MWJ Computing » Random Thoughts http://www.mwjcomputing.com/blog A life lived through digital exploration. Mon, 02 Aug 2010 16:56:33 +0000 en hourly 1 http://wordpress.org/?v=3.0 What podcasts do you subscribe to? http://www.mwjcomputing.com/blog/2010/07/what-podcasts-do-you-subscribe-to/ http://www.mwjcomputing.com/blog/2010/07/what-podcasts-do-you-subscribe-to/#comments Wed, 28 Jul 2010 17:03:17 +0000 Matt Johnson http://www.mwjcomputing.com/blog/2010/07/what-podcasts-do-you-subscribe-to/ I was looking to see if there are any more good IT / Security related podcasts out there and figured I would ask the masses.

I am non-discriminatory on what I listen to as long as it is good content. I have a decent drive to work and use the opportunity to learn new things.

Below is my current list. Feel free to suggest more.

]]> http://www.mwjcomputing.com/blog/2010/07/what-podcasts-do-you-subscribe-to/feed/ 1 Why users don’t get security policy http://www.mwjcomputing.com/blog/2009/12/why-users-dont-get-security-policy/ http://www.mwjcomputing.com/blog/2009/12/why-users-dont-get-security-policy/#comments Tue, 08 Dec 2009 02:32:23 +0000 Matt Johnson http://www.mwjcomputing.com/blog/2009/12/why-users-dont-get-security-policy/ I have been thinking about this for a long time. I still may be a fledgling in the Information Security community, but feel that I have a pretty good grounding in the InfoSec concepts. So here it goes….

Users don’t get security policy because the don’t feel it directly relates to them. Users may wonder why would a removable media or email policy apply to them? I don’t really blame users for feeling this way. Most people are genuinely honest people trying to make a honest living. They are not trying to steal data or cause a data breach. I will go far as to say that the majority of data breaches were not the result of some willful action to release or steal the data.

I remember when I was just a user and I laughed at some of the of the policies thinking who would do that? It wasn’t until later I realized policies really are trying to catch the exception to the rule not the rule itself. I don’t feel that this is adequately communicated to most users. If we were to educate users that policies were there to help them do their job not to control or dominate them users may be more willing to accept policy. An analogy that I think could work is Monopoly. A normal game of Monopoly has rules and people police other players when it comes to rules. People normally are happy when it comes to playing within the rules and expect it while still enjoying the game. Why can’t this translate to security policy?

This however assumes is that everyone plays by the rules equally. If you are a user in the mail room or someone in a CXO position, everyone needs to follow the rules and help police everyone. No one, no matter who they are, is treated different. This sadly isn’t always the case.

Until the individual user experiences a negative effect of someone not playing by the rules, or policy, people don’t understand why the should care. I think if we spend more time thinking like users and educating them to why it is an advantage to them to follow the “rules” we might find our workplaces or organizations a more secure place.

]]> http://www.mwjcomputing.com/blog/2009/12/why-users-dont-get-security-policy/feed/ 0