Posts

Showing posts from 2014

Intranet stats - a neglected security metric

Most organizations of any size have a corporate intranet and I suspect you, dear reader, have an information or IT security website on yours. Are you tracking the page views? The count, or rather the trend in the number of page views for the security site can be an interesting, useful, perhaps even PRAGMATIC metric in its own right. Take this very blog for example. Google kindly tracks and conveniently provides the admins with page view statistics in the form of little blue graphs. Google's default stats view shows the daily page counts for the present month, something like this: Given the specialist nature of security metrics and our relatively narrow (distinguished, enlightened and very welcome!) readership, the default graph is too peaky, whereas it is a little easier to identify trends from the monthly version: Pulling further back, the aggregated annual stats follow a pretty clear pattern which we've picked out by eye in red just in case you missed it: The book had not...

Password awareness

We desperately need to get better at authenticating people if we are ever going to beat the scourge of identity theft and reverse the dreadful downward spiral that is already accruing costs in the tens of $billions annually. As a profession, we have a pretty good idea about what needs to be done, with multi-factor authentication and biometrics being high on the list ... and yet by far the majority of IT systems still depend entirely on passwords. In other words, for the foreseeable future we're stuck with 'em and hence the security issues arising. "Usernames and passwords are basically broken from a security and a usability standpoint" - Jeremy Grant. Passwords are a particularly important topic for security awareness programs since so much revolves around the way we choose and protect our passwords. Furthermore, it's essential that managers and professional specialists appreciate just how broken passwords are as a security mechanism, if we are ever going to cl...

Management awareness paper on email security metrics

Measuring the information security aspects of email and indeed other forms of person-to-person messaging implies first of all that you understand what your security arrangements are intended to achieve.  What does it mean to "secure email"?  If that's too hard to answer, turn it on its head: what might be the consequences of failing adequately to secure email? Does that help? Our next metrics discussion paper opens with a brief analysis of the 'requirements and targets', also known as the objectives, of email security, expressed in broad terms. For instance, preventing or at least reducing the issues relating to or arising from spam and malware is a common objective ... hence one might want to measure spam and email-borne malware, among other aspects.  That in turn begs questions about which specific parameters to measure and how - for instance, there are many possible ways to measure spam, such as the: Number of spam emails arriving at the organization, or rather...

NZ government agencies require security awareness

The New Zealand government published the PSR (Protective Security Requirements) this week, a well-written, readable policy manual. Publishing the manual in an online format through a content management system is commendable, not least because it is so easy to browse, search and (presumably) maintain. The custom views for 4 primary audiences (senior managers, security practitioners, employees and service providers) addressing common questions etc. are cool. The site structure/navigation, formatting/presentation and writing style are clear. More diagrams and figures would have been welcome to supplement the somewhat tedious monochrome text but I have certainly seen worse! Overall, it's a nice bit of web design. Personally, I would have preferred the PSR to have explicitly adopted the structure of ISO/IEC 27001 and 27002. Although one might argue that the ISO27k structure is arbitrary, it is at least reasonably logical and familiar around the world, making it eas...

Management awareness paper on trade secret metrics

Protecting proprietary information, especially trade secrets, is - or rather should be - a priority for almost all organizations. Trade secrets can be totally devalued if they are disclosed to or stolen by competitors, if that leads to their being exploited. The loss of competitive advantage can decimate an organization's profitability and, in the worst case, threaten its survival. Availability and integrity are also of concern for proprietary information. If the information is destroyed or lost, the organization can no longer use it. If it is damaged or corrupted, perhaps even deliberately manipulated, the organization might continue to use it but is unlikely to find it as valuable. Significant information security risks associated with proprietary information imply the need for strong, reliable information security controls, which in turn implies the need to monitor the risks and controls proactively. Being just 3 pages long, the awareness paper barely introduces a few metrics t...

Management awareness paper on authentication metrics

User identification and authentication (I&A) is a key information security control for all systems, even those that allow public access (unless the general public are supposed to be able to reconfigure the system at will!). As such, it is important to be sure that I&A is working properly, especially on business- or safety-critical systems, which in turn implies a whole bunch of things. I&A must be: Properly specified; Professionally designed; Thoroughly tested and proven; Correctly implemented and configured; Used!; Professionally managed and maintained; Routinely monitored. Strangely, monitoring is often neglected for key controls. You'd think it was obvious that someone appropriate needs to keep a very close eye on the organization's key information security controls, since (by definition) the risk of key control failure is significant ... but no, many such controls are simply implemented and left to their own devices. Personally, I believe this is a serious blin...

There's more to awareness than phishing

... at least 46 other things in fact: Apps - about integrating information security into the software development/acquisition lifecycle, and mobile apps; Bugs! - security vulnerabilities created by errors or flaws in program specification, design, coding or configuration by software development professionals and end-users; Business continuity - business impact analysis, resilience, disaster recovery and contingency; BYOD (Bring Your Own Device) - the pros and cons of allowing employees and third parties to use their personal tablets, laptops, smartphones etc. for work purposes; Change management - this module covers the intersection between change management and information security management, taking in risk management, compliance, patching, testing, configuration and version management, and more; Cloud computing - covers the information security aspects of cloud computing; Compliance and enforcement - fulfillin...

Lo-tech infosec

"Lo-tech infosec" is a brand new security awareness module to complement last month's one on hi-tech infosec. There is no shortage of material: there's always loads to say about information security, especially once you shed the IT blinkers and think beyond the mot-du-mois "cybersecurity". Our prime focus this month is on people, including social engineering, frauds and scams, human errors and mistakes. Physical security for tangible information assets merits a mention, along with governance and compliance, and - yes - the value of security awareness as a control. Even industrial relations, health-and-safety and HR practices are part of the mix, plus good ol' yuman error.

