29 Apr 2008
Trust is an important concept in security but few awareness programs give it the coverage it deserves. This month’s NoticeBored module brings together trust, integrity, fraud in an IT context, and touches on closely related concepts such as honesty, governance and whistleblowing.
Identity thefts, 419 scams, deliberate sabotage and fraud by trusted insiders (such as the recent incident at Société Générale Bank) and numerous other information security incidents provide no shortage of topical content for our 60th module.
We’ve all had our share of disappointments and incidents in life due to misplaced trust in someone or something. Such painful experiences are all part of the rich experiential lessons from life’s School of Hard Knocks. With hindsight, things would have been different, we hope. On the upside of risk, we are sometimes pleasantly surprised when people and systems deliver on their promises, or even better exceed expectations. Such is the way in which trust is built up.
Trust comes in two flavors: blind faith means we ‘just trust’ something or someone with no rational basis beyond our belief system. In most cases, however, trust must be earned, in other words a level of trust is established gradually over a period of successful interaction and performance. By the same token, trust can be damaged or destroyed by negative events – when a person, organization or system “lets us down”, we are naturally more dubious about it the next time.
There can be immense personal satisfaction in being trusted and respected by someone else. Computer systems and other inanimate objects may not have feelings but those that prove their worth accrue value above those that are unreliable in practice. How would you feel about, say, a heart monitor that sporadically shut down or gave nonsensical readings? Do you dread getting into an elevator that sometimes jerks or stops between floors? That subconscious sense of unease tinged with fear is the result of not being able to trust something.
Technological controls alone are seldom adequate to reduce the risks, placing emphasis on human controls through training and education, policies and procedures, and various forms of management supervision (including, by the way, the IT audits we covered last month).
In relation to information, specifically, trust brings up related subjects such as integrity and fraud. The NoticeBored awareness materials explore these concepts through presentations, briefing/discussion papers, case studies and more. We’re delivering a bundle of 30 different types of awareness material (see below), too much for all but our largest customers to use perhaps but that’s not the intention. Customers are encouraged (through the ‘awareness activities’ paper provided) to review the materials and pick out the pieces that are most appropriate for them, given their circumstances and the maturity of their awareness programs.
Content of the module
May’s NoticeBored security awareness module is out now. If you're not already a NoticeBored customer, see what you're missing on the NoticeBored website.