Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 17 Mar 2010 14:11:06 -0700

-----Original Message-----
From: Michael Sinatra [mailto:michael () rancid berkeley edu]
Sent: Wednesday, March 17, 2010 1:57 PM
To: The EDUCAUSE Security Constituent Group Listserv
Cc: Eric Case
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On 3/17/10 11:51 AM, Eric Case wrote:
Is it then ok if the user accepts more risk than the institution is willing
to accept?

Your question doesn't actually relate to my quote above, which referred
to the risks that the institution recognizes to itself.  Your question
IS relevant to my second paragraph (not quoted by you) where I discuss
"monetizing" user-generated externalities and trying to capture them in
the market.  Here is the answer:

If the externality is captured, yes.  That's the whole point.  Extra
risk can be managed if the institution understands the economic
incentives and can properly modify them.

Here's an example: The central IT organization provides database
services for campus users.

Unless the users take on the extra risk of running their own db, with or
maybe without patches, a blank SA password, etc.  This is what I'm talking
about.  The users accepting more risk than the institution is willing to
accept?  You know.  "It's my grant and my grad student will take care of the
server."
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase