Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Patrick Ouellette <ouellep () ALGONQUINCOLLEGE COM>
Date: Wed, 17 Mar 2010 16:44:59 -0400
But there has to be a known/viable buy-in from management - we've got a situation here where the policy is so loose you could drive a Mack truck through it sideways and not hit a bloody thing because of lack of support over time from Management. It goes further than that, but it contributed to it badly. And, if on top of that the consequences are illogical, impossible to enforce or known to never have been applied, the whole document is worth less than the paper it's printed on... Case of perception of "well, why not - the likelihood something will be done is obviously low". It constantly amazes me what people think they can get away with (or at least try) until they get that smack-on-the-hand reaction.

On the other hand, I completely agree with the "make sense" part - for users to buy into it, it has to be clear where the line is and what the limits are. But even with education, training and repetition, we all know there are some "users" who will do what they want regardless.

So one suggestion that was made from an external source was to have the "New Employee Guidance" course have that info in it, and have a sign-in list. That way, when they say "but I didn't know", you take out the sheet and can say "gee, it was covered in the course you took on x/y/z. I guess you didn't take it seriously and/or were sleeping that day?" :)

Sincerely,
Patrick Ouellette
Algonquin College - School of Advanced Technology
Program Coordinator: Computer Systems Technician & Technology - Networking / Security Programs
Professor - Computer Studies Department

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Nunnally
Sent: March-17-10 4:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Exactly, Eric! Students are one thing, but faculty and staff are EMPLOYEES. They are no more "right" to ignore security recommendations than they are to ignore any other corporate policies. Are they "right" to ignore personnel policies or parking regulations because they don't see any reason for them? I think the point is that we will see better results from our efforts by making policies that make sense and are easy for end users to buy into. But regardless of what those policies might be, employees should comply or appeal, not ignore.

John N.

On Wed, Mar 17, 2010 at 1:51 PM, Eric Case <ecase () email arizona edu> wrote:
I agree completely that it's more useful to communicate risks than to have rigid policies. That allows the users to put in compensating controls that fit their needs.

Is it then ok if the user accepts more risk than the institution is willing to accept?

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase