The Wild Western Art of War

You can't visit the Far East without contemplating the contrast between Eastern strategies of negotiation, and the less colourful philosophies of the Wild West.

The Thirty-Six Chinese Strategies, for example, are a wonderfully rich collection of tactics derived from military strategy that are claimed to shape the Chinese approach to business, especially business with foreigners. 

Examples include "Kill with a borrowed knife", "Conceal a dagger in a smile" and the delightfully pragmatic "If all else fails, run away".

To the Westerner these principles might appear a mite aggressive or even slightly underhand. But to the Chinese, business is no different to warfare. And this of course gives them a positive advantage in cyber warfare, which I've long pointed out is really more the "art of illusion" than the "science of sabotage".

Perhaps we should adopt a similar set of principles for the Wild West. What might they be? Tossing a few ideas around with the delightful Melanie McFarland, a US business strategist based in Hong Kong, we came up with a few ideas.

Here are my Ten Western principles (of business, war or security):

  • "Circle the wagons" - Retreat to a classic perimeter defence.
  • "Hang 'em high" - Find a scapegoat rather than the true root cause of a problem.
  • "The only good user is a dead user" - Forget the enemy, it's users we really hate.
  • "If you haven't fallen off a horse, you haven't been riding long enough" - Don't worry about breaches, they're just inevitable.
  • "If you're not making dust, you're eating it" - It's much better to lead blindly than to follow.
  • "Don't squat with your spurs on" - Never turn your weapons on yourself by mistake.
  • "Don't mention the elephant in the room" - Ignore any problems that are too big to fix. SCADA systems come to mind.
  • "Why do today what can be put off to tomorrow" - Procrastination makes life easier. Just ignore those uncomfortable audit actions. You know they won't bite you for a while.
  • "When you're in a hole, stop digging" - The classic No 2 rule of holes. (Don't ask what the No 1 rule was.)
  • "Just tick the box" - Never mind the quality, just follow the process. 

All further suggestions are most welcome of course.

Impressions from the East

I'm just back from a week in the Far East where I was opening the 13th Info-Security Project Conference in Hong Kong. It's a couple of years since I last spoke at this conference, so it was interesting to observe the trends and progress in the region.

This year's conference was longer and well attended. Key themes included infrastructure, consumerization and mobility. There's no doubt that bring-your-own-device is this year's hot topic though it's been creeping up for a while. Cloud security is also a hot topic.

I left with an impression that this region is learning fast. Discussions with local security managers revealed a high level of maturity, as well as a healthy degree of openness to new ideas and change. Unlike the US and Europe, compliance has yet to blunt the enthusiasm of security managers.  

Of course there's little new under the sun. You see the same techniques and technologies in action but often with a regional twist. One leading company I spoke to, for example, had implemented risk assessment with anonymous voting, rather than open discussion, to avoid staff being unduly influenced by the views of their bosses.

The thing I found most fascinating, however, was observing how networking varies around the world. In the US, breakfast meetings work best. In London it's dinner or perhaps after-work drinks. But Hong Kong remains one of the last bastions of the business lunch.

Reflections on Infosecurity Europe week

I always look forward to Infosecurity Europe week, which guarantees a great congregation of security luminaries and practitioners in London. I say "week" because there is so much going on around it. You run into many old friends, meet new colleagues and learn a lot about the latest products and services.

This year I attended the first day of Infosecurity and its accompanying receptions, though I spent longer at the nearby Counter Terrorist Expo at Olympia.

What impressions did these events leave? Very different and varied I have to say. The Infosecurity conference agenda was lacklustre, though the exhibition was first class. It's been progressively changing from a conference into an exhibition, which is probably no bad thing for the exhibitors, though it could limit the attraction. Interestingly, many security managers I met said they were there for the exhibition, rather than the conference sessions. You just have to walk around to find experts on just about every aspect of security.

The added attraction is the raft of free lunches and receptions in nearby hostelries. This is the inevitable result of expensive but rather limited in-house dining facilities. It persuades many visitors to look outside for lunch or early evening drinks. But it creates a tremendous village environment for the whole area. Portcullis must be congratulated for breaking the mould and establishing a rival centre for security managers to congregate. Good for them for setting and maintaining this trend. Competition is always welcome in any field.  

