The instinct among security teams is often to establish policies that force users to comply with security standards to prevent system compromise. But what if users were given more choice? Shelly Epps, senior director of cyber risk services & program management at Duke Health, and Mary McKee, Duke University’s deputy CISO and senior director of identity management and security services, spoke to Jill Aitoro about enabling buy-in by empowering users.