CSO Online article discusses Social Elements of Security Policy and Messaging March 10, 2009
Posted by separkin in News.
An article by Christopher Burgess of Cisco describes the “Social Elements of Security Policy and Messaging”. It is argued that IT security managers must identify the operational requirements of individuals in an organisation, and integrate security controls into the associated processes in a way that does not inhibit the work of employees.
With this, Burgess distinguishes between the various factors that may influence an individual’s security compliance and flexibility requirements within the workplace. These are identified as ‘social differences’, and serve to indicate the expectations and concerns that should be addressed when deploying security measures in proximity to specific groups of workers. These social differences are divided into geographical, cultural, generational and functional factors. As an example, the article describes the need to “deal with individuals who are entering the workforce having collaborated and communicated openly using social media and other collaborative tools” as a generational concern.
Different groups of employees have different ways of approaching business opportunities. Security managers should attempt to understand the operational requirements of these different groups, and deploy security measures accordingly. By distinguishing between different kinds of social drivers, the behaviour of employees towards security can be (to some extent) anticipated and approached in a structured manner.
Securosis’ Rich Mogull on balancing the use of historical and recent security event data March 5, 2009
Posted by separkin in News.
Rich Mogull of Securosis has posted a blog entry about “Selective Inverse Recency Bias In Security”. The article discusses some of the psychological and emotional foundations for identifying trends in security events and justifying security management decisions.
The article reiterates some truisms relating to human behaviour as a component of an organisation’s security environment (“We know that human behavior doesn’t change, people will make mistakes, and are predictably unpredictable”). However, it also serves to highlight that, in order to be objective, security managers must acknowledge their own innately human responses to security events.
Security managers should keep in mind that even with a wealth of monitoring data and preventive controls at their disposal, it is still possible that they may respond to security threats in a human way, i.e. an emotive way. Their beliefs and ‘gut feelings’ about past events will influence the management decisions they make in the moment. The Securosis article argues that an emotional investment can only serve to skew trends and data in a security manager’s mind, in a way that could potentially drive them to find the evidence that supports their emotionally-driven decisions to the exclusion of that which does not.
Shostack and Stewart’s “The New School of Information Security” discusses how security managers can consciously use fear as a tool to justify security decisions and expenditure in the boardroom. However these same security managers may also subconsciously use this fear as a tool to convince themselves of the efficacy or inappropriateness of a given approach (depending on their feelings toward it), by disregarding those events (both recent and historical) that do not support their established way of thinking (or in this case, feeling).
Arguably, security managers operate in an environment that is naturally predisposed to fear and suspicion. Previous experiences and monitoring data may be used selectively to justify management decisions that have already been pre-determined by these emotions. It is perhaps just as important then to equip security managers with the emotional tools to be able to weigh the benefits and risks of a given course of action, so that decisions are not only justified, but also rational.
Computer Weekly’s “Security Trends for 2009” January 28, 2009
Posted by separkin in News - Reports.
Computer Weekly’s Security Trends for 2009 article discusses a number of information security threats that require greater attention in 2009 due to the use of ever more flexible data-sharing practices within the workplace.
As an example, Daniel Dresner of the National Computing Centre (NCC) is quoted as saying:
“The thing that concerns me most is the idea that there is a magic door people go into when they go to work, and that you are a private person when you leave work.”
Personal and business information may flow backwards and forwards both within and outside the workplace, across seemingly inseparable and always-connected computing environments. Dresner subsequently refers to the “human firewall”, which may be perceived as an individual’s ability to monitor and control the flow of (in this case their company’s) data using their own judgement.
This judgement (the ‘rules’ of the human firewall, if we are to maintain the analogy) can of course be informed through information security training & education within the organisation. With this there is a need to align the principles of an information security policy with an individual’s own sensibilities. That is to say, if an employee should be given rules to follow by information security advisors within the organisation, these rules should be framed in terms that mean something to the individual (and not just the organisation in general).
It is equally necessary to ensure that the individual is aware of where those rules apply, i.e. that they know which information security concerns apply at a given time (e.g. ensuring that they disclose information exclusively to those who are meant to receive it, whether in the canteen, at the entrance to the company building, or in e-mails sent from a personal e-mail account). This also raises the point that in many cases security concerns are either satisfied but obscured (e.g. data marked ‘confidential’ on a “need to know” basis), or unsatisfied and omitted (“security through obfuscation”, i.e. the belief that no-one can find a security flaw if it isn’t mentioned anywhere); neither of these approaches helps those who are otherwise not paid any extra money to keep themselves adequately informed about information security as part of their day-job.
