I heard an interesting term the other day: “desire path”. It describes the side paths that often pop up in parks, away from the main path, which people use as a shortcut between the main path and a favoured destination. This got me thinking about the similarities between desire paths and security policy (I am starting to sound like BBC R4 “Thought for the Day” here) and the ways that we deal with them.
Basically, a desire path (in a park, for example) is an unplanned, unauthorised path between a main path and a common destination. It can lead to damage to the grass as people cut from the main path (which may be paved) to another location in the park. You will often see park authorities use barriers to prevent people from leaving the path and damaging the grass and grounds. These barriers can be seen in the same way as security controls. Users want to do something that to them may not seem that risky (connecting a personal iPhone, for example), but the more who do it, the greater the damage.
So what do we do as security pros? Well, yes, we erect fences that prevent the users doing what they want. However, is there another way? Perhaps we should use our users’ non-compliance with what we think are perfectly sensible policies to guide how we implement controls. Instead of erecting a fence to prevent users from taking a shortcut, perhaps in some cases creating a new path would be more appropriate. If we really can’t create a new path, then educating the users as to why walking over this piece of ground is a “bad idea” is probably the next avenue of attack. Putting up barriers should be the last direction we explore. As Elbert Hubbard once said: “Fences are made for those who cannot fly.” And your users will be able to fly at some point.