Posts

Showing posts from November, 2015

Information risk awareness

In line with common practice, we've covered "information security risk" previously in the security awareness materials. Virtually all the awareness modules cover information security, so this time around we've refocused the module on information risk, information risk management (IRM) especially. The diagram below sums up the guts of the classic IRM process: identify then assess information risks, choose how to treat them, implement the treatments, then loop back to pick up and respond to changes. There's more to it than that, for instance information must flow to and from management (e.g. information risk levels, business priorities and risk appetite) while suitable metrics are necessary to manage and improve the process systematically. Talking of which, I'm currently reading a fascinating account of how High-Reliability Organizations (HROs) use Highly Reliable Security Programs (HRSPs) to drive improvements in their information risk and security management...

Oz terrorism alerting scheme

A new public alerting scheme for terrorism was introduced in Australia this week, with the 5 color-coded levels shown here. The previous scheme, introduced in 2003, had 4 levels (low, medium, high and extreme), primarily reflecting the scale or severity of the threat. The new scheme's levels primarily reflect the probability of an attack. I'm puzzled because, as generally understood, risk reflects both aspects - the likelihood, probability or chance of an incident coupled with its scale, severity, consequences or impact. With the new system, even if a threat is deemed "certain" and coded red, the scheme gives us no idea of the likely scale of the incident/s. Are we talking about a lone gunman on the rampage in one location, a coordinated series of attacks across a number of locations, or what? Should I suggest the Analog Risk Assessment method to the Australian government?

Self-phishing own goal

With hindsight, perhaps it wasn't such a bright idea for an information security company to send out an email promoting phishing awareness, encouraging its readers to click an embedded blog link ... pointing to a different domain than the address of the sender of said email:

CISO/ISM ethics

If you had the requisite access, skills and opportunity to defraud or otherwise exploit your employer (which, I suspect, many of us in this profession do), would you be tempted to take advantage? Not even a tiny bit? What if the 'social contract' with your employer was seriously strained for some reason - something had soured the relationship, putting your nose out of joint, once too often? If you were so inclined, how much effort would you be willing to expend to 'get your own back'? Would you feel justified in causing material harm? Would you be willing to break the law? Would it matter if you worked for a bank, the government, a charity or family business? And how cautious/subtle/sneaky would you be about it? What if the potential prize on offer was, say, more than $10 million: how tempting would that be? How much caution and risk mitigation would $10m buy you? Stories like that make me wonder idly about my personal integrity and ethics. If everyone has their pric...

Decision-led metrics

Metrics in general are valuable because, in various ways, they support decisions. If they don't, they are at best just nice to know - 'coffee table metrics' I call them. If coffee table metrics didn't exist, we probably wouldn't miss them, and we'd have cut costs. So, what decisions are being, or should be, or will need to be made, concerning information risk and security? If we figure that out, we'll have a pretty good clue about which metrics we do or don't want. Here are a few ways to categorize decisions: Decisions concerning strategic, tactical and operational matters, with the corresponding long, medium and short-term focus and relatively broad, middling or narrow scope; Decisions about risk, governance, security, compliance ...; Decisions about what to do, how to do it, who does it, when it is done ...; Business decisions, technology decisions, people decisions, financial decisions ...; Decisions about departments, functions, teams, systems, proje...

Security awareness without resources - five Hinson tips

While listening to a couple of ISSA webinars on security awareness and idly scribbling notes to myself, I've been mulling over the common refrain that 'We just don't have the resources for security awareness'. One of the speakers said something along the lines of "I've never had the luxury of anyone on the payroll to do security awareness, except me and I'm always busy. I don't think we'll ever have anyone to do it full time, maybe a quarter FTE next year if we're lucky". This is for a healthcare organization with over 20,000 employees. That struck me as a depressing, almost defeatist attitude. I honestly struggle to believe that their management doesn't support security awareness, given how absolutely crucial it undoubtedly is to meet their security and privacy obligations and business challenges. How can they possibly afford NOT to do security awareness? I suspect the real problem lies not so much with management's resistance ...

Metrics database

I wonder if any far-sighted organizations are using a database/systems approach to their metrics? Seems to me a logical approach given that there are lots of measurement data swilling around the average corporation (including but not only those relating to information risk, security, control, governance, compliance and privacy). Why not systematically import the data into a metrics database system for automated analysis and presentation purposes? Capture the data once, manage it responsibly, use it repeatedly, and milk the maximum value from it, right? If you think that's a naive, impracticable or otherwise krazy approach, please put me straight. What am I missing? Why is it that I never seem to hear about metrics databases, other than generic metrics catalogs (which are of limited value IMNSHO) and Management Information Systems (which were all the rage in the 80s but strangely disappeared from sight in the 90s)? Conversely, if your organization has a metrics database system, how ...

Domain status update spear-phish

Look what just fell into my inbox. Legit, crude spear-phish or just plain nuts? I already own ISO27001security.com which is presumably why they think I might be interested in iso27k.com (I'm not!), but this is such an obvious con, I'd have to be a complete mindless idiot to fall for it. [I've crudely redacted their URL: please don't try to reconstruct and visit it unless you actually want your system to be compromised - and don't blame me!]