Re: Are users right in rejecting security advice?

["Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>]

Hi All:

So I read this right after I read the FBI IC3 Report that shows the amount of dollar loss in the U.S. doubling from 
2008 - 2009 (265m to 559m) - and yes, I know there are a lot of variables and intangibles in those numbers please don't 
respond yet again with those citations ; the bottom line is that these ARE large numbers of reported loss.   Then I 
read the blog on Dr. Hurley's paper and once again just have to shake my head and wonder when we are going to get it as 
a society.   I'm not going to rant or go on for a long time - I'll just say this:

I bet when the end users are held 100% liable for ALL the money they lose or freely give to blackhats by not following 
good security practices that we will then see a shift in how much interest and participation they take in using the 
safe-guards we've been asking them to use for years.  (right now financial institutions are accepting a lot of the $ 
loss;  however, that is already starting to change).

Allison - don't get me wrong I enjoyed the read and definitely appreciated you posting it as it does a great job at 
providing insights into different (non-security) thought processes.


- Kevin


Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison 
Dolan
Sent: Tuesday, March 16, 2010 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Are users right in rejecting security advice?

A rather provocative column re: the cost/benefit of many pieces of security advice.  Some points worth considering when 
planning security awareness training...

http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036
......Allison  Dolan (617-252-1461)