Sep 12

Data connections for travel in Europe

The Need

If, like me, you are travelling across Europe with your tablet, smart phone or laptop you too probably also want to be able to tap into the extensive and relatively fast mobile network. After all, Europe is a relatively small place, and getting a pre-paid 1 or 2 GB Data SIM, that can be topped up and that works across all or most  (at least EU member) countries SHOULD be possible…

The Reality

The reality is that European telecommunications is fragmented and regionalised (by country)  such that T-Mobile Germany, is a separate entity from T-Mobile Austria, etc. and will charge you roaming fees for data access, which can be ruinously expensive, depending on the arrangements between the companies. To make things more frustrating, some companies require a European (sometimes even a credit card issued by a local – French for example – bank)  credit card or a residential (non hotel) address and a national identity card before you can get a prepaid data SIM. In short – data roaming arrangements across Europe suck big time.

The Future

Having spoke to the crew members on the River Princess, I was informed that my initial research and information is correct, and that yes, most of the data and telephony in Europe is great inn the country where your carrier is based and sucks elsewhere. However, all that is et to change sometime mid 2014 when EU laws are likely to come into effect and, as far as I can tell,  force no-fee roaming for voice and data across all of EU member countries. Only time will tell how quickly the situation improves

In the meantime.

In the meantime there are a few things we can do to make our lives easier and cheaper.

  1. Turn off mobile data and data roaming on all of your phones and tablets. roaming data is charged at cents per kilobyte (yes kilobyte), so that a small amount of data like 1.8 MB (1800K) can cost on the order of  40AUD.
  2. Use SMS to communicatate
  3. Many cafe’s and hotels offer free wifi. Use it.
  4. Prepare your posts/messages in batches and upload/send them when you can.
  5. If you are staying primarily in one country, get yourself a data SIM for that country. Remember to switch it out when you cross borders…

Sep 07

Technolgy is wonderful. Until it is not.

Technology is such a wonderful thing, until it it not.

As some of you might know, I am overseas. Travelling across Europe. Taking a lot of pictures, and generally enjoying myself.

The problem arose a few days ago, in a small German town called Deggendorf. The older, smallish 250GB HDD in my laptop started misbehaving and throing bad sectors. Sign of old age. Anysways, I could not trust it…  So… I found a lot about a whitegoods, audio visual and technology store and store called MediaMarkt, their idiosyncratic behaviours and  had a glance at how European technology supermarkets (Harvey-Norman/Dick Smith equivalents) price items.

The upshot of this is that the laptop has been thoroughly backed up, has had its data storage surgery and is now much happier, running with a slightly slower but new and hopefully more reliable 1TB HDD.

Because I am running a Linux based system, I was able to simply mount a new drive in an external drive case, partition it up, mount things up in a new hierarchy, rsync everything across form one disk to another (excluding some runtime ephemera, and avoiding the one partition with bad sectors) and then to invoke some grub magic and fix up the fstab.  It worked really well, and with minimum of pain.

Everything seems to be running smoothly and the bad sectors on HDD ‘ate’ only 25MB CR2 file one of close to 5000 photos. It is annoying but not a disaster, as I shoot in both JPG and RAW/CR2 format in parallel.

More about the trip can be found here.

 

Jul 02

Something Different: Invictus

There are time where a bit of potery is good for the soul.

Invictus

Out of the night that covers me,
Black as the pit from pole to pole,
I thank whatever gods may be
For my unconquerable soul.

In the fell clutch of circumstance
I have not winced nor cried aloud.
Under the bludgeonings of chance
My head is bloody, but unbowed.

Beyond this place of wrath and tears
Looms but the Horror of the shade,
And yet the menace of the years
Finds and shall find me unafraid.

It matters not how strait the gate,
How charged with punishments the scroll,
I am the master of my fate:
I am the captain of my soul.

