Posts

Showing posts from October, 2014

Management awareness paper on database security metrics

The next security awareness paper suggests to management a whole bunch of metrics that might be used to measure the security of the organization's database systems. Most information-packed application systems are built around databases, making database security a significant concern for the corporation. We're talking about the crown jewels, the bet-the-farm databases containing customer, product and process information, emails, contracts, trade secrets, personal data and so much more. Despite the importance of database security, we don't know of any organization systematically measuring it ... although we do know of many that struggle to keep on top of database security design, development, testing, patching, administration and maintenance! So how exactly are management supposed to manage database security without database security measures? Extra sensory perception, perhaps, or gut-feel? Either way, it's hardly what one might call scientific management!

New hi-tech risks awareness module

In the 11 years that we’ve been providing the awareness service, it has grown substantially in both breadth and depth. We’ve covered risk management as a discrete topic a few times before, while information risk is the foundation for information security and hence virtually all the security awareness modules. This month, however, the latest addition to our bulging portfolio of security awareness topics concerns the central yellow area of the scope diagram shown here. A large proportion of information these days is communicated, processed and stored using IT systems and networks. There are numerous risks associated with IT which are central to this awareness module. However, it makes little sense to discuss IT or tech risks in isolation since it is the possible adverse consequences on the business that determine whether or not they are a genuine concern. If there were no impacts, the risks to the organization would be negligible. “Hi-tech risks”, t...

Management awareness paper on IPR metrics

When we get a spare moment over forthcoming months, we plan to release a series of awareness papers describing metrics for a wide variety of information security topics through the SecurityMetametrics website. The first paper, dating back to 2007, proposes a suite of information security management metrics relating specifically to the measurement of Intellectual Property Rights (IPR). Managing and ideally optimizing IPR-related controls (namely the activities needed to reduce the chances of being prosecuted by third parties for failing to comply with their copyright, patents, trademarks etc., plus those necessary to protect the organization's own IPR from abuse by others) requires management to monitor and measure them and so get a sense of the gap between present and required levels of control, apply corrective actions where necessary and improve performance going forward. These metrics papers were written for managers. Their primary purpose is to raise awareness of the...

To eat a chocolate elephant, take small bites

Instead of, or rather as part of, fostering a corporate security culture (a grand but nebulous objective), identify specific aspects or elements of the culture that most need to change and work on those more constrained issues. For clues about which aspects need addressing first, speak to your IT auditors and check the security incident reports and security metrics. For example, if the organization has a longstanding, seemingly intractable problem with noncompliance in the security domain, focus on compliance awareness. Get some traction on that, measure the improving awareness levels, and move on to the next topic. You can get as detailed and specific as you like in your planning. Is the noncompliance problem mostly about legal and regulatory obligations, or policy compliance, or contractual compliance, or something else? Is it all about privacy, or are there other compliance concerns such as governance and intellectual property rights? Which parts ...

Physical IP theft

The overnight theft of an entire wall from an eco-house being constructed in Christchurch raises the possibility that competitors wanted to find out how the construction company is prefabricating the panels with such good insulation properties - in other words, they have allegedly stolen the intellectual property by stealing a clever wall, presumably with the intent to duplicate the technology and perhaps sabotage the rightful IP owner's business. So it was cybertage. Deconstructing a competitor's product to figure out how it works and how it was made is common practice in many product markets, although usually there's no need to steal the product: the IP thief can simply purchase it legitimately. Sometimes (as with new car models prior to their launch), still photographs or videos of the product from the testing grounds are sufficient to steal a march on the competitor, hence physical security around the product (testing ground site access controls and fake vehicle pane...