Managing the Human Dimension Archives

November 21, 2006

Employee monitoring - has Big Brother arrived?

The subject of Employee Monitoring is currently at the forefront of my mind as I polish up my notes for a talk on this subject at a CISO dinner tonight at the London Capital Club. I’ve been thinking deeply about this issue for a long time. Not that I’m any kind of dangerous radical or extreme conservative. In fact I’ve always aimed to strike a healthy balance between the interests of the individual and the needs of an increasingly heavily regulated business community. And I know I’m not the only one thinking about these issues. A few years ago I aired a few comments on the breakdown of the boundary between business and personal lifestyles in Computer Weekly and was immediately contacted by Dr Peter Skyte, leader of Amicus, the top white collar union. I was impressed to be able to discuss some of these issues with a union leader with a good understanding of IT. Too often we associate trade unions with the Industrial Age, but they also have an important role to play in the new Information Age.

Things were much simpler in the old Industrial Age workplace when every aspect of business life was standardised, separated and synchronised. Employees did business in a dedicated building during set hours. Outside of that it was no concern of your employer how you spent your time. Now it’s all mixed up. People simply grab the nearest communication channel to conduct personal or business transactions at any time, any place, anywhere. You can’t easily separate business and private activity. But we do have to monitor and archive the communications activity on our business networks for three good reasons. Firstly, to keep out any bad content that might be damaging or illegal. Secondly, to detect and immediately stop any unauthorised access or leakage of confidential information. And thirdly, to meet the increasingly demanding legal and compliance requirements, which might for example require all customer communications and staff emails to be reconstructed many years hence.

Technology is not a constraint these days. The devices available today are extremely powerful and easy to install. You can buy a tiny box called netReplay from Chronicle Solutions, plug it in to your network and it will immediately begin scanning and recording the web traffic and emails of tens of thousands of users. The real issue is not capturing the information but figuring out just what is sensible to record and how best to manage the process. No responsible organisation wants to snoop on their employees’ behaviour. In fact you can’t do this without also complying with a raft of complex and occasionally contradictory legislation concerning human rights, privacy, data protection and communications interception. Just keeping up with this legislation and framing the “acceptable use” policies is starting to become a full-time job in itself. The real problem today is not keeping up with the mass of communications coming into and out of the organisation, it's controlling the policemen and securing the monitoring equipment. Because anyone can now play Big Brother at work if they want to.

November 29, 2006

Securing the Written and Spoken Word

Two unrelated news items caught my eye today, one an obscure case about a cheque modification fraud based on erasable ink pens, which I picked up from Bruce Schneier's blog, and the other one a high profile news item about the bugging of Royal conversations by journalists. It’s always helpful to get occasional reminders of the vulnerability of written and spoken information to short-range physical attacks, even though such attacks are generally rare and a relatively low priority for most organisations.

The interesting thing I’ve always found about these threats is that they often seem to be counter-intuitive for many people. Most of us have a high confidence in the provenance of paper and ink documents, even though they are extremely easy to forge. We are too trusting when it comes to the written word because forgeries are outside our everyday experience. Bugging is also an arcane practice that is not well understood by the average person. A paranoid executive might think that a crackly telephone line suggests a bug, when in fact the opposite is more likely, i.e. eavesdroppers prefer clear lines. And I know some executives who worry that their office might be bugged but still feel confident enough to pull out confidential papers on a train or plane, or perhaps talk openly in bars.

There's nothing more intrusive than a planted bug or line tap, but fortunately such incidents are rare. These attacks are tricky to mount, as they present risks to the perpetrator and they require inside information and frequent access to the target office. The results can also be unpredictable and time-consuming to process. There are often cheaper and easier methods of gaining inside information, such as bribing a member of staff or hacking into an insecure database. The trick, of course, when considering potential attacks on information is always to put yourself in the attacker's shoes.

December 9, 2006

What's Your Risk Appetite?

One of my colleagues drew my attention to a recent posting on the GetSafeOnline blog pointing out the lack of IT security training at MI6. In the new James Bond film, Casino Royale, a Swiss banker asks Bond to enter a password for a bank account that will hold the $150m winnings from a poker game. What password does he use? The name of his girlfriend. Stupid, you might say? But on the contrary, it merely illustrates the daring risk appetite we associate with these buccaneering chaps at MI6. Unfortunately the reality of HMG Security is quite the opposite, as illustrated by the non-memorable 12 random character user identifier needed to prevent anyone else attempting to pay my VAT returns. Of course, a normal commercial organisation would never be able to afford this luxury, given the negative impact on customers and the high cost of help desk transactions to handle their complaints. But there's a simple solution. Just charge the tax payer for the phone call.

December 12, 2006

Managing Security Perception

The need to manage perception seems to be a hot topic these days. Stuart King’s blog posting earlier this month got me thinking about the importance of personal perception. But managing perception across an organization is an issue that crops up whenever I give a talk on the human aspects of security. Influencing people is especially important in security because it's a subject that's rarely in the forefront of people’s minds. And many aspects of security are either hidden or outside of their personal experience.

Managers, users and customers all need to be more aware of potential risks and the impact of security incidents. They need to understand their responsibilities and how to use the controls at their disposal. They also need to be deterred from even contemplating unauthorised activities. All of this requires more than education. It requires changes of attitude and behaviour. And as any psychologist will tell you, if you wish to change behaviour, you will have more success if you focus on the perceived consequences of people’s actions, rather than the corporate policies and rules that attempt to influence them.

It's no easy task, though there are some techniques and methodologies to help with this problem. Typically, you can’t always argue the facts directly with people because many of them will adopt a defensive attitude. It’s always more effective if people can discover the importance of security for themselves. This requires imaginative scenarios, games or storylines to encourage people to at least temporarily suspend their disbelief and consider the fuller implications of security risks or incidents. This is the basis of many classic learning techniques such as scenario planning. The trick is not to stray too far from the real world, unless for example you really want people to “think the unthinkable” (which might be useful for contingency planning).

Because any serious attempt to change perception needs to be firmly grounded in reality. Mere spin or fantasy will never be as effective in the long run. Perception management is a powerful amplifier - but never a substitute - for the truth.

December 13, 2006

Neuro-Linguistic Programming – Snake Oil or Powerful Management Tool?

For some years I’ve been observing the quiet infiltration of Neuro-Linguistic Programming (NLP) into many respectable professions. I’m not an expert on NLP but it seems to me to be a rather bizarre mixture of science, ancient religion and new age thinking. Lately, I’ve noticed it being used in the IT Security field, mainly for social-engineering exercises.

NLP is a highly controversial field that offers practical benefits, though it lacks a reliable scientific basis. Even the Wikipedia entry is disputed. If you believe its practitioners, you can read people's subconscious signals and manipulate their behaviour. With a bit of practice you might even be able to hypnotize people into carrying out your suggestions. Of course the problem is that it’s not guaranteed to be 100% reliable, so you can easily be wrong or perhaps fooled by someone sending out false signals. So don’t try it for poker unless you’re certain your opponent is not an exponent.

So what should we do with this strange new tool? Exploit it or consign it to the dustbin? Some professional psychologists assure me it’s one of the most powerful tools in their armoury. Others tell me it is dangerous, to be avoided. It’s your choice. Because the jury will always be out on tools that only work some of the time.

December 14, 2006

Identity Management in a Virtual World

I was highly impressed with the company and the discussion at a CIO dinner in London last night. A main topic of conversation was Second Life, the new virtual reality world that seems to have captured everyone's attention and imagination.

Many people are investing serious amounts of time and money, creating avatars to explore and enjoy this mysterious new world. Even my Welsh Terrier has developed an alter ego. These identities are now becoming so valuable that even top CIOs are suggesting that they might be a good reference site for understanding the issues around Identity Management. It's a very interesting idea. They're an obvious target for Identity Theft. But we haven't yet heard any reports of problems. How do they do it? I think we should be told.

January 10, 2007

Countering the Threat of Information Security Fatigue

Charles Pask's comments on my recent blog postings raise an interesting and realistic new threat: that our industry might lose credibility due to non-events, because we are simply too good at what we do, and the bean counters are out to squeeze our budgets. It's a good point. I've certainly noticed the mounting pressure from accountants as we aim to spend increasing amounts of money on yet more point solutions that all sound very similar - generally a variation on “network security” - to counter threats that rarely materialise. You can also see this fatigue in the area of staff awareness, whenever we ask to put out yet another staff circular on the importance of password selection. So what can be done? Here are some practical tips.

Firstly, explain what's changed. You won't get a bigger budget unless you can point to something new that demands it. There's certainly plenty of evidence to suggest the risks have increased.

Secondly, don't cry wolf, or at least place a realistic quantification on your risk assessment. If you assess the risk of a major incident in 2007 as 20%, there's a good chance it won't happen and you can pat yourself on the back. If you think it's 80% then you have a good case to immediately go out and spend money to reduce this to an acceptable level.

Thirdly, use a richer vocabulary for countermeasures that sounds plausible and doesn't lump them all together in a single category, such as "network security" or "access control”. Any accountant worth his salt will quickly spot that you've already bought a product under that heading. So why should you need a new one?

