The slow progress of people-oriented information security

Today is my annual lecture on the Royal Holloway University of London MSc course in Information Security. It’s a great course, the very best of its kind, with a good balance between lectures from leading academic experts and experienced business practitioners. In fact I regard this level of education as the minimum target level for all information security practitioners. You can’t become a professional through luck and ignorance. And trial and error takes far too long. 

I find it interesting to note how my lecture has evolved over the last ten years. There has been progressively more emphasis on the human factor and increasingly less on technology and process. That’s a long-term trend, which has a couple of decades at least to run before we can envisage the possibility of a level of automation that might actually take account of human failings or manipulation.

Unfortunately, it’s only now that we’re starting to see the beginnings of serious professional education and research in this area. And it will take several more years for today’s early methods and ideas to filter through to everyday practice in industry. The solutions will be a long time coming. But at least we’re making a start.