Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 17 Mar 2010 13:56:40 -0700
On 3/17/10 11:51 AM, Eric Case wrote:
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Sinatra
> Sent: Wednesday, March 17, 2010 11:25 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Are users right in rejecting security advice?
>
> I agree completely that it's more useful to communicate risks than to have rigid policies. That allows the users to put in compensating controls that fit their needs.

Is it then ok if the user accepts more risk than the institution is willing to accept?
Your question doesn't actually relate to my quote above, which referred to the risks that the institution recognizes to itself. Your question IS relevant to my second paragraph (not quoted by you) where I discuss "monetizing" user-generated externalities and trying to capture them in the market.

Here is the answer: If the externality is captured, yes. That's the whole point. Extra risk can be managed if the institution understands the economic incentives and can properly modify them.

Here's an example: The central IT organization provides database services for campus users. They know they need to take extra care if users have trigger-notifying data on the system. They could enforce a policy whereby users are not allowed to have TND (which might actually cause some users to work around the policy), or they could provide a fee schedule whereby the costs of TND storage are paid by the entities that derive the benefit, while creating incentives to minimize TND. Heck, you could even have a cap-and-trade system if it doesn't get too complicated.

Mind you, I am not a free-market fundamentalist and I recognize that there are limitations to this approach. But I also recognize that such economic incentives cannot be ignored and they cannot *effectively* be overcome merely by fiat of policy. I see way too much of that in higher ed security right now.

michael