Friday 30 May 2008

The business case for security awareness

Today we've released an updated version of our business case for a security awareness program. I wrote the first complete version of this paper a few years ago, developing a set of ideas I'd had and written into budget applications and investment proposals over previous years. It gets updated every year or so to reflect the state of the art and remains one of the most popular white papers on our website.

I'm currently working on an ENISA project developing advice for organizations on building the business case for security awareness. The project team members represent a variety of experiences and backgrounds so it will be fascinating to see how things work out. I'm sure the end result of our work will be a useful and worthwhile document but, as is so often the way with collaborative projects of this nature, a productive team gets even more value from the writing process - sharing thoughts and methods, discussing common issues, explaining things and illuminating the topic as we go.

Thursday 29 May 2008

Profile of an identity theft victim

According to the Beeb, the UK credit reporting agency Experian has analyzed its records to profile typical victims of identity theft. The results are thought provoking.

"Company directors or those running their own businesses are most likely to be victims of identity theft, according to a report from Experian."


Um. So company directors are unable to spot phishing and similar ID theft scams? I thought being in a responsible management position implied a level of intelligence, integrity and ability. Perhaps the phishers and other identity thieves are a step ahead after all.

"The credit reference agency said 6,000 victims in the UK asked its staff for help last year, a 66% rise on 2006."


Oh oh. Either ID theft has risen significantly, or Experian's marketing wizards have had an exceptional year.

"The most likely victims were aged between 26 and 45, earned more than £50,000, rented their home and lived in London, Experian's analysis found."


OK, now I'm starting to see a pattern. Busy professionals in the rat-race that is London, who probably don't have time to bother with small details such as checking their credit card statements or worry about dubious requests from their bank to 'update their details'. Life's too short.

"It takes an average of 18 months for people to realise they are victims."


Oh boy, that's a killer! Just imagine how much damage an identity thief can do over that kind of timescale, and how difficult it must be for the scammed busy professionals to re-establish their identities and credit records after someone has been living their life for 18 months or more.

18 months! I still find it hard to believe. What is going so badly wrong in the financial services industry that such a commonplace fraud takes so long to detect? Does nobody find it remotely strange that one "John Smith" appears to be taking money out of an ATM in Chiswick at the very instant that the same "John Smith" is purchasing first class tickets to Acapulco over the web or in a travel agency in Glasgow? Or that clean-living stay-at-home busy executive and housewife "Jane Smith" has suddenly taken to online gambling and porn in a big way?

I'm trivialising the problem, I know, but there must surely be visible symptoms of fraud when identity theft is evidently happening on such a wide scale, if only someone is looking for it .... My guess is that the British banks and credit card companies are looking hard at their own customers but jealously guarding their data from those nasty competitors who might just be able to make the connections. Further, I bet the Data Protection Act figures large in the executives' thinking, regardless of the ability to disclose information for legal purposes.
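The "same John Smith in Chiswick and Glasgow at the same instant" symptom is exactly what an impossible-travel check looks for, and the point about institutions guarding their own data shows up when the check is run on one log at a time versus the merged logs. The following is an added example, not code from the original post or from any bank: the transaction records, account identifiers and coordinates are constructed (approximate real-world latitudes and longitudes for the places named), and the 900 km/h plausibility threshold is an assumed figure.

```python
"""Impossible-travel check over constructed ATM and card-transaction records (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class Txn:
    account: str    # customer identifier assumed to be shared across institutions (constructed)
    source: str     # which institution's log the record came from
    when: datetime
    place: str
    lat: float
    lon: float


# Constructed sample logs: each institution sees only its own slice of the customer's activity.
BANK_ATM_LOG = [
    Txn("john.smith", "bank-ATM", datetime(2008, 5, 29, 14, 2), "Chiswick", 51.494, -0.268),
    Txn("john.smith", "bank-ATM", datetime(2008, 5, 29, 18, 30), "Chiswick", 51.494, -0.268),
    Txn("jane.smith", "bank-ATM", datetime(2008, 5, 29, 9, 0), "Reading", 51.455, -0.973),
]
CARD_ISSUER_LOG = [
    Txn("john.smith", "card-web", datetime(2008, 5, 29, 14, 3), "Glasgow", 55.864, -4.252),
    Txn("jane.smith", "card-web", datetime(2008, 5, 29, 11, 0), "Reading", 51.455, -0.973),
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed: roughly airliner speed; anything faster is physically impossible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r_lat1, r_lat2 = radians(lat1), radians(lat2)
    d_lat = r_lat2 - r_lat1
    d_lon = radians(lon2 - lon1)
    a = sin(d_lat / 2) ** 2 + cos(r_lat1) * cos(r_lat2) * sin(d_lon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(records, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive pair of transactions on the same account that are
    too far apart for the time elapsed between them (or simultaneous in different places)."""
    by_account = {}
    for t in records:
        by_account.setdefault(t.account, []).append(t)
    alerts = []
    for account, txns in by_account.items():
        txns.sort(key=lambda t: t.when)
        for a, b in zip(txns, txns[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < 1.0:
                continue  # same place: nothing to explain
            hours = (b.when - a.when).total_seconds() / 3600.0
            if hours == 0.0 or km / hours > max_kmh:
                alerts.append({
                    "account": account,
                    "from": f"{a.place} via {a.source} at {a.when:%H:%M}",
                    "to": f"{b.place} via {b.source} at {b.when:%H:%M}",
                    "km": round(km, 1),
                    "minutes": round(hours * 60, 1),
                })
    return alerts


if __name__ == "__main__":
    print("bank log alone:", impossible_travel(BANK_ATM_LOG))
    print("merged logs:   ", impossible_travel(BANK_ATM_LOG + CARD_ISSUER_LOG))
```

Run against the bank's ATM log on its own, the check finds nothing: both of John Smith's withdrawals are in Chiswick. Only when the card issuer's web-purchase record is merged in does the Chiswick-to-Glasgow jump of roughly 550 km in one minute appear, which is the cross-institution correlation the post argues nobody is doing.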

Perhaps, like those busy executives, the British financial institutions are just so caught up in the money-making rat race that they can't be bothered with trivial details such as [escalating] phishing, identity theft and other fraud losses - something Bruce Schneier refers to as delinquency. After all, 'ten grand' is a lot for a single customer to lose but nothing to a bank making billions. Maybe the personal impacts of identity theft on victims' lives simply don't register with the banks. Being 'serviced' by the bank used to be something that customers valued rather than feared.

Wednesday 28 May 2008

New awareness module on phishing & identity theft


It's out! The latest NoticeBored awareness module on phishing and identity theft.

It's no coincidence that this module follows last month's on IT fraud, integrity & trust. We try to link successive modules in some way for continuity, making the awareness program flow a little. It will be an interesting challenge for us to link from phishing/ID theft to next month's one on information security and risk management, though, but we'll give it a go.

Wednesday 21 May 2008

"Password protected" again

The BBC reported that over 38,000 patients' confidential health records have gone missing on a backup tape from an NHS Health Centre on the Isle of Wight. The tape was lost by a courier firm en route back to the centre after having been checked for integrity. Though the centre was clearly concerned about data integrity, confidentiality seems to have been further down their priority list:

"The risk of the tape being misused is extremely small," the trust spokesman added. "The tape requires specialist computer equipment to run it and the data is password-protected. Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape."


The 'specialist computer equipment' is presumably some sort of tape drive. OK, so it's not the kind of thing that everyone has lying around in their bedroom but some do, and specialist data recovery firms almost certainly have them. The 'highly advanced computer skills' needed to read the data are probably not beyond the average IT geek, especially a hacker with sufficient motivation to explore the tape.

But the really strange comment is that "the data is password-protected". IF the spokesman meant that the data were encrypted with a trustworthy encryption algorithm and a strong, long key, why didn't he say so? "Password protected" is normally how missing laptops are described if they don't use encryption. I don't understand how one would 'password protect' a tape.

So, this looks to me like yet another serious personal data breach in the UK, one evidently involving medical data that could well be more sensitive than, say, credit card numbers.

Sunday 11 May 2008

ISC2 blog launched

(ISC)2, the organization behind SSCP, CISSP and CISSP-concentration certifications, has released a new blog aimed primarily at qualified information security professionals but also relevant to those just considering qualification and in fact anyone with an interest in information security. I'm delighted and humbled to have been invited to join the blogging panel alongside a range of well known and highly experienced colleagues.

As the (ISC)2 blog develops, I expect I will be blogging less frequently here on the NoticeBored blog on topics that are not directly related to our current monthly awareness topic, moving those general interest posts over to the (ISC)2 blog ... so, if you want to continue seeing all these little pearls of wisdom plus others from the erudite (ISC)2 blogging panel, please subscribe to the (ISC)2 blog as well as this one. It's free, of course, and easy to track through blog aggregators such as Bloglines.

Thursday 8 May 2008

WE SCREAMED! BE AWEAR!

Most inbound 419 scams go directly to my spam box but every so often one escapes detection and lands up in my inbox. 99% of those get instantly deleted .... but oh I do enjoy the remaining 1%. Here's a classic example:

-------------------------

Assistant Director in Charge
Joseph Persichini, Jr


J. EDGAR. HOOVER BUILDING WASHINGTON D.C 13/10/2007
http://www.fbi.gov
ROBERT MUELLER
EXECUTIVE DIRECTOR FBI
FBI SEEKING TO WIRETAP INTERNET.



ATTNETION

THIS IS TO BRING TO YOUR NOTICE THAT WE THE FEDERAL BUREAU OF
INVESTIGATION (FBI) HAVE BEEN CONTACTED BY THE OFFICE OF THE PRESIDENCY FEDERAL
REPUBLIC OF NIGERIA TO COMMENCE WORK THROUGH OUR INTELLIGENCE
MONITORING NETWORK TO MONITOR THE ON GOING TRANSACTION BETWEEN YOU AND THE
(INTERNATIONAL CREDIT SETTLEMENT
DEPARTMENT/KTT CENTRAL BANK OF NIGERIA.)

WE HAVE BEEN INSTRUCTED TO MAKE SURE THAT THE OUT STANDING PART PAYMENT
WHICH IS SET AND READY TO BE PAID TO ALL THE BENEFICIARIES AND
INHERITORS IS MADE TO THEM COMPLETELY THROUGH TELEGRAPHIC WIRE TRANSFER DR.
YAKUBO YADI DIRECTOR TELEGRAPHIC DEPARTMENT CENTRAL BANK OF NIGERIA.

SEQUEL TO THIS DEVELOPMENT,YOUR INFORMATION APPEARED AS ONE OF THE
CONTRACTORS IN OUR RECORD TO RECEIVED THEIR PART PAYMENT.

THEREFORE,WE THE FEDERAL BUREAU OF INVESTIGATION (FBI) WASHINGTON DC IN
CONJUNCTION WITH THE ECONOMIC AND FINANCIAL CRIMES COMMISSION (EFCC)
HAVE SCREAMED AND FOUND OUT THAT THE TRANSACTION YOU HAVE WITH THE
DIRECTOR OF OPERATIONS INTERNATIONAL CREDIT SETTLEMENT/KTT DEPARTMENT)
CENTRAL BANK OF NIGERIA IS NOTING BUT LEGAL.

YOU HAVE THE LAWFUL RIGHT TO CLAIM YOUR PART PAYMENT AS WE ADVICE YOU
TO GO AHEAD AND DEAL WITH THEM FOR WE ARE MONITORING ALL THEIR SERVICES
WITH THE NIGERIA (EFCC.) IT MIGHT INTEREST YOU TO CONTACT THE (EFCC) ON


FINANCIAL CRIMES COMMISSION OFFICE
15 Awolowo Road Ikoyi
Lagos State Nigeria
EMAIL: financialinvestigationnig@post.ro

YOU SHOULD STRICTLY FOLLOW THE PROCEDURES OF THIS DEPARTMENT BECAUSE
AS A DEPARTMENT, THEY HAVE THEIR OWN LEGAL PROCEDURES WHICH WE HAVE
EXAMINED AND CONFIRMED LEGAL .

IN RESPECT TO THIS, FOLLOW THEIR INSTRUCTION WHILE YOU KEEP US UPDATED
FOR MORE DETAILS. WE WILL LIKE YOU TO KEEP US UPDATED SO FAR AS WE KEEP
OPEN COMMUNICATION WITH THIS KTT DEPARTMENTS OFFICIALS OF CENTRAL BANK
OF NIGERIA.

BE AWEAR THAT THE DIRECTOR OPERATIONS OF THIS DEPARTMENT IS NO OTHER
PERSON THAN DR. YAKUBO YADI DIRECTOR TELEGRAPHIC FOR YOUR INFORMATION.

REPLY THIS MAIL AS SOON AS YOU RECEIVE IT.

THANKS FOR YOUR CO-OPERATION.

WASHINGTON DC.
FBI Director
Robert S. Mueller,

Wednesday 7 May 2008

Compliance - a matter of managing risks

Today I've been browsing the good stuff going on over at Unified Compliance Project whose aim, as I understand it, is essentially to help organizations find and exploit alignments between various compliance requirements, eliminating duplication and hence reducing the total amount of compliance effort required. For example, implementing an ISO/IEC 27001-compliant Information Security Management System (ISMS) should simultaneously satisfy most if not all legal requirements for information privacy controls (with no additional effort), and should at least partially satisfy governance requirements arising from SOX, in addition to miscellaneous business benefits as a result of having a best practice ISMS.

One of the issues I've been pondering relates to "mandatory" requirements and obligations such as those enshrined in laws, regulations and contractual terms. It seems to me that, despite initial impressions, compliance with "mandatory" requirements may not be a simple binary condition. For a start, in most cases, the requirements are more complex than that. It is conceivable for the organization to be fully compliant with certain parts of the requirements but not so for others. Furthermore, the extent of compliance with any one requirement is often subject to interpretation, either because the requirement is ambiguous (hopefully not!) or because the organization and whoever is assessing compliance (law enforcement, lawyers, auditors, regulators, management) have their own viewpoints and prejudices. Finally, there is a chance that noncompliance might not be detected, or even if it is, it might not lead to the worst case consequences often paraded by the compliance lobby.

It's the same with speeding laws. If I break the speed limit, even by 1 mph, I am strictly failing to comply with a mandatory legal obligation. In practice, however, it is extremely unlikely I would ever be stopped for 1 mph over because (a) there are insufficient policemen with radar guns to track my every journey; (b) their radar guns have tolerance limits; (c) my speedo has tolerance limits, and the police and/or prosecutors allow me some flexibility; (d) if I am caught, there's a chance I might talk my way out of it; (e) even if I am fined, I might escape justice by fleeing the country, or I might get off "on a technicality". The situation changes for every mph over the limit - as indeed do my chances of being involved in a fatal accident. I weigh all this up every time I drive. [And yes I make mistakes: I have been fined for speeding. I didn't flee the country, I paid up and "learnt my lesson".]

So, all of this is, in fact, a risk management exercise. I assess the threat (of being caught speeding), the vulnerability (how far over the limit I am going) and the impact (the fines, the grief).

Something like SOX can be treated in the same way. Management may consciously choose NOT to be totally compliant, assessing the risks like any other business decision. Maybe they will get away with it. Maybe they can present good enough excuses to the auditors etc. to escape the full force of the law. Maybe the commercial benefits of noncompliance justify it in purely economic, if not ethical, terms.

I haven't seen this kind of perspective discussed anywhere but I am not a compliance expert. Perhaps it's old hat and I've just stumbled across something that is already well known. Or perhaps this stuff actually happens but nobody is willing to acknowledge it openly? I'd be interested in your thoughts.

Tuesday 6 May 2008

Love hurts

A heart-wrenching story from New Zealand shows the human impact of a 419/advance fee fraud involving a dating site, a fraudster and a naive individual.

Some if not most of the people who use online dating sites deliberately expose vulnerable parts of their personas as part of the deal. It's an inevitable part of the process of falling in love. But, as in Real Life, there are some who exploit such vulnerabilities to take advantage of the situation.

A woman who initially claimed to be in South Africa struck up an online relationship with a kiwi man. Things developed, as they do, with the couple swapping little love notes online and through text messages. Flattered at the attention and besotted with the woman, the man agreed to send NZ$2k "towards her air fare", sending it to Kuala Lumpur where she was (allegedly) staying. It was OK, she assured him, because she was due US$30k from a company her father had worked for, but he and his wife had been "killed in a car accident". The requests continued and so did his generosity, sending thousands more by Western Union for taxes, expenses and air fares to Pretoria and Ghana, mostly on his Mastercard.

The woman even wrote to his mother, saying "I love him and I will get the money to him". All lies of course, but it's easy for me to say that. I'm a cynic who has seen thousands of 419ers before. For those caught up in the drama, it's not nearly so obvious. "It was all believable" said his mum, but when he was already $10k down, the bank stopped his card and when he asked her for more money, mum said "Err, this sounds like a scam. I'm not happy about that. It just sounds ... like ... bullshit." But still she lent him the money "because that's what mothers do."

After the total crept up to around NZ$20k, the penny finally dropped when he noticed that the cellphone bill recorded calls to Ghana not South Africa. "They weren't just alarm bells. They were great big gongs!"

The passport copy she had sent him was a fake and her claimed address didn't exist, according to Google (naturally). Her 'friend' via whom he had been sending money turned out to be a known scammer using different aliases. "I thought oh-oh, I've been scammed! I've been conned ... I'm stupid. Gullible ... 10% of me, even now, thinks she still might be genuine." And that, of course, is how the scam works.

Security awareness: how not to do it

I spent a few hours at the weekend viewing/listening to a series of presentations to accompany the launch of the Information Security Awareness Forum (ISAF) in London. If you have read the previous blog item, you'll know that one item in particular caught my eye/ear. One of the presenters essentially said that security awareness doesn't work, a somewhat curious perspective to express in support of a security awareness initiative. Anyway, it's not the first time I've heard the argument and I've been mulling it over ever since. My blood having dropped just below boiling point, it's time to respond.

Today I took one of those "online security awareness" things, and came away with a whole case study on How NOT To Do security awareness. I shan't name the organization concerned because my aim is not to embarrass them in any way, and it really doesn't matter - I'm sure these lessons are equally valid for many other security awareness programs.
  1. The 'awareness program' I tried takes the form of a website and simple (first generation) Learning Management System, basically a series of web pages plus questions covering a range of information security topics. There was almost no introduction, explaining why I might want to pay attention (presumably because the only way anyone can be persuaded to do this stuff is if management cracks the big whip). There was very little latitude for the user in sequencing the topics - just start at the first and proceed one by one until you reach the end. If I had questions about password construction, for example, I had to have answered the first nine of 15 modules to get to number 10 on passwords. The only concession to usability was that I could have interrupted the flow (in between - but not during - the modules) and could return later to the saved checkpoint.

  2. The information pages appeared to have been lifted from existing materials - policies and guidelines, complete with legalese and cross references (which didn't work since there was no way to alter the delivery sequence of the awareness package, and there were no active hyperlinks). There was a lot of tedious content to read. I suspect that much of it would have gone right over the heads of many of the employees taking the course, even those diligent enough to read every tedious word. Worse still, there were inconsistencies within the text, sometimes direct and explicit contradictions - for example in one paragraph stating that limited personal use of corporate IT facilities was permitted with various caveats, and two paragraphs further on stating that corporate IT facilities were only to be used for legitimate organizational purposes.

  3. The quiz questions were mostly idiotic. It is common practice to include one obvious distractor in a multiple choice question, something that is clearly wrong. However, some of the questions had 2 obvious distractors with only one remaining option. About a third of the questions showed no creativity whatever, being merely "true/false" or "yes/no" choices. In most cases, the correct answer was easily identified from the quiz alone i.e. without needing to reference the information previously presented, typically because it was the longest and most legalese answer and/or it repeated key words from the question. I had to try especially hard to answer anything wrong ...

  4. When I entered an incorrect answer, the system told me it was correct and highlighted the correct answer in bold. It gave me absolutely no further information about why my chosen answer was wrong or why the correct answer was right. There was no opportunity for me to go back to the information page to re-read and check my understanding - in fact the introduction to every module said I could not return to the information page after starting the questions. In other words, this was really a quiz not an awareness activity.

  5. At the end, the system told me "congratulations", emailed me a certificate of completion (whoop whoop! Lashings of ginger beer all round, I've got a CERTIFICATE!), and finished with "See you next year!" SEE YOU NEXT YEAR!! Oh boy, it seems this is a once-a-year process. I will have trouble remembering all that content tomorrow. I will probably forget chunks of it and important details by the end of this week. Next month, I will have forgotten I even took the test and wrote this rant. What's the point of once-a-year anything? Imagine if, say, learning to drive a car was done this way! Or sex!

  6. Some of the information and questions were inaccurate, ambiguous or misleading, occasionally technically incorrect. For example, a "complex password" that fulfils the corporate minimum specifications (8 characters, mixed case with numbers) is actually WEAKER than a substantially longer password example. There are indeed "more than 97,000 viruses" but that data item is, oh, about a decade out of date. There were grammatical errors and logical errors too. I admit to still being in a particularly picky and cynical mood today but these problems should have been addressed by more careful proofreading before this was released for use. It is being used to assess tens of thousands of employees in an organization for which information security is extremely important. Couldn't they afford to pass it by a competent reviewer first?

  7. There were 15 modules. I'm a lightning quick reader and an infosec professional. It took me about 5 to 10 mins to read each module and do the quiz. That's an hour or two facing the little screen - many employees would need much longer. It was a totally humorless, soul destroying and, yes, boring exercise. Almost entirely text, with no diagrams and only a few nasty cartoon icons for company. I came away thinking "Thank , that's over for a year!". It was a distinctly negative experience, equating information security with tedium and slog. Q: What's in it for me? A: Nothing. In fact, the entire perspective was around protecting the organization's interests, not the individual user. Maybe if it had explained why installing and updating antivirus software on my home system would help protect me and my family from identity theft, then I might just have paid more attention.

  8. Some modules appear to have been updated, including a couple of mentions of a major information security breach that hit the news headlines, oh, about 2 years ago. All the impact has gone. Old news is an oxymoron. It's such a shame because the news media, IT press and infosec specialist press is full of highly relevant, topical and, dare I say it, INTERESTING news and incidents. Even better, the organization has undoubtedly suffered infosec incidents that could have made even more relevant and interesting case studies. But no.

  9. Some of the modules mention (relatively) new infosec risks, including social engineering. Great! Unfortunately, they provided no (zero, nothing at all) advice on what I ought to be doing about the social engineering and similar 'new' threats such as wireless network hacks. "X could be really nasty! It's a big issue! You're on your own kid!" is hardly the most productive awareness content. I wonder if this is partly because someone would have to create (and ideally proofread!) new content ... and if there is nobody on the payroll with the competencies and time to do it, that means going back cap-in-hand to the supplier of the "leading edge online information security awareness and training" pup they've been sold.
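Item 6 above makes a concrete technical claim: a password that satisfies the corporate minimum (8 characters, mixed case with numbers) can be weaker than a substantially longer one that the same policy would reject. The following is an added example, not material from the original post or from the awareness course it describes, that makes the comparison explicit by estimating the brute-force search space for each password from its length and character classes. The two sample passwords and the guess rate of a billion guesses per second are constructed figures, and the search-space estimate is an upper bound (dictionary words and patterns shrink it considerably).

```python
"""Keyspace comparison: an 8-character 'complex' password versus a long plain one (added example)."""
import math
import string

# Character classes and their sizes; a password's search space is alphabet ** length,
# where the alphabet is the union of the classes actually used.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),  # printable ASCII symbols plus space
}

# Constructed sample passwords for the comparison.
SHORT_COMPLEX = "Tr0ub4do"                    # 8 chars, mixed case, digits: passes the quoted policy
LONG_PLAIN = "purple elephant rowing boat"    # 27 chars, lowercase and spaces: fails the policy


def keyspace_bits(password: str) -> float:
    """log2 of the search space a brute-force attack must cover for this length and set of classes.
    Upper bound only: real passwords built from words are far more guessable than this suggests."""
    alphabet = sum(size for chars, size in CLASS_SIZES.values() if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def meets_corporate_minimum(password: str) -> bool:
    """The minimum quoted in item 6 above: at least 8 characters, mixed case, with numbers."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def brute_force_days(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case days to exhaust the search space at an assumed (constructed) guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second / 86400.0


def compare(short_pw: str = SHORT_COMPLEX, long_pw: str = LONG_PLAIN) -> dict:
    """Summarise both passwords: policy verdict, search-space bits and worst-case cracking time."""
    return {
        pw: {
            "passes_policy": meets_corporate_minimum(pw),
            "bits": round(keyspace_bits(pw), 1),
            "days_to_exhaust": brute_force_days(pw),
        }
        for pw in (short_pw, long_pw)
    }


if __name__ == "__main__":
    for pw, result in compare().items():
        print(f"{pw!r}: policy={result['passes_policy']}, "
              f"{result['bits']} bits, {result['days_to_exhaust']:.3g} days worst case")
```

The short password clears the policy yet sits at roughly 48 bits, which at the assumed guess rate is exhausted in a couple of days; the longer phrase fails the policy's mixed-case-and-digit test while sitting well above 100 bits. That is the inversion item 6 complains about: a rule written purely in terms of character classes rewards the weaker of the two.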
OK OK I'm ranting I know, but the reason is to point out that:
  • With little investment and even less thought, security awareness can be done really badly;

  • Bad security awareness is unlikely to be effective, and in fact could be counterproductive;

  • The ineffectiveness of badly designed, constructed and delivered awareness programs says nothing about the potential for well designed, well constructed and effectively delivered programs; and

  • It doesn't take a genius to figure out how to improve security awareness, especially when starting from such a low base. A 20 minute team seminar about information security would have achieved so much more than this hour or two of extreme tedium. Almost ANYTHING else would have been better!
I cannot understand why security awareness seems to be stuck in the mold of once-a-year inform-and-test (I used to call it the "sheep dip" approach to awareness, but subsequently found out that sheep are dipped more often than most employees are made to jump through the awareness hoops!). It's high time for a new approach and some fresh ideas. ISC2's Cyber Security Awareness Resource Center offers a range of freely available creative materials and ideas. Rebecca Herold's wonderful book "Managing an information security and privacy awareness and training program" is full to the brim with sound advice.

Security awareness is dead. Long live security awareness!

Monday 5 May 2008

Errors in financial accounts

A study reported in CFO Magazine identifies 'internal errors' (mistakes by employees) as the biggest cause of financial restatements, responsible for 56%. Next biggest was 'regulatory demands' at 38%. [Deliberate] 'manipulation' and 'complexity' accounted for just 3% each.

Logo fun

A new logo at the UK's Office of Government Commerce looks fine, until you turn it on its side.

This reminds me of the issue of naming products that will be sold internationally. Something totally innocent in one country may be highly inappropriate in another. I won't be too specific here but some of the model names I spotted in Japan last month would be considered offensive in some other countries.

Or, as Anton would say, "context is everything".

Sunday 4 May 2008

Information Security Awareness Forum

I've finally found some time this Sunday afternoon to take a look at what's been going on in the UK with the new Information Security Awareness Forum (ISAF). While my passion for security awareness is undented, it's hard to support the ISAF as currently constituted.

My first thought was to browse their website ... except that today it is unavailable. Perhaps not the best advertisement for a security awareness initiative!

Luckily the ISAF launch at InfoSecurity last month was recorded and the presentations are still online.

According to David King, Chairman of the ISAF, the ISAF is focused on raising security awareness in the UK by coordinating existing security awareness activities. He told us, more than once, that 'not reinventing the wheel' is a key ISAF goal but curiously enough, the ISAF is essentially UK-only, so presumably he thinks nobody else in the world faces the same challenges. Further he implied that the ISAF will not create anything new, presumably just repackaging materials "donated" by their sponsors. He was also decidedly ambiguous about the ISAF's target audiences: is it large (British) businesses, (British) SMEs, (Her Majesty's) government and the public sector, the general (British) public, all of the above, or something else? Being delivery focused with minimal red tape, relying on trust and mutual support by ISAF "members" [sponsors] is a laudable goal, but is this realistic?

On the whole, speakers from the organizations sponsoring ISAF seemed to agree that security awareness is important although paradoxically Louis Gamon from ISSA pointed out the common perception that security awareness doesn't work (Louis: awareness done badly is more or less bound to fail but that doesn't mean it is worthless, just that it needs to be done better. Please don't throw out the baby with the bathwater).

The sponsors evidently have different perspectives and objectives for ISAF but there was general consensus on the threats (primarily phrased in terms of Internet security threats such as phishing, "organized crime" and so forth - the sort of stuff that ISO/IEC 27032 will tackle) and the need to 'educate the general public' (and perhaps SMEs) about information security appears to be a common goal. A few ideas were presented on how to do this but apart from the presentation by ISC2's John Colley, most of the discussion emphasized how difficult this is to achieve in practice. The idea of 'Making security interesting and relevant for everyone' was widely supported but again there was little in the way of pragmatic advice on how to actually achieve that.

The presentation by Tony Neate, MD of GetSafeOnline, included recent statistics from a UK survey on perceived Internet security threats and incidents. He pointed out that the general public tend to deny responsibility for their online security. Naturally, he promoted GetSafeOnline, demonstrating a clear bias towards Internet security.

Martin Smith of The Security Company, ostensibly representing the "Security Awareness Special Interest Group" (a closed user group sponsored and controlled by ... you guessed it ... The Security Company), made a convincing case for the value of security awareness in a commercial organization, but segued directly into a full-on sales pitch for The Security Company's products. I'm more than happy to declare my own prejudice here: Martin and I are commercial competitors. However, I fear Martin has undermined not just his own company but the 'security awareness industry' (such as it is!) by letting his commercial interests overshadow the ISAF's laudable aims. I've already heard others complaining at the commercial edge to ISAF. It's sad to say but unfortunately I suspect continued involvement of The Security Company in ISAF may seal its eventual fate.

Likewise, Kevin Bocek from PGP evidently saw the ISAF presentation as an opportunity for a straight sales pitch. In Kevin's little world, it seems data encryption technology (or rather PGP's version of it), not awareness, is The Answer To Everything. All very odd since PGP is supposedly supporting the ISAF. The only mentions of awareness I spotted in his presentation were around awareness of (PGP) encryption. [Wake up Kevin, there's a whole world out there!]

According to speakers from ISACA and the CMA, IT governance (not awareness) is The Answer. Once again, why they are even involved in the ISAF is something of a conundrum.

Mark Chaplin from the Information Security Forum initially focused on Generation Y - people born after the 1980s according to Mark - and their easy familiarity with complex technologies that their parents probably do not comprehend. The presentation diverted briefly into road safety awareness by Australian kangaroos (I kid you not) before meandering back to core issues such as changing behaviours (not just making people aware) and achieving cultural change. These are important concepts, albeit buried so deep in the ISAF launch ceremony that a large part of the audience was probably semi-comatose at that point.

So, the bottom line is a rather disappointing launch and uncertain future for the ISAF. As a security awareness professional, I'm very reluctant to knock any security awareness initiative but, frankly, this was a poor show. With too many competing agendas, it's hard to see any unifying theme or predict any genuinely useful output from this initiative. If the ISAF does get it together, fabulous. If not, well I guess there's nothing lost ... except a golden opportunity.

Friday 2 May 2008

Breaches harm trust

Here's another aspect to trust, something that we covered only peripherally in the latest NoticeBored module.

After a security breach that affects third parties, guess what? The affected parties no longer hold the breached organization in such high regard. Along with reputation, trust is damaged.

Here's an example from an April 10th piece in Deseret News:

Federal officials said a former state employee who took applications from people seeking food stamps and other welfare aid worked with three others to steal the identity of Utah residents and charge tens of thousands of dollars in purchases. During a joint press conference Thursday, federal and state officials said this was the largest security breach at the Department of Workforce Services and were working to re-instate the public's trust. ... "We sincerely regret this breach of security," said DWS Executive Director Kristen Cox in a statement. "Our former employee's alleged misconduct certainly does not represent the long-standing honesty, integrity and dedication of our staff to the well being of each and every one of our customers."