Showing posts from February, 2014

Malawareness, InfoSec 101 and security culture

We've spent an unusually busy February updating two key awareness modules. The awareness module for March covers malware, including bank Trojans, ransomware, APTs, worms and more. We update the malware module annually, and it needs it: malware is a constantly evolving beast, so standing still implies falling back. In the same vein, the module looks forward at how the malware risks are likely to change in the years ahead, prompting a serious discussion with management about strategic options. In our considered opinion, having researched the topic in some depth for the module, malware risks that are already serious are getting even worse. The trajectory is clear, with significant implications for the way organizations treat the risks. The Information Security 101 module has been thoroughly refreshed and updated for use in new employee security orientation sessions, and in launching security awareness programs. Along with many other changes, we've introduced a checklist format ...

Contextually relevant information security metrics

In "Business Analytics - An Introduction", Evan Stubbs describes "value architecture" in these terms: "Results need to be measurable, they need to be contextually relevant, they need to link into a strategic vision, and their successful completion needs to be demonstrable". Breaking that down, I find that there are really only two key factors. If results are measurable, that implies to me that they can be demonstrated. Also, it's hard to see how results that are 'contextually relevant' might not 'link into a strategic vision' since that is the context, or at least a major part of it. So, in short, results need to be both relevant and measurable. Of those two aspects, measurability is the easier. Read "How to Measure Anything" by Douglas Hubbard! Evan also talks about objectivity, and he is writing in the context of big data analytics, meaning the difficult problem of extracting useful meaning from huge and dynamic volumes ...

Holistic security metrics

Yet again today I find my blood pressure rising as I read yet another incredibly biased pronouncement on security metrics from security vendors: "Do you know what security metrics are right for your organization? For a holistic view, both network and host metrics are required, including firewalls, routers, load balancers, and hosts." To claim that having network and host security metrics qualifies as holistic almost beggars belief, for any thinking person's definition of the term, but I'm afraid it's typical of the incredibly myopic purely technical perspective on security metrics, continually reiterated for blatantly obvious marketing reasons by the purveyors of ... IT security products. Being sick and tired of explaining that IT security is a dead end off the main information security highway, I'll merely suggest a few non-technical security metrics that might get us a tiny bit closer towards a truly holistic view: Information security ascendancy - a measu...

Security culture: what it is and how to do it

In the previous blog, I promised to expand on security culture, so here goes ... Most traditional security awareness programs are designed around circulating or broadcasting security messages throughout the organization. The focus is on the communications, mostly outbound from the security function to others. Our style of awareness program, however, emphasizes bidirectional communications between Information Security and The Business. Why? What's the point? The point is that we're exploiting the socialization of security to drive cultural change. Establishing a strong social network of security friends and supporters throughout the organization takes commitment and sustained effort on the part of the entire Information Security function but promises a huge payback over the medium to long-term. An actively engaged and supportive corporate social network will keep the awareness program, and in fact the information security program as a whole, business-aligned and relevant to cu...

Our unique collaborative approach to culture

We've just about finished updating the website, again, this time rationalizing the textual description of our security awareness service using the simple process diagram above. They say a picture is worth a thousand words - fair enough, but to do it justice we had to cheat a bit by splitting the process into three sections: Our part in the process outlines what we do behind the scenes every month, researching, preparing, polishing and packaging the next security awareness module, basically providing the materials and impetus to set you up for your part; Your part in the process: downloading, unpacking, reviewing, customizing and deploying the awareness materials, which includes liaising with your professional colleagues to mold the program according to the organization's specific needs; What we achieve together: this is the vital bit! Here the unique features of our service come together through our joint efforts to influence the corporate culture, improve information securi...

PRAGMATIC Security Metric of the Quarter #7

PRAGMATIC Information Security Metric of the Seventh Quarter

According to the overall PRAGMATIC scores assigned by ACME's managers, the latest metric discussed was the top choice in the three months just past, but it was a close-run thing:

Example metric                                        P   R   A   G   M   A   T   I   C   Score
Information security incident management maturity    90  95  70  80  90  85  90  85  90   86%
Information security ascendancy                      97  87  15  94  86  90  99  97  99   85%
Quality of system security                           83  88  83  73  90  68  80  82  10   73%
Integrity of the information asset inventory         82  66  83  78  80  43  50  66  70   69%
Proportion of systems security-certified             72  79  73  89  68  32  22  89  88   68%
Number of different controls                         71  75  72  75  88  30  50  65  43   63%
Controls consistency                                 78  83  67  60  71  33  27  31  27   53%
Value of information assets owned by each Information Asset O...

Welcome! Sign here, here, here .... and here

Information security should be an integral part of every employee’s time with the organization, from their first day to their last. Most organizations put newcomers through some sort of ‘welcome aboard’ rite-of-passage not long after they join, although the details vary markedly. For some it is a full immersion course lasting one or more agonizing days, for others it’s little more than a quick chat with someone from HR and off you jolly well go. Neither approach is ideal for everyone because we are all different, but it seems tailoring orientation sessions to suit the newcomers is beyond the capabilities of man. The fundamental purpose of induction or orientation training is to bring new employees quickly up to a basic level of understanding regarding their new work environment. With respect to information security, the accepted wisdom in many organizations is that new recruits must be informed in particular about their information security oblig...

From the jaws of disaster

"Waking Shark II", the UK financial services industry's latest "Desktop Cyber Exercise" (incident management/business continuity desktop walkthrough), successfully got all the main participants together in London to act out a coordinated response to a credible attack scenario. The simulated three-day incident was compressed into a few hours, presumably using an accelerated clock - an interesting application of a technique more commonly used in product testing. Among the reported findings and recommendations, I'm a bit surprised to see the suggestion that "In future exercises it may be beneficial to provide firms with more scenario detail in advance of the exercise and possibly allow part of the exercise to be played out internally before convening in an exercise to respond as a sector." Surely a key part of this kind of exercise is to simulate dealing with a major incident that blows up out of the blue? Giving participants a chance to prepare...

SMotW #91: incident management maturity

Security Metric of the Week #91: information security incident management maturity

Notwithstanding the photo, we're using 'maturity' here in the sense of wisdom, stability and advanced development, rather than sheer age! The idea behind maturity metrics is to assess the organization against the current state of the art, also known as good practice or best practice. This particular metric measures the organization's processes for managing (identifying, reporting, assessing, responding to, resolving and learning from) information security incidents. That's all very well in theory, but how do we actually identify good/best practices, and then how do we measure against them? The maturity metrics described in PRAGMATIC Security Metrics employ a method that I developed and used very successfully over 3 decades in information security and IT audit roles. The scoring process breaks down the area under review into a series of activities and offers guidance notes or criteri...

Just how dynamic is information security?

"Information security is not the easiest of things to manage. The lack of suitable metrics makes it even harder in many organizations. Security management decisions are generally made on the strength of someone’s gut feel (an important but fallible and potentially biased approach), or for external compliance purposes (seldom aligned with the organization’s risk appetite). Metrics are the only way to tell whether best practices are truly good enough, and provide the data to make informed choices, identify improvement opportunities, and drive things in the right direction." That's the executive summary of a new management paper on security metrics for our Information Security 101 security awareness module, which we are currently revising and updating. The current module was released at the end of 2010 and, despite being a relatively superficial overview of a selection of general-interest information security topics for new hires, it's surprising ...