Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: "Stanclift, Michael" <michael.stanclift () ROCKHURST EDU>
Date: Tue, 16 Mar 2010 10:29:12 -0500

I would love to just be able to bill users in man hours required for us cleaning up mail queues after their account is 
compromised and turned into a spambot, or time spent trying to remove us from blacklists, etc. If they were getting 
$500 in campus mail to their department, or to them personally, they would probably think differently next time about 
replying to an email with their password in it.

Michael Stanclift | Network Analyst | Computer Services
Rockhurst University | 1100 Rockhurst Road, Kansas City, MO 64110
Phone: 816.501.4231 | Fax: 816.501.4014 | http://help.rockhurst.edu

Help keep our campus green, think before you print!
RUCS will never ask you for your password!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Mclaughlin, Kevin (mclaugkl)
Sent: Tuesday, March 16, 2010 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Hi All:

So I read this right after I read the FBI IC3 Report that shows the amount of dollar loss in the U.S. doubling from 
2008 - 2009 (265m to 559m) - and yes, I know there are a lot of variables and intangibles in those numbers, please don't 
respond yet again with those citations; the bottom line is that these ARE large numbers of reported loss. Then I 
read the blog on Dr. Hurley's paper and once again just have to shake my head and wonder when we are going to get it as 
a society. I'm not going to rant or go on for a long time - I'll just say this:

I bet when the end users are held 100% liable for ALL the money they lose or freely give to blackhats by not following 
good security practices that we will then see a shift in how much interest and participation they take in using the 
safeguards we've been asking them to use for years. (Right now financial institutions are accepting a lot of the $ 
loss; however, that is already starting to change.)

Allison - don't get me wrong I enjoyed the read and definitely appreciated you posting it as it does a great job at 
providing insights into different (non-security) thought processes.


- Kevin


Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison 
Dolan
Sent: Tuesday, March 16, 2010 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Are users right in rejecting security advice?

A rather provocative column re: the cost/benefit of many pieces of security advice.  Some points worth considering when 
planning security awareness training...

http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036
......Allison  Dolan (617-252-1461)



