What are the most common mistakes made with regard to security policy?

Very often, security policy comes down to threat avoidance only, and because of that it interferes with users' work. On the slide this problem is called user resistance. When security policy implementation is carried out hastily and users are not part of the process, the result will be as ludicrous as the traffic lights shown in the slide. It does not really help the traffic, does it?

If security policy does not allow for functionality, users will most certainly find a way to bypass it. Instead of cooperating, they will start to rebel.

The second mistake could be referred to as an information gap: a situation where users are given too little explanation. For example, how do we convince employees that, as far as security is concerned, it is not really advisable to use social networking sites? You may know that in the last two or three years career women aged 30 to 50 have been the fastest growing demographic on Facebook. They didn't really use social networking before, but they seem to like it now. A short notice forbidding users to use social networking sites creates an information gap. It provides too little explanation and is likely to be seen as a pointless, annoying inconvenience.
Our security policy should never give rise to such situations.

Unawareness of cyber threats is yet another obstacle to effective computer security measures. The first picture in the slide shows a company of strategic importance, say a factory or a power plant. As you can see, security policy in the company does not forbid connection of personally owned computers to the company's network. When Storm wreaked havoc in 2007, it showed how dangerous such behavior could be. If we do not help others to understand these threats, we cannot expect them to act in a safe way.

Security services fail also because users are not able to use them properly. It's not really that users are completely helpless in the face of all-powerful cyber attackers. On the other hand, software and operating system manufacturers can't make us use their products in a secure way. Sometimes they even discourage it. The second picture in the slide shows a software security setting option which is by default disabled, even though it can block dangerous file types. There are few, if any, users who would intentionally find and check such an advanced option. This kind of security policy is ineffective by nature.

The next picture was taken at an airport. It proves that even reliable security measures such as CCTV can be used ineffectively.
Maybe the point of the solution presented here was to get a really good look at the monitor. If so, it definitely serves its purpose. In the real world such negligence is easy to spot. On the Internet, however, mistakes of the same sort may remain unnoticed. They are simply not that conspicuous.

The lack of any kind of security policy is the main reason for the ineffectiveness of computer security systems. Having no security policy means that we are not able to decide which content we should protect. In the real world, you wouldn't find a private security firm that would agree to provide protection if they didn't know what they were to protect. In the world of computers, comparable situations are still relatively easy to come across.