Before we get into developing a policy, let's explore why so many security policies have failed. Security is a barrier to progress. Protective measures are by definition obstacles and impediments to getting work done. They typically add zero benefit: following the policy does not increase revenue, it does not increase output or productivity. Security measures are designed to mitigate specific threats, and they almost always reduce the ability to freely share information, again in opposition to simply accomplishing work. We must always strike a balance between being secure and creating disruption, and this balance will vary from organization to organization. Human nature begets desire ("I want more! And I want it faster!"). Traffic lights exist for safety, but at vacant intersections they are just annoying. What do you do in this case? If your patience runs out, you run the light. People who use your network will experience the same limits, and if they perceive no benefit in complying with your policy, they will look for ways to circumvent the security, and cause a security incident as a result.
Security is a learned behavior. When an animal is on the prowl, searching for a tasty morsel to satiate its hunger, it is following an instinct. Self-preservation is instinctual, but security is not. Security (understanding it and agreeing to abide by it) is a higher-level function that requires appealing initial learning and effective occasional reinforcement. Without reinforcement, all your sound reasoning will be forgotten as people grumble "This is a stupid policy" in the hallways. As you read through the rest of this chapter and develop your policies, remember that you need to teach and preach the policy repeatedly; tailor your message for each individual audience you encounter. Because security procedures are often unintuitive, your policy should help people recognize the value of assets; this is another way to avoid the "stupid policy" criticism. Later in this chapter, we explain one method you can use to evaluate risks and estimate the costs of a compromise.
Many policies fail to expect the unexpected. Processes designed for global organizations handle transactions at all hours of the day for thousands, perhaps tens of thousands, of users. Global processes that have to deal with things such as time zones, varying regulatory requirements, and incompatible data formats greatly increase the complexity of systems and the procedures that describe how to operate them; with increased complexity comes the chance of increased failure. So expect such failures and disasters, and look for signs that a failure might be imminent. Keep your skills current and do not forget to practice your plan (for example, if you want your users to run as non-admin, you should do the same); this can help weed out loopholes before they get exploited.
Know that, when it comes to securing your network, you can never be finished. Security is ongoing: technology changes and improves, and systems grow old and become outdated, fail, or lose their effectiveness. (Look on the bright side: this is great job security!) The threats we face are the same threats people faced thousands of years ago (theft, extortion, violence, laundering), but the ways the threats can be exploited have undergone monumental change and will keep doing so as attackers improve. You can rob only so many physical banks per hour, but you can steal an enormous amount of money electronically. The policies and procedures you develop for protecting your network require regular feedback and maintenance to remain viable.
The Real Threats
Media histrionics notwithstanding, a successful penetration of your network is unlikely. Complete security is most likely going to be a budget-buster. The real threat is from within, and most commonly comes from nonmalicious damage: human error, accidental disclosure, inadvertent denials of service. We do not deny that external attacks happen, but these "breaches" are far more likely to be the things you encounter regularly. Most people are not out specifically to cause you harm. Overt policy violations usually are the result of this tempting morsel or that unsecured asset, and are made easier by complacent monitoring and enforcement. Your policies must create an air of value around every asset that is protected; otherwise it is intuitively obvious that the asset is pretty much worthless. (Servers kept in toilet paper supply closets are worth, well, toilet paper.) It is far more common to see violations that are the result of weaknesses in processes (stealing cash from the drawer) than full-on attacks (cracking the safe in the vault).