When it comes to Communications, Smarter beats Dumber

Yesterday Andrew Yeomans of Dresdner put a risk management challenge to me and fellow blogger Stuart King. The issue arose from a discussion about Get Safe Online, the educational site aimed at citizens and SMEs. Andrew favours the idea of such training but feels that the information given is too detailed and contains too much jargon. He asks “What are the 2, 3 or 4 key measures that are proven to significantly reduce the risk to your PC?”

It’s an interesting and an important problem, but it’s the wrong question. You need context to assess risks and priorities properly. One size doesn’t fit all. There’s a huge difference in user practices, the value of their data and the security of their environment. And it’s further complicated by the increasing number of alternative security solutions and the growing range of platforms of varying vintage out in the field. So let’s rephrase the challenge to “How can we simplify the security advice to PC users?” Now that’s easier to answer.

Start by asking questions to establish the context for the advice. This will help prioritise and filter down the recommended controls. Then it becomes easy. For example, if you do your banking online, then up-to-date advice on phishing would be a high priority. And if you let your family share your business laptop, then you’ll probably need “the works”. But if you just use a PC for email to family and friends, then switching on your firewall and installing a good AV package is probably all you need. Building intelligence into systems is always a smarter move than dumbing them down.

Comments (2)

Andrew Yeomans:

My original challenge stressed the word "proven". There's a lot of good-sounding and apparently obvious advice out there, but have we real-world data to show it works? And not just the technology, but including the people and processes too.

Take phishing - do those anti-phishing toolbars reduce the incidents? Or give a false sense of security? Or block genuine emails due to use of stat-tracking URLs?

Do anti-virus and firewall stop incidents? Or do they get so intrusive that they are turned off? Or do the occasional bad AV signatures cost more by destroying critical files? Or do coding flaws in those tools open up more attacks?

Certainly context matters. At least I guess so, but I don't have the data. I'd hope corporate IT staff are generally more knowledgeable than untrained public and so different techniques will be more important.

So my challenge is still "prove it!"

David Lacey:

I agree absolutely that we need more research and more data to support our choice of controls. There are certainly cases where countermeasures have been found to be counter-productive. Fortunately these are rare examples. In my time at Royal Mail Group we collected a lot of essential data on incident levels and related this to security initiatives, which amongst other things demonstrated the surprising power of targeted education, based on a knowledge of where, why and how incidents were happening. What we missed was independent research on the effectiveness of alternative solutions. There are increasing numbers of user surveys hitting the press, but they are almost exclusively sponsored by vendors.

About

This page contains a single entry from the blog posted on November 8, 2007 4:58 PM.