Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Vik Solem <vik.solem () TUFTS EDU>
Date: Wed, 17 Mar 2010 10:30:18 -0400
Isn't the real issue one of accurate communication of risk? In the 15 months I've now spent with an educational institution, it seems to me that communicating risk effectively is more important than specifying policies and procedures. As long as a user understands the risk of something (e.g. surfing the web from an Administrator-level account) then they can make a valid determination about how they should (or perhaps should not) change their behavior.
Then again, I might just need more coffee...

-Vik

On Mar 16, 2010, at 14:32, Allison Dolan wrote:
I think part of the point of the article was to focus on those things that really matter in terms of security and which are easy for people to remember/follow - something like 'never put your password in an email, no matter who's asking' would seem to be an example of 'good' security advice.

......Allison Dolan (617-252-1461)

On Mar 16, 2010, at 11:29 AM, Stanclift, Michael wrote:

I would love to just be able to bill users in man hours required for us cleaning up mail queues after their account is compromised and turned into a spambot, or time spent trying to remove us from blacklists, etc. If they were getting $500 in campus mail to their department, or to them personally, they would probably think differently next time about replying to an email with their password in it.

Michael Stanclift | Network Analyst | Computer Services
Rockhurst University | 1100 Rockhurst Road, Kansas City, MO 64110
Phone: 816.501.4231 | Fax: 816.501.4014 | http://help.rockhurst.edu
Help keep our campus green, think before you print!
RUCS will never ask you for your password!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin (mclaugkl)
Sent: Tuesday, March 16, 2010 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Hi All:

So I read this right after I read the FBI IC3 Report that shows the amount of dollar loss in the U.S. doubling from 2008 – 2009 (265m to 559m) – and yes, I know there are a lot of variables and intangibles in those numbers; please don’t respond yet again with those citations; the bottom line is that these ARE large numbers of reported loss. Then I read the blog on Dr. Hurley’s paper and once again just have to shake my head and wonder when we are going to get it as a society.

I’m not going to rant or go on for a long time – I’ll just say this: I bet when the end users are held 100% liable for ALL the money they lose or freely give to blackhats by not following good security practices that we will then see a shift in how much interest and participation they take in using the safe-guards we’ve been asking them to use for years. (Right now financial institutions are accepting a lot of the $ loss; however, that is already starting to change.)

Allison – don’t get me wrong, I enjoyed the read and definitely appreciated you posting it as it does a great job at providing insights into different (non-security) thought processes.

- Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
Sent: Tuesday, March 16, 2010 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Are users right in rejecting security advice?

A rather provocative column re: the cost/benefit of many pieces of security advice. Some points worth considering when planning security awareness training...

http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036

......Allison Dolan (617-252-1461)
-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326

Check out the UIT Information Security Team blog:
http://blogs.uit.tufts.edu/infosecteamblog/
Current thread:
- Are users right in rejecting security advice? Allison Dolan (Mar 16)
- <Possible follow-ups>
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 16)
- Re: Are users right in rejecting security advice? Stanclift, Michael (Mar 16)
- Re: Are users right in rejecting security advice? Allison Dolan (Mar 16)
- Re: Are users right in rejecting security advice? Russell Fulton (Mar 17)
- Re: Are users right in rejecting security advice? Valdis Kletnieks (Mar 17)
- Re: Are users right in rejecting security advice? Allison Dolan (Mar 17)
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 17)
- Re: Are users right in rejecting security advice? Valdis Kletnieks (Mar 17)
- Re: Are users right in rejecting security advice? Vik Solem (Mar 17)
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 17)
- Re: Are users right in rejecting security advice? Joe St Sauver (Mar 17)
- Re: Are users right in rejecting security advice? Perloff, Jim (Mar 17)
- Re: Are users right in rejecting security advice? Brad Judy (Mar 17)
- Re: Are users right in rejecting security advice? David Escalante (Mar 17)
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 17)
- Re: Are users right in rejecting security advice? Michael Van Norman (Mar 17)
- Re: Are users right in rejecting security advice? Basgen, Brian (Mar 17)
- Re: Are users right in rejecting security advice? Allison Dolan (Mar 17)
- Re: Are users right in rejecting security advice? Michael Sinatra (Mar 17)
(Thread continues...)