The article also discusses the problem of “insider exploitation”, essentially where an outside body influences individuals within an organisation to carry out specific tasks to satisfy their criminal ends. With the global economy suffering, it is possible to imagine that individuals within an organisation will be more susceptible to activities of this kind (e.g. through disaffection towards their employer), and that there will be an increased number of tech-savvy security specialists turned criminals willing to exploit their own security knowledge for malicious purposes.
As well as securing the technology infrastructure, organisations need to ensure that their staff comply with security policy, and that the policy accounts for the movement of staff in and out of the organisation. In this case there must be a clear statement of the sanctions and incentives within an organisation to protect data and processes, just as organised criminals (with their own increasingly sophisticated ‘business models’) will use coercion (e.g. blackmail, or threats of physical harm) and bribes to achieve their ‘business’ goals. Also, just as criminals will determine who to target within an organisation to get what they want, organisations should have a sense of who has access to what is already theirs.
Cases seen of staff being denied pay for computer boot-up time November 20, 2008
Posted by separkin in News.
An article in the US National Law Journal details cases of staff from various companies (including AT&T Inc. and Cigna Corp.) who believe that they should still receive pay for time spent waiting for their work computers to boot up. They may be resting on the argument that they find other work to do while they wait for their machines to become usable (e.g. making phone calls and arranging their work calendar), although the defendants in these cases argue that in these situations employees instead engage in “non-work activities”.
A concern that is raised from a Trust Economics perspective is that this is a simple case of computer infrastructure management decisions (specifically power-management policies) affecting user productivity in an ambiguous way. It may not be too much of a leap to imagine similar situations where information security infrastructure can have a bearing on an employee’s ability to use their workstation (e.g. waiting for virus scans of externally-connected devices, configuring security software on a machine at start-up etc.).
Charles Cresson Wood talks to ThreatChaos about the future of information security policies November 13, 2008
Posted by separkin in News.
Prominent information security specialist Charles Cresson Wood recently talked to ThreatChaos about the future of information security policies. Among other things, discussion touched upon the importance of user education within the organisation, and the use of expert systems and instrumentation to automatically determine policy compliance.
Security Experts Discuss ‘Conventional Wisdom’ November 12, 2008
Posted by separkin in News.
A recent Network World article rounds up a number of experts from the field of information security to discuss some of the prevailing beliefs that they encounter. The article covers a series of interesting topics, such as regulatory compliance (“You can be extremely secure but not compliant. Just as you can easily be compliant but not secure.”), the virtues of open source software, and the measurement of security Return-on-Investment (ROI).
One particular section focuses on the training of employees to behave in a more secure manner. As one of the experts, the 451 Group’s Nick Selby, points out: “… resisting social engineering is really, really hard, as most people you’d want to hire are socially disposed to try to be, at the very least, helpful”. If the goal of an organisation is to train its staff to behave in a more predictable and security-conscious manner, care should be taken not to stifle the ‘human factor’ altogether (unpredictable behaviour does not necessarily always produce bad results). It is often this same ‘human factor’ that is relied upon to further the prospects of the organisation.
RSA’s Art Coviello warns of the perils of IT security regulations November 5, 2008
Posted by separkin in News.
A Computer Weekly article discusses comments made by RSA’s Art Coviello during the RSA Europe Conference 2008. Discussion focuses on Coviello’s view that an urgency to comply with industry regulations is distracting security practitioners from those security projects which may serve the ambitions of the organisation. As the article puts it, “regulation has to be focused on an intended result and not on a prescriptive list of controls”.
These comments highlight the need to consider how the implementation of industry regulations should be approached on a per-organisation basis, so as to benefit an organisation in its pursuit of specific productivity targets without putting unnecessary barriers in the path of the activities that ultimately contribute to those targets. Furthermore, a reasoned and transparent consideration at board level of how regulatory compliance should be approached would help to clarify instances where resources are being diverted away from security projects towards compliance procedures.
Demos Report Highlights the Value of Social Networking for Businesses October 30, 2008
Posted by separkin in News - Reports.
