Posts

Showing posts from May, 2008

The business case for security awareness

Today we've released an updated version of our business case for a security awareness program. I wrote the first complete version of this paper a few years ago, developing a set of ideas I'd had and written into budget applications and investment proposals over previous years. It gets updated every year or so to reflect the state of the art and remains one of the most popular white papers on our website. I'm currently working on an ENISA project developing advice for organizations on building the business case for security awareness. The project team members represent a variety of experiences and backgrounds so it will be fascinating to see how things work out. I'm sure the end result of our work will be a useful and worthwhile document but, as is so often the way with collaborative projects of this nature, a productive team gets even more value from the writing process - sharing thoughts and methods, discussing common issues, explaining things and illuminating the t...

Profile of an identity theft victim

According to the Beeb, the UK credit reporting agency Experian has analyzed its records to profile typical victims of identity theft. The results are thought provoking. "Company directors or those running their own businesses are most likely to be victims of identity theft, according to a report from Experian." Um. So company directors are unable to spot phishing and similar ID theft scams? I thought being in a responsible management position implied a level of intelligence, integrity and ability. Perhaps the phishers and other identity thieves are a step ahead after all. "The credit reference agency said 6,000 victims in the UK asked its staff for help last year, a 66% rise on 2006." Oh oh. Either ID theft has risen significantly, or Experian's marketing wizards have had an exceptional year. "The most likely victims were aged between 26 and 45, earned more than £50,000, rented their home and lived in London, Experian's analysis found." OK,...

New awareness module on phishing & identity theft

It's out! The latest NoticeBored awareness module on phishing and identity theft. It's no coincidence that this module follows last month's on IT fraud, integrity & trust. We try to link successive modules in some way for continuity, making the awareness program flow a little. It will be an interesting challenge for us to link from phishing/ID theft to next month's one on information security and risk management, though, but we'll give it a go.

"Password protected" again

The BBC reported that over 38,000 patients' confidential health records have gone missing on a backup tape from an NHS Health Centre on the Isle of Wight. The tape was lost by a courier firm en route back to the centre after having been checked for integrity. Though the centre was clearly concerned about data integrity, confidentiality seems to have been further down their priority list: "The risk of the tape being misused is extremely small," the trust spokesman added. "The tape requires specialist computer equipment to run it and the data is password-protected. Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape." The 'specialist computer equipment' is presumably some sort of tape drive. OK, so it's not the kind of thing that everyone has lying around in their bedroom but some do, and specialist data rec...

ISC2 blog launched

(ISC)2, the organization behind SSCP, CISSP and CISSP-concentration certifications, has released a new blog aimed primarily at qualified information security professionals but also relevant to those just considering qualification and in fact anyone with an interest in information security. I'm delighted and humbled to have been invited to join the blogging panel alongside a range of well known and highly experienced colleagues. As the (ISC)2 blog develops, I expect I will be blogging less frequently here on the NoticeBored blog on topics that are not directly related to our current monthly awareness topic, moving those general interest posts over to the (ISC)2 blog ... so, if you want to continue seeing all these little pearls of wisdom plus others from the erudite (ISC)2 blogging panel, please subscribe to the (ISC)2 blog as well as this one. It's free, of course, and easy to track through blog aggregators such as Bloglines.

WE SCREAMED! BE AWEAR!

Most inbound 419 scams go directly to my spam box but every so often one escapes detection and lands up in my inbox. 99% of those get instantly deleted .... but oh I do enjoy the remaining 1%. Here's a classic example: ------------------------- Assistant Director in Charge Joseph Persichini, Jr J. EDGAR. HOOVER BUILDING WASHINGTON D.C 13/10/2007 http://www.fbi.gov ROBERT MUELLER EXECUTIVE DIRECTOR FBI FBI SEEKING TO WIRETAP INTERNET. ATTNETION THIS IS TO BRING TO YOUR NOTICE THAT WE THE FEDERAL BUREAU OF INVESTIGATION (FBI) HAVE BEEN CONTACTED BY THE OFFICE OF THE PRESIDENCY FEDERAL REPUBLIC OF NIGERIA TO COMMENCE WORK THROUGH OUR INTELLIGENCE MONITORING NETWORK TO MONITOR THE ON GOING TRANSACTION BETWEEN YOU AND THE (INTERNATIONAL CREDIT SETTLEMENT DEPARTMENT/KTT CENTRAL BANK OF NIGERIA.) WE HAVE BEEN INSTRUCTED TO MAKE SURE THAT THE OUT STANDING PART PAYMENT WHICH IS SET AND READY TO BE PAID TO ALL THE BENEFICIARIES AND INHERITORS IS MADE TO THEM COMP...