The Counter Terrorist Expo at Olympia had a better conference agenda with sessions on just about every aspect of physical, personnel and electronic security. A key concern for many was the security of the London Olympics. But the most interesting trend to note was the progressive shift of cyber security know-how into the defence and counter terrorist space. Let's face it, we haven't seen anything yet until we experience the impact of true cyber warfare or cyber terrorism. They're not yet happening. We'd certainly notice it if they were.

These events are quite different from their equivalents in other regions. In the Netherlands it's hard to find the conference. In contrast, in Hong Kong at the 21C Info-security event (at which I'll be giving the keynote address) the main focus is the conference, which will be very well attended. The Hong Kong event is also better themed with a greater focus on innovation and the need for revolutionary thinking.   

So what did I take away from this week? It was so rich that I can only point out a few highlights. The Counter Terrorist conference had the best agenda. There were great presentations on terrorist threats and sophisticated debates on electronic conflict and cyber warfare. These are faster moving issues, unlike traditional information security management which has been stuck in a rut for the past decade.  

The most interesting product on display at Olympia was the panic room in a box. At Earls Court it was Wave Systems' secure Facebook solution. Secure social media is a societal game changer if the vendors can get the marketing right. Communities will be able to hide their communications. But who will hold the keys? The answer of course is that it will depend on the pattern of the uptake rather than the desires of the various actors. Like many of the future trends in security, it's in the lap of the Gods.

Death by a thousand facts

Death by a thousand facts is the title of a recently published academic paper by Geordie Stewart and me. It sets out to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.

Awareness programmes should not simply broadcast facts to an audience in the hope that behaviour might improve. They can be substantially improved with a little analysis and an understanding of the learning points from more mature fields such as safety.  

It's an excellent paper though I have to admit it's largely Geordie's work. He has an excellent knowledge of the application of psychology to analyse and solve security problems in industry. Unfortunately you have to buy it to read it.  

What's the point of a management system?

My blog posting on OODA loops prompted a response from Andrew Yeomans, pointing out that Deming loops and Boyd loops are not mutually exclusive, i.e. you can have a slow moving management system supporting a fast-moving operational cycle. Would that this were true.

Andrew is technically correct. The problem is that you cannot easily divorce the security management system from the countermeasures themselves. ISO 27000 entwines them in a seamless programme of activities, requirements and countermeasures.

One or two operational measures operate in real time: modern measures such as secure operations centres and intrusion prevention. But in general the pace of change and the application of new controls can be slowed to a snail's pace by risk assessments, committees, business cases and budget cycles.

A good question is why we actually need management systems, especially if they introduce delay or distraction. It's a good point. Management systems were the invention/development of quality experts and auditors, and they tend to embody their aspirations. If you don't employ such people in your organisation (and many SMEs don't) then it's not logical to implement a management system.     

Management systems are an option to enforce greater discipline and control over business and functional operations. If your organisation is small or rapidly changing, they may serve to hinder more than help you.

And it's not logical to introduce heavy governance measures for a single function or subject area unless they are generally practised across the organisation. Why would you demand a steering committee or a set of KPIs for security management if it's not done for more important business operations?

Oxford takes an interesting lead

A few weeks ago, along with some of the great and good, I attended the launch of the new Oxford University Cyber Security Centre. I wasn't expecting anything especially new but I have to say I was impressed by Professor Sadie Creese's initiative to embrace disruptive ideas and inject creativity by engaging with experts from other fields, ranging from ethics and law to hedge funds and astrophysics.

It's a great idea because the established security research community has failed to deliver much in the way of innovation over the last thirty years. And some of the better ideas have come from borrowing from other fields, such as Professor Stephanie Forrest's work at the University of New Mexico in taking ideas from nature. (Her work once inspired me to commission a fraud detection system based on a model of the human immune system.)

This has to be the way forward. I salute Sadie and her team. Oxford already have a fine reputation for Trusted Computing work, so there is a good basis for future success.

