Educause Security Discussion mailing list archives

Re: stopping students sharing their login credentials


From: Neil Sindicich <neilsin () KSU EDU>
Date: Sun, 25 Jan 2009 18:15:07 -0600

This assumes two things:

1. That everyone breaks every policy because they think that they can.
That an individual looks at a policy and says, "Hey, they'll never be
able to catch me if I do this..." and then they deliberately break the
policy.

2. That we can't actually catch the people who are sharing their
passwords, ever.

Most people, when they are told what the rule is, don't seek to break
it.  Those that do are the x-factor that no policy or law will protect
you from.

So, we move on to number two... We have already been given an example
where a student's credentials were used by someone other than the
student.  A little bit of sleuthing will tell us that either (a) someone
gained unauthorized access or (b) the student gave the information out
deliberately to someone else.  In either case, our sleuthing will direct
us to question the student.  And here we are, paying attention to our
networks and policing them if something goes wrong.

If we find that someone gained unauthorized access to the account
information, we won't likely discipline a student, and after questioning
the account holder on the matter and determining that they gave out the
information, then we have done our job in policing the situation.  This
gives us the same deterrent effect of that police officer sitting in his
patrol car in the shrubs...

The next step here would be to replicate the effect of the empty parked
patrol car...


Cheers,
Neil Sindicich
Cyber-Security Analyst
Kansas State University
email: neilsin () ksu edu
phone: (785) 532-2598



Valdis Kletnieks wrote:
On Fri, 23 Jan 2009 10:52:35 EST, "James M. Dutcher - Assoc. VP IS/IT & CIO" said:


Take for example highway "speed limits".  There is not enough
police/surveillance in place to ensure that everyone complies with it.  But
there is some in place to catch folks so as to (hopefully) keep the rest of
the drivers in compliance.


On Fri, 23 Jan 2009 13:22:23 EST, Gary Flynn said:


randy marchany wrote:

One should never put in a policy/standard any item that can not be
enforced.

I've heard that opinion espoused several times and I don't
understand it.


The crucial point is that the speed limit *can* be enforced - every driver
going down the interstate *knows* there aren't enough cops to enforce every
mile of the highway, but there *are* enough to make it *possible* that the next
bit of shrubbery by the side of the road may have a trooper behind it, and if
their radar gun goes 'PING', you *will* have a very unpleasant 15 minutes on
the side of the road getting a ticket, and you will have a hard time beating
the rap.

Contrast this to a law that says "You may not drive on this highway on
Wednesdays wearing purple underwear, or on Thursdays wearing paisley", where
there is no feasible *practical* method for enforcing it, even on a semi-random
basis the way speed traps and truck weigh stations are done. Consider how
well-received the average DWI sobriety checkpoint is - how would you *enforce*
an underwear law?

It's one thing to write a policy that everybody knows that you *can* catch the
offenders, even if you actually bother to do so only 5% of the time. It's
something else to write a policy when it's widely known that you have *no* way
of catching offenders.


