NextGov
Tech Insider

Illegal Activity and Network Protection
By Andy Boots  |  Monday, May 12, 2008 |  5:53 PM

Human behavior is inherently risky. In this entry, I want to explore two types of behavioral risk to the organization – operational risk and reputational risk – and to argue that illegal behavior is a reputational risk that is inconsistently regulated.

In a Government Executive piece a couple of months ago, Jill Aitoro reported on a survey of federal IT workers which revealed that employees using government computers and networks sometimes fail to follow policy and thereby endanger information security. Certainly, this is no surprise. In fact, I question the study's results because only 56 percent of 474 survey respondents reported having observed security violations. If anything, this suggests that 44 percent of the respondents were simply unaware of the security policy.

Operational risk is the umbrella term that includes all sorts of risks to an organization’s mission – loss of intellectual property or other information, theft, natural disaster, customer confidence, and so forth. Employee/contractor behavior that might compromise operational security comes readily to mind – leaving doors or file cabinets unlocked, creating weak passwords, bypassing security controls, losing portable equipment, discarding unshredded sensitive printed material in recycling bins, programming applications with built-in vulnerabilities, etc.

A truism in information security is that operational security controls are effective only when they require no human action. Disk encryption is effective only to the extent that users or administrators cannot disable it. Physical security is effective only if locks are automatic. Device configuration standards are effective only to the extent that the configurations are burned into ROM or other unalterable storage, and so forth.

Reputational risk is really a distinct type of operational risk, one that threatens the way outsiders (the public, Wall Street, Congress, etc.) understand the organization’s trustworthiness. Employee/contractor behavior that could damage the organization’s reputation is often labeled security risk, but really is not, in that such behavior seldom directly threatens information or operations. Examples are viewing pornography (or other “inappropriate” material), using alcohol or other drugs in the workplace, stealing, sexual or other harassment, gambling, etc.

Reputational risk controls are seldom technical. Instead, the Standards of Ethical Conduct for Employees of the Executive Branch and specific agency policies proscribe certain behaviors. However, such policies are seldom specific enough to cover employee/contractor behavior in a world of interconnected networks.

Many information security officers and agency lawyers cite concerns about legality to justify attempts to limit reputation-threatening employee/contractor behavior (often by placing behavioral policies and controls under an information security rubric). The real justification for regulating such behavior, however, is the “standards of trust” principle in the Federal Standards of Conduct.

I believe it is important to note that some of the behaviors we think of as reputational risks are illegal and others are not. It is clear that illegal behavior such as underage drinking, child pornography or theft would reflect badly on any organization. But using alcohol is legal for those of age, though most agencies have policies prohibiting alcohol consumption in agency offices. Viewing pornography is legal, though hostile workplace interpretations have made such behavior legally risky in most offices.

I am pretty sure gambling is illegal everywhere in the United States except where expressly allowed by state law.* But I find it curious that gambling in the office (online poker, Super Bowl and college sports pools, etc.) is seldom discussed in security or personnel policies, though it is seemingly as illegal as a craps game in the mailroom.

* Please don’t send me citations from your favorite poker site that claims legality. I had little luck in finding a truly authoritative source, so had to settle for Wikipedia.
