3

I work for a company that deals with medical data, so we must comply with HIPAA as well as our desire for plain old corporate security. However, our ops team is quite zealous about the extent to which things are locked down. I don't need to give specific examples, I think, because that's not the point of the question, but the outcome is that it can be difficult to get things done without jumping through many hoops, and in a few rare cases, the security policies contradict each other in a way that some tasks are simply impossible. This is not "Security Theatre" because we actually do require some amount of security, which is in fact accomplished. A friend of mine I posed this question to put it quite well:

I know what you mean. Sometime security measures are so strict that they actively encourage people to subvert them to get what they need done and you end up with less visibility and control of what is being done.

Is there a term for this sort of over-zealous security that practically begs to be subverted? I don't want to discuss merits or otherwise of such policies, and again, it's not "Security Theatre" for reasons outlined above. I'm just curious if there is any generally accepted term for this because I'm coming up blank.

dmg
  • 131
  • 1
  • Not a real answer, but some used to call this an [administrative fascist](https://www.gnu.org/fun/jokes/know.your.sysadmin.html). – WhiteWinterWolf Aug 04 '17 at 19:26
  • [Policy sprawl?](https://www.virtualizationpractice.com/avoid-policy-sprawl-allow-less-choice-39401/). VTCing as off-topic. – Jedi Aug 05 '17 at 18:27

4 Answers4

2

"Over-zealous security policies" works for me. ;)

An engineering term I have used to describe the situation where conflicting security policies prevent work from being accomplished is "overconstrained" (the equivalent mathematical term is overdetermined). The principle is that there are multiple conditions placed on a particular system, all of which it is mathematically or physically impossible to satisfy simultaneously.

Mike McManus
  • 1,415
  • 10
  • 17
0

Gone way too far, Paranoid or Paranoia seems to fit what you're describing.

Mike Waters
  • 131
  • 8
0

the outcome is that it can be difficult to get things done without jumping through many hoops, and in a few rare cases, the ... policies contradict each other in a way that some tasks are simply impossible.

Sometime ... measures are so strict that they actively encourage people to subvert them to get what they need done

You're describing a term in the ___cracy family of nouns. If you look past the specific application of security policies, you could just as easily be describing tax code or any other bureaucratic process.

When laws/regulations/policies are so cumbersome that individuals don't feel empowered to do their jobs, you end up with things like cops planting evidence or individuals doing extralegal things out-of-band instead of following proper procedure.

In this case, "technocratic" might be an appropriate term. Technological experts are the ones in power, dictating all the rules and enforcing them through technical controls. "More technology" is the only solution to all societal/workplace woes, especially when the prevailing problem is too many technical controls. And so on.

Ivan
  • 6,338
  • 3
  • 18
  • 22
-1

I saw a quote from AviD that I really liked on here. XKCD #936: Short complex password, or long dictionary passphrase?.

AviD's Rule of Usability:

Security at the expense of usability comes at the expense of security.