Bright Stove

Reflecting information risk journey

Archive for November 2007

Car as an analogy


(ISC)2 Japan organized an informal lunchtime meeting today in Tokyo with several CISSP constituents, including a few course instructors, so that Ed Zeitler, Executive Director of (ISC)2, and I could chat about local experiences and share what we have learnt from international and regional developments in information security. During the discussion, one of the participants used the car as an analogy for how safety has been designed into today’s cars, so that users can drive safely without much concern over the mechanics involved. By comparison, users of PC systems and the Internet seem to need to know a lot more about the underlying security technicalities in order to surf the Internet safely. I thought this was an interesting analogy, but I see it from a slightly different perspective.
 
For a car, the price we pay, compared to a broadband subscription and the price of a PC and related software, is many times more. Before we are permitted (by law) to use it on the road, we have to go through at least N lessons of training and pass both written and practical examinations. This includes learning and demonstrating our understanding of the safety regulations involved, as well as our capability to operate the mechanics of the vehicle efficiently and safely, without endangering ourselves, pedestrians, or fellow drivers and their cars on the road. If we fail in any of these aspects, we either don’t get the license, or we have it suspended, and may even get a fine. On a yearly basis, we have to pay insurance, road tax, and maintenance for the car as well. Older cars also need to go through regular safety tests for road worthiness. Because of the price involved, many car owners have to take a bank loan and service it over a period of time, at the expense of other luxuries they might have had instead. All this serves primarily the purpose of bringing us from point A to point B, with some level of comfort during the ride, though at times stressed further by heavy traffic. Of course there are other intangible benefits of having and driving a car, but those are often beyond the needs of common users. The price for those intangibles is often much higher as well.
 
For a PC and an Internet connection, besides the much lower cost involved, there is no network or computing tax, insurance, or maintenance fee. Only recently has there been the notion of a security services subscription (like Microsoft’s OneCare), which is also a small price compared with what we hand out for the car. But in terms of utility, its value is very different from a car’s. It serves as an important tool for learning, writing, reading, searching, organizing, creating, innovating, entertainment, communications, shopping, personal management, etc., etc.; replacing many mundane tasks that we would otherwise have to do manually, or get someone else to do for us. All this is done without a "license" per se. No formal training, examination, etc., is required to use the PC and Internet for all these tasks. All you need is to pay for the device and sign up for an Internet connection. The latter may not even be necessary in locations where a free wireless network is available. There are no security or safety prerequisites for doing all this.
 
By this comparison, it is clear that we perhaps need to rethink the way we regard the value and the safety/security issues involved in using PC systems and the Internet, and the personal safety/security investment that we have accorded to them. Until then, security as an afterthought will continue to be a challenging issue, and users are likely to continue to be the victims, when in fact there might be a chance that they could drive the safety and security of the Internet themselves.
 

Written by mengchow

November 13, 2007 at 2:57 pm

Posted in Awareness

A difference in trust


Sep 20, 2007 – Yin Chuan (银川) – At the 2nd China Computerworld FSI Security conference today, during the keynote address, Dr Ren JinQian, Chief Engineer of a government body, spoke about the principles and approach of using a risk-based approach for information security. Dr Ren highlighted the importance of using risk assessment as a basis for ensuring information security. Three approaches to risk assessment were named: (1) inspection by auditors; (2) self-assessment; and (3) third-party assessment. Of these approaches, Ren emphasized that self-assessment is the most important, and should be the focus for all government departments and financial institutions in China. As for third-party assessment, it was deemed not as important at this stage. Ren rationalized that third-party assessors are not part of the organization, and therefore will not understand the requirements and issues involved, and hence will have limited contribution. His experience also revealed that some third-party assessors, instead of helping to resolve their customers’ security problems, had used their knowledge to attack their customers’ web sites after the engagement. The integrity and reliability of third-party assessors are therefore questioned. Finally, Ren expressed concerns about information leakage relating to third parties’ access to organizations’ internal IT environments. Nevertheless, when third-party assessors are required, Ren stated that only authorized third parties should be used. This is critical to ensure the confidentiality of the information involved, and also the integrity of the assessors. Ironically, the topic is about risk management, and in the approach taken, it seems that accepting the risk of using third-party assessors is not quite an option yet for management.
This reveals a major difference between his approach to risk assessment and that of most multinationals, including other governments, in which third-party assessors are often preferred in view of the independence and objectivity of assessment desired. It also illustrates the social trust model at work behind the Chinese and Western approaches.

Written by mengchow

November 9, 2007 at 6:49 am

Posted in Risk Management

A blog of Microsoft security blogs


Written by mengchow

November 2, 2007 at 3:02 pm

Posted in Awareness
