Ignoring security advice from the pros: The IT-user disconnect

IT pros and the general population of users have seemingly different agendas when it comes to security. Michael P. Kassner interviews a noted researcher about the psychology of these two groups.

"The grumpy IT guy" is the title my fellow employees have bestowed upon me. I don't think I'm grumpy. When all is said and done, though, what I think does not matter; the perception is real in their eyes. How can it not be? An overwhelming number of my conversations at work center on some digital thing that is not working right, that needs to be fixed right away, and that no one has any idea what happened to.

I know I'm not the only IT person in this illustrious club. When I grab coffee with colleagues, the conversation inevitably turns to "us versus them" situations, allowing for shared commiseration over a latte.

I think I may have a possible explanation for the phenomenon. I met Professor Rose McDermott through her ACM paper, "Emotion and Security." During a conversation, I asked Rose, a well-regarded scholar in psychology and behavioral studies, how to convince users of the importance of IT security and avoid IT-user discord. She did not mince words:

People will listen to a conversation that is vivid, salient, concrete, and emotionally engaging. Abstract, pallid, statistical arguments tend to make people's eyes glaze over.

Now the part where she does not mince words:

IT-professionals, please don't take this the wrong way, but the skills that make one good at IT (meticulous attention to detail, ability to process large amounts of data simultaneously, detachment) can make it hard to communicate effectively with the technologically illiterate.

It's hard to deny what Rose said. Yet, I have faith in my fellow IT professionals that once we understand what Rose proposes in her paper, we'll be ready for the next IT-user encounter. Maybe I'll even be able to get rid of my "Grumpy IT guy" moniker.

Kassner: Thank you Rose, I'm not sure I would have figured much of this out without your help.

As I understand it, the main idea presented in the paper is that emotions temper our perception of reality -- something IT professionals need to understand if they want to truly convince users that doing something is in their best interest. Do you have an example?

McDermott: We can feel secure when we are not, just as we can feel insecure even when we are protected. For example, the TSA invests an enormous amount of time, money, energy, and resources making us take our shoes and jackets off to go through a screening that is largely performative. It makes people feel secure so they will fly; it does not actually make anyone more secure.

On the other side, we can feel at risk when we are largely safe; the risk of dying in a shark attack is low, but people feel insecure all summer once they learn about a local shark attack case on the evening news. Psychologically, we are affected more by perception than probability.

Kassner: What you mention reminds me of the term Bruce Schneier coined: "Security Theater." Beyond that, we must be aware of how users perceive what we are telling them, as it will inform us whether we are making any sense or not.

A bit further in the paper, you drop another bomb -- one I'm not sure I comprehend. You say it doesn't matter whether we raise the flag saying a threat is likely, or whether we lower the flag saying the threat is no longer likely; people are going to be negatively impacted either way. Why is that?

McDermott: We tend to forget about things over time, or push them to the back of our minds. But when the threat is publicly addressed, even as a reduced possibility, it becomes salient again, reminding us there is still something out there we should be afraid of, and this makes people more anxious.

Kassner: Wow, this explains why users are nowhere near as relieved as I am when a security issue is resolved.

You talk about two theories: Probability theory and Prospect theory. Probability theory suggests the bigger the threat, the stronger the response. But that's not the case. It seems we react more in line with tenets proposed in Prospect Theory. Could you explain the theory, and what IT professionals should be paying attention to?

McDermott: Sure, Prospect Theory describes how people respond to risk. Basically, people are more accepting of risk when confronting loss than when they are facing gains. Also, people do not respond to probability in a linear fashion.

We give more weight and attention to events that have a low probability of occurring. Think of all the money we have spent preventing terrorism, when fewer people have died from terrorism in the past ten years than those who have died from domestic gun violence in any one year of the past ten.

Oppositely, we give less weight and attention to moderate and high probability events. For example, few of us eat healthy and engage in daily exercise in order to reduce the risk of heart disease and cancer.

Kassner: Finally, I have a reason why users are ambivalent about keeping software up to date on their computers.

The paper mentions the following as a good strategy for communicating information about potential threats. A threat should:

  • Be communicated by an expert and trustworthy source.
  • Be focused on a specific anticipated attack.
  • Motivate respondents to act.
  • Provide specific concrete actions individuals should take to counter the threat.

Could IT managers apply these principles when trying to convince employees how important a pressing security issue is?

McDermott: You may not be able to do all those things with every risk, but the more of them you can do, the more likely it is people will pay attention and respond appropriately. An IT manager would presumably be an expert and trustworthy source who is able to communicate simply, clearly, and repeatedly the potential source and type of attack, along with the cost and risk of such an attack. That expert also needs to tell the employee what he or she can do to reduce the risk.

Also, tying the vulnerability to things employees hold dear will be more likely to gain their attention. For example, only saying shared data-storage sites are not secure may evince a yawn. Telling someone web-based email accounts (one form of online data-storage) are easy for hackers to access -- maybe read a few unsavory ones, and heaven forbid, forward the emails to a spouse -- will likely spark an immediate response.

Obviously, my example is extreme, but one need look only as far as former CIA director David Petraeus to see how common such errors are; even among those who should know better because he is, I don't know, head of US intelligence.

Final thoughts

What am I taking away from Rose's paper? We all respond to situations based on emotions, logic, and what our five senses are telling us. So, I must remember that not following advice isn't a user purposely trying to make me grumble.

I have a question I'd like to ask. After reading this article, do you think those responsible for and participating in the domestic surveillance of United States citizens have a different emotional perspective of security than the citizens who are part and parcel of the surveillance?

A tip of my hat to the ACM for publishing Professor McDermott's paper and allowing me to excise quotes from it.


79 comments
Edward D

I think that those who are responsible for and participating in the domestic surveillance of United States citizens are highly likely to be operating under different perspectives and under different rules than citizens in general. "Emotional perspective of security", when it is a primary motive for domestic surveillance, is probably (in my opinion) a bit more radical for those government operatives than for citizens. In my experience, the government operatives will be directed by and motivated by the key words "National Security". If you can recall the story of Karen Silkwood, who was theoretically contaminated with Plutonium (she was a whistle-blower), then perhaps you can see what I mean by the motivation of "National Security". Enormous amounts of leaking Plutonium and Uranium were overlooked because nobody had time for the "insignificant" stuff while they were working on a "National Security" project. In this type of emotional mood, who cares about rules, codes, laws, State or Federal constitutions, when "National Security" is at stake? Rights, as defined in the Constitution, are totally ignored in the zeal (my best choice descriptor of a "good" motive) to protect the nation. In my untrusting viewpoint, zeal is more often displaced by other motives (including lust for power, greed, and other ugly emotional drives). Thomas Jefferson has been quoted as saying: "Sometimes it is said that man cannot be trusted with the government of himself. Can he, then be trusted with the government of others? Or have we found angels in the form of kings to govern him? Let history answer this question." And yet, our current U.S. government seems to be operating under the opinion that we lowly citizens definitely cannot be trusted with the governing of ourselves. 
This (obvious to me) attitude enhances the odds that those performing the domestic surveillance do not care about laws or Constitutional rights, but are controlled only by the "rules" within their immediate organization (NSA, CIA, FBI, etc.). I think that most of us (the citizens being surveilled) are more inclined to want protection from outside evils, but without giving up our personal rights as defined in the Constitution. I certainly want the government to do the least amount of action necessary to secure the nation from outside disturbances. I would like to think that those elected to "serve" would be more tightly bound by the laws and the Constitution than the citizens at large, mainly because we give them such great powers in order to do their jobs.

philswift

People and the ability to collaborate are the most important thing APART from security. If your data (information) is not retained, clean, non-corrupted and secure then you will not have a job to go to, as the company will fold. Look at Gartner's figures for how long a business runs after a disaster that is non-recoverable. The first staff members that are banned (I hope this is stated in your DR documents) from sites, domain and telecoms access are Human Resources. This is because in a disaster they have absolutely NO function. 'Need to know' and 'need to work' policies have to be implemented. IT and IT staff are NOT here to pander to the rest of the company's staff all the time. People......people, let's use common sense BEFORE company rules and regulations. If you are in Europe and have not passed an ECDL (European Computer Driving License) then you should be marked down accordingly. This is because you may not have the skills (or you do have the skills but they are not PROVEN) to drive a computer, care for the company's data and have respect for the 'Police' (IT staff). Courtesy and manners are key BUT you must do as we ask or you get the consequences. I think all UK companies should ban users that do not have an ECDL (users should pay for it as well, NOT the company). This would mean that companies that are essential to the well-being of a State's or Country's function would have a much better chance at avoiding a disaster and also at recovering from one in a timely manner. Common sense and tough love time.

philswift

Now that it's allegedly obvious that the US is spying on US and UK citizens and companies, do Cloud and BYOD look like a professional, data-retentive and mature way to go? No......

rwnorton

A Security Policy that is dependent on User compliance is not much of a security policy. Users don't have to like it, but compliance shouldn't be up to them, at all. As for the IT - User disconnect, I think perhaps HR Departments could help there. Security Policy should be a top level organizational decision. Then, education of Users regarding that policy should be part of any initial/ongoing User Training programs, on equal par with Sexual Harassment in the Workplace. IT and HR can work together to put together an outline of the program, but let HR flesh it out and present it. They are likely more qualified to do the training.

enderby!

"Probability theory suggests the bigger the threat, the stronger the response." No, it certainly does not. I do not see how probability alone even addresses threat (risk) in any way. This writing suggests probability and prospect are opposing theories. We should plan according to risk (threat), not merely probability. Risk is not one dimensional and is not necessarily correlated to reaction. In my IT world risk is the combination of probability (of occurrence) and severity of outcome. We react according to what we find most important in those two dimensions. Just because an event is likely does not mean we will take action, especially if the outcome is minor. Likewise we may choose to mitigate a low probability event if the outcome has a high impact. We have an expensive DR site because the loss of our data center would be catastrophic, although a DR event has a very low probability of occurrence. We do not hire extra staff to cover for short term absences because, while probability of occurrence is high, impact of the event is low. Probability is just one aspect of threat, it does not define it.
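McDermott's point in the interview that people do not respond to probability linearly, and enderby!'s point that risk is probability combined with severity of outcome, can be put side by side in code. The following Python is an added example and is not from the article, the paper, or any commenter. It assumes the Tversky and Kahneman (1992) probability weighting function w(p) = p^g / (p^g + (1 - p)^g)^(1/g), with g = 0.69, as the model of perceived probability, and it uses a constructed four-item risk register whose probabilities and dollar impacts are illustrative only.

```python
# Constructed risk register for the example: (annual probability, impact in dollars).
# Figures are illustrative and are not taken from the article or any real organization.
RISKS = {
    "phishing credential theft": (0.60, 80_000),
    "targeted intrusion":        (0.02, 2_000_000),
    "short-term staff absence":  (0.90, 2_000),
    "data center loss":          (0.01, 5_000_000),
}


def expected_loss(p, impact):
    """Planning view: probability times severity (enderby!'s definition of risk)."""
    return p * impact


def prospect_weight(p, gamma=0.69):
    """Perceived probability under the Tversky-Kahneman (1992) weighting function.

    w(p) = p^g / (p^g + (1 - p)^g)^(1/g). For g < 1 the curve lies above the
    diagonal for small p (overweighting) and below it for moderate and large p
    (underweighting), which is the pattern McDermott describes. gamma=0.69 is
    the value Tversky and Kahneman fitted for losses; it is an assumption here.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if p in (0.0, 1.0):
        return float(p)  # the endpoints are fixed points of the function
    pg = p ** gamma
    return pg / (pg + (1.0 - p) ** gamma) ** (1.0 / gamma)


def perceived_loss(p, impact, gamma=0.69):
    """Perception view: weighted probability times severity."""
    return prospect_weight(p, gamma) * impact


def rank(risks, scorer):
    """Risk names ordered from highest to lowest score under the given scorer."""
    return sorted(risks, key=lambda name: scorer(*risks[name]), reverse=True)


def weighting_table(points=(0.01, 0.05, 0.2, 0.5, 0.8, 0.95)):
    """(p, w(p)) pairs, useful for seeing where over-weighting turns into under-weighting."""
    return [(p, round(prospect_weight(p), 3)) for p in points]


if __name__ == "__main__":
    for name in rank(RISKS, expected_loss):
        p, impact = RISKS[name]
        print(f"{name:28s} expected {expected_loss(p, impact):>10,.0f}"
              f"   perceived {perceived_loss(p, impact):>10,.0f}")
    print("ranking by expected loss :", rank(RISKS, expected_loss))
    print("ranking by perceived loss:", rank(RISKS, perceived_loss))
    print("w(p) table:", weighting_table())
```

With these constructed figures, expected loss puts the phishing scenario ahead of the targeted intrusion, while the weighted "perceived loss" reverses them, because w(0.02) is roughly three times 0.02 while w(0.6) is a little under 0.6. Plan by the first ranking; expect users and management to react according to the second, which is what McDermott's remarks about salience predict.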

DontKnowItAll

My problem with IT security lately is the constantly increasing demand of various websites, from simple web email sites to online banking sites, for the "requirement" of adding "security" questions and answers to the passwords I already use, in order to "increase" the security of my access to those sites. And in most cases I know of, those questions, and the answers we are supposed to provide, also are used to prove we are who we claim to be when we want to change our passwords. I use a password manager to access all my very secure passwords (preferably at least 14 or more randomly generated characters, though some sites won't even allow such complexity), and it is my feeling and understanding that the answers to the "secret" questions make my passwords more (rather than less) vulnerable to attack unless the "secret" answers have nothing at all to do with the questions. Remember the hacks of the email accounts of Mitt Romney and Sarah Palin as examples. But if I provide irrelevant and complex answers to the "secret" questions, I have to be able to keep track of those answers in case I am asked the questions for whatever reason (like using a different computer than usual to access my account), and maybe in such a case I don't HAVE the answers at hand! Then I am denied access to my account even if my 25 or so character randomly generated password is correct! But if my "secret" answer is even randomly guessable, some hacker out there can get into my account, change my password, and I not only lose my access to the account, but, worst case, possibly even suffer loss of my assets! I'm all for high quality two factor authorization, but everyone lately assumes that everyone has a cell phone (which I do not), and wants to use that for the second factor. Am I wrong to assume my super-secure password is (practically speaking) unbreakable, and that I should be allowed to accept or reject other means of verifying who I am in order to be allowed access to my accounts?
I think I should be able to use my username and my password, and be able to access my accounts with just that information without being told I MUST use "secret" answers to "secret" questions in addition to (what I think are, at least) my super secure passwords/passphrases (two words that for me, at least, mean the same thing)! I know that the average Joe may not have a good understanding of good passwords/phrases or of how to keep track of them, but that just means they should educate themselves better on computer security, or not use the computing resources we have available to us today. Does anyone have any meaningful response to my thoughts on this? Am I on the right track, or am I going around in circles with my head in the clouds?

peterlonz

I think you have grossly oversimplified the message. We probably all have a different take, and I read it only once, like 99% of readers, but she is surely suggesting the specialists communicate threats and best practice more effectively.

stevebwriter

I do my best to keep everything up to date and have competent anti-virus and intrusion detection. But always in the back of my mind is: What's the point? There will always be zero-day vulnerabilities; government (mine or someone's) probably has an 'in' to my system - an ingenious penetration technique that by agreement is kept out of the commercial security screeners and software updates (and a director of one prominent consumer anti-virus company has admitted to me they have been approached by the US govt to leave "back-doors". He says they refused. Seriously: does one refuse the US govt and get away with it?). Given that there are backdoors there, do I seriously suppose the details of them won't leak from govt (whom, of course, I trust) to someone with more villainous intent? As I say, I do what I can. But I'm under no illusion that I can ever be 100% secure.

rwnorton

Any size organization that deploys the use of computers (of any format) must be held responsible for the security of their End-Users, their own devices, and their data. It is not the User's responsibility, because it is not the User's realm of expertise (not the reason they were hired). The Company needs to be responsible for employing a well-formed security policy, including purchasing and maintaining the licensing for their Anti-Malware software, and ensuring it is deployed everywhere (yes, including BYOD). I'm not against training Users in proper security etiquette. But that training should be more about how their Company IT Department protects them from threats (come on, guys, let's sell ourselves a little) than about what they should be doing to protect themselves from threats. (Lots of real-life worst-case examples of what can happen, mixed with minimally-technical explanations about how IT prevents it from happening, along with a little bit of what Users can do to protect themselves, not only at work but also at home.) And there should always be an open door policy, where a User can bring any conflict that arises with security restrictions that prevent the User from doing a job to the attention of a supervisor or directly to IT, so that the conflict of interest can be resolved. IT Security Policy needs to be "granular" - meaning it has to allow for specific exceptions that are justified by the business. If any component of an Organization's system is compromised, it is the Organization's fault/problem, not the User's. There is no lack of tools for IT to use to secure the network and everything on it. Some of those tools impose restrictions and/or actions that directly affect Users. Things like enforced updates, password policies (complexity, expiration, similarity restrictions, etc.), website blocking, system scans, data access restrictions on a need-to-know basis, etc.
But I think we can all agree that these are a necessary part of any well-formed security policy, and they can all be managed globally by a small, centralized IT staff or part-time outside consultancy. Any IT staffer who is complaining about End-Users' failure to follow security policy, or causing extra work/expense due to the need for an IT staffer to clean up an adversely affected system, is an IT staffer who doesn't understand his responsibility! If you're spending your life fighting fires, instead of preventing them, then you are simply not doing your job. Oh, and if you are spending your life fighting fires (there will always be some of that) and your IT Department figures out how to prevent them, then you will likely be out of a job. So, what's to complain about?!

smckenna

"When we develop care and concern by thinking of others not as ‘them’ but ‘us’, there is no room for bullying, exploitation or deceit."

blakley52

I'm sorry, but I hear of everyone talking about "IT" and I don't know what it is. Ok a little weak tongue in cheek comment, but hey I got more fat rhymes. Stream of consciousness i.e. verbal diarrhea. A bit of a spelling cul de sac of spellcheck that was! I just want to know where the men's restroom is. And while we're on the topic of defining and disseminating words and the thoughts associated with them...where and when did the "rest" component of the word "restroom" happen? I love humans and being one but then again I am a bit biased. ;-) Cheers, Jim

philswift

If you are an IT Manager or Financial Director/CFO, for goodness sake wake up. Ban BYOD now, however embarrassing and painful it is. IT seniors and IT staff are Gods, make no bones about it. Don't get me wrong, making an Enterprise 'work' is no doubt a team effort. However, IT staff can bring a company to its knees or make it fly. Education is first, then policy. We have to treat end-users like the numpties they are; they need hierarchy, discipline and tough love. Then you can bring in collaboration and lever the brain power. Pathetic seniors that are 'yes men' and who do not stand up to the follies of fashion and vogue deserve the trouble they will get. It's too late for some Enterprises; they will have a massive attack soon enough. Totally shutting the door after the horse has bolted. Security and education must come before form, design and fashion. Get your end-users into education, have AD Group Policy desktop educationals every morning, get them on a tour near the datacentre, involve them in a mock denial-of-service attack, get them to take ownership and embrace it. Then, only then, will data retention be as it should. Nail it down.

jrojas_ac

IT Pros should be the new government and take over. Rule the world with an IT fist. Just kidding, guys.

Jimbo Jones

... but don't offer users constructive advice on alternative ways to get their job done.

Security: Thou Shalt Not use unsecured ftp to transfer large files of sensitive data.
User: OK, I get that, but ftp is all I know; what's the alternative?
Security: Not my problem. My job is to enforce HIPAA compliance.

Security: Thou Shalt Not install rogue wireless access points.
User: But my wireless device doesn't support your authentication method. What's the alternative?
Security: Not my problem. My job is to protect the network from wireless hackers.

You get the idea. This attitude sets up an adversarial relationship from the outset, and encourages users to "cheat" or come up with their own workarounds, which may actually be riskier. Eventually users learn to tune out anything the "NO guys" tell them. If we want to be taken seriously, we've got to be seen as helpful and cooperative, rather than obstructive. Here's how you set up a secure ftp server. Here's how we can set up a firewalled wireless network for your device... and so on. More work for us, but in the long run users will view us as the solution rather than the problem.

maj37

This has become my new drumbeat. Yes, we in IT need to do a better job of understanding how our users think and feel when we want to tell them something, so that they get the information we need them to have. However, it is a two-way street: the users need to do a better job of understanding us, both when we talk to them and when they talk to us. We all work for the same company and we all need to work together, not just ignore what the other is saying. But I am sick and tired of being told IT has to understand the users, and the business, and the blah, blah, blah!!!!!!!!!!!!!!!! Hopefully in the blogs etc. that our users read they are being told they have to try harder to understand their IT team, but somehow I doubt it.

simonh

Nice article Michael and it neatly touches upon typical scenarios when trying to get end users to simply be vigilant and use common sense. I always think a good case in point is that here in the UK we have a law that is there to encourage people to protect themselves. The fact that this requires a law with penalties should you flout it says a lot about perception and probability. That law is quite a simple one; namely to wear a seat belt when in a moving vehicle. People still need a threat of monetary loss in order for it to become commonplace. An often cited defence of not wearing one is the (extremely low) probability of being trapped by the belt if the car was on fire or submerged in water. Humans eh (or is that 'A')?

sysdev

The vast majority of people do not have a firewall on their computer. The vast majority of people do not run a daily scan for threats. A large number of these have become the 'botnets' for such things as DDOS (Distributed Denial of Service) attacks, as their computer is waiting for a command to do something that the owner doesn't even know is happening. His/her computer is taking part in something that they have no idea it is doing. The vast majority of people follow the path of doing nothing unless something is clearly (to them) broken. They wonder why their computer is getting slower and slower. For many of them, other people are really controlling what is running on their computer. There are hundreds of thousands of things that are on the Internet that get onto these computers. Some steal the private information on the computer, some take over control of the computer when they receive a command to do so. Millions of computers are infected. Most people don't know and pretty much don't care.

ruth

Is this University-ese (Oppositely) or has it really been added to Webster's dictionary since my college days! wow.

Kieron Seymour-Howell

I fail to see what IT security has in relation to political viewpoints? Unless you are accounting for the paranoia and ignorance most often touted and spread about by middle managers and political leaders. I fail to see how climate change relates to IT security. I can absolutely assure you that the computers used to model global weather patterns do not run on Windows, or any other popular desktop OS. I fail to see why we have to put up with American political views, usually racial, ignorant, and arrogant, about guns and terrorism or any number of other pop-culture issues that seem to pop up like weeds to infest the comments section of technology articles. It is like having annoying TV commercials interrupt your favourite show. I find it ironic that since this article touches upon psychology traits, these types of political comments do come out like mistimed and poor taste comedy routines. I wonder if anyone has ever done any sort of study correlating the efficiency and effective communication skills of someone who is addicted to puffing out political views whenever they get the chance? It is likely those personality types probably experience a higher mortality rate amongst their peers though... *grins* The problem as I see it is that these people see political views everywhere like dictators see assassins. They're so pathetically insecure and trivial in their desperate desire to justify their own existence, often through obscure and ridiculous opposing views, that they miss all other aspects of any conversation once they supposedly detect a political statement. Some sort of internal alarm sounds and the conversation immediately swings to who is an elephant or a donkey. If it was not so damnably annoying, it would be hilarious. You have to feel sorry for them though; or not. lol

alamedaod

I'm a user. Had a computer since 1982. But you guys would call me "illiterate". The rules regarding passwords are ludicrous. I probably have 200 online accounts and there is no way I can keep track of the passwords. So LASTPASS it is. But some sites won't let LASTPASS fill out the password for you. Some won't even let you paste into the password field. Yet they want high-security pws. So how the heck are you supposed to remember 15#ee5kpot%? Perhaps a sticky on your monitor. MAKE IT EASIER Pleeeeeeeeeeeeze

JCitizen

As for me - give me liberty or give me death - it can be that simple. If I have to choose between the safety of my nation and the loss of my liberty to a tyrant, then nation be damned, I could care less; life isn't worth living without being free. The only factor tempering that attitude is my Lord - religious beliefs transcend even freedom. There is no doubt that freedom is the best environment for Christianity; it is just that we have to take others into our consideration when looking at any degradation of life and liberty. I'm not condoning tyranny just because of this factor, I'm just saying that violence is not always the answer either - but jail time for whistle-blowers, and even sacrifice of life, like that of Karen Silkwood's, sometimes becomes necessary. It is sad that it has to come to that because of timid people's unreasonable fears, but just as John 15:13 says, "Greater love has no man than this, that a man lay down his life for his friends"; I think this bears consideration too. We are supposed to be the land of the brave - we need to grow a pair and live up to that ideal. Edward Snowden should probably face the music - but I wonder if he'd truly get a fair trial here. It is hard to look at him as a hero without him facing the consequences though.

NickNielsen

or self-created. As an example, the average American is more likely to win the lottery than be a victim in a terrorist attack. The expansion of surveillance is not about protecting us, it's about controlling the people to protect those "in charge".

Michael Kassner

I sure see a whole lot of lousy vehicle drivers on the freeway.

Michael Kassner

Convenience is tough to ignore, particularly when people are given the extra incentive that doing something will save them money.

Michael Kassner

That in more cases than not upper management is as guilty as any other division. So if they don't buy in, it becomes more than difficult.

Michael Kassner

You state: "my IT world risk is the combination of probability (of occurrence) and severity of outcome." That is what Rose and I consider a bigger threat.

Michael Kassner

And are doing a good job. I will mention that with this business about companies turning over information without warrants, I'm concerned about password managers with a cloud/company server component. It might be best to use a self-contained manager like this one: http://passwordsafe.sourceforge.net/ I also think you are correct in answering the security questions as you do. What most people do is add the answer to the note section of that entry in the manager. I know it is a pain, but security is never convenient. I also wanted to mention that a security question is not considered a second factor; it is a second step of the same factor -- more secure, but not nearly as secure as using another factor. The factors are:

  1. What you know
  2. What you have
  3. What you are

The security question and the password are both "what you know."
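DontKnowItAll's worry above about guessable "secret" answers, and Kassner's reply that a security question is a second step of the same factor, can be made concrete. The following Python is an added example, not code from the article or from either commenter. It assumes a hypothetical server-side password-reset flow: a small table classifying each authentication step by Kassner's three factors, and a ResetVerifier that treats a security-question answer the way a password should be treated (normalized, salted and hashed with scrypt, compared in constant time, and locked after a few failures). The step names, the scrypt parameters and the lockout threshold are the example's own choices.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Which of Kassner's three factors each authentication step exercises.
# The step names are this example's own; a security question is knowledge,
# exactly like the password it is supposed to back up.
FACTOR_OF_STEP = {
    "password": "what you know",
    "security_question": "what you know",
    "totp_code": "what you have",
    "hardware_key": "what you have",
    "fingerprint": "what you are",
}


def distinct_factors(steps):
    """Return the set of factor classes a login or reset flow actually exercises."""
    return {FACTOR_OF_STEP[step] for step in steps}


def is_multi_factor(steps):
    """True only if at least two different factor classes are required."""
    return len(distinct_factors(steps)) >= 2


def normalize_answer(answer):
    """Fold case, strip accents, and drop spaces and punctuation so that
    'St. Paul', 'st paul' and 'STPAUL' compare equal. Normalization widens
    what an attacker's guess can match, which is one more reason the answer
    needs the hashing and lockout below."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)


def hash_secret(secret, salt):
    """Hash a knowledge secret with scrypt, as you would a password.
    n=2**14, r=8, p=1 are illustrative parameters chosen for this example."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)


class ResetVerifier:
    """Server-side check of a security-question answer during a password reset.

    The answer is stored only as a salted scrypt hash, compared in constant
    time, and locked after MAX_ATTEMPTS failures, because the answer space of
    a typical question is tiny compared with a random 25-character password.
    """

    MAX_ATTEMPTS = 5  # example's own threshold

    def __init__(self, answer):
        self.salt = os.urandom(16)
        self.digest = hash_secret(normalize_answer(answer), self.salt)
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.MAX_ATTEMPTS

    def check(self, candidate):
        """Return True only for a correct answer on an unlocked verifier."""
        if self.locked:
            return False  # further guesses are refused even if correct
        ok = hmac.compare_digest(
            hash_secret(normalize_answer(candidate), self.salt), self.digest
        )
        if not ok:
            self.failures += 1
        return ok


if __name__ == "__main__":
    print("password + question is multi-factor:",
          is_multi_factor(["password", "security_question"]))
    print("password + TOTP is multi-factor:",
          is_multi_factor(["password", "totp_code"]))
    v = ResetVerifier("St. Paul")
    print("'ST PAUL' accepted:", v.check("ST PAUL"))
    for guess in ("Fido", "Rex", "Max", "Bella", "Lucy"):
        v.check(guess)
    print("locked after five wrong guesses:", v.locked)
```

is_multi_factor(["password", "security_question"]) is False because both steps are "what you know", which is Kassner's point. The lockout matters because normalization and the small answer space make a real answer far cheaper to guess than a long random password; a random answer kept in the password manager, as DontKnowItAll and Kassner describe, removes the guessability but does not add a second factor.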

Michael Kassner

I did not impart my thoughts in the article; I interviewed an expert presenting her views. And I do not feel that she is suggesting anything either, just pointing out what she has observed -- which happens to be that, in large part, specialists do not communicate effectively.

JimFarm

"But I am sick and tired of being told IT has to understand the users, and the business, and the blah, blah, blah!!!!!!!!!!!!!!!! Hopefully in the blogs etc. that our users read they are being told they have to try harder to understand their IT team, but somehow I doubt it." You don't seem to understand that you are in a customer service job. Yes, your job is to serve the needs of end users (who are your customers). That requires not only having good technical skills but also good people skills. If you have no wish to understand the users and the business, you should seriously start thinking about a career change.

Michael Kassner

I hope you did not conclude I was trying to point a finger anywhere specifically. What I found fascinating was Rose explaining that each and every one of us sees reality differently. I'm still crunching that one.

eegomez

You seem to be missing the problem. Your job as a system administrator is to do things to the system that make it LESS usable, in order to protect it. Users are grateful to you when you install something new or when you recover from a crash or fix a virus infection. The rest of the time you are a daily annoyance.

aidemzo_adanac

No? Find some. Politics is what TR was built on; it just kinda finds its way in every now and then. Two of the longest running and most popular discussions ever on TR were about Climate Change and Evolution, well I'm sure a few GWB rants took a few posts too. [i]"I fail to see why we have to put up with American political views..."[/i] That would be because it's a privately owned and operated, American website where the majority of members are from the USA. [i]I wonder if anyone has ever done any sort of study correlating the efficiency and effective communication skills of someone who is addicted to puffing out political views whenever they get the chance?[/i] As soon as they finish explaining to whiners how to use a mouse and click a different link, they'll be right on that. [i]"The problem as I see it is that these people see political views everywhere like dictators see assassins. They're so pathetically insecure and trivial in their desperate desire to justify their own existence, often through obscure and ridiculous opposing views, that they miss all other aspects of any conversation once they supposedly detect a political statement."[/i] EXACTLY, and THAT'S what makes it so much fun. I missed what you were adding to the discussion though, while you were complaining about how off topic the discussions go.

Paul.a.s

One idea I had, print passwords as barcodes, stick 'em somewhere on your desk, then use a scanner to log in!

emgub

For websites that don't let you save in Lastpass, you can enter your user name and password but don't hit submit yet. Go to the Lastpass button and choose the last option "save all entered data". Then submit it. Next time you go back to the site it will remember you.

psf

"MAKE IT EASIER Pleeeeeeeeeeeeze" is a GREAT password! (just make sure the number of e's is an easy-to-remember number for you) Good job coming up with it. Now you just need to add something to the beginning, end, or even the middle that is unique to each site. Even something obvious, like "MAKE IT EASIER Pleeeeeeeeeeeeze.techrepublic.com" And you don't even need Lastpass (although I do recommend it)! Of course, we all know it now, so you might use something else. But the point is - it is actually really easy to come up with a good password. You just need to make a few decisions and stick to them:
* what is your long phrase?
* how will you vary it by site?

rwnorton

Oops - using a Microsoft Wedge Mouse and the pointer slipped just as I was trying to click on the "+" vote. So sorry... don't find a way to fix it.

rwnorton

I know, boy do I know. When I became ITIL Foundation certified, I made a presentation to the CIO with the intent of pointing out where our (many) gaps are, and it fell on deaf ears. The response was "we do that". Yes, "we do that" - all IT organizations "do that". But without clear-cut definition and relationships it is inconsistent at best, and more often than not, reactionary. At the time I was responsible for global application support, database support, and the North American service desk. I know for a fact that almost none of the roles, responsibilities, and relationships were defined in anyone's job description, nor was performance evaluated on it, and data was rarely collected to evaluate it. It was often unclear exactly who was responsible for "that". And the largest gaps were at the top - specifically things like cost/risk assessment and budgeting. Most organizations have no idea what even an hour's outage costs, much less a day or more. You raise a worthy topic - one IT needs to be aware of, and try better to overcome. And your reply to my comment is spot-on. I would go so far as to say that IT's greatest challenge is in the other direction - UP the ladder, not the end users. Technology pretty much allows us to force compliance on the end users. But not if upper management doesn't believe in it or is unwilling to pay for it...

enderby!

from this writing, but I think I understand your view. One thing is for sure, if you meant to get some reactions here, it sure worked. Peace.

aidemzo_adanac

It took until 1984 for New York to START the seat belt laws in the USA. That's 29 years ago and people STILL thought seat belts were not needed. One guy gets trapped in an accident and hundreds of millions of others justify it as a reason that seat belts don't save lives. Kinda like GW and everything else, one tiny conspiracy theory and 300 million join the club. As for helmet laws, in BC, Sikhs are allowed to wear turbans INSTEAD of helmets; I consider it natural selection though. Their insurance doesn't cover them for head injuries though, they forfeit life in order to retain their chosen religion. This one cracks me up, I saw them this year and just about wet myself. http://tinyurl.com/oamdn4w LOL, GO ROCKET~ !!!

aidemzo_adanac

The USA was WAAAAAAAAAAY behind others in recognizing that seat belts save lives. It took until 1984 before New York finally started the US trend of making seat belts compulsory. That's only 29 years ago! Despite constant proof that seat belts were saving lives, the American people denied it because every now and then, someone would be trapped by a seat belt in an accident. Now if one person suffers, then the other few hundred million shouldn't wear them. I know it's a pretty clever mind set, kinda like GW and all the other issues that are discarded because of one small conspiracy theory. Mind you, in BC you are allowed to substitute a turban for a helmet (I KNOW!). They pretty much write themselves off though; insurance won't pay to put your head back together, you forfeit that part of your coverage. Gotta admit though, watching this with my very own eyes was pretty freakin hilarious! Just a Google image page, long link, sorry. https://www.google.ca/search?q=sikh+motorcycle+club&bav=on.2,or.r_qf.&bvm=bv.48293060,d.aWc&biw=1440&bih=785&um=1&ie=UTF-8&hl=en&tbm=isch&source=og&sa=N&tab=wi&ei=HmfIUdaQCqrwyAHJuoHwAw#facrc=_&imgdii=_&imgrc=h3kOLZGmQp5bbM%3A%3BJYEja2vvSHUkcM%3Bhttp%253A%252F%252F1.bp.blogspot.com%252F_LTO3CJPsu5Y%252FTKnm90zG8UI%252FAAAAAAAAGOw%252FbjgSm4_5zao%252Fs1600%252FIMG_1379.JPG%3Bhttp%253A%252F%252Fmotorcycho.blogspot.com%252F2010%252F10%252Fsikh-mc.html%3B1600%3B1200

aidemzo_adanac

I used to sell the software and scanners to do it.

wdewey@cityofsalem.net

A longer password is more secure than a short complex password. Unfortunately the password requirements vary so much between sites that it is difficult to have one standard password that works. I use KeePass because it is impossible to remember less frequently used passwords. I would like to see governments issue smart cards and have everything go to smart card authentication, but the likelihood of that happening is small. Bill

Michael Kassner

I'm more concerned and happy that you have commented and shared your experiences. Learning what others have to deal with helps all of us.

Michael Kassner

The place where it's the most obvious is with BYOD. I have received email from many IT pros telling me about how upper management has forced acceptance without regard for security, and told IT that it's "do as I say and not as I do." Not sure what the answer is for the people having to deal with that.
