Showing posts from December, 2014

Intranet stats - a neglected security metric

Most organizations of any size have a corporate intranet, and I suspect you, dear reader, have an information or IT security website on yours. Are you tracking the page views? The count, or rather the trend in the number of page views for the security site, can be an interesting, useful, perhaps even PRAGMATIC metric in its own right. Take this very blog for example. Google kindly tracks and conveniently provides the admins with page view statistics in the form of little blue graphs. Google's default stats view shows the daily page counts for the present month, something like this: Given the specialist nature of security metrics and our relatively narrow (distinguished, enlightened and very welcome!) readership, the default graph is too peaky, whereas it is a little easier to identify trends from the monthly version: Pulling further back, the aggregated annual stats follow a pretty clear pattern, which we've picked out by eye in red just in case you missed it: The book had not...

Password awareness

We desperately need to get better at authenticating people if we are ever going to beat the scourge of identity theft and reverse the dreadful downward spiral that is already accruing costs in the tens of $billions annually. As a profession, we have a pretty good idea about what needs to be done, with multi-factor authentication and biometrics being high on the list ... and yet by far the majority of IT systems still depend entirely on passwords. In other words, for the foreseeable future we're stuck with 'em, and hence with the security issues arising.

"Usernames and passwords are basically broken from a security and a usability standpoint" - Jeremy Grant

Passwords are a particularly important topic for security awareness programs since so much revolves around the way we choose and protect our passwords. Furthermore, it's essential that managers and professional specialists appreciate just how broken passwords are as a security mechanism, if we are ever going to cl...

Management awareness paper on email security metrics

Measuring the information security aspects of email, and indeed other forms of person-to-person messaging, implies first of all that you understand what your security arrangements are intended to achieve. What does it mean to "secure email"? If that's too hard to answer, turn it on its head: what might be the consequences of failing to secure email adequately? Does that help? Our next metrics discussion paper opens with a brief analysis of the 'requirements and targets', also known as the objectives, of email security, expressed in broad terms. For instance, preventing or at least reducing the issues relating to or arising from spam and malware is a common objective ... hence one might want to measure spam and email-borne malware, among other aspects. That in turn raises questions about which specific parameters to measure and how - for instance, there are many possible ways to measure spam, such as the: Number of spam emails arriving at the organization, or rather...

NZ government agencies require security awareness

The New Zealand government published the PSR (Protective Security Requirements) this week, a well-written, readable policy manual. Publishing the manual in an online format through a content management system is commendable, not least because it is so easy to browse, search and (presumably) maintain. The custom views for 4 primary audiences (senior managers, security practitioners, employees and service providers), addressing common questions etc., are cool. The site structure/navigation, formatting/presentation and writing style are clear. More diagrams and figures would have been welcome to supplement the somewhat tedious monochrome text, but I have certainly seen worse! Overall, it's a nice bit of web design. Personally, I would have preferred the PSR to have explicitly adopted the structure of ISO/IEC 27001 and 27002. Although one might argue that the ISO27k structure is arbitrary, it is at least reasonably logical and familiar around the world, making it eas...

Management awareness paper on trade secret metrics

Protecting proprietary information, especially trade secrets, is - or rather should be - a priority for almost all organizations. Trade secrets can be totally devalued if they are disclosed to or stolen by competitors who then exploit them. The loss of competitive advantage can decimate an organization's profitability and, in the worst case, threaten its survival. Availability and integrity are also of concern for proprietary information. If the information is destroyed or lost, the organization can no longer use it. If it is damaged or corrupted, perhaps even deliberately manipulated, the organization might continue to use it but is unlikely to find it as valuable. Significant information security risks associated with proprietary information imply the need for strong, reliable information security controls, which in turn implies the need to monitor the risks and controls proactively. Being just 3 pages long, the awareness paper barely introduces a few metrics t...

Management awareness paper on authentication metrics

User identification and authentication (I&A) is a key information security control for all systems, even those that allow public access (unless the general public are supposed to be able to reconfigure the system at will!). As such, it is important to be sure that I&A is working properly, especially on business- or safety-critical systems, which in turn implies a whole bunch of things. I&A must be:

- Properly specified;
- Professionally designed;
- Thoroughly tested and proven;
- Correctly implemented and configured;
- Used!;
- Professionally managed and maintained;
- Routinely monitored.

Strangely, monitoring is often neglected for key controls. You'd think it was obvious that someone appropriate needs to keep a very close eye on the organization's key information security controls, since (by definition) the risk of key control failure is significant ... but no, many such controls are simply implemented and left to their own devices. Personally, I believe this is a serious blin...

There's more to awareness than phishing

... at least 46 other things in fact:

- Apps - about integrating information security into the software development/acquisition lifecycle, and mobile apps;
- Bugs! - security vulnerabilities created by errors or flaws in program specification, design, coding or configuration by software development professionals and end-users;
- Business continuity - business impact analysis, resilience, disaster recovery and contingency;
- BYOD (Bring Your Own Device) - the pros and cons of allowing employees and third parties to use their personal tablets, laptops, smartphones etc. for work purposes;
- Change management - this module covers the intersection between change management and information security management, taking in risk management, compliance, patching, testing, configuration and version management, and more;
- Cloud computing - covers the information security aspects of cloud computing;
- Compliance and enforcement - fulfillin...

Lo-tech infosec

"Lo-tech infosec" is a brand new security awareness module to complement last month's one on hi-tech infosec. There is no shortage of material: there's always loads to say about information security, especially once you shed the IT blinkers and think beyond the mot-du-mois "cybersecurity". Our prime focus this month is on people, including social engineering, frauds and scams, human errors and mistakes. Physical security for tangible information assets merits a mention, along with governance and compliance, and - yes - the value of security awareness as a control. Even industrial relations, health-and-safety and HR practices are part of the mix, plus good ol' yuman error.