[Cynicism: high] We have just delivered June's security awareness module to subscribers, covering portable ICT, BYOD (Bake|Bury|Bash|Bring Your Own Device|Disaster|Dog), mobile and home working, and various associated matters. One of those 'associated matters' concerns the social changes that are going on around us, thanks in large measure to the freedom that comes from workers no longer being leashed to the office like so many dogs.  I've been pondering this issue for quite a while now, sitting here in my modest home office looking out over the beautiful New Zealand countryside.   When I think back to the days when I commuted to the city every day to sit in a series of dreary offices and stuffy meeting rooms, looking forward to a chance to escape to a nearby cafe or go for a lunchtime walk in the local park, I wonder how I put up with it - those seemingly endless wasted hours of traffic jams and pointless committees and (in some cases) ignorant, pig-headed bosses tryin...

I mentioned the  Hannover Research/Tripwire  CISO Pulse/Insight Survey   recently  on the blog .  Now it's time to take a closer look at the 11 security metrics noted in section 5 of the report.   The report doesn't explain the origin of these 11 metrics.  How and why were they singled-out for the study, from a vast population of possible security metrics?  To be precise, it doesn't actually say that survey respondents were presented with this specific choice of 11 metrics, nor how many were on the list, leaving us guessing about the survey methods. Furthermore, the report neglects to explain what the succinctly-named metrics really mean.  If survey respondents were given the same limited information, I guess they each made their own interpretations of the metrics and/or picked the ones that looked vaguely similar to metrics they liked or disliked.   Anyway, for the purposes of this blog, I'll make an educated guess at what the metrics m...

Security Metric of the Week #59: total liability value of residual/untreated information security risks This sounds like a metric for the CFO: tot-up and report all the downside potential losses if untreated or residual information security risks were to materialize.  Easy peasy, right? Err, not so quick, kimo sabe. In order to report risk-related liabilities in dollar terms, we would presumably have to multiply the impacts of information security incidents with the probabilities of their occurrence.  However, both parameters can only be roughly estimated, hence the metric is subjective and error-prone which naturally cuts down on its A ccuracy  rating.  The skills and effort needed to calculate the liabilities, especially with the care needed to address that subjectivity, makes this a relatively  C ostly security metric too, although arguably there are substantial benefits in doing the analysis, aside from the metric.   The A ctionability  rating...

"Building a culture of security within the organization as well as compliance with regulations, standards, and policies are the most important security capabilities for executives and non-executives: the surveyed information security managers were most likely to give these capabilities the highest overall importance ranking." So says Hannover Research's CISO Pulse Survey aka CISO Insight Survey *, a small-scale study on behalf of Tripwire.  Whether you consider the 100 or so mostly North American respondents a valid sample of the population is your decision, but let's just say that their conclusions are "unsurprising". Unfortunately the report does not explain what 'building a culture of security' actually involves .  It's a shame that the security culture is so often mentioned glibly in such vacuous, throwaway statements.  The concept may gets heads nodding sagely but, in my experience with a few exceptions, information security professionals, m...

A information security metrics piece in our local newspaper caught my recently. To be honest, it didn't actually use the word "metric" as such, nor "information security" for that matter, but that's what it was. Like many others, the train company in Wellington NZ has a problem with fare dodgers. Some bright spark in their internal audit team, I guess, realized that comparing the number of people who use individual trains with the number of tickets sold would give them a huge clue about which trains and stations should be at the top of the ticket inspectors' hit list. Counting passengers would be a tedious and error-prone job for a person, but an infra-red beam across the carriage doors would do nicely - particularly as the hardware may well already be installed as part of the door control and safety system. The automated count will inevitably have errors ( e.g. passengers who alight at the wrong stations then rejoin the same train), but provided the co...

What's the betting that this is a scam? The gaudy pink box on this screengrab shows the reply-to address is using gmail, not Redcross.org as in the (presumably spoofed) email sender's details.  If this was a legitimate request for funds from the Red Cross (or is it Organizing for Action?), why wouldn't they use their own corporate email address?  My guess is that the 'instructions' that will evidently be given to you if you reply to the message will (a) be malware infected and/or (b) be phishing for credentials or seeking advance fees.  I, for one, am not about to find out. The only surprising thing about this incident is that I am still surprised that scumbag scammers are yet again picking up on a tragic news story as a lure for gullible victims.  They've done it many times before, and no doubt will do it again.   [If by some miracle I am wildly mistaken, and this is in fact a genuine begging email from the Red Cross, or indeed Organizing for Action, we need to...

Security Metric of the Week #58: rate of change of emergency change requests The premise for this week's candidate security metric is that organizations with a firm grip on changes to their ICT systems, applications, infrastructure, business processes, relationships etc . are more likely to be secure than those that frequently find the need for unplanned - and probably incompletely specified, developed, tested and/or documented - emergency changes.   Emergency change  requests are those that get forced through the normal change  review, approval and implementation steps to satisfy some urgent change  requirement, short-cutting or even totally bypassing some of the steps in the conventional change management process.  Often the paperwork and management authorization  is done retroactively for the most desperate of emergency changes.   Being naturally pragmatic, we appreciate that some emergency changes will almost inevitably be required even in a h...

Security Metric of the Week #57: Proportion of information assets correctly classified Patently, this metric relates to the classification of information, an important form of control.   The assumption underlying classification is that the majority of an organization's information is neither critical nor sensitive.  It is therefore wasteful to secure all the information to the extent that is appropriate for the small amount that is highly critical or sensitive.   Likewise, the basic or baseline controls that are appropriate for most information are unlikely to be sufficient for the more critical or sensitive stuff. The classification process can be as simple or as complicated as you like, according to the number of classes.   Taken to extremes: A single classification level such as "Corporate Classified" could be defined in which case everything would end up being protected to the same extent.    More likely, certain important items of information woul...

Security Metric of the Week #56: embarrassment factor This naive metric involves counting the privacy breaches and other information security incidents that become public knowledge and so embarrasses management and/or the organization.  The time period corresponds to the reporting frequency - for example it might be calculated and reported as a rolling count every 3-12 months, depending on the normal rate of embarrassing incidents.   In bureaucratic or highly formalized organizations, it would be a challenge even to define what constitutes 'embarrassing', although most of us can figure it out for ourselves without getting too anal about it. The metric's purpose, of course, is to reduce the number of embarrassing breaches/incidents that occur, which may involve reducing the rate of breaches/incidents and/or reducing the extent to which they are embarrassing.    With that end in mind, the precise definition of 'embarrassing' doesn't actually matter much, just so l...

The latest  Information Security Breaches Survey is required reading if you care about information security risks.  The survey, commissioned from PwC by the British Government's Department for Business, Innovation and Skills, takes place every couple of years or so. The statistics are useful ... provided you take the trouble to think carefully about what you are being told. Take for instance the following graphs and the associated commentary on page 6 of the technical report: "Having a security policy is just the start; to prevent breaches, senior management need to lead by example and ensure staff understand the policy and change their behaviour.  Less than a quarter of respondents with a security policy believe their staff have a very good understanding of it; 34% say the level of understanding is poor.  There's a clear payback from investing in staff training.  93% of companies where the security policy was poorly understood had staff-related breaches versus...