Computer Weekly’s “Security Trends for 2009” January 28, 2009

Posted by separkin in News - Reports.

Computer Weekly’s Security Trends for 2009 article discusses a number of information security threats that require greater attention in 2009 due to the use of ever more flexible data-sharing practices within the workplace.

As an example, Daniel Dresner of the National Computing Centre (NCC) is quoted as saying:

“The thing that concerns me most is the idea that there is a magic door people go into when they go to work, and that you are a private person when you leave work.”

Personal and business information may flow backwards and forwards both within and outside the workplace, across seemingly inseparable and always-connected computing environments. Dresner subsequently refers to the “human firewall”, which may be understood as an individual’s ability to monitor and control the flow of (in this case their company’s) data using their own judgement.
This judgement (the ‘rules’ of the human firewall, if we are to maintain the analogy) can of course be informed through information security training and education within the organisation. With this there is a need to align the principles of an information security policy with an individual’s own sensibilities. That is to say, if an employee is given rules to follow by information security advisors within the organisation, those rules should be framed in terms that mean something to the individual (and not just to the organisation in general).
It is equally necessary to ensure that the individual is aware of where those rules apply, i.e. that they know which information security concerns apply at a given time (e.g. ensuring that they disclose information exclusively to those who are meant to receive it, whether in the canteen, at the entrance to the company building, or in e-mails sent from a personal e-mail account). This also raises the point that in many cases security concerns are either satisfied but obscured (e.g. data marked ‘confidential’ on a “need to know” basis), or unsatisfied and omitted (“security through obfuscation”, i.e. the belief that no-one can find a security flaw if it isn’t mentioned anywhere); neither of these approaches helps those who are not paid any extra money to keep themselves adequately informed about information security as part of their day job.

The article also discusses the problem of “insider exploitation”, essentially where an outside body influences individuals within an organisation to carry out specific tasks to satisfy its criminal ends. With the global economy suffering, it is possible to imagine that individuals within an organisation will be more susceptible to activities of this kind (e.g. through disaffection towards their employer), and that there will be an increased number of tech-savvy security specialists turned criminals willing to exploit their own security knowledge for malicious purposes.
As well as securing the technology infrastructure, organisations need to ensure that their staff comply with security policy, and that the policy accounts for the movement of staff into and out of the organisation. There must be a clear statement of the sanctions and incentives within an organisation for protecting data and processes, just as organised criminals (with their own increasingly sophisticated ‘business models’) will use coercion (e.g. blackmail, or threats of physical harm) and bribes to achieve their ‘business’ goals. And just as criminals will work out whom to target within an organisation to get what they want, organisations should have a clear sense of who has access to what is already theirs.
