Posts

Showing posts from March, 2015

Another new security awareness topic: best practice

We have just delivered April's security awareness module covering best practices in information risk and security to subscribers - nearly 100MB of crisp, fresh awareness content. Numerous learned committees, panels, industry groups and other bodies of experts recommend best practices relevant to information risk and security, covering a wide variety of methods, controls and approaches. What can we learn from their advice? The latest module discusses a selection of best practices in information risk and security, helping our customers' awareness audiences contemplate their purpose and value. We even lay out for them a systematic, cyclic process for discovering, evaluating and adopting best practices. Strictly speaking, the 'best' in 'best practice' is misleading unless the guidance is truly universal and cannot possibly be improved upon. In reality, each organization differs in its situation, context and needs, so the practices that happen to be best for one might not suit a...

Metrics matter (updated)

An article by Mintz Levin about the 2013 privacy breach/information security incident at US retailer Target stated that the company has disclosed gross costs of $252 million, with some $90m recovered from its insurer, leading to a net cost of $162m up to the end of 2014 (the incident is not over yet!). Given that the breach apparently involved personal information on about 40 million people, it's trivial to work out that the incident apparently cost Target roughly $6 per compromised record ($4/record net of insurance payouts) ... but before anyone runs amok with those headline numbers, let's delve a bit deeper. First off, what confidence do we have in the numbers themselves? The article cites its sources as 8-K filings, in other words Target's official reports concerning the incident to the Securities and Exchange Commission. Personally, I'm quite happy with that: the dollar amounts are not mere speculation but (I believe, not being a specialist in US laws and...

ISO/IEC 27000 - UPDATED

I spent the morning reviewing the Draft International Standard version of ISO/IEC 27000:2016, in particular checking carefully through the definitions section for changes since the current 2014 version in order to update our information security glossary. I noticed that "executive management" is now defined in addition to "top management". The difference between these terms is quite subtle: whereas it appears the former always refers to the most senior managers within the entire organization, the latter may refer to senior managers within a business unit, department etc. if the scope of an ISMS is limited to that particular business unit, department etc. In practice, this distinction is unhelpful except under particular circumstances which might have been covered by a note to the definition of "executive management". To this native English speaker, "top management" is an obscure term - in fact I don't recall ever hearing or using it outsi...

Comparative security metrics

In situations where it is infeasible or impracticable to quantify something in the form of a discrete count or absolute value in specific units, comparative or relative measures are a useful alternative. They are better than not measuring at all, and in some cases easier to comprehend and more useful in a practical sense. In this respect, we disagree with those in the field who fervently insist that all metrics must be expressed as numbers of units (e.g. "20 centimetres"). It seems to us that "a bit longer than a pencil", while obviously imprecise, might be a perfectly legitimate and helpful measure of something (regardless of what that thing might be - a cut on your arm, for instance). Cardinal numbers and units of measure have their place, of course, but so do ordinals, comparatives and even highly subjective measures - all the way down to sheer guesswork (and, yes, 'down to' itself implies a comparative value). Douglas Hubbard's "How To Measure Anyth...

Free Sony hack case study

We have just published our security awareness case study on the Sony hack under a Creative Commons license. The information sources are fully cited and referenced in the materials - all public domain material and no special inside track from Sony, I'm afraid*, hence there are probably errors and certainly omissions ... and yet this was a remarkably instructive incident touching on an unusually wide range of information security topics. One aspect that stands out for me is that, since information is Sony's lifeblood, information risks are business risks. Regardless of whether the North Koreans were or were not behind the hack, management's strategic decision to press ahead with The Interview undoubtedly affected Sony's information risk profile. Their strategic approach towards information and IT security has been implicated in several major infosec incidents over the years. There are lessons here about governance, risk management and security strategy. The on...

Annual malware awareness update

Every March we update and re-issue our awareness module on malware (viruses, worms, Trojans and all that junk). This year, we've picked up on three disturbing trends in the murky world of malware - three risks that are in or heading towards the red zone. The Sony hack security awareness case study presented a golden opportunity to demonstrate how today's sophisticated malware-fuelled attacks work ... so that's exactly what we did. Being such a technical topic, it is becoming more of a challenge every year to explain cutting-edge malware in terms that everyone can understand ... but that's the kind of challenge we relish! Does your security awareness program cover malware? Is it bang up to date on today's malware landscape? Do you have the time to research and prepare top-quality adult education materials that motivate your audiences to behave more securely? Have you been able to take advantage of Sony's misfortune and learn from their mistakes? ...