Re: stopping students sharing their login credentials

["James M. Dutcher - Assoc of IS/IT & CIO" <james.dutcher () SUNYORANGE EDU>]

Neil...good points...in relation to the "empty patrol car" reference, I heard of a stat some time ago where a dept 
store chain experienced an 80% drop in shoplifting by simply putting up/staging full size cut-out posters of police 
officers.   I wish I could remember the exact details.  Too, I've yet to see an electronic version of this....Jim 
Dutcher
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From:         Neil Sindicich <neilsin () KSU EDU>

Date:         Sun, 25 Jan 2009 18:15:07 
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] stopping students sharing their login credentials


This assumes two things:

1. That everyone breaks every policy because they think that they can.  
That an individual looks at a policy and says, "Hey, they'll never be 
able to catch me if I do this..." and then they deliberately break the 
policy.

2. That we can't actually catch the people who are sharing their 
passwords, ever.

Most people, when they are told what the rule is, don't seek to break 
it.  Those that do are the x-factor that no policy or law will protect 
you from.

So, we move on to number two... We have already been given an example 
where a students credentials were used by someone other than the 
student.  A little bit of sleuthing will tell us that either (a) someone 
gained unauthorized access or (b) the student gave the information out 
deliberately to someone else.  In either case, our sleuthing will direct 
us to question the student.  And here we are, paying attention to our 
networks and policing them if something goes wrong.

If we find that someone gained unauthorized access the account 
information we won't likely discipline a student, and after questioning 
the account holder on the matter and determine that they gave out the 
information then we have done our job in policing the situation.  This 
gives us the same deterrent effect of that police officer sitting in his 
patrol car in the shrubs...

The next step here would be to replicate the effect of the empty parked 
patrol car...


Cheers,
Neil Sindicich
Cyber-Security Analyst
Kansas State University
email: neilsin () ksu edu
phone: (785) 532-2598



Valdis Kletnieks wrote:
> On Fri, 23 Jan 2009 10:52:35 EST, "James M. Dutcher - Assoc. VP IS/IT & CIO" said:
>
>   
> > Take for example highway "speed limits".  There is not enough
> > police/surveillance in place to ensure that everyone complies with it.  But
> > there is some in place to catch folks so as to (hopefully) keep the rest of
> > the drivers in compliance.
> >     
>
> On Fri, 23 Jan 2009 13:22:23 EST, Gary Flynn said:
>
>   
> > randy marchany wrote:
> >     
> > > One should never put in a policy/standard any item that can not be
> > > enforced.
> > >       
> > I've heard that opinion espoused several times and I don't
> > understand it.
> >     
>
> The crucial point is that the speed limit *can* be enforced - every driver
> going down the interstate *knows* there aren't enough cops to enforce every
> mile of the highway, but there *are* enough to make it *possible* that the next
> bit of shrubbery by the side of the road may have a trooper behind it, and if
> their radar gun goes 'PING', you *will* have a very unpleasant 15 minutes on
> the side of the road getting a ticket, and you will have a hard time beating
> the rap.
>
> Contrast this to a law that says "You may not drive on this highway on
> Wednesdays wearing purple underwear, or on Thursdays wearing paisley", where
> there is no feasible *practical* method for enforcing it, even on a semi-random
> basis the way speed traps and truck weigh stations are done. Consider how
> well-received the average DWI sobriety checkpoint is - how would you *enforce*
> an underwear law?
>
> It's one thing to write a policy that everybody knows that you *can* catch the
> offenders, even if you actually bother to do so only 5% of the time. It's
> something else to write a policy when it's widely known that you have *no* way
> of catching offenders.
>
>