I've Made Up My Mind, Don't Bother Me With the Facts

(Posted by adam)
The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year.

...
"My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university information is not as simple as network and/or computer attacks," Adam Dodge, ESI creator, wrote in an e-mail.

...
The report also shows the majority of information breaches at colleges came from unintentional leaks, rather than hackers. But Penn State Information Technology Vice Provost Kevin Morooney said he isn't sure how deeply anyone should read into the report.

"I'm ignoring the report," he said. "Hackers are a constant and daily threat at the university, and we have many things put in place to mitigate the risk." (Emphasis added.)

"Security of data analyzed in study," The Daily Collegian at Penn State.

Adam Dodge runs the "Educational Security Incidents" blog, and his "Year In Review" is worth a look.

I hope that Vice Provost Morooney had other things to say about a comprehensive approach to security. Because otherwise, he's made up his mind, and don't wanna be bothered with no facts. A sad position for anyone at a University to take.

Posted by adam on March 2, 2008 at 8:54 PM in breach analysis.

Comments

Four factors appeared to be responsible for the majority of variance in participant responses. Of those four factors, three were people-related and one was network-related:
• For factors related to IT personnel, it appears that more education and training, improved job requirements, and procedures that help prevent them from making accidental or careless mistakes are important in preventing the incidents.
• For factors related to users, it appears that more education and awareness training, more stringent requirements, and better knowledge of policies and systems prior to the use of campus networks would be helpful in preventing them from accidental or careless behaviors, thereby preventing the incidents.
• For factors related to non-IT staff, more education, more stringent job requirements relative to technology use and data protection, and having more knowledge prior to using the computer systems would prevent accidental and careless behaviors that are one of the causes of incidents.
• For factors related to networks, more resources, more and better procedures and requirements relative to configuration of software and hardware would be helpful in preventing the incidents that are occurring.



FINAL REPORT OF THE COMPUTER INCIDENT FACTOR ANALYSIS AND CATEGORIZATION (CIFAC) PROJECT, VOLUME I: COLLEGE AND UNIVERSITY SAMPLE
An in-depth study of computer and network problems has identified carelessness of students and staff as one of the leading causes of those problems, not malicious behavior as most assume. As much as 40% of the incidents studied, such as hacker attacks, computer viruses, loss of confidential data, and other problems, could be attributed to carelessness. Another source of problems was inadequate training to help avoid problems, and lack of policies to deal effectively with incidents. Helping students develop judgment about computer issues and training staff is important to prevent and properly mitigate incidents.
"Are you the cause or the cure?" - UCLA BruinTech

I'm hoping Morooney was quoted out of context or something, because people doing dumb stuff are a huge piece of the puzzle when it comes to .edu breaches, and it isn't a secret.

Posted by: Chris | March 2, 2008 10:49 PM


It's not like those Penn alumni can get a new alma mater. They can, however, get a new provost.

Posted by: Der Cynical | March 2, 2008 10:53 PM


Evidence? I don't need no stinking evidence! As Pokey says:

Posted by: Alex | March 2, 2008 10:55 PM


Hmmm... Html for style only. No images. Whoops:

http://www.yellow5.com/pokey/archive/pokey484_4.gif

Posted by: Anonymous | March 2, 2008 10:56 PM



Anyone on this blog who is a Penn State alum ought to be letting fellow alums know what the "thinking" is at the highest levels of their alma mater. Scary.

Posted by: beri | March 3, 2008 11:21 AM


The problem is not ignoring evidence but being drowned in a sea of evidence. Morooney is right to be skeptical, he probably has at easy reach 20 other reports, all as superficial.

Indeed, we only have to skip a few posts back to discover that awareness training is good for sexual harassment and deforestation, but does nothing for security. Any report that attributes 40% of the problem to carelessness is simply shifting the burden to somewhere else and should be treated skeptically.

Posted by: Iang | March 7, 2008 7:29 AM