Security technology cargo cult: buy more boxes (part 2)

In Part 1 we looked at the deterrence quality of security controls. It’s one of the three attributes of security controls that are often ignored; sometimes consciously but more often due to ignorance. Now we will look at another attribute that is too often neglected: awareness. Typically when discussing…

Security technology cargo cult: buy more boxes

Fear of reprisal is one of the most potent stimulants for action. It is also one that information security generally ignores. To that end the need to “improve security by buying more technology” is the prevalent course of action for most IT shops in large and small organisations. That this…

Wassenaar Arrangement and dual-use computer code

The Wassenaar Arrangement is frequently mentioned in information security (and vulnerability research in particular) since the inclusion of computer code as a dual-use good. The Agreement does not clearly specify what is and isn't considered a controlled good that should be subject to export controls, making a number of security researchers and…

Information security and the observer effect

The initial empirical study of the observer effect (Hawthorne effect), which said that people change their behaviour for the better when observed, has seen equal measures of criticism and support over the years. Whilst a lot of the critiques were typically academic (i.e. no impact on the end effect…

Microsoft, No-IP and lawfare

In the grand gesture of protecting public welfare Microsoft exposed just how fragile the internet really is when a large organisation decides to use lawfare. All that's needed is a pliable judge. This isn't Microsoft's first such grand gesture or use of lawfare, or using law as a weapon of…

The value of risk management to the organisation

“Most businesses, most boards, don’t spend a lot of time thinking about uncertainty. In fact, they are terrified of doing so.” The quote is from a good article in Strategic Risk Global about the value of risk management and why many risk managers can't seem to make a difference…
