Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

The Problem With Pundits, Part II.

Ira Winkler, who is normally a smart guy, completely blows it with this article on why ethics should stay out of computer security awareness programs.

Clearly, a good computer security program should help to identify illicit activities, but it is not what it exists to do, and it’s counterproductive to accomplishing the program’s true goals. In too many organizations, computer security has a negative connotation, and its rules (and personnel) seem to exist mainly to mete out punishments for rule infractions.

Well then, Ira, I’d suggest that you’re not doing it right.  Users who are not technically sophisticated also need to be taught why certain behaviors on the computer ARE unethical.  Too many people don’t understand that copying software to multiple computers can be wrong and even illegal.  They don’t see anything wrong with sharing passwords.  They don’t understand that if they’re blogging about confidential information, it’s findable by the whole world, including their employers. 

Underlying practically all security awareness instruction is plain old IT instruction.  It’s needed both within IT and in other parts of the organization.  You simply cannot assume that a developer understands that he shouldn’t build a back door into an application; he may not even realize that it IS a back door until you explain it to him. 

Not only that, but computer security is data security.  You have to explain to people what they are allowed to do with data and why.  A security awareness program is very closely married to confidentiality and legal issues.  Most of the policies created in those areas end up being funneled through my awareness program because it makes sense to do so, and often I’m the one who raises the issues because I end up having to investigate them and deal with their fallout.

My awareness program isn’t all “meting out punishments for rule infractions.”  It’s also education for the users on how to keep themselves secure at home, and how to keep themselves out of trouble in general.  I think it’s better for me to warn them that everything on the network is potentially logged, and that they shouldn’t write anything that they don’t want their co-workers to know about, just in case a legal discovery request forces me to go through their mailbox.  I warn them that they shouldn’t publish anything under their own name on the Internet unless they want it to be searchable by their bosses or employees for the next 20 years.  (One of my guys is STILL giving me grief about a college photo of mine that he found.  It was a Coca-Cola bottle in my hand, I swear!)

And you should never pass up an opportunity to educate users about IT policies that you may be using later as grounds for disciplinary action, termination and/or prosecution.  The Legal, HR and Audit folks will all thank you for it.  You shouldn’t have to say “Don’t impersonate a co-worker,” but you may well have to say, “Don’t send email from someone else’s account; that’s the same as impersonation.”  You may have to explain why stealing bandwidth IS stealing.  Our justice system isn’t THAT robust yet when it comes to dealing with ethical violations involving information technology.

If you do it right, a security awareness program can open the door for all sorts of IT-related education, some of which is sorely necessary.  If you’re only concentrating on telling users How Not To Break The Computers, you’re missing a huge part of the big picture, and therefore you’re not doing your job.

Posted by shrdlu on Friday, October 27, 2006