Educause Security Discussion mailing list archives

FW: Are users right in rejecting security advice?


From: "Lazarus, Carolann" <lazarus () BUFFALO EDU>
Date: Fri, 19 Mar 2010 10:17:59 -0400

I'm stepping in late here - I just returned from an auditing conference and there were many good points made on 
workable and reasonable policies which relate very well with many of the points made here.  I thought I'd share one 
example.  Many places have a policy that users are not allowed to share their passwords, and many auditors will even 
recommend this.  But, the instructor pointed out, how is this enforceable?  Unless you have a camera on the exact 
workstation and so can definitively prove that someone else was sitting there at the exact time that the userid and 
password were entered for that IP address, you can't really enforce it.  And really, there may be legitimate exceptions 
to that policy.  Instead, you need to come up with something else, like a policy making everyone responsible for 
anything that happens under their UID and password.  And of course, you really need to have awareness training so they 
understand the risks.  Just an FYI and another thought.

As for some of the comments on stupid audit checklist questions, yeah, sometimes they seem pretty dumb, but I gotta 
tell you there have been too many times when the "duh" questions came back with the unexpected answer.  Not every sys 
admin (or someone assigned those duties) has a good understanding of security basics.  When I'm doing basic checklist 
work I can usually tell who the clueless are, and for those who are not clueless I make sure they know that I 
understand that many of these questions will seem pretty obvious.  These checklist sessions give me a good idea on who 
I need to go back and do a more thorough review on, and ask those follow-up questions. 

(and yes, there are auditors out there who don't understand why they are asking the questions, just like there are 
incompetents in every profession, it just seems more noticeable in an auditor)

Carolann G Lazarus
(IT Auditor)
lazarus () buffalo edu
(716)829-6947


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
Sent: Wednesday, March 17, 2010 6:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Your assumption is users can make an informed choice.  My assumption is users will not inform you of the deviation from 
current policy.  If your security governance allows users to make the choice, then so be it.  The institution has 
accepted the risk the users will make the wrong choice.  If this is not the case then users should not be making the 
choice.

It has been my experience that users will choose the lower cost and higher risk option because the risk is an 
externality to them.  
-Eric


Sent via BlackBerry by AT&T

-----Original Message-----
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 17 Mar 2010 14:08:41
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On 3/17/10 1:22 PM, John Nunnally wrote:
> Exactly, Eric!  Students are one thing, but faculty and staff are EMPLOYEES.
> They are no more "right" to ignore security recommendations, than they are
> to ignore any other corporate policies.  Are they "right" to
> ignore personnel policies or parking regulations because they don't see any
> reason for them?
>
> I think the point is that we will see better results from our efforts by
> making policies that make sense and are easy for end users to buy into.  But
> regardless of what those policies might be, employees should comply or
> appeal, not ignore.

The point of the article is to examine various incentives that users 
face.  Everyone has an incentive to do the "right" thing, some more than 
others and depending on the "right"ness of what the institution is 
doing.  Whether the "right" thing is overridden by other incentives is 
exactly what security leaders at campuses must be cognizant of.

As an example, directly related to my point, is it "right" for a user to 
take an action that *better* manages risk and does so at lower cost than 
the action that is mandated by policy?

An example, which you seem to be getting at, is: is it "right" for a user 
to minimize their own personal (or even their departmental) risk *and* 
cost, while creating negative externalities (like extra risk) for the 
institution?  Just about everyone on this mailing list would say "no," 
and I would certainly not disagree.  Whether our collective "no" has any 
bearing on what the users do is yet another important point of the article.

The idea is to find ways to get users to do well by doing good.  To the 
extent that we can make that happen, we will make better security policies.

michael