Meeting the demands of the contemporary security market

It's been a long time since I last blogged. It's been due to excessive commitments. Freelance work has been thick and fast since the beginning of the year, reflecting an increasingly robust market for security research and consultancy. I'm also reluctant to turn down new projects because you never know whether a downturn is around the corner.

One of the major factors behind the growth in demand for security advice is the rapid take-up of information security practices by small and medium-sized companies. This would be a fine thing if established standards catered for smaller or immature enterprises. Unfortunately they don't. Instead the market has evolved into a one-size-fits-all approach, coupled with a commodity market in security training and services.

Companies new to information security typically request penetration tests, policy & procedure manuals and ISO 27001 compliance. None of these is appropriate as a first step in security for an enterprise, for by themselves they do not reduce risks.

Other than the shock value from your first penetration test (which admittedly can help with budgets) the outcome is generally an incomprehensible document listing hundreds of pages of vulnerabilities, which now happen to be shared across a small community of consultants, staff and unencrypted emails and laptops. Would it not be better to have devoted that time to tightening up platforms and applications? Yes, but that would be logical, rather than "ethical".

Policy and procedure manuals are quick and easy to implement but they rarely get opened. And ISO 27001 is particularly unsuitable for smaller or newer enterprises, especially those operating in regions or cultures where paper-based procedures are rarely followed. I've blogged many times about the security challenges of the smaller enterprise. They're different from the formal demands of larger organisations, which is why the ISSA-UK has developed a special standard for small and medium sized enterprises.  

A second problem however is that there is no gradual path with recognised milestones to implementing ISO 27001. And as anyone who has read my book "Managing the Human Factor in Information Security" will have noted, you can't implement a rich, complex framework of controls overnight. It has to be done in stages if you want to carry people with you.

So we have an unsatisfactory market where people are trained to apply and demand skills and standards that bear little resemblance to actual requirements. How much better it might be to start with a blank sheet of paper and a good dose of common sense, and to draw up a security programme that really reduces risks rather than ticks boxes. Getting back to that sensible state would be a huge step forward, but it would require a simultaneous behaviour change by regulators, security managers and consultancies. And that's not likely to happen. 

The wrong type of loop

We all know that information security management only works if we "close the loop", i.e. that telling people to do things does not work unless you check they are actually doing it. The problem is that for far too long we have been using the wrong type of loop.

It started with ISO 27000 committee bureaucrats, who fell in love with the old-fashioned Deming loop of "Plan, Do, Check, Act". This was long after leading US military strategists had fashioned the more relevant (to security) Boyd (OODA) loop of "Observe, Orient, Decide, Act".

Now you might think these two loops sound similar. But you would be wrong. In practice, applying the Deming cycle is painfully slow. It typically translates to an annual budget-driven cycle. Deming himself also preferred the word "study" to "check", which suggests that we don't spend enough time on it.

But OODA is all about speed. It's about highly competitive dog fights. It was inspired by the challenges in air combat in Vietnam. The trick is to design your environment to go faster than your opponent. And that's exactly what we need to survive in a hostile environment where competitors are aiming to exploit our intellectual property, i.e. the modern business world. 

So let's ditch PDCA and embrace OODA. It's an entirely different philosophy, and one that we all need to adopt.

Our only hope lies with Academia

Lately I've been spending more time lecturing to universities (Oxford and Surrey this week, Portsmouth the week after next). At each session I set out to present what's wrong with Information Security management today: just about everything, including the priorities, standards, methodologies, technologies and skills.

At the end of each talk I ask: "Do you agree?" The response is generally a refreshing "Yes".

Of course it might be my compelling rhetoric rather than the content that sways the audience. It's certainly hard to drum up any passion for today's slow, dry, quality-focused approach. But I suspect that I'm actually striking a chord that's long overdue to be heard.

If there's any hope for a change of direction, it lies with Academia. User organisations are too bogged down in the treacle of compliance to inspire any change. Vendors are only interested in what the users say they want. And institutions tend to be more concerned with preserving the status quo, rather than challenging the accepted wisdom.  

