You also make a sound point about security folks internalizing policy, and that’s a tough one to get around. Human nature creeps in here, we all tend to internalize a bit for things we built or have a stake in.

Good discussion points, in any case. This isn’t a clear-cut topic with one right or wrong answer, obviously – thus the “Random Thought” label.

You are talking about two separate concepts at the same time. In the first case the offender is being punished for something they *have* in this case a spork, or data above your security clearance, or whatnot. In the second case, you are talking about something an offender *does* such as espionage or theft. It is difficult to try to apply the concept of security policy to a case of possession-type crimes, since they almost always involve an action. A policy is put in place to reduce risk, and an employee chooses to act in violation of the policy.

I understand the concept of zero-tolerance in $GENERIC_POLICY that you are making, so I’m not (intentionally) being dense here. But let the policy be black-and-white. Let the HR people worry about the degree of enforcement. I think a problem can arise when security staff internalize the policy (that they probably wrote,) and take it personally when people violate it. But I don’t think it helps the adversarial situation between staff and infosec. Infosec needs to unplug from it. If there is a “my way or the highway attitude” then infosec is personalizing it too much.