Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Tue, 23 Mar 2010 08:14:31 -0600
This may sound a little odd (and sickeningly philosophical), but a lot of policy that is written/adopted within the Fed sector is written as "thou shalt do...", but is seldom enforced to that extent... it tends to be read as "thou should do..." (i.e., as "guidance"?). That is, until something or someone was found to have gone too far astray - THEN the policy would be read as "law" instead of "guidance". It gives the governing body an out...

I've observed a little bit of the same thing in Higher Ed. Policy is written to guide the use of technology (sometimes with the *intent* of being vague and ambiguous, thus non-restrictive), but the interpretation of that policy is quickly tightened up as soon as an actual problem is identified. The opportunity to codify and substantiate the premise behind the policy is tied to the immediate circumstance, but this never really seemed to make sense to me. I always (naively) thought that policy was written to prevent people from doing "the wrong thing"... but more often, it seemed that it was written as a means of justifying the reactions and repercussions for people who were determined to do "the really wrong thing".

An interesting thread...

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Leon DuPree
Sent: Tuesday, March 23, 2010 3:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

In order to be able to facilitate what you said, you must be able to identify the behavior you want to enforce. The structure of your organization will determine if you have the ability to make this happen. Government and business/corporate tend to be pretty restrictive. Academic... well, that tends to change from college to college depending on the circumstance. I believe that you must identify the behavior you want to reinforce, then determine how you can guide the user toward that action or away from that action.

People are people no matter what technology we use. Can we find a way to reinforce positive behavior? Discourage negative behavior? You definitely are looking in the right direction; I would check operant learning behavior models to map the policy with the technology. I did a wireless security audit but discovered that the structure of the organization was too centralized to be able to even consider the cross-functional threats of the report. Too bad; they probably won't react until a real threat occurs.

On Mon, Mar 22, 2010 at 7:20 PM, Eric Jernigan <eric.jernigan () pcc edu> wrote:

Although I have a higher opinion/assumption that 85% of users can make an informed rational decision with the right information available, no system can rely on user awareness/policy alone. Making users responsible for activity regarding their UID, whether they like that or not, is really one of the few ways to reduce password sharing. After all, if you have remote access, that shoots the surveillance control out of the water. As Eric alluded to, the internal/externality of risk can be a safeguard. For mission-critical systems, two-factor authentication, when/if affordable, is another option that I would recommend investigating. There may be exceptions to the rule, but when shared access is needed, one option may be to have a group ID with a responsible POC for activity on the account. These shared accounts should be the exception (IMKHO) because it is very easy to get 'need creep' if not carefully managed. Policies are always important, not just to spell out the requirements but to give an acceptable alternative to the undesired behavior.

Eric Jernigan
Information Security Manager, Technology Solution Services
Portland Community College
PO Box 19000, Portland OR 97280-0990
503-977-4896
Eric.jernigan () pcc edu
http://www.pcc.edu/resources/tss/info-security/

-----Original Message-----
From: Lazarus, Carolann [mailto:lazarus () BUFFALO EDU]
Sent: Friday, March 19, 2010 7:18 AM
Subject: FW: [SECURITY] Are users right in rejecting security advice?

I'm stepping in late here - I just returned from an auditing conference and there were many good points made on workable and reasonable policies which relate very well to many of the points made here. I thought I'd share one example. Many places have a policy that users are not allowed to share their passwords, and many auditors will even recommend this. But, the instructor pointed out, how is this enforceable? Unless you have a camera on the exact workstation and so can definitively prove that someone else was sitting there at the exact time that the userid and password were entered for that IP address, you can't really enforce it. And really, there may be legitimate exceptions to that policy. Instead, you need to come up with something else, like a policy making everyone responsible for anything that happens under their UID and password. And of course, you really need to have awareness training so they understand the risks. Just an FYI and another thought.

As for some of the comments on stupid audit checklist questions, yeah, sometimes they seem pretty dumb, but I gotta tell you there have been too many times when the "duh" questions came back with the unexpected answer. Not every sysadmin (or someone assigned those duties) has a good understanding of security basics. When I'm doing basic checklist work I can usually tell who the clueless are, and for those who are not clueless I make sure they know that I understand that many of these questions will seem pretty obvious. These checklist sessions give me a good idea of who I need to go back and do a more thorough review on, and ask those follow-up questions. (And yes, there are auditors out there who don't understand why they are asking the questions, just like there are incompetents in every profession; it just seems more noticeable in an auditor.)

Carolann G Lazarus (IT Auditor)
lazarus () buffalo edu
(716) 829-6947

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
Sent: Wednesday, March 17, 2010 6:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Your assumption is that users can make an informed choice. My assumption is that users will not inform you of the deviation from current policy. If your security governance allows users to make the choice, then so be it. The institution has accepted the risk that the users will make the wrong choice. If this is not the case, then users should not be making the choice. It has been my experience that users will choose the lower-cost and higher-risk option because the risk is an externality to them.

-Eric
Sent via BlackBerry by AT&T

-----Original Message-----
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 17 Mar 2010 14:08:41
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On 3/17/10 1:22 PM, John Nunnally wrote:

> Exactly, Eric! Students are one thing, but faculty and staff are EMPLOYEES. They are no more "right" to ignore security recommendations than they are to ignore any other corporate policies. Are they "right" to ignore personnel policies or parking regulations because they don't see any reason for them? I think the point is that we will see better results from our efforts by making policies that make sense and are easy for end users to buy into. But regardless of what those policies might be, employees should comply or appeal, not ignore.

The point of the article is to examine the various incentives that users face. Everyone has an incentive to do the "right" thing, some more than others, and depending on the "right"ness of what the institution is doing. Whether the "right" thing is overridden by other incentives is exactly what security leaders at campuses must be cognizant of. As an example, directly related to my point: is it "right" for a user to take an action that *better* manages risk and does so at lower cost than the action that is mandated by policy? An example, which you seem to be getting at, is: is it "right" for a user to minimize their own personal (or even their departmental) risk *and* cost, while creating negative externalities (like extra risk) for the institution? Just about everyone on this mailing list would say "no," and I would certainly not disagree. Whether our collective "no" has any bearing on what the users do is yet another important point of the article. The idea is to find ways to get users to do well by doing good. To the extent that we can make that happen, we will make better security policies.

michael