Human factors: Protection load: How is security load managed?
Option 1: Protection load is not considered in the protection program.
Protection load is not considered in the
protection program. Programs with no maturity typically ignore
protection load as too sophisticated an activity to be considered.
Protection load is considered on an ad-hoc
basis when identified as a problem. As issues arise, they are
addressed on an ad-hoc basis, usually by heroic actions of individuals
who see conditions become intolerable and stand up to take the risk
of changing things on their own. This is an undesirable situation, but
is to be expected in an initial maturity-level environment.
Protection load is considered as part of
business efficiency. The load associated with protection can be
substantial. For example, measured load in micro-businesses operating
US government classified environments part time can range into 50% of
the overhead of the organization. These tend to be mandatory
activities and, as such, cannot be substantially mitigated except by
avoiding activities requiring the load. In other cases, duties to
protect are over-zealously applied or applied in ways that put an
excess of effort on individuals. This increased load leads to a
variety of negative outcomes including disgruntlement, quitting,
inefficiency, retribution, malicious compliance, and complaints. As a
matter of business efficiency, decisions about how to implement
protection can have substantial effects, and thus it should be
considered worthy of attention in most environments today.
Protection load is traded off with delays,
frustration, ease of use, and similar concerns as a matter of
course. Within the protection program, all activities involving
the use of user resources are thought through. Tradeoffs are
identified between alternatives for protection and the implications to
operations, personnel issues, and related matters. Better approaches
are sought whenever protection is seen as excessive or inconvenient.
This is sometimes implemented by requiring top executives to have the
same protective mechanisms as other workers, or requiring management
to live under the same constraints at all levels. This tends to drive
down tolerance for excessive protection load.
Protection load is considered across the protection program and integrated into decision-making. Ideally, as maturity increases, protection load is taken into account as part of every aspect of the protection program, integrated into lifecycle considerations, and used to help optimize human performance and the protection program as a whole. This requires some level of measurement and thus tends to be more expensive than more ad-hoc methods or methods based on the perceptions of users alone. Thus it is normally associated with the managed or optimizing maturity level.