Fourthly, explain the need for defence-in-depth. Most managers quickly get this and it makes sense. It also suggests that you will need more than one level of countermeasure, so the accountants will expect further spend to be forthcoming. I've used this one myself quite successfully.

Fifthly, take a course in Neuro-Linguistic Programming (NLP) so you can at least try to manipulate or even hypnotise the Board and the bean counters. But check out my earlier posting on this first.

January 22, 2007

Employee Monitoring - a hot topic for 2007

Tonight I’m again debating the subject of Employee Monitoring at a CISO dinner. I’ve already posted some thoughts on this subject. But I’ve noticed quite a lot of interest and debate now being generated as CISOs and journalists begin to consider the impact of new technology from Chronicle Solutions that enables any organisation to mount blanket surveillance on their employees’ communications.

The quintessential issue is just how far we should go in exploiting this unprecedented capability. Because it has tremendous potential for business efficiency, but it can also trample all over your employees’ human rights.

Most responsible organisations will only examine staff emails as part of a formal, authorised security investigation. There should be no random fishing for potential wrongdoings. But security investigations can be broad in scope. And once you have the capability to search across all staff communications there is a clear potential for scope creep. You’re not restricted by a need to request access to each individual user’s emails.

And when you look at what’s actually going on in any organisation, you’ll find an awful lot of disturbing things that you wished you hadn’t seen.

February 6, 2007

The Art of User Awareness

Those of you in the medical profession might be familiar with a UK publication called Primary Care Today. I was recently approached via the BCS to contribute a short article for this on-line magazine about the importance of IT security in a primary care setting. Like all such pieces it had to be short (700 words), comprehensive and cater for a varied readership. Not an easy task. But one that all security organisations face from time to time, usually with the added difficulty that it has to be repeated on a regular basis with a fresh perspective. You can read my attempt on the Primary Care Today website. There’s certainly an art in conveying user awareness given the constraints of any popular medium and the competition for space. You need an eye-catching introduction, a memorable end-line and in between a list of points that must sound interesting despite the fact that not all of them will be relevant to each reader. It’s an interesting exercise that all security professionals should tackle every now and then, if for no other reason than to remind ourselves that effective communications are not as easy as we might sometimes imagine.

April 10, 2007

Don't Judge Microsoft on a Single Glitch

Microsoft's failure to detect the animated cursor bug in Vista has encouraged critics to speculate that its highly-acclaimed secure development process might not be working as advertised. They have a point. One would certainly expect its code review process to have spotted and eliminated this particular vulnerability. It's remarkably similar to an earlier flaw in the same section of code.

But this is not so much a failure of Microsoft's new development process as a reflection of the fact that you can't eradicate years of insecure practice through a single business transformation. It takes a long time to achieve the highest levels of process maturity. And software development is a complex process full of uncertainties and pitfalls, and managed by humans who are bound by ambitious targets. Perfect, secure software is a pipedream. What really counts is an organization's capability to recognize, correct and learn from its mistakes. And that is how we should really judge the quality of Microsoft's software development process.

April 17, 2007

Acceptable Use Policies Not Acceptable Enough

One would have thought that by now every company would have got the message that they need to have an effective and up-to-date acceptable use policy (AUP) in order to protect their interests from illegal or inappropriate Internet use by employees. Unfortunately that's not the case. A recent survey carried out by Chronicle Solutions, a leading UK vendor of communications monitoring products, has revealed that 31% of British firms don't have an AUP. And of the ones that did, only around one in twenty had read it recently. Only a third asked new hires to read, agree and sign it off. And 80% of respondents weren't certain if there were penalties for breaching the policy. On top of that very few policies included IM and Web mail. And none addressed blogging.

These are serious failings which must be fixed quickly if employers and employees are to prepare themselves for the onslaught of the current revolution in social computing. We need an education drive to bring managers and employees up to speed. It also makes me wonder whether larger, more experienced organizations are being put at risk by smaller suppliers who may have little or no control over their employees' behaviour. It wouldn't be the first time that we've found that poorly supervised supply chains are the soft underbelly of our security defences.

May 3, 2007

Securing Portable Devices Isn't Easy

Earlier this week I gave a talk to Intellect's excellent Security and Privacy Group on the subject of how to manage the risks associated with portable devices. It's a hot topic because the risks are growing and they're very difficult to manage.

Portable devices are getting more powerful and proliferating. It's an unstoppable trend. As Neil Gershenfeld of MIT Media Lab observed many years ago, there's a tendency for computers to progressively de-fragment. They keep getting smaller, more numerous and better connected. We've moved from mainframes to minis, to micros, to laptops, to PDAs. Personal area networks are next. Eventually we will be working with clouds of smart dust.

May 28, 2007

Security and the Great Game of Fly-Fishing

The blog postings have been a bit thin over the last week as I've been fly-fishing for wild brown trout in North West Sutherland. (Not Sunderland, I should add, as a journalist once misquoted.) Mobile reception is weak in this part of the UK but you can just about get a GPRS signal if you sit in a car directly below an aerial mast.

You might think that fly-fishing has little in common with Information Security. But you'd be wrong. The competition for secret information is intense, as people from all walks of life - engineers, builders, sea captains, diplomats, company directors and knights of the Realm - contend for the satisfying honour of catching the most impressive fish of the week.

It takes a lifetime to master the hill lochs of North West Sutherland. There are many hundreds of lochs and lochans. Some have big fish, some have small fish and many have no fish. Beginners are usually given a few tips and then left on their own to discover the best fishing by trial and error, logical deduction or espionage. Keen regulars will search out out-of-the-way lochans with no fish and breed their own private stock fish within them. It takes years to grow trophy trout specimens. Secrecy is paramount and intelligence on the locations of these vintage stock ponds is priceless.

This is the Great Game of fly-fishing. Espionage, fraud, bluff and double-bluff are rife. Conversations are in hushed tones to prevent eavesdropping. Successful fishermen are tracked or tailed. Maps are secretly stolen and copied. And information security is the tightest I've ever encountered. That's because the motivation to behave securely is always highest when the consequences of success or failure are personal, immediate and certain.

June 18, 2007

DTI Unveils New Research in Human Vulnerabilities

Today the Department of Trade and Industry unveiled their latest research awards aimed at addressing the thorny (and under-researched) subject of the human risk element in network security. With £4 million of research grants already awarded, it's clearly a serious programme. Will it deliver? Yes, in my view it looks set to deliver some innovative outputs. And that's not just because I'm involved. We have four very interesting and complementary projects, from consortia including experienced universities and organisations. Participants include BAE Systems, Loughborough University, HP, Merrill Lynch, University of Bath, University of Newcastle, University College London, Chronicle Solutions, University of Plymouth, National Computing Centre and the University of Manchester. What's interesting and different is that all projects contain a significant input from professional behavioural science experts. And in my opinion that's the key. Because security is long overdue for a technology transfer from other scientific areas.

June 27, 2007

Security Awareness – how much should we spend?

Yesterday I was presenting to the Information Security Council of a large international company on the subject of information security awareness. It’s currently a hot topic as more and more organisations wake up to the fact that people are a major cause of breaches, yet not enough has been invested in this area, and much of it has been ineffective.

There are many reasons why security awareness initiatives fail to hit the spot. Often the material is dull, people have difficulty relating to it, it’s poorly designed and presented, and the consequences of following (or not) the advice are not sufficiently personal, immediate or certain. Security managers and in-house communications staff are not the best designers of educational material. I’ve always found it pays to get external professional assistance.

One question put to me was: "What percentage of security budget should be spent on security awareness?" A good question, which deserves more than the obvious answer of “a lot more”. My immediate response was that it depends where you are in terms of process maturity and other factors that might shape your priorities, but in my view it should be 10-20% of security budget, i.e. at least 10% and no more than 20%. This might sound a lot to many organisations but it reflects the importance of the subject, the need to do it properly and the substantial return on investment from reducing the numerous incidents caused by ignorance and bad practices.

July 3, 2007

Changing Threats Require Better User Security Awareness

The importance of anticipating - or at the very least keeping abreast of - emerging threats is illustrated by a report by Carole Theriault, a senior security consultant with Sophos, highlighting a huge increase in the number of malicious Web sites. She points out that the number has risen from 5,000 a day back in April to nearly 30,000 a day. This indicates an escalation in the threats from malware and a shift in tactics from hackers, with more and more legitimate sites being hacked and embedded with malware.

What does it mean for organisations? Amongst other things, it's increasingly likely that users will get infected with malware when visiting innocent sites. Organisations need to raise their game to mitigate this risk by educating users about the risks and discouraging unnecessary visits to personal sites from work. Like many things in security today, the immediate answer lies primarily with enhancing human factors rather than implementing technology. But we also need to develop better technology solutions to achieve a more reliable response to this continually growing threat.

