Cases seen of staff being denied pay for computer boot-up time November 20, 2008

Posted by separkin in News.

An article in the US National Law Journal details cases of staff from various companies (including AT&T Inc. and Cigna Corp.) who believe that they should still receive pay for time spent waiting for their work computers to boot up. Their argument may rest on the fact that they find other work to do while they wait for their machines to become usable (e.g. making phone calls and arranging their work calendar), although the defendants in these cases argue that in these situations employees instead engage in “non-work activities”.
A concern that is raised from a Trust Economics perspective is that this is a simple case of computer infrastructure management decisions (specifically power-management policies) affecting user productivity in an ambiguous way. It may not be too much of a leap to imagine similar situations where information security infrastructure can have a bearing on an employee’s ability to use their workstation (e.g. waiting for virus scans of externally-connected devices, configuring security software on a machine at start-up etc.).

Charles Cresson Wood talks to ThreatChaos about the future of information security policies November 13, 2008

Posted by separkin in News.

Prominent information security specialist Charles Cresson Wood recently talked to ThreatChaos about the future of information security policies. Among other things, discussion touched upon the importance of user education within the organisation, and the use of expert systems and instrumentation to automatically determine policy compliance.

Security Experts Discuss ‘Conventional Wisdom’ November 12, 2008

Posted by separkin in News.

A recent Network World article rounds up a number of experts from the field of information security to discuss some of the prevailing beliefs that they encounter. The article covers a series of interesting topics, such as regulatory compliance (“You can be extremely secure but not compliant. Just as you can easily be compliant but not secure.”), the virtues of open source software, and the measurement of security Return-on-Investment (ROI).
One particular section focuses on the training of employees to behave in a more secure manner. As one of the experts, the 451 Group’s Nick Selby, points out: “… resisting social engineering is really, really hard, as most people you’d want to hire are socially disposed to try to be, at the very least, helpful”. If the goal of an organisation is to train its staff to behave in a more predictable and security-conscious manner, care should be taken not to stifle the ‘human factor’ altogether (unpredictable behaviour does not necessarily produce bad results). It is often this same ‘human factor’ that is relied upon to further the prospects of the organisation.

RSA’s Art Coviello warns of the perils of IT security regulations November 5, 2008

Posted by separkin in News.

A Computer Weekly article discusses comments made by RSA’s Art Coviello during the RSA Europe Conference 2008. Discussion focuses on Coviello’s view that an urgency to comply with industry regulations is distracting security practitioners from those security projects which may serve the ambitions of the organisation. As the article puts it, “regulation has to be focused on an intended result and not on a prescriptive list of controls”.
These comments highlight the need to consider how the implementation of industry regulations must be approached on a per-organisational basis, so as to benefit an organisation in its pursuit of specific productivity targets without putting unnecessary barriers in the path of the activities that ultimately contribute to those targets. Furthermore, a reasoned and transparent consideration at board-level of how regulatory compliance should be approached would help to clarify instances where resources are being diverted away from security projects towards compliance procedures.

Demos Report Highlights the Value of Social Networking for Businesses October 30, 2008

Posted by separkin in News - Reports.

A recent BBC article discusses the ‘Network Citizens’ report (published by the Demos thinktank) about the value of allowing social networking applications to operate within a business environment.

It is argued that by allowing employees to use social networking tools within the workplace, they are essentially able to forge and utilise interpersonal connections that have potential business value. Furthermore, social networking tools negate the restrictions that a person’s physical location would otherwise place upon their ability to meet and communicate with potential collaborators both within and outside of their work environment.

It is important to identify the potential for social networking to further the ambitions of business, and as such one of the report’s authors, Peter Bradwell, states that the use of social networking tools “must be tied to a business goal”. The authors go on to say that guidelines must be put in place that define ‘appropriate use’ of social networking tools.

With regards to information security management, Mr. Bradwell comments that:

“In today’s difficult business environment, the instinctive reaction can be to batten down the hatches and return to the traditional command-and-control techniques that enable managers to closely monitor and measure productivity.

“Allowing workers to have more freedom and flexibility might seem counter-intuitive, but it appears to create businesses more capable of maintaining stability.”
If an organisation were to adopt the aforementioned change in approach, it would be necessary to educate staff regarding their information security obligations, and determine exactly what information they have access to.

Staff should be educated to ensure that they are aware of the information that they have access to within the organisation, why that information is important to the organisation, and what the consequences would be (both for the individual and the organisation) should they disclose the information using social networking tools.

The difficulty here would be in finding a balance between:

  • the potential benefits to the business of allowing staff to communicate information to other parties in a context where connections can be rapidly (and perhaps tenuously) established (e.g. new business alliances, greater cohesion amongst staff, instigation of new and different projects), and
  • the potential losses (e.g. disclosure of sensitive data, time lost to unproductive or otherwise ‘pointless’ networking connections).

Just as risk assessment has become an integral part of information security management, it may be that ‘benefit assessment’ becomes just as important to those businesses that allow their workforce greater operating freedoms.

UK ICO warns that “information can be a toxic liability” October 29, 2008

Posted by separkin in News.

The Office of the UK Government’s Information Commissioner has released a press release to coincide with a speech given by Information Commissioner Richard Thomas. The speech highlights some views towards the handling of personal data within organisations.

Two opinions expressed by Mr. Thomas are especially pertinent to Trust Economics:

  • Top-level directors should take more responsibility for the protection of personal data held by their organisation within databases etc. This includes demanding that appropriate data security policies be put in place, that privacy be built into software applications used within the organisation, and that employees be suitably trained to manage data security risks. In relation to Trust Economics this implies both that workable policies be enacted, and that, in a general sense, company staff be educated not only in how to interact with the security controls that protect the data they work with, but also in the procedures to follow when those security controls fail (some activities have possible negative consequences that make them seem ‘risky’ in the first place). Mr. Thomas asks “How many staff do not tell their managers when they have lost a memory stick, laptop or disc?” - just as it is important to learn from reported data breaches, it could be equally useful to understand the behaviour and working culture that promotes silence on the subject in so many cases.
  • An increased capacity to store personal data can have its own associated risks (to the degree that Mr. Thomas refers to information as a “toxic liability”). With this it could be argued that organisations should develop a greater awareness of what their system users are capable of achieving with the data that they have access to. Instead of securing data to the point of making interaction with it impossible, organisations should seek to allow potentially productive access to personal data only if and when necessary, and when it is necessary, it is important to have an informed understanding of what an employee can then do with that data (and just as importantly how and why they may do what they do).

There is also a BBC article that discusses Mr. Thomas’ speech.

RSA Insider Confessions Report October 23, 2008

Posted by separkin in News - Reports.

A report published by RSA in 2007 (‘The Confessions Survey’, available here as a PDF) identifies some of the things employees can do which have the potential to adversely affect the security of their organisation’s data (e.g. holding secure doors open for strangers, or e-mailing company data to a personal e-mail address for access at home).
Statistics are included which make a distinction between the behaviour patterns of the two groups of employees that were surveyed (‘Government’ and ‘Enterprise’). This in itself goes some way towards illustrating that a one-size-fits-all approach to security does not necessarily apply to both public and private organisations, and that the work cultures (i.e. the accepted or encouraged patterns of employee behaviour) in different kinds of organisations should be considered when setting the information security policy.

Round-Up Of Some Interesting Computer Weekly Articles … October 23, 2008

Posted by separkin in News.

Securing the desktop and still allowing for flexibility - discusses the need to balance the security of a system with the capacity to allow employees to do things that they would feel are acceptable within their job (including catering for those who believe they are within their rights to use Facebook at work!). An interesting quote: “The first stage is understanding what’s going on. Before you can actually control what people can do, you have to have a sound basis for making the decisions about what is and what is not allowed”. This could be interpreted as a requirement to understand employee behaviour in relation to both the resources that are within their reach, and the security controls that are either in place or available to limit or manage access to those resources.

Electronic information sharing is key to effective government - an article that discusses how document-centric information security can promote co-operation between disparate organisations (or distant parts of the same organisation). Information exchange between organisations can lead to increased productivity and knowledge development, but this exchange needs to be secured in a manner that doesn’t simply make the entire process unwieldy.

Can too much IT security be bad for business? - IT professionals attending the IT Security Forum ring alarm bells about how an increased expectation of the use of information security controls affects their organisations. This includes how limiting use of USB storage devices can in turn limit the capacity for information exchange, and concerns about the strict nature of policies concerning the inclusion of sensitive information in unencrypted e-mails.

These articles all highlight a need to balance:

  • the use of information security controls in an organisation;
  • the potential benefits to an organisation of using the information that is available to it;
  • the ways in which members of an organisation use information to realise those benefits.

Verizon Data Breach Report October 23, 2008

Posted by separkin in News - Reports.

This year Verizon released their ‘2008 Data Breach Investigations Report’, describing their findings from cases of data breaches that they have been called in to investigate over the last four years. These findings cover, for instance, the sources of a data breach (e.g. insider or external party) and trends within particular industries (Financial Services, Retail etc.), as well as detailing some typical means of accessing and exploiting a company’s IT systems. The report (and the accompanying supplemental report) offers some interesting insights and, perhaps more importantly, some statistics relating to data breaches (something which is as yet rare to see in the public domain).

If more data of the kind described in these reports were to be made available, it would obviously help IT managers and the like in identifying where vulnerabilities in their managed systems could arise. However, it may also help IT managers who want to weigh up both:

  • where their security efforts should be concentrated should they wish to try to reduce the risk of a data breach, and
  • where within their sphere of control efforts could be relaxed so as to promote (or at least not inhibit) productivity amongst company employees. Ideally a view of security management should consider both how the users of secured systems will behave and the behaviour patterns that those users adopt to keep their own part of the business running (one of the core considerations of the Trust Economics project!).

The reports are available as PDF documents from:

http://www.verizonbusiness.com/resources/security/databreachreport.pdf (the main report)

http://www.verizonbusiness.com/resources/security/databreachsuppwp.pdf (the supplemental report)