William Ernest Henley (1849–1903)

Jun 26

Consequences and “Risk Appetite”

Philosophy of Security, part 8 – Risk Management – Consequences and “Risk Appetite”

So far, looking back at security discussion series in part 7 we took a side trip to explore a different way of looking at vulnerabilities called the Attack Surface.

Earlier, in part 5,  we have looked at the overall Risk Management process using AS/NSZ 4360 Risk Management standard as an example of a well documented process and methodology and in part 6 we discussed the concept looking at of  risks as combination of  Vulnerabilities and  Threats.

What I would like to do next is to explore the consequences of a risk event, and the concept of  “risk appetite” (also known to some as “risk tolerance”).

Consequences

Consequence of an event is a collective term used to describe the outcome of  an event and impacts of that outcome .

Whenever a threat or a risk comes to pass, the event has some outcomes. What actually matters to most organisations and individuals (and is therefore the focus of Risk Management and Risk Analysis efforts) is what  impacts these have  have on the business systems, processes and assets (including reputation and customer goodwill).

Outcomes

The outcomes by themselves are simply objective observations on what actually happened.

Impacts

However objective and factual the statement of outcomes of an event might be, what is critical to most organisations is the impact of the event, that is how the event affects a system, a process or an asset. The impact to reputation of an organisation (an asset) from a simple and minor flaw in an on-line ordering system may actually be very high.

In all cases it is the owners and stakeholders (who have been identified in the context setting phase of the Risk Managemnt process) of the impacted systems, processes and assets  who are responsible for deciding and communicating what is the level of impact of a set of events.

Examples of events, outcomes and impacts:

Event  1: Warehouse burglary

  • Outcome: a warehouse was broken into, doors are damaged and 100 flat screen television sets were stolen
  • Impacts:  financial and potential reputation damage:
    • warehouse insurance (if we have any) premiums will go up;
    • need to pay to repair damage to the warehouse;
    • need to replace lost stock;;
    • can’t service customers orders on on time, which affects our reputation as a reliable trader;

Event 2: exploitation of a flaw in a web application

  • Outcome 2: an external party to obtained personal information about some of the organisation’s clients.
  • Impact: loss of reputation, incident recovery  costs, software update costs , loss of client base.
    • reputation of the organisation will be damaged and there will be a need to handle the matter carefully to prevent widespread loss of customer trust.
    • there is a need (this is a legal requirement in some jurisdictions ) to notify customers whose details have been accessed. This process can be quite embarrassing for the organisation and for the the clients,  causing them to leave.
    • need to cater for large volume of calls to the support call centre
    • need to restore the server from backups, because we need to be certain that there is no malicious code running on our server
    • need to develop and apply a patch the faulty software

Event 3:  natural disaster – flooding

  • Outcome: an area is flooded, buildings cannot be accessed and are without electricity
  • Impacts: business continuity plans (if any) invoked; sites and systems are inoperative;
    • reduced capacity for, or loss of,  customer services;
    • reduced capacity for, or loss of,  production and distribution of goods;
    • costs of infrastructure recovery;
    • cost to replace lost stock;
    • insurance (if we have any) premiums will go up;

As we can see above the can be quite difficult to keep the natural language used for describing consequences consistent.  Also we need to recognise that event the same example will cause different people to react very differently to some of the impacts. This becomes even more pronounced when we start to deal with a specific industry such as mining, health and medical services or  information technology services, where certain  words (like “infrastructure” for examaple) have very specific but very different meanings.

This is why many industry specific risk management and security standards and methodologies have introduced  specific terminology to help define the impacts of events. For example the AS/NZS ISO/IEC 27002:2006  series of Information Technology security standards uses the Confidentiality – Integrity – Availability triad of attributes of a systems, processes and assets, to describe impacts of events. Vast majority of ICT security and risk management standards follow the same pattern.