July 27, 2007

Another Breach of Credit Card Data

It’s good that organisations are now coming clean about breaches of customer credit card data, though it’s worrying that there are so many of these incidents. Yesterday Newcastle City Council announced an “inappropriate release” of up to 54,000 credit and debit card details covering transactions earlier this year. The Council became aware of this breach when they hired an external security specialist to test its security. The testers discovered that a file had wrongly been placed on an insecure server and had been uploaded to an address registered outside the UK. Fortunately, some of the most sensitive data items (the credit card numbers) were encrypted. But this breach should never have happened.

On the surface, it might appear that it was human error that triggered this breach. But the root cause of such incidents is always deeper. Organisations should take special care when designing and implementing systems that process sensitive customer data, especially those that connect to the Internet. Controls should be designed to take account of human failings. People make mistakes from time to time, so compensating measures are needed to prevent control lapses from turning into breaches. Crossed fingers are not good enough. Regular penetration testing is essential but not sufficient to monitor security. Such tests need to be backed up with real-time vulnerability scanning.

As the safety community has long understood, behind every major incident there are likely to be, on average, around thirty minor incidents and three hundred near misses. And perhaps many more bad practices.

August 8, 2007

Should Security Be Nasty or Nice?

I always smile when I hear security consultants advising that organisations should create a security culture. Why? Because quite simply there is no such thing. Security means entirely different things to different people. And of course there’s more than one way to skin a cat. No single approach works best across every situation and community. People respond differently according to their religion, culture, background, location, ambitions and motives. Amongst many other things.

As Douglas McGregor, a famous MIT social psychologist, pointed out in his classic 1960 book "The Human Side of Enterprise", there are fundamentally different approaches to managing people. It’s all a matter of taste. Some managers favour an authoritarian management style. Others prefer a more participative approach. And in practice you can achieve effective security either by instilling fear, paranoia or suspicion into your staff, or by building on positive motivators such as responsibility, trust and empowerment.

Great minds do not think alike on this subject. Galileo, for example, clearly favoured an educational approach, declaring that “You cannot teach a man anything. You can only help him discover it within himself.” Other revolutionary leaders, such as Uncle Joe Stalin, preferred to wield the lash. “Trust is good, but control is better”, he was heard to say. So you have a choice. You can be nasty or nice. Which one should it be? Impossible for me to say. Because the most appropriate approach depends on you, as well as the nature of the community you’re trying to change, and its chosen management style.

August 24, 2007

What Makes a Good Spy?

Checking out the excellent FIRST Global News postings, my attention was drawn to a feature from the Telegraph Web site on “Top Web sites for Spies and Spying”. This article, amongst other things, comments on the new Jason Bourne film, pointing out that it’s a “thinking man’s spy series…praised for its gritty style and widely credited with influencing the down-to-earth portrayal of James Bond in the remake of Casino Royale starring Daniel Craig”.

I have to disagree. Jason Bourne is an assassin, not a spy. He is aggressive rather than charming, as real spies should be. He would have been hopeless at gathering useful information from reluctant targets. Spies have to be friendly and charismatic to persuade people to give them secrets. From this perspective Daniel Craig is badly cast as James Bond. It was a mistake to switch from the excellent Pierce Brosnan, who was without doubt the definitive example of a top charmer and super spy. Ira Winkler will tell you that James Bond is not a great spy because he regularly gets caught. He also misses the point. That’s just an occupational hazard. The real trick is to come out on top, which Bond of course always did.

October 29, 2007

To Catch a Thief

Cyberspace has an unusual effect on our perception of acceptable behaviour. For example there’s a phenomenon researchers term “the disinhibition effect” that encourages Internet users to behave in ways they wouldn’t dare contemplate in real life. There’s also an unfortunate tendency to glamorize hi-tech crime, to the extent that a successful hacker or fraudster can make a fine living out of security consultancy and appearance fees. So it was no surprise to find Frank Abagnale, a one-time convicted fraudster, giving a keynote address at last week’s RSA Conference in London, which boasts “keynotes delivered by the industry’s most respected leaders and innovators”. It’s a sign of the times.

October 30, 2007

How to win Friends and Influence People

They say that a week is a long time in politics. But changing public sector strategy can take a lifetime. So it’s unrealistic to expect civil servants to turn on a sixpence and immediately revise budgets and scorecards to implement the recommendations of a single study. It takes a bit more effort than that. So I was a little surprised by the reaction of Richard Clayton, a researcher from Cambridge University, to the rather inadequate Government response to the House of Lords Science and Technology Committee’s recent recommendations on personal Internet security.

Richard’s posting on the Cambridge University Security Research blog accuses the Government of being stupid or ignorant because they did not immediately implement his recommendations. Welcome to the reality of politics and business. Change cannot be achieved through good ideas alone. It requires convincing evidence, a sound business case and patient lobbying. And when you don’t get your own way, the smart response is to refine your arguments, not criticise the decision makers.

October 31, 2007

A Picture Paints a Thousand Words

I've always stressed the importance of strong visual images in security programmes and awareness campaigns. It's surprising how much leverage a strong, well-thought-through image can generate. Professional advice helps. In the past I've hired award-winning ex-Saatchi & Saatchi creative teams to help design themes, images and straplines. And I once hired Judith Hann of Tomorrow's World to help create a forward-looking image for a new security function.

So I can only admire the enterprise that prompted the CIA to adopt its latest terrorist-buster logo. It certainly creates an impact. Any suggestions on a suitable hacker-buster version?

November 8, 2007

When it comes to Communications, Smarter beats Dumber

Yesterday Andrew Yeomans of Dresdner put a risk management challenge to me and fellow blogger Stuart King. The issue arose from a discussion about Get Safe Online, the educational site aimed at citizens and SMEs. Andrew favours the idea of such training but feels that the information given is too detailed and contains too much jargon. He asks “What are the 2, 3 or 4 key measures that are proven to significantly reduce the risk to your PC?”

It’s an interesting and an important problem, but it’s the wrong question. You need context to assess risks and priorities properly. One size doesn’t fit all. There’s a huge difference in user practices, the value of their data and the security of their environment. And it’s further complicated by the increasing number of alternative security solutions and the growing range of platforms of varying vintage out in the field. So let’s rephrase the challenge to “How can we simplify the security advice to PC users?” Now that’s easier to answer.

Start by asking questions to establish the context for the advice. This will help prioritise and filter down the recommended controls. Then it becomes easy. For example, if you do your banking online, then up-to-date advice on phishing would be a high priority. And if you let your family share your business laptop then you’ll probably need “the works”. But if you just use a PC for email to family and friends, then switching on your firewall and installing a good AV package is probably all you need. Building intelligence into systems is always a smarter move than dumbing them down.

November 12, 2007

De-perimeterised Cartoon

I couldn’t resist a smile at Bruce Schneier’s blog posting of a New Yorker cartoon, with a de-perimeterisation theme. I've always liked New Yorker cartoons, especially the dog ones, and you can buy the rights to use them in presentations at a reasonable price. They’re also a nice company to deal with, as I found out last year when I tried to order some goods online but was blocked by their anti-fraud measures. I sent an email of complaint, and was impressed to receive an apologetic telephone message from their Director of Sales offering to take my order in person. It just goes to show that good service can go hand in hand with good taste.

November 15, 2007

Human Factors Dominate Today’s Security Problem Space

Earlier this week I gave the closing keynote address at Kable’s Information Security in the Public Sector conference in London. The subject, requested by Kable, was “Creating a Security Conscious Culture”. It’s another indication of the growing importance of human factors in today’s security and IT problem space. And it’s not just in user education. The key obstacles and enablers to aligning security with business goals, or in joining up Government IT, are politics, perception and relationship management.

A year or two ago there was much less interest in human factors. Today it’s the most requested topic for advice, research or presentations. The UK Technology Programme is investing millions of pounds in research in this area. Leading universities are building more human factors content into their courses. And sales of security education services are at an all-time high. I’m already booked to give presentations on the subject next year in the UK and USA.

Will this trend continue? Yes, it has a long way to go. The major obstacle at present is the shortfall of budget and resources assigned to the subject. It can take years for such vital enablers to catch up with the latest challenges. But there is a compelling business case because it reduces incidents and, more importantly, their associated costs. If your organisation is not spending at least 10% of its security budget on security awareness and behaviour change, then it's probably got the balance wrong.

November 19, 2007

Security Culture and Social Engineering

I was interested to read my fellow blogger Stuart King’s posting on Psychology and Security. In particular he raises the tricky question about what a member of staff should do when confronting a visitor. Should they be suspicious and ask intrusive questions? Or should they be helpful?

It’s not that easy in practice. In fact, the more you encourage a service-oriented culture, the more vulnerable you are likely to become to social engineering attacks. Professional attacks are exceptional. It’s not what staff expect to encounter. It catches them off-guard. Most people want to be helpful. And it can be career-limiting to provide a bad experience to a senior person or an important customer.

From time to time I’ve been involved in interviews of applicants for security manager posts. I’ve always found it interesting to ask what they would do if the CEO arrived without an office pass. Would they let them in or would they turn them away? Generally it’s one or the other and both answers are unsatisfactory, either from a security or business perspective. You’re damned if you do, and damned if you don’t. It’s rare to hear an imaginative compromise answer. Just once I heard one: “Sir, of course I recognize you and this time I will let you in, but next time you forget your pass I will turn you away”. I was impressed with this answer, though not everyone would be. Because there is no perfect solution.

