Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 17 Mar 2010 11:24:45 -0700
On 3/17/10 7:30 AM, Vik Solem wrote:
> Isn't the real issue one of accurate communication of risk? In the 15 months I've now spent with an educational institution, it seems to me that communicating risk effectively is more important than specifying policies and procedures. As long as a user understands the risk of something (e.g. surfing the web from an Administrator-level account) then they can make a valid determination about how they should (or perhaps should not) change their behavior.
I agree completely that it's more useful to communicate risks than to have rigid policies. That allows the users to put in compensating controls that fit their needs. However, the point of the article runs deeper than that. There are clear, rational, economic disincentives to follow some of the typical top-down security policies that campuses have. Rather than create more policies, it may be useful to attempt to monetize the externalities that users create through their own bad security practices and fold them back into the "market."

michael