Yesterday morning, I managed to find some time to attend the 9th INFOSECURITY CONFERENCE in Hong Kong. One of the keynote speakers was Bruce Schneier, a security guru and founder and CTO of BT Counterpane – an information security firm offering managed security services. Bruce, the author of several best-selling books on the subject, presented an excellent talk on his views about security concepts. Some of his books that I have on my shelf are: Applied Cryptography, Secrets and Lies, and the recently published Beyond Fear.

Bruce began the discussion by stating the difference between two types of security in our lives. One type has to do with what you feel about security, and the other type is about the reality of security.

These are two separate things. You can feel secure yet not actually be secure. On the other hand, you can have real security but not feel it. These two tend to diverge from each other. But what surprises us is that in linguistics, we do not find two different words to describe these two types of security. We have only one word in English and it seems the situation is quite similar in other languages.

Perhaps the reason for this is that in the ancient world, while our languages were being developed, these two types always went together. You can observe the physical environment with your five senses and judge whether it is secure or not. So essentially you felt secure exactly when you did in fact have physical security.

But today in the information world, these two types of security do not go together all the time. We have security measures installed in our information systems that “safeguard” our information assets, even when we do not actually “see” or “feel” them.

What is worrisome is that most of the time we may not actually “feel” that there is a lack of security in our system when in fact it does contain serious security flaws.

So the first thing we need to do with regard to security is educate people to be more aware of the need for security. Educate them so they have the knowledge necessary to “see” the security measures installed in their systems.

What helps us do this, according to Schneier’s idea, is to use “systems” to explain the security implementations in our society. A system here refers to the simplification of a real-world situation into a model, to help people understand in a simpler way how something works. For example, we can explain the mechanism of a camera surveillance system in a way that helps people understand its value not only in monitoring a crime taking place, but also in helping to deter the crime from happening in the first place, since criminals know that its presence increases the risk of being caught.

By helping people understand the working mechanism behind a camera surveillance system, people are more likely to support its implementation, and less likely to object to it on the grounds of the privacy concerns involved with a surveillance system.

As I have always emphasized, successful security management has to first be built on the trust, support, and understanding of people. After all, obtaining security is always a tradeoff. You need to forgo, first, convenience and, second, the time and money invested in the security system, in exchange for something you cannot really “feel,” even when it has been properly put into place.

So security is kind of a “second thought” in many people’s minds. People tend to think of many excuses not to commit to the best security practices simply because they don’t really feel insecure, even when they do not have proper security measures in place.

All in all, I think Bruce used a very good approach to present this idea at the conference. If you want to know more about Bruce Schneier, visit his personal website here: http://www.schneier.com/.

For details of the conference, please visit: http://www.infosecurityproject.com/

Tags: Information Security Awareness