Tag Archives: Information security

Security Mindset

User big brother 1984

User big brother 1984 (Photo credit: Wikipedia)

I’m a big fan of Derren Brown, perhaps not so much of his actual performance stuff, but rather his later work on psychology and human manipulation. I’ve not seen all of his programmes, although I plan on going looking for some since I found they existed through the wikipedia link above, but I did just finish watching the “Fear & Faith” pair that I had recorded from a few weeks back on Channel 4 in the UK. There was one particular point that he made that was of interest to me:

People behave better when they have the impression that they are being watched.

Now, after an earlier discussion about AUPs on Forensic Focus where I wrote a draft, simple AUP, I realise that this is what I left out. There is neither mention of consequences, nor is there mention of monitoring – an oversight which I acknowledge leaves the policy toothless. In my defence though that wasn’t the point that I was trying to make at the time !

The research study by Max Ernest-Jones, Daniel Nettle and Melissa Bateson at Newcastle University on “Effects of eye images on everyday cooperative behaviour: a field experiment” further builds on previous research by Terrence Burnham and Brian Hare ( here ) showing that even computer generated “eyes” watching will influence behaviour.

I recall from my first ( and last ! ) permanent role, a Government issued poster, hanging in what very much resembled something that was very reminiscent of Chernobyl ( unsurprisingly really, as it was Hanger 4 at Harwell, home of GLEEP. ) We kept our backup tapes in a room which used to house a Cray – I’d be lying if I said I knew which one, it was long gone by the time I arrived, but I do know that it was one with integral seating … – and it had all of the security that you’d have expected of a data centre on a nuclear site – man-trap doors, security office, etc. – and, some of these posters – I wish now that I’d “redistributed” them before we left the building and it was pulled down – but I was young and foolish, and had no idea that I’d be writing this blog now … The one that sticks in my mind was rather creepy, hanging between the two doors of the man-trap as it was, bored people had messed with it – picking out the eyes with pins giving the poster a very unnatural stare. I don’t know if I behaved any better for it, all I had to do was collect and drop off tapes as it was – the room was cold, empty and unfriendly I didn’t hang around long enough too misbehave. I’ve tried my best to find a copy of it online now, but with no success. I did get these though:

security_poster_1960 security_poster_1962

This first one ( Don’t Brag ) is from 1960 ( I’m told ). And the second from 1962 ( again, I’m told ).

Both are notable for their lack of eyes, as, oddly are many, if not all of the ones that I could find that are currently being circulated.

CESG

I rather like these Welsh ones by Rebecca Lloyd as she says herself – inspired by the very popular iPod adverts.

welsh1 welsh2 welsh3

Quite entertainingly, the most intimidating poster by far and the one with the most eyes, with massive reference to 1984 and a horrendous secret state is this one from Transport for London. Nothing to do with InfoSec per se, but general CCTV surveillance of society.

TFL_CCTV

That’s the sort of thing that nightmares are made of ! On the other hand, if that was stuck before me on a bus, I might well not misbehave – which is a win on the part of the designer !

So there are two things that we should consider then – first off – my oversight on the AUP with regard to consequences and monitoring should be resolved – the addition of something like :

We like to be sure that nothing untoward is happening the machines which are our responsibility, so we do monitor them for things that we have said we don't like. If, once you have signed this document to signify your understanding, you choose to break the agreement you've made, we will have to take disciplinary action, depending on the seriousness of the breach, this could include losing your job.

Secondly, as ongoing awareness of Information Security is a requirement of pretty much every set of best practice guidelines ( and if it isn’t, it should be ! ) perhaps we should make sure that we make use of strategically placed posters with eyes in order to get our point across with the maximum uptake ? How about the following:

Poster1Poster2Poster3

I know that for two out of three, they aren’t exactly “watching” eyes, but there needs to be a line drawn on the amount one intimidates one’s employees !

I leave you with a Seasonal Poster – courtesy of the US Archives ( which are fabulous by the way, can we have a UK one of these please ? ) You’ll need to view it full size to see what the “security” message is.US Christmas InfoSec Poster

 [Actually, you know what, if people send me UK posters, I’ll make an online collection available to everyone myself … ]

Tagged , , , , , , ,

It’s all about managing risk …

Well, what an interesting turn up for the books, it seems that a group of CISOs have gotten together, in what I am sure were challenging circumstances ;-), in Hong Kong to figure out that Information Security isn’t all about technology ( http://www.theregister.co.uk/2012/04/25/ciso_advice_risk_management/ ) … I’d like to take this opportunity to point you to my article on “What is ‘good enough’ information security ?” (http://articles.forensicfocus.com/2011/09/19/what-is-good-enough-information-security/) from a while ago.

I re-iterate – as security consultants we are risk managers – it needs to be fit for purpose – not a technical solution to a problem that doesn’t exist !

Tagged , , , , , ,