Re: Are users right in rejecting security advice?

[Allison Dolan <adolan () MIT EDU>]

I think part of the point of the article was to focus on those things  
that really matter in terms of security and which are easy for people  
to remember/follow -  something like 'never put your password in an  
email, not matter who's asking' would seem to be an example of 'good'  
security advice.

......Allison  Dolan (617-252-1461)



On Mar 16, 2010, at 11:29 AM, Stanclift, Michael wrote:

> I would love to just be able to bill users in man hours required  
> for us cleaning up mail queues after their account is compromised  
> and turned into a spambot, or time spent trying to remove us from  
> blacklists, etc. If they were getting $500 in campus mail to their  
> department, or to them personally, they would probably think  
> differently next time about replying to an email with their  
> password in it.
>
> Michael Stanclift | Network Analyst | Computer Services
> Rockhurst University | 1100 Rockhurst Road, Kansas City, MO 64110
> Phone: 816.501.4231 | Fax: 816.501.4014 | http://help.rockhurst.edu
>
> PHelp keep our campus green, think before you print!
> ÏRUCS will never ask you for your password!
>
> From: The EDUCAUSE Security Constituent Group Listserv  
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin,  
> Kevin (mclaugkl)
> Sent: Tuesday, March 16, 2010 10:22 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Are users right in rejecting security advice?
>
> Hi All:
>
> So I read this right after I read the FBI IC3 Report that shows the  
> amount of dollar loss in the U.S. doubling from 2008 – 2009 (265m  
> to 559m) – and yes, I know there are a lot of variables and  
> intangibles in those numbers please don’t respond yet again with  
> those citations ; the bottom line is that these ARE large numbers  
> of reported loss.   Then I read the blog on Dr. Hurley’s paper and  
> once again just have to shake my head and wonder when we are going  
> to get it as a society.   I’m not going to rant or go on for a long  
> time – I’ll just say this:
>
> I bet when the end users are held 100% liable for ALL the money  
> they lose or freely give to blackhats by not following good  
> security practices that we will then see a shift in how much  
> interest and participation they take in using the safe-guards we’ve  
> been asking them to use for years.  (right now financial  
> institutions are accepting a lot of the $ loss;  however, that is  
> already starting to change).
>
> Allison – don’t get me wrong I enjoyed the read and definitely  
> appreciated you posting it as it does a great job at providing  
> insights into different (non-security) thought processes.
>
>
> - Kevin
>
>
> Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master  
> Certified
> Assistant Vice President, Information Security & Special Projects
> University of Cincinnati
> 513-556-9177
>
> From: The EDUCAUSE Security Constituent Group Listserv  
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
> Sent: Tuesday, March 16, 2010 11:03 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Are users right in rejecting security advice?
>
> A rather provocative column re: the cost/benefit of many pieces of  
> security advice.  Some points worth considering when planning  
> security awareness training...
>
> http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036
>
> ......Allison  Dolan (617-252-1461)