Re: Are users right in rejecting security advice?

[Leon DuPree <duprleo () GMAIL COM>]

In order to be able to facilitate what you said you must be able to identify
what the behavior you want to enforce.
Structure of your organization will determine if you have the ability to
make this happen.

Government, Business/Corporate tend to be pretty restrictive.
Academic... well that tends to change from college to college depending on
the circumstance.

I believe that you must identify the behavior you want to reinforce then
determine how  can you guide the  user toward that action or away from that
action.

People are people no matter what technology we use.  Can we find a way to
re-enforce positive behavior?
discourage negative behavior?  You definitely are looking in the right
direction I would check ope-rant learning behavior models to map the policy
with the technology.

I did a wireless security audit but discovered that the structure of the
organization was too centralized to be able to even consider cross
functional threats of the report.  too bad probably wont react until a real
threat occurs.



On Mon, Mar 22, 2010 at 7:20 PM, Eric Jernigan <eric.jernigan () pcc edu>wrote:

> Although I have a higher opinion/assumption of 85% of users can make an
> informed rational decision with the right information available, no system
> can rely on user awareness/policy alone. Making users responsible for
> activity regarding their UID...whether they like that or not is really one
> of the few ways to reduce password sharing. After all if you have remote
> access, that shoots the surveillance control out of the water. As Eric
> alluded to, the internal/externality  of risk can be a safeguard. For
> mission critical systems two factor authentication...when/if affordable is
> another option that I would recommend investigating.
>
> There may be exceptions to the rule but when a shared access is needed, one
> option may be to have a group ID, with a responsible POC for activity on
> the
> account. These shared accounts should be the exception (IMKHO) because it
> is
> very easy to get 'need creep' if not carefully managed. Policies are always
> important not just to spell out the requirements but to give an acceptable
> alternative to the undesired behavior.
>
> Eric Jernigan
> Information Security Manager,
> Technology Solution Services
> Portland Community College
> PO Box 19000
> Portland OR 97280-0990
> 503-977-4896
> Eric.jernigan () pcc edu
> http://www.pcc.edu/resources/tss/info-security/
> ________________________________________
> NOTICE: This email message is for the sole use of the intended recipient(s)
> and may contain sensitive or privileged information as well as information
> covered by the Privacy Act, FERPA, HIPAA, and/or other laws. It is being
> e-mailed as the most practical method of transacting business. As such, it
> must be safeguarded. Any unauthorized review, use, disclosure or
> distribution is prohibited unless permission is obtained from the original
> sender.
> _______________________________________
>
> -----Original Message-----
> From: Lazarus, Carolann [mailto:lazarus () BUFFALO EDU]
> Sent: Friday, March 19, 2010 7:18 AM
> Subject: FW: [SECURITY] Are users right in rejecting security advice?
>
> I'm stepping in late here - I just returned from an auditing conference and
> there were many good points made on workable and reasonable polices which
> relate very well with many of the points made here.  I thought I'd share
> one
> example.  Many places have a policy that users are not allowed to share
> their passwords, and many auditors will even recommend this.  But, the
> instructor pointed out, how is this enforceable?  Unless you have a camera
> on the exact workstation and so can definitively prove that someone else
> was
> sitting there at the exact time that the userid and password was entered
> for
> that IP address, you can't really enforce it.  And really, there may be
> legitimate exceptions to that policy.  Instead, you need to come up with
> something else, like, a policy making everyone responsible for anything
> that
> happens under their UID and password.  And of course, you really need to
> have awareness training so they understand the risks.  Just an FYI and
> another thought.
>
> As for some of the comments on stupid audit checklist questions, yeah,
> sometimes they seem pretty dumb, but I gotta tell you there have been too
> many times when the "duh" questions came back with the unexpected answer.
> Not every sys admin (or someone assigned those duties) has a good
> understanding of security basics.  When I'm doing basic checklist work I
> can
> usually tell who the clueless are, and for those who are not clueless I
> make
> sure they know that I understand that many of these questions will seem
> pretty obvious.  These checklist sessions give me a good idea on who I need
> to go back and do a more thorough review on, and ask those follow-up
> questions.
>
> (and yes, there are auditors out there who don't understand why they are
> asking the questions, just like there are incompetents in every profession,
> it just seems more noticeable in an auditor)
>
> Carolann G Lazarus
> (IT Auditor)
> lazarus () buffalo edu
> (716)829-6947
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
> Sent: Wednesday, March 17, 2010 6:03 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Are users right in rejecting security advice?
>
> Your assumption is users can make an informed choice.  My assumption is
> users will not inform you of the deviation from current policy.  If your
> security governance allows users to make the choice, than so be it.  The
> institution has accepted the risk the users will make the wrong choice.  If
> this is not the case then users should not be making the choice.
>
> It has been my experience that users will choose the lower cost and higher
> risk option because the risk is an externality to them.
> -Eric
>
>
> Sent via BlackBerry by AT&T
>
> -----Original Message-----
> From:         Michael Sinatra <michael () RANCID BERKELEY EDU>
> Date:         Wed, 17 Mar 2010 14:08:41
> To: <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Are users right in rejecting security advice?
>
> On 3/17/10 1:22 PM, John Nunnally wrote:
> > Exactly, Eric!  Students are one thing, but faculty and staff are
> EMPLOYEES.
> > They are no more "right" to ignore security recommendations, than they
> > are to ignore any other corporate policies.  Are they "right" to
> > ignore personnel policies or parking regulations because they don't
> > see any reason for them?
> >
> > I think the point is that we will see better results from our efforts
> > by making policies that make sense and are easy for end users to buy
> > into.  But regardless of what those policies might be, employees are
> > should comply or appeal, not ignore.
>
> The point of the article is to examine various incentives that users face.
> Everyone has an incentive to do the "right" thing, some more than others
> and
> depending on the "right"ness of what the institution is doing.  Whether the
> "right" thing is overridden by other incentives is exactly what security
> leaders at campuses must be cognizant of.
>
> As an example, directly related to my point, is it "right" for a user to
> take an action that *better* manages risk and does so at lower cost than
> the
> action that is mandated by policy?
>
> An example, which you seem to be getting at is, is it "right" for a user to
> minimize their own personal (or even their departmental) risk *and* cost,
> while creating negative externalities (like extra risk) for the
> institution?
> Just about everyone on this mailing list would say "no,"
> and I would certainly not disagree.  Whether our collective "no" has any
> bearing on what the users do is yet another important point of the article.
>
> The idea is to find ways to get users to do well by doing good.  To the
> extent that we can make that happen, we will make better security policies.
>
> michael