Human factors: Protection load: How is security load managed?

Options:

Option 1: Protection load is not considered in the protection program.
Option 2: Protection load is considered on an ad-hoc basis when identified as a problem.
Option 3: Protection load is considered as part of business efficiency.
Option 4: Protection load is traded off with delays, frustration, ease of use, and similar concerns as a matter of course.
Option 5: Protection load is considered across the protection program and integrated into decision-making.

Decision:

Protection load is considered as follows:

Basis:

Protection load is not considered in the protection program. Programs with no maturity typically ignore protection load as too sophisticated an activity to be considered.

Protection load is considered on an ad-hoc basis when identified as a problem. As issues arise, they are addressed on an ad-hoc basis, usually by heroic actions of individuals who see conditions become intolerable and stand up to take the risk of changing things on their own. This is an undesirable situation, but is to be expected in an initial maturity-level environment.

Protection load is considered as part of business efficiency. The load associated with protection can be substantial. For example, measured load in micro-businesses operating US government classified environments part time can range into 50% of the overhead of the organization. These tend to be mandatory activities and, as such cannot be substantially mitigated except be avoiding activities requiring the load. In other cases, duties to protect are over-zealously applied or applied in ways that put an excess of effort on individuals. This increased load leads to a variety of negative outcomes including disgruntlement, quitting, inefficiency, retribution, malicious compliance, and complaints. As a matter of business efficiency, decisions about how to implement protection can have substantial effects, and thus it should be considered worthy of attention in most environments today.

Protection load is traded off with delays, frustration, ease of use, and similar concerns as a matter of course. Within the protection program, all activities involving the use of user resources are thought through. Tradeoffs are identified between alternatives for protection and the implications to operations, personnel issues, and related matters. Better approaches are sought whenever protection is seen as excessive or inconvenient. This is sometimes implemented by requiring top executives to have the same protective mechanisms as other workers, or requiring management to live under the same constraints at all levels. This tends to drive down tolerance for excessive protection load.

Protection load is considered across the protection program and integrated into decision-making. Ideally, as maturity increases, protection load is taken into account as part of every aspect of the protection program, integrated into lifycycle considerations, and used to help optimize human performance and the protection program as a whole. This requires some level of measurement and thus tends to be more expensive than more ad-hoc methods or methods based on the perceptions of users alone. Thus it is normally associated with the managed or optimizing maturity level.