Non-technical Hurdles to
Implementing Effective Security Policies

Gary C. Kessler
January 2001

An edited version of this paper appeared in the Perspectives column of the March/April 2001 issue of IEEE ITPro Magazine. Copyright © 2001, IEEE.

Most industry observers will agree that the computer and network security processes actually implemented at most sites are inadequate. But it is not the lack of security technology, tools, and products that is the main hurdle to adequate security, but rather undereducated network administrators, corporate managers, and users. A large number of articles, books, white papers, Web sites, and conferences are devoted to the design, development, and implementation of good computer and network security policies, for all types and sizes of organizations. With all of these guidelines available, one would think that all networks, either private or attached to the public Internet, would have adequate protections in place. But we all know that this is not the case. While attackers are always coming up with new ways to defeat improved security protection, the truth is that sophisticated attacks are often unnecessary because a large percentage of sites have only the most rudimentary security measures in place. While new and additional security protections and protocols are, indeed, necessary, particularly in this era of Internet-based electronic commerce, automated hacking tools, and distributed denial-of-service attacks, one very real challenge for the computer and network security community is at the other end of the spectrum; namely, to backfill the lack of security that is currently in place. Well-known tools and highly-publicized security incidents notwithstanding, many companies still need education about security risks and why secure systems are important to all of us. Both system administrators and corporate managers need this education, because security policies, to be effective, have to be implemented and enforced from the top down.

So, what are some of the common "reasons" that organizations do not practice safe networking. Exploring and understanding an organization's history, culture, politics, and social structure often help understand why they operate as they do.

1) Distributed Computing Makes it Harder to Implement Central Policies

One fundamental problem in implementing good security processes is that these policies and procedures must be formulated centrally but, in today's networking environment, implemented in a distributed fashion. In the "old" days, centralized computing meant that a single administrator could be responsible for computer and network operations for an entire organization. One machine, one system manager.

Today, everyone with a desktop or laptop computer is a system manager. Therefore, centralized security policies, such as the use of anti-virus tools or the blocking of Java, must be managed separately by every single user. In almost all cases, these systems are on the corporate network; therefore, if even one user is not vigilant, a virus, for example, can be let loose on the network, affecting everyone. If the corporate network is attached to the Internet, one non-vigilant user can make every local user vulnerable to attack.

And the management of even simple systems has become increasingly complex as the software has become so feature-rich that it is difficult to track necessary protections; e.g., Word macro virus protection inexplicably comes turned off out of the box and Internet Explorer defaults to allow cookies and ActiveX regardless of previous version settings. We have also cultivated computer illiteracy; it's not that too few of our users are power users, it's that too many use a computer and still feel inept.

Although centralized resources such as routers, firewalls, virus walls, bastion hosts, and information servers are still managed centrally, the problem can still remain. Network administrators are constantly juggling the security needs of the network with the business needs of the organization and the individual needs of the users.

2) Users Do Not Take the Problem Seriously

Many users view all this talk about security as paranoia by the network manager or, in a truly political organization, an attempt for the Information Systems Group to seize more control. And too many users view security protections as a hindrance to doing their job. This is often a result when network and corporate managers do not place enough emphasis on explaining why security policies are in place.

In the case of a network connected to the Internet, many users just do not realize that in cyberspace, they can no longer think of their site as a physical location. While my network in Vermont is physically pretty safe (I think!), once attached to the Internet, my network resources are no longer "in" Vermont — they are in cyberspace. While I might not lock the doors of my car in my parking lot, I'd better lock the services on my server!

The situation may actually be worse in those environments where users had access to an organization's hosts and/or network prior to connecting to the Internet. Being on the Internet requires a different philosophy and trust model than being connected only to an internal network. Finger, for example, was a favorite and useful tool on the ARPANET because it reports who is currently using a host, what they are doing, and provides other useful information about remote users. On today's Internet, however, finger is a potentially dangerous weapon precisely for the same reasons — it provides an attacker with too much information. Meanwhile, physical site security is important regardless of where you are. Many companies focus on protection from cyberspace without paying adequate attention to the machine room door. Firewalls are like the Maginot Line; they may protect you from a predictable outside attack but they are not flexible and are generally not configured to protect the outside world from your users.

3) Corporate Management Does Not Support Any "Infringement" on Users' Activities

A corollary to the previous "excuse," some attempts by network managers to implement such common policies as account blacklisting/lockout (requiring that an account be reset by the network administrator after some number of consecutive invalid login attempts, a common defense against password-guessing attacks), minimum password lengths, forced password expiration, and password auditing are seen as invasions of users' privacy, limits to users' creativity, and/or inconvenient.