Closer to Home: language for consequences in the Information and Communications Technology Systems

In the Information and Communications Technology (ICT) risk management the terms  Confidentiality, Integrity and Availability have a specific meaning:

  • Confidentiality – the information held within a system, a process or an asset is held and processed in such a way as to be accessible only to the authorised users. In this context, confidentiality is a necessary condition for privacy of data.
  • Integrity – a system, a process or an asset behaves in a consistent manner, that was intended by its designers and that no data is being modified in an unintended fashion without that modification being detected.
  • Availability – a system, a process or an asset, and the services and the information they hold and process  is available for use by authorised users as required and when required.

Note : Personally, when dealing with ICT systems  I like to add another attribute: “auditability”.  In this context auditability refers to the ability of the owners and stakeholders of an ICT based system, business process or an asset to satisfy themselves that the levels of confidentiality, integrity and availability are  maintained in line with their business requirements.

Risk Appetite

“I don’t care about that”  is a valid risk management statement, provided the person or the organisation using this method have high enough level of risk appetite.

“Risk Appetite”  (also called “Risk Threshold” by some)  is simply a measure of how much risk a person or an organisation is prepared to live with before they will commit resources to mitigate these risks associated consequences. In a It is an expression of a particular type of cost-benefit analysis which pits potential costs and consequences of an event, againt the costs of attempting to minimise the chances or reducing the impacts.

Unless there is a legal or contractual requirement to deploy certain kinds of security measures, or to minimise certain kinds of risks, the decision on how much risk to accept and which need to be treated is a decision that is the responsibility (and a privilege of sorts)of the the owner of a system, a process or an assets.

Given the variable risk appetite  of various organisations and individuals (based on the varied perception of the severity the consequences of an event) involved in a risk management process, it is our goal to provide ( as far as is possible) an objective and unbiased assessment of the risks, their likelihood and their potential impacts, because that will be the information that will be used to make decisions about severity, risk prioritisation and risk treatment. Some of the below pointers might be helpful in achieving this aim:

  • use a consistent risk analysis methodology
  • be aware of biases in your own perception of risks
  • where possible, attempt to use quantitative methods to estimate the likelihood of each risk (how likely it is to happen)
  • be (as far as we can)  objective in describing the  outcomes of an event
  • engage the asset owner and other stakeholders when working out the impacts and grading their severity, as different people will have a different focus and different views
  • not all risks can be eliminated or reduced. All risks can, to some extent,  be managed.

I will discuss the various methods for risk treatment and management, in the next instalment of this series

Jun 25

What is an “attack surface”?

Philosophy of Security, part 7 – Risk Management – What is  and “attack surface”?

In part 6 we have discussed threats and vulnerabilities, their relationship with each other and with overall idea of risk. This post is a small side trip to explore a related concept.

There is  a related concept, that is often used in information technology systems risk analysis. This concept is is very closely related to the concept of vulnerability and is called “attack surface”.

While attack surface  has originated from software systems analysis,  it  is equally applicable other systems, to processes and physical assets and can be used as a useful abstraction,  a different way of thinking about vulnerabilities and their associated potential for exploitation.

Attack surfaces:

To put it simply, an attack surface is a measure or a description of how many  features or a functions of a system, a process or an asset can be accessed by an entity in a way that can be used to discover and exploit a vulnerability in that feature.

All attack surfaces need to calculated or estimated in the same context as our analysis of threats context of our risk management.

To illustrate this concept with a couple of simplified examples:

