[ISN] How Insecure Do You Think You Are?

From: InfoSec News (alerts@private)
Date: Tue Oct 10 2006 - 01:01:24 PDT


http://www.internetnews.com/stats/article.php/3636831

By Sean Michael Kerner 
October 9, 2006

A new Cisco-sponsored global study of 1,000 remote workers indicates 
that IT workers may well be engaged in more insecure activities than 
they are willing to admit.

Users are apparently aware of insecure activities, such as opening 
e-mail attachments from unknown senders; yet they still open the 
attachments and e-mails. The study, which was conducted by research firm 
InsightExpress, reveals a number of such security contradictions.

For the most part, users are aware of IT security concerns, but not 
pervasively so. Sixty-six percent of global users indicated that they 
were aware of security concerns when working remotely.

"At least one-third were not even aware that they are exposed to or 
could experience security breaches or compromises," Bruce Murphy, 
Cisco's vice president of Advanced Services, told internetnews.com.

Only 25 percent of global respondents admitted to using their work 
computers to open an unknown e-mail. However, when the question about 
what they do with unknown e-mails was asked a different way, the results 
were somewhat different.

Respondents were given five choices:

1. Leave the e-mail unopened and notify IT;

2. Leave the e-mail unopened but not notify IT;

3. Open the e-mail to see who it's from but not open any attachments or 
   links;

4. Open the e-mail to see who it's from and open any attachments or 
   links; and

5. Delete it immediately without opening it.

When presented with options as to what they would actually do with the 
e-mail from an unknown sender, 44 percent of respondents admitted that 
they would open the e-mail.

A similar sort of contradiction appeared in response to questions about 
personal versus work use for respondents' work computers.

On a global basis, 29 percent of respondents reported using their work 
computers for personal purposes. Yet 40 percent admitted to using their 
work computers to buy personal items and 46 percent admitted downloading 
personal files to their work computers.

"We see inconsistencies between what people say they do and what they 
propose they might do in certain cases," said Erica DesRoches, program 
manager for InsightExpress.

Twenty-one percent of global respondents admitted to allowing others to 
use their work computers and 11 percent admitted to using their 
neighbor's wireless connection.

According to DesRoches, the inconsistency of responses is one of the 
most surprising aspects of the survey and one that likely requires 
further examination to better understand.

"People understand that they should be concerned about security but they 
don't behave in secure ways," DesRoches said.

"Is that because they feel overly confident that their IT department has 
them covered in all scenarios, or is it because they are simply willing 
to take risks?"

From Cisco's point of view, the survey and its findings aren't about 
driving any Cisco product. In fact, Cisco's Murphy argued the study was 
vendor-agnostic and is really an attempt at a different type of security 
survey.

"There have been lots of surveys; most of them are very numbers driven. 
What's different here is that it gets into people's behaviors," Murphy 
said.

"What people who are sophisticated in the security space know is that 
it's not just one specific area or issue. It's primarily driven by 
people's behaviors."