Thirty years ago, if you'd told me that Academia was our salvation, I would have laughed, watching researchers struggle to find practical use for Bell and LaPadula models. Fifteen years ago, you would have got the same reaction as I observed universities putting together MSc courses inspired more by the Common Criteria than industry practices. Today it's different. It's time for students and researchers to go back to first principles and design an entirely new approach to information security management, one that's more in keeping with a fast-moving, sophisticated risk environment.

Business continuity management for small companies

My latest book "Business Continuity Management for Small and Medium Enterprises" has just hit the streets. Inspired by the Cabinet Office and published by BSI it aims to simplify the essential components of business continuity planning and crisis response.

Business continuity management was initially developed by and for large organisations. I was an early pioneer more than 20 years ago when I developed plans and methodologies for coordinating the response to multiple forms of disaster across the oil and gas evacuation processes in Shell operating companies. This work inspired the content of the business continuity chapter of the original BS7799 standard.

Very little has changed over the last 20 years, except for the unfortunate fact that it has become increasingly abstract, bureaucratic and complex. Small companies also need business continuity plans but they don't have professional advisers, crisis committees and expensive fallback arrangements. They need simple tips and practical examples of how to achieve 80% of the benefits at 20% of the effort.

Like many things in information security, business continuity is a simple concept that is best implemented using simple techniques. It's often best to go back to basics and design practical solutions from first principles, rather than drawing on the jargon and knowledge base that accumulates over the years. Small companies are an inspiration for helping us to see the wood rather than the trees. 

Trust and Society

I used to think that Bruce Schneier was out of touch with industry CISOs, but now I think that they are out of touch with him. He's come on tremendously in recent years. I saw him present to the United Nations last year and he was awesome, reflecting a lot of research and deep thinking about important issues such as trust, risk, surveillance and cyber warfare.  

I shall be ordering a copy of his new book "Liars and Outliers". It's about trust, a subject I find both relevant and fascinating. Trust is a phenomenon that few security researchers seem to understand. The problem is that it's a means to an end, and makes little sense when studied in isolation from its purpose.

The nature of trust is also changing as we move from an industrial-age dominated business landscape to the information age. I find this paradigm shift is neatly captured by two Russian proverbs. The first, ascribed to both Stalin and Lenin, is "Trust is good, control is better", which encapsulates industrial-age thinking for vertically integrated enterprises and societies. The second, made famous by Ronald Reagan, is "Trust, but verify", which reflects our best endeavours for managing situations in a modern, diverse supply chain that is increasingly beyond our direct control.

Up close and personal

We all know there's no such thing as a free lunch. Rose Ross, a PR adviser, bought me one last week. The payback was a personal interview on her Countdown to Infosecurity site. I tried to be light hearted but it also contains some serious points. 

Boutique consultancies are back in fashion

It's been a few weeks since my last blog posting. That's the bad news. The good news is that it's the result of being rushed off my feet with consultancy assignments. Interestingly it's not my usual line of business. I generally set out to try and make a living from research and writing white papers.

But I detect that the security consultancy market is going through a much needed change at the moment, with many clients getting fed up with buying the usual, off-the-shelf, template products offered by Big 4 and other large outfits. They are looking for more practical help from experts who are prepared to listen to their concerns and develop a tailored solution.

I'm particularly finding this in the Middle East where many of my customers started by buying identical paper bricks from big consultancies. These tomes now sit unread on the shelf gathering dust. Implementing them is the problem. Paperwork is useless unless everyone understands it. It might get you part of the way towards a certificate, or help to impress an inexperienced auditor. But it's near impossible to put a hundred page manual into action if no one has read it.   

This issue is largely inevitable. Consultants tend to measure their worth by the amount of paper they generate. Twenty years ago that might have been a challenge, but with today's instant availability of thousands of policies, standards and control methodologies on the Internet, now anybody and everybody can be a security consultant. You just need to be able to cut and paste text and questionnaires.

I prefer to take a different approach. Rather than copying a business continuity manual from a previous client, I prefer to start with a two page plan and then show the client how to progressively build it into a more comprehensive working document. My clients from last year now have plans of around 50 pages. The difference is that they developed it all themselves. Now that's real security. Once upon a time I thought that was becoming an impossible dream. Perhaps there's hope for us all yet. So let's celebrate the fact that boutique consultancies are coming back into fashion. 

