Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Leon DuPree <duprleo () GMAIL COM>
Date: Tue, 23 Mar 2010 05:11:47 -0400
In order to facilitate what you said, you must be able to identify what behavior you want to enforce. The structure of your organization will determine if you have the ability to make this happen. Government and business/corporate tend to be pretty restrictive. Academic... well, that tends to change from college to college depending on the circumstance. I believe that you must identify the behavior you want to reinforce, then determine how you can guide the user toward that action or away from that action. People are people no matter what technology we use. Can we find a way to reinforce positive behavior? Discourage negative behavior? You definitely are looking in the right direction; I would check operant learning behavior models to map the policy with the technology.

I did a wireless security audit but discovered that the structure of the organization was too centralized to be able to even consider the cross-functional threats of the report. Too bad; they probably won't react until a real threat occurs.

On Mon, Mar 22, 2010 at 7:20 PM, Eric Jernigan <eric.jernigan () pcc edu> wrote:
Although I have a higher opinion/assumption that 85% of users can make an informed, rational decision with the right information available, no system can rely on user awareness/policy alone. Making users responsible for activity regarding their UID... whether they like that or not, is really one of the few ways to reduce password sharing. After all, if you have remote access, that shoots the surveillance control out of the water. As Eric alluded to, the internal/externality of risk can be a safeguard.

For mission-critical systems, two-factor authentication... when/if affordable, is another option that I would recommend investigating. There may be exceptions to the rule, but when shared access is needed, one option may be to have a group ID with a responsible POC for activity on the account. These shared accounts should be the exception (IMKHO) because it is very easy to get 'need creep' if not carefully managed. Policies are always important, not just to spell out the requirements but to give an acceptable alternative to the undesired behavior.

Eric Jernigan
Information Security Manager, Technology Solution Services
Portland Community College
PO Box 19000
Portland OR 97280-0990
503-977-4896
Eric.jernigan () pcc edu
http://www.pcc.edu/resources/tss/info-security/

-----Original Message-----
From: Lazarus, Carolann [mailto:lazarus () BUFFALO EDU]
Sent: Friday, March 19, 2010 7:18 AM
Subject: FW: [SECURITY] Are users right in rejecting security advice?
I'm stepping in late here - I just returned from an auditing conference, and there were many good points made on workable and reasonable policies which relate very well to many of the points made here. I thought I'd share one example. Many places have a policy that users are not allowed to share their passwords, and many auditors will even recommend this. But, the instructor pointed out, how is this enforceable? Unless you have a camera on the exact workstation and so can definitively prove that someone else was sitting there at the exact time that the userid and password were entered for that IP address, you can't really enforce it. And really, there may be legitimate exceptions to that policy. Instead, you need to come up with something else, like a policy making everyone responsible for anything that happens under their UID and password. And of course, you really need to have awareness training so they understand the risks. Just an FYI and another thought.

As for some of the comments on stupid audit checklist questions, yeah, sometimes they seem pretty dumb, but I gotta tell you there have been too many times when the "duh" questions came back with the unexpected answer. Not every sys admin (or someone assigned those duties) has a good understanding of security basics. When I'm doing basic checklist work I can usually tell who the clueless are, and for those who are not clueless I make sure they know that I understand that many of these questions will seem pretty obvious. These checklist sessions give me a good idea of who I need to go back and do a more thorough review on, and ask those follow-up questions.
(And yes, there are auditors out there who don't understand why they are asking the questions, just like there are incompetents in every profession; it just seems more noticeable in an auditor.)

Carolann G Lazarus (IT Auditor)
lazarus () buffalo edu
(716)829-6947

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
Sent: Wednesday, March 17, 2010 6:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Your assumption is users can make an informed choice. My assumption is users will not inform you of the deviation from current policy. If your security governance allows users to make the choice, then so be it. The institution has accepted the risk that the users will make the wrong choice. If this is not the case, then users should not be making the choice. It has been my experience that users will choose the lower-cost and higher-risk option because the risk is an externality to them.

-Eric
Sent via BlackBerry by AT&T

-----Original Message-----
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 17 Mar 2010 14:08:41
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On 3/17/10 1:22 PM, John Nunnally wrote:

Exactly, Eric! Students are one thing, but faculty and staff are EMPLOYEES. They are no more "right" to ignore security recommendations than they are to ignore any other corporate policies. Are they "right" to ignore personnel policies or parking regulations because they don't see any reason for them? I think the point is that we will see better results from our efforts by making policies that make sense and are easy for end users to buy into. But regardless of what those policies might be, employees should comply or appeal, not ignore.

The point of the article is to examine various incentives that users face.
Everyone has an incentive to do the "right" thing, some more than others and depending on the "right"ness of what the institution is doing. Whether the "right" thing is overridden by other incentives is exactly what security leaders at campuses must be cognizant of.

As an example, directly related to my point, is it "right" for a user to take an action that *better* manages risk and does so at lower cost than the action that is mandated by policy? An example, which you seem to be getting at, is: is it "right" for a user to minimize their own personal (or even their departmental) risk *and* cost, while creating negative externalities (like extra risk) for the institution? Just about everyone on this mailing list would say "no," and I would certainly not disagree. Whether our collective "no" has any bearing on what the users do is yet another important point of the article.

The idea is to find ways to get users to do well by doing good. To the extent that we can make that happen, we will make better security policies.

michael
Current thread:
- Re: Are users right in rejecting security advice?, (continued)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? John Ladwig (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? John Ladwig (Mar 18)
- Re: Are users right in rejecting security advice? Russell Fulton (Mar 18)
- Re: Are users right in rejecting security advice? Russell Fulton (Mar 18)
- Re: Are users right in rejecting security advice? Basgen, Brian (Mar 18)
- FW: Are users right in rejecting security advice? Lazarus, Carolann (Mar 19)
- Re: Are users right in rejecting security advice? Eric Jernigan (Mar 22)
- Re: Are users right in rejecting security advice? Leon DuPree (Mar 23)
- Re: Are users right in rejecting security advice? SCHALIP, MICHAEL (Mar 23)