Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: John Nunnally <jnunnally () HARDING EDU>
Date: Wed, 17 Mar 2010 15:22:45 -0500

Exactly, Eric!  Students are one thing, but faculty and staff are EMPLOYEES.
They are no more "right" to ignore security recommendations than they are
to ignore any other corporate policies.  Are they "right" to
ignore personnel policies or parking regulations because they don't see any
reason for them?

I think the point is that we will see better results from our efforts by
making policies that make sense and are easy for end users to buy into.  But
regardless of what those policies might be, employees should comply or
appeal, not ignore.

John N.

On Wed, Mar 17, 2010 at 1:51 PM, Eric Case <ecase () email arizona edu> wrote:

I agree completely that it's more useful to communicate risks than to
have rigid policies.  That allows the users to put in compensating
controls that fit their needs.

Is it then ok if the user accepts more risk than the institution is willing
to accept?
-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