Time to come clean about the state of our security

There's talk that corporate security is now so ineffective that breaches are inevitable and the focus must therefore switch to detecting, containing and responding to intrusions, rather than aiming to prevent them in the first place. Information Week is the latest to report on this "notable change in information security rhetoric". They report that "instead of preventing all attacks from succeeding, many CIOs now acknowledge that getting hacked is a question of when, not if".

It's a remarkable and damning admission. I can see the problem: the threats are getting smarter and our security is not. But how do you explain this to an executive board? And how would you expect them to react? "Off with your head" would be a likely response. Given the amount of money spent on security policies, administrators, technology, reviews and audits, executive boards would be entitled to assume that their security professionals are on top of the problem.

The problem is that for years we've been telling boards that security is fine, and it's even "enabling the business". That's a lie and it's time to come clean. The truth is that security is difficult, expensive and full of holes. Passing a Sarbanes-Oxley audit is easy. Keeping foreign intelligence services and organised crime out of your networks is not.

Where do we go from here? Do we now start to admit to customers that their sensitive data is not secure though there's a chance we might catch the culprits? Do we tell shareholders that we're producing lots of valuable intellectual capital but it's likely that someone will steal it at some point? I think not. This sort of talk is unacceptable.

We have to fix the problem. Security managers should be sent back to the drawing board. It's not reasonable to have hackers wandering around corporate networks and dipping into databases at will. We have to prevent them getting access to sensitive data and services.

Now that's not to say that we shouldn't have measures to detect and respond to incidents. Such measures have always been part of a defence-in-depth model that has been universally practised for several decades. But what we need to do is change our approach to preventative measures. If the corporate perimeter is getting weaker, then we need to build security around the data and applications. If valuable or sensitive data cannot be protected within the enterprise network, it should be removed.

The fact is that information security as it's been practised for decades doesn't work in today's higher risk environment. Security managers should stop congratulating themselves and cease reassuring citizens, customers and investors that everything is fine and dandy.

Six security forecasts for 2012

My crystal ball tells me that 2012 will be a relatively predictable year. That's largely because we've experienced significant changes in the political, business and security landscapes, ones that are sufficient to inspire some form of predictable short term action. Amongst other things it means some interesting action items will percolate up the management agenda. Here are my top six predictions for 2012.

Space weather creates concern

Even if you're cynical about the forecasts of widespread electrical disruption, it's certainly worth dusting down the contingency plans and filling up the generators. At the very least, increased solar activity will probably cause a few minor annoyances to GPS users. The larger concern, however, is that it might take out mobile communications, power supplies or perhaps anything with a GPS chip. Not quite Y2K in impact, but longer, less predictable and much less researched and publicised.

Social networks get secure

Why have we been waiting so long to deploy a solution to insecure social networks when it's not that difficult to achieve? The answer is our lack of imagination. This will change in 2012 as easy-to-use products emerge to secure Facebook and Twitter communications, just in time for a Springtime wave of citizen uprisings. I'm already playing with an alpha version.  

Big data is the new black

Yes, we've all known about the information explosion for decades, arguably for centuries. The problem is that no one has done much about it. But big data is now becoming interesting, both as a challenge to existing security processes and an opportunity for data mining and fusion. It's a timely catalyst for change as the real future of security lies more with smart information exploitation rather than industrial-age quality management systems. I detect an increasing number of security vendors exploring this area. That's good news for a security community that's lacking in imaginative ideas.

The electronic Pearl Harbour strikes home

I've been forecasting the electronic Pearl Harbour for more than a decade. In 1999 I predicted it would not happen until at least 2006. That analysis was based on technology road mapping exercises. Last year I forecast it would finally hit home. It didn't, but the integrity of many of our critical services continues to survive on borrowed time. Expect a big catastrophe this year. It's long overdue, and much needed to shake up the current lacklustre order of battle in the cyber security space.

