Re: Are users right in rejecting security advice?

["Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>]

I would argue that faculty, students and staff would each evaluate risk differently. So, a system that crosses all 
groups means that group X makes the risk decision?  
I had my coffee - just being cantakerous today. :-)


----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Wed Mar 17 10:30:18 2010
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Isn't the real issue one of accurate communication of risk?  In the 15  
months I've now spend with an educational institution, it seems to me  
that communicating risk effectively is more important than specifying  
policies and procedures.  As long as a user understands the risk of  
something (e.g. surfing the web from an Administrator-level account)  
then they can make a valid determination about how they should (or  
perhaps should not) change their behavior.

Then again, I might just need more coffee...

-Vik




On Mar 16, 2010, at 14:32 , Allison Dolan wrote:

> I think part of the point of the article was to focus on those  
> things that really matter in terms of security and which are easy  
> for people to remember/follow -  something like 'never put your  
> password in an email, not matter who's asking' would seem to be an  
> example of 'good' security advice.
>
> ......Allison  Dolan (617-252-1461)
>
>
>
> On Mar 16, 2010, at 11:29 AM, Stanclift, Michael wrote:
>
> > I would love to just be able to bill users in man hours required  
> > for us cleaning up mail queues after their account is compromised  
> > and turned into a spambot, or time spent trying to remove us from  
> > blacklists, etc. If they were getting $500 in campus mail to their  
> > department, or to them personally, they would probably think  
> > differently next time about replying to an email with their  
> > password in it.
> >
> > Michael Stanclift | Network Analyst | Computer Services
> > Rockhurst University | 1100 Rockhurst Road, Kansas City, MO 64110
> > Phone: 816.501.4231 | Fax: 816.501.4014 | http://help.rockhurst.edu
> >
> > PHelp keep our campus green, think before you print!
> > ÏRUCS will never ask you for your password!
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU 
> > ] On Behalf Of Mclaughlin, Kevin (mclaugkl)
> > Sent: Tuesday, March 16, 2010 10:22 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Are users right in rejecting security advice?
> >
> > Hi All:
> >
> > So I read this right after I read the FBI IC3 Report that shows the  
> > amount of dollar loss in the U.S. doubling from 2008 – 2009 (265m  
> > to 559m) – and yes, I know there are a lot of variables and  
> > intangibles in those numbers please don’t respond yet again with  
> > those citations ; the bottom line is that these ARE large numbers  
> > of reported loss.   Then I read the blog on Dr. Hurley’s paper and  
> > once again just have to shake my head and wonder when we are going  
> > to get it as a society.   I’m not going to rant or go on for a long  
> > time – I’ll just say this:
> >
> > I bet when the end users are held 100% liable for ALL the money  
> > they lose or freely give to blackhats by not following good  
> > security practices that we will then see a shift in how much  
> > interest and participation they take in using the safe-guards we’ve  
> > been asking them to use for years.  (right now financial  
> > institutions are accepting a lot of the $ loss;  however, that is  
> > already starting to change).
> >
> > Allison – don’t get me wrong I enjoyed the read and definitely  
> > appreciated you posting it as it does a great job at providing  
> > insights into different (non-security) thought processes.
> >
> >
> > - Kevin
> >
> >
> > Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master  
> > Certified
> > Assistant Vice President, Information Security & Special Projects
> > University of Cincinnati
> > 513-556-9177
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU 
> > ] On Behalf Of Allison Dolan
> > Sent: Tuesday, March 16, 2010 11:03 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] Are users right in rejecting security advice?
> >
> > A rather provocative column re: the cost/benefit of many pieces of  
> > security advice.  Some points worth considering when planning  
> > security awareness training...
> >
> > http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036
> >
> > ......Allison  Dolan (617-252-1461)

-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326

Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/