At the end of the day it all depends what sort of security culture you prefer, and how much of a nice guy, control freak or bully you are. Do you like to make other people paranoid or servile? Do you like to punish people for getting things wrong? Or do you want to encourage positive characteristics such as openness, trust, forgiveness and empowerment? The choice is yours.

November 22, 2007

No More Mr Nice Guy – Time for CISOs to Get Tough

One of my predictions for 2007 was that this would be the year that CISOs would finally get tough with business units, tightening corporate firewall policies and closing down insecure connections. The context was the need to respond to zero day exploits that introduce numerous sources of risk across enterprise infrastructures.

It hasn’t quite happened in the way I imagined. But the need to get tough is becoming pressing following the run of high-profile, avoidable breaches of personal data.

Sometimes a CISO needs to be a perfect diplomat, building good business relationships with a reassuring bedside manner. At other times a CISO needs to be hard and uncompromising. The pendulum is now swinging towards the latter. Forget your popularity. It’s time for all CISOs to crack the whip.

November 28, 2007

Cock-up or Conspiracy?

It’s interesting to discuss root causes of data breaches such as the recent HMRC breach with other security professionals. Most agree with my general suspicion that when something like this goes wrong it’s more likely to be down to a cock-up rather than a conspiracy. In fact the most popular theory is that the discs never got sent. Because we’ve all experienced that situation when the phone rings and someone tells you they haven’t received that package you promised to send a few weeks ago. “It’s in the post” is the natural reaction. And once you’ve painted yourself into a corner it’s not that easy to get out.

Of course this is all just speculation. But it’s remarkable to imagine that tiny human oversights can trigger major crises. That’s often the nature of organisational crises. They’re usually caused by long-standing, deep-seated flaws, but they can be triggered by unconnected, perhaps minor events that attract media attention to the flaw. The art of crisis management is to understand and tackle the underlying flaw not focus on the trigger. But it’s easier said than done. And of course, it’s also important to remember and respect the second rule of holes: if you’re in one stop digging.

November 29, 2007

Don't Forget Your Digital Wallet

Digital cash wallets seem to be a long time coming. It must have been about fifteen years ago when I saw Bob Fletcher of NatWest Bank presenting the concept of the Mondex electronic money card to a highly amused I-4 audience of CISOs. (It was the corny cowboy music on the video that had them rolling in the aisles.) Unfortunately Mondex sank with little trace. But now the concept is being trialled again in London using Nokia phones modified to make travel payments through Oyster travel card technology. These mobile phones will double as a travel pass and a wallet for making small value payments.

From a security perspective it’s interesting to speculate on the opportunities and threats presented by portable digital wallets. What else can they be used for? Are they as reliable or as safe as cash? I have to admire the optimism of the O2 marketing people who claim that the mobile wallet is an idea whose time has come because mobile phones are already seen as many people’s most valuable possession. They point to research showing that more people are likely to go back home and get their phone if they leave it behind rather than return for their wallet. Perhaps so, but research also shows that a staggering 885,000 mobiles, worth around £342 million, are accidentally flushed down the lavatory each year.

January 21, 2008

Ten Practical Steps to Prevent Laptop Theft

After all the shocks and finger-pointing following the HMRC breach it’s disturbing to hear that a laptop with unencrypted, sensitive MOD data could be stolen from the boot of a parked car. The data of course should have been encrypted. But that’s not enough, because every lost laptop has a business impact.

All organisations experience laptop losses, so security managers should aim to minimise the risk. Experience shows that proactive efforts make a substantial difference. I've covered this issue before but it's worth repeating and expanding the advice. Here are some practical tips.

1. Ensure your IT Helpdesk reports cases of stolen laptops to a security manager.

2. Conduct an immediate damage assessment for every laptop that goes missing.

3. Establish where and how laptops are being lost. Is it from particular offices, models of cars or hotels?

4. Get professional advice from the local police on how best to avoid theft. For example are some car boots more at risk than others? Are there local hot spots for vehicle thefts?

5. Review your policies to ensure you have major sources of loss covered.

6. Send out warnings and advice to all executives at risk. Tailor this information as far as possible to take account of local threats and vulnerabilities.

7. Take special measures for business units and functions that handle sensitive information.

8. Monitor incidents and report them regularly to senior management. Advertise this fact to business managers.

9. Send out regular reminders to executives, especially at high risk times for thefts and losses such as the lead up to Christmas.

10. Benchmark your performance against other similar organisations. If you’re experiencing more losses, find out why and take further remedial action.

Persistency helps. Keep hammering away at the problem and it will progressively reduce. With good policy, advice and constant reminders you can reduce the level of losses to zero. That should be your target.

January 27, 2008

Detecting Insider Threats – Easy in theory, hard in practice

The newspapers are full of coverage about the amazing case of Jerome Kerviel, the rogue trader at Societe Generale, alleged to have gambled $73 billion and cost the bank $7 billion. It’s a staggering loss, yet it’s a classic risk faced by all big banks. In fact some have suggested that there is no defence against this type of insider threat. Can that really be the case?

Yes and no. In theory it should have been easy. This was a man, like Nick Leeson, with knowledge of back office systems and their checks and controls. That is a clear risk. It’s claimed he didn’t take holidays and refused to allow colleagues to cover his desk. These are classic signs associated with insider fraud that should ring alarm bells.

Why was he not uncovered earlier? Because it’s not that easy in practice to challenge company staff. Most people don’t expect fraud. It’s outside their experience. They’re trusting and they respect other people’s privacy. It’s not nice to point suspicious fingers at colleagues. Managers defend their staff. And their initial reaction to a suspected fraud is to disbelieve accusations. It’s human nature. That’s why insider threats are hard to detect.

March 8, 2008

Identity Cards Get Personal

HM Treasury has just published Sir James Crosby’s report on Challenges and opportunities in identity assurance. It’s a document that all security professionals should read, not only because it's a hot topic, but because it’s not often that we get to hear the views of a former top banker on a major public policy issue.

The report considers both public and private sector uses of identity. It rightly emphasises that “every aspect of an ID card scheme should be designed from the consumer’s perspective”. And it sets out some good principles regarding trust, ownership, informed consent and the need for quick repair of compromised accounts.

The report favours a more rapid roll-out. It even recommends that enrolment and tokens should be provided free of charge to encourage citizen buy-in and quick uptake. I’m sure the Treasury loves that one!

March 10, 2008

Confidential Briefings and the Chatham House Rule

I’ve always been a great admirer of the Royal Institute of International Affairs (RIIA) otherwise known as Chatham House. And I’ve always trusted colleagues to respect any confidential briefings disclosed under the Chatham House Rule (there’s only one by the way), which states that:

"When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed".

Perhaps rather naively I’ve always assumed that even journalists respected this world-famous rule.

So my eyebrows were raised when my instructors on a recent media training course emphasised that “There’s no such thing as off the record”. “Surely that doesn’t apply to an exchange carried out under the Chatham House Rule?” I asked. “No” they replied “the story always comes first”.

I'll certainly be more careful in future.

April 30, 2008

Ray Stanton and Bruce Schneier interviews

Just publishing on the Computer Weekly Web site are a couple of interviews I conducted last week at Infosecurity with Bruce Schneier and Ray Stanton, BT's Global Head of Business Continuity, Security and Governance Practice.

There are one or two interesting perspectives on current issues and trends. Both of them emphasise the importance of getting back to basics. Ray wonders whether public authorities are ready for another year of floods. Probably not. And Bruce is surprisingly optimistic about the future.

May 16, 2008

Security Mindset

Bruce Schneier's remarks about the security mindset, the ability to think like an attacker that you need in order to design effective security countermeasures, are interesting.

He's certainly correct that such a mindset exists and it's extremely difficult to teach, though I'm not completely convinced it's something you're born with. As with many things in life, determination, patience and practice are key factors.

In fact it's always essential to get an independent evaluation of any complex design, such as a cryptographic algorithm. Often the originator is too close to see the flaws. And there always are flaws.

And you do have to think differently. I once hired the late great Donald Davies, the inventor of packet switching, to review a cryptographic algorithm. "How long will it take?" I asked. "It'll take three weeks" he replied. "Just give it to me in any computer language. I can read them all. And I'll put it in my head. Three weeks should be enough thinking time. After that we'll get diminishing returns." Wow.

June 9, 2008

When business becomes personal

The Register carries an interesting story about a former employee of recruitment firm Hays who's accused of using LinkedIn to steal clients for his own agency. He claims to have been encouraged by his employer to use the site.

It demonstrates the importance of establishing clear ownership of business relationships. Increasingly that's where the real value resides. Social network sites break down the boundaries between business and personal lifestyles. We have a long way to go to fully understand what that means and how to manage it.

June 15, 2008

Security culture in Government

The recent confidential document breaches by UK Government officials have prompted observers such as Dame Pauline Neville-Jones to suggest that there is a "culture of carelessness". Is this true? And what can be done?

