Dysfunctional Controls: Useless, Impractical, Inefficient and Poorly-Designed
Dateline: Toronto, ON, May 2002
At a previous employer of mine, the Executive Vice-President of Operations was irked at what he perceived as general slacking off by data center and support personnel. His perception was that employees were spending far too much time in the cafeteria at coffee break and wasting valuable corporate resources. Whether the Executive believed it or not, we indeed were conducting business and not wasting time. Well, not too much. I’m not suggesting that there weren’t laggards dogging it in the cafeteria. But, like many companies there was inadequate meeting space, so staff held many informal meetings in the cafeteria. I don’t remember one time when I was there having coffee that someone didn’t take the opportunity to pose a question. But these facts and others escaped the EVP, so, rather than working with his senior managers to ensure that employees had realistic work-related goals or punishing the real abusers, he restricted the hours for coffee and forbade all people from drinking their java in the eating area. Now the executive expected productivity to go up, but it didn’t, in fact, it unquestionably went down. Sometimes the cost of correction outweighs the risk. Why? Well, most individuals felt this control was bad— including yours truly—and so they sought out ways to circumvent it. At morning coffee time, you would see people streaming out of the building and heading for the coffee shop directly across the street. The uptake was that morale and productivity were down! The coffee shop proprietor smiled and was thankful for this new control as he listened to the hubbub in his once tranquil coffee shop.
You’re probably thinking, “Interesting story, but what’s the point.” The point is that most companies have similar dysfunctional controls—controls that have unexpected consequences or just plain don’t function. Sometimes the consequences are diametrically opposed to the desired effect. Our EVP reacted in a knee-jerk way. He tried to introduce a new control without a thorough cost-benefit analysis. Focusing on lower costs and short-term profits, he did not evaluate the real costs associated with the new control.
That is not to suggest that we abandon all controls, but only that we need to perform a sanity check on our controls. After all, some level of control is necessary. All aspects of human activity, inside the organization and in society at large, need control as a process. Would you travel on city streets in a major urban centre without speed limits, stoplights or street signs? Would you fly by plane in congested areas when there were no air traffic controllers? You get the picture. The results would be chaotic. So controls are necessary to define expected behavior or, in our examples, how to maneuver a car in traffic and a plane in the sky.
Control as an organizational activity—or as a component of any organizational activity—exists at all levels within the organization and is the concern of many different individuals in the organization. You can understand its basic nature by studying the major phases of the total management process. The total process begins with planningand the related establishment of objectives. Organizing and the necessary further providing of more resources—including people—supports planning. Managers then act to meet these previously established objectives. But these operational actions will not normally by themselves suffice. Things seldom work out exactly as we plan. Our underlying knowledge and estimates are never that good. Besides, people are human and humans make errors. Also, environmental conditions change from the setting of objectives. We therefore need supplementary measures and actions to provide appropriate readings on our progress and to provide the basis for further actions that will better assure the achievement of our objectives. These measures and actions are commonly called feedback. We also need procedures that assure desired types of action and prevent undesired ones. The controlfunction concerns itself with providing these supplementary measures, actions and procedures.
For a while, I have been working on my private pilot’s license. On cross country trips, I must plot the path to the next aerodrome with an estimated time of arrival. During the trip, I chart my progress. I look for points of reference that indicate I am on the right course. Because of prevailing winds or engine problems, or whatever, the plane may veer off course. To compensate where necessary, I must chart a new course and change direction, and possibly alter speed. I also might have to revise my estimated time of arrival. I am the control function in our example since my role is to consider and evaluate the impact of developments in actual progress, and to provide a proper basis for needed supplementary action. I thus contribute to reaching the destination (the objective) on a timely basis and in a most efficient manner.
problems arise when management does not have clearly established
objectives. Apparently the control function cannot exist unless we have objectives.
If we do not know where we want to go, we can hardly know what measures
and actions should be taken to get us there.
To paraphrase the Cheshire cat’s advice to
It is useful to note also that the responsibility for the proper analysis and determination of appropriate managerial action is the responsibilityof the manager in charge for the activities delegated to subordinates or other staff groups. This is consistent with the fact of every manager’s responsibility for final acceptance of goals and objectives.
Now that you have a cursory appreciation for control theory, let’s look at some dysfunctional controls I have found in my travels. My point is not to embarrass the companies or make light of them, but rather to illustrate the resultant behavior from these controls. By studying useless, impractical, purposeless, inefficient, poorly-designed, and worthless controls, we may gain insight into the constituents of good controls.
The Chairman of a large financial corporation where I labored wanted to control all expenses. He kept a very tight rein on expenses. So much so that dysfunctional behavior resulted. Because we couldn’t easily buy software that we needed to get our job done, we begged and borrowed or used demo copies or software from home. The results were predictable—there was an increase in viral activity. Obviously, our Chairman had not intended this outcome for it was not useful.
