Showing posts from October, 2012

Raising awareness of trust and ethics

Trust and ethics are hardly ordinary, run-of-the-mill security awareness topics ... but then ours is no ordinary, run-of-the-mill security awareness product! We thrive on finding creative angles and/or unusual information security subjects to stave off the boredom that comes from covering the same old same old. Ethics support many other controls, reinforcing various security-related procedures, while trust raises all sorts of potential issues and yet is a routine, often subliminal part of daily life. As well as being intensely personal matters, trust and ethics are also relevant at the organizational level. For instance, customers' trust and belief in the qualities they associate with various brands are what give those brands such commercial value. Anything that threatens to discredit or devalue the brand - such as the dramatic loss of trust that a serious privacy incident can cause - qualifies as a significant information security and business risk.

SMotW #30: access control matrix status

Security Metric of the Week #30: status of logical access control matrices for computer applications

The idea behind this metric was to ask application development and support teams, application owners and/or other suitable people to assess the status of the logical access control matrices for a range of application systems, perhaps comparing and ranking them. Right up-front, we're making the bold assumption that they understand the term "access control matrix". In practice we might need to explain it and help them work out the basis on which to judge how good or bad each one is.

In the hypothetical Acme Inc context, the PRAGMATIC score for this metric works out at 50%:

P   R   A   G   M   A   T   I   C   Score
70  50  60  60  88  25  40  20  40  50%

Although the access control matrix status is a reasonable Predictor of the quality of an application's access control, that is only one co...

Boarding pass barcodes vulnerable?

I am not familiar with the Pre-Check system but, according to my reading of a news piece by the BBC, passengers at US airports who have paid to be "Pre-Checked" by the authorities and successfully completed the background check/pre-clearance process normally get express passage past some of the US airport security checks that the rest of us must negotiate. Apparently "Pre-Check" passengers are identified by the final bits of the bar codes on their boarding passes. The barcodes are apparently unencrypted and can be read with a suitable smartphone barcode scanner app. Although the article doesn't spell it out, it is conceivable that naughty travelers could tamper with or replace [the bar codes on] their boarding passes in order to skip the checks, even if they aren't actually Pre-Checked. They are still subject to random checks, though. It is also conceivable that naughty passengers could meddle with other info on the boarding passes, such as the flight...

SMotW #29: controls coverage

Security Metric of the Week #29: security controls coverage

This metric was inspired by one originally suggested by Andrew Jaquith and discussed by Scott Berinato:

Baseline Defenses Coverage (Antivirus, Antispyware, Firewall, and so on): This is a measurement of how well you are protecting your enterprise against the most basic information security threats. Your coverage of devices by these security tools should be in the range of 94 percent to 98 percent. Less than 90 percent coverage may be cause for concern.

Whereas Jaquith's metric involves simply determining the proportion of IT systems that are running security software, we had in mind a more sophisticated metric that takes into account a wider range of security controls - perhaps a comprehensive review or audit of information security controls in use across the enterprise against a standard such as COBIT, ISO/IEC 27002 or the Information Security Forum's Standard of Good Practice. Although we feel it would be quite...

SMotW #28: Benford's law

Security Metric of the Week #28: Benford's law

Benford's law is a fascinating theorem in number theory with applications in information security, accountancy, engineering, computer audit and other fields. Benford's law predicts the distribution of leading digits of the numbers in numeric data sets generated in an unbiased and unconstrained fashion. In short, roughly a third of such multi-digit numbers start with a 1, whereas only one twentieth start with a 9. If someone (such as a fraudster) or something (such as a rogue or buggy computer application) has been manipulating or fabricating data, the numbers tend not to have leading digits with the predicted frequencies. Turning that on its head, if we compare the actual against predicted distributions of leading digits in a data set, significant discrepancies probably indicate something strange, and possibly something untoward going on: we would have to dig deeper to determine the real cause. The PRAGMA...

SMotW #27: unauthorized/invalid access count

Security Metric of the Week #27: number of times that assets were accessed without authentication or validation

This candidate metric immediately begs questions such as would you know:

When assets are accessed? Certain accesses to some IT systems, databases, applications, data files etc. may well be monitored and logged routinely, but probably not all of them, and certainly not when it comes to non-IT information assets such as paperwork and intangible knowledge.

Who or what was accessing them? If someone is able to access assets indirectly through a separate computer system, network connection or third party, how would you know this was taking place? What if the access was entirely automated, e.g. a scheduled backup process: does that count as an access event?

Whether the access attempts were successful or unsuccessful? The metric is ambiguous on whether it counts access attempts and/or access events.

Whether they were 'authenticated'? Often, people a...

PRAGMATIC Security Metric of the Quarter #2

PRAGMATIC Security Metric of the Second Quarter

It has been a good quarter in the sense that several of the example metrics we have discussed have scored substantially higher than our first Security Metric of the Quarter, Discrepancies between physical location and logical access location. With the highest PRAGMATIC score of all the metrics we have reviewed in the past three months, we are proud to announce that our second Security Metric of the Quarter is ... <cue annoying drum roll to cover embarrassing pause while we fumble with the envelope> ... Business Continuity Management maturity! Congratulations, please walk elegantly to the stage to receive your glittering prize from our scantily-clad presenter and her vaguely amusing side-kick.

Aside from BCM maturity, the HR security maturity metric came a very close second, achieving almost exactly the same score. They are both 'maturity metrics', of co...