Well, my credo is well known in the meantime: We have to make it easy for users to work in a secure way. Otherwise the business (say: the users) will find ways around all our security solutions. I customer of us recently said: "I rather accept a little bit of higher risks but I know them compared to the user circumventing my security measures and therefore generating risks I do not know" – and he is right in my opinion. Security is here to support IT to support the business. This is it! Too many IT people run IT as the core part of the business but in 99% of the companies, IT is here to help me to do my job and security is here to help IT (and the business).

I read an article this morning called End Users Flout Enterprise Security Policies and there is an interesting quote in it: "What we're finding is that there is a third, growing group of users who knowingly violate security policy not to do something malicious, but because they are trying to get their jobs done. This sort of violation is innocent, but deliberate."

I still claim that this is not the user's fault but mainly security's fault. If they have to violate the security policy to get their job done, there is something wrong

Roger