Educause Security Discussion mailing list archives

Re: Response to phishing e-mails


From: Robert Meyers <REMeyers () MAIL WVU EDU>
Date: Wed, 29 Oct 2014 13:01:58 +0000

“99% of our problem is students; we require a one-on-one sit down security talk with students if we’ve found that 
they have responded. Yet we’ve even had repeat offenders.” [emphasis mine]

“Blaming the users” doesn’t enter into it.  It’s a simple matter of observing normal human behavior. Walls around the 
world are replete with fresh fingerprints immediately below the big sign that says, “WET PAINT!”  That doesn’t stop us 
from warning and educating, but the reality is that we will always be mitigating the aftermath of users ignoring both.


Bob Meyers
remeyers () mail wvu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nick Semenkovich
Sent: Tuesday, October 28, 2014 5:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Response to phishing e-mails

Ouch -- there's nothing to gain by blaming your users.

Why would students care about a school e-mail they may rarely use, perhaps didn't want, and will likely disappear in a 
few years? Because it impacts some external spam score metric that's of little importance to them?

I'm always reminded of this Microsoft Research paper when it comes to user phishing education: 
http://research.microsoft.com/pubs/80436/SoLongAndNoThanks.pdf


User-education is a time sink that never ends. Implement good two-factor and phishing is a ~non-issue.

- Nick

On Tue, Oct 28, 2014 at 4:05 PM, Robert Meyers <REMeyers () mail wvu edu> wrote:
Some people refuse to change. They are too invested in bad decision making to even consider any other possibility.


Bob Meyers
remeyers () mail wvu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Tuesday, October 28, 2014 4:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Response to phishing e-mails

How has the response to this been? Our problem is those most likely to respond to a phishing attempt will do it before 
we can do anything about it. They’re also not likely to check against a list of phishing attempts. 99% of our problem 
is students; we require a one-on-one sit down security talk with students if we’ve found that they have responded. Yet 
we’ve even had repeat offenders. I (only half jokingly) suggest that the 3rd offence should involve removing all 
computer privileges and handing them a yellow legal pad and a pen as that is all they can be trusted with.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564





--
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
https://nick.semenkovich.com/
