There is something of an urban myth that when the University of California at Irvine, USA, was designed and built, the pavements were deliberately left out. A year later the planners came back to see where trails had been worn into the grass and then placed the pavements and permanent pathways on top of them. This “intelligent architecture” approach ensured not only that there were no unsightly trails left in the grass like those in the above picture, but also that the pavements were placed in the optimal position for the daily use of the students. A similar story is often told about the development of the Perl programming language.
By understanding the usage patterns of the audience in question and building a permanent solution that reflects those usage patterns, the designers ensured the maximum amount of adoption, and quite possibly in some cases unconsciously so.
This same approach of intelligent architecture is the best way to implement an information security programme that is both successful and adopted. Any programme that looks to dramatically alter the working patterns of its target audience is therefore going to struggle to gain adoption, and informal “trails” of behaviour will very quickly become apparent.
The information security policies that are the foundation of your programme must start by acknowledging existing behaviours, and must ensure there is not only a long-term approach to dramatic changes in behaviour, but also similar or more efficient alternatives to accepted behaviours.
Take a moment to see where the grass is, and where the paths are, in your organisation, and ask yourself if the “proper” way is actually the “best” way.