A recent BBC article discusses the ‘Network Citizens’ report (published by the Demos thinktank) about the value of allowing social networking applications to operate within a business environment.
It is argued that by allowing employees to use social networking tools within the workplace, they are essentially able to forge and utilise interpersonal connections that have potential business value. Furthermore, social networking tools negate the restrictions that a person’s physical location would otherwise place upon their ability to meet and communicate with potential collaborators both within and outside of their work environment.
It is important to identify the potential for social networking to further the ambitions of business, and as such one of the report’s authors, Peter Bradwell, states that the use of social networking tools “must be tied to a business goal”. The authors go on to say that guidelines must be put in place that define ‘appropriate use’ of social networking tools.
With regards to information security management, Mr. Bradwell comments that:
“In today’s difficult business environment, the instinctive reaction can be to batten down the hatches and return to the traditional command-and-control techniques that enable managers to closely monitor and measure productivity.
“Allowing workers to have more freedom and flexibility might seem counter-intuitive, but it appears to create businesses more capable of maintaining stability.”
If an organisation were to adopt the aforementioned change in approach, it would be necessary to educate staff regarding their information security obligations, and determine exactly what information they have access to.
Staff should be educated to ensure that they are aware of the information that they have access to within the organisation, why that information is important to the organisation, and what the consequences would be (both for the individual and the organisation) should they disclose the information using social networking tools.
The difficulty here would be in finding a balance between:
- the potential benefits to the business of allowing staff to communicate information to other parties in a context where connections can be rapidly (and perhaps tenuously) established (e.g. new business alliances, greater cohesion amongst staff, instigation of new and different projects), and
- the potential losses (e.g. disclosure of sensitive data, time lost to unproductive or otherwise ‘pointless’ networking connections).
Just as risk assessment has become an integral part of information security management, it may be that ‘benefit assessment’ becomes just as important to those businesses that allow their workforce greater operating freedoms.
UK ICO warns that “information can be a toxic liability” October 29, 2008
Posted by separkin in News.
The Office of the UK Government’s Information Commissioner has released a press release to coincide with a speech given by Information Commissioner Richard Thomas. The speech highlights some views towards the handling of personal data within organisations.
Two opinions expressed by Mr. Thomas are especially pertinent to Trust Economics:
- Top-level directors should take more responsibility for the protection of personal data held by their organisation within databases etc. This includes demanding that appropriate data security policies be put in place, that privacy be built into software applications used within the organisation, and that employees be suitably trained to manage data security risks. In relation to Trust Economics this implies both that workable policies be enacted and that, in a general sense, company staff be educated not only in how to interact with the security controls that protect the data they work with, but also in the procedures to follow when those security controls fail (some activities have possible negative consequences that make them seem ‘risky’ in the first place). Mr. Thomas asks “How many staff do not tell their managers when they have lost a memory stick, laptop or disc?” – just as it is important to learn from reported data breaches, it could be equally useful to gain an understanding of the behaviour and working culture that promotes silence on the subject in so many cases.
- An increased capacity to store personal data can have its own associated risks (to the degree that Mr. Thomas refers to information as a “toxic liability”). With this it could be argued that organisations should develop a greater awareness of what their system users are capable of achieving with the data that they have access to. Instead of securing data to the point of making interaction with it impossible, organisations should seek to allow potentially productive access to personal data only if and when necessary, and when it is necessary, it is important to have an informed understanding of what an employee can then do with that data (and just as importantly how and why they may do what they do).
There is also a BBC article that discusses Mr. Thomas’ speech.
RSA Insider Confessions Report October 23, 2008
Posted by separkin in News - Reports.
A report published by RSA in 2007 (‘The Confessions Survey’, available here as a PDF) identifies some of the things employees can do which have the potential to adversely affect the security of their organisation’s data (e.g. holding secure doors open for strangers, or e-mailing company data to a personal e-mail address for access at home).
Statistics are included which distinguish between the behaviour patterns of the two groups of employees that were surveyed (‘Government’ and ‘Enterprise’). This in itself goes some way towards illustrating that a one-size-fits-all approach to security does not necessarily apply to both public and private organisations, and that the work cultures (i.e. the accepted or encouraged patterns of employee behaviour) in different kinds of organisations should be considered when setting the information security policy.