  • Physical asset such a a storage warehouse is used for storing of valuable electronic goods that we have imported at form a land far away.  This warehouse has a truck gate, a personnel access door and some windows. The gates doors have locks on them, while the windows are high up in the walls and have plain glass panes in them. Once the warehouse is locked up for the night, a potential thief appears. What vulnerabilities can the thief exploit to get at warehouse quietly and efficiently? The thief could exploit the vulnerability in the locks and unlock the doors or simply climb up the walls and go in through a window, by cutting the glass. Therefore we conclude that the attack surface of the warehouse are the the doors, locks on the doors and the windows.
  • A computer  system such as  web application server, the vulnerability lies in the fact that an external or an unauthorised user has a way to access various features and functions of the server is via services,  user input fields, interfaces and protocols, and to use them to attempt to subvert the system. Therefore the attack surface of a web server  is comprised of the externally accessible user input fields, interfaces, protocols and services.
  • An benevolent organisation of some sort (please indulge me, here for sake of an example)  has a process for issuing of a new energy efficient entertainment widgets to all citizens  in a particular city. They wish to one gcomputer ive everyone, but they only wish to give out one per person. The idea is that the only way to get this new widget is to fill in a form and turn it in, in exchange for the item. The process a person returning a filled in form that  has been sent to each household, in return for the new widget.  The attack surface of this process is the form and the form verification sub-process (if any). This is because if there is no way to uniquely identify each form, and to weed out duplicate claims, someone could manufacture a  number of fake forms and obtain a number of widgets.

Reduction of attack surfaces.

The basic response to “features” included  in an attack surface, is reduction, be removal of external access to the potentially vulnerable points of the system, process or asset. This process reduces the number of potentially vulnerable entry points,  but does not mitigate against damage that can be done if a vulnerability in the system is found and exploited.

This can be done for both existing systems processes and assets:

  • In case of the web server we might choose to disable  or block access to unnecessary services and protocols, and remove any unused or unnecessary software from the server.
  • In case of the warehouse we might choose to apply shutters over the windows, thus removing them as potential points of entry.
  • In case of a process, the name and address of the person who is claiming the widget could be checked against a form of photo ID and the issue recorded recorded in a database, allowing fake claim forms to be detected and dealt with.

Also being able to measure attack surface of a system, process or of a physical asset during development time, will lead to a more secure product :

  • A new warehouse design could eliminate windows, thus eliminating them as a n access point (a vulnerability).
  • In case of a web web application that is under development, the attack surface analysis will identify all the externally accessible user input fields, and programmers will proceed to add user input validation routines on those fields, thus reducing the risk of exploitation, resulting in a more secure system.
  • In case of a business process development, we might require that each form have randomised  serial number printed on it,  and that these be recorded so that so that each form could be verified (perhaps in an automated fashion to save form processing time and effort) at the time it is handed in. This would prevent faked forms from being used to claim more than one widget per person.

Jun 25

Risk Management – Threats and Vulnerabilities

Philosophy of Security, part 6 – Risk Management – Risks: Threats and Vulnerabilities

In previous part, Part 5 of this series we discussed the general approaches to Risk Management. In this part I wish to take a closer look at the heart, and technically, the most difficult part of the process – Risk Analysis – and specifically dealing with risks as expressed as a set of  threats and vulnerabilities, and the interaction of the two, which provides an insight into likelihood of a risk event coming to pass.

Vulnerabilities.

Vulnerability is as a flaw in the business  systems, processes and assets that are the subjects of the risk analysis process, or in the environment where these systems operate  While there are many types of vulnerabilities,  in general they can be grouped into three categories:

  • Technical vulnerabilities – are generally flaws in the production process  and/or  design flaws in a business system or a set of security or risk controls around an asset (such as a door lock, an operating system, a web server, a telephone exchange unit or a mechanical mail handling device) that can be used to subvert the to system or control in order to cause it behave in a fraudulent fashion or to deliver an outcome other than was intended by the business owners of the system or the asset.
  • Process vulnerabilities – these are the flaws  found in processes, (such as gaps in validation,  gaps in document handling, unsafe assumptions, and the like) which can be used to subvert the process  in order to cause it behave in a fraudulent fashion or to deliver an outcome other than was intended by the business owners of the process.
  • People and Social vulnerabilities  – these “flaws” are unwanted and often unintended behaviours, that arise from social, psychological and cultural conditioning (such as politeness, and helpfulness of the people who carry out the processes or operate the systems, which can be used to to subvert the system or the process  in order to cause it behave in a fraudulent fashion or to deliver an outcome other than was intended by the business owners of the process.
  • Environmental vulnerabilities – the features of the environment in which the business systems, processes and assets have to operate, which can ins ome way be used to the detriment of these systems, processes and assets. For, example when choosing a site for a major data centre, a location within 50 year flood line on a major floodplain might well be seen as an environmental vulnerability to a flood.

Potential for exploitation of vulnerability generally expressed as a simple phrase such as “unlikely” or “highly possible” or a numerical value is the main outcome of vulnerability analysis. This potential is based on how easy it is to exploit the vulnerability given the current set of  security and risk controls in place, and the actual nature of the vulnerability.

Threats.

Threats are events which present a danger to, or have a detrimental effect on,  the business  systems, processes and assets that are the subjects of the risk analysis process.

  • Exploitation of a vulnerability – This is the threat that arises from a person or an organisation attempting to use the the existence of a vulnerability in business  systems, processes and assets.  An example of this would be a theft from a room with a poorly constructed lock or a website defacement where the web server had a well known flaw.
  • Direct Threats: – These threats are the direct action by a person or an organisation  to take direct action against business  systems, processes and assets.  An example of this would be deliberate and targeted action such as arson, a robbery or a burglary aimed to obtain a particular item, or even a so called “spear-fishing” cyber-attack campaign.
  • Indirect Threats: – These threats that arise form the effects of the actions of a person or an organisation, where these effects have a detrimental to the business  systems, processes and assets. This can take form of a  new legislation, political instability and similar.
  • Environmental Threats – These are environmental disasters such as floods, earthquakes, fires and the like. These threats do not have a human actor in it.

Probability of occurrence is the most critical part of the risk analysis. In this part, the methodology must be rigorous and as much as possible to rely on quantitative methods  in order to avoid the natural human bias in estimation of probability of the occurrence of threats.  This calculation must take into account  the current set of  security and risk controls in place.

Putting it all together: the likelihood of a risk.

The most appropriate measure of how likely it is that a risk event will be realised is derived form a combination of the potential for exploitation of a vulnerability and the probability of occurrence of a threat, combined with the effect of the current set of  security and risk controls in place.

Most risk management frameworks and provide a set set of guidelines on how to calculate and consistently describe the resulting likelihood or a risk, and how to make use of the resulting information.

Notes on Risk Analysis:

Context:

All the threat and vulnerability analysis and evaluation must be done the in context  that has been set at the outset of the risk management process. Otherwise the results will be inconsistent.

Methodologies:

 Pick a well documented Risk Management standard, which is relevant for the for the type of risk management you are undertaking (there are separate standards that relate to ICT systems risk management, medical systems risks management, etc. ) Use of a well documented standard provides a well understood and documented risk analysis methodologies. Adoption of a well documented standard makes it easier to find reference materials, and to get skilled peer review and overall acceptance of the results.

 The aim is to use the the same methodology for all risks analysis unless there are very good reasons to change to another standard.  If we wish to compare the results from different methodologies, we need to bear in mind that a change to methodology, will naturally lead to inconsistent results in risk analysis.

 This fact, along with needs to be kept in mind when comparing the results produced under two different methodologies such as AS/NZS 4360 and that in the  ISO 31000 series.

 Conversely, results of analysis in undertaken within two different organisations but using similar contexts, and using the same risk management framework can be compared with a reasonably high degree of confidence.

Jun 18

Psychology of Fear and Safety

Philosophy of Security, Part 4 – On psychology of fear and safety.

In part 1 and part 2 of this series, I have looked at, in very general terms, what security is about and why we bear the costs associated with it.

It has occurred to me that before we can move onto discussion of risk management and moving on to the more practical advice in terms of  risk management strategies,  information security strategies or tools and techniques, we need to consider the psychology of trust and psychology fear and safety. This is  because perceptions of safety and feelings of fear are vital in understanding risk-based decisions.

Part 3 of this series dealt with concept of trust and factors that influence levels of trust.

This article deals with  fear and safety.

About Fear

At the very core, fear is an emotional and physiological response that is induced by perception of being under a threat of some sort. The threat need not be real to elicit the fear response. We merely have to feel or believe that we are under threat.

Fear, as an emotion that has kept humans, and other animals alive for alive for hundreds of thousands of years, and our bodies have adapted very well to reacting to threats and fear they produce with a very strong physiological response called  “flight or fight response”.  It is an ancient survival mechanisms, whose influence we feel even today.

Unfortunately in most ways, out fear responses have not kept up with the rapid social and technological development of the last ten, twenty , one hundred or even one thousand years.  Evolution simply does now work that fast, and in in that time, especially in last fifty or so years,  our societies, technology and world view in general have become far more complex, than our minds can process in as short a period of time as it takes for the hard wired fear responses to kick in.  As mentioned before  fear driven by the perception of being under a threat of some sort,  and in today’s world the number of things that can be potentially perceived threats have become far higher more varied than the the basic “there is a sabre tooth tiger out there in the tall grass” for which we are prepared by evolution.

About Safety

Safety is a state of being protected from threats and harm that these threats bring.  As such safety is a state in which by large, fear is not being induced.

There are several types of safety to consider:

  • Normative safety – Normative safety is when a product or design meets applicable design standards and protection.
  • Substantive or objective safety  – this type of safety occurs when the real-world safety history is favorable, whether or not standards are met.
  • Perceived or subjective  safety – Perceived or subjective safety refers to the level of mental and emotional comfort of users.  For example, traffic signals are perceived as safe, yet under some circumstances, they can increase traffic crashes at an intersection. Traffic have a generally a better safety record than traffic signals but are often seen as difficult to navigate and thus make drivers nervous.

In many ways the perceived safety can be seen as a relief from fear regardless so the normative or substantive safety of the object or a situation . For example:

  • After the September 11 terrorist attacks, many people chose to drive rather than fly, despite the fact that, even counting terrorist attacks, flying is safer than driving.
  • Similarly, the perceived threat of injury and the resulting fear discourages people from walking and bicycling for transportation, enjoyment or exercise, even though the health benefits outweigh the actual risk .

Manipulation of perception – Manipulation of fear and safety

The propensity for human beings to experience fear, and the strong physiological and psychological  reactions that being placed in a  situation that our minds perceive as sort of a threat have been manipulated and exploited in politics, and by the advertising and news media, in order to cause us to act or thing a certain way. For example:

  • An add or a sales letter will work to create an impression that the product and/or service on offer is scarce, and play on the fear of our missing out on a good deal, in order to induce us to buy. The product or the service, apart from the  inherent value appeals to our perceived state of financial safety.
  • Political advertising often plays on the fear of “other”, crime or similar in order to get us to vote a certain way, or to behave a certain way, witch is beneficial to the political cause who commissioned the ad
  • News media is mostly concerned with the news of bad events near and far. This is because we are curious creatures and we are geared through evolution to attempt to understand the threats in  the world around us better.  After all a headline of “Six billion people had an uneventful day” does not evoke the same emotional response as “Thief breaks into 3 homes”. 
  • Implied presence of a threat of threats and resulting feeling of unease and fear is often used to market “security” products and services, which are designed to provide a certain amount of normative and substantive safety, but also provide a level of of perceived safety, often in excess of the product’s effectiveness.

To make things worse, research has  shown repeatedly,  that our own experiences, and the constant exposure to bad news causes us to become bad at estimating the actual, as opposed to the imagined probability of threats coming to pass. Instead we focus our attention on,  and give greater weight to, the things that we are bombarded with in news and media.  Because of this we end up making fear driven decisions, resulting in a much higher or a much lower level of perceived safety, than the circumstances actually warrant (see traffic lights and roundabouts)

I will talk more about a set of processes that we can use to counteract this particular perception bias in my discussion of risk analysis.

