
Tuesday, September 27, 2005

firewall-wizards digest, Vol 1 #1675 - 2 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: The home user problem returns (Elizabeth Zwicky)
2. Re: The home user problem returns (tbird@precision-guesswork.com)

--__--__--

Message: 1
Cc: "'R. DuFresne'" <dufresne@sysinfo.com>,
"'Mason Schmitt'" <mason@schmitt.ca>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
<firewall-wizards@honor.icsalabs.com>
From: Elizabeth Zwicky <zwicky@greatcircle.com>
Subject: Re: [fw-wiz] The home user problem returns
Date: Mon, 19 Sep 2005 12:43:08 -0700
To: "Tina Bird" <tbird@precision-guesswork.com>

On Sep 13, 2005, at 12:23 PM, Tina Bird wrote:
> i disagree. i don't know *anyone* who willingly makes a fundamental,
> significant change in their behavior without pain as a motivator.

On the one hand, I agree with Tina -- people change their OWN
behavior based on their OWN pain. On the other hand, this insight
leads people to some terrible attempts at training, because people
(dogs, cats, octopus, anything with a brain of reasonable size)
do not respond effectively to imposed pain. Positive training
methods always work better on long-term measures.

Why is this relevant in security? Because the principal problem
is NOT that people don't feel pain when they screw it up -- it's
that there's absolutely no reward for doing it right (in fact,
it often causes pain itself). If more secure solutions were
faster, nicer, more fun OR cheaper in practical terms, we
wouldn't have the problems we do. Asking people to choose
long-term lack of pain over immediate reward is like asking
water to flow uphill. It can be done, but it's an awful
lot of work...

As long as you're working on increasing the pain for bad
security and making it happen faster, you're still
working on doing things the hard, ineffective way. If
you can get a reward for good security, then you're
working with the flow. If you want people to patch
their systems, show an interesting video clip only
available during patch downloads. Or whatever.

Elizabeth Zwicky
zwicky@otoh.org

--__--__--

Message: 2
Date: Mon, 19 Sep 2005 19:36:59 -0700
From: tbird@precision-guesswork.com
To: Elizabeth Zwicky <zwicky@greatcircle.com>
Cc: "'R. DuFresne'" <dufresne@sysinfo.com>,
'Mason Schmitt' <mason@schmitt.ca>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns

Quoting Elizabeth Zwicky <zwicky@greatcircle.com>:

>
> On Sep 13, 2005, at 12:23 PM, Tina Bird wrote:
>> i disagree. i don't know *anyone* who willingly makes a fundamental,
>> significant change in their behavior without pain as a motivator.
>
> On the one hand, I agree with Tina -- people change their OWN
> behavior based on their OWN pain. On the other hand, this insight
> leads people to some terrible attempts at training, because people
> (dogs, cats, octopus, anything with a brain of reasonable size)
> do not respond effectively to imposed pain. Positive training
> methods always work better on long-term measures.

correct, as we expect from elizabeth :-) most of the time when i'm presenting
the use of endpoint enforcement techniques to system administrators (the folks
who will be managing the systems) and their end users, i start by describing it
as a reward system for proper configuration, rather than a punishment system
against incorrect or compromised configurations. it's the same as the
artificial ignorance approach to log management, or good ol' deny all firewall
rules. the list of "things that absolutely ought to be configured this way" is
shorter than the list of all possible things that should be prohibited.

so of *course* most folks won't want to do that.

unfortunately, i am consistently told by marketing folks and journalists that
rewarding the right behavior isn't sexy enough to be newsworthy. apparently
selling "a kick ass system for maintaining proper system config, and
simplifying enterprise desktop management" doesn't work - but "scan and block"
or "worm preventers" or "quarantine solutions" will. i think it's absurd, that
stupid reactive approach to life. it was much easier to get the UNIX sys admins
to adopt security mechanisms by pointing out how much easier they make system
management, but apparently that's not always a good sell for the desktop
folks. i don't get it.

tbird
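The "artificial ignorance" approach mentioned above is easy to show in code. The following Python is an added example, not code from the digest or from either of its authors: it keeps a short allowlist of known-benign log patterns and reports every line that matches nothing, so unexpected events surface without anyone having to enumerate what "bad" looks like. The log lines, host names, addresses and patterns are all constructed for the example.

```python
import re

# Constructed sample syslog lines (not from the original digest).
SAMPLE_LOG = """\
Sep 19 12:43:08 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Sep 19 12:43:09 host1 CRON[1240]: (root) CMD (run-parts /etc/cron.hourly)
Sep 19 12:44:01 host1 sshd[1301]: Failed password for root from 203.0.113.9 port 40022 ssh2
Sep 19 12:44:02 host1 sshd[1301]: Failed password for root from 203.0.113.9 port 40022 ssh2
Sep 19 12:45:00 host1 CRON[1250]: (root) CMD (run-parts /etc/cron.hourly)
Sep 19 12:46:10 host1 kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd
Sep 19 12:47:30 host1 sshd[1333]: Accepted publickey for bob from 10.0.0.7 port 51300 ssh2
"""

# Allowlist of "known uninteresting" messages. Anything not matched is
# reported: the same default-deny stance as a deny-all firewall ruleset,
# and a much shorter list than everything one could try to prohibit.
KNOWN_BENIGN = [
    re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ port \d+ ssh2$"),
    re.compile(r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$"),
]

# Leading "Mon DD HH:MM:SS host " prefix, stripped before matching so the
# allowlist describes message content rather than volatile fields.
TIMESTAMP_HOST = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ")


def strip_volatile(line):
    """Remove the timestamp/host prefix from one syslog line."""
    return TIMESTAMP_HOST.sub("", line)


def is_known_benign(line):
    """True if the line's message matches any allowlisted pattern."""
    msg = strip_volatile(line)
    return any(p.search(msg) for p in KNOWN_BENIGN)


def artificial_ignorance(log_text):
    """Return (unknown_lines, counts).

    unknown_lines: every non-empty line that matched no allowlist entry.
    counts: those lines grouped by message with digits collapsed to 'N',
            so repeated events (e.g. a burst of failed logins) roll up.
    """
    unknown = []
    counts = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or is_known_benign(line):
            continue
        unknown.append(line)
        key = re.sub(r"\d+", "N", strip_volatile(line))
        counts[key] = counts.get(key, 0) + 1
    return unknown, counts


if __name__ == "__main__":
    unknown, counts = artificial_ignorance(SAMPLE_LOG)
    print(f"{len(unknown)} line(s) not covered by the allowlist:")
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {key}")
```

In day-to-day use the allowlist grows as each reported message is reviewed and judged uninteresting; the review queue shrinks over time while anything genuinely new still lands on it, which is the reward side of the approach rather than a list of things to punish.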

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
