
RISK MANAGEMENT

THE PEOPLE RISKS

PEOPLE POWER

Events that lead to fortuitous loss can be divided into two categories: "natural causes", eg earthquakes, storms etc., and the actions of human beings. In the past the natural causes were the primary cause of losses; today the converse applies. The reason for this is that our use of high powered technological processes has put increasing power into the hands of the individuals responsible for safeguarding those processes. Examples include hazardous chemical and radioactive processes, where simple human errors have caused massive catastrophes such as those at Bhopal, Three Mile Island, etc. Computing technology gives access to similar power, although the consequences are more likely to be purely economic, without the spectacular destruction or pollution that has accompanied the disasters cited. For example:

• The undetected programming error that caused a bank settlement computer to crash, resulting in massive deficits, incurring interest charges of $4 million and threatening the financing of the US budget deficit. (Bank of New York, 1986)

• The security guard and the clerk who, because they had no security awareness, were fooled by an ex-consultant's story that he had a right to be on bank premises and to ask for information that enabled him to initiate an electronic funds transfer of $10.2 million into his own Swiss bank account. (Rifkin/Security Pacific Bank)

We tend to think in terms of obvious human motives such as direct fraud or malice and often overlook the ones that arise out of the very complex range of human emotions and needs. Financial pressures can turn otherwise loyal and trusted employees into embezzlers or, as has happened on many occasions, saboteurs. Employees who would stop short of fraud or of physically damaging property have been able to reconcile their conscience with less dramatic acts. Similar problems arise when employees are made redundant or fear redundancy coming, feel underpromoted, overlooked, aggrieved for other reasons or simply bored. They arise out of other basic needs, including those relating to love, sex and other human relationships. Examples of UK cases that involve such motivation are:

- Living standards under threat. (Operators switching circuit boards to reduce efficiency, so maintaining the need for overtime)

- Financial pressures. (The operator who was living beyond his means and sabotaged the computer to increase his overtime payments. He received an extra £687; it cost his employer £500,000)

- Malice against a past employer. (The programmer, fired for gross inefficiency, who returned on the evening of her dismissal, gave every client the maximum discount the computer would allow and destroyed all original estimates and calculations)

- Personal malice. (The shift leader who discovered that one of the daytime operators was having an affair with his wife, gained entry to the data centre and systematically attacked the tape and disk libraries and the central processor)

- Sexual infatuation. (The young programmer dismissed from his job, who tried to contact a female computer operator by using his old password and access codes to dial into his previous employer's computer and amend a program so that it would fail, and cause her to ring him for advice)

- Jealousy. (The operator with a nymphomaniac girlfriend who caused the computer to fail so that he would be sent home, and could check up on his girlfriend's activities)

- To regain a lover's affections. (The lovesick Abbey National cashier, who embezzled £50,000 in a bid to regain her husband's affections)

- Need for recognition. (The security guard who felt his value was unrecognised and started two fires so that he could put them out and be hailed as a hero. The fires got out of control and caused massive damage. He had served a term of imprisonment for two arson offences committed whilst employed in a similar position, but his employers had not checked on his previous jobs)

- Need for attention. (The data entry supervisor who deliberately entered corrupt data, causing the database to repeatedly crash, because her manager had ignored her complaints and her attempts to discuss her problems with him)

- Hurt pride. (The Oregon professor who was given time on the State's Motor Vehicle Department computer, rather than be given one for his own use, despite his protests about lack of security on the State computer. He set out to prove how insecure the State computer was by getting into the operating system and deleting the entire database, apart from the unpaid fines, traffic violations and other confidential data of State employees, which he left on the computer and printed out on all system printers, followed by some sharply critical messages about the administration)

- Boredom. (The trainee on the Youth Training Scheme who used an automatic ordering system to order 999,999 batteries and 2,500 circuit boards).

MAR - APR THE COMPUTER LAW AND SECURITY REPORT [1988-89] 6 CLSR

REASONS FOR MANAGEMENT APATHY

An examination of many types of loss, such as those above, reveals that they rarely involve high level technical skills and could have been prevented by relatively elementary precautions. Preventative measures including employee selection, referencing, induction, monitoring, skills training, conditions of employment, motivation, awareness training, dismissal procedures, accident/error review procedures and stress counselling should be the responsibility of the management concerned. However:

• Few senior level managers (board level directors) have sufficient understanding of computer technology to appreciate the problem. There is not therefore the leadership from the top that is needed to install a security culture into all aspects of corporate activity.

• Even if there is an awareness, the cost (monetary or time) of risk management measures has to compete with other items that are clamouring for inclusion in a tightening budget. The cost of preventing something that may not happen is seen as a non-productive, or negative, item that seldom wins the battle for corporate resources, particularly when there is always the excuse "don't worry, it's insured", an assumption that is seldom tested.

• Few managers see risk management as falling within their duties. In larger companies there may be someone who carries this specific responsibility (the risk manager), which encourages other managers in their belief that "it is someone else's problem".

• Typically, risk managers are used to dealing with what they would perceive as less esoteric areas such as standards of machinery guarding, or the installation of sprinklers, where there are usually well laid down ground rules, and often assistance from insurance companies, manufacturers and others. They are simply not trained in handling the people risks, particularly in the areas of motivation, monitoring or awareness training.

• In areas such as employee selection and referencing there could be demarcation problems with the personnel department, and there is nothing as complex and energy absorbing as internal politics. However, personnel departments rarely get involved with risk management functions.

• Insurance companies will give premium reductions for sprinklers and fire extinguishers, but not for people risk management, which is almost impossible to measure and quantify in precise terms.

• Even if it is decided to introduce a risk control measure, the action is often inadequate because of lip-service risk management.

LIP-SERVICE RISK MANAGEMENT

Often management simply wants to be able to report to the board, or to their auditors or their insurance company, or simply for the sake of their own peace of mind, that they have done what they should do. They introduce security measures on the basis of what one of these august bodies has recommended, or on the basis of a line from an article or a comment from a colleague or fellow businessman. There is rarely any attempt to understand the thinking behind the control and often no procedure for ensuring that it stays in place. My own risk auditors report that they could almost produce two totally different risk profiles, one based on what management think is happening and one, showing a far worse risk, based on investigations at an operational level. This is extremely dangerous because, apart from the false sense of security that it introduces, it is the management with the rosy view of security that completes the insurance proposal form, innocently misrepresenting the true position and putting the insurance protection at risk. A common cause of lip-service security is to omit staff education and motivation.

STAFF EDUCATION AND MOTIVATION

Often "security" is purchased at high cost, and yet the benefits of the purchase are virtually nullified because staff education and motivation has been overlooked. For example:

• Whilst 96% of sites use portable fire extinguishers, staff have been trained and motivated as to how to use them in only 4% of the sites sampled.[1] Unless they are trained, staff could well be in the position of those of one company that had a serious fire and whose employees tried to read the label on the fire extinguishers in the thickening smoke with flames advancing rapidly, and who finally panicked, threw the extinguishers on the flames and ran out in panic. Without motivation as to why the extinguishers are important they could be like the company that had a fire, ironically started by the fire officer as part of training, only to discover that the extinguishers were empty because the CO2 had been used by computer staff in a hot summer to make fizzy drinks.

• Whereas passwords were used to limit system access in 96% of sites, only 10% of installations issue guidelines to new users on the need for password security, how to create passwords or the disciplinary measures that would result from systems abuse.[1] Without guidelines, users, left to their own devices, invariably choose the easy way out and select joke words (superman, password, word, genius), personal words (wife's name, pet's name, favourite singer), logical words (program name, job title) or, particularly in Australia,[2] expletives. Contrary to popular belief the thought processes that lead to the choosing of such words are far from unique and can be replicated with ease.

[1] Computer Security in Practice, HRGM Ltd., 1986
[2] Survey carried out amongst computer users at the Sydney Morning Herald
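One way a site could turn the password guidance above into an enrolment-time check is shown below. This is an added example, not code from the article; it assumes the site holds a short denylist of the "joke words" the text names and can supply each new user's personal and job-related words (the values used here are constructed for illustration).

```python
"""Password-guideline check for the weak-password categories the article lists:
joke words, personal words (spouse, pet, favourite singer) and logical words
(program name, job title). Added example; all word lists below are constructed."""
import re

# Constructed denylist of 'joke words' (the article's own examples plus a few
# relatives). A real deployment would use a much larger wordlist. A tuple keeps
# the order of reported violations deterministic.
JOKE_WORDS = ("superman", "password", "word", "genius", "secret", "letmein")

# Digit/symbol substitutions users commonly apply to dress up a dictionary word;
# folding them back lets the check catch "Sup3rman!" as well as "superman".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalise(text):
    """Lower-case, undo common substitutions and keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_LEET))


def check_password(candidate, personal_words=(), logical_words=(), min_length=12):
    """Return the list of guideline violations; an empty list means acceptable.

    personal_words: names known for this user (spouse, pet, favourite singer).
    logical_words:  words tied to the job (program name, job title, company).
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    core = _normalise(candidate)
    # Every category is compared after the same normalisation, so capitalised
    # or leet-spelled variants of a word are still recognised.
    for word in JOKE_WORDS:
        if word in core:
            reasons.append(f"contains joke word '{word}'")
    for word in personal_words:
        w = _normalise(word)
        if len(w) >= 3 and w in core:
            reasons.append(f"contains personal word '{word}'")
    for word in logical_words:
        w = _normalise(word)
        if len(w) >= 3 and w in core:
            reasons.append(f"contains work-related word '{word}'")

    # A single word with at most a few trailing digits and one punctuation mark
    # is the predictable 'word + number' pattern the article warns about.
    if re.fullmatch(r"[A-Za-z]+\d{0,4}[!?.]?", candidate):
        reasons.append("a single word with at most a few trailing digits")
    return reasons


if __name__ == "__main__":
    # Constructed user context: pet name and the program the user will operate.
    for pw in ("Fido2019", "Sup3rman!", "correct-horse-battery-staple-42"):
        print(pw, "->", check_password(pw, ["Fido"], ["payroll"]) or "acceptable")
```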

Whilst staff training has become a function that is practiced by many companies, and offered by specialist companies, motivation is not as well accepted because it is more esoteric, and indeed is greeted with suspicion by some companies. Motivation presents particular problems because, like physical fitness, it is not enough to do it once; it has to be continually applied, for example:

When he is first employed the security guard may be well aware that this could be the night that someone will choose to attack the property under his custody, and should be alert to ensure that they are not successful. After five years of sitting in his gatehouse every night with no disturbances his perception of his objectives could well have changed, and his primary goal could be to relieve the boredom of a succession of otherwise tedious and uneventful nights, possibly by bringing to work books, playing cards, a portable television or radio, and so on. Management may try to counteract this by introducing control procedures, such as checking-in points to ensure that he really does patrol the premises, but his perceived objective regarding such measures could then be to have as entertaining a night as possible whilst at the same time making sure that he keeps his job by complying with the system with the minimum of inconvenience.

STAFF SELECTION

As we saw from the case of the security guard with previous convictions for arson, staff selection is another vital area. However, here again things are badly lacking:

• Full references were not taken up by 22% of companies audited. Of those that checked back, 14% took one business reference, 18% took two business and two personal references and 6% used outside agencies for vetting. The remainder used various other methods.[2]


In any event, the value of a written reference must be seriously questioned. The writer has experienced many examples of incompetent employees, those suspected of dishonesty and even those who have admitted to crime being given an acceptable reference as part of the "deal" to terminate their employment. This seems to be particularly prevalent in computer circles.

CONCLUSIONS: LOOKING TO THE FUTURE

In the past computer security relied upon "fortress mainframe", in which access to the computer was controlled by access to the computer room. That concept is now completely dead, as networking has provided access from points many hundreds, even thousands, of miles from the central processor. The next phase of development, now well under way, is to devolve computing power away from the fortress, by means of the intelligent terminal, the pc, either standing alone or linked to the central processor, and, in future, the supermicro and supermini computers that are currently being developed. The implications for security are significant. Users have depended upon the password system to prevent unauthorised access to terminals, but repeated studies, both of security standards and of computer fraud and misuse losses, have revealed that few users can be bothered to remember complex passwords and choose, instead, simple words that can be easily outguessed by a would-be attacker.

Similar problems arise with other aspects of security, and the situation will worsen as greater computing power is placed in the hands of the computer user, who may be far less aware than his DP equivalent of the implications of his corner-cutting actions. The computer security industry may develop new approaches to combat these problems, but they may well run counter to the objective of increasing user-friendliness and ease of access, which is one of the keys to successful exploitation of the new technology. In the short term at least these trends have thrown all of the emphasis onto security by the user. Selection, motivation and training have become vital issues. Equally important is the creation of a security culture so that users appreciate the significance of the systems they operate, and the value of the data to which they have access. And yet this area has been overlooked by most companies, who have sought to control security by the passwords and physical access controls that have been so abused by unmotivated employees. We are in the Emperor's clothes syndrome; sooner or later computer users will realise, to their cost, that "the King is in the altogether." If nothing else, that will force companies to take seriously the measures needed for the control and motivation of the people who have access to their powerful computing technology.

David Davies, Risk Management Editor

COMPUTER SECURITY-THUS FAR, ANY FURTHER?

The computer is here to stay, of that there can be no doubt. The IT revolution is already affecting business, the economy, society and our everyday lives every bit as much as did in their time the agricultural and industrial revolutions, and it has not even really got into its stride yet. We have still to realise the full potential of these new tools at our disposal, and as we bring them to bear with increasing accuracy and effectiveness they will change and then must eventually control our lives. If there is any doubt as to this phenomenal rate of growth in IT technology and influence, cast your mind back only, say, five years and reflect on how much progress has been seen in that short span of time. And the next five? As this reliance on IT spreads so too does the potential for loss, corruption or compromise of data, from whatever cause. As more businesses become "computerised" - and so far only a quarter, it is estimated, have been converted to IT - and are thus dependent on the machine, the greater the chance of them going to the wall if that technology fails them in any way. It is the task of the computer security fraternity to highlight to this growing population of computer users the dangers which are associated with this apparent panacea for all their problems and to offer practical and cost-effective defences and counter-measures. Unless we try, we shall be failing in this our primary function. Unless we succeed there is little point in us turning up for the game.

LACK OF SECURITY AWARENESS

But the signs are that we are not achieving with computer security the same degree of progress as the IT industry as a whole. There remains widespread ignorance of computer security - both the problems and workable solutions. Little new thought seems to be emerging except an obscure and continuing distillation of the technical solution. Truly original initiatives are rare. Attendances at computer security conferences, seminars and courses are falling: the faces on both sides of the podium remain very much the same and come from the committed rather than from the outside groups who should be involved - primarily the managers. The available literature is still limited, difficult to read except to those experts who know the subject anyway and arguably do not need it, and unattractive to the non-experts who need more than anyone to grasp the essentials of the problems and answers. Such awareness amongst the general public about computer security is virtually nil; the only exposure they get at present is to the monumentally superficial scare stories in the popular press and TV about viruses and hacking, both relatively minor problems compared with the scale of our unpreparedness as a whole. Perhaps the most damning evidence of all against the computer security industry is the dearth of usable information about the exact nature and extent of the problem. We desperately need a database, a library, of computer security incidents (including crimes, disasters, errors and technical failings - the whole gamut), from which we may deduce techniques and trends, define strategies, and allocate priorities; yet this is still little more than a fanciful suggestion at present. How can we convince an audience that there is a problem when we cannot even prove it to ourselves, or describe it since we are not even sure what it looks like? How can the dragon be fought when we do not even know what it is? Firms are reluctant, understandably, to divulge their embarrassments and mistakes, but we are doing too little to overcome this barrier and educate them of the merits of cooperation and honesty. We continue to plug with our fingers those holes in the dam we can see, but do not really know the size of the leak. Indeed, the dam may have already been breached but, to be brutally frank, we would not know if it had.

The technology is moving away from the mainframe to distributed resources, taking computing from the IT experts and putting massive power on the desks of workers and managers, most of whom still belong to the generations who missed out on IT training. The increasing networking of systems within and between organisations, nations and continents itself creates a whole new and vast range of vulnerabilities. The company mainframe isolated from the outside world and housed safely in its controlled environment, tended lovingly by its computer-literate and relatively disciplined wardens, was naturally immune to many of the hazards. Now, we have introduced computing power of awesome magnitude into the office, linked it directly to unknown and possibly hostile outsiders, and handed over its control to staff whose depth of understanding about automated data processing (ADP) may often be limited to the whereabouts of the on/off switch and a passing affinity with the logon/off procedures. The dangers and the need for sound computer security have never been greater and they are increasing all the time. Then why is the child failing to thrive? There are possibly many reasons; the two greatest seem to be Who and How.

DOES THE SECURITY INDUSTRY DELIVER?

The dominant element of the current caucus of computer security experts, coming as it does from the computing specialisation, displays an almost religious belief in the merits of hardware and software security, an obsessive devoutness which excludes all else. Traditional security amended and applied to the ADP environment is ignored, not understood, dismissed as unimportant or, worst of all, deliberately rejected. Computer security is viewed by them entirely as a machine problem, with the answers lying within those machines. The rest is dismissed as the "environment"; somebody else's problem. It is easy to understand how this has come to pass. Any expert in whatever field will be as much limited by his knowledge as aided by it. The mother is the last person in the world to see little Johnny or little Clara's faults. It takes a kind friend to tell her. Even then she will find it hard to accept the faults pointed out to her. It is thus with the computer security world, dominated as it is by the computer specialists with deep knowledge of the systems, and complete faith in the machine's infallibility bolstered by a total belief in its ability to cure any ills from within, from its own immune system. This misconception must lie at the root of our problems today. Computer security is a combination of computers and security; it is, to distort a famous saying, too important to be left just to the computer experts. It is easy to be critical, and it is necessary to qualify these sweeping assertions. Firstly, why should the computer expert be expected to be conversant with the intricacies of the art of security, as much these days a specialisation as any other? Of course there is a major technical component to any computer security solution, just as flight safety must include a great involvement by pilots and medical safety must be monitored, controlled and enforced by doctors. Every man to his trade, they say. But non-technical security is the other part of computer security; it is vital and only healthy that the expert security view is included in the deliberations. Computer security cannot be, nor must we let it be, dealt with solely by the computer people, yet this is what is happening now. Secondly, computer security is a people problem, not a machine one. There are far more road accidents caused by bad drivers than by unsafe cars. Human error accounts for more aircraft crashes than any other factor. Miscarriages of justice are rarely caused by bad law, only by bad lawyers. Most computer insecurities and disasters are caused by the users, not the machine; computers do not commit crime, only people; accidents do not just happen, they are caused. Most computer security incidents are not the result of highly sophisticated attacks against the technology. Low tech insider crimes and operator error and carelessness are the greatest threats; the countermeasures need to be similarly complicated and no amount of technical wizardry will adequately compensate for the disaffected, ignorant or careless employee. Computer staffs by their nature, training and work are logical, intelligent, mathematical, clinical. Their tool is a machine, their involvement is mainly with that machine. Their contact with the human element is limited, their abilities at man-management not necessarily finely honed. The business manager, in contrast, and his personnel staff and security officers are used to dealing with people - this is their tool in trade - and are thus better qualified to tackle the people problem which is computer security. Again, why should we expect the computer staffs to be familiar with management, training and supervision of personnel when this is not their specialisation or role? Yet, again, this is what is happening now. And the How question? The offerings on the table at the moment, driven as they are by the technicians rather than the man-managers and security staffs, are centred around the software and hardware. We are tending to ignore the other elements of security essential for a rounded and effective defence in depth - physical, document, personnel, procedural, management and contingency planning, training, welfare and supervision, all based on a clear understanding of the threat and an unambiguous and firm statement of security policy. Instead, magic pills are being put forward which can never be satisfactory in isolation. Furthermore, the technical solution must be reaching its economic limits; the packages offered with most large systems these days already provide excellent, sophisticated and (for most people) entirely adequate access control, audit and separation facilities, and little is to be gained from further enhancement. Very few organisations need more, especially if they operate it within a safe and secure environment liberally splashed with traditional security measures and perhaps some encryption for the more sensitive of their data links. The experts and pedlars of computer wares are beginning to over-refine and over-complicate the product to outdo their rivals, and are outpricing themselves in the process.

SHORTCOMINGS OF THE TECHNICAL APPROACH

We have painted ourselves into the corner; the technical path we have so far chosen to follow has narrowed and we are nearing its natural end. The time has come for us to review our way ahead. No fault is suggested for the story so far. It was natural and has served us well. But we must return to basics, to first principles. We must recognise the significance of defining security policies. How important to us is our computer? What are the threats? What effort is reasonable to protect the electronic data? What can be easily achieved? How exactly are we to defend ourselves, and with what and in what way? What risks can we afford to take, and which must we not ignore? How can we educate our staffs? Security measures must be chosen which are the most cost-effective, simple and reliable. They should, whenever possible, be traditional and non-technical, fit into the existing practices and morals of the organisation, and exclude the fancy or the innovative or the unprovable. The computer staffs must talk to the security staffs, and both groups must explain the dangers to convince, connive and cajole management into committing the necessary resources and manpower into the company's computer security effort. Medical staff, personnel managers, financial advisors, yes even marriage guidance agencies and the Samaritans all have a part to play too; a happy, healthy staff member with no nagging professional or personal worries will display increased efficiency and loyalty and thus greater security. There is an overall package to be considered here. Computer security cannot be shoe-horned into a convenient box labelled "Solution". It has to be worked at, and by everyone. Awareness - of the threat and the available countermeasures - is the fuel which will make it come to pass.

THE PEOPLE FACTOR IN COMPUTER SECURITY Little of this is being achieved at present. We seem to have stalled. Fresh thoughts are needed. Security staffs, personnel staffs and management need to be brought into the equation far more, and the computer staffs must learn to accept advice and help in this important aspect from such apparent outsiders. Computer security is not a machine problem. Computer security is a people problem. There is at present a new initiative applying lateral thinking to the computer security issue, in an attempt to break the current log-jam. The answer, if these good people could only see it, is right in front of them. Look now to the user: there is no such thing as an insecure computer, only insecure people.

There is nothing particularly special about the computer. It needs protecting, certainly, but this should prove no more difficult than protecting other valuable assets. The Crown Jewels, aircraft, our own personal safety, our homes and their contents, even our lives are all safeguarded in differing ways and to differing extents depending upon the value we place upon the item in question. The basic principles, though, remain constant. Computer security is not a difficult problem. It need not be expensive, it is not complicated and it is certainly not impossible. It is within the grasp of every organisation to achieve satisfactory computer security with a reasonable effort, using familiar techniques at an affordable cost. That this is not happening throughout the world of commerce, industry and Government is not yet the direct fault of the computer security industry; it will be judged as our failing if we do not now see to it that everything possible is done to bring this to pass.

Sqn. Ldr. Martin Smith Editorial Panelist

This article is written to stimulate discussion and to explore new lines of thought. Its contents are the personal opinion of the author and do not represent the views of any organisation with which he is associated.

BOOK REVIEWS PLANNING FOR DISASTER RECOVERY Planning for Disaster Recovery. Edited by Elizabeth Sowton and Carol Cline. (IBC Financial Technology Publishing LTD, 04PP). £65 + VAT. ISBN 1-852-710705.

It has been estimated that, of the firms that have suffered a major computer disaster, 80% have 'ceased to trade' soon after. It is likely that, of the remainder, only a few were able to recover in time to avoid serious financial penalty. The 'few' had undoubtedly taken the precaution of compiling a clear, concise and, above all, workable contingency plan. This book is designed to provide an introduction to the art of contingency planning. Its contributors, who are based in the UK, USA, Finland and Italy, offer five chapters of sound advice and case studies, and a final section dedicated to a suppliers index.

In the first chapter, entitled "A Management Guide", Judy Orr provides a general guide to 'Planning for a Disaster' and 'Contingency Planning'. She commences by posing questions such as: What are the threats? Who needs to be involved? What needs to be done? Each question is answered briefly but succinctly. The chapter ends with 'A Checklist for your Contingency Plan', which provides a good aide-memoire. The second chapter, written by Paul Musgrave, deals with 'Assessing and Protecting Against Risk'. Using a case study, the author takes a practical view of the task of risk assessment. Chapter three comprises two offerings from the USA. Written by John Jackson and Scott Ramsey respectively, they look at hot site selection and provide advice on points to consider when negotiating a contract for a hot site. Cold sites are also discussed as 'finding a place as the long term (two to 12 months) solutions following more immediate recovery'. Chapter four comprises six example case studies, four of which are examples of how disaster planning has fulfilled the needs of the organisations concerned. The remaining two, however, are tales of woe involving floods, evacuation and fire, and by way of consolidation they lend weight to the requirement for comprehensive planning. The fifth and final chapter is written by Dr David B Everett and is described as 'assessing the risks from a technical viewpoint', although in reality he briefly discusses most, if not all, aspects of computer security. This is not a criticism: the more information available to the would-be contingency planner, the better the chances of success. However, I would question Dr Everett's description of a 'Trojan Horse', as the given scenario would best befit a 'Trapdoor'.

In conclusion, the book is well written and presented and is correctly aimed as an introduction to Contingency Planning. A little pricey at £65, but informative.

INFORMATION SECURITY YEARBOOK Information Security Yearbook. Edited by Jack Smith (IBC Technical Services LTD, 170PP). 5. ISBN: 852710497.

Many surveys have been carried out by major consultant organisations, and all have identified that, generally, management lack awareness, and in many cases initiative, when confronted with computer security issues. The Editorial of this book, entitled "Management Complacent about Security Risks", states the case for management awareness and sets the trend for the following chapters.

Chapter one includes the Editorial and comprises four additional articles: "IT Security Within Industry - How the DTI is helping", "Security in Personnel", "Physical Security" and "Economic Aspects of Risk Management". The second chapter, headed "Network Security", contains three articles discussing access control, network communications and a call for a common standard for the definition of 'IT Security' and for continuing work in improving the standard of the security applied to commercial computer systems. Chapter three is concerned with mini and micro security. The first of the two reports details the 'new National Threat' in the use of PCs in US governmental departments. The second considers hardware/software security facilities for the PC. In chapter four, dedicated to "Data Security", five articles outline data communication security, secure destruction of documents, the 'theft' of information and the necessity for "An Integrated Security Policy", in which the author rightly states "Computers do not commit crime - people do". Chapter five discusses encryption and key management in some depth in a series of three articles. The sixth and last chapter is appropriately given to the subject that, unfortunately, many consider last: Contingency Planning. The two offerings are brief but the message is clear, as Dr Ken Wong states: "The message for the need to have sensible but adequate standby and contingency provisions built into computer systems and networks must get across to corporate executives".

The remaining 74 pages are given to a comprehensive "A to Z of Manufacturers and Suppliers" and a "Classified Directory of Products and Services".