IT security is not just about locks

Trust and risk are essential concepts to master when building security systems

Recently the Americans lost communication with about 70 of their nuclear-tipped missiles for 50 minutes, but I am more concerned about a text message I received, coupled with a Ghanaian email address.

I know I should be more concerned with the former threat, but the text informing me I'd won lots of money was closer to home. The email address looked decidedly dodgy and when I checked the sender's number, it was from Ghana.

These scams rely on three things to succeed: greed, gullibility and technology.

I recently advised a client based in a shared tenancy building that he couldn't rely on door locks, as the outsourced cleaning firm had free access to the building overnight. So, on top of the logical security, we built a CCTV recording system with motion sensors, off-site transmission of any triggered recordings and SMS alerts.

When the system was operational, the chief security officer had a few busy, heart-stopping days while it was bedding in and he watched the cleaners systematically opening any unlocked cupboard or drawer.

Security in depth is what I desire when I am asked to provide assurance that things are OK, but a chain is only as strong as its weakest link. I have a pseudo-mathematical technique for measuring control effectiveness which, although not perfect, removes some of the judgemental errors in reaching a conclusion.

Most control systems are based on trust and optimism, rather than pragmatism.

I rely on my security officer colleagues to identify the current and future threats and to suggest appropriate controls. I then sit down with them to evaluate the effectiveness of the proposed controls. Will this control manage the likelihood or the consequence? Is it preventive or detective?

They often retort that, as the likelihood of a particular threat crystallising is low, it doesn't much matter if the control is weak. I answer that they may not have suffered a heart attack, but it would be useful if they could detect the symptoms early enough to get to hospital before having a full cardiac arrest. So we find that, even with our best intentions, the residual risk remains stuck in the "amber" zone. Even more so now that the threats may be out of our hands because of outsourcing and cloud computing.

When managers are aware of and willing to tolerate a risk at a particular level, my job is done. Despite that, the people risk still fascinates me. I have never known a computer to attack me of its own accord. Even those 70 million zombie hosts out there still need a human hand to direct their assault.