Public clouds fail to hit the spot

Why are public cloud services so reluctant to give security assurances? Now that's the bit I don't get. You can't make money without talking up your products. There are plenty of liability considerations of course. But that's precisely why big customers are holding back. If vendors can't deliver cast iron guarantees then big companies will not buy the services. If any cloud services catch on they are likely to be private or hybrid implementations. Public clouds might seem like a good idea in theory but they have a long way to go in practice.  

The new global game

For decades we lived in the shadow of a largely invisible cold war dominated by pervasive espionage aimed primarily at military or diplomatic targets. It had little, if any, apparent impact on everyday citizen and business interests. Few of us noticed, or cared what was going on. Today it's different. The new battleground is our global business infrastructure, and the targets our trade secrets. It's no longer realistic for governments to turn a blind eye to hostile attacks, or even attempt to keep the new game under wraps. As exploitation of stolen secrets becomes increasingly visible, then we should expect an overt response to any covert attacks. It's time for soft targets to strike back. 

Security Forecasts for 2011 - Right or Wrong?

As we near the close of 2011, I find it instructive to look back and see just how accurate my forecasts proved to be. At the start of the year I forecast three major shifts in thinking during 2011.

Firstly, I expected that we would experience a major security incident involving the integrity of critical national infrastructure - perhaps an easy forecast, given the discovery of Stuxnet in 2010. Yet surprisingly it didn't happen. 2011 was perhaps a lucky year for CNI managers, but many insecure legacy systems continue to survive on borrowed time. 

Secondly, I forecast that emerging security technologies, based on virtualisation and trusted computing, would encourage user organisations to develop non-traditional approaches to securing enterprise infrastructure. Unfortunately, as Bill Gates pointed out, we have a tendency to overestimate what happens in the short term and underestimate what comes to pass in the longer term. Many existing solutions were found wanting in 2011, but innovative alternatives have yet to be adopted. 

Thirdly, I predicted that we would finally see some action in response to the growing need to encourage small and medium enterprises to implement security. I'm pleased to say that this forecast was nearer the mark, with the launch of the ISSA-UK 5173 standard, the US Government "Small Biz Cyber Planner" and a host of vendor solutions from the likes of Qualys, Sourcefire and Dell.

I also suggested that 2011 could see the start of a revolution in security thinking, which would last for most of the next decade, a period that might prove to be a new age of enlightenment for information security. On this one I probably jumped the gun. I still believe this will likely happen, but not until next year, judging by the reaction I get from my lectures to universities and conferences. 

No fix in sight for SCADA security

Well done to Shell for drawing public attention to the serious hazards presented by cyber attacks on physical machinery. Unfortunately it's much too late. Today's critical infrastructure is riddled with security vulnerabilities and insecure external connections. SCADA systems have been under attack for more than two decades, many since they were first deployed. Yet security standards remain weak, despite continuous growth in the power and sophistication of both the systems themselves, and the threats to them.

Many government and industry authorities think the answer is better awareness and public-private dialogue. Unfortunately, that's far from sufficient.  We already have plenty of that. What we're missing is better solutions and incentives. In the case of SCADA security, I expect that all the major players are generally aware of the risks, but the available solutions are inadequate or unpalatable.

Fixing the problem cannot be left to the marketplace. Companies will not willingly rip out insecure platforms, disconnect operational systems or spend a small fortune on higher security solutions. Tougher regulation is the only solution. But there remain two barriers to building an effective stick.

The first is that today's security standards do not guarantee high security. They are based on outdated collections of controls, designed for a business environment that was less connected, less externalised and less threatened. They promote light-touch security management systems rather than strict engineering disciplines.

The second is that few of today's so-called best practices are capable of withstanding a professional attack. Security has become a commodity, based on cut-and-paste policies, commercial off-the-shelf technologies, and testing based on routine platform scans rather than imaginative attacks. We have built a dangerous monoculture of identical defences which have been progressively eroding.

The security community needs to raise the bar rather than embrace low cost, convenient solutions. No less than a revolution is needed. Compliance is not healthy unless it encourages innovative solutions and enforces effective rather than commonly accepted standards. Unfortunately such thinking is far too radical for most regulators and standards committees. 

