Casting the Runes

Are you like Coleridge's walker on that lonesome road who, having once looked round, walks on, and turns no more his head; for he knows a fearful fiend does close behind him tread?

Essentially, as we go about our business we may (and that is very much a "may") be aware of risks. These risks may nevertheless be important, but the pressure of delivery ensures that caution is thrown to the wind. We get on with the job in hand. Hope plays an important part. If we're really sophisticated, perhaps we carry out a risk assessment in which we apply descriptors of high, medium, or low. Or perhaps we use a rather more malleable 1 to 5 scale. Then we probably fudge things a bit to make sure that the risk treatment is easy to implement, or better still to show that it doesn't really need implementing at all. (Please note that I am observing here! This is not a confession, but the sad scene of many an organisation that I have found at the start of a consultancy assignment.)

We trust in hope. Trust is good. Hope is excellent. But divine providence expects you to do your bit too. Again, Mr Pratchett observes that million-to-one chances crop up nine times out of 10. It doesn't matter if it all averages out okay when the real doozy of a risk is realised and knocks you for six. Attitude to risk is an interesting thing. It's an area where the proverbial "little knowledge" can create far too much complacency. As we search our souls and realise that the terrorist threat may not be so fanciful, we now hear established figures who step out of the shadows to warn us of the delicate balance of our economy across devices of which many know relatively little and those with criminal intent know far too much. In fact, forget the pseudo-glamour of the hacker; we will doubtless hear ongoing tales of misery resulting from software being 'upgraded'.

This is nothing new. War stories include Ariane rockets and the Department for Work and Pensions. Of course it's a technical issue! It involves information technology. And it's also a security issue.

Information security is about being assured that information is distributed at the right level of confidentiality (that means no confidentiality without availability to those who need to know), and that wherever it turns up, and whatever it is required for, the integrity of the data is free from suspicion. Sometimes that requires a momentary degree of verisimilitude; sometimes even the best guess has utility.

There is a reason that everybody repeats the well-worn mantra that security comprises confidentiality, integrity, and availability (and thanks, Lucky, for putting non-repudiation in the same sphere). The reason is that it simply reflects the truth. When the IASME Consortium set out the information security standard for small businesses as a route map to get them towards ISO/IEC 27001, it was bound to feel a bit like 27001 itself. The concepts they encompass are so basic that any good model of security is indistinguishable from the set of controls that we are all hoping we won't need. (In much the same way that Messrs Pratchett and Gaiman suggest that any tape left in a car for long enough will turn into Queen's greatest hits.)

Well, Coleridge put the vulnerable hiker on a lonesome road. And that's our biggest risk: tackling the problems by ourselves. The SME has to become part of a greater gestalt rather than face the slings and arrows of those who want outrageous fortune as a result of others' work. Cybernetics is on their side, but the old adage about safety in numbers has never been truer. By taking at least the basic precautions we can create our own requisite variety, whether you look to the 20 critical controls of SANS or remind yourself of the basics which have been helpfully reiterated by the Office of the Information Commissioner. And although it is well known that credentials may not always be as they seem, there are certain licences which give us at least a token ring of confidence as to who we can deal with. It becomes a very personal decision. It may be based on Moody's ratings, the net effects of reactive attachment disorder, or any combination thereof. It could be complex, complicated, or both. Some trust marks have thrived, others have failed, others have yet to make ... well, I suppose, their mark. Understanding what makes one trust a mark is part of the social challenge that informs the creation of rules, and then of technology to make implementation of those rules much easier. Academic rigour must again meet the relevance of business, which is why I have a student at the University of Manchester working on a project inspired by E RADAR. It's not going to provide a security panacea; but it is going to provide one more security butterfly in the oncoming storm of intrusion.

Why not flap your wings and take part in the research? How else can you expect the systems designers to know where you want to go? Keep off t'moors, lads.