In addition, staff could get as many taxi chits as they wanted but couldn’t get approval for hardware or software. In the performance of our duties, we traveled by taxi from our data center in the suburbs to our offices in the financial district. These trips were not inexpensive. So, we had a saying that “one personal computer equaled 100 taxi chits.” Again, people found ways around controls they believed were ill-conceived or worthless.
A client of mine was having a problem with hardware and software theft. The problem became significant enough that management decided to implement a control. They decided to check all briefcases and boxes leaving the building. The building had two entrances one in the front and one in the rear. During the dayshift, that is, eight to five, there were guards at both entrances. The guards dutifully checked all briefcases and parcels looking for purloined company property. Unfortunately, they only had one guard at the front door on the off-shifts. So, should someone want to steal something, all one had to do, was wait until after dark and walk out the back door. If this control wasn’t a waste of time, then I don’t know what is. Talk about impractical! Further, they didn’t even stop to think about the loading dock. Most likely, hardware and software were falling off the loading dock, yet they were doing parcel checks at the front door.
Another organization I did some work for had a similar problem. They thought individuals were taking confidential information out of the organization. The guards were checking for diskettes and Iomega Zip drives. However, nobody told the guards to look or ask for other media. I have a USB drive on my keychain that holds 1 Gigabyte or about 695 high-density floppies of data. Forget the issue of employee distrust, but what a colossal waste of time!
One time when
visiting a secure data center in the
Another client asked me to do a pre-audit audit. Tell them what their ‘Big Few’ auditors would find before they swarmed my client. So, I offered to look at security administration, change control and backup and recovery. Naturally, I started with security administration. Upon meeting the security administrator, I asked whether they recorded violations. She pointed to a stack about a yard deep. When I asked whether the listing was year-to-date, I was told no it was from the previous day. Whoa, that’s violation recording! When I asked how many people reviewed the log, I was told just her. When I asked whether it was a full-time job, she replied she reviewed the listing before coffee. I thought she must have felt like a one-armed paper hanger. When I asked what she looked for in her review, I was told—and this is one of my favourites—she looked for “unusual activity.” When I asked her to define unusual activity, she responded quite seriously, “activity that is not usual.” Any attempts at further defining ‘unusual activity’ got us no closer to an understanding of her review process. After a short exercise in circumlocution, I suggested we look through the voluminous violation reports looking for ‘unusual activity.’ After a while, I noticed someone could write to the system kernel. This has got to be unusual. So, I asked was this unusual, and she replied no that person was the system programmer. We scoured the listing a little further when lo and behold I saw that someone could update the payroll file. “Is this unusual activity,” I optimistically asked. No, that person was a clerk in human resources. This went on for a while until I closed the listing and bet the system administrator that I could log on to the system with information gleaned from the reports. When challenged, I went over to the nearest workstation, and logged straight in. The date was July 2 and I noticed someone had tried JUNyy to login. Naturally, I used JULyy and presto I was in. So why do people still spend all that effort examining violation reports looking for intruders? Reports such as these tell us of people who didn’t get access to a file or directory or people with learning disabilities, ‘fat fingers,’ or poor memories. All the company was doing was supporting the pulp and paper industry and wasting valuable human and computer resources. Talk about a worthless control!
Another client asked me for a general controls review. As part of the review, my associate and I decided to do a moonlight audit. A moonlight audit occurs when you roam around the building at night after the majority of the staff has left for the day. You generally have an objective for this type of audit; and ours was no different. We wanted to check whether staff complied with the company’s clean-desk policy and a requirement to logoff at the end of the day. Suffice it to say, they failed on both counts. Also, at most cubicles, we found something very curious. We found a sticky note with what looked like, not one but, two passwords and the related account. It turns out that most employees not only wrote down their password but they also wrote down the passwords of their neighbors in the event that they needed another account for whatever reason. Now, you can’t really blame the employees for writing down their passwords, as they were OS/400 system-generated ones. You know the ones that look like rocket fuel formulae. Well, this strong password control—system-generated non-pronounceable codes—resulted in a large exposure. Employees were writing down their passwords and sticking them to their computer screen. Talk about purposeless!
Many companies started indiscriminately blocking all executables at their proxy server or firewall because of the fear of e-mail with attached virus code. I had one such client. When I started a security review for them, I explained that I didn’t want to send confidential reports in clear text using the Internet. They agreed, so I started explaining how we could use public key algorithms to protect the documents. When their eyes started to glaze over, I realized I had lost them. So, instead of using a good program like OpenPGP, I used another program I have that creates a self-extracting encrypted file. I gave them a password (really the decryption key) that they entered when prompted after trying to open the document. Off went the document as an attachment to e-mail. However, it got bounced back to me with a message saying they could not forward the executable. When I phoned and told my client my predicament, they said just send it unencrypted. Again, I hope that wasn’t the intention of the control that stripped the executables out of e-mail; because that’s not useful.
