Came across the following

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Via email, an interesting take on the subject of user education into security issues:

http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036

What are peoples thoughts/experiences of this topic?

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I can agree with his core idea that you can go overboard with security, and some of his points are valid. But I just shake my head and laugh at some of his arguments. For example, he says that users don't see any benefit to security, but they see the costs. True, but all he has to do is ask someone who has been negatively affected by malware or identity theft if they feel that some level of security is necessary. And it's not like those people aren't out there... just about everyone I know has been affected one way or another.

He often makes the argument that users shouldn't take the time or bear the cost to implement or learn certain security procedures because it cannot be guaranteed that they will be protected. By his same logic...

...a car owner shouldn't change his oil because it's a constant, ongoing expense, with no visible, tangible benefit. If you don't change your oil, you're more likely to blow your engine. You won't DEFINITELY blow it... especially if you rarely drive and stay on low-speed back roads. But you're MORE likely to if you drive 30,000 miles between oil changes driving 80mph down the highway.

...a person shouldn't buy insurance because it's a constant, ongoing expense, with no visible, tangible benefit... at least, not until you're affected. If (or usually, when) you become affected, you'll wish you had it.

Security is the same. Reasonable steps should be taken to secure a computer, and I *think* the author and I agree on that part. Sure, we could change our oil every 50 miles or take out a $10M insurance policy, but at what cost?? There's no reason to go that extreme. However, we shouldn't just say, "You know what? This is too complicated or expensive; I'm not gonna do it at ALL." That's just asking for trouble.

 

Some interesting points.

On the subject of passwords, because of an MOD contract, we are required to change out passwords every 5 weeks. Its an absolute pain in the arse to be honest. I'm one of the good ones, and try to think up different passwords every time, but its becoming unfeasable to do so. Ergo, every 12 cycles, when the policy resets, I start from the start again. I happen to know people who have it written down, and other people, who are just working their way through the alphabet (aaaaaaaa, bbbbbbbbbb). Couple the change policy with a 9 character limit and its just really useless to be honest.

 

Changing a password every 5 weeks would annoy me, would most likley end up using a passphrase if it was that often.

Edit - Just seen the 9 character limit, ouch

 

Yep - this is one of the author's points that I agree with. Having mandatory password changes doesn't add much value. Starting out with a complex password is a reasonable step.