One Article Review

Source: NoticeBored
Identifier: 412461
Publication date: 2017-09-27 13:08:17 (seen: 2017-09-27 13:08:17)
Title: NBlog September 27 - compliance culture
Text: A discussion thread on CISSPforum about the security consequences of (some) software developers taking the easy option by grabbing code snippets off the Web rather than figuring things out for themselves (making sure they are appropriate and, of course, secure) set me thinking about human nature. We're all prone to 'taking the easy option'. You could say humans, and in fact all animals, are inherently lazy. Given the choice, we are inclined to cut corners and do the least amount possible, making this the default approach in almost all circumstances. We'd rather conserve our energy for more important things such as feeding and procreating.

Yesterday, Deborah mentioned being parked at a junction in town near a one-way side road. In the few minutes she was there, she saw at least 3 cars disregard the no-entry signs, breaking the law rather than driving around the block to enter the side road from the proper direction. Sure, they saved themselves a minute or so, but at what cost? Aside from the possibility of being fined, apparently there's a school just along the side road. It's not hard to imagine kids, teachers and parents rushing out of school in a bit of a hurry to get home, looking 'up the road' for oncoming vehicles and not bothering to look 'down the road' (yes, they take the easy option too).

The same issue occurs often in information security. 'Doing the right thing' involves people minimizing risks to protect information, but there's a cost. It takes additional time and effort, compared to corner-cutting. Recognizing that there is a right and a wrong way is a starting point - easy enough when there are bloody great "No entry" signs on the road, or with assorted warning messages, bleeps, popup alerts and so forth when the computer spots something risky such as a possible phishing message. Informing people about risks and rules is part of security awareness, but it's not enough. We also need to persuade them to act appropriately, making the effort that it takes not to cut the corner.

You may think this is a purely personal matter: some people are naturally compliant, law-abiding citizens, others are naturally averse to rules (sometimes on principle!), with a large swathe in the middle who are ambiguous or inconsistent, some plain ignorant or careless. How they react depends partly on the particular circumstances, including their past experience in similar situations ... which hints at another aspect of security awareness, namely the educational value of describing situations, explaining the consequences of different courses of action, guid
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up in an earlier one.