[unisog] Educating Users

Rita Seplowitz Saltz rita at Princeton.EDU
Wed Aug 8 11:45:19 GMT 2001


Our approach to educating users is similar to the methods H. Morrow Long
describes at Yale.  However, and unfortunately, the most effective customer
education appears to be post-incident.  I.e., after someone's server or
personal workstation has been compromised and used for an attack, the
responsible party pays much more attention to the information which is
proffered and/or available regarding security.

The "good name" seems to me a good sales point.  When an intruder has
control of your account on a shared server or of your workstation, to others
that person looks like you; is you.  Identity theft has received enough
media coverage that most people can make the connection.

With regard to the automobile metaphor: driver tests do not normally include
changing spark plugs or tuning carburetors.  Yet for the typical user of a
desktop computer, changing configuration defaults or installing intrusion
detection software probably appears more analogous to "mechanic" work than to
"driving" or "observing rules of the road."

Since mid-June, Princeton has a new President, a new Provost, and a new Vice
President for Information Technology and CIO.  (That is in chain-of-command
sequence, starting at the top.)  One of the goals I hope this new
administration will endorse is to develop a new University-wide emphasis on
"safe computing" to protect the University's property and good name, and to
protect the property and good name of each member of the Princeton
University community.  If there is true understanding at the top, and
support from the top down, I believe there is a much greater chance of
success all the way down the line.

Rita Saltz
Policy and Security Advisor
Computing and Information Technology
Princeton University


