Steve: Writing policies is one thing..... But they still have to be backed up by the security apparatus......

downloads & runs a 'fantastic new game'
1. His user rights won't allow him to.
2. The firewall won't allow the content unless it is zipped, most users don't have winzip nor the rights to install it.

Now he knows that if he says anything he's going to get fired
He knows that he is supposed to report this, per the policy. He knows damned well that if he knows this and doesn't report it he doesn't have a chance of keeping his job. Furthermore:

1. The IDS' in my organization warn of activity like this, (scanning thresholds, SMTP transfers, virus activity etc.), so I'll know shortly.
2. Firewall only allows outbound SMTP connections from my mailservers, they block and instantly warn me of SMTP from other locations.

The issue is about social engineering:
Yep, dead right - but where in the dictionary does it say that social engineering can only be accomplished with honey? SE is getting people to do what you want them to do. I fairly successfully achieve that with vinegar...... If it ain't broke, don't fix it.

decides to post to a usenet newsgroup
1. Blocked by the Web filter.
2. Using any email program other than the one set up by the IS dept. contravenes policy, as does altering the way we set it up.
3. The malware's activity will either be picked up by IDS' or its activity will be limited to Joe's account rights, which are limited.
4. Multiple backups of data take place daily and tapes are kept for each month of the year for a year and the Dec 31st tape is kept indefinitely.

Encouraging employees to use AOL & Other external mail accounts for anything not directly work related reduces the risk of offensive material within the organisation
Yes, if they use it from their home computer. Otherwise, wrong. The fact that Joe is using his AOL account to view the pron his buddy sent him when Joann walks into the room makes it no less of a "hostile environment" when she takes you to court. You lose because you should have prevented it - which we do, (blocked at the firewall, monitored by web filter).

and everyone to be educated to understand the risks they take every time they are using their PC
Yep, and that's why whenever something new or "interesting" raises its ugly head I put out a kind of alert bulletin explaining what it is, what it looks like, how you get it and the consequences - a lot of the time this will be warnings about a new scam or similar.... Judging by the feedback from the users, they love it and ask for more.......

So you see, I don't just carry a big stick and wave it around looking threatening. I back up my policies with good sense security measures. Furthermore - I am proactive and communicative with the user base as to both the organization's security and their own and how the two may often be intertwined.

There isn't always a technical solution for an administrative problem - but the administrative solution has got to be effective in dealing with the problem or it is a waste of time and the paper it is written on.

Tiger Shark: (Consultancy fees $150/hour, $1200 for an 8 hour day........ )
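The two technical controls the reply leans on (outbound SMTP permitted only from the mail servers, and IDS-style scanning thresholds) as an added detection example; this is not code from the post. The log format, the IP addresses and the mail-server allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of firewall connection log lines (not from the post).
# Assumed format: "<src_ip> -> <dst_ip>:<dst_port> <IN|OUT>".
FIREWALL_LOG = """\
10.0.0.25 -> 203.0.113.10:25 OUT
10.0.0.25 -> 198.51.100.7:25 OUT
10.0.0.77 -> 192.0.2.44:25 OUT
10.0.0.77 -> 192.0.2.45:25 OUT
10.0.0.77 -> 192.0.2.46:25 OUT
10.0.0.77 -> 192.0.2.47:25 OUT
10.0.0.50 -> 10.0.0.9:80 OUT
10.0.0.50 -> 10.0.0.9:443 OUT
"""

# Hypothetical allowlist: the only hosts permitted to originate SMTP.
MAIL_SERVERS = {"10.0.0.25"}
SMTP_PORT = 25
LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (IN|OUT)$")


def parse_log(text):
    """Turn log lines into (src, dst, port, direction) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, dst, port, direction = m.groups()
            records.append((src, dst, int(port), direction))
    return records


def rogue_smtp_sources(records, mail_servers=MAIL_SERVERS):
    """Sources that opened outbound SMTP but are not an approved mail server."""
    return sorted({src for src, _, port, d in records
                   if d == "OUT" and port == SMTP_PORT and src not in mail_servers})


def scan_suspects(records, threshold=3):
    """Sources whose count of distinct outbound dst:port targets exceeds the threshold."""
    targets = defaultdict(set)
    for src, dst, port, d in records:
        if d == "OUT":
            targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) > threshold}


if __name__ == "__main__":
    recs = parse_log(FIREWALL_LOG)
    print("outbound SMTP from non-mail hosts:", rogue_smtp_sources(recs))
    print("scan threshold exceeded:", scan_suspects(recs))
```

In the sample, the workstation 10.0.0.77 trips both checks, which is the pattern of a mass-mailing worm running under a user account; the mail server's own SMTP traffic is left alone.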