Re: Security Awareness Programs

[Von Welch <von () VONWELCH COM>]

> Why does Higher Education make students, their customers, change their password? 

Suggested reading:

http://research.microsoft.com/apps/pubs/?id=132623

Where Do Security Policies Come From?
dinei Florencio and cormac herley
June 2010

We examine the password policies of 75 different web-sites. Our goal is understand the enormous diversity of 
requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their 
users. We compare different features of the sites to find which characteristics are correlated with stronger policies. 
Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of 
users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we 
find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. 
Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice 
show strong inverse correlation with strength.

We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are 
simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must 
compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury 
they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is 
superfluous: it causes considerable inconvenience for negligible security improvement.



On Apr 2, 2014, at 3:49 PM, Mike Cunningham <mike.cunningham () PCT EDU> wrote:

> I have a philosophical question for this group... 
>
> My bank never requires me, their customer, to ever change my password
> My credit union never requires me, their customer, to ever change my password
> My health insurance company never requires me, their customer, to ever change my password
> My investment web site, my credit card bank, my online prescription site, my hotel rewards account, my airline 
> rewards account, my daughters school district, never requires me to ever change my password
>
> Why does Higher Education make students, their customers, change their password? 
> Would it be better to not require it and teach them why they should instead?  
>
> Mike Cunningham
> VP of Information Technology Services/CIO
> Pennsylvania College of Technology
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, 
> Gary - flynngn
> Sent: Wednesday, April 02, 2014 3:41 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security Awareness Programs
>
> JMU policy requires password changes every 90 days.
>
> Our password change process includes having to click through captive web
> pages containing security awareness content.
>
> We do not track progress. People may click through without reading it. We
> know based on feedback that some do. OTOH we know based on feedback that
> some don't.
>
> It is all custom code and content. Content is based on role and whether it
> is the first time through.
>
> new applicants (one page on phishing and AUP)
> new/returning student
> new/returning employee/affiliate
> graduate (one page on phishing and AUP)
>
> Content for new folks is relatively constant. It hasn't changed much over
> the years.
>
> Content for returning folks changes about once a semester. 
>
> We've been doing this for around ten years.
>
> People are sent an email message after the password change indicating the
> change and providing a link to provide feedback for the security awareness
> content. Feedback has been mixed. Sometimes, uh, colorful and often
> associated with  the requirement to change passwords. Sometimes quite
> positive and/or constructive.
>
> Gary Flynn
> Security Engineer
> James Madison University
> Don't Be A PHISH!
> IsItReal?
> http://www.jmu.edu/computing/ittraining/SIGUCCS/story.html
>
>
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Lundstedt
> > Sent: Wednesday, April 02, 2014 3:33 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] Security Awareness Programs
> >
> > Hi All,
> >
> >
> >
> > Curious on what others are doing to 'get the word out' on their campuses.
> > What approaches seem to work best from both an initial push out on a new
> > subject or with a new program, to keeping things up to date with
> > acknowledgements, visibility, &c?
> >
> >
> >
> > From a product point of view, we've explored the SANS Securing the Human
> > series among a few others, but the lack of customization and integration
> into
> > HR training modules is steering us away.  Experiences there?
> >
> >
> >
> > Peter Lundstedt
> >
> > SECURITY ANALYST 2, INFRASTRUCTURE & SECURITY SERVICES
> >
> >
> >
> > oit