Compliance - a matter of managing risks

Today I've been browsing the good stuff going on over at Unified Compliance Project whose aim, as I understand it, is essentially to help organizations find and exploit alignments between various compliance requirements, eliminating duplication and hence reducing the total amount of compliance effort required. For example, implementing an ISO/IEC 27001-compliant Information Security Management System (ISMS) should simultaneously satisfy most if not all legal requirements for information privacy controls (with no additional effort), and should at least partially satisfy governance requirements arising from SOX, in addition to miscellaneous business benefits as a result of having a best practice ISMS. One of the issues I've been pondering relates to "mandatory" requirements and obligations such as those enshrined in laws, regulations and contractual terms. It seems to me that, despite initial impressions, compliance with "mandatory" requirements may not be...

Love hurts

A heart-wrenching story from New Zealand shows the human impact of a 419/advance fee fraud involving a dating site, a fraudster and a naive individual. Some if not most of the people who use online dating sites deliberately expose vulnerable parts of their personas as part of the deal. It's an inevitable part of the process of falling in love. But, as in Real Life, there are some who exploit such vulnerabilities to take advantage of the situation. A woman who initially claimed to be in South Africa struck up an online relationship with a Kiwi man. Things developed, as they do, with the couple swapping little love notes online and through text messages. Flattered at the attention and besotted with the woman, the man agreed to send NZ$2k "towards her air fare", sending it to Kuala Lumpur where she was (allegedly) staying. It was OK, she assured him, because she was due US$30k from a company her father had worked for, but he and his wife had been "killed in a c...

Security awareness: how not to do it

I spent a few hours at the weekend viewing/listening to a series of presentations to accompany the launch of the Information Security Awareness Forum (ISAF) in London. If you have read the previous blog item, you'll know that one item in particular caught my eye/ear. One of the presenters essentially said that security awareness doesn't work, a somewhat curious perspective to express in support of a security awareness initiative. Anyway, it's not the first time I've heard the argument and I've been mulling it over ever since. My blood having dropped just below boiling point, it's time to respond. Today I took one of those "online security awareness" things, and came away with a whole case study on How NOT To Do security awareness. I shan't name the organization concerned because my aim is not to embarrass them in any way, and it really doesn't matter - I'm sure these lessons are equally valid for many other security awareness programs...

Errors in financial accounts

A study reported in CFO Magazine identifies 'internal errors' (mistakes by employees) as the biggest cause of financial restatements, responsible for 56%. Next biggest was 'regulatory demands' at 38%. [Deliberate] 'manipulation' and 'complexity' accounted for just 3% each.

Logo fun

A new logo at the UK's Office of Government Commerce looks fine, until you turn it on its side. This reminds me of the issue of naming products that will be sold internationally. Something totally innocent in one country may be highly inappropriate in another. I won't be too specific here but some of the model names I spotted in Japan last month would be considered offensive in some other countries. Or, as Anton would say, "context is everything".

Information Security Awareness Forum

I've finally found some time this Sunday afternoon to take a look at what's been going on in the UK with the new Information Security Awareness Forum (ISAF). While my passion for security awareness is undented, it's hard to support the ISAF as currently constituted. My first thought was to browse their website ... except that today it is unavailable. Perhaps not the best advertisement for a security awareness initiative! Luckily the ISAF launch at InfoSecurity last month was recorded and the presentations are still online. According to David King, Chairman of the ISAF, the ISAF is focused on raising security awareness in the UK by coordinating existing security awareness activities. He told us, more than once, that 'not reinventing the wheel' is a key ISAF goal but, curiously enough, the ISAF is essentially UK-only, so presumably he thinks nobody else in the world faces the same challenges. Further, he implied that the ISAF will not create anything new, presumably...

Breaches harm trust

Here's another aspect to trust, something that we covered only peripherally in the latest NoticeBored module. After a security breach that affects third parties, guess what? The affected parties no longer hold the breached organization in such high regard. Along with reputation, trust is damaged. Here's an example from an April 10th piece in Deseret News: Federal officials said a former state employee who took applications from people seeking food stamps and other welfare aid worked with three others to steal the identity of Utah residents and charge tens of thousands of dollars in purchases. During a joint press conference Thursday, federal and state officials said this was the largest security breach at the Department of Workforce Services and were working to reinstate the public's trust. ... "We sincerely regret this breach of security," said DWS Executive Director Kristen Cox in a statement. "Our former employee's alleged misconduct certainly do...