Recently in Economics of Security Category

Levels of spam are currently down, quite substantially. It's reportedly because a major source has gone off the air. But has the threat gone away? Unfortunately not. In fact, it illustrates one of the perils of over-reliance on security metrics. 

Do not dismiss metrics. Visibility is a cornerstone of security. You cannot manage security without sight of threats, vulnerabilities and events. Metrics are a natural development in this direction, as well as an obvious criterion for performance measurement.

But seeing should not imply believing. Many metrics are selected to achieve a bonus, to justify a business case, or to complete a security management framework. These are the wrong reasons for the enterprise, Security metrics can help identify and to justify trends. But events are subject to wild swings, often unconnected to the quality of the security management framework.

Given that the general trend is for ever-increasing security incidents, it makes sense to anticipate a world with greater incidents. But do not place too much reliance on real-time statistics. Every now and then, we will experience a quiet period. Do not be fooled. We are on a collision course to a world of information insecurity.

I read that US Cyber Czar Howard Schmidt is scheduled to hold a meeting on Wednesday with Secretary of Commerce Gary Locke and Department of Homeland Security Secretary Janet Napolitano, where he is expected to discuss how to improve private-sector cyber security through economic incentives. The meeting is expected to consider tax, liability and insurance incentives among other steps to encourage industry to increase its network security.

It's an interesting development, reflecting the inescapable fact that smart intervention is needed to stem the growing threats of e-Crime, espionage and, inevitably, cyber wars and terrorism.  

"Small and midsized businesses (SMBs) have a reputation of being somewhat lax when it comes to information protection... That's why the Symantec 2010 SMB Information Protection Survey is so surprising. It turns out that in the last 15 months, SMBs have become extremely aware of and focused on information protection."

So opens the latest research report from Symantec. It's one I find a little hard to accept because many claims simply don't ring true. The interpretation of statistics is also unconvincing, to say the least, as a claim that 42% of businesses have lost confidential or proprietary information in the past is immediately followed by a pie chart which shows that two thirds have not.  

When I read on, I find that around a third of SMBs claim to be extremely skilled in computer security and that they spend more money on security, back-up and DR than on general computing. They also lose on average two dozen laptops a year, and experience hundreds of individual security incidents each year, yet most claim never to have lost any confidential or proprietary data. Around half don't have a written DR plan, yet more than half claim to test it at least twice a year.

Is this really typical of small and midsized businesses? 

A friend of mine drew my attention to an interesting article on the Boston Globe website which suggests our security advice to users is (literally) a waste of time. The feature was prompted by the claims of a Microsoft researcher who believes that "Most security advice simply offers a poor cost-benefit trade-off to users". The article raises two important points, one correct and one misguided.

The first point it makes is that advice to users on choosing passwords is bad. Quite right: in my view we're addressing the wrong problem. It's not about choosing a single strong password, but managing a bulging portfolio of constantly changing ones. We need better tools to store and retrieve them securely. How difficult is that? Yet after several decades the cupboard is embarrassingly bare.

The second point is that user's time is money and should therefore be factored into the cost/benefit equation. Wrong: an extra ten minutes of my time costs nothing and earns nothing in real money. It's simply an irritation. No investment appraisal manager would accept a business case built on such imaginary costs or benefits.

As I've pointed out before, there are fundamental flaws in any attempts to quantify the costs and benefits of security. Investing in security is primarily a leap of faith based on an educated guess.  

One of the potential business impacts that should be factored into any risk assessment for a data breach of customer information is the possibility of a class action for damages. It's interesting therefore to note that a federal court in Missouri has recently dismissed a claim against a pharmacy benefits company over a data breach in which millions of customer records were believed to have been illegally accessed.

The plaintiff contended that he and other victims faced an increased risk of becoming the victims of identity theft. The case was dismissed because he failed to prove that his information had been used fraudulently. The plaintiff needed to prove that the injury was "actual or imminent, not conjectural or hypothetical." That clearly presents a challenge in the shadowy world of cyberspace, where concrete evidence is hard to come by, and frauds are likely to be based on multiple sources of information gathered over time.

I was intrigued to read that the equivalent of $144 million was traded in the second quarter of the year on the LindeX, the official currency exchange of Second Life. This growth reflects the increasingly virtual nature of money in an information age society.

I've long taken the view that, progressively, the most significant assets in an enterprise will be hard-to-value, intellectual assets, residing in perception, information flows and relationships. Safeguarding these assets requires a very different mindset and approach to locking up physical assets.  

Which? Computing magazine has just published a comparison of the leading UK banks' on-line security measures. The results are quite damning. Many top banks have failed to keep up with simple best practices that help to counter security threats from keylogging software.

But there's nothing new here. Banks might have plenty of valuable assets to protect but they've always been painfully slow in updating their security measures. What does come as a surprise, however, is the wide variation in methods used, which is remarkable for a sector with a 'herd mentality' selling identical services.

According to recent research by Gartner, consumers regard security as the most important feature in online banking. That's a pretty obvious finding. Security is the cornerstone of banking. Unfortunately, that doesn't make it a competitive edge, as Gartner appear to suggest. Because we don't pick banks for their security. We pick them for their interest rates, or because their branches are conveniently located. And we expect all leading brands to be equally secure. In banking, security is a minimum standard, not a differentiating factor.

I was interested to read the figures published last week about the number of laptops that went missing last year from government departments. I've been tracking this problem for the past decade and have a reasonable perspective on what constitutes an acceptable rate of loss. 

Take Work and Pensions for example. Their minister Jim Knight reported that out of around 9,700 laptops used by his department and its agencies, 41 were lost or stolen in 2008, compared to 15 the previous year, but not as high as the figure of 75 for 2004.

Is this good? In my experience it is no more than an average performance. As I've said before, organisations should lose no more than a handful of laptops per 1,000 per year. In the case of DWP, that means less than 50 a year. 41 is neither good nor bad. 75 is a poor performance. But the figure of 15 is surprisingly good.

Of course not every organisation has reliable asset registers and incident reporting systems. So reported figures of losses should always be regarded as potential underestimates.