Security is a people problem - right?
Let's face it - the one thing you can't predict with any accuracy is people's capacity for stupidity.
The organisers of Infosecurity Europe 2003 found that 90% of office workers would reveal their passwords to a questioner at Waterloo Station in London. This is up from last year's 65%. What the survey tells us is that social engineering is a real threat, that it is getting smarter, and that management is not addressing it. Shame on you all who have this responsibility.
You do not have to be a security expert to understand security basics. Human instinct usually prevents us from handing over personal assets to a complete stranger, and most of us manage to lock the door on the way out - some, though not all, might even set the alarm.
Many people self-insure, assessing risk based on the law of averages (the "it won't happen to me syndrome") and living with the costs themselves. The problem is that the law of averages is a variable based on the situation in which one finds oneself. The lady who lives next to me was burgled when she walked the dog in the afternoon. She has an alarm fitted, she just didn't think that she needed to set it for the time she would be out. Two messages here - a) be aware of current threat profiles, and b) be aware of peak risk periods.
The most popular passwords are the usual suspects: people's names, team names, birthdays and almost amazingly still, er..."password".
Despite these, it seems that 64% of us, according to a recent Rainbow Technologies survey, write our passwords down. This, the survey goes on to say, is because of the number and frequency of forced password changes.
What strikes you is that in corporate-land and in the community, we are failing our citizens to our own detriment. There is a woeful lack of awareness campaigns in information security programmes. People need constant reminders. People need to know what the threats look like.
The most visible examples of awareness campaigns in action come from London Underground and BAA, who constantly make their users and staff aware of threats through posters and tannoy announcements. This is what is required elsewhere, but it is not being done.
Where information security can differ is in the delivery. Is security a people problem? Talk to Dr James Backhouse, who heads up the Computer Security Research Centre at the London School of Economics. He will tell you that security is not about people but about behaviour.
This is why it is important to architect systems that remove as much of the people input as possible and to apply heuristic techniques to the policing of workflow, with the capacity to execute responses in real time. This leads us to a more predictable environment in which the vagaries of behaviour, and the ability of external forces to manipulate it, are substantially reduced.