Posts

Showing posts from February, 2013

Security awareness: it's easy, right?

Anyone can 'do' security awareness. It's easy, right? Tell staff to choose strong passwords, avoid dodgy websites, and comply with policies and procedures, and the job's a good 'un. Bish bash bosh, is it time to go home already? OK, smarty-pants: try writing something meaningful and worthwhile about information security for a non-technical audience, people who 'have things to do' or 'have a life', don't particularly care about information security, have limited attention spans and negligible vocabularies. For a genuine challenge, limit yourself to the "ten hundred" most common English words. If you can say what has to be said without it coming across as a condescending finger-wagging lecture to a six-year-old, congratulations, that's one hurdle cleared. For bonus marks, make it engaging, action-oriented or motivational in style, sufficient to persuade your audience not just to nod sagely as if they actually give a toss, but to...

SMotW #46: IT capacity and performance metric

Security Metric of the Week #46: measuring IT capacity and performance. The capacity and performance of IT services, functions, systems, networks, applications, processes, people etc. are generally measured using a raft of distinct metrics addressing separate pieces of the puzzle. Collectively, these indicate how 'close to the red line' IT is running. Conceivably the individual metrics could be combined mechanistically to generate a single summary metric or indicator giving an overall big-picture view of IT capacity and performance ... but more likely in practice is a dashboard-type display with multiple gauges showing important metrics in one view, allowing the viewer to identify which aspects of IT performance and capacity are or are not causing concern, and perhaps dig down for still more details on specific gauges. Glossing over the question of precisely what is shown on IT's capacity and performance dashboard, let's see how ACME Enterprises scored the metri...

SMotW #45: extent of security testing

Security Metric of the Week #45: extent to which information security is incorporated in software QA. Well-managed IT development projects incorporate information security at all applicable stages of the systems lifecycle, from initial outline specification and business case, through design, development, testing and release, on through operational use, management and maintenance of the system, right through to its retirement/replacement at the end of its life. It would be possible to measure that in order to generate some sort of security index for all systems, using the index to drive up security integration and quality, but doing so would be a tall order for most organizations. Perhaps we should talk about that another time. This week's example security metric is far simpler with a much tighter scope, measuring information security activities only during the "software Quality Assurance" (testing) phases of a development. The "extent to which information security...

One louder

Here's a little lesson on metrics, courtesy of rock-gods Spinal Tap:  This is the top to a, you know, what we use on stage but it's very, very special because, if you can see ...  Yeh  ... the numbers all go to eleven.  Look, right across the board, eleven, eleven, eleven and ...   Oh, I see.  And most amps go up to ten?   Exactly.   Does that mean it's louder?  Is it any louder?   Well, it's one louder, isn't it?  It's not ten.  You see, most blokes, you know, will be playing at ten.  You're on ten here, all the way up, all the way up, all the way up, you're on ten on your guitar.  Where can you go from there?  Where?   I don't know.  Nowhere.  Exactly.  What we do is, if we need that extra push over the cliff, you know what we do?   Put it up to eleven.   Eleven.  Exactly.  One louder.   Why don't you just make ten louder and make ten be the top number and make that ...

SMotW #44: system change correlation

Security Metric of the Week #44: Correlation between system/configuration logs and authorized change requests. In theory, changes to controlled IT systems (other than data changes made by legitimate, authorized users through their applications) should only be made under the authority of and in accordance with approved change requests. In practice, other changes typically occur for various reasons such as ad hoc system administration (usually involving relatively "minor" changes that may not require separate authorization) and changes made for nefarious purposes (such as hacks and malware). Furthermore, authorized changes aren't always made (e.g. they are delayed, overtaken by events, or neglected). This metric involves someone somehow linking actual with authorized changes. The metric's PRAGMATIC ratings and overall score are quite good apart from the final three criteria: P R A G M A T I C Score 87 80 ...

Pssst: wanna security awareness job, Pluto?

