Posts

Showing posts from February, 2016

Malware awareness update 2016

Despite thinking that it would be relatively straightforward to update last year's malware awareness module for 2016, when we did the research it turned out that the malware situation has taken a turn for the worse since last March, so we ended up writing a slew of brand new content. Just to whet your appetite ... last year we raised concerns about bank Trojans. Bank Trojans definitely haven't gone away, unfortunately, but ransomware has (arguably) become an even more significant threat today. It's not a good sign when the authorities admit defeat, advising "Just pay the ransom". Other emerging trends in the shady world of malware covered in the new security awareness module include: Multifunctional malware that is remotely controlled, remotely updated, remotely targeted, and (through encryption and obfuscation) more variable than earlier generations. This stuff is hard to identify, block and control, a tough challenge even for the very best antivi...

CIS cyber security metrics

The latest and greatest sixth version of the CIS (Center for Internet Security) Critical Security Controls (now dubbed the "CIS Controls For Effective Cyber Defense") is supported by a companion guide to the associated metrics. Something shiny in the introduction to the guide caught my beady eye: "There are lots of things that can be measured, but it is very unclear which of them are in fact worth measuring (in terms of adding value to security decisions)." Sounds familiar. In PRAGMATIC Security Metrics, we said: "There is no shortage of 'things that could be measured' in relation to information security. Anything that changes can be measured both in terms of the amount and the rate of observable change, and possibly in other dimensions as well. Given the dynamic and complex nature of information security, there are a great number of things we could measure. It's really not hard to come up with a long list of potential security metrics, all candidates for o...

Zurich Insurance global cyber risk reports

Zurich Insurance published a web page with a bunch of graphs projecting the global costs and benefits of cybersecurity under various scenarios ... but what do they mean? What is the basis for analysis? I find the graphs confusing, almost devoid of meaning like so many infographics, a triumph of marketing gloss over substance. The page succeeded, however, in catching my beady eye. Although Zurich neglected to provide a working hyperlink, Google led me inexorably to the research paper from which the graphs were plucked: Risk Nexus: Overcome by Cyber Risks? Economic Benefits and Costs of Alternate Cyber Futures is a report by the Zurich Insurance Group and the Atlantic Council's Brent Scowcroft Center on International Security plus the Pardee Center for International Futures at the University of Denver, a follow-up to their 2014 report: Beyond Data Breaches: Global Aggregations of Cyber Risk. Apart from casually referring to "cyberspace" as 'the internet and assoc...

Security awareness metrics

Some say that information security awareness is hard to measure, and yet a moment's thought reveals several obvious, straightforward and commonplace metrics in this area, such as: Attendance numbers, trends, rates or proportions at awareness and training events; Feedback scores and comments from attendees at/participants in said events, or concerning other awareness activities, promotions, media, messages etc.; General, broad-brush, state-of-the-nation security awareness surveys of various populations or constituencies conducted on paper or using electronic forms or polls; More specific information recall and comprehension tests relating to awareness topics or sessions, conducted on paper or online (maybe through the Learning Management System); Awareness program metrics concerning activities planned and completed, topics covered (breadth and depth of coverage), budget and expenditure ($ and man-days), comparisons against other forms of security control and against other a...

We don't know, we just don't know UPDATED

Crime-related statistics/metrics are problematic for several reasons: Crime tends to be hidden, out of sight, mostly in the shadows. An unknown number of crimes are never discovered, hence recognized/identified incidents may not be representative of all incidents. Criminals might brag about their exploits to their posse but they are hardly likely to participate willingly in surveys. Criminals cannot be trusted so even if they did complete the forms, we probably shouldn't swallow their responses whole. Mind you, if the surveys weren't designed scientifically with extreme care over the precise questions, proper selection of the samples, rigorous statistical analysis, honest reporting etc., then all bets are off anyway. The police, governments/authorities, news media, assorted commercial organizations, professions, industry bodies and pressure groups all have vested interests too, meaning that we probably shouldn't believe their surveys and assessments either, at least not u...

Cause =/= Effect

Animals like us are fantastic at spotting patterns in things - it's an inherent part of our biology, involving parts of our brains that are especially good at it. Unfortunately, while some patterns are significant, many are not, and our brains are not terribly good at differentiating between the two - in fact, we tend to overemphasize matches, believing them to be especially significant, meaningful and, in a sense, real. It could be argued that both pattern-recognition and overemphasis on matches are the result of natural selection over millennia, since in the wild, anything that helps us quickly identify and respond to possible attacks by predators, even if there are none, is likely to increase our survival, within reason anyway. Arguably, this is what makes wild animals 'alert', 'nervous' or 'jumpy'. It's a fail-safe mechanism. It's also the root of the fear we feel when we think we are in a dangerous situation, such as walking down a dark alleyway ...