Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 17 Mar 2010 14:08:41 -0700

On 3/17/10 1:22 PM, John Nunnally wrote:
Exactly, Eric!  Students are one thing, but faculty and staff are EMPLOYEES.
They are no more "right" to ignore security recommendations, than they are
to ignore any other corporate policies.  Are they "right" to
ignore personnel policies or parking regulations because they don't see any
reason for them?

I think the point is that we will see better results from our efforts by
making policies that make sense and are easy for end users to buy into.  But
regardless of what those policies might be, employees should comply or
appeal, not ignore.

The point of the article is to examine various incentives that users
face.  Everyone has an incentive to do the "right" thing, some more than
others and depending on the "right"ness of what the institution is
doing.  Whether the "right" thing is overridden by other incentives is
exactly what security leaders at campuses must be cognizant of.

As an example, directly related to my point, is it "right" for a user to
take an action that *better* manages risk and does so at lower cost than
the action that is mandated by policy?

An example, which you seem to be getting at, is: is it "right" for a user
to minimize their own personal (or even their departmental) risk *and*
cost, while creating negative externalities (like extra risk) for the
institution?  Just about everyone on this mailing list would say "no,"
and I would certainly not disagree.  Whether our collective "no" has any
bearing on what the users do is yet another important point of the article.

The idea is to find ways to get users to do well by doing good.  To the
extent that we can make that happen, we will make better security policies.

michael
