Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 17 Mar 2010 22:02:34 +0000
Your assumption is users can make an informed choice. My assumption is users will not inform you of the deviation from current policy. If your security governance allows users to make the choice, then so be it. The institution has accepted the risk the users will make the wrong choice. If this is not the case then users should not be making the choice. It has been my experience that users will choose the lower cost and higher risk option because the risk is an externality to them.

-Eric
Sent via BlackBerry by AT&T

-----Original Message-----
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 17 Mar 2010 14:08:41
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On 3/17/10 1:22 PM, John Nunnally wrote:
Exactly, Eric! Students are one thing, but faculty and staff are EMPLOYEES. They are no more "right" to ignore security recommendations, than they are to ignore any other corporate policies. Are they "right" to ignore personnel policies or parking regulations because they don't see any reason for them? I think the point is that we will see better results from our efforts by making policies that make sense and are easy for end users to buy into. But regardless of what those policies might be, employees should comply or appeal, not ignore.
The point of the article is to examine various incentives that users face. Everyone has an incentive to do the "right" thing, some more than others and depending on the "right"ness of what the institution is doing. Whether the "right" thing is overridden by other incentives is exactly what security leaders at campuses must be cognizant of.

As an example, directly related to my point, is it "right" for a user to take an action that *better* manages risk and does so at lower cost than the action that is mandated by policy? An example, which you seem to be getting at is, is it "right" for a user to minimize their own personal (or even their departmental) risk *and* cost, while creating negative externalities (like extra risk) for the institution?

Just about everyone on this mailing list would say "no," and I would certainly not disagree. Whether our collective "no" has any bearing on what the users do is yet another important point of the article. The idea is to find ways to get users to do well by doing good. To the extent that we can make that happen, we will make better security policies.

michael