John Pescatore

A member of the Gartner Blog Network

Twelve Word Tuesday: European View of Security vs. North American View

by John Pescatore  |  September 30, 2008  |  10 Comments

NA vs. EU Security Attitudes

(posted from the Gartner IT Security Conference in London)

10 responses so far ↓

  • 1 Greg Young   September 30, 2008 at 2:39 pm

    Carbon based operating systems have proven themselves highly vulnerable and unpatchable. Just say no to pop-ups and posters.

  • 2 John Pescatore   October 1, 2008 at 4:36 am

    Well, I think they are patchable – but the patches take generations to stick and the threats change continually. I’m sure pretty soon people will stop falling for the same scams that my grandfather fell for 100 years ago…

  • 3 Hyrum   October 1, 2008 at 2:20 pm

    John –
    You forget that the patches tend to undo each other. If people stop falling for those scams, which others will they start falling for again? We seem to have limited bandwidth…

  • 4 John Pescatore   October 1, 2008 at 2:58 pm

    At the Gartner security conference here in London, we had a keynote speaker talk about the “Mark 1 Human Being” who apparently would *not* fall for new scams and *would* stop falling for old scams. I’m pretty sure that Mark 1 beings are only found on planets where corn on the cob is eaten vertically, though…

  • 5 Stiennon   October 1, 2008 at 5:11 pm

    I like the EU approach if it means warning people of acceptable use and then enforcing it.

    -RS

  • 6 John Pescatore   October 1, 2008 at 11:17 pm

    That’s security 101 – what everyone is supposed to do. The EU philosophy is more along the lines of “security is a people problem. We can change the people through education.” rather than focusing on technology to enforce.

    Now it may be that no one has done education right, but I’ve seen many, many product presentations on “building a secure aware culture” and rarely if ever seen any actual improvement in security. Education tends to just be a way to say “I told the users not to do that” after a security incident – blame shifting.

  • 7 Rob Lewis   October 5, 2008 at 11:32 am

    Sure, it is a people thing. We need a technology that protects people from themselves!!!

  • 8 John Pescatore   October 5, 2008 at 7:24 pm

    Exactly! The example I always use is the “interlock” – like having to have your foot on the brake in order to shift from park to drive.

  • 9 Rob Lewis   October 6, 2008 at 2:52 pm

    This may be semantics, but it may not be necessary to “force” users to behave correctly, but to set an enforceable boundary that prevents incorrect behaviors. Subtle difference.

  • 10 John Pescatore   October 6, 2008 at 4:49 pm

    Yeah, that difference is probably a bit *too* subtle for me. Having the diameter of the diesel nozzle at my local gas station be too large to fit in my non-diesel car’s gas tank does a decent job of preventing me from ruining my engine. Whether that forces me away from danger or subtly prevents incorrect behavior is questionable.

    Now, good UI design can *definitely* reduce the chance of misbehavior. But variable typing and input limitations to block, say, buffer overflow or command injection attempts is back to the gas pump analogy.
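The “gas pump nozzle” idea from the last comment, an input limit that simply does not fit the wrong thing, can be shown in code as an enforceable boundary rather than a warning to the user. The example below is added here and is not code from the post or from any of the commenters; the ping-a-hostname use case, the `Hostname` type and its length and character limits are assumptions chosen to illustrate the point. The only way to reach the command runner is through a value that has already passed the boundary, and the command is built as an argv list with no shell, so there is no interpreter for stray characters to reach.

```python
"""An 'interlock' for untrusted input: a typed, length-bounded hostname
and a subprocess call with no shell.  Added illustration; the ping use
case and the limits below are assumptions, not anything from the post."""
import re
import subprocess
from dataclasses import dataclass

# One DNS label per RFC 1123: letters, digits, hyphens, 1-63 chars,
# no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_HOSTNAME = 253  # upper bound on a full DNS name (assumed limit)


@dataclass(frozen=True)
class Hostname:
    """A hostname that has passed the boundary check.  Constructing one is
    the only way to obtain a value the command builder will accept, so a
    caller cannot skip the check by accident."""
    value: str

    def __post_init__(self):
        if not isinstance(self.value, str):
            raise TypeError("hostname must be a str")
        if not 0 < len(self.value) <= MAX_HOSTNAME:
            raise ValueError("hostname length out of range")
        if not all(_LABEL.match(label) for label in self.value.split(".")):
            raise ValueError("hostname contains characters outside the allowed set")


def passes_boundary(raw) -> bool:
    """True if `raw` would be accepted as a Hostname, False otherwise."""
    try:
        Hostname(raw)
    except (TypeError, ValueError):
        return False
    return True


def build_ping_argv(host: Hostname, count: int = 1) -> list:
    """Build the command as an argv list.  A list is handed straight to the
    OS, never to a shell, so metacharacters are just ordinary bytes."""
    if not isinstance(host, Hostname):
        raise TypeError("build_ping_argv accepts only a validated Hostname")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), host.value]


def run_ping(raw_input: str) -> int:
    """Validate, then execute.  The wrong shape never gets as far as exec."""
    host = Hostname(raw_input)  # the nozzle: if it does not fit, nothing proceeds
    return subprocess.run(build_ping_argv(host), shell=False).returncode


if __name__ == "__main__":
    print(build_ping_argv(Hostname("example.com")))
```

The type is the interlock: `build_ping_argv` refuses a plain string, so the check cannot be forgotten at any call site, and `shell=False` means the user is never “educated” about which characters to avoid because there is nothing downstream that would interpret them.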
