Security's Everyman

Wednesday, November 29, 2006

The No's have it.

Kevin Devin writes on his blog about how we write policies that tell users what they can and can't do. When it comes to user education we often focus on the "do nots" as opposed to the "can dos". We all know that giving a list of "do nots" usually raises the curiosity level of people and often encourages them to explore the "dark side". For those of you who have kids you know what I'm talking about.

Kevin wonders what it would be like to give our users a list of things that they can do with their laptops and portable devices, as well as with any company resource. He is right in noting that it would be a longer document, but it could provide some good direction for our users. I know from personal experience that users often look at IT (and more lately the security team) as those "killjoys that want to control everything". Having a list of things that they can do would go a long way towards improving our reputation. Not that our reputation is important compared to keeping things secure.

Even though it may provide benefits, I think that going down that road is not a good idea. It leaves too much room for wiggle. I can see users thinking that there is an "implied" clause that allows them to do "a" because it is similar to "b". Having a clearly defined policy that sets boundaries, defines the consequences for exceeding them, and is enforced is the best way to keep things in check.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.