Hacker News
by lrvick 2646 days ago
Camp #2 is naive and dangerous thinking if your company protects anything of value. Even if every employee is honest today, one of them can be extorted tomorrow. If you allow your employees easy access to substantial value without hard technical controls to enforce accountability, then you are creating a situation where someone has reason to threaten or harm your employees.

Gas stations have "Never more than $200 in the drawer" for a reason. Criminals knowing that is the case deters most of them, and if it doesn't, you are out $200 at most.

1 comment

As an information security analyst for an organization that deals with highly valuable info assets, I agree. The comment you replied to sounded like how employees argue for less security. They don't understand the scope or environment of information security.

95% isn't nearly secure enough. You're actually looking for the one malicious agent among thousands. If you conduct contracting bids, you have to realize that at any moment your employees can be offered an incentive to leak, and their leaks will cost millions of dollars.

So when we apply our strict need-to-know policies and data transfer tracking, it's not about trusting individual employees. It's about finding a needle in a haystack.