Posts

Showing posts from May, 2014

Enterprise Security Metrics report

A new 28-page research report by George Campbell's Security Executive Council (SEC) concerns the status of physical security metrics. Enterprise Security Metrics: A Snapshot Assessment of Practices (free but registration required) "provides a snapshot of the use of metrics in corporate security management. It includes information on the current state-of-the-art of various models of benchmarking and security metrics, types of metrics, judging the maturity of security metrics programs as well as challenges and opportunities for those undertaking security metrics programs. This report specifically summarizes our learned experience from corporate security measures and metrics initiatives." The report refers to SEC's ongoing metrics research but unfortunately does not go into details about the methods. A note on page 7 refers to a survey of 27 companies representing "a solid cross section of industry sectors [with] mature and multi-service corporate security progr...

Awareness module on surveillance

Prompted by recent revelations about mass surveillance by the NSA, we wrote a new awareness module covering the information security issues relating to surveillance from two distinct perspectives: surveillance conducted by the organization on its employees and others; and surveillance conducted on the organization by the authorities and others. We interpret 'surveillance' liberally to include activities such as monitoring employees' use of email, the networks, applications and the phones. Surveillance is generally a side effect, not usually the main purpose of ICT monitoring, but nevertheless myriad system and network managers and security professionals have the data and the tools to analyze what users are up to and often where they are. CCTV is an everyday example of surveillance, and again the security pros watching those TV screens inevitably see lots of ordinary people quietly going about their lives, not just criminals, intruders, vandals, shoplifters and so on. Cutt...