Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 17 Mar 2010 14:08:41 -0700
On 3/17/10 1:22 PM, John Nunnally wrote:
Exactly, Eric! Students are one thing, but faculty and staff are EMPLOYEES. They are no more "right" to ignore security recommendations, than they are to ignore any other corporate policies. Are they "right" to ignore personnel policies or parking regulations because they don't see any reason for them? I think the point is that we will see better results from our efforts by making policies that make sense and are easy for end users to buy into. But regardless of what those policies might be, employees should comply or appeal, not ignore.
The point of the article is to examine various incentives that users face. Everyone has an incentive to do the "right" thing, some more than others and depending on the "right"ness of what the institution is doing. Whether the "right" thing is overridden by other incentives is exactly what security leaders at campuses must be cognizant of.
As an example, directly related to my point, is it "right" for a user to take an action that *better* manages risk and does so at lower cost than the action that is mandated by policy? An example, which you seem to be getting at, is: is it "right" for a user to minimize their own personal (or even their departmental) risk *and* cost, while creating negative externalities (like extra risk) for the institution? Just about everyone on this mailing list would say "no," and I would certainly not disagree. Whether our collective "no" has any bearing on what the users do is yet another important point of the article.
The idea is to find ways to get users to do well by doing good. To the extent that we can make that happen, we will make better security policies.
michael