People who design security measures to protect the confidentiality of business information often face a tension between security and ease of use. When employees view a security measure as an annoying obstacle to getting the job done, they often find a workaround to avoid the annoyance. This can create a new risk of disclosing the information that the security measure was designed to protect.
For example, a company might implement an IT protocol that prevents employees from accessing company computer files in any manner except through use of a company-owned computer. An employee who needs to complete work at night, but who does not want to carry a company laptop home, might print out paper copies of files necessary to complete the work. This creates a new risk that the paper copies could be lost or stolen.
Another company might implement a rule requiring employees to use very complicated computer passwords in the hope of increasing the security of the company computer network. Employees who find it too difficult to remember their passwords may write the password on a piece of paper stuck to their monitor. The password is now visible to all who pass by.
One step in security design is to ask whether a security precaution will do more harm than good.