Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 17 Mar 2010 22:02:34 +0000

Your assumption is users can make an informed choice.  My assumption is users will not inform you of the deviation from 
current policy.  If your security governance allows users to make the choice, then so be it.  The institution has 
accepted the risk the users will make the wrong choice.  If this is not the case then users should not be making the 
choice.

It has been my experience that users will choose the lower cost and higher risk option because the risk is an 
externality to them.
-Eric



-----Original Message-----
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 17 Mar 2010 14:08:41
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On 3/17/10 1:22 PM, John Nunnally wrote:
> Exactly, Eric!  Students are one thing, but faculty and staff are EMPLOYEES.
> They are no more "right" to ignore security recommendations than they are
> to ignore any other corporate policies.  Are they "right" to
> ignore personnel policies or parking regulations because they don't see any
> reason for them?
>
> I think the point is that we will see better results from our efforts by
> making policies that make sense and are easy for end users to buy into.  But
> regardless of what those policies might be, employees should comply or
> appeal, not ignore.

The point of the article is to examine various incentives that users 
face.  Everyone has an incentive to do the "right" thing, some more than 
others and depending on the "right"ness of what the institution is 
doing.  Whether the "right" thing is overridden by other incentives is 
exactly what security leaders at campuses must be cognizant of.

As an example, directly related to my point, is it "right" for a user to 
take an action that *better* manages risk and does so at lower cost than 
the action that is mandated by policy?

An example, which you seem to be getting at, is: is it "right" for a user 
to minimize their own personal (or even their departmental) risk *and* 
cost, while creating negative externalities (like extra risk) for the 
institution?  Just about everyone on this mailing list would say "no," 
and I would certainly not disagree.  Whether our collective "no" has any 
bearing on what the users do is yet another important point of the article.

The idea is to find ways to get users to do well by doing good.  To the 
extent that we can make that happen, we will make better security policies.

michael
