Users not to blame for failure of policy fads

By Stephen Wilson on Mar 10, 2011 1:09PM
It's too easy for the information security industry to shift the blame to those who shouldn't have to know better.

In cyber security and online privacy, user awareness, education and training have long passed their used-by dates.

We have technological problems around identity security and mutual authentication that need technological fixes, yet governments and businesses are averse to investing in security and the long-standing policy fad is to educate users out of trouble. It’s a massive policy failure.

We see a policy fixation everywhere. The dominant philosophy in security is process-based. The international information security standard ISO 27001 is a management-system standard; it has almost nothing to say about security technology. Its focus is on documentation and audit box ticking. It’s intellectually a carbon copy of the ISO 9001 quality management standard, and we all know the limitations of that.

I urge all infosec practitioners to read this 10-year-old article, "Is ISO 9000 really a standard?"; it should ring some bells.

Education, policy and process are almost totally useless in fighting identity theft. Consider this: those CD ROMs with 25 million financial records lost in the mail by British civil servants in 2007 were valued at 1.5 billion pounds, using the going rate on the stolen identity black market. With stolen data being so immensely valuable, just how is security policy ever going to stop insiders cashing in on such treasure?

In another case, after data was lost by the Australian Tax Office, there was earnest criticism that it should have been encrypted. But so what if it had been? What common encryption method would organised crime not set out to crack if the data were worth millions of dollars?

The best example of process and policy-dominated security is probably the Payment Card Industry Data Security Standard, PCI-DSS.

Its effectiveness was considered by a US Homeland Security Congressional Committee in March, 2009.

In hearings, the National Retail Federation submitted that “PCI has been plagued by poor execution ... The PCI guidelines are onerous, confusing, and are constantly changing”.

The Federation also noted the irony that “the credit card companies’ rules require merchants to store credit card data that many retailers do not want to keep”. The committee chair remarked that “the essential flaw with the PCI standard is that it allows companies to check boxes, but not necessarily be secure”.

“Compliance does not equal security,” he said. “We have to get beyond check box security.”

To stop ID theft, we need proper technological preventative measures, not more policies and feel-good audits.

The near exclusive emphasis on user education and awareness is a subtle form of blame shifting.

It is simply beyond the capacity of regular users to tell pharming sites from real sites, or even to spot all phishing e-mails.

What about the feasibility of training people to "shop safely" online? It's a flimsy proposition, considering that the biggest cases of credit card theft have occurred at backend databases of department store chains and payments processors.

Most stolen card details in circulation probably originate from regular in-store card-present transactions, not from Internet sites. The lesson is that even if you never shop online, your card details can still be stolen and abused behind your back. All the breathless advice about looking out for the padlock icon in your web browser is moot.

In other walks of life we don’t put all the onus on user education. Think about car safety. Yes, good driving practices are important but the focus is on legislated standards for automotive technology and enforceable road rules.

In contrast, internet security is dominated by a wild west, everyone-for-themselves mentality, leading to a confusing patchwork of security gizmos, proprietary standards and no common benchmarks.

Stephen Wilson is an expert on identity management, authentication and information security and founder of Australian consultancy, Lockstep, where this opinion was originally published.

Copyright © SC Magazine, Australia