Although not directly related to the rights of users, there is a perception by many that increased security (e.g., firewalls, proxy agents, and packet filters as well as locked rooms and strong passwords) results in a decrease in the network's performance and, therefore, in users' productivity. In fact, these mechanisms rarely show serious performance degradation and, in fact, some security protections (such as caching proxy servers) probably enhance performance.

On a related note, some network, system, and information managers do not even know that they should want to implement these basic protections. They may not be aware that most host and network operating systems provide a number of security tools, such as the password protections mentioned above, as well as file and directory access control, event logs, and system auditing tools. They may not be aware of the security vulnerabilities of CGI, Java, ActiveX, not to mention some browser, operating system, and application implementations. If they don't know about the tools and the vulnerabilities, they cannot take the appropriate steps to defend themselves.

4) Strong Security May Run Counter to an Organization's Culture

This is particularly true in academia, where any restrictions may be viewed as anathema to the academic mission. Furthermore, many students (and their parents!) believe that the college or university should, for all intents and purposes, be the student's ISP while they are in residence. Academic sites didn't block Napster traffic because they were taking a position on copyrights but because it consumed too much bandwidth.

There are possible social costs to strong security mechanisms. Physical site security policies, for example, may require locked doors or limited access to computing resources, which might be viewed by some as implying mistrust. The social issues are insidious because they generally creep up on organizations unawares. When a company is very small, for example, everyone may play with various servers and system functions for the sake of expediency. As the company grows and creates an organizational chart, however, it also has to create corporate computing and network policies.

5) Belief That Current and Emerging Security Mechanisms are Adequate

For many years, people have been "happy" with password protection. But we all know how vulnerable password-protected systems are, particularly when users are allowed full freedom to chose their passwords and are not limited by rules about minimum length, choice of characters, and duration of password validity. It is also well known that people generally choose poor passwords; a number of references suggest that there is a 99% chance of successfully guessing at least one password on a system containing as few as 16 accounts.

Computer-generated passwords are no better if they are so obscure that people have to write them down (such as one I was once assigned: "B!cz$491aX"). The Web has added to this password-overload problem as an increasing number of sites require "free" username and password registration. (I am not proud to admit that I have at least eight such name/password pairs written on a piece of paper taped to my PC monitor at home.) In general, users are not given sufficient guidelines about choosing, protecting, and maintaining their passwords.

Emerging cryptographic protocols may not help as much as we think, either. While Pretty Good Privacy (PGP), Secure Multimedia Internet Message Extensions (S/MIME), and other secure electronic mail systems are already in use, they also all require management of private cryptographic keys and passphrases.

It is worth noting, however, that use of cryptographic mechanisms is not primarily intended for security, per se, but for authentication, privacy, and data integrity. These characteristics may be necessary for a secure environment, but are not sufficient for one.

Furthermore, companies employing public key cryptography may believe that they have a sufficient level of protection because it is too difficult to find the prime factors of a 300-digit number. Perhaps. But why do we think that a site with poor security otherwise can — or will — properly protect their private keys? Without that protection, the company really has a false sense of security and, perhaps, a resultant added level of vulnerability.

6) Difficulty Making the Business Case for Strong Security

While very few will argue against the need for some security, many companies are reluctant to pay for it. Most companies think they don't need to implement strong security because they don't have anything that anyone would want.

But there are major flaws with this reasoning. First, making a site secure protects an organization's customers and clients, as well as the rest of us on the Internet. Second, a majority of the attacks on a network or host come from the inside, not the outside, which should make one reevaluate from whom they are protecting their resources.

Third, security through obscurity is no security. Just because you don't think that your site has any information of value to an attacker doesn't mean that your site is not attractive; access to your network and hosts also offers a way of hiding one's tracks when attacking other sites or a place to cache stolen files. And, of course, your site can become a port of entry and base for other attacks.

Finally, it's true that one shouldn't spend $100,000 to protect a $10,000 asset, but it is just this return on investment (ROI) that must be determined. While it is easy to quantify the cost of firewalls, proxy servers, intrusion detection systems, dialback servers, and other security products, it is harder to evaluate the cost of having your network or host systems compromised, your data stolen or destroyed, or your network site inaccessible. Often, a system or network manager may not be trained in security (or even security awareness) and management may not be inclined to pay for training in this area before there's a problem.

7) Security is Inconsistent With the Main Line of Business

Unfortunately, sometimes the simplest, most obvious reason is the correct one. In the "old days," only computer companies owned computers. Today, nearly every business has purchased at least one computer system. In many cases, as long as they are working, the systems are not maintained nor upgraded adequately because there's no time nor staff; the company views itself as being not in the computer business, but in manufacturing or retail or service or publishing or whatever.

