Q: When does adding security policies make you less secure?
A: When you forget that there are these things called "users".
If you were to send an email from a government computer and it included a drop-down menu (in which you *must* choose an option to send email) that had 2 choices:
UNCLASSIFIED
and
SECRET
Would you assume that the system you were on was authorized to process SECRET information? Seems logical to most folks, but on many Government computers you would be wrong. Wrong and on the way to committing a serious security violation/spillage if you were to actually send SECRET-level information.
The goal of adding the classification box was to ensure that all UNCLASSIFIED emails were marked as such (a regulatory thing), but the implementation of it leaves users with the idea that they can send SECRET info securely from NIPR-only machines (that's Non-Classified Internet Protocol Router Network), when it should be sent only on SIPR (Secret Internet Protocol Router Network) boxes.
This is BAD security. A particularly egregious example of Security Theater actually.
Sometime I need to post about making your password policy so "secure" that users are forced to circumvent the system but not today.
Bonus question:
Q: Why would you label an email SECRET on an UNCLASSIFIED system?
A: To make life easier for the prosecuting attorney at your Court-martial!