Following the Road Rules

It struck me this evening while driving home that there is a nice analogy to be made between information security and road safety. All that maintains our roads in the organised state of chaos that they are in, rather than total anarchy, is a set of conventions that ensure that we drive on the left (in Australia), stop at stop signs and give way to the right at roundabouts.

I would imagine, though I have nothing to back this up with, that a large proportion of car accidents happen in situations where it is unclear what is expected of the driver. As a case in point, on my drive home there is a place where two lanes merge into one; however, there is nothing to indicate which lane is ending. This lack of direction causes the occasional irritated honk of the horn or shake of the fist from drivers who believe they have been wronged and, if it hasn't happened already, at some stage a minor collision is inevitable.

The same applies to information security. Whether browsing the internet, opening an email from an unknown source or disposing of sensitive documents, where a well-known course of action exists the decision is easy; it is when users are presented with the unfamiliar that trouble strikes (scammers are well aware of this and use the familiar to make targets feel comfortable). Ensuring that users know the correct course of action requires an ongoing education program coupled with a strong set of policies to guide users onto the right course of action.

I have this picture in my head of the users of a network, be it a corporate network or the internet, as drivers in vehicles of all different sorts, some in Abrams tanks, others on mopeds (the ones in the Abrams are likely Mac users blindly driving around opening files without regard to the consequences).

Other parallels exist too, particularly in corporate networks where user activity is much more heavily regulated: in particular, the use of incentives, both positive and negative, to ensure compliance with the rules. When drivers don't comply with the regulations they may be fined and, if caught infringing enough times, may lose privileges or be compelled to take remedial training. In much the same way, users of a corporate network may be more inclined to comply with and contribute to information security endeavours where it is assessed as part of their job performance and tied back to bonuses, pay increases and advancement within the company. A points system similar to that used with Australian driver's licences may actually work quite well to identify users requiring remedial training. More on incentives in a later post.

Some credit for the ideas in this post has to be given to the paper I am currently reading from the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI)
