Your shout: education, users, licencing

Education is just the start for user-focused security

Ian Mann's article is a refreshing call to promote one vector for tackling the human vulnerabilities in information security. It raises the challenge that we need to defend in depth by not only tackling social engineering with technology, but by locking down technology at the true end point: the users.

The National Computing Centre has long endorsed the ISO/IEC 27001 (BS 7799) standard as the foundation for security best practice, and we would hope that would-be implementers will not be discouraged into thinking that "education and awareness" is the only one of 135 controls that tackles the people element. Many others that tackle the human firewall directly - including screening and allocation of responsibilities - are core parts of the standard.

It is also worth noting that certification is based on a plan-do-check-act risk management cycle that applies relevant security controls according to circumstance. Some security management may be based on trust, other systems will be based on serious restrictions. It is this effectiveness-based process that helps identify the right people/process/technology balance.

Call centres and air traffic management centres can pick and mix accordingly and still be benchmarked to the same standard. But it is always a people issue - who writes their password under the keyboard, who sets up the anti-virus software, and who writes the firewall software? Not technology.

Daniel Dresner, information assurance analyst, National Computing Centre


Pass the word: human nature creates data risk

I applaud Ian Mann's article on social engineering. For the past four years I have been leading a third-level information security unit at Southampton Solent University. A constant comment to my students from a security point of view is, "You are the weakest link."

Banks and other online firms can suffer harm by the actions of customers who are not aware of the threats. Phishing has become a sophisticated technique for gaining personal information. Add to that similar techniques involving ID theft, and criminals have an armoury for making millions from a naïve sector of society.

Educating IT users about these attacks is a major issue. Every organisation that teaches IT should provide examples of attacks and the possible consequences, not only to educate, but also to pass the word on so that this threat is universally acknowledged.

The threats are multiple and diverse, from winning money on a fictional lottery to entering a date of birth and an address so that a personal horoscope can be sent. People like to communicate; they like to know that others are interested and may have good fortune for them. This very nature leaves us exposed to the more malevolent elements of society.

Vic Thorn


Look before you leap into licence management

I read with interest your article on new Microsoft Vista licence models aimed at larger businesses and I have to say I think the whole issue of licensing continues to be a minefield for users, creating a huge amount of confusion for many organisations.

Evidence suggests that firms can overspend on licences by up to 60%. This is often because they are unable to easily identify licensing expenditure and lack the information to accurately forecast software budgets. A structured software licence management programme can help companies to better manage these costs.

The golden rule for licence management is to first understand the potential risk by carrying out a basic risk assessment. At this stage you don't need to spend a huge amount of money as 100% accuracy is not the goal. The process can be fairly simplistic and low cost, as long as it immediately gives you a feel for your risk exposure.

Many companies run into problems because they jump in and purchase the wrong IT system, which then fails to deliver the desired results.

It is fundamental to understand the scale of the problem before you purchase audit or discovery tools. Only then can you work out a programme to prove compliance and a process for maintaining this position in the long term.

Anton Schnider, software organiser

Have your say
Do you agree with any of the above views? If you have an opinion about the letters or any article in Computer Weekly, e-mail [email protected]