Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 17 Mar 2010 14:11:06 -0700
-----Original Message----- From: Michael Sinatra [mailto:michael () rancid berkeley edu] Sent: Wednesday, March 17, 2010 1:57 PM To: The EDUCAUSE Security Constituent Group Listserv Cc: Eric Case Subject: Re: [SECURITY] Are users right in rejecting security advice? On 3/17/10 11:51 AM, Eric Case wrote:Is it then ok if the user accepts more risk than the institution iswillingto accept?Your question doesn't actually relate to my quote above, which referred to the risks that the institution recognizes to itself. Your question IS relevant to my second paragraph (not quoted by you) where I discuss "monetizing" user-generated externalities and trying to capture them in the market. Here is the answer: If the externality is captured, yes. That's the whole point. Extra risk can be managed if the institution understands the economic incentives and can properly modify them. Here's an example: The central IT organization provides database services for campus users.
Unless the users take on the extra risk of running their own db, with or maybe without patches, a blank SA password, etc. This is what I'm talking about. The users accepting more risk than the institution is willing to accept? You know. "It's my grant and my grad student will take care of the server." -Eric Eric Case, CISSP eric (at) ericcase (dot) com http://www.linkedin.com/in/ericcase
Current thread:
- Re: Are users right in rejecting security advice?, (continued)
- Re: Are users right in rejecting security advice? Patrick Ouellette (Mar 17)
- Re: Are users right in rejecting security advice? Jansen, Morgan R. (Mar 17)
- Re: Are users right in rejecting security advice? Dick Jacobson (Mar 17)
- Re: Are users right in rejecting security advice? John Nunnally (Mar 17)
- Re: Are users right in rejecting security advice? Eric Case (Mar 17)
- Re: Are users right in rejecting security advice? Patrick Ouellette (Mar 17)
- Re: Are users right in rejecting security advice? Roger Safian (Mar 17)
- Re: Are users right in rejecting security advice? Michael Sinatra (Mar 17)
- Re: Are users right in rejecting security advice? Ken Connelly (Mar 17)
- Re: Are users right in rejecting security advice? Michael Sinatra (Mar 17)
- Re: Are users right in rejecting security advice? Eric Case (Mar 17)
- Re: Are users right in rejecting security advice? Steven Alexander (Mar 17)
- Re: Are users right in rejecting security advice? Justin Azoff (Mar 17)
- Re: Are users right in rejecting security advice? Michael Sinatra (Mar 17)
- Re: Are users right in rejecting security advice? Eric Case (Mar 17)
- Re: Are users right in rejecting security advice? Eric Case (Mar 17)
- Re: Are users right in rejecting security advice? Dennis Meharchand (Mar 17)
- Re: Are users right in rejecting security advice? Jansen, Morgan R. (Mar 17)
- Re: Are users right in rejecting security advice? Katie Weaver (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
(Thread continues...)