Certainly it would appear that standards of security behaviour have been slipping. It's unlikely that today's breaches would have happened in the past. People handling highly classified material took security very seriously during the cold war.

Things have changed since then. The threat is different today. Civil servants are unlikely to feel they are being watched or tailed by hostile intelligence services. The perceived impact of disclosure is much less than it used to be. And information today is circulated in a much more open way.

Such changes in context act as subtle but powerful cues for the behaviour of staff. We need to introduce new rules, responses and motivators to alter their perception. Security culture can be changed. But only by visible acts, not by demands, policy or wishful thinking.

June 26, 2008

Changing Security Culture

The recently published Poynter report on the loss of HMRC discs containing personal details of 25 million citizens confirms what most of us already suspected. Security is not taken seriously enough across many public sector organisations. It's a combination of a culture that has been allowed to grow up, as well as a failing in governance, i.e. a lack of strict targets and conformance audits to identify and correct failings.

Surprisingly there is no mention of the need for accredited certification, which is the only reliable fast-track means of enforcing security standards. The other much-needed solution is a sophisticated behaviour change programme. I say "sophisticated" to distinguish what's needed from the run-of-the-mill, half-hearted security awareness campaigns that we often see mounted in large organisations. This problem needs more serious attention, a campaign more akin to the efforts made in the nineties to eradicate crime in New York City. 

How should we go about this? Well I'm afraid you'll have to wait for my soon-to-be-published John Wiley book on managing the human factor in information security. I'm hoping it will be out early in the New Year. It will contain lots of theory, tips and practical methods for transforming security in organisations. Watch this space. 


July 5, 2008

How many laptops go missing?

A recent Dell-sponsored survey carried out by the Ponemon Institute suggests that more than 10,000 laptops go missing each week at 36 of the largest US airports, many stolen at security check points.

Quite apart from the disturbing fact that security check points are clearly a magnet for thieves, it's interesting to note that around two thirds of lost laptops are not reclaimed, and that more than half of them contain confidential company data, two thirds of which have no security protection.   

I've mentioned before that my experience is that a typical organisation can expect to lose up to 5% of their laptops per year, though this figure can be reduced substantially by smart, educational initiatives. I don't know how many travellers with laptops went through these airports, but I'd hazard a guess that it must be a few million, suggesting a loss rate of the order of one in 200. If an executive makes 20 flights a year then that represents a loss rate of 5% per year.

These are consistent but disturbing figures, demonstrating that too many executives are careless, and why organisations need to do more to secure the data on their laptops.


Postscript - after checking these figures some time later, it's clear I got my maths wrong! I clearly meant to say 0.5% of laptops per year, which is consistent with my earlier postings. It changes the analysis, suggesting perhaps that executives who fly might be an order of magnitude more likely to lose their laptops.

July 14, 2008

In search of a new security culture

Regular visitors will have noticed that my postings have been a bit thin lately. It's because I've been head-down completing a new book on "Managing the Human Factor in Information Security", to be published by John Wiley in the New Year. As anyone who's ever written a book will know, it's a surprisingly tough task, about the equivalent of a hundred white papers, and all in a handful of months.

It's also interesting how the real world tends to overtake your writing. The Cabinet Office has published a collection of papers on the state of information handling in Government and what they intend to do about it. My colleagues, Philip Virgo and Stuart King have already commented on them. The human factor and the need for a culture change figures quite high in these reports. So what do I think about the Government's proposals? After all I've been thinking hard about this subject for most of this year.

I have to say that I think they've nailed the problem space, but they are a bit short of ideas on the solutions side. There is a widespread need for a major culture change. That's clear. But it can't be achieved by a training or communication programme, by decreeing a policy, by conducting impact assessments, or by simply making someone responsible.

Culture changes demand a whole lot more than that. Amongst other things they require very simple but subtle adjustments to governance, infrastructure, roles and other motivating factors. It's a specialist job, not one for policy makers or generalist civil servants. I certainly hope the implementation across Whitehall and beyond takes account of that. Otherwise we'll be conducting the same reviews a few years from now.  

July 17, 2008

Talent wars are zero sum games

JP Rangaswami, Managing Director of BT Design, gave an excellent speech last night on "The Future of Corporate Information" at the Computer Weekly 500 Club. JP is a superb, original thinker and has a tremendous wealth of up-to-date knowledge.

I cannot fault JP's analysis of the problem space. Trends such as consumerisation and Web 2.0 technologies are revolutionising IT, in ways that traditional IT functions are not keeping pace with. We are culturally behind, and, worse, holding back the introduction of forward-looking methods of working. Young people can see this and will be less attracted to work in our old fashioned IT environments.

At the same time there is a growing shortage of computer science graduates. Human beings can't be scaled up in the same way that technology can. We are heading for "talent wars" as companies fight to attract scarce young graduates, with a growing realisation that future organisations will be more a collection of capabilities and relationships, than a set of business processes and services.

On hearing that, many CIOs will no doubt take a hard look at their conservative middle managers and sharpen their axes. But it need not be that way. Talent wars are a zero sum game. It's wrong to assume that young people are the only ones who can grasp the new skills. The failure to modernise the IT workforce lies with CIOs, not their staff.

Human beings of any age are not much different. They take their cues from their roles, their peers and the environment. Change the context and they will act differently. And it's better to have an experienced workforce that gets it, rather than a younger one that doesn't have the experience to understand why we needed some of those old-fashioned controls.

July 30, 2008

Cyberspace profiling

I'm always fascinated by anything new on the topic of criminal profiling, the so-called "third wave" of investigative science. Geographical profiling, in particular, is surprisingly effective. So I was highly interested to read about the latest research going on at Queen Mary, University of London, which is studying the foraging habits of bumblebees to gain an insight into how serial criminals might select their targets. Both bees and criminals, for example, tend to maintain buffer zones around their residences to avoid attracting attention. And both limit their travel to reduce cost or effort.

Profiling for cyberspace-based criminals requires a different set of metaphors and criteria. But it's a powerful tool that we need to develop a lot more. And it's the right approach for the crime. Because the best response against cyber attacks is to use the network and its data against the attacker.

August 13, 2008

The real Security 2.0

I note that my fellow blogger Stuart King has been speculating on security topics for 2009. It's natural in his line of business. His company organises many international security events. Stuart sees little progress in getting to grips with existing problems, never mind new ones. But he does see a lot more focus on the people side of the problem.

I fully agree with that. We need to give much greater attention to security awareness and other human factors. The problem is that we haven't seen much in the way of products, services, methods or advice to help security managers with managing the people side. Understanding where to start is a real challenge for most organisations. Most of the things we really need to do are new concepts for security managers. And there aren't many good practices out there.

But two things are certain. Firstly, the way we currently go about educating staff is not fit for purpose. There is scope for a massive improvement. It must change. And, secondly, the return on investment from cutting incident levels is substantial. So it's worth spending more time and money on education.

The lack of guidance on the subject was the main driver for encouraging me to write my new book "Managing the Human Factor in Information Security", to be published by John Wiley in January 2009. Amazingly, you can even order it now from Amazon, though the manuscript is not yet finalised. In the process of writing this book I've assembled a large body of theory and practice, which convinces me that we can, and should, transform the way we manage the people side of security. We need no less than the equivalent of a Security 2.0 solution. And I don't mean the Symantec product of that name. I mean a new kind of security, one with a much stronger focus on people and their relationships.


August 22, 2008

Achieving a security culture change

The latest reported loss of 84,000 unencrypted confidential Home Office records by PA Consulting illustrates the massive challenge of eradicating bad security practices across Whitehall. Massive publicity and waves of security reviews have clearly not made sufficient impact on day to day operations.

We need to take a whole new approach to security culture. It can be done. But not by diktat. It requires a more emotional engagement with people and a major programme of change. It also requires that security education and oversight extends as far as the risks extend, in this case to contractors.

Watch out for an article by me on organisational culture change in September's Infosec magazine.

Postscript - Infosec magazine now tell me that this feature has been held over until October. You'll have to wait a little longer.


September 19, 2008

Laptop and PDA losses still a major problem

A new survey of London taxi drivers, carried out by Credant Technologies, indicates that 55,843 mobile phones and 6,193 other devices, such as laptops, have been left in the back of black cabs over the past six months. This is consistent with a survey carried out a few years ago by Pointsec, which showed that in the last half of 2004, 63,135 mobiles, 5,838 PDAs and 4,973 laptops were left behind in London taxis.

Clearly the huge amount of publicity surrounding laptop losses has had little impact on the size of the problem. Of course, there might be more laptops being carried in taxis today. And perhaps the more cautious behaviour of some is being undermined by more cavalier behaviour by those who now have encrypted devices. But the figures are unacceptable.

My experience in Royal Mail at driving down laptop losses through root cause analysis and targeted education demonstrates that big reductions in losses can be achieved. Organisations are failing to address this problem adequately. If you're losing more than 1% of your laptops a year, then you should take immediate action to improve staff awareness and discipline. It's not that difficult.     

