This site is dedicated to understanding information security risk, risk metrics, and usability.

Software developers have been dealing with usability for some time now, operational IT has become a commodity, and other more traditional risk models (financial, insurance, etc.) have a higher level of maturity behind their risk management. These disciplines need to come together in order to advance Information Security and become a real player at the Enterprise Risk Management table by building a more transparent, robust risk model for information security.

In other words: to spark frank conversation between different risk management disciplines about measurable, common sense approaches to managing risk. The goal is to translate those techniques and models into something people can actually use for making sound decisions about information security without sacrificing usability.

The point here is that the crisscross of understanding risk from different disciplines provides some interesting perspectives on security, usability, and the impact of risk across development, infrastructure, and people. Maybe it will help people and businesses understand their risk profile just a little better, along with the impact on usability when making different risk management choices.

We have all seen a lot of things in our lives; some that worked and some that didn’t. My hope is that this forum will provide for the sharing of that information.

I like to think I have an interestingly dichotomic life, but really who doesn’t?

My professional life is focused around information security, project management, and trying not to impact usability. While I have worked closely with the senior leadership of various corporations, my work also allows me to dive into technology and the practical issues of implementation. You can find my professional profile at LinkedIn.

On the flip side, I have very creative outlets; web design, photography, music, performance, etc. You can find one of those adventures at Ten Seconds of Harmony.

Now, I’m sure there are plenty of people in similar situations, with a less creative profession but very creative outlets. Some people would even say that my professional life is just an extension of my creative nature; program creation, policy and standards development, figuring out different ways to implement different solutions, etc.

My personal belief is that we now live in an age where we don’t have to make the choices that sacrifice long term usability (i.e., no more Y2K’s, please), and we have the power to provide the usability of choice that goes beyond even our own usefulness. We all have the capacity to understand and make decisions based on our own personal risk tolerance, and we have to trust others to do the same (i.e., let me fail and learn while still protecting ourselves).

NOTE: Please, before you flame me on my previous comment, it is a generalization and doesn’t take into account outliers like mental disorders that prevent people from choosing or knowing right from wrong.

Also, I’m not saying people don’t make stupid mistakes, we do, I should know, I've made some.

But most of all...

  • Lock Your PC!

It is a simple way to help people understand risk, or a nice little joke to play (see "Pass It On").

So, does it really make my information more secure by locking my computer when I walk away from it? IMHO, basically, no, for the majority of the time it does not.

I'm sure that's making a few of my security peers cringe, but if you really take a look at the probability, threat, vulnerability, and potential impact, it does not make that big of a difference.

What I mean is that if you are sitting in a coffee house, then the probability of someone seeing information they shouldn't goes up (i.e., your risk goes up), but you have to think about how often you are in a coffee house looking at something that shouldn't be public knowledge.

Also, if your computer is in a protected office space with reasonable controls and with people that have access to the same information, then your risk goes down. So, should you have to sacrifice your usability?

So, for those that need it spelled out, what I'm really trying to say is think about what your threats and vulnerabilities truly are and make an informed risk decision.

Now, I will say this, locking your computer when you walk away from it is a good habit to get into. You never know who is watching or what access people really have, and if you're in the habit of doing it, then when you are sitting in the coffee house...