Saturday, December 6, 2008

Does it seem like people with more education are harder to educate?

I'm kind of annoyed today. I was in meetings for pretty much all of Friday and then after I got home I made the mistake of reading my email. The lesson I've taken away is that people with more education might be more difficult to educate.

For those who don't know me, you can see from my profile that I work for a four-year university. So I am surrounded by some of the best and brightest minds in the Western world. Or at least one would think that, but today's events have led me to doubt that.

Starting in January we are going to have a new standard in place governing the length and complexity of passwords. On Friday I met with some people to talk about the best way to get the message out to the campus community. At this point our standard has been drafted and signed, and we've already presented it to various groups of stakeholders that had no objections. But one faculty member was acting like I was throwing puppies out of the third-floor window. He was shocked and incensed that we weren't going to let them use the same password over and over again. He didn't seem to have a problem with us changing passwords every 180 days as long as he could keep setting the password to what it was. He kept asking me "How are they going to remember these passwords?" I can't believe that an army of PhDs can't remember passwords.

After we got done with that unpleasantness, we moved on to a configuration standard for computers that are available to the Internet. This time I was getting grief because my standard is too difficult to understand. This same faculty member was suggesting that we can't expect people that set up these servers to know what things like TCP, SMTP, or DNS are. Sorry, but I feel like if you're going to set up an SMTP server you better know how to make sure it isn't an open relay. I did get some satisfaction from telling him that if I don't enforce these rules then the rest of the Internet will by blacklisting that open relay. And while it may be true that some people won't be able to understand the technical talk in my standard, it still needs to be documented somewhere so that people don't think we make these requirements up on a server-by-server basis. This guy just wasn't getting it.
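The open-relay check is the one concrete technical point in that paragraph, so here is what "make sure it isn't an open relay" looks like in practice. This is an added example, not code from the original post or from the university's standard: it runs the first half of an SMTP transaction (HELO, MAIL FROM, RCPT TO) with a sender and a recipient that are both outside the server's own domains, and treats a 250 reply to that RCPT as proof the server will relay for anyone. To keep it runnable offline it also includes a constructed toy SMTP server (hypothetical host name toy.example.edu, accepting mail only for example.edu) that can be switched between the misconfigured and the restricted behaviour; point probe_open_relay at a real host and port to test an actual server.

```python
"""Open-relay probe: ask the server to accept a RCPT for a domain it does
not serve, from a sender it does not serve, and see whether it says 250."""
import smtplib
import socketserver
import threading


def probe_open_relay(host, port, mail_from="probe@example.org",
                     rcpt_to="victim@example.net", helo="probe.example.org"):
    """Return (is_open_relay, reply_code, reply_text).

    mail_from and rcpt_to are outside the target's own domains (assumed
    probe addresses), so a correctly configured MTA must refuse the RCPT,
    typically with 550 or 554 "Relay access denied". No message body is
    ever sent: the transaction is reset and the session closed with QUIT.
    """
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.helo(helo)
        code, msg = s.mail(mail_from)
        if code != 250:
            return False, code, msg.decode(errors="replace")
        code, msg = s.rcpt(rcpt_to)
        s.rset()  # abandon the transaction so nothing is delivered
        return code == 250, code, msg.decode(errors="replace")


class _ToySMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a real MTA: just enough of the SMTP dialogue
    for the probe. server.local_domains is the set of domains it accepts
    mail for; server.open_relay = True reproduces the misconfiguration."""

    def handle(self):
        self.wfile.write(b"220 toy.example.edu ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 toy.example.edu\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                # arg looks like "TO:<victim@example.net>"
                addr = arg.split(":", 1)[-1].strip("<> ")
                domain = addr.rpartition("@")[2].lower()
                if self.server.open_relay or domain in self.server.local_domains:
                    self.wfile.write(b"250 2.1.5 Ok\r\n")
                else:
                    self.wfile.write(b"554 5.7.1 Relay access denied\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 2.0.0 Ok\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


def start_toy_server(open_relay):
    """Start the toy MTA on an ephemeral loopback port; caller shuts it down."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _ToySMTPHandler)
    srv.open_relay = open_relay
    srv.local_domains = {"example.edu"}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe a misconfigured and a restricted toy server; return both results."""
    results = {}
    for label, open_relay in (("misconfigured", True), ("restricted", False)):
        srv = start_toy_server(open_relay)
        try:
            host, port = srv.server_address
            results[label] = probe_open_relay(host, port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, (is_open, code, text) in demo().items():
        verdict = "OPEN RELAY" if is_open else "relay refused"
        print(f"{label:13s} -> {code} {text}: {verdict}")
```

Against a real server the interesting case is the one a blocklist operator's probe would try: a sender and recipient that are both foreign to the host. Servers that only reject unknown senders, or only reject foreign recipients when the sender is also foreign, still relay in some configurations, so it is worth repeating the probe with the sender set to a local address as well.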

So then after that great day, I went home and read my email. We have been having a problem with phishing emails being sent to the campus and several people have been tricked into giving their password to spammers. To combat the problem, we have sent emails out to the entire campus, and I have gone to several meetings with leadership groups around campus. For the last three months I haven't gone a day without telling someone that ITS will never ask for your password over email. So guess what I found in my inbox? One of the most senior leaders in our organization asking for the fourth time if a phishing email was legitimate or not. I have to say that it is really demoralizing when the leaders that are supposed to be supporting your efforts don't even know what you're doing...even after you have told them four times!

I've heard other security managers mention that it can be difficult to get the message through to senior leadership that information security is important to them. I also have heard that it can be difficult to teach users to change the way they do things. I guess I am disappointed because I thought that a University would be full of thought leaders, lifelong learners, and people that could grasp a simple concept after four lessons. Also, most of the staff and students are grasping these concepts quite quickly. So is it just that people who have more education are too thick-headed to learn this?


Michael Janke ' or 1=1 -- said...

I'm not surprised, but unfortunately I have no better insight into this, other than to confirm that it's not just your university.

Matt and Brandy said...

Indeed, this is not an isolated phenomenon.

DrInfoSec said...

Being a university faculty member myself, let me provide my perspective on the subject of faculty being harder to educate and on the need for improved security education/awareness.

First of all, faculty members who have tenure (myself included) can be quite stubborn and may be, as you put it, "thick-headed." Some of that may come from an attitude of "if it ain't broke, don't fix it" stemming from years of administration-backed changes that seem to have little positive impact on the primary mission of the university, i.e. teaching.

However, I suspect that there's a deeper mechanism at work here, namely that the very "thought leaders" and "lifelong learners" that you have identified focus the subject of their lifelong learning so narrowly as to become unable to absorb new concepts or ideas, or, worse, to change their way of thinking.

On a concept like information security, in which technology and practices need to adapt to the changes in the threat environment, I find that many of my faculty colleagues are thinking more like dinosaurs than "thought leaders." Most security professionals would agree that what worked yesterday (or last month, or last year, or 10 years ago) may not work tomorrow. Yet many faculty continue to act and think as if what they've come to know and experience in the near or distant past will continue to hold true.

On the subject of the phishing emails, the simple act of questioning the validity of an email message, or a message received via more traditional means, goes contrary to the environment of trust and sharing that adorns academia. Faculty may, by the very nature of their training and conditioning, be more susceptible to phishing than the average user.

Finally, you are absolutely correct in wanting to ensure better security for ALL the machines within your domain, faculty and lab machines included. I am a firm believer in the validity of the configuration standards that you mention for all publicly visible servers. If a faculty (or staff) member doesn't know what TCP, SMTP, or DNS are, then they should not be administering the server, at least not on their own. I see a need for cooperation here, where IT services and others can agree to share the administration of these servers in order to provide a valuable service (the reason that the server is up in the first place) with reasonable security and patching processes (to make security managers happy and keep hackers at bay).