Security, like news, is sexy when it's sensational: the hackers are coming, the country will succumb to cyber attack any day now, and anyone can steal your identity. But how many people have given their password some real thought, other than "it's too complicated to memorise and change", or "those people in IT, what torture have they invented now?" writes Ionut Ionescu, director of security services EMEA at Nortel Global Services.
In a company, the security cost is felt by everyone individually, while the benefits are not always clear to the individual but are accrued to the whole community. The economic cost may seem large to the individual when they are asked to change their password every six weeks, for example, but the negative impact felt by the company in case of a security breach could be several orders of magnitude larger.
Information, depending on the medium it is recorded on, can be duplicated or changed with various degrees of ease. Its value can be so big that losing it may lead to the company going bankrupt. Its value could be greater for a competitor than for its rightful owner.
One has to consider how easily it could be used by someone else, and how much the company could stand to lose if it did not have it, or if it was corrupted. In most cases, the cost is higher if the company did not know that the information about its business was stolen or corrupted. But we do not think about these things when we log in to our computer at work. Most of us have no interest in computers; we just want computers to make our jobs easier.
So, how do we help people appreciate the economic benefits of good password practice? We have to make them care. We should communicate the value of this good called information and offer positive incentives that are meaningful for the employees.
Mandating that everyone has to attend information security awareness training and change their password every so often is only a start. We could apportion the cost of security breaches to the specific department whose employee chose a weak password that allowed the breach. We could reward employees who choose strong passwords and avoid divulging them to "researchers" tempting them with a box of Belgian chocolates. We could reward whole departments having better security practice with guaranteed higher bandwidth on the firm's internet connection, or with faster print turnarounds, etc. We could celebrate the employees who "get it" and make them security champions, awarding them a weekend break for two at the firm's expense (a clear economic benefit accrued to an individual).
Economically speaking, we could create internal competition to improve security in a company.
But perhaps that would be too much of a paradigm shift for the majority of businesses, which see IT (and security) as a cost. Right now, security departments use too many negative incentives, telling people what they cannot do, and blocking initiatives.
My guess is that security will improve much more quickly, and remain strong for longer, when people understand the trade-offs, including the impact on their job. Anyone ready to start next Monday morning?
About Computer Weekly's Security Zone
Security Zone is a bi-weekly series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)2.