Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Patrick Ouellette <ouellep () ALGONQUINCOLLEGE COM>
Date: Wed, 17 Mar 2010 16:44:59 -0400

But there has to be a known/viable buy-in from management - we've got a situation here where the policy is so loose you 
could drive a Mack truck through it sideways and not hit a bloody thing because of lack of support over time from 
Management. It goes further than that, but it contributed to it badly.

And, if on top of that the consequences are illogical, impossible to enforce or known to never have been applied, the 
whole document is worth less than the paper it's printed on... Case of perception of "well, why not - the likelihood 
something will be done is obviously low".
It constantly amazes me what people think they can get away with (or at least try) until they get that smack-on-the-hand 
reaction.

On the other hand, I completely agree with the "make sense" part - for users to buy into it, it has to be clear where 
the line is and what the limits are.

But even with education, training and repetition, we all know there are some "users" who will do what they want 
regardless.
So one suggestion that was made from an external source was to have the "New Employee Guidance" course have that info 
in it, and have a sign-in list.

That way, when they say "but I didn't know", you take out the sheet and can say "gee, it was covered in the course you 
took on x/y/x. I guess you didn't take it seriously and/or were sleeping that day?" :)

Sincerely,

Patrick Ouellette
Algonquin College - School of Advanced Technology
Program Coordinator: Computer Systems Technician & Technology - Networking / Security Programs
Professor - Computer Studies Department

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
Nunnally
Sent: March-17-10 4:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?


Exactly, Eric!  Students are one thing, but faculty and staff are EMPLOYEES. They are no more "right" to ignore 
security recommendations, than they are to ignore any other corporate policies.  Are they "right" to ignore personnel 
policies or parking regulations because they don't see any reason for them?

I think the point is that we will see better results from our efforts by making policies that make sense and are easy 
for end users to buy into.  But regardless of what those policies might be, employees should comply or appeal, not 
ignore.

John N.

On Wed, Mar 17, 2010 at 1:51 PM, Eric Case <ecase () email arizona edu> wrote:
I agree completely that it's more useful to communicate risks than to
have rigid policies.  That allows the users to put in compensating
controls that fit their needs.

Is it then ok if the user accepts more risk than the institution is willing
to accept?
-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

________________________________