Tuesday 31 December 2019

ISO27k awareness & training materials


We have published a set of security awareness and training materials concerning a topic I've been itching to cover for years, literally (the years part, not the itching ... thanks to the magic ointment).

I've been a user and fan of the ISO/IEC 27000 series standards since forever, before they were even conceived, even before BS 7799 was published.

From the original corporate security policy and 'code of practice' on information security (essentially a catalogue of information security controls), ISO27k has grown into a family of related standards, along the way assimilating a couple of other standards and, lately, expanding into privacy, eDiscovery, IoT, smart cities, big data and more.

Making sense of the bewildering scope of today's ISO27k was a particular challenge for this awareness module ...



... and of course ISO27k is not the only source of guidance out there ...



The module came together and turned out nicely ...


I'm especially pleased with how the ISO27k business case and metric (the 'universal KPI') turned out. They and the other awareness materials will serve double-duty in connection with our ongoing ISO27k consulting gigs.

The shiny new batch of ISO27k awareness content is available to download now at SecAware.com, our 70th information security awareness and training topic. Top that!

Friday 27 December 2019

Pakistan supports ISO27k


Through the Pakistan Software Export Board of the Ministry of IT & Telecom, the Pakistan government is subsidising 80% of the cost of consultants and auditors to advise and certify Pakistani IT companies against ISO 20000 (ITIL) and ISO/IEC 27001 (information security). With over 5,000 companies in Pakistan offering Business Process Outsourcing and IT services, this represents a substantial investment, reflecting the government's intention to raise standards in the industry. Good on them! If only other governments would follow their lead.






Monday 23 December 2019

How many ISO MSSs are there?

Did you know there are fourteen ISO Management Systems Standards*?

Is this a cottage industry, ISO's sausage-machine churning out MSSs one after another? Has ISO discovered a vein of gold?

Or is it that the MSS approach works so well that organizations welcome the standards, creating demand?

Both maybe? Or something else entirely?

You tell me.  

All I know is that ISO/IEC 27001 does a pretty good job in the area of information risk and security management, based on BS 7799.  ISO 9001 set the MSS ball rolling, drawing on BS 5750. And ISO 20000 is, in effect, the ISO version of ITIL, a UK government standard. I'm not familiar with the remaining MSSs but I wouldn't be surprised to discover several of them are also based on British standards. I don't know why that would be: the Brits are certainly not alone in understanding the value of governance structures, assurance and compliance.


* December 2022 update: the official list is now close to 40

Sunday 22 December 2019

Zero-based risk assessment


In a thread on the ISO27k Forum, Ed Hodgson said:

"There are many security controls we have already implemented that already manage risk to an acceptable level e.g. my building has a roof which helps ensure my papers don't get wet, soggy and illegible. But I don't tend to include the risk of papers getting damaged by rain in my risk assessment".

Should we consider or ignore our existing information security controls when assessing information risks for an ISO27k ISMS?

That question took me back to the origins of ISO27k, pre-BS7799 even. As I recall, Donn Parker originally suggested a standard laying out typical or commonplace controls providing a security baseline, a generally-applicable foundation or bedrock of basic or fundamental controls. The idea was to bypass the trivial justification for baseline controls: simply get on with implementing them, saving thinking-time and brain-power to consider the need for additional controls where the baseline controls are insufficient to mitigate the risks.  [I’m hazy on the details now: that was ~30 years ago after all.]

I have previously used and still have a soft-spot for the baseline concept ... and yet it's no easier to define a generic baseline today than it was way back then.

In deciding how to go about information risk analysis, should we:
  • Go right back to basics and assume there are no controls at all - a zero-based assessment? This is challenging and tedious but gives us the opportunity to reconsider whether we still need all the controls we already have, or whether there might be better ways to address the risks, today;
  • Ignore the existing controls comprising our baseline, focusing on the current information risks to identify any need for supra-baseline controls? This incremental risk analysis is easier and quicker, but relies on our foundational controls which might not, after all, be as solid as we presume;
  • Compromise: if we use the baseline/incremental approach routinely, maybe we should occasionally review and reconsider our baselines too. In practice, we are likely to want to add even more controls to the baseline each time we do that but still we should really take a cold hard look at those baseline controls. In particular, I like to tease out and review the "key" controls, the ones we are heavily reliant upon: as such, we really ought to make more of an effort to be assured of their effectiveness, rather than just presuming it, with implications for oversight, monitoring, testing and metrics.
And that, by the way, is an area where ISO/IEC 27002 could really help by clarifying what are the "key" controls, which takes us full circle back to the idea of a common/universal baseline. I have in mind defining the baseline through a set of general axioms, principles or security objectives rather than what we normally call controls - things such as 'accountability', 'responsibility', 'role', 'trustworthiness', 'reliability' and so on.

Unfortunately, the ISO/IEC 27002 revision project is probably too engrossed with reorganizing and rewriting hundreds of controls to even consider such an idea at this point, but maybe I should suggest it for one of the other ISO27k standards - or just write it up as a suggestion.

Friday 20 December 2019

ISO27k maturity metric

Yesterday I completed the "universal KPI" metrics paper for the ISO27k awareness module. 

The finished article uses the management system requirements from the main body of ISO/IEC 27001, followed by the security controls in Annex A or ISO/IEC 27002 (mostly), as the basis for measuring an organization's ISMS. 

Here's a little taster:


I have added a few supplementary controls and scoring criteria in areas where I feel '27002 falls short of current good practice e.g. policy management, business continuity and compliance. At some future point, I will add IoT, cloud security and perhaps other controls for the same reason. One of the advantages of this style of metric is that it's straightforward to maintain, such as updating or adding new scoring criteria, ideally in such a way that prior scores remain valid.

As it is, it's already a lengthy, detailed paper - a 37-page Word document with two tables in landscape format containing ~13,000 words plus a page of instructions.

I'm itching to try this out in earnest, so if you know of anyone looking for an ISMS internal audit, ISO27k gap analysis, benchmark or review, or simply looking for a pragmatic infosec maturity metric, please get in touch.

PS  This metric scores well on the PRAGMATIC metametric scale, naturally, since it is predictive, relevant, actionable, cost-effective, independently verifiable etc.

PPS  The metric has value for:
  • Reviewing and evaluating an organization’s information risk and security management practices
  • Reviewing and evaluating an organization’s information security controls
  • Comparing and contrasting organizations or business units (benchmarking), enabling good practices to be shared from high- to low- scorers
  • Assessing the infosec status of current or potential suppliers, business partners and takeover targets
  • Gap analyses, checking the coverage and quality of an organization’s information risk and security practices against ISO27k (e.g. when initially scoping and planning to implement the standards)
  • Justifying, prioritizing and guiding improvements (driving maturity)
  • Internal audits and management reviews of ISMSs
  • Routine operational and management reporting (governance)
  • More in-depth evaluation of particular areas of concern, expanding on the scoring matrix.

Wednesday 18 December 2019

32,000 ISO/IEC 27001 certificates

The latest ISO Survey gives the certification figures for 2018 on ISO's management systems standards.

Yes, evidently it takes that long to compile and publish the data.  

No, I don't know why it is so slow, except that it involves gathering information from busy certification bodies dotted around the globe. By donkey, maybe.

Anyway, here are some of the stats:



So, by now there are probably more than 32,000 ISO/IEC 27001:2013 certified organizations globally, each cert covering two physical sites on average. A further unknown number are currently in the process of being certified, or have chosen to adopt the standards without being certified compliant.

Compared to ISO9k (quality management) and ISO14k (environmental management), ISO27k (information risk & security management) is way behind, meaning a lot of growth potential - more than 27 times the current uptake to match ISO9k.

Yes, I'm an optimist. 


ISO27k has been most successful in China+Taiwan, Japan and the UK with more than 8k, 5k and 2k certified organizations respectively. India, Germany and Italy are all above 1k, with the USA finally catching up with the developed world. Meanwhile, New Zealand had just 17 certified organizations by the end of 2018.

So, I'll continue plugging away, doing my best to promote ISO27k.  

Onwards! Upwards!


*For reasons I perhaps ought to explore some day, ISO31k (risk) is classed as a guideline rather than a certifiable management system standard. Odd that, given that most of the ISO management systems concern some form of risk management. Security and safety are clearly amenable to the management system approach, so why not risk?

Sunday 15 December 2019

The business case for ISO27k

As part of January's awareness module, I'm compiling a generic business case laying out the costs and benefits of implementing the ISO27k standards and seeking an ISO/IEC 27001 certificate.

Well, that was the cunning plan anyway.  

So far, I have a long list of benefits and a small handful of costs - just the obvious ones to do with managing an implementation project, reviewing information risks, improving governance arrangements, writing and updating the documentation such as policies, and contracting with an accredited certification body. There may be additional costs to implement information security controls ... but not necessarily: it all depends on the information risks and decisions arising. 

Patently I'm a big fan of ISO27k but I honestly didn't expect the business case to be so overwhelmingly positive. It's quite a surprise.

If management is willing to accept the organization's current information risk status, there's no need to splash out on additional security, at least not yet, not purely for certification anyway. The situation may change, later, once the ISMS is running sweetly and shortcomings with the risk treatments come to light, perhaps through incidents or a growing appreciation of the evolving information risks ... but that's a way down the track, post-certification. Possible future costs are not part of the business case, nor are possible future benefits.

It's not entirely plain sailing though, as the implementation process involves systematically reviewing the infosec controls catalogued in ISO/IEC 27001 Annex A to be sure that nothing important has been neglected. An organization that is lacking in near-universal controls such as identification and authentication, access controls, backups, antivirus and firewalls would be hard-pressed to justify to the certification auditors that they are inapplicable. It can be done, but it's not easy.

As a consequence, it is clearly vital for third parties to consider a certified organization's ISMS scope and Statement of Applicability carefully if they depend on its information security arrangements - and that, too, is a matter of information risk. The information risks associated with the supply of commodity goods are lower than for specialist goods and services, especially professional services with a strong information content or with legal and regulatory compliance implications - IT/cloud, finance/accounting/tax, legal and HR services for instance. The stakes are higher and so are the expectations, with implications for the assurance measures, supplier evaluation, contractual clauses and relationship management. 

It cuts both ways: suppliers of goods and services with a strong information content should anticipate more thorough information risk evaluation by prospective, ongoing or renewing customers. For them, customer requirements may eclipse those in ISO27k, and yet the ISO27k ISMS provides a sound governance and management framework to help them do what needs to be done. The costs may be higher but so too are the benefits. Like I said, the business case remains overwhelmingly positive.

UPDATE Jan 3rd: I have just published the business case paper - 18 pages in total with a smattering of quotations from the standards and some graphics from January's awareness module.

Friday 13 December 2019

What is an 'information asset'?

ISO/IEC JTC 1/SC 27 tied itself in knots for years trying to answer that disarmingly simple and straightforward question, failing to reach consensus and eventually admitting defeat.

Back in 2014, ISO/IEC 27000 defined "Asset" very broadly as "anything that has value to the organization ... including: information; software, such as a computer program; physical, such as computer; services; people, and their qualifications, skills and experience; and intangibles, such as reputation and image."

To narrow it down a bit in the context of ISO27k, "Information asset" had also been explicitly defined in ISO/IEC 27000:2009 as "Knowledge or data that has value to the organization".

That definition still works quite well for me. "Information asset" refers to the intangible content - the meaning of information - rather than the vessels, media, equipment, facilities and human beings that house, process, communicate and use it.

The content is both valuable and vulnerable and hence needs to be protected or secured. That's what ISO27k does.

I appreciate that the tangible vessels, media, equipment, facilities and people are also assets that also require adequate protection, security and safety, but that's largely the domain of conventional physical risk and security measures such as vaults, locks and guards, plus health and safety. Other standards apply there.

At some point after the release of ISO/IEC 27000:2009 (I forget exactly when), SC 27 had become exhausted by the interminable arguments over the definition and called a halt to it. The definitions of "information asset" and then "asset" were summarily removed from ISO/IEC 27000. "Information asset" was systematically shortened throughout the ISO27k standards, usually to "asset" ... unfortunately as "information" would have been more appropriate in most cases.

"Asset" is currently defined in ISO/IEC 27032:2012 as "Anything that has value to an individual, an organization or a government. NOTE Adapted from ISO/IEC 27000 to make provision for individuals and the separation of governments from organizations". According to the ISO browsing platform, "asset" is also defined in several other ISO standards e.g.:
  • "Plant, machinery, property, buildings, vehicles, ships, aircraft, conveyances and other items of infrastructure or plant and related systems that have a distinct and quantifiable business function or service - This definition includes any information system that is integral to the delivery of security and the application of security management."
  • "Things that a user sees or hears, e.g., bitmap, audio, and text."
  • "Anything that has value to a stakeholder"
  • "Anything that has value to the organization"
  • "Anything an individual or a company owns which has value - In the container environment, an asset could be a container, the container’s contents, or information pertaining to the container"
  • "Things that a user sees or hears, e.g., bitmap, audio, text."
  • "Whole building or structure or unit of construction works, or a system or a component or part thereof"
  • "Manifestation, i.e. physical or digital embodiment of an Expression"
  • "item, thing or entity that has potential or actual value to an organization"
  • "Entities that the owner of the TOE presumably places value upon"
  • "Item, thing or entity that has potential or actual value to an organization - Value can be tangible or intangible, financial or non-financial, and includes consideration of risks and liabilities. It can be positive or negative at different stages of the asset life. - Physical assets usually refer to equipment, inventory and properties owned by the organization. Physical assets are the opposite of intangible assets, which are non-physical assets such as leases, brands, digital assets, use rights, licences, intellectual property rights, reputation or agreements. - A grouping of assets referred to as an asset system could also be considered as an asset."
'Something of value' is a general definition whereas the ISO27k standards are purely concerned with the management of information risk and security - not other assets such as land, property and machine tools. So, for example, in discussing an "Asset inventory" in the annex, ISO/IEC 27001 could be interpreted literally to mean "an inventory of anything of value", which is obviously way broader in scope than an inventory of information. It therefore had to explain in the text that the assets to be inventoried are those "associated with information and information processing facilities", another confusing phrase which implied that information itself is not an asset! That, in turn, was corrected by ISO/IEC 27001 corrigendum 1 in 2014:


The corrected version of that control still indicates that the inventory should include "other assets associated with information and information processing facilities", an open-ended scope that extends beyond the intangible information content, but despite the standard's use of "shall", Annex A is in fact discretionary or advisory, not mandatory.

But wait, there's more. ISO27k standards are applicable in the corporate context, so the value of assets is seen from the corporate perspective - primarily stuff that the organization owns. However, some information is only (in effect) loaned to the organization by third parties, including people. Personal information on individual people belongs to those people, known as the "data subjects". People have legal and ethical rights over their own personal information, since it is valuable to them personally, as well as any business value to the organizations that make use of it. The same applies to intellectual property legally owned by third parties - commercial software for instance, plus patented or trademarked designs and copyrighted material such as this very blog. "Information asset" turns out, once again, to be more complex than it seems.

I feel that SC 27 should really have bottomed out this issue since it is crucial to ISO27k, but a proper resolution to the discussion proved impossible within the constraints of the committee's formalized and tediously slow working practices.

So there we are. "Information asset" is undefined ... and unclear. Too bad.

Thursday 12 December 2019

A universal KPI

For January's security awareness module on ISO27k, I'm developing a detailed checklist with which to assess, evaluate and score each of the information security controls recommended by ISO/IEC 27002 (as summarized in Annex A of ISO/IEC 27001)*.

The checklist/scoring format is one I invented years ago and have been using and refining ever since. It is a kind of maturity metric that has proven very valuable in practice, giving surprisingly consistent and useful results despite the subjective nature of the checks.

I am laying out 4 'indicators' for each control from '27002, specifying the kinds of things that would typically correspond to scores of 0% (exceptionally weak or missing controls) through 33% and 67% to 100% (exceptionally strong or cutting-edge controls). The 50% centre point on the scale divides 'inadequate' from 'adequate' controls, although that only really applies in the context of a mythical generic mid-sized organization with minimal information risks and hence security requirements. For many commercial organizations, 60% may be a more appropriate target, varying between organizations and controls - e.g. a financial services organization is likely to have more substantial information risks and hence needs stronger controls to ensure confidentiality, integrity and availability of information, than a typical manufacturing or retail business; an engineering design firm may value data integrity above all else, given the health and safety implications and liabilities if its output is inaccurate.   
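As an added illustration of the scoring format described above (not the author's checklist or paper, and not code from it), the Python below models the 4-indicator scale: the assessor picks the best-matching indicator for each control, or a point between two adjacent indicators, and the scores are aggregated per domain and overall, with controls falling short of the 50% adequacy line or the organization's own target flagged. The control references follow the ISO/IEC 27001:2013 Annex A numbering; the indicator texts, the 60% target, the "key control" flag and the observations are constructed for the example.

```python
"""Maturity scoring on a 0 / 33 / 67 / 100 indicator scale.

Added illustration of the checklist format described in the post; it is not
the author's checklist or paper.  Indicator texts, targets and observations
are constructed.  Control references follow ISO/IEC 27001:2013 Annex A numbering.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple

SCALE = (0, 33, 67, 100)   # one indicator per anchor point, for every control
ADEQUACY_LINE = 50         # centre point dividing 'inadequate' from 'adequate'
DEFAULT_TARGET = 60        # a more demanding target for many commercial organizations


@dataclass(frozen=True)
class Control:
    ref: str                                # Annex A style reference
    domain: str                             # grouping used for per-section reporting
    name: str
    indicators: Tuple[str, str, str, str]   # descriptions aligned with SCALE
    target: int = DEFAULT_TARGET            # may vary by organization and control
    key: bool = False                       # a control the organization relies on heavily


def score_from_level(level: float) -> float:
    """Turn an assessor's indicator choice into a percentage score.

    ``level`` is the index (0..3) of the indicator that best matches what was
    observed; a fractional level interpolates linearly between two adjacent
    indicators when the evidence sits between them (e.g. 1.5 -> 50.0).
    """
    top = len(SCALE) - 1
    if not 0 <= level <= top:
        raise ValueError(f"level must be between 0 and {top}, got {level!r}")
    lo = int(level)
    if lo == top:
        return float(SCALE[top])
    return float(SCALE[lo] + (level - lo) * (SCALE[lo + 1] - SCALE[lo]))


def assess(controls: List[Control], observed: Dict[str, Optional[float]]) -> dict:
    """Score one assessment.

    ``observed`` maps each control ref to a level, or to None for a control
    excluded as not applicable (the justification belongs in the Statement of
    Applicability; it is only listed here).  Every control must have an entry:
    an unrecorded control is a gap in the assessment, not a zero.
    """
    scores: Dict[str, float] = {}
    not_applicable: List[str] = []
    for c in controls:
        if c.ref not in observed:
            raise KeyError(f"no observation recorded for {c.ref}")
        if observed[c.ref] is None:
            not_applicable.append(c.ref)
        else:
            scores[c.ref] = score_from_level(observed[c.ref])

    by_domain: Dict[str, List[float]] = {}
    for c in controls:
        if c.ref in scores:
            by_domain.setdefault(c.domain, []).append(scores[c.ref])
    scored = [c for c in controls if c.ref in scores]

    return {
        "overall": mean(scores.values()) if scores else None,
        "by_domain": {d: mean(v) for d, v in by_domain.items()},
        "inadequate": [c.ref for c in scored if scores[c.ref] < ADEQUACY_LINE],
        "below_target": [c.ref for c in scored if scores[c.ref] < c.target],
        # key controls below target are where assurance effort should go first
        "key_below_target": [c.ref for c in scored if c.key and scores[c.ref] < c.target],
        "not_applicable": not_applicable,
        "scores": scores,
    }


# Constructed sample assessment (indicator texts abbreviated).
SAMPLE_CONTROLS = [
    Control("A.5.1.1", "A.5", "Policies for information security",
            ("No written policy", "Draft or outdated policy, unapproved",
             "Approved policy, reviewed annually", "Managed policy suite, independently audited")),
    Control("A.9.4.2", "A.9", "Secure log-on procedures",
            ("Shared accounts and passwords", "Individual accounts, weak passwords",
             "Password policy enforced", "MFA throughout, access rights audited"), key=True),
    Control("A.12.2.1", "A.12", "Controls against malware",
            ("None", "Ad hoc antivirus", "Centrally managed and monitored",
             "Layered controls, independently tested")),
    Control("A.12.3.1", "A.12", "Information backup",
            ("No backups", "Irregular, untested backups", "Scheduled backups, restores tested",
             "Offline copies, restores and retention audited")),
    Control("A.14.2.8", "A.14", "System security testing",
            ("None", "Occasional", "Routine before release", "Independent, risk-driven")),
]
# Levels chosen by the assessor; None = excluded as not applicable.
SAMPLE_OBSERVED = {"A.5.1.1": 2, "A.9.4.2": 1, "A.12.2.1": 1.5,
                   "A.12.3.1": 3, "A.14.2.8": None}

if __name__ == "__main__":
    report = assess(SAMPLE_CONTROLS, SAMPLE_OBSERVED)
    print(f"overall maturity {report['overall']:.1f}%  by domain: {report['by_domain']}")
    print("below target:", report["below_target"], "key:", report["key_below_target"])
```

Adding a new indicator later only changes the text the assessor matches against, so earlier scores on the same 0/33/67/100 anchors remain comparable.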

Looking back over the draft checklist, I've noticed that the scores for most controls correlate with 'assurance' activities. At the top end, 100% scores often involve strong assurance measures such as thorough, independent audits by competent auditors. At the bottom end, assurance measures are conspicuously absent: if it's not painfully obvious already, even a cursory check would no doubt reveal that the controls are either completely absent or totally inadequate, but checking simply isn't performed at the 0% level - in fact, it probably doesn't even occur to those involved. 

In the middle ground, assurance activities either drive systematic improvements where necessary, or increase confidence that the controls in place are sufficient - fit for purpose, of decent quality, doing a good job.

Therefore, assurance appears to be a universal KPI, a Key Performance Indicator that would be applicable and valuable to almost any organization that seeks to measure and improve the quality and maturity of its approach to information risk and security management. 

Assurance is an over-arching control on a higher conceptual plane than most information security controls. The benefits of assurance include:
  • Checking to ensure that the right things are being done, and things are being done right;
  • Investigating and evaluating things, digging deeper than otherwise occurs and challenging the status quo;
  • Hopefully generating credible evidence to demonstrate or prove that, making it possible for the organization's management, owners and other internal or external stakeholders to increase their confidence and trust that the organization is soundly governed, managed, operated and controlled;
  • Generating insight such as improvement suggestions, as a result of the investigation, analysis and discussion arising;
  • Spreading good practices, especially if those performing assurance activities are highly experienced and competent across a broad range of industries, organizations and situations.
So, becoming good at assurance drives the organization to a better place.

Other universal KPIs might also be relevant to information risk and security, such as:
  • Oversight - the middle and junior management equivalent to assurance, watching over, guiding and monitoring activities in a more hands-on fashion;
  • Information risk management practices, especially within a systematic, structured framework such as ISO27k, SP800-53, COBIT or NIST CSF incorporating information security management, incident management, compliance management and business continuity management as well;
  • Measurement practices - the very act of focusing on stuff that is important enough to be worth measuring tends to achieve improvements, hence the importance of designing/selecting and implementing appropriate metrics (including sensible KPIs by the way!);
  • Formalization, for example policies, procedures, guidelines, awareness and training all being managed proactively as a coherent and coordinated suite of activities that business people find beneficial rather than sheer red tape;
  • Compliance - involving both reinforcement of required practices and enforcement of the rules, which implies the need for clearly defined rules and the associated checking and motivational activities (assurance again).

* I'm aware that not all of the ISO/IEC 27002 controls may be applicable to any organization, and that other controls may be required - in fact, I'm using ISO 22301 as a guide to business continuity controls in place of '27002's pathetic section 17, and I may use CSF or other standards on cloud controls to supplement/extend '27002 section 15. The scoring checklist needs to be considered, adapted and applied sensibly according to the context ... but, trust me, it's much easier, quicker and more effective to start with this guidance than a blank sheet!

Wednesday 11 December 2019

Risk treatments


Yesterday I wrote about what the White Island eruption teaches us about risk management, in particular the way we decide how to deal with or "treat" identified risks.

ISO/IEC 27005 describes 4 risk treatment options:
1. Avoid the risk by deliberately not getting ourselves into risky situations - not getting too close to a known active volcano for example;
2. Modify the risk: typically we mitigate (reduce) the risk through the use of controls intended to reduce the threats or vulnerabilities and hence the probability, or to reduce the impacts;
3. Retain the risk: this is the default - more on this below;
4. Share the risk: previously known as "risk transfer", this involves getting the assistance of third parties to deal with our risks, through insurance for instance, or liability clauses in contracts, or consultants' advice.
Risk management standards and advisories usually state or imply that these 'options' are exclusive, in other words alternatives from which we should choose just one treatment per risk. ISO/IEC 27005 says "Controls to reduce, retain, avoid, or share the risks should be selected". In fact, they are nonexclusive options since they all involve an element of risk retention. The sentence should perhaps read "Controls to reduce, retain, avoid, and share the risks should be selected".*

Risk retention is inevitable because of the very nature of risk. We can never be totally certain of risk, up to the point that the probability reaches 1 when an incident occurs (which, arguably, means it is no longer a risk but a certainty!). We might have misunderstood it, or made mistakes in our analysis. Our risk treatments might not work out as expected, perhaps even failing spectacularly when we least expect it, or conversely working so well that the risk never eventuates. Our insurers and partners might renege on the deal, and consultants (including me, right now) might give bad advice. The threats, vulnerabilities and impacts are all dynamic, complex and partially unknown: geologists speak of 'eruption hazards' predicted to affect areas of varying size, but 'predict' is misleading. They can calculate the probability of various volcanic and seismic events occurring, but not with sufficient precision to be of short-term use in planning trips.

The upshot is that a retained risk is still a risk: with a residual level of risk, we should bear in mind that incidents might still occur. 'Risk acceptance' is no longer the preferred term since it subtly implies that the risk has gone, whereas some is retained, whether knowingly or not. Whether the implications are truly understood when we make risk treatment decisions is uncertain ... and, yes, that means risk management itself is risky.

* There are other problems with that sentence. In the information risk context, 'control' is generally used and understood to mean 'information security control' specifically: risk avoidance and especially retention would not normally be considered forms of control. Also, merely 'selecting' options achieves nothing: for all except risk retention, things need to be done subsequently if those decisions are to have any effect, and even retention generally ought to be documented, especially if the retained risks are significant - like, for instance, an adventure tourist signing to confirm their acknowledgement of the hazards ahead and clarify their personal accountability for the decision to proceed.

Tuesday 10 December 2019

A brutal lesson in risk management

Yesterday's volcanic eruption on White Island is headline news around the globe, a tragedy that sadly resulted in several deaths, currently estimated at 13.

Also, yesterday in NZ there were roughly 90 other deaths (as there are every day), roughly two thirds of which were caused by cardiovascular diseases or cancer:
    So, yesterday, the proportion of deaths in NZ caused by "Natural disasters" spiked from 0% to 13%. Today, it is likely to fall back to 0%. 

    "Natural disasters" will have caused roughly 0.04% of the ~33,500 deaths in NZ during 2019 ... but judging by the news media coverage today, you'd have thought NZ was a disaster zone, a lethal place - which indeed it is for ~33,500 of us every year. Very very few, though, expire under a hail of molten rock and cloud of noxious fumes, viewable in glorious Technicolor on social media.

    Those 13 tourists who perished yesterday chose to see NZ's most active volcano up close, real close. You may be thinking "Ah but if they'd known it would erupt, they wouldn't have gone" ... but they did know it was a possibility: for at least some of the 13, that was the very reason they went. It's euphemistically called "adventure tourism". The possibility of death or serious injury is, perversely, part of the attraction, the thrill of it. Recent warnings from geologists about the increased threat of eruption on White Island would, I'm sure, have been carefully considered by the tourist companies involved, plus I guess they may have noticed changes in the amount of steam and sulfur lingering in the air. Tourists are explicitly warned about the dangers and instructed on the safety aspects. I gather one of the dead was a local, an employee of the tourist company. Aside perhaps from the geologists, it's hard to think of anyone more aware of the risk.

    Having weighed-up the risks and rewards, the 13 enjoyed an amazing spectacle, doing the equivalent of 'clicking the go-away button' to dismiss computer security warnings despite facing, in their case, the ultimate impact. While I suspect their final moments would have been literally petrifying, hopefully the extra-special buzz leading up to it made it worthwhile. At that point, having made their decision to go, they were committed to their fate.

    No doubt those who escaped the island alive will be thinking themselves lucky. They 'cheated death', coming as close as possible to being wiped-out ... and I'm sure they'll be telling everyone they can about it, some excitedly spreading the idea that near-death experiences are the ultimate thrill. The grieving relatives and friends of the dead, on the other hand, will have plummeted into the pit of despair, a very introspective and sad place. Some might be spreading the word that "adventure tourism" is lethal and crazy, but do you honestly think this incident will materially change the way it is promoted and advertised in future? Will "adventure tourism" and "extreme sports" operators go bust in short order?

    Conceivably, some tourists decided not to take the fateful trip yesterday on safety grounds, or because they determined that it was "too expensive" and hence "not worth it". Although usually framed as a value judgment, to me that's a risk decision. Clearly they chose correctly, regardless of their analysis. The risk outweighed the benefits. I'd be interested to learn more about their thought processes.

    So there we have it: ultimate impact or ultimate thrill. The uncertainty is part of the package, part of the attraction for some. It's something I've seldom seen discussed in relation to information risk, specifically, although risk-acceptance is part of the professional lexicon. There are legitimate business reasons for knowingly getting into risky situations. We advise and assist our corporate colleagues to identify and evaluate the risks, to reduce them where cost-effective and prepare to deal with incidents and disasters when they eventuate. Risk, incident, disaster, safety and business continuity management are all part of the same process. Risk avoidance is often a viable option, one that should not be simply dismissed out of hand. There's a reason that "wise old men" are old.

    Monday 9 December 2019

    ISO27k security awareness

    Our two-hundred-and-first security awareness module concerns the ISO27k standards.

    The quotation from ISO/IEC 27000 is right on the button: information is worth securing because it's valuable, essential in fact. Inadequately protected organizations hit by ransomware incidents know that only too well, with hindsight ... which is of course 20/20 ...

    ... And that reminds me: as the monthly awareness service draws to a close, I'd like to think we'll be leaving the world in a better state in 2020, but to be honest we've made little impression. 

    Pundits have long advised that security awareness is important. An increasing proportion now recommend regular awareness activities. A few even suggest a continuous or ongoing approach. Perhaps they've been listening. I've been banging that drum for 20 years.

    As we hand over the reins, I hope the information security management and awareness pros will finally come to recognize the value of not treating their awareness audience as one amorphous blob, disparagingly called "users". As far as I know, our service remains unique in addressing two discrete audiences within "users" (we much prefer the term "workers") with distinct information needs: managers and professionals. Given their markedly different concerns and responsibilities, it's hardly surprising (to me!) that they find little of value in conventional security awareness content and fail to participate in the usual awareness activities. They are largely uninterested and disengaged, substantially weakening the organization's security culture, like a three-legged milking stool missing two of its legs.

    ISO/IEC 27002:2013 section 7.2.2 takes a page to say not very much about security awareness: I must take a close look at the awareness section in the draft update to '27002, currently extruding its way through the ISO/IEC sausage machine towards publication at the end of 2021. 

    Tuesday 3 December 2019

    Infosec driving principles

    In an interview for CIO Dive, Maersk's recently-appointed CISO Andy Powell discussed aligning the organization with these five 'key operating principles':
    "The first is trust. The client has got to trust us with their data, to trust us to look at their business. So we've got to build trust through the cybersecurity solutions that we put in place. That is absolutely fundamental. So client trust, client buy-in has been fundamental to what we tried to drive as a key message. 
    The second is resilience. Because you've got to have resilient systems because clients won't give you business if you're not resilient ... 
    The third really is around the fact that security is everybody's responsibility. And we push that message really hard across the company … be clear about what you need to do and we train people accordingly. ...
    The fourth one really is accountability of security and I have pushed accountability for cyber risk to the business. ... 
    And the final piece, and this has been one of the big call outs of my team to everybody, is that security is a benefit, not a burden. The reason I say that is people's perception is that security will slow things down, will get in the way ... the reality is that if you involve security early enough, you can build solutions that actually attract additional clients."
    Fair enough, Andy. I wouldn't particularly quarrel with any of them, but as to whether they would feature in my personal top-five I'm not so sure. Here are five others they'd be competing against, with shipping-related illustrations just for fun:
    • Governance involves structuring, positioning, setting things up and guiding the organization in the right overall direction - determining then plotting the optimal route to the ship's ultimate destination, loading up with the right tools, people and provisions. Corporate governance necessarily involves putting things in place for both protecting and exploiting information, a vital and valuable yet vulnerable business asset;

    • Information is subject to risks that can and probably should be managed proactively, just as a ship's captain doesn't merely accept the inclement weather and various other hazards but, where appropriate, actively mitigates or avoids them, dynamically reacting and adjusting course as things change;

    • Flexibility and responsiveness, along with resilience and robustness, present more options, opportunities to make the best of whatever situations occur, including novel hazards that weren't anticipated. If the Titanic's captain hadn't been steaming quite so fast through icy seas at night, or had thought further ahead, or was at the helm of a more nimble vessel, maybe he could have turned hard enough to avoid the iceberg that ripped open the hull of his supposedly unsinkable and apparently difficult to steer ship;

    • Making the best of available resources implies a blend of knowledge and skills, particularly in leadership and motivation of people: people remain central to information risk and security management. Even as technology grows in importance within information security, it's more tool than device. In the hands of a master mariner, a sextant becomes a valuable instrument rather than an ornament;

    • Assurance is a valuable product of oversight, monitoring, testing, reviewing and auditing activities, allowing management as well as third parties to have faith in the information risk and security management arrangements. The extent and quality of assurance activities correlates strongly with an organization's capabilities and maturity, largely because assurance supports the need for improvements and demonstrates progress. That seaworthiness certificate isn't just a ticket to leave port: it gives confidence that things are in order down below.

    Friday 29 November 2019

    Social engineering awareness module



    December 2019 sees the release of our 200th security awareness and training module, this one covering social engineering. The topic was planned to coincide with the end of year holiday period - peak hunting season for social engineers on the prowl, including those portly, bearded gentlemen in red suits, allegedly carrying sacks full of presents down chimneys. Yeah right!
    I'm fascinated by the paradox at the heart of social engineering. Certain humans threaten our interests by exploiting or harming our information. They are the tricksters, scammers, con-artists and fraudsters who evade our beautiful technological and physical security controls, exploiting the vulnerable underbelly of information security: the people. At the same time, humans are intimately involved in protecting and legitimately exploiting information for beneficial purposes. We depend on our good people to protect us against the bad people.
    Vigilance is often the only remaining hurdle to be overcome, making security awareness and training crucial to our defense. It’s do or die, quite literally in some cases! 
    The module concerns information risks, controls and incidents involving and affecting people:
    • Various types of social engineering attacks, scams, cons and frauds – phishing being just one of many topical examples;
    • Exploitation of information and people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.;
    • The social engineer’s tradecraft i.e. pretexts, spoofs, masquerading, psychological manipulation and coercion.
    While there are many indiscriminate scams and cons in operation, most are relatively minor (except, perhaps, ransomware). However, social engineering attacks and frauds specifically targeting the organization through its workforce are of greater concern. 
    Adversaries who patiently research us and our people through social media and social networks stand a better chance of gaining our trust, reducing our wariness of unknown people and unusual requests, so catching us off-guard. Our being cautious about what we reveal to outsiders makes their task that bit harder, a subtle but effective control.
    Creative scammers are developing ever more sophisticated attacks, sometimes combining hacking, malware, physical site penetration and social engineering methods. Business Email Compromise, for instance, is highly lucrative, some attacks netting tens of millions of dollars by tricking professionals into making fraudulent payments from corporate bank accounts, bypassing the normal checking and authorization controls due to some trumped-up emergency situation. Tricking them into installing malware or changing payee account numbers are just two of their cunning tricks.





    I'm especially pleased with these three A-to-Z guides covering social engineering scams, techniques and controls respectively - a neat set with plenty of meaty content in an engaging format.





    Buy the materials today at SecAware.com and download them instantly: all our content is electronic, provided as MS Office files mostly, so that you can customize and adapt them to suit your specific needs. If you don't like our logo, swap it for yours. If our version of a social engineering policy doesn't quite work for your organization, hack it about as much as you like.

    Thursday 28 November 2019

    Risks, dynamics and strategies


    Of information risk management, "It's dynamic" said my greybeard friend Anton Aylward - a good point that set me thinking as Anton so often did.

    Whereas normally we address information risks as if they are static situations using our crude risk models and simplistic analysis, we know many things are changing ... sometimes unpredictably, although often there are discernible trends.

    On Probability-Impact Graphics, it is possible to represent changing risks with arrows or trajectories, or even time-sequences. I generated an animated GIF PIG once showing how my assessment of malware risks had changed over recent years, with certain risks ascending (and projected to increase further) whereas others declined (partly because our controls were reasonably effective).  

    [Click the PIG to watch it dance]




    It's tricky though, and highly subjective ... and the added complexity/whizz-factor tends to distract attention from the very pressing current risks, plus the uncertainties that make evaluating and treating the risks so, errrr, risky (e.g. I didn't foresee the rise of cryptomining malware, and who knows what novel malware might suddenly appear at any time?).

    A simpler approach is to project or imagine what will be the most significant information risks for, say, the year or two or three ahead. You don't need many, perhaps as few as the "top 5" or "top 10", since treating them involves a lot of work, while other risks are often also reduced coincidentally as controls are introduced or improved. It's possible to imagine/project risks even further out, which may suit a security architectural development or strategic planning approach e.g. planning to implement biometrics in a few years' time to address increasing requirements for worker authentication.
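    To make the PIG trajectories and the "top N" projection above concrete, here is an added example (not code from the blog or from the author's own animated PIG): each risk carries constructed yearly probability and impact scores, the script draws the arrow from the previous assessment to the latest one, extrapolates it a year ahead, and ranks the projected risks. The risk names and scores are made up for illustration.

```python
"""Probability-Impact Graphic (PIG) trajectories and top-N projection.

Added example: scores are on 0.0-1.0 axes and all sample values are
constructed, not the author's actual malware risk assessments.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Point:
    probability: float  # horizontal PIG axis, 0.0-1.0
    impact: float       # vertical PIG axis, 0.0-1.0

    def score(self) -> float:
        return self.probability * self.impact


# Constructed yearly assessments. "cryptomining" has no 2017 entry,
# mirroring a risk that simply was not foreseen at the time.
ASSESSMENTS = {
    "ransomware":        {2017: Point(0.4, 0.6), 2018: Point(0.5, 0.7), 2019: Point(0.6, 0.8)},
    "macro malware":     {2017: Point(0.7, 0.4), 2018: Point(0.5, 0.4), 2019: Point(0.3, 0.3)},
    "cryptomining":      {2018: Point(0.3, 0.2), 2019: Point(0.5, 0.3)},
    "boot sector virus": {2017: Point(0.2, 0.3), 2018: Point(0.1, 0.3), 2019: Point(0.1, 0.2)},
}


def clamp(x: float) -> float:
    """Keep projected points on the chart."""
    return max(0.0, min(1.0, x))


def trajectory(history: dict, year: int):
    """Arrow (d_probability, d_impact) from the previous assessment to `year`, or None."""
    years = sorted(y for y in history if y <= year)
    if len(years) < 2:
        return None
    a, b = history[years[-2]], history[years[-1]]
    return (b.probability - a.probability, b.impact - a.impact)


def direction(history: dict, year: int) -> str:
    """Classify the arrow as ascending, declining, steady, or new (single point)."""
    years = sorted(y for y in history if y <= year)
    if len(years) < 2:
        return "new"
    delta = history[years[-1]].score() - history[years[-2]].score()
    return "steady" if abs(delta) < 1e-9 else ("ascending" if delta > 0 else "declining")


def project(history: dict, year: int, horizon: int = 1) -> Point:
    """Extrapolate the latest arrow `horizon` years ahead (linear, clamped)."""
    latest = history[max(y for y in history if y <= year)]
    arrow = trajectory(history, year)
    if arrow is None:
        return latest
    return Point(clamp(latest.probability + arrow[0] * horizon),
                 clamp(latest.impact + arrow[1] * horizon))


def top_n(year: int, n: int = 5, horizon: int = 1) -> list:
    """Risk names ranked by projected score, highest first, for the planning horizon."""
    ranked = sorted(ASSESSMENTS, key=lambda r: project(ASSESSMENTS[r], year, horizon).score(), reverse=True)
    return ranked[:n]
```

Running `top_n(2019, n=2)` puts ransomware and cryptomining at the head of the list, while macro malware shows as declining: the ranking changes as soon as a new yearly assessment is added, which is the "dynamic" point of the post.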

    Another aspect of strategic planning for information risk and security management is that the risk modelling, analysis, treatment and projections are all inherently uncertain, therefore taking us into the realm of resilience and contingency thinking. An ISO27k Information Security Management System (or, in fact, any structured approach to managing the corporation's risks) that helps the organization cope with an uncertain future is an asset, whereas one that rigidly restricts its options may turn out to be a liability if things don't quite go to plan.

    The point of this ramble, prompted by Anton's throwaway yet insightful comment about dynamics, is the need to consider both the 'here and now' and the future - even if you find yourself still desperately trying to catch up with the past!