Small businesses need better security advice

I was concerned to read a recent report of a study by SecurityMetrics, a vendor of merchant data security solutions, which claims that 71% of the merchants who took part were found to store unencrypted payment card data. This is a direct violation of the mandatory Payment Card Industry Data Security Standard (PCI DSS). And it apparently reflects an increase of 8% on last year.

Who is at fault? That's not difficult to pinpoint, given that Visa estimates that its smallest business customers account for 95% of its breaches. Why are small businesses to blame? The answer is that no one has bothered to educate them. Who should have done this? Industry and government are both at fault.

It is well over a year since the Information Commissioner's Office published my research into the availability of advice on security for small/medium sized organisations. It was pretty damning, pointing out that most advice was unsuitable, incomplete or in the wrong place. Amongst other things it pointed to the absence of any advice on PCI DSS on the major educational sites.

The report was widely discussed and presented. Yet little seems to have been done. Where does one look? A quick glance at Get Safe Online turns up a blank on PCI DSS. A pointer from Get Safe Online to a Business Link site results in a server error on the first question. A pointer from Get Safe Online to Microsoft's Small Business Centre contains no mention of PCI DSS. A click to a Symantec guide results in an "access forbidden" message.

So who should take the lead on advice to small companies? Given that the UK Government has such a high-profile investment in cyber security, I think they should start to roll up their sleeves.

Following the rules of the game

Michael Colao's excellent presentation to the ISSA-UK Chapter last week on the legal implications of social networking got me thinking. Not so much about the letter of the law, but more about the consequences of taking it too literally.  

Social networking introduces or amplifies many legal hazards. And Michael's vivid presentation of them is enough to put many managers off allowing their troops to have access. But let's face it, there are numerous risks associated with empowering employees and contractors. They can steal from you, sue you and get you into all sorts of trouble. Running a business is certainly not for the faint-hearted.

Legal demands are just one piece of the rich tapestry of employment hazards. And laws are often unclear, contradictory, unreasonable or virtually impossible to implement.  To meet Health and Safety requirements to the letter, for example, you probably have to supervise every individual contractor. In practice, it doesn't happen. Otherwise no work would get done. 

The real art of compliance is establishing the minimum you can get away with to stop all work grinding to a halt. That's why we employ lawyers. A good one can steer you through the maze of compliance demands. The thing not to do is to attempt to interpret the legislation yourself, at least not without sound experience of the law or the subject area. 

We are perhaps fortunate that many entrepreneurs are ignorant, dismissive or foolhardy in their response to business risks and compliance requirements. Thank goodness for that. We'd not progress very far if we followed every single rule to the letter.

Communicating information quickly and efficiently

Information security practitioners have long been poor at developing awareness materials. Partly this is because misguided governance systems focus on legalistic policies and procedures that no one ever reads. (When was the last time you read an instruction manual?) It's also because security professionals are not trained in the art of designing effective communications materials. We need to tackle both of these weaknesses.

Unfortunately, the growing wave of regulatory compliance means that there is little prospect of the governance side being improved, as established security standards are rooted in an outdated, paper-based, quality model, designed more for churning out identical widgets rather than inspiring people to safeguard intellectual assets.  

Progress with the human aspects is likely to show more promise. At least the problem is recognised, though the interventions leave much to be desired. (The UK strategy appears to be to leave everything to a single underfunded web site, Get Safe Online.)

On the bright side, however, more and more academic courses are including human factor considerations. It's a big subject and expertise is thin on the ground. Lessons can however be learnt from other fields. Safety is one. A good place to start is to study the art of designing road signs. The BBC News website has an interesting feature on this, which makes some excellent points.

It also raises the obvious question of why we don't have universally recognised warning signs for information security risks. Now that would be a good idea, though it's unlikely to be taken up by a community that believes that hundreds of pages of policy guidance are the answer.  

Postscript:

Many thanks to Andrew Yeomans for pointing out there is an excellent example of the use of warning signs in the SPIDER project by Pete Burnap, Jeremy Hilton and Anas Tawileh.

About this Entry

This page contains a single entry by David Lacey published on May 15, 2012 10:24 PM.