Bright Stove

Reflecting information risk journey

What would you do with a magic wand for security?

leave a comment »

Recently, I had the opportunity to speak with several senior information security practitioners on various areas of information security risk management to get their insights and learn about their experiences and concerns in their practices. Before closing each of the conversations, I asked what would they do if they have a magic wand for information security? Interestingly, all the practitioners gave a consistent answer, i.e., change the security awareness of people. All believes that if individuals, be it users, architects, managers, or engineers, are more security conscious, they would do the “right” thing in terms of security, creating more secure products and services, and also be less reckless in using products and services on the Internet. The end result would perhaps be a more secure Cyberspace for everyone. One of the practitioners added that if we could also understand the psychology of how people think about security, perhaps we can also influence their behavior and result in the more secure outcomes.

The same answer from the group of experienced practitioners demonstrate a level of consistency in their information security knowledge and experience. They all face, more or less, the same challenges and felt that the root of the issues are mainly human related, not a technology or process problem. They all perhaps read the same literature and attend similar types of training such that they all believe on the power of awareness. Or maybe they were exposed to the same media that deliver their information as well. It also shows the stability or consistency of the information security knowledgebase, which could be inferred as the existence of a consistent baseline of understanding of the problems, and the principles for addressing some if not most of the challenges.

If the problem is so well known, and time and again surfaced to require focus on the human aspects of information security, the next question is then why the problem continues to exist and call for more attention every other year when we review the situation? What’s missing? Why can’t we have everyone become more aware and competent “securilly”?

When I posted this finding on my microblog at Sina site, one micro-blogger, who is also a fellow information security practitioner, responded that pushing for security awareness is like educating the public at large. There are so many social issues that no simple social education can resolve the problem. It takes time.

Interestingly, I watched a short documentary video on “Freakonomics” a few days ago and the question of why crimes in US decreased in the 1990s was deliberated. The short answer, according to the authors (Dubner and Levitt), was that the new generation of young people who joined the society in the 1990s were much better off economically, lived in a more coherent family, and more well educated than the previous generation, and therefore, they are less attracted to crimes. Maybe there lies the solution to the Cybercrime problem, as well as security awareness problems in today’s Internet world. Educate from a young age, create an environment that instill secure practices as the norm, including not just the Internet users-to-be, but also Internet developers and designers-t0-be so that we also get more secure applications and technology systems by default.


Written by mengchow

May 2, 2011 at 5:09 pm

Posted in Awareness

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: