Posts

Showing posts from 2013

Protecting knowledge - a novel security awareness topic

January's security awareness topic is 'protecting knowledge'. By 'knowledge' we mean intangible forms of information such as ideas, concepts, thoughts, expertise, experience, perception, understanding and so forth, distributed throughout the organization in the brains of employees and other workers such as contractors and consultants.  Along with various other intangible forms of information, knowledge constitutes an extremely valuable category of corporate asset. Think about the creative designs and inventions that may one day become profitable new products and efficient production processes: they all start as concepts, thoughts and ideas in workers’ heads. The gems that we call “skills” and “expertise”, plus the education and work experience so proudly listed on our résumés, are enormously important factors when recruiting or promoting employees, while consultants make a business by selling their intellectual capacity and wisdom. If you accept that valuable ass...

SMotW #85: controls consistency

Security Metric of the Week #85: consistency of information security controls This metric implies that someone is concerned about security controls being inconsistent, but what does that mean - inconsistent in what regard? Possible types of inconsistencies include: Controls do not sufficiently mitigate the risks, address the wrong risks, or are in some way inappropriately designed/specified; Expected or standardized controls (e.g. controls mandated in law) not implemented in all relevant places; Controls not implemented to the same degree or extent, or in the same way, in all relevant places; Controls that vary over time (e.g. security procedures ignored in busy periods); Controls not operated or managed in the same way in all relevant places; Others. ACME's senior managers did not rate this metric highly, being concerned about its Accuracy, Timeliness, Independence/integrity and Cost-effectiveness: PRAGMATIC Sc...

Security culture in 3 simple steps (NOT)

In "What are the building blocks of security culture?", Kai Roer recommended the following "three vital parts / prerequisites needed for creating and maintaining good security culture": Security technologies. Kai tells us that "In order to create security culture, you need security technology. This includes all the basics like firewalls, antivirus, VPNs, access management and so forth." Policies and regulations. "These are all the rules you put in place - either by writing them down or by sharing them orally - to set up the boundaries of acceptable actions your users can and should perform. One thing to keep in mind is that policies are worthless if they come without incentives. If there is no defined and explained reason to adhere to the rule, the possibility that people won’t do it is great. Also, the policies should be clear and make sense to everyone that has to follow them." Competence. "We all have a large amount of policies w...

Risk Management 2.0 stillborn

An article from Wharton "Re-thinking risk management: why the mindset matters more than the model" is a rambling essay about financial risk management, mostly. There is a strong undercurrent that the global financial crisis/recession of recent years was created by flaws in risk management practices at the banks and other financial institutions, in other words the infamous sub-prime mortgage fiasco and systemic issues with the financial industry relating to the highly-leveraged and extremely risky financial instruments that were all the rage. "Knowing the historic risk profile, we made investment decisions. But historic data does not shape the future anymore, given how rapidly the world is changing. We usually look at the known issues and make a nice diagram with probability on one axis and impact on the other. That’s Risk Management 1.0. Risk Management 2.0 is [going] beyond the known issues to look at the links and interdependencies. You can no longer look at the ri...

SMotW #84: % of security-certified systems

Security Metric of the Week #84: proportion of IT systems whose security has been certified compliant Large organizations face the thorny problem of managing their information security consistently across the entire population of business units, locations, networks, systems etc. Achieving consistency of risk analysis and treatment is tricky for all sorts of reasons in practice: diverse and geographically dispersed business units, unique security challenges, cultural differences, political issues, cost and benefit issues, differing rates of change, and more. Three common approaches are to: Devolve security responsibilities as much as possible, basically leaving the distributed business units and teams to their own devices (which implies widespread distrust of each other's security arrangements between different parts of the organization); Centralize security as much as possible, possibly to the extent that remote security teams are mere puppets, with all the heavy liftin...

SMotW #83: information asset values

Security Metric of the Week #83: total value of information assets owned by each Information Asset Owner This week's metric presumes two key things. First, it presumes that the organization has Information Asset Owners (IAOs). While the terms vary, IAOs are generally the people who are expected to protect and exploit the information assets in their remit or nominally assigned to them, both the organization's own information assets and those placed in its care by other organizations or individuals (its clients and employees for instance). Someone senior such as the Human Resources Director would typically be the IAO for the HR system, while lesser databases, systems and paperbases might be allotted to mid-level managers. By holding IAOs personally accountable for valuable information, management puts them under pressure to assess and treat the associated risks sensibly, and ideally to enhance the value of the assets by using them well. Second, the metric presumes that ther...

Asking wise questions

"You can tell whether a man is clever by his answers. You can tell whether a man is wise by his questions." Naguib Mahfouz Posing good questions is one of the things that research scientists learn to appreciate early on: scoping and framing an issue in such a way that the questions which arise can actually be answered through feasible research is important, but there's more to it than that. Although narrowly-focused, specific questions tend to be easier to answer, the answers are usually just as narrow and specific. Whereas broader, deeper, bolder questions relating to bigger concerns are much harder to deal with and answer, they can generate greater insight. "How many spam emails were wrongly classified by the anti-spam software as ham last month?" is an example of a narrowly-scoped information security question, relatively straightforward to answer ... but of little real consequence to the business. The number that is generated by this metric - the measurement...