Most businesses with more than a few computers today have a LAN. Again, as long as it is working, the LAN is often at the bottom of the pecking order for resources and maintenance because of the same lack of time and staff; these companies, after all, aren't in the networking business...

It is a natural extension, then, that the same thing happens with network security. "All businesses are the same size on the Internet" is a mantra that is constantly being chanted. If a small business with a small LAN gets connected to the Internet, the business will concentrate on the marketing or service capabilities that such connectivity provides. But at the same time, it becomes as lucrative a target as any other site on the Net.

8) Management Does Not Support Enforcement of Security Violations

As a final issue, corporate policies do not always allow for the "punishment" of security violators. In most organizations, only the most blatant, purposeful violations of policy will result in a loss of networking privileges but this consequence is rarely meted out, although recently publicized incidents noted that several companies have fired employees because of the exchange of inappropriate e-mail messages.

But what about users who never seem to find the time to update their antivirus signature files, enable Java on their browser because to do otherwise is inconvenient, or gives their intranet password to others ("I can trust my wife and kids.")? If that user's system is affected by a virus, rogue code, or another person's error, both the user and network staff lose productivity. But the user rarely faces additional consequences, regardless of how much and how often they ignore the security plan until — and unless — they cause a major problem that affects everyone else.

So, what is the proper negative consequence for such actions? Companies need to balance the level of protection that they need with the social costs of implementing consequences to inappropriate behavior, and the "punishment" has to match the infraction. If users were to be denied access to computer or network resources as a result of repeated problems, it is quite possible that some people would lose their jobs; on the other hand, the rest of the user community might be better protected. Whatever policies are put in place must be uniformly applied, however, from president to mail room clerk.

On a related note, it is not only the user population that ignores security policies; the computer and network operations staff is always a target for social engineering. Operations managers should have the authority — and should avail themselves of the opportunity — to periodically test their own staff and there should be consequences for those employees who violate the procedures in an effort to be "helpful." If building guards and network and computer operations staff were tested more, social engineering would be significantly less successful.


There are no secure sites on the Internet, only vigilant ones.

And frequently it is this vigilance that gets the security managers in trouble. Most techies see a straight line as the shortest distance between two points; it is the rare and/or experienced infosec professional that understands both the technical needs of the systems with the non-technical needs of the organization he or she serves. Sometimes in our zeal to implement the best security procedures, we lose sight of the users and implement policies that are viewed as so Draconian that they are ignored — such as the user who places a modem on his/her computer to get around the firewall and stays connected to an ISP for 8 hours a day, unaware of, and unconcerned about, the backdoor that has been created.

There are undoubtedly other reasons besides those cited here for why end user organizations do not use prudent care to exercise vigilance, including lack of personnel and what may be viewed as overhype by the industry. Lack of education and awareness, however, is at the root of all of these I believe.

Not surprisingly, the Internet — in the form of intranets, extranets, virtual private networks (VPNs), telecommuting, and small remote/branch offices — has been leading many companies to recognize the need for added security. One reason may be that companies employing these information nets are building them from the ground up and see the need because they have something tangible at risk.

Identifying and appreciating the reality of the lack of security at many sites around the Net is not meant as an apologia, but as a first step in rectifying the situation. The typical challenge to those of us in the security field is to look outside of our own network. But we also have to be mindful of what is — or is not — going on right behind us. And why.


Commonly overlooked security measures:

  1. Not having written security policies, resulting in uneven and often undocumented security protections applied to network hardware, servers, applications, and user systems.
  2. Not employing strong password policies, such as auditing user passwords, forcing password expiration, and encouraging users to employ good passwords.
  3. Inadequately training the "security manager," resulting in an insufficient level of real security, improperly configured devices, and individual frustration.
  4. Not educating management, and thus the rest of the workforce, about the importance of security and the role that every user plays.
  5. Not creating a plan to respond to security events, telling both users and network staff how to deal with incidents of various severity.
  6. Not linking the importance of information security with the goals of the organization, relegating information security to an after-thought rather than designing it in during the early phases of projects.
  7. Keeping security plans and policies as dynamic as the rest of the network, resulting in short-term fixes to problems rather than long-term planning.

About the Author: Gary C. Kessler is an Assistant Professor and program coordinator of the Computer Networking major at Champlain College in Burlington, VT. He also provides independent consulting related to network security, Internet- and TCP/IP applications and services, and e-commerce. He has written over 55 papers for industry publications and is co-author of ISDN, 4th. edition (McGraw-Hill, 1998). He is a member of the IEEE Computer and Communications Societies. His e-mail address is