September 23, 2008

Getting to grips with the human factor

Yesterday I was in the Netherlands speaking at Endeavour Events' excellent InfoPROTECT 2008 conference. This event attracts a very good crowd and it seems to get the balance right between lectures, workshops and networking. You don't feel that you're being excessively "lectured at" or "sold to", yet there is constant interaction between users and vendors.

I was speaking on the subject of the growing importance of people in the information security problem and solution space. It's a really hot subject and my talk seemed to go down very well. There's a growing "resonance" whenever I speak on this subject. Information security practitioners are becoming increasingly conscious of the need to invest more in this area. But there is a serious lack of guidance and services in this space.

I've long said that security managers should devote at least 10% of their budget to security awareness. There's no doubt in my mind that the benefits of reduced incident levels more than justify that. But the real problem is identifying what you should spend it on. There's a complete vacuum on this subject. No education, standards or guidelines, and few products other than a handful of specialist services, such as Martin Smith's security awareness services.

The situation is slowly changing. University courses, such as Royal Holloway's MSc course are increasing their coverage. Large companies are assigning full-time senior managers to address the subject. And, of course, my book, perhaps the first one devoted to the subject, will be published in January. But we need a lot more inter-disciplinary technology transfer. Today, security managers can learn more from psychologists than technologists. That speaks volumes.   


October 10, 2008

Yet another security breach

My in-tray has been hot today with questions about the reported EDS Ministry of Defence data breach. In fact, there's nothing here that's either new or unexpected. It's just a regular security incident demonstrating, yet again, that our information security falls way behind business and consumer expectations.

And this trend will continue because of several factors. Firstly, the protection we give to personal information does not reflect its current value. That's essentially a legacy, catch-up problem. We'll all get there eventually, as we gradually recognise that personal data is like hard cash. But don't expect it to be resolved in the next year. These lessons take a long time to learn. 
Secondly, the solutions space is much more complex than it seems. Moving to a regime of encryption, rights management and data leakage prevention as a standard practice is far from easy. It requires considerable planning, policy and technology. We can't implement these solutions overnight. They require, for example, major adjustments to security classification systems (if you actually have one) and security architectures (again, if you actually have any of them).

And, thirdly, we have no significant budgets and very little idea about how to deal with the "layer eight", "wet ware", people issues: how to respond to the mass of personal mistakes, accidents, lies and frauds that continuously occur in all organisations. These are the events that we fail to see, or perhaps turn a blind eye to. This problem, of course, will all be addressed in detail in my new book on "Managing the Human Factor in Information Security" due out in January 2009. Amazingly it's the first major book on the subject. That says a lot about a subject area that's been around for several decades.

Back in the early 90s, in Shell, for example, we employed behavioral psychologists and creative teams to help address this area. Unfortunately, this seems to have been the peak of effort in this area. The state of the art has stood still since then. I've long been advising organisations to spend at least 10% of their security budget on security education. But they don't. And if you look at the agenda for forthcoming conferences, such as RSA 2009, you'll find not a mention of the subject. Our thought leaders are failing to provide the guidance we all need in this area.

So expect this problem to get increasingly worse until organisations realise they have serious policy, governance and implementation weaknesses in this area. And don't expect a quick fix. It's a complex problem space, and an even more difficult solutions space.  

October 26, 2008

RSA Europe - a softer focus?

Monday sees the start of the RSA Conference and exhibition in London, which I'll be attending.  It's a significant occasion, with a reasonable level of sponsorship and attendance. But it's very different from its US counterpart. For one thing, it's a lot, lot smaller: just a fraction in size of the San Francisco thrash, which attracts around a staggering 17,000 attendees. But more interestingly, it's "softer" in focus, with more emphasis on non-technical issues.

Earlier this year, following a trip to Miami, I suggested that US and UK approaches to security were converging. I now question if that's really the case. The US security community has clearly picked up the "process" focus that many UK firms have practised for decades. But that could be largely down to regulatory compliance pressures. More significantly, few US companies appear to have latched onto the "people" side as much. You can see that, for example, by the absence of coverage of this subject in next year's RSA Conference USA.

It will be interesting to see how 2009 plays out. My feeling is that this could be the year that information security finally bites the bullet and invests properly in human-focused initiatives. But, so far, budgets have not reflected this, and they're now being seriously squeezed. Perhaps we'll have to wait for regulatory compliance to bang the table. But one thing is clear: we can't keep ignoring it for long.

November 2, 2008

Data breaches will continue until we take the right action

More government data breaches in the news again today. And they'll continue to be reported, not only because we can't completely eliminate human error, but because not enough effort is currently being focused on the right areas. The approach needed will be covered in my new book "Managing the Human Factor in Information Security", to be published by John Wiley in January 2009. In the meantime you can read articles setting out some of my views on the problem and solution spaces in Government Technology and in the print edition of this month's Infosecurity magazine. 

November 4, 2008

Let's have a heated debate

RSA conferences are a great opportunity to network with friends, colleagues and interesting personalities. At last week's event in London, I especially enjoyed having dinner with Ira Winkler, a legendary figure in the information security community and an original thinker. Information security has a tendency to attract quiet thinkers, so it's refreshing to encounter outspoken observers.

That's one reason why Bruce Schneier is such an influential commentator. Ira Winkler falls into the same category. He dares to speak his mind and promote new viewpoints. We need more of that. I especially like the way that Ira adapts learning points from Far Eastern martial arts. Information security is a new subject. We need to build on ideas developed in other fields. And there are lots of interesting parallels out there to be discovered.

One area we argued about was whether fear or reward works best for influencing behaviour. Ira prefers the former, I subscribe to the latter. Ira is better qualified in psychology, but I've also done research in this area. Both work, but, in my view, fear and punishment breed negative, rationalised responses and don't get the best out of people. But Ira is right to say that it works well in practice, especially in the short term.

In fact, this is exactly the sort of debate that's long overdue in the information security field. We need to encourage security managers to think about these issues, and their consequences. There's too much argument about public policy issues that we can't influence, rather than local organisational issues that we can address now.

November 28, 2008

That firewall is deceased

It's getting to the time of year when security managers begin to lighten up after another year of cost-cutting, restructures and bad content. Alan Stockey, ex JP Morgan security veteran, has put together this sketch to cheer us up as the temperature plummets and the nights draw in. It's the "Dead Firewall Sketch" or for fans of de-perimeterisation, the "Firewall is Dead Sketch!" Enjoy.


December 3, 2008

The slow progress of people-oriented information security

Today is my annual lecture on the Royal Holloway University of London MSc course in Information Security. It's a great course, the very best of its kind, with a good balance between lectures from leading academic experts and experienced business practitioners. In fact I regard this level of education as the minimum target level for all information security practitioners. You can't become a professional through luck and ignorance. And trial and error takes far too long. 

I find it interesting to note how my lecture has evolved over the last ten years. There has been progressively more emphasis on the human factor and increasingly less on technology and process. That's a long term trend, which has a couple of decades at least to run before we can envisage the possibility of a level of automation that might actually take account of human failings or manipulation.

Unfortunately, it's only now that we're starting to see the beginnings of serious professional education and research in this area. And it will take several more years for today's early methods and ideas to filter through to everyday practice in industry. The solutions will be a long time coming. But at least we're making a start.

December 18, 2008

In search of perfection

Lately I've been proof-checking my book "Managing the Human Factor in Information Security". This type of exercise is a real eye-opener for anyone that sets out to achieve 100% error-free operations. The simple fact is that we simply can't avoid or eliminate mistakes, no matter how hard we try.

I've checked the text of the book over and over again. It's also been reviewed by three colleagues, my publishers and a team of professional proof-readers. Yet you can still find errors if you look hard enough. It's the same with software, which typically has 20 to 30 bugs for every 1,000 lines of code. Our information systems are far from perfect.

Mistakes are caused by many different human factors, including negligence and stress, as well as lack of training or bad system design. Spotting errors is particularly hard as we generally only see what we're expecting to see, so exceptions will go unnoticed.

We shouldn't really blame individuals for causing accidental data breaches. In fact, it's often the best performers that make most mistakes. That's because they work harder and faster, and are more empowered. Yet whenever a big data breach occurs, the tendency is to hang the poor person who triggered it.

The safety field has long understood this problem. That's why they use defence-in-depth (or the "Swiss cheese" model as they prefer to call it). We need more compensating controls around our systems and better checks and reminders in the systems themselves. Areas such as policy, training, supervision, system design and validation are weak ones in most organisations. That's where we need to focus more effort.  

January 18, 2009

Who can you trust?

How honest are people? It's a good question and an important one as we head into a socially networked world offering greater empowerment and information access to both our staff and customers. The answer though is far from clear cut. Two recent stories in the UK media demonstrate a wide variance in customer honesty.

The first was the trusting shopkeeper in Yorkshire who decided to leave an unattended store open to customers on Boxing Day. He made a fine profit. The second was the ATM machine in the Welsh border town that paid out double the money it should have, attracting a queue of a hundred customers. Why the difference?

The answer is that few people are completely honest. In fact this starts early in life: all children will cheat from time to time. But behaviour is influenced by many different factors, including risk assessment, loyalty, peer pressure, personal circumstances, environmental factors, and, of course, the likely consequences.

