Security technology cargo cult: buy more boxes (part 2)

In Part 1 we looked at the deterrence quality of security controls. It is one of three attributes of security controls that are routinely ignored, sometimes consciously but more often out of ignorance. Now we will look at another neglected attribute: awareness. When security awareness comes up, the immediate mental image is of mandatory courses, presentations and drab, unimaginative posters around the workplace. What this post is about is information security situational awareness: what is happening, where, why, and who is involved.

Security technology cargo cult: buy more boxes

Fear of reprisal is one of the most potent stimulants for action. It is also one that information security generally ignores. Instead, "improve security by buying more technology" is the prevailing course of action for most IT shops in large and small organisations. That this merely perpetuates a losing race is not a message most IT security staff are willing to concede. There is a better way to improve the information security posture of large and small organisations, and it starts by mimicking physical security, where psychology has long played a significant role.

Information security and the observer effect

The initial empirical study of the observer effect (the Hawthorne effect), which found that people change their behaviour for the better when they know they are being observed, has seen equal measures of criticism and support over the years. Whilst many of the critiques were purely academic (i.e. no dispute about the end effect, only argument over which factor produces it), a number of empirical studies also failed to replicate the original study's results. Two academic papers I have used in the past on the effect of being watched (the quantum physics observer effect transposed to real-world psychology, if you will) hold a lot of lessons for information security designers and architects, if only they will stop rolling out new boxes and start thinking about what it is they really need to do.

Cyber Europe 2010. Same lessons as Cyber Storm II and Cyber Storm III

Fresh from the press comes ENISA's final report and video clip on 'Cyber Europe 2010', the first pan-European cyber security exercise. The report underlines the need for:
• more cyber security exercises in the future,
• increased collaboration between the Member States,
• the private sector's involvement in ensuring security.
These are largely the same findings as Cyber Storm II (2008) and Cyber Storm III (2010). There is always a lot of talk about increased information sharing, but the reality remains that in the current environment you cannot share information without signing a separate non-disclosure agreement for each task force, each special interest group and each trusted information sharing committee.

Asymmetric warfare? Asymmetric definitely. Warfare? Too Early.

So we have: A person, believed to be a man, entered the "sterile" area of the terminal at about 9:30am today via the exit doors from the baggage collection area. … [T]he man was spotted on closed circuit TV entering through the exit but security staff watching monitors lost track of him once inside the terminal. Thousands of people are now being cleared out of the terminal to be rescreened by security. … The breach exposes a gap in the terminal's security for which Qantas is responsible, as there are no security officers permanently stationed at the "out" doors to watch passenger movements.

UCSF Scientists Warning About TSA Naked Body Scanners

… Sniffing dogs are what the FGBI uses for protection and they are known to be more accurate than the scanners and cost only $8,500 per dog vs $1.5 million per scanner. … Except that dogs do not have a decent lobby behind them. And everybody knows that dogs just do not look "tough on terrorism", not enough in this race to appear tougher than the next hawk, anyway. Gloria mundi went that way …