The Gray Areas
Security is not black and white. There are gray areas. Sometimes IT security browbeats users into a “NEVER, ONLY, DO NOT” line of thinking (or not thinking, as it were). Unfortunately, this backfires.
“This is too hard; forget it.”
“IT’s asking for my password in an e-mail to help me with an issue; that must be OK.”
“I’m not supposed to send large files over e-mail, so I’ll just use my personal filesharing program instead.”
The other day, I had a conversation with another information security professional. We talked about whether passwords should EVER be shared. The answer: it depends. Under certain circumstances, it may be appropriate.
Putting work accounts aside, think about your personal life for a moment. Is there anyone with whom you share account access? Maybe you and your spouse share access to a joint bank account, utilities for bill pay, or even an online shopping membership. How about the wireless password in your home? I’ll bet your spouse, kids, and visiting friends have that password stored in their devices. If you have minor children, you may have their social network passwords to monitor their activities.
When people hear through a company awareness program that passwords should NEVER be shared, it leads to questions in their minds:
“What about my joint checking account?”
“What if I’m asked for my password by my supervisor? How can I say no?”
“What about those third-party work accounts?”
“Uh oh. John and I have been sharing that social media account for years. There’s only one… what are we supposed to do?”
Are you answering these questions? Are you inviting them to be asked?
Let users know that their main (work) account is not to be shared with anyone, including supervisors, assistants, and IT staff. Tell them why. Ask them to report it if anyone IS asking for their password. Tell them why.
If you default to “NEVER, ONLY, DO NOT” statements in your training, it may be because of limited time and the need to hammer home key points. Attention spans are short, after all, particularly when topics are perceived as having little to no value.
IT security definitely gets a bad rep. Change this by incorporating the gray areas. Use them to answer the questions floating around users’ minds while you have their attention. It will begin to build rapport. Let employees and users see you as a helpful resource, not as the security shutdown.
As information security professionals, we can analyze the least risky means for our users and guide them to those actions by embracing the gray areas.