Shostack + Friends Blog Archive

 

I've Made Up My Mind, Don't Bother Me With the Facts

The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year.


“My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university information is not as simple as network and/or computer attacks,” Adam Dodge, ESI creator, wrote in an e-mail.


The report also shows the majority of information breaches at colleges came from unintentional leaks, rather than hackers. But Penn State Information Technology Vice Provost Kevin Morooney said he isn’t sure how deeply anyone should read into the report.

I’m ignoring the report,” he said. “Hackers are a constant and daily threat at the university, and we have many things put in place to mitigate the risk.” (Emphasis added.)

Security of data analyzed in study,” [link to http://www.collegian.psu.edu/archive/2008/02/26/security_of_data_analyzed_in_s.aspx no longer works] The Daily Collegian at Penn State.

Adam Dodge runs the “Educational Security Incidents” [link to http://www.adamdodge.com/esi/ no longer works] blog, and his “Year In Review” [link to http://www.adamdodge.com/esi/yir no longer works] is worth a look.

I hope that Vice Provost Morooney had other things to say about a comprehensive approach to security. Because otherwise, he’s made up his mind, and don’t wanna be bothered with no facts. A sad position for anyone at a University to take.

Originally published by adam on 2 Mar 2008
Last modified on 16 Jan 2023
Categories:   breach analysis   Uncategorized  

6 comments on "I've Made Up My Mind, Don't Bother Me With the Facts"

  • Chris says:
    2 Mar 2008 at 10:49 pm

    Four factors appeared to be responsible for the majority of variance in participant responses. Of those four
    factors, three were people-related and one was network-related:

    • For factors related to IT personnel, it appears that more education and training, improved job
    requirements, and procedures that help prevent them from making accidental or careless mistakes are
    important in preventing the incidents.

    • For factors related to users, it appears that more education and awareness training, more stringent
    requirements, and better knowledge of policies and systems prior to the use of campus networks would
    be helpful in preventing them from accidental or careless behaviors, thereby preventing the incidents.

    • For factors related to non-IT staff, more education, more stringent job requirements relative to
    technology use and data protection, and having more knowledge prior to using the computer systems
    would prevent accidental and careless behaviors that are one of the causes of incidents.

    • For factors related to networks, more resources, more and better procedures and requirements relative
    to configuration of software and hardware would be helpful in preventing the incidents that are
    occurring.

    FINAL REPORT OF THE
    COMPUTER INCIDENT FACTOR ANALYSIS
    AND CATEGORIZATION (CIFAC) PROJECT,
    VOLUME I: COLLEGE AND UNIVERSITY SAMPLE

    An in-depth study of computer and network problems has identified carelessness of students and staff as one of the leading causes of those problems, not malicious behavior as most assume. As much as 40% of the incidents studied, such as hacker attacks, computer viruses, loss of confidential data, and other problems, could be attributed to carelessness. Another source of problems was inadequate training to help avoid problems, and lack of policies to deal effectively with incidents. Helping students develop judgment about computer issues and training staff is important to prevent and properly mitigate incidents.

    “Are you the cause or the cure?” – UCLA BruinTech [link http://www.bruintech.ucla.edu/news/2006/carelessness.htm no longer works]
    I’m hoping Morooney was quoted out of context or something, because people doing dumb stuff are a huge piece of the puzzle when it comes to .edu breaches, and it isn’t a secret.

  • Der Cynical says:
    2 Mar 2008 at 10:53 pm

    It’s not like those Penn alumni can get a new alma mater. They can, however, get a new provost.

  • Alex says:
    2 Mar 2008 at 10:55 pm

    Evidence? I don’t need no stinking evidence! As Pokey says:

  • Anonymous says:
    2 Mar 2008 at 10:56 pm

    Hmmm… Html for style only. No images. Whoops:
    http://www.yellow5.com/pokey/archive/pokey484_4.gif

  • beri says:
    3 Mar 2008 at 11:21 am

    anyone on this blog who is a Penn State alum ought to be letting fellow alums know what the “thinking” is at the highest levels of their alma mater. Scary.

  • Iang says:
    7 Mar 2008 at 7:29 am

    The problem is not ignoring evidence but being drowned in a sea of evidence. Morooney is right to be skeptical, he probably has at easy reach 20 other reports, all as superficial.
    Indeed, we only have to skip a few posts back to discover that awareness training is good for sexual harrassment and deforestation, but does nothing for security. Any report that attributes 40% of the problem to carelessness is simply shifting the burden to somewhere else and should be treated skeptically.

Comments are closed.