Elenore Abbott, The Shoes that Were Danced to Pieces. Grimm's Fairy Tales. New York: Charles Scribner's Sons, 1920.
There was once a King who had 12 daughters. Every night they were locked in their rooms to stop them getting to any mischief, but every morning when he opened the door he would find them tired and drawn. Their shoes would in tatters. Every morning, the princesses would offer no explanation, and the King was left mystified and was required to provide more shoes. The king was not a poor man and the cost of shoes was not going to break the bank, but over time both the cost and his concern mounted.
The King set a challenge that if any man could find out what was happening to his daughters, he would give the man the hand in marriage to one of the daughters and he would become heir to the throne. However, the king was not without wit and applied a penalty clause to these challengers. They only had three nights to discover what was happening or else they would forfeit their lives.
Initially a variety of learned men, princes and chancers came to claim the hand of the princess by solving the riddle. And soon the graveyard of the palace bore witness to their failure and rapid demise. Finally, men stopped coming to answer the challenge, the princesses began to grow pale and thin and the bill for shoes began to have a serious impact on the royal household.
An old soldier returning from the wars heard of the challenge and made his way to the palace through the old wood. As he passed through, he found an old lady and he charitably helped her back to her cottage. In thanks she gave him a cloak of invisibility and a piece of advice. If he were to take the challenge he must not eat or drink anything given to him at the palace, as this had been the downfall of the other challengers who had fallen asleep.
Upon offering his services to the King, the soldier set up shop outside the door of the princesses’ room. When they offered him bread and wine, he feigned eating them and then pretended to sleep. Once the princesses left him he donned the invisibility cloak and observed them as they exited through a trap door. For three nights he followed them through the grotto and to an enchanted castle where they danced until exhausted and their shoes were in tatters.
On the morning after the third night, the soldier was taken to the king to face his death, but he produced evidence of the dancing and was granted the hand of the oldest princess to be his wife. The king sent men to destroy the grotto and the enchanted castle to remove the spell on his daughter.
Ok, I have told you a tale, but what has this to do with Infosec and policy? It is true to say that any good Infosec strategy should have three prongs. Firstly policy: it was the policy of the king to have his daughters stay at home at night and rest. It was policy for them to not wear out their shoes and themselves dancing night after night. This is akin to any resource in a company that is scarce. If it is used sparingly and for the correct purpose it will not run our or cost more money. The price of shoes in this example was almost bankrupting the king. Think about Internet bandwidth as a real world example: too much use for non-business purposes may reduce the availability for the actual business. Secondly, we need to make the users aware of what the policy is. The princesses were told they should not leave but they broke the rules and when dancing instead.
Which brings us to the third and most vital part of the policy, which is monitoring. There is a maxim in management that you manage what gets measured, but what if you are measuring the wrong thing? All the previous suitors had managed the door to the room, but had fallen asleep and had not realised there was a backdoor. Effective InfoSec policy needs to have appropriate measures that are publicly available for inspection to be able to show that policy is adhered to; and when it is not, action must be taken. Once the soldier managed the policy adherence correctly, the incorrect behaviour was stopped and action was taken to remove the external threat vector from the equation.
I am not saying that all our users are princesses and that they are all enchanted or deliberately misbehave, but they might inadvertently break the rules and you need to be checking in order to save them company and potential them from themselves.