Educause Security Discussion mailing list archives
Re: stopping students sharing their login credentials
From: "James M. Dutcher - Assoc of IS/IT & CIO" <james.dutcher () SUNYORANGE EDU>
Date: Mon, 26 Jan 2009 00:22:12 +0000
Neil...good points...in relation to the "empty patrol car" reference, I heard of a stat some time ago where a dept store chain experienced an 80% drop in shoplifting by simply putting up/staging full size cut-out posters of police officers. I wish I could remember the exact details. Too, I've yet to see an electronic version of this....Jim Dutcher Sent from my Verizon Wireless BlackBerry -----Original Message----- From: Neil Sindicich <neilsin () KSU EDU> Date: Sun, 25 Jan 2009 18:15:07 To: <SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] stopping students sharing their login credentials This assumes two things: 1. That everyone breaks every policy because they think that they can. That an individual looks at a policy and says, "Hey, they'll never be able to catch me if I do this..." and then they deliberately break the policy. 2. That we can't actually catch the people who are sharing their passwords, ever. Most people, when they are told what the rule is, don't seek to break it. Those that do are the x-factor that no policy or law will protect you from. So, we move on to number two... We have already been given an example where a students credentials were used by someone other than the student. A little bit of sleuthing will tell us that either (a) someone gained unauthorized access or (b) the student gave the information out deliberately to someone else. In either case, our sleuthing will direct us to question the student. And here we are, paying attention to our networks and policing them if something goes wrong. If we find that someone gained unauthorized access the account information we won't likely discipline a student, and after questioning the account holder on the matter and determine that they gave out the information then we have done our job in policing the situation. This gives us the same deterrent effect of that police officer sitting in his patrol car in the shrubs... The next step here would be to replicate the effect of the empty parked patrol car... Cheers, Neil Sindicich Cyber-Security Analyst Kansas State University email: neilsin () ksu edu phone: (785) 532-2598 Valdis Kletnieks wrote:
On Fri, 23 Jan 2009 10:52:35 EST, "James M. Dutcher - Assoc. VP IS/IT & CIO" said:Take for example highway "speed limits". There is not enough police/surveillance in place to ensure that everyone complies with it. But there is some in place to catch folks so as to (hopefully) keep the rest of the drivers in compliance.On Fri, 23 Jan 2009 13:22:23 EST, Gary Flynn said:randy marchany wrote:One should never put in a policy/standard any item that can not be enforced.I've heard that opinion espoused several times and I don't understand it.The crucial point is that the speed limit *can* be enforced - every driver going down the interstate *knows* there aren't enough cops to enforce every mile of the highway, but there *are* enough to make it *possible* that the next bit of shrubbery by the side of the road may have a trooper behind it, and if their radar gun goes 'PING', you *will* have a very unpleasant 15 minutes on the side of the road getting a ticket, and you will have a hard time beating the rap. Contrast this to a law that says "You may not drive on this highway on Wednesdays wearing purple underwear, or on Thursdays wearing paisley", where there is no feasible *practical* method for enforcing it, even on a semi-random basis the way speed traps and truck weigh stations are done. Consider how well-received the average DWI sobriety checkpoint is - how would you *enforce* an underwear law? It's one thing to write a policy that everybody knows that you *can* catch the offenders, even if you actually bother to do so only 5% of the time. It's something else to write a policy when it's widely known that you have *no* way of catching offenders.
Current thread:
- Re: stopping students sharing their login credentials, (continued)
- Re: stopping students sharing their login credentials Mike Wiseman (Jan 23)
- Re: stopping students sharing their login credentials Charlie Reitsma (Jan 23)
- Re: stopping students sharing their login credentials Neil Sindicich (Jan 23)
- Re: stopping students sharing their login credentials Barros, Jacob (Jan 23)
- Re: stopping students sharing their login credentials Basgen, Brian (Jan 23)
- Re: stopping students sharing their login credentials Brad Judy (Jan 23)
- Re: stopping students sharing their login credentials Charlie Reitsma (Jan 23)
- Re: stopping students sharing their login credentials Gary Flynn (Jan 23)
- Re: stopping students sharing their login credentials Valdis Kletnieks (Jan 23)
- Re: stopping students sharing their login credentials Neil Sindicich (Jan 25)
- Re: stopping students sharing their login credentials James M. Dutcher - Assoc of IS/IT & CIO (Jan 25)