Did Social Media Sink the Titanic?

April 17, 2012

Did social media sink the Titanic?

I read the following on the Computerworld website:

The crowning technical glory on the Titanic was the advanced wireless communications setup for Morse Code, which was considered the most powerful setup in use at the time.

The Titanic's wireless system was capable of transmitting messages for 500 miles during the day and 2,000 miles at night.

Passengers were so excited about their cross-sea excursion and the opportunity to send wireless messages to friends and family at home that they overwhelmed the wireless operators and the machine with personal messages. The wireless operators, inundated with messages to send, became overworked and tired.

That was going to be a critical mistake.

Around 11:30 p.m. on April 14, an operator on the SS Californian, a British steamship sailing not far from the Titanic, messaged the Titanic, warning the captain that there was ice ahead. Stressed and fatigued, Jack Phillips, the Titanic's on-duty wireless operator, angrily shot back the message, "Shut up, Shut up, I'm working Cape Race."

Phillips meant that he was busy relaying messages to a wireless station in Cape Race, Newfoundland, about 800 miles away.

The Californian didn't respond to the Titanic's distress signals because its wireless operator had gone to bed after being rebuffed about his iceberg warning.

Was this the first recorded case of a social media related denial of service attack?

Would an acceptable use policy have helped avoid the wireless operator becoming stressed out sending personal messages? What about a fair use policy?

It seems whenever a shiny new technology offers the ability to communicate with our social networks we humans jump on the opportunity.

How many large organisations get distracted by the social networking 'threat', but fail to keep watch on the icebergs, the things they can't control?

 

The Security Gods

April 3, 2012
As I was explaining the potential of VOIP to be hacked to a colleague the other day, he asked, “But has it ever happened here?” The standard answer, of course, is ‘it could’. The truthful answer would have been ‘we don’t know’.

This got me thinking: for an industry that relies on evidence, we sure do put a lot of trust in supposition. We read about theoretical attacks, we imagine scenarios where they could happen to us, we calculate possible risks based on a best guess of likeliho...


NZ Minister's email hacked

February 14, 2012

So the New Zealand Foreign Affairs Minister has his personal email account hacked. Big deal? It shouldn't be, until we discover he had asked that official emails be forwarded to his private email account.

In many organisations forwarding work emails to private accounts is explicitly prohibited. All sorts of reasons abound, some security-related, some not. The risk of unauthorised disclosure, theft of IP, time wasting...

It is hard to believe that a minister of the crown would not have simi...



Managing risk vs Managed by risk

February 3, 2012

Do you manage risk or are you managed by risk?

Paul Proctor discusses this briefly in a Gartner paper:

"Risk managers must take a proactive approach to risk assessment and management, so that they are managing risk, not being managed by it."

Assuming this is lowercase 'risk' rather than upper case 'Risk' (as in the Risk division of your company) what might it mean for awareness?

We should base an awareness programme on actual risks identified cooperatively with non-security colleagues fro...



Complexity is the enemy of security right?

January 27, 2012

A colleague recently posted a comment in a LinkedIn group criticising some wording in a COBIT document. The document (Process Assessment Model - PAM) described process measurement as:

"A measure of the extent to which measurement results are used to ensure that performance of the process supports the achievement of relevant process performance objectives in support of defined business goals." COBIT Process Assessment Model (PAM)

Did you just read that more than once? I had to re-read it to ...



An Information Security Football Analogy

December 5, 2011

Abstract ideas and principles are harder to convey and harder to remember than concrete examples. It’s why war stories are such a popular way of getting a security message across, although you should avoid using the really scary ones because it’s too easy for your audience to say “that’ll never happen to me”.

If you can’t find a suitable story, and you won’t always, then analogies are another great way of bringing abstract concepts to life. As a designer of awareness activities...



How to 'Switch' tactics on security awareness

November 8, 2011

How do we go about challenging the assumptions we in security make about awareness, namely that awareness is one big problem, telling people works, and people don’t care about security?

I've argued before that people are aware, and do care about security, and that 'tweaking' the work environment might go a long way to creating the mystical 'culture of security'. But that doesn't mean there isn't still work to be done. So here are some starters to think about when working on your security aware...



Security Awareness - Challenging our assumptions

November 3, 2011

I have a motivational poster in my cubicle of Bruce Schneier. The caption reads 'SECURITY – You’re doing it wrong'.

You may ask "How can this be motivational?". For me, it reminds me to reflect regularly on my approach.

With the help of a presentation at the ISF by Prof Costas Markides, and a great little book called ‘Switch’, I’ve come to the conclusion that in our Security Awareness efforts we make three big assumptions. And until we challenge these, we’ll never understand ...



Steve Jobs Memorial iPod

October 6, 2011


Cinderella, #AntiSec, and critical thinking

June 21, 2011

With the royal wedding now a distant memory and the dawn of #AntiSec I thought I'd write about a piece of 'urban mythology'. Well it hasn't quite made it to urban myth status yet but it was a damn good try. You may have had in your inbox the images of Kate and Will's side by side with some frames from Disney's Cinderella. In case you haven't:


A lot of people were caught out by this image, including some very capable InfoSec pros of my acquaintance. Call me a cynic, party pooper or...


This Blog was previously hosted at Wordpress. You can read previous entries there.
