Putting policies under pressure


A note on LinkedIn led me to an intriguing scientific research study that tested the following five hypotheses:

  1. People who receive instructions via a written policy about rules will have better knowledge of these rules than those who do not.

  2. People who receive a shorter-form version of the policy about the rules, with less text, will have better knowledge of the rules than those who receive a longer training form.

  3. People who receive a written policy outlining the rules in more vernacular and less legal-technical language will have better knowledge of the rules than those presented with a more formal, legal-styled training text.

  4. People with better knowledge of rules will also comply more with such rules.

  5. The more legal rules align with people's personal and social norms, the higher people score in their knowledge of these legal rules.

The study was conducted on more than a thousand employees of an unnamed large international technology company in the process of introducing its first corporate policy on fraud and corruption. [I suspect it wasn't its first ever policy, rather the first one on that particular topic.]

The findings do not support the first four hypotheses - in other words, there was no statistically significant improvement in employees' knowledge of, or conformity with, the rules laid down in long-form 'legalese', short-form 'plain English' or pictorial policies.

Regardless of format, the policies were simply not effective, despite (a) the gravity of the subject matter, and (b) the employees being aware of the study's purpose (well, presumably so, since the study involved informed consent: maybe the information presented by the researchers to gain consent had as little impact on participants as the policies!).

Oh oh.

However, the findings supported the fifth hypothesis - in other words, employees' knowledge of and conformity with the rules reflect their personal and social norms, a form of bias. We are more likely to accept and conform with rules that align with our expectations, based on the things we see or perceive to be going on around us. That finding, in turn, also has intriguing implications.

If culture trumps policy, then what (if anything) can be done to influence culture? 'Culture' is diffuse and hard to describe, let alone shape or control, so I plan to keep reading and would welcome further studies into that.

Meanwhile, we have here a classic information risk with ineffective mitigating controls so we might:

  1. Re-evaluate the risk. What are the threats, vulnerabilities and impacts? What else can be done to address any/all of those factors, if the risk is unacceptable? Can we avoid, share or control it better? Or is this an information risk we are forced to accept?

  2. Anticipate [at least some of] our policies being ineffectual despite our best efforts, leading inevitably to incidents, at least some of which will need to be addressed. [The specific subject matter of the policy in this study may be relevant. Perhaps the findings would be different with other kinds of policies, information security and privacy policies for instance. I doubt it but I don't know for sure.]

  3. Revise our expectations for corporate policies: although they are valuable and may be necessary for legal reasons (which, along with laws and regulations, are now in some doubt as a result of this research), they have little value in rule-setting. Don't spend all your infosec budget on those finely-crafted policies!

  4. Increase focus and effort to influence cultural understanding, acceptance and conformity, accepting that 'culture' is a complex social construct that resists change - it seems to move slowly, seemingly resisting or counteracting externally-imposed pressures.

It's almost enough to make this long-time policy and awareness author and proponent retire in disgust. Am I just wasting my time here? Worse still, am I misleading clients by flogging snake-oil, even at knockdown, below-cost prices? Alternatively, maybe I need to explore innovative solutions stemming from that fifth hypothesis and finding.


PS Arguably, the study proved that no single means of promoting awareness of a new policy is sufficient: maybe a more rounded approach using a combination of methods would be better? Unfortunately, there are numerous possible permutations and combinations of the three policy types in this study, plus the control, let alone variants and other awareness and training approaches, meaning a lot of work and expense for a scientific study.
