Comments on: Data Privacy and Security – closing the stable door? http://steve-dale.net/2008/09/22/data-privacy-and-security-closing-the-stable-door/ Perceptions about learning and sharing in a virtual world by Steve Dale Tue, 13 Jul 2010 07:16:10 +0200 http://wordpress.org/?v=2.8.4 hourly 1 By: Steve Dale http://steve-dale.net/2008/09/22/data-privacy-and-security-closing-the-stable-door/comment-page-1/#comment-311 Steve Dale Tue, 23 Sep 2008 06:08:31 +0000 http://steve-dale.net/?p=255#comment-311 Steph - thanks for the comments. Sensible perspective as always. There's a good point you make about reducing the options to err, which to me means understanding the areas of (security) weakness. For example, forcing users to change strong passwords every two months will only encourage them to write the passwords down somewhere - thus defeating the original objective. You can't write policies or deploy security techniques in complete isolation from the system user. Steph – thanks for the comments. Sensible perspective as always. There’s a good point you make about reducing the options to err, which to me means understanding the areas of (security) weakness. For example, forcing users to change strong passwords every two months will only encourage them to write the passwords down somewhere – thus defeating the original objective. You can’t write policies or deploy security techniques in complete isolation from the system user.

]]> By: Steph http://steve-dale.net/2008/09/22/data-privacy-and-security-closing-the-stable-door/comment-page-1/#comment-310 Steph Mon, 22 Sep 2008 21:26:08 +0000 http://steve-dale.net/?p=255#comment-310 Amen. I think there are two jobs being done though. First, getting the policies designed and in place so that the organisation can justifiably say that it has recognised the issue and taken steps to address it, and taking away the 'I didn't know X was against the rules' defence from foolish or malicious staff. It makes managers sleep easier, but as you say, it really shouldn't because it doesn't mean that disasters are any less likely. So second - the 80% - is actually changing the culture within the framework created by the policy (but in reality, pretty much independently of it) so that people behave in different ways. I'm struggling with this one a bit myself in a different field, but for the example you cite I think it involves reducing the options to err (encryption, password rules etc), making compliance easy (password rules that humans can cope with, templates and tools that save time), formal training for people who like that kind of thing, self-paced online learning for people who like *that* kind of thing, and coaching/'superusers' for people who only learn when the person next to them shows them over and over. And maybe some figurative skulls on pikestaffs too to show the consequences of disaster? Amen. I think there are two jobs being done though. First, getting the policies designed and in place so that the organisation can justifiably say that it has recognised the issue and taken steps to address it, and taking away the ‘I didn’t know X was against the rules’ defence from foolish or malicious staff. It makes managers sleep easier, but as you say, it really shouldn’t because it doesn’t mean that disasters are any less likely.

So second – the 80% – is actually changing the culture within the framework created by the policy (but in reality, pretty much independently of it) so that people behave in different ways. I’m struggling with this one a bit myself in a different field, but for the example you cite I think it involves reducing the options to err (encryption, password rules etc), making compliance easy (password rules that humans can cope with, templates and tools that save time), formal training for people who like that kind of thing, self-paced online learning for people who like *that* kind of thing, and coaching/’superusers’ for people who only learn when the person next to them shows them over and over. And maybe some figurative skulls on pikestaffs too to show the consequences of disaster?

]]>