Jun 16

On Psychology of Trust

Philosophy of Security, Part 3 – On psychology of trust.

In part 1 and part 2 of this series, I have looked at, in very general terms what security is about and why we bear the costs associated with it.

It has occurred to me that before we can move onto discussion of risk management and moving on to the more practical advice in terms of  risk management strategies,  information security strategies or tools and techniques, we need to consider the psychology of trust and psychology safety. This is  because perceptions of trust are vital in understanding risk-based decisions.

This article deals with the concept of trust.

Trust relationships.

Any trust relationship is,  at the very core, a relationship between:

  • the trusting individual, organisation or a social group party  – the trustor
  • the trusted individual, organisation or a social group – the trustee

It is a relationship which implies that:

  • there is  willingness on the part of the the trustor to be vulnerable in some way; and
  • that the trustor holds some form of  positive expectations of the the trustee.

It is important to note that in many ways the level of trust placed by the trustor in the trustee is a measure of their belief in the benevolence, also expressed as a belief in fairness and honesty, the ability or competence and the integrity, or congruence and consistency of behaviour, of the trustee.

What factors influence trust.

The research in this are shows that that the factors that influence trust are influence trust are groups into three broad categories, which are generally called ability, benevolence and integrity.

As a trust factor ability, also referred to as “competence” is the measure of what the trustor thinks and believes is the trustee’s ability to act in a certain way.  Ability as a factor tends to be focused on how reliable,   knowledgeable and responsible the trustee is.  Ability is therefore most commonly associated with thought an belief (also called ‘cognition-based’) trust decisions.

Benevolence is focused on the emotional bond between the trustor and the trustee. It is created by the feeling created by expressions of genuine care and regard for each other’s welfare, and implies a sense of empathy, rapport and union. As such benevolence is most commonly associated with  an emotionally based (also called  ‘affect-based’ ) trust decisions.

Integrity is a mixture of thought/belief and emotion based trust and revolves around how the trustor perceives the actions of the trustee in terms of ethical and moral values and principles, such as honesty or behaviour that is congruent with stated goals and values. The perception of the integrity of the trustee can influence both the emotional and thought-belief based trust decisions made by the trustor.

Types of trust relationships and importance of factors

The type of trust relationship will determine which factors play a greater role:

  • In case of  a downward trust judgement, such as a relationship between employer with an employee, the largest relative weight is placed on the employees ability and integrity.
  • In case of upward trust judgement such as relationships such a an individual and a commercial organisation or an employee and an employer the greatest weight is placed on benevolence and integrity of the trustee.
  • In peer to peer relationships all three factors appears to play equally important role.

There exists a a kind of a trust relationship called  “confidence“. This type of trust relations most often appears in commercial relationships, where confidence is most commonly grounded in the beliefs in the ability and track record  of  the other party. In these types of relationships  contractual arrangements replace the need to consider the feelings or beliefs  about benevolence and integrity.

Other factors that influence trust judgements.

  • Worldview ­ and attitudes – personal, political and cultural values.
  • Infrastructure  – ­ social and economic infrastructure.
  • Social norms – people look at the behaviour of those around them to guide their own actions.
  • Autonomy ­  – the level of choice an individual feels hey have.
  • Priorities ­  – an individual may need to focus on different concerns in their life (e.g. financial worries).
  • Perceived costs and benefits of a transaction.

As an interesting side note, some research shows that in general a failure or a breach of a trust relationship is much less damaging and more easily repaired and/or forgiven if it is perceived as a  failure of ability or competence, rather than a breach of integrity or benevolence. Why that might be is beyond the scope

Jun 13

Why do we do security?

Philosophy of Security, Part 2 – Why do we do “security”?

In Part 1 of this series we have looked at a high level concept of what it is that we are dealing when when we talk about security.

