I despise security controls that don’t work or provide actual security, and especially despise those controls whose only function appears to be the irritation of the human condition. Here’s my short list:
1) Requiring a user ID be typed each time you log into a PC.
What does this accomplish other than require the user to type their user ID several times a day? And how many times per day does it prevent unauthorized use? Almost never to never. Mostly, this control kills productivity and raises irritability. Especially in executives.
2) Cryptic server naming conventions that only server administrators* understand.
For example, server names consisting of DivisionCityApplicationFunctionNumber, such as PlasticsClevelandOracleDatabase5, which is abbreviated PLCLORDB5. Not only have you confused attackers, but everyone else who has to reference that server on a daily basis.
My favorite example of this was the Exchange email server called HQAWAMPE1, which as a PC installation and break/fix guy, I had to type a hundred times a day (not counting the 20 times I fat-fingered it). While this practice may not tell an attacker it’s an email server immediately, a simple nmap scan will do that. Security .05, Productivity -2.
* I was a server administrator once, and I voted against such nonsense. See About.
3) Requiring a user ID and password to access the Intranet.
First of all, why isn’t the logon linked invisibly to Active Directory or some other LDAP?
The companies that require Intranet passwords tend to leave all kinds of confidential data open to all employees, vendors, consultants, etc. Password-protecting data isn’t useful if everyone has a password.
Remember, the best security is closest to the data. When you put the security at the entry point of the Intranet (logon), it is too far from the data to provide any protection. Try again. Security .05, Productivity -3.
4) Confidential shred bins that are not emptied often enough (until the confidential documents are sticking out of the bin for 3 days).
I’ve even seen bins that are not locked!
I prefer to do my own shredding. Again, it’s always better to put the security (shredding) as close to the data (sensitive documents) as possible. Don’t rely on a third party to pick up the bin and shred it (usually offsite).
Even so, storing documents in stuffed, locked bins that are shredded offsite is better using the waste basket (at least the documents at the bottom of the bin are somewhat protected :)
Final score: Security, 1, Productivity -3.
Congratulations! You increased security slightly, increased irritation noticeably, and reduced productivity even more. There’s always next year.