While researching competitive intelligence today, I came across Glassdoor.com, a site that lets employees share their opinions of their employers. It is evidently yet another jobs site that aggregates vacancy notices from various sources (for a hefty fee to its advertisers, no doubt). Purely out of curiosity, I checked the current listings for security awareness jobs and found a tidy stack of vacancies including one at Disney's IT function and another at a US defense contractor. I didn't notice their salaries, but I suspect both are offering many times what it would cost them to subscribe to an awareness service such as ours. They all seem to want people to prepare their awareness materials from scratch, implying that they each consider themselves "special". And they are asking for qualified, experienced infosec pros with technical writing skills. [Just glance at the average corporate security procedure or guideline to see how rare that particu...

PRAGMATIC policy metrics

PRAGMATIC information security policy metrics. First, to set the context for this piece, let me be explicit about four important presumptions: "Policy" means a clear statement of management intent or direction or control - a written set of high-level requirements or constraints over what employees should and should not do under certain circumstances, considered and laid out by management, and formally mandated on everyone in the organization. Management is more than merely 'concerned' to achieve compliance with the corporate policies: they have implemented a suite of compliance-related processes and activities with the goal of achieving a high level of - though not necessarily total - compliance (e.g. there is a formalized way of identifying and handling policy exceptions and, where appropriate, granting exemptions). Employees are aware of their obligations under various policies. They have ready access to the policies, and they are actively encouraged to read them...

DOGMATIC metrics

DOGMATIC information security metrics. Whereas most of us in the profession see business advantages in having reliable, accurate, truthful data about information security, metrics are occasionally used for less beneficial and ethical purposes. There are situations in which information is deliberately used to mislead the recipient, for example where the reporting party wishes to conceal or divert attention from information security issues in their remit. We have seen this most obviously in the context of regular performance reporting by service providers to their customers against SLAs (Service Level Agreements) and contractual requirements. IT outsourcers or IT departments typically report "uptime", a metric that sounds straightforward enough at face value but turns out to be something of a minefield for the unwary. Imagine, for instance, that I, an IT Operations manager for an IT outsourcer, report to you, the relationship manager for my client, that we have achieved our...

Think, decide, act

"Users must not make the mistake of thinking that this number-heavy approach is somehow going to make decisions for them – the method is just a heuristic tool to help people think about the issues, decide on solutions and act on their decisions." Well said Dave! That statement came at the end of a piece advising businesses to develop matrices showing the knowledge and skills of employees in order to identify single points of failure and gaps, for business continuity purposes. I'm not entirely convinced that Dave's suggested approach is materially better than management and/or HR simply scratching their heads and working out who the organization would miss the most if they fell under a proverbial bus. On the other hand, 'completing a self-assessment questionnaire/skills matrix by the end of next month' might be a convenient lever to ensure that some analysis is in fact done rather than being continually back-burnered. ...

Hardware hacking in the wild

Another excellent blog piece by Brian Krebs concerns a custom-made hardware skimmer module installed in Point Of Sale card-readers at an unnamed major US retailer. The neat little module skims the card data and captures the PIN from the PIN pad, encrypts them, and transmits them to the criminals either via Bluetooth or over the cellphone networks. Those behind the scam evidently had the resources to get the module designed, manufactured, programmed and installed in card-readers, and presumably captured the stolen information using Bluetooth in or near the stores concerned in this case. They would also have needed the wherewithal to use the stolen information to drain their victims' bank accounts and launder the proceeds. Commercial card-readers employ various anti-tamper and tamper-evident controls to prevent this kind of modification going unnoticed, but unless these (a) work as intended, and (b) are actually checked regularly, the criminals have a window of opportunity i...

SMotW #43: VaR Value at Risk

Security Metric of the Week #43: VaR (Value at Risk). VaR is one of several metrics used to measure the financial aspects of information security. VaR is normally used in investment management, for insurance purposes, and to determine the appropriate levels of contingency cash reserves needed by banks etc., but it can be applied to measure other kinds of risk. In the financial world, VaR is the calculated value of a portfolio of financial assets (e.g. stocks and shares) at which there is a stated probability of loss within a defined period, assuming normal trading. For example, a 5% daily VaR of $1m means the value of the portfolio is predicted to fall by more than $1m on one day out of twenty, on average. Management of ACME Enterprises Inc calculates the PRAGMATIC score for VaR at just 38%: P 70 | R 65 | A 20 | G 30 | M 35 | A 40 | T 30 | I 30 | C 22 | Score 38%. Although VaR appears to be quite Predictive and R...