Posts

Showing posts from November, 2014

Management awareness paper on insider threat metrics

How do you measure 'insider threats' in your organization? If your answer is "We don't!", then I have to wonder how you are managing insider threats. Without suitable metrics, how do you figure out how much of a problem you might have from employees, contractors, consultants, temps and interns? How do you determine where best to spend your security budget? How do you persuade management to loosen the purse strings sufficiently to address the risks? I guess you guess! The discussion paper breaks down 'insider threat' into chunks that can be measured sensibly. The main divide falls between deliberate attacks (such as frauds by insiders) and accidents (such as mistakenly overwriting the entire production database - don't laugh, it happened to me 25 years ago and the nightmare still haunts me today!). The paper picks up on one of the most productive sources of information security metrics: the IT Help/Service Desk's problem and incident manage...

Management awareness paper on network security metrics

Measuring network security involves, first and foremost, determining what 'network security' encompasses, and how it relates to the business. Writing way back in 2007, we said that network security "comprises a range of technical and procedural controls designed to prevent, detect and/or recover from security incidents affecting the corporate data networks – incidents such as unauthorized access (hacking), worms and other malware infections, and unplanned network downtime". The context for the paper was a security awareness module exploring security arrangements protecting data networks against both deliberate and accidental threats. The paper described ways to measure network security incidents, controls, risks, compliance and governance. It ended with an upbeat conclusion and call-to-action: "Do not neglect the value of having the experts present and discuss reports with management. The dialogue that ensues adds value to the written reports. Why not present...

PCI embraces security awareness

The PCI Security Standards Council's Security Awareness Program Special Interest Group has released an 'information supplement' to PCI-DSS, suggesting an awareness approach that is remarkably similar to ours. Best Practices for Implementing a Security Awareness Program is a well-written guide elaborating on four key ideas: 1) Security awareness is a vital tool supporting the business. "It is therefore vital that organizations have a security awareness program in place to ensure employees are aware of the importance of protecting sensitive information, what they should do to handle information securely, and the risks of mishandling information." [We go further in emphasizing the business value of information security, for example giving management confidence that information assets will be sufficiently well protected when exploring new business opportunities.] 2) Security awareness is best delivered on a continual basis, all-year-round. "Security awareness...

Management awareness paper on malware metrics

Malware - malicious software - encompasses a variety of computer viruses, Trojans, network worms, bots and other nasties. Malware has been the scourge of IT users ever since the Morris worm infected the early Internet way back in 1988. Despite the enormous global investment over the intervening years in information security controls against malware (including security awareness!), it remains a significant security concern today. Although antivirus software companies sometimes admit that they are fighting a losing battle, malware is generating so much income both for the VXers (malware authors) and their criminal masterminds, plus the antivirus software companies, that the arms race looks set to continue for the foreseeable future. Both sides are constantly investing in new tricks and techniques, fuelling a thriving black market in zero-day exploits and novel malware. Meanwhile, the rest of us are lumbered with paying for it in one way or another...