Management awareness paper on insider threat metrics

How do you measure 'insider threats' in your organization? If your answer is "We don't!", then I have to wonder how you are managing insider threats. Without suitable metrics, how do you figure out how much of a problem you might have from employees, contractors, consultants, temps and interns? How do you determine where best to spend your security budget? How do you persuade management to loosen the purse strings sufficiently to address the risks? I guess you guess! The discussion paper breaks down 'insider threat' into chunks that can be measured sensibly. The main divide falls between deliberate attacks (such as frauds by insiders) and accidents (such as mistakenly overwriting the entire production database - don't laugh, it happened to me 25 years ago and the nightmare still haunts me today!). The paper picks up on one of the most productive sources of information security metrics: the IT Help/Service Desk's problem and incident manage...

Management awareness paper on network security metrics

Measuring network security involves, first and foremost, determining what 'network security' encompasses, and how it relates to the business. Writing way back in 2007, we said that network security "comprises a range of technical and procedural controls designed to prevent, detect and/or recover from security incidents affecting the corporate data networks – incidents such as unauthorized access (hacking), worms and other malware infections, and unplanned network downtime". The context for the paper was a security awareness module exploring security arrangements protecting data networks against both deliberate and accidental threats. The paper described ways to measure network security incidents, controls, risks, compliance and governance. It ended with an upbeat conclusion and call-to-action: "Do not neglect the value of having the experts present and discuss reports with management. The dialogue that ensues adds value to the written reports. Why not present...

PCI embraces security awareness

The PCI Security Standards Council's Security Awareness Program Special Interest Group has released an 'information supplement' to PCI-DSS, suggesting an awareness approach that is remarkably similar to ours. Best Practices for Implementing a Security Awareness Program is a well-written guide elaborating on four key ideas: 1) Security awareness is a vital tool supporting the business. "It is therefore vital that organizations have a security awareness program in place to ensure employees are aware of the importance of protecting sensitive information, what they should do to handle information securely, and the risks of mishandling information." [We go further in emphasizing the business value of information security, for example giving management confidence that information assets will be sufficiently well protected when exploring new business opportunities.] 2) Security awareness is best delivered on a continual basis, all-year-round. "Security awareness...

Management awareness paper on malware metrics

Malware - malicious software - encompasses a variety of computer viruses, Trojans, network worms, bots and other nasties. Malware has been the scourge of IT users ever since the Morris worm infected the early Internet way back in 1988. Despite the enormous global investment over the intervening years in information security controls against malware (including security awareness!), it remains a significant security concern today. Although antivirus software companies sometimes admit that they are fighting a losing battle, malware is generating so much income both for the VXers (malware authors) and their criminal masterminds, plus the antivirus software companies, that the arms race looks set to continue for the foreseeable future. Both sides are constantly investing in new tricks and techniques, fuelling a thriving black market in zero-day exploits and novel malware. Meanwhile, the rest of us are lumbered with paying for it in one way or another...

Management awareness paper on database security metrics

The next security awareness paper suggests to management a whole bunch of metrics that might be used to measure the security of the organization's database systems. Most information-packed application systems are built around databases, making database security a significant concern for the corporation. We're talking about the crown jewels, the bet-the-farm databases containing customer, product and process information, emails, contracts, trade secrets, personal data and so much more. Despite the importance of database security, we don't know of any organization systematically measuring it ... although we do know of many that struggle to keep on top of database security design, development, testing, patching, administration and maintenance! So how exactly are management supposed to manage database security without database security measures? Extra sensory perception, perhaps, or gut-feel? Either way, it's hardly what one might call scientific management!

New hi-tech risks awareness module

In the 11 years that we’ve been providing the awareness service, it has grown substantially in both breadth and depth. We’ve covered risk management as a discrete topic a few times before, while information risk is the foundation for information security and hence virtually all the security awareness modules. This month, however, the latest addition to our bulging portfolio of security awareness topics concerns the central yellow area of the scope diagram shown here. A large proportion of information these days is communicated, processed and stored using IT systems and networks. There are numerous risks associated with IT which are central to this awareness module. However, it makes little sense to discuss IT or tech risks in isolation since it is the possible adverse consequences on the business that determine whether or not they are a genuine concern. If there were no impacts, the risks to the organization would be negligible. “Hi-tech risks”, t...

Management awareness paper on IPR metrics

When we get a spare moment over forthcoming months, we plan to release a series of awareness papers describing metrics for a wide variety of information security topics through the SecurityMetametrics website. The first paper, dating back to 2007, proposes a suite of information security management metrics relating specifically to the measurement of Intellectual Property Rights (IPR). Managing and ideally optimizing IPR-related controls (namely the activities needed to reduce the chances of being prosecuted by third parties for failing to comply with their copyright, patents, trademarks etc. plus those necessary to protect the organization's own IPR from abuse by others) requires management to monitor and measure them and so get a sense of the gap between present and required levels of control, apply corrective actions where necessary and improve performance going forward. These metrics papers were written for managers. Their primary purpose is to raise awareness of the...

To eat a chocolate elephant, take small bites

Instead of, or rather as part of, fostering a corporate security culture (a grand but nebulous objective), identify specific aspects or elements of the culture that most need to change and work on those more constrained issues. For clues about which aspects need addressing first, speak to your IT auditors and check the security incident reports and security metrics. For example, if the organization has a longstanding, seemingly intractable problem with noncompliance in the security domain, focus on compliance awareness. Get some traction on that, measure the improving awareness levels, and move on to the next topic. You can get as detailed and specific as you like in your planning. Is the noncompliance problem mostly about legal and regulatory obligations, or policy compliance, or contractual compliance, or something else? Is it all about privacy, or are there other compliance concerns such as governance and intellectual property rights? Which parts ...