Although it’s well-known to many that the infosec behaviour as required by organisations of their employees, doesn’t conform with what the employees [that according to the theory of firm, are the organisation not ‘processes/procedures/”GRC”‘ ridiculousness nor capital] would want, as all strive to reach their individual ill-aligned, together inconsistent and incomplete objectives.
Since infosec in this, borders on the (sum of the) individual ‘contributions’ in this (too) and the emergent property achieved infosec for the organisation. And since no-one has ever been able to bridge the gap in a methodological sense between set member characteristics and emergent properties … We can aggregate but will not reach the emergent by definition (or the emergent would be seeded in the elements already; no need for emergence); we can disaggregate but will never implant any meaningful noise in the properties as it is exactly that which was lost during the ‘initial’ aggregation / collection into set characteristics. Meaningful noise being the original elements’ noise on any concept. Politically, one would reference Ortega y Gasset here; great holday season’s reading
Aren’t we lucky then, that we will not hinder those already doing it… The above is methodoligically unsteady and unrigorous. Practice will allow us to reach infosec nirvana – which is far off total security: cost, effectiveness and flexibility being the limiting factors – if only we’d try, we could align what we want from ‘users’ to fit along their personal objectives and motivations, and moods, so well that ‘users’ will unnoticedly do the right thing. Link may not apply.
[Talk about right things … the battlefield from Little Round Tops, Gettysburg]