I know of many companies who suffer from this following problem. They have a dysfunctional virus policy. They don’t encourage people to come forward and freely admit that they have a virus on their machine. Instead, when someone reports a virus on their machine, the support staff starts interrogating the individual with the intent to kneecap the person. This surely discourages employees from coming forward. So instead, they ignore the virus behavior, hoping it will go away. This dysfunctional behavior directly results from the consequences of reporting the problem and most likely will lead to more damage. They also warn all their co-workers about what happens when you talk to those people in support.
A functional virus policy would encourage employees to report suspected viruses. A good policy would go something like this: If you have a virus and report it to the support group, we’ll assume you didn’t put the virus on the machine. On the other hand, should you have a virus and don’t report it, we’ll assume you did put the virus on the machine and that is grounds for dismissal. This well-designed policy should force the type of behavior you desire—the reporting of suspected viruses.
So, there you have some dysfunctional controls and the unexpected behavior that resulted. Or, was the behavior really unexpected? Perhaps, you have some good examples in your company. You have seen how the controls produced results that were unexpected. Sometimes these results are disastrous: other times they just are a waste of valuable corporate resources. Other times they provide comic relief to stressed-out staff or visiting consultants. Surely, there is a better way. Perhaps, if we look at how people and controls interact, we may learn how to design good controls.
Controls and People
Controlsaffect people and human nature being what it is, this causes problems. The basic source of the problem comes from the fact most individuals instinctively like independence and freedom of action. The very fact you require someone to do something makes them tend to view such a control with aversion, and even hostility. I have seen tremendous amounts of energy spent by individuals trying to get around the simple precept of passwords. These individuals will write elaborate programs to change the password a number of times and change it back. They will spend all this effort to avoid thinking of a new password.
The extent of the tolerance for controls depends to a considerable extent upon the individual—intelligence, experience, cultural background and emotional stability. But it is safe to say, there is a normal tendency to resent controls and to resist them to some extent. Of course, their acceptance depends a great deal on how management develops, presents and administers them. Therefore, we should anticipate these problems and develop action plans to minimize this control animosity.
First, the organization must develop a total reputation for ethical integrity and competence. Your organization should develop this reputation at the top and communicate it downward by word and deed.
That is where the corporate culturekicks in. Culture is the values, beliefs and norms a group shares. A positive culture is what enables some organizations to be leaders in security. Banks, for instance, have internalized security. Trustand security are necessary and unquestionable values for a bank. A negative culture, and an over-reliance on formal controls, is what lead some companies to ignore security. Real leaders are crucial to security because their words and deeds are the touchstones of culture. Implementing security in environments where the leaders have not bought in is a difficult if not impossible task.
No company can implement security unless its top management is visibly, constantly and sometimes irrationally committed to security. Setting up security controlsis so much work that it only gets done when the people at the top lead the charge. When they don’t, the organization naturally turns inward and concentrates on less demanding processes to work on. Everyone succumbs to the pressure of just doing their jobs instead of providing security.
Second, people do not follow blindly like sheep when they do not understand the rationale. You must explain in plain language the rationale for any proposed control. Otherwise, staff will surely resent any control that they do not understand and appreciate. Encryption usemay be patently obvious to your security administrator and auditors but lost on the rest of your staff.
Third, you must allow for people’s feelings. A controlhas a greater chance of survival when presented with courtesy and reasonable consideration, as well as an opportunity for adjustment. You cannot legislate encryption controls today and expect them tomorrow. Controls suffer from cultural lag. People do not question the use of key locks and combinations, but they do question the need for encryption. Someday encryption may be as pervasive as locks and no one will question its use.
Fourth, people resent controls that they perceive you do not have the authority to impose on them. They will not use password controls when they believe they are a technical solution to a technical problem. The answer is to have controls sponsored by individuals with sufficient authority and a legitimate right. The Corporate Executive Officer and not the Corporate Information Officer should endorse the corporate security policy. However, all employees must embrace it.
Fifth, controls derived by consensus have a greater chance of success. The control consultation process should be as broad as practical. Besides, someone during the consensus process may see right through the control as impractical or inefficient.
Finally, the manner of administration affects the success of the control. Administration should not be arbitrary and should show an understanding of the problems involved. People affected by the controls need to know there is an interest in problems and a willingness to listen to solutions from all sources.
My vocation is management accounting. One lesson I learnt well from my studies was, “You get the type of behavior out of your systems (substitute; controls, people or whatever), that you force.” You may find this behavior incongruent with your intentions. Think about this the next time you implement a “needed” control.
Abridged version of an article published in EDPACS by Auerbach Publications 2002.