Measures of honesty are hard to come by. There are a few interesting statistics quoted in Freakonomics, based on the records of a Washington bagel supplier who relied on customers placing the money for their order in a collection box. He generally got a return of around 90% though it varied according to the company he dealt with.

When carrying out risk assessments, I generally apply a rule of thumb passed on to me some thirty years ago by an experienced security professional. He advised me that, out of every four people, one is likely to be an out-and-out crook, another honest to the point of stupidity, and the other two will apply a risk assessment as to what they can get away with. I call this "the rule of four", though a statistician might view it as no more than the expression of a bell curve.

The problem in practice, of course, is that, like many things in life, it's not evenly distributed. You'll find a different mix in a church than a prison. But it's a healthy starting assumption when designing any system of controls.

If you're interested in this subject, you can read more in my book "Managing the Human Factor in Information Security". It should be in the shops in the next few weeks. Also check out the promotional video, just released on YouTube.

January 23, 2009

A New Book for a New Year

Today is a special day for me as it marks the official publication of my book "Managing the Human Factor in Information Security". I received a box full of copies a few days ago. Ever since then, my friends have been admiring the shiny blue and grey cover and the fine white paper. It's a beautiful book, even if I say so myself. Interestingly, Amazon are already selling used copies at premium prices, even though none have yet been shipped. I guess that's a good way of making money out of books that have larger advance orders than the initial stock.

Putting the book together has taught me a lot about life, people and publishing. I've researched many subjects that I hadn't previously delved into. I collected numerous ideas, tips and suggestions from friends, and I fused it all with my own experiences into a new set of principles and conclusions. I also found myself reading newspaper and magazine articles with new eyes, picking up nuances that I might otherwise have missed. In fact, writing a book is a powerful learning process that I'd recommend to everybody.

I also learned a lot about the difficulties of getting the bugs out of a large body of text. I'm a bit of a perfectionist myself, so I tend to check everything I write. Yet even after carefully checking the manuscript, subjecting it to three independent reviews and having it professionally proof-checked, I still uncovered hundreds of flaws in the final proofs, and a few in the corrected proofs. Given the ever-accelerating nature of the business world and the consequential growing expense from delays in carrying out multiple checks, this means that we are heading for a world increasingly characterised by inaccurate information.   

Encouragingly, the book was printed a week ahead of schedule. This seems to be a rare achievement. When I told Fred Piper last year that we were aiming for an end-of-January publication date, his reaction was "Wanna bet?" That's because he'd been involved in lots of books and none were published on time. Bruce Schneier also admits to being very late in completing the manuscript to his book "Secrets and Lies". Given the busy nature of modern executives and academics, perhaps this points to a world also characterised by late and incomplete information.

In fact, data quality will be one of the largest business problems of the next decade. And that means not only ensuring that the data is accurate, but also that we deliver the right information, at the right place, at the right time. Addressing this problem will be one of my priorities for this year. 

January 29, 2009

Security awareness: a short step in a long journey

Yesterday I was fortunate to attend Martin Smith's Security Awareness Special Interest Group. It was a sell-out event at BT Centre in London with close to a couple of hundred attendees from across the public and private sectors. Martin has done a tremendous job in recent years in organising security awareness services for large organisations, especially in the banking and communications sectors. Ten years ago, few companies were interested in this area. Now it's become one of the hottest topics in security. It's great to see such a high level of interest. But it's also clear that we have a long way to go to get it right.

All security managers wish to raise their game substantially in this area. Unfortunately, few of their organisations are ready to listen. The spirit might be strong but the budget is weak. The exception, of course, is the select group of organisations who've been hit by a large data breach, where the knee-jerk response is an expensive, short-term change programme. Ideally, such efforts should be more evenly distributed. No enterprise is an island. Large organisations rely on dozens of tiers of business partners and contractors, not to mention the cooperation of millions of customers. Education is a community issue. We're all in it together. 

A further problem is a widespread failure to learn from the safety field about how to prevent and respond to incidents. Security is many decades behind the safety field in understanding how to manage risks. The typical response to a security incident is to select an appropriate neck for the chopping block. That approach breeds a damaging blame culture which discourages teamwork, risk-taking and reporting, as well as failing to address the root causes of the incident. In fact, most incidents are not caused by a single person or action. They are the result of a large number of bad practices, encompassing policy, training, system design, supervision and everyday unsafe acts. And it's often the best performing staff who make the most mistakes because they will work harder, faster and longer than their lazier, risk-averse colleagues. Aviation safety focuses on eliminating bad practices and root cause analysis of near-misses and incidents. Planes don't just fall out of the sky in the same way that data regularly goes missing.

A third issue is the lack of psychology applied to the solution space. Security managers talk about winning hearts and minds, but they have yet to identify many positive motivators. Punishments are the easy way out. They are easier to identify and quicker to implement. But they're much less effective in a modern empowered organisation. Negative incentives only work when you're constantly watching your staff, and most will not apply to contractors.

A fourth issue is the lack of sophistication and stickiness in the design of educational material. Best-practice leaflets in the security field are not great; they're just better than most other people's amateur efforts. Designing compelling methods for communicating messages and influencing attitudes and behaviour is a rich science that's rarely applied properly. The last time I saw this done properly was in the early nineties at Shell, where we drew on the experience of behavioural psychologists and ex-Saatchi creative teams.

Martin Smith also hits the nail on the head when he says that the true size of your security department is the extent of your enterprise. So far we have failed to recognise and exploit such network effects. The security community needs to look outwards and learn how to do this, to steal ideas and methods from other functions and sectors that have succeeded in creating large scale behaviour change. Marketing, for example, is a good field to draw on. Criminology is another. As I've often said, these days we can learn more about security from a psychologist than a technologist.

February 15, 2009

Back to Basics

Hardly a week goes by without a major concern about the compromise of personal identity data. The latest one in the news is the Federal Aviation Administration, yet another high-profile organization that should have been better protected against such risks, especially as it's an organization that maintains critical national infrastructure.

The big question is what type of security approach we should apply to critical infrastructure and sensitive citizen data. Controls, risk assessments and selective audits are not sufficient. That combination failed the financial sector. It didn't curb the excesses of management, nor did it highlight the growing indications of impending disaster.

What we really need is an extension of the type of culture we've developed in areas such as aviation safety into the security domain. That means a number of things. For example, better education, a healthier culture that encourages prudent behaviour, more frequent inspections and, most importantly, a thorough root cause analysis of minor incidents and near misses.

Unfortunately, the aftermath of a security incident tends to focus on short term fixes and personal accountability. This is counter-productive. Many banks and government agencies are instilling a "blame culture". That doesn't work. Incidents are rarely caused by a single person, and, as Deming correctly noted, if blame has to be apportioned it lies with management. Deming also understood that employee reward systems were flawed, something we're only now beginning to question, following the clear excesses generated by the City bonus culture. 

It's about time we went back to the basic principles of good management, defined by the likes of Deming. Security needs an approach more rooted in the lessons learned over the last fifty years in the safety and quality fields. Unfortunately we seem to have ignored or forgotten many of these essential management principles. 

March 18, 2009

Yes we can

I'm generally reluctant to criticize colleagues, but occasionally they come up with enough drivel to spur me into action. I was disappointed, to say the least, to read that Stuart King, a kindred spirit and fellow blogger, has taken to rubbishing the value of security awareness projects. Pay no attention to his ramblings. He's got it completely wrong.

Stuart's own initiatives might have failed to hit the spot, but there are still massive benefits to be gained from well designed security awareness initiatives. I've seen huge drops in security incident levels through smart educational projects.

The problem is that this is not a subject that amateurs can easily tackle. Many security awareness projects are poorly conceived and consequently ineffective. So don't judge them all equally. The solution is to get it right, not to broadcast failings. Just because you can't do it doesn't mean that others can't.

April 23, 2009

Frustration Hacking - or the lack of it?

A Jericho Forum email yesterday drew my attention to a claim by Eric Domage of IDC that the current recession is likely to trigger an increase in so called "frustration hacking", "when people opportunistically attack their own company because they have been fired or frustrated".

Nonsense, I thought. My experience has always been that when times are hard and people get sacked, taking unnecessary risks is the last thing on their mind. Future security takes priority. That means not risking redundancy payments, pension rights and employer references. It's bad enough being out of work, but it's a lot worse to end up destitute and unemployable.   

Interestingly, responses to my comments from colleagues were mixed, some for and some against, though most seemed to agree with me. Perhaps this would be a good topic for a debate?

April 27, 2009

Security in financial services

The latest edition of Financial Services Technology magazine has interviews with myself and Bruce Schneier, as well as brief book reviews. It's a sign of the times: security management now plays an increasingly dominant role in financial services, with the "softer" human issues becoming more significant.

April 30, 2009

Verdict on Infosecurity Europe 2009

So what was the verdict on Infosecurity Europe 2009?

