Answers


Joep G

Director of European Operations at iSIGHT Partners


Infosec anthropology, the science of geographical, cultural and political perspective in Information Security. Needed? If so, what should we focus on?

The Information Security (INFOSEC) market is a very diverse and quickly expanding market. Besides growing in size and revenue, the market is also innovating at an enormous rate and gaining more and more social, political and business impact around the globe. Concepts of corporate security, internal and external security, policing and even military operations are changing because of this very fact, a process that has only been accelerated by the "war on terror".

Vendors, consultants, systems integrators, telecoms, risk managers, continuity planners and the other residents of the INFOSEC community are but slightly aware of the growing impact of their business. Concepts, methods and theories that have long been known as good practices or common sense are all shaped to fit the majority of the former market share, which consisted mostly of corporations and local governments. Serving people, cultures, military organisations, global governments, multinationals, third-world financial institutions or even second- and third-world governments requires a rethink, or at least an evaluation, of our current approaches. We need to add perspective to the INFOSEC business.

posted January 29, 2007 in Information Security | Closed


Good Answers (3)


Michael S

Information security survivor


This was selected as Best Answer

I love the saying "There is nothing new in the world, just different perspectives." INFOSEC is no different. We are grappling with the age-old impact of human nature at its worst. Greed, malice, hate, envy, spite: age-old threats to any human endeavor. I once had a debate with another INFOSEC professional who was arguing that our industry had failed because we weren't *secure* yet. I ask you: how can you secure something without changing human nature? After centuries of working on the same issue we still find the need for police; should we say we have failed because there is still crime?

As INFOSEC matures we will realize that we are not something new or special. We are just facing the same dark side of human nature expressed through different tools. Now we can sit here feeling special, grappling for new ways to deal with the issue, or realize the similarities, apply centuries of progress to the issue and go with what already works.

So what are we to do? First off, dump that INFOSEC moniker: there is no such thing as security, since there is no such thing as being "secure." All we can do is effectively and efficiently analyze and manage risk. By reducing the opportunities for crime to happen we can reduce the risk of loss. Again, this is a human psychology issue; we have to deter the criminal from bothering us. I refuse to speak in INFOSEC best practices. I view my job as risk management and loss prevention. While it isn't as sexy, thinking of my job in the same terms as a security guard's makes my responses more effective. Now if only that CD drive would hold donuts ....

posted January 29, 2007


Callum F

Telecoms & IT consultant


I think many elements of the things you mention are already well appreciated in the computer security community.

A key facet of computer security (indeed of all security) is appreciating that it's not a single problem with a single solution, but rather a set of classes of problems with a set of classes of processes that solve the problems.

Any time a security consultant is presented with a problem one of the first things he has to do, before any work on solutions, is to understand the context of the threat -- what's being protected, who's attacking, why are they attacking, why are you the target, are they trying to steal/copy/alter/destroy the resource, etc.

Similarly, they need to understand what the constraints are, particularly in regard to how legitimate users utilise the resource -- a consumer's personal email, a bank's financial data, and the military C3 systems for nuclear weapons have different security requirements, different tolerances of legitimate user inconvenience, and different levels of user training.

Almost all security solutions depend at least as much on effective implementation of processes as on specific technical products, and most security specialists have worked a lot on creating and implementing the necessary processes over the last decade or so.

That's not, of course, to say that the "right thing" always gets done -- though most good security specialists understand these issues, some don't, and there are many unscrupulous "experts" who are happy to sell black box snake oil.

Unfortunately, end user understanding of security is often a key part of the problem -- we already all know that users are one of the main vulnerabilities in any system, but the extent to which poor user training and misunderstood requirements impact on solution effectiveness is often under-appreciated.

There's been a lot of academic (and to a lesser extent commercial) work done on the economics of security, and this touches on a number of the areas you mention. In particular you may want to check out some of Ross Anderson's work.

It's a big issue, and always one worth debating, but my feeling is that it's one that's already on the table -- it's just that good answers haven't been found yet.


posted January 29, 2007


Javed I

Chief Security Officer at zSquad (http://www.zsquad.com), a Boston-based Information Security Consulting Company


Absolutely. In Japan, looking at driver's licenses when you want to enter an office building would be unheard of. You know what they look at? Business cards, something you can run off on your laser printer. If you point that out, the response will very likely be, "Why would anyone want to do that?" Of course, culturally this is very, very different from the USA.

Every intro marketing book is full of stories of marketing gaffes where the company did not pay attention to the local culture (Gerber baby food made from babies!), and there is no reason InfoSec should be any different.


posted January 29, 2007

More Answers (1)


Marko E

2IC of C4 Unit at Finnish Defence Forces


IMHO, there is no need for a new, artificial discipline. Security, risks and things related to them have been researched by existing "hard sciences" and "soft sciences" like sociology, biology, social anthropology, psychology and so on, and let it be so. Viewing information security from different points of view is certainly what we have to do, but why bother generating a new discipline?

Michael said that managing security is managing risks. I agree. To answer the question "what should we focus on?", I suggest that we should try to concentrate on learning and understanding better the different theories of and approaches to risk. Risk Society, Governmentality, technico-scientific theories and blame culture, to name some of them, give us valuable information about the concept of risk (and security) and introduce us to some interesting perspectives on risk.


posted January 30, 2007