Tag Archives: security policy

Unterschätzte Risiken: Angstpolicies

Sicherheitsverantwortliche in Unternehmen und anderen Organisationen sind dazu da, dass man jemanden feuern kann, wenn etwas in die Hose gegangen ist. Policies – Verhaltensregeln für Mitarbeiter – dienen dazu, diesen Vorgang möglichst weit hinauszuzögern. Der Verantwortliche als Herausgeber einer Policy hat mit der Herausgabe etwas getan, er hat Risiken von sich auf andere verlagert. Und nebenbei vielleicht der Organisation geschadet:

»A recent survey conducted by Telus and the Rotman School of Management indicates that companies that ban employees from using social media are 30 per cent more likely to suffer computer security breaches than firms that are more lenient on the issue of workers tweeting and checking Facebook posts in the office.«

(Facebook bans at work linked to increased security breaches)

 

Swiss Cheese Security

I’m off for the New Security Paradigms Workshop in Oxford, where I will present what I currently call the Swiss Cheese security policy model. My idea is to model security mechanisms as classifiers, and security problems in a separate world model as classification problems. In such a model we can (hopefully) analyze how well a mechanism or a combination of mechanisms solves the actual problem. NSPW is my first test-driving of the general idea. If it survives the workshop I’m going to work out the details. My paper isn’t available yet; final versions of NSPW papers are to be submitted a few weeks after the workshop.