Thursday 30 October 2014

Management awareness paper on database security metrics

The next security awareness paper suggests to management a whole bunch of metrics that might be used to measure the security of the organization's database systems.

Most information-packed application systems are built around databases, making database security a significant concern for the corporation.  We're talking about the crown jewels, the bet-the-farm databases containing customer, product and process information, emails, contracts, trade secrets, personal data and so much more.  Despite the importance of database security, we don't know of any organization systematically measuring it ... although we do know of many that struggle to keep on top of database security design, development, testing, patching, administration and maintenance!

So how exactly are management supposed to manage database security without database security measures? Extrasensory perception, perhaps, or gut-feel? Either way, it's hardly what one might call scientific management!

New hi-tech risks awareness module

In the 11 years that we’ve been providing the awareness service, it has grown substantially in both breadth and depth. We’ve covered risk management as a discrete topic a few times before, while information risk is the foundation for information security and hence virtually all the security awareness modules.  This month, however, the latest addition to our bulging portfolio of security awareness topics concerns the central yellow area of the scope diagram shown here.
A large proportion of information these days is communicated, processed and stored using IT systems and networks.  There are numerous risks associated with IT which are central to this awareness module.  However, it makes little sense to discuss IT or tech risks in isolation since it is the possible adverse consequences on the business that determine whether or not they are a genuine concern.  If there were no impacts, the risks to the organization would be negligible.
“Hi-tech risks”, then, arise where the business intersects both IT and information security.  They involve security threats to information assets exploiting vulnerabilities within the technology leading to adverse impacts on the business.  [Some involve the use of technology as weapons - another facet to hi-tech risk mentioned in the awareness materials.]
Thinking more broadly, information is a valuable corporate asset that deserves and requires protection against various risks, particularly those that affect its confidentiality, integrity or availability.  Protecting information is challenging due to its intangible and ephemeral or dynamic nature.  Information is subject to a wide range of threats, while there are numerous vulnerabilities that might be exploited and the impacts or consequences of incidents vary markedly.
To complicate matters still further, information-related risks are ever-changing, and despite our best efforts we can never have perfect knowledge about them: there will inevitably be situations that we did not predict and incidents that we did not completely guard against.  Hence information risk management depends on the quality of the information concerning information risks (yes, that is self-referential!):

That's one of the simple diagrams we used to put this potentially quite complex subject across to management - not because managers are "simple", you understand, but rather they need to see past the tech content to appreciate the business implications.  
Finally, information and technology risks have to be managed alongside financial risks, market risks, product risks, strategic risks, personnel risks and so forth.  From senior management’s strategic viewpoint, they all have to be managed to a comparable degree ... which implies things such as consistency of risk management approaches and terminology, and preferably also risk metrics, otherwise we're asking them to compare oranges with apples when determining whether the risks fall within their risk appetite.  The security metrics paper in November's awareness module suggests several ways to measure tech risk that can also measure other forms of risk.

PS  You'll understand why we named this module "hi-tech risks" when you see next month's.

Wednesday 22 October 2014

Management awareness paper on IPR metrics

When we get a spare moment over forthcoming months, we plan to release a series of awareness papers describing metrics for a wide variety of information security topics through the SecurityMetametrics website.
The first paper, dating back to 2007, proposes a suite of information security management metrics relating specifically to the measurement of Intellectual Property Rights (IPR). Managing and ideally optimizing IPR-related controls (namely the activities needed to reduce the chances of being prosecuted by third parties for failing to comply with their copyright, patents, trademarks etc. plus those necessary to protect the organization's own IPR from abuse by others) requires management to monitor and measure them and so get a sense of the gap between present and required levels of control, apply corrective actions where necessary and improve performance going forward.
These metrics papers were written for managers.  Their primary purpose is to raise awareness of the monthly topic, but really we hope to encourage information security professionals and management to think about, discuss and perhaps adopt better security metrics.  

If you follow the sequence, you'll notice our own thinking change over the 7 years since this first paper, particularly while PRAGMATIC Security Metrics was being written.  From time to time, we introduced new styles of metric, often covering the same information security topics repeatedly but from slightly different angles (there are already 50 infosec topics in our awareness portfolio, with about 20 more to come).

Friday 17 October 2014

To eat a chocolate elephant, take small bites


Instead of, or rather as part of, fostering a corporate security culture (a grand but nebulous objective), identify specific aspects or elements of the culture that most need to change and work on those more constrained issues. 

For clues about which aspects need addressing first, speak to your IT auditors and check the security incident reports and security metrics.  For example, if the organization has a longstanding, seemingly intractable problem with noncompliance in the security domain, focus on compliance awareness.  Get some traction on that, measure the improving awareness levels, and move on to the next topic.

You can get as detailed and specific as you like in your planning.  Is the noncompliance problem mostly about legal and regulatory obligations, or policy compliance, or contractual compliance, or something else?  Is it all about privacy, or are there other compliance concerns such as governance and intellectual property rights?  Which parts of the business are the worst?  What have the noncompliance incidents, enforcement/penalties and compliance efforts cost the company to date, and which were the most costly types of event?  Are there particular layers (such as junior management), departments (such as Procurement) or business units (such as, say, some far-flung office that pays scant attention to corporate directives) that lag the field?  Awareness surveys and various other PRAGMATIC information security metrics will enable you to answer such questions and generate a credible basis for planning - also by the way a means to manage, maximise and ultimately demonstrate the value of your awareness activities.

Alternatively, don't worry so much about the micro-topics and the delivery sequence but take a longer term view.  Concentrate instead on the breadth of coverage, the quality of the materials and the effectiveness of your awareness program. Your organization will be relatively aware of some of the information security topics we cover, which is no bad thing. Our stuff will reinforce and encourage secure behaviors, and we may well come up with novel angles that you hadn't even considered. For instance, do your security compliance activities pay any attention to business partners' compliance with the obligations your organization imposes on them?  We'll help you pick up on all those issues and more.  Over time, we'll help you consume your choccy elephant.

So what are you waiting for?  It's not going to eat itself.

Thursday 2 October 2014

Physical IP theft

The overnight theft of an entire wall from an eco-house being constructed in Christchurch raises the possibility that competitors wanted to find out how the construction company is prefabricating the panels with such good insulation properties - in other words, they have allegedly stolen the intellectual property by stealing a clever wall, presumably with the intent to duplicate the technology and perhaps sabotage the rightful IP owner's business.

So it was cybertage.

Deconstructing a competitor's product to figure out how it works and how it was made is common practice in many product markets, although usually there's no need to steal the product: the IP thief can simply purchase it legitimately.

Sometimes (as with new car models prior to their launch), still photographs or videos of the product from the testing grounds are sufficient to steal a march on the competitor, hence physical security around the product (testing ground site access controls and fake vehicle panels to conceal its shape) can be an important IP control.

Even better for the unethical competitor is to steal the design blueprints, engineering drawings and specifications direct from the source, for example by placing a mole in the competitor's organization, bribing a worker to steal the information, or hacking the systems.  They can reduce their risks and costs still further by exploiting the patent information published for patented products and hoping that the IP owners either don't notice, don't care, or don't have the resources for a full-on legal battle.

Anyway, I'm sure the building company whose wall technology appears to have been stolen will be watching the market closely for indications that a competitor is planning to introduce eco-buildings with remarkably good heat insulation ...