Ask Slashdot: Do You Use a Smartphone At Work, Contrary to Policy?

Jason McNew writes: I have been in IT since the late '90s, and began a graduate degree in Cyber Security with Penn State two years ago. I have always been interested in how and why users break policies, despite being trained carefully. I have observed the same phenomena even in highly secure government facilities — I watched people take iPhones into highly sensitive government facilities on several occasions. That led me to wonder to what extent the same problem exists in the private sector: Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property. This question has become the subject of a pilot study I am doing for grad school. So, do you use a smart phone or other PED during work hours, even though you are not supposed to? Please let me know, and I will provide the results in a subsequent submission to Slashdot.

No!

[chinton]

Of course not.

--- Sent from my Verizon Wireless Galaxy S4

Re:No!

I always obey the decrees of IT. Even when they prevent me from getting work done. IT knows what's bets for me.

IT is mother IT is father.

Fix your Survey

Question 8. What kind of wearable smart devices do you own (check all that apply)?

If I don't check any, I get a "! This question requires an answer." Alert.

I guess I better go get a wearable smart device.

(Other questions have the same problem)

Not a factor in actually secure environments

I've worked a lot of places. I work for the government now.

There's two classes of secure workplace. Actually secure, and pretend secure.

Actually secure places have people who search everybody when they come in, may have thugs with guns guarding the place, have proper access controls and actual consequences. Active network monitoring. Plug something unexpected in and security shows up, not the admin. Violation of policies can result in things like jail, detention, civil liabilities, immediate termination, etc.

Pretend secure places have polices, maybe a secure door, and no real consequences.

Perceived incompetence and lack of rationale.

When you see people around you at work who are incompetent in your field, you assume that people throughout the organization are often incompetent in their field. When I worked in government, this wasn't uncommon. So you have a lot of rules, many of which are inconvenient to you. Since the *reasons* for the rules aren't ever published, you write off the inconvenient ones as incompetence; you don't believe they're actually any threat at all, and the punishments are sporadic-at-best, so you ignore the rule.

Taken out of the normal corporate workplace, there are rules against phones on airplanes. For over a decade... they simply didn't matter to the plane, and it was easily observable to any traveller, as often, the person next to you wouldn't turn off a damn thing, and things worked out fine.

The reason for the rule was that one phone a mile in the air could try to connect to hundreds of ground based towers, hosing the whole network. Since you weren't able to connect, you couldn't see that; you just used the phone. But since the *reason* for the rule wasn't really published, and the effects seemed nonexistent, people ignored the rule all the time.

That, and holy hell, phones really aren't a security risk. People are a security risk; if someone's allowed to see the same document a thousand times, they can simply memorize it instead of taking a picture. You need to have people you trust; the government simply runs on the policy that no one can be trusted, and (often!) gets far less competent people because of that... ...which leads back to my first point, which is when you see occasional incompetence around you, you assume the rules were written by someone incompetent.