No matter what else you might think on this topic, there is one fact about security that most, if not all of us agree on:  Security costs a lot of money. Having “security”,  in whatever form it takes, costs the businesses both time and money. This impacts a business’ bottom line and eats into profit margins.

  • Security costs us time in the sense of ensuring your business processes have built in protection for you and your customers (such as requiring passwords or that customer data is not left lying around on desks where someone can easily access it).
  • Security costs us money in terms of investment in safes, locks, secure storage services, firewalls, guards, etc.

So why do we do security?

There are three broad reasons why we expend time and money on security:

1. Regulatory and/or contractual obligations

This is the easy to spot and an obvious case, but one that is often the most expensive to comply with. Quite often the kinds of security tools, and the types of business processes are seen to provide compliance and are specified as part of the regulation and/or contract. This makes certain types of security mandatory.

  • Government regulations, such as the various privacy laws (e.g. Commonwealth of Australia Privacy Act 1988 ), which dictate what we can and can’t do with information entrusted to us by our customers, and that we must protect that information.
  • Banks and other financial institutions require on-line merchants have certain security measures in place before they will allow those merchants to take and process credit card transactions on-line, and often  these measures are part of the contract you have to  sign to gain access to the merchant facility. Payment Card Industry (PCI standards) standards are an example of contractually mandated security .

2. Customer/Supplier expectations:

Our customers and suppliers expect us to behave in a certain way, a way that implies that we will protect their information (personal or commercial) from being seen by other people and organisations. This means that:

  • We are expected to have “published” privacy policies (as part of our public facing systems or included as part of our contract paperwork);
  • We are expected to require the user identification of some sort – most often  in the form of usernames and passwords  – to identify users during prior to granting access to a commerce or an  information system; and
  • We are expected to use tools like the Secure Socket Layer (SSL)  protocol to encrypt information being sent over communications networks.

3. Desire for protection of our own business assets

This area is often the least well defined, because deciding how much time and money to spend on protection of our own assets is driven in large part by our own assessment of risks associated with each of these.  In general business assets can be grouped into 3 categories:

  • physical – materials, goods, stock and buildings;
  • intellectual property – processes, procedures, formulae, code and business data; and
  • reputation – the “good name” of the business, and the level of trust placed in our goods and services by our customers.

How you arrive a decision about what, how and how much to protect your business assets is the domain of risk management, and it merits a separate discussion.

In the case of most small and medium businesses, most of the security that you need to worry about will fall into three categories:  regulatory compliance, protection of customer data, and protection of your own assets – including your reputation.

 

Jun 11

What is “security”

Philosophy of Security, Part 1 – What is “security”?

Recently I have been watching a lot of videos and reading quite a few articles about “security”.  While they contain a lot of information about techniques and technologies used to provide “security”, very few of these publications attempt to explain what security is all about.

So, what is this “security” thing?

Fundamentally security is not about firewalls, passwords, SSL certificates, intrusion detection tools, alarms, locks and guards. All of these are tools which we use and with which we work, to deliver security.

Looking at nate of security from a buisness point of view, we arrive at two general conclusions:

  • First: security is a process of assurance and maintenance of trust relationships that your business – and you – have with your customers and suppliers.
  • Second: security is a process to provide protection of business and personal assets, such as premises, products, stock and goods holdings, or reputation.

The critical thing to note is the concept of assurance and manintaiance of trust as well as that of protection of assets and reputation.

This is because in absence of trust there is little or no commerce.  A relationship with a level of trust is a must for commerce to happen because essentially people buy from people and organisations that they have come to trust (and at the end of the day, like it or not, all of your customers are people, regadless of the medium of the where the transactions that they engage in take place).

The  level of trust required in a commercial relationship is derived form, and maintained through, yourself and your business behaving in a manner consistent with your stated values and with your customers expectations. Therefore it is important that you consider (security in the form of trust assurance) as  a vital part of your business processes and procedures, and as impornant a targhet of investment as your tools and technology.