Overall, I thought it a definite success. The feedback I received from both vendors and visitors was positive. The new venue was bigger and quieter (in most places). The programme was wide ranging and entertaining, even a little "edgy" at times. The Hall of Fame expert panel, in particular, was a classic session: lively, controversial and entertaining.

The issues raised throughout the conference were relevant, interesting and thought provoking. I now see electronic voting and DNS in a new light. I was also particularly pleased that visitors seemed keen to explore relatively new dimensions of security such as human factors, information governance and data integrity. In fact, I felt that a new climate of change is beginning to emerge, which is something that surprised me in an economic climate when everyone seems rushed off their feet.

Many vendors commented to me that they were pleased with the outcome: the footfall might have seemed a little lower but the visitors were of a higher quality and more businesslike, with less time wasting. This might reflect a more mature or perhaps a more hard-pressed customer base. It would be interesting to hear the views of exhibitors.

All of the visitors I spoke to seemed very pleased with the outcome. Many were there to learn rather than judge and they liked the variety in the programme, both in subject matter and format. Some also commented on the fact that the stands seemed to have less hype and more focus on useful services rather than obscure products. Perhaps this reflects a growing maturity of vendors as well as customers in an increasingly tough market. We could certainly do with more events that deliver efficient marketing of relevant products to potential customers. Unlike many things in security, this is a win-win opportunity.

The clunky side was the aggressive policing: more of a security guard than a receptionist mentality. If you found yourself in the wrong place at the wrong time you were treated like an intruder. We need a better welcome for visitors and somewhere dry, warm and with refreshments to park anyone that happens to arrive early. Earls Court in the rain is not a great place to be. You wouldn't experience that at a modern location such as Excel. But then Excel is in the middle of nowhere unless you happen to be flying in to London City airport.

But overall the verdict has to be one of a significantly improved event from most perspectives. My congratulations go to the organisers who clearly did a fantastic job. 

May 15, 2009

Infosecurity Europe Hall of Fame presentations

The Hall of Fame presentations given by Paul Dorey and myself are now available on the Infosecurity Europe web site. Recordings of these sessions and podcast interviews will also be available shortly.

This site is still worth checking out long after the event as new content and discussions appear regularly.


May 29, 2009

Information Age security

This month's edition of Information Age magazine carries an insightful review of my book "Managing the Human Factor in Information Security". Information Age is an excellent magazine, which for many years has encouraged innovation, excellence and networking across the UK IT sector. It's a privilege to be reviewed in it.

June 18, 2009

A new security blog

I see that the US Department of Homeland Security has launched a blog. The initial efforts appear to be very formal and official, more like a series of press releases, in contrast to the more natural, imaginative and reader-oriented style of the excellent (though sporadic) postings on the Transportation Security Administration blog. So far the Homeland Security blog has not attracted many comments. But it's early days yet. Let's hope that it evolves into a more insightful communications channel that's sufficiently streetwise to be termed a blog.

June 29, 2009

Why staff break security rules

I've just got back from speaking in Athens at HAISA 2009, the leading international symposium on the human aspects of information security. Picking up today's Computer Weekly, my eye was naturally drawn to an interesting article on why staff break security rules.

CW reports that researchers at Nottingham Trent University have actually discovered that many staff will knowingly break or bend security rules in order to perform a job more efficiently, to help a colleague, or to provide good customer service. They also noted that complacency can set in when staff have been working in the same area for a long time and they know they will "get away with it".

Of course they could have saved a lot of time by simply asking me or any experienced security or safety manager. We've known all this for decades. Perhaps, as Basil Fawlty might put it, the researchers might be qualified to set up a course in the not-too-subtle art of stating the bleeding obvious.

July 5, 2009

Environments influence behaviour

Some interesting experiments in Holland have confirmed that many people adjust their behaviour according to the people and environment around them. In this research it was a case of graffiti encouraging people to behave badly. But there is already plenty of evidence to suggest that you can change people's behaviour by manipulating the environment. I've observed it myself many times. This subject is also covered in my John Wiley book Managing the Human Factor in Information Security.

It works at many levels. The size and shape of rooms and buildings, for example, affects team behaviour. And the practices of colleagues and cues in the immediate environment will have a major influence on individual behaviour. Even more significant is the impact of the cyberspace environment, where the sense of isolation, fantasy and the absence of prompts to correct bad behaviour can bring out the dark side in people.

Cyberspace is more dangerous than we imagine. It can encourage crime, inappropriate activity and aggressive behaviour. As people spend more and more time online, we need to develop mechanisms to keep this in check. Unfortunately, very few system designers and security managers appreciate that people might behave differently when they're online. It's time we raised the visibility of this phenomenon.

July 24, 2009

Security in the clouds

A posting on Bruce Schneier's blog drew my attention to this interesting case study of how a hacker was able to gain access to the personal accounts of Twitter executives. There's nothing new here of course. We've always known that password security is simply not good enough for any publicly accessible service. The real issue here is the fact that executives are increasingly using cloud services that were designed primarily for personal use, not business purposes. A further worrying trend is that, in many cases, our personal data is becoming just as sensitive as our business data. We need an all round improvement in authentication methods for cloud computing services.

August 24, 2009

Wales leads the way

Wales is one of the least likely places you'd expect to find leadership in information security. Yet they have managed to assemble a specialist e-Crime prevention web site, complete with newsletters, cartoon videos, a sample acceptable-use policy, and even a Dummies Guide to e-Crime prevention. Now I'm not sure whether this has been primarily done to reduce crime or attract business. But it's encouraging to see such a proactive approach being taken.  

October 2, 2009

Long distance data management

Keen-eyed information management professionals will have been amused last night to spot Andy Hayler, former Shell data management expert and Kalido executive, in his modern role as professional restaurant critic, judging the finalists in Masterchef: The Professionals.

As Terry Wogan put it, the three judges looked like a lorry driver, a 1970s porn film producer and the 'Son of Satan'. (Andy presumably being the lorry driver?) It just goes to show that there are no barriers to reinventing yourself. There's still hope for us sad technologists and security professionals to achieve our true purpose in life, whether scoffing free food or driving trucks.  

October 13, 2009

Information Security across the World

My postings have been thin over the last few weeks as I've been busy travelling, researching and writing. The highlight was a visit to Switzerland to give presentations to institutes in Zurich and Geneva, a thoroughly enjoyable experience. It's been a few years since I last visited Switzerland, so I was interested to experience the latest views and perspectives of the local security professionals.

I was impressed by the Swiss appreciation of the human factor in information security. They have a very good grasp of the nuances of organisational culture and the techniques required to change user awareness and behaviour. And it's also reflected in university teaching and research.

This might of course be expected in a country that successfully combines contrasting cultures, languages and politics. But it's not what we generally find in the USA, which has a stronger focus on security technology, often at the expense of the softer skills.

The UK is different again, with more emphasis on policies and processes, perhaps reflecting its claims to fame as the birthplace of ISO standards for quality and security. The ideal would be to combine these skills. But the blend is changing. Once we move into clouds, the balance will favour the softer side of security. Continental Europe is better prepared for that. But, unfortunately, so are our enemies. 

November 17, 2009

Oman sets the bar on security awareness

Last week I was fortunate to have been presenting at a MIS Training CISO Executive Summit in Muscat. The Sultanate of Oman has long been my favourite business and holiday location. It's also a place where managers understand the importance of the human factor in business and security.

In the past, the people perspective has been low on the management agenda of Western organisations. The only time an executive board pays attention to staff is when they need a headcount reduction. But the business world has changed. Networks are empowering people to unprecedented levels of influence. We need to educate and listen to employees, customers and citizens, because the focus of decision making has shifted from the corporate centre to the front-line workforce. Managers, staff and customers are the engine of intellectual property generation, as well as the thin red line that safeguards these assets.

This is why I was highly impressed with the Sultanate of Oman's new information security awareness programme. It's a government sponsored, nationwide initiative, and it's tailored to the local culture. Madison Avenue executives might not be especially impressed with the simplicity of their images and messages. But they would be wrong. What counts for success is a good understanding, empathy and a resonance with the target audience.

From that perspective, Oman has set the bar for an initiative that other countries must also meet. There might be a wave of technology coming from the West. But there is also a wave of best practices in citizen education building from the East.

November 19, 2009

The new art of war

The National Journal has an interesting article on cyberwar, pointing out some of the opportunities and hazards associated with this new form of conflict. It's very different from anything we've seen before and it demands very careful consideration to avoid attacks damaging valuable business assets. It's also a very sneaky form of conflict. As I've often said, it's more the art of illusion than the science of sabotage.

It's also far too easy to trigger covert attacks. Minor, local conflicts can quickly escalate and cause global impact. In cyberspace, as John Suler points out in his online book The Psychology of Cyberspace, people can be tempted to go much further than they might in the physical world, exploring dark subjects, taking risks and becoming unusually hostile.

Cyberspace is a surprisingly dangerous medium in which to conduct warfare. Let's hope that future cyber warriors are alert to the dangers. 

About Managing the Human Dimension

This page contains an archive of all entries posted to David Lacey's IT Security Blog in the Managing the Human Dimension category. They are listed from oldest to newest.
