective social networking.
In a controlled economy like the old Soviet Union -- you know, the kind that inevitably collapses under the weight of its inefficiencies -- everything happens by mandate. The information is sent to the top. The leaders make the decisions. Orders are handed down. People at the bottom follow the orders or end up in a labor camp.
The leaders decide to increase the consumption of rye bread this year by 3.5%, so the orders are sent down from Moscow, and the bakers go through the motions to comply.
This is how enterprises work internally. The whole culture of meetings, mandatory training and e-mail is based on the Soviet model. Everyone is so busy following mandates and covering their own behind that the culture of innovation, creative thinking and rapid execution of goals is suppressed.
In a capitalist economy, the information remains at the bottom. Decisions are made at the bottom. And the success of the economy depends on the availability of information to the decision-makers at the bottom.
The baker notices that people aren't really buying rye bread anymore, but are starting to gravitate toward sourdough. Great! Let's offer three new kinds of sourdough. Use the Internet to study traditional European methods, learn how a burgeoning subculture of innovative new sourdough breads is taking off in San Francisco and Oregon farmers' markets, and learn from them.
People want sourdough? I'll give them the best sourdough in the city, and beat my competition.
This is how capitalism works, and how enterprises should work internally. Notice how the information is flowing here. The person at the bottom of the economic system is achieving his or her own goals, and going and finding information that's freely but passively available. The training is self-directed. The communication happens on an as-needed basis. Those with the required knowledge are findable, and contactable. Actual contact happens only when the knowledge can be put to use.
Now is the ideal time for enterprise social networking to take hold. We're coming out of a brutal recession, humbled by the excesses and wasteful spending that nearly wrecked the global economy.
It's time to re-think all the waste, and embrace efficient alternatives. Some meetings, training, e-mail and business travel are necessary. But most of it represents real money wasted.
It's time to replace Soviet-style corporate mandated communication with American-style free-flowing innovation in the form of social networking tools from Google, Microsoft and others.
At least, that's what an economist would advise.