Posts

Showing posts from April, 2015

New awareness module: Safer surfin

Fascinating sociological changes are happening all around us as the Internet continues to expand and morph. Social media, online reviews and customer feedback sites are shifting the balance of power from retailers and other corporations towards their customers, in ways that aren't entirely beneficial: pressure groups comprising aggrieved customers and others with axes to grind (perhaps including unethical competitors) can collaborate and express themselves very publicly, and often bitterly, through online campaigns, while corporations caught in the full glare of the social media spotlight struggle to respond without harming their own brands. This issue neatly demonstrates the distinction between information security and IT or cybersecurity: the power of information is what matters, whereas information technology is (one could argue) merely a tool. No amount of technical security can address the challenges just described. The brand new awareness module for May also touc...

Resilience as a business continuity mindset

An article written in conjunction with Dejan Kosutic has just been published at ContinuityCentral.com. "Most business continuity experts from an IT background are primarily, if not exclusively, concerned with establishing the ability to recover failed IT services after a serious incident or disaster. While disaster recovery is a necessary part of business continuity, this article promotes the strategic business value of resilience: a more proactive and holistic approach for preparing not only IT services, but also other business processes before an incident in order that an organization will survive incidents that would otherwise have taken it down, and so keep the business operating in some form during and following an incident." We explain how resilience differs from and complements more conventional approaches to business continuity ... We refer to the 'resilience mindset' in the title, and discuss it as a cultural issue with ...

Awareness paper on authentication and phishing metrics

We've just republished a management-level security awareness paper on metrics relating to user authentication and phishing. The introduction asks "How do we tell whether our authentication controls are effective?" and "What does 'effective' even mean in this context?" - two decent questions that could be addressed through suitable metrics. Questions like these are central to the GQM (goal-question-metric) method (see IT Security Metrics by Lance Hayden), and not just literally in terms of their position in the handy acronym. They link the organization's goals or objectives relating to information security to the information security metrics that are worth measuring. In your particular circumstances, the effectiveness of authentication controls might or might not be of sufficient concern to warrant generating the associated metrics. Other aspects might take precedence, for example the amount invested in authentication controls, and the ongoing op...

People: can't do with 'em, can't do without 'em

The 2015 Verizon Data Breach Investigation Report indicates, once again, that a significant proportion of "data breaches" involve social engineering, perpetrators typically phooling victims into opening infected email attachments or clicking links to infectious or fraudulent websites. The report also indicates, once again, that security awareness is necessary to mitigate the social engineering threat. Technical "cybersecurity" (IT security) controls are of limited value precisely because social engineers (and fraudsters and spies) bypass most of them, exploiting vulnerable people instead. "The common denominator across the top four [incident type] patterns—accounting for nearly 90% of all incidents—is people. Whether it's goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns. At this point, take your index finger, place it on your chest, and repeat "I am the problem," as long as it ...

Yet another information security awareness case study

Controversial plans to replace two Surrey/South London hospitals with a new one were prematurely and inappropriately disclosed on a train: "The proposals were revealed by management consultants who held a conference call on a commuter train after meeting the trust chief executive Daniel Elkeles. The call was heard and recorded on a mobile phone by a BBC London reporter." Someone being overheard discussing sensitive matters on their mobile phone in a public place is nothing new: it is an everyday, common-or-garden information security incident. The factors that make this particular one notable include: the disclosure involved trusted third parties possessing (and disclosing!) valuable information belonging to an organization, having been given that information by senior management. This raises lots of questions about roles and responsibilities, compliance obligations, non-disclosure agreements, ethics, accountability and governance, as well as the information risks and security contro...

3 more metrics papers

We've just published another three documents on security metrics, written and first released five years ago as part of the management stream in our information security awareness service. The first paper concerns measuring integrity. Despite being one of the three central pillars of information security, integrity is largely overshadowed by availability and, especially, confidentiality ... and yet, if you interpret 'integrity' liberally, it includes some extremely important information security issues. The 'completeness and correctness' angle is pretty obvious, while 'up-to-date-ness' and 'appropriateness' are less well appreciated. Add in the character and trustworthiness of people, and integrity takes on a rather different slant (Bradley Manning, Julian Assange and Edward Snowden springing instantly to mind as integrity failures). An 'honesty metric' is an innovative idea. The integrity metrics paper also suggests measuring the integrit...

Management without metrics - how?

The SEC (Security Executive Council - not the Securities and Exchange Commission!) boldly describes itself as "the leading research and advisory firm that specializes in security risk mitigation." Their primary interest appears to be physical security, although they also make the odd nod towards IT security, business continuity and 'convergence'. The SEC conducted an unscientific online poll, asking respondents to self-assess and report the capability maturity of their security programs using the classic five-point SEI-CMM scale. Unsurprisingly, the results show a vaguely normal distribution about the middle value ('defined'), skewed towards the low end of the maturity scale. It appears they may have asked a separate question about metrics: "When participants were asked about metrics (a higher level of maturity), 64% said they did not use business value metrics (metrics that are beyond initial "counting" of activities such as number of backgr...