Table of Contents
Title Page
Copyright Page
Dedication
Acknowledgements
Foreword
Introduction
CHAPTER 1 - Power to the people
The power is out there . . . somewhere
An information-rich world
When in doubt, phone a friend
Engage with the public
The power of the blogosphere
The future of news
Leveraging new ideas
Changing the way we live
Transforming the political landscape
Network effects in business
Being there
Value in the digital age
Hidden value in networks
Network innovations create security challenges
You’ve been de-perimeterized!
The collapse of information management
The shifting focus of information security
The external perspective
A new world of openness
A new age of collaborative working
Collaboration-oriented architecture
Business in virtual worlds
Democracy . . . but not as we know it
Don’t lock down that network
The future of network security
Can we trust the data?
The art of disinformation
The future of knowledge
The next big security concern
Learning from networks
CHAPTER 2 - Everyone makes a difference
Where to focus your efforts
The view from the bridge
The role of the executive board
The new threat of data leakage
The perspective of business management
The role of the business manager
Engaging with business managers
The role of the IT function
Minding your partners
Computer users
Customers and citizens
Learning from stakeholders
CHAPTER 3 - There’s no such thing as an isolated incident
What lies beneath?
Accidents waiting to happen
No system is foolproof
Visibility is the key
A lesson from the safety field
Everyone makes mistakes
The science of error prevention
Swiss cheese and security
How significant was that event?
Events are for the record
When an event becomes an incident
The immediacy of emergencies
When disaster strikes
When events spiral out of control
How the response process changes
No two crises are the same
One size doesn’t fit all
The limits of planning
Some assets are irreplaceable
It’s the process, not the plan
Why crisis management is hard
Skills to manage a crisis
Dangerous detail
The missing piece of the jigsaw
Establish the real cause
Are you incubating a crisis?
When crisis management becomes the problem
Developing a crisis strategy
Turning threats into opportunities
Boosting market capitalization
Anticipating events
Anticipating opportunities
Designing crisis team structures
How many teams?
Who takes the lead?
Ideal team dynamics
Multi-agency teams
The perfect environment
The challenge of the virtual environment
Protocols for virtual team working
Exercising the crisis team
Learning from incidents
CHAPTER 4 - Zen and the art of risk management
East meets West
The nature of risks
Who invented risk management?
We could be so lucky
Components of risk
Gross or net risk?
Don’t lose sight of business
How big is your appetite?
It’s an emotional thing
In the eye of the beholder
What risk was that?
Living in the past
Who created that risk?
It’s not my problem
Size matters
Getting your sums right
Some facts are counterintuitive
The loaded dice
The answer is 42
It’s just an illusion
Context is king
Perception and reality
It’s a relative thing
Risk, what risk?
Something wicked this way comes
The black swan
Double jeopardy
What type of risk?
Lessons from the process industries
Lessons from cost engineering
Lessons from the financial sector
Lessons from the insurance field
The limits of percentage play
Operational risk
Joining up risk management
General or specific?
Identifying and ranking risks
Using checklists
Categories of risks
It’s a moving target
Comparing and ranking risks
Risk management strategies
Communicating risk appetite
Risk management maturity
There’s more to security than risk
It’s a decision support tool
The perils of risk assessment
Learning from risk management
CHAPTER 5 - Who can you trust?
An asset or a liability?
People are different
The rule of four
The need to conform
Understand your enemies
The face of the enemy
Run silent, run deep
Dreamers and charmers
The unfashionable hacker
The psychology of scams
Visitors are welcome
Where loyalties lie
Signs of disloyalty
The whistleblower
Stemming the leaks
Stamping out corruption
Know your staff
We know what you did
Reading between the lines
Liberty or death
Personality types
Personalities and crime
The dark triad
Cyberspace is less risky
Set a thief
It’s a glamour profession
There are easier ways
I just don’t believe it
Don’t lose that evidence
They had it coming
The science of investigation
The art of interrogation
Secure by design
Science and snake oil
The art of hypnosis
The power of suggestion
It’s just an illusion
It pays to cooperate
Artificial trust
Who are you?
How many identities?
Laws of identity
Learning from people
CHAPTER 6 - Managing organization culture and politics
When worlds collide
What is organization culture?
Organizations are different
Organizing for security
Tackling ‘localitis’
Small is beautiful
In search of professionalism
Developing careers
Skills for information security
Information skills
Survival skills
Navigating the political minefield
Square pegs and round holes
What’s in a name?
Managing relationships
Exceeding expectations
Nasty or nice
In search of a healthy security culture
In search of a security mindset
Who influences decisions?
Dealing with diversity
Don’t take yes for an answer
Learning from organization culture and politics
CHAPTER 7 - Designing effective awareness programs
Requirements for change
Understanding the problem
Asking the right questions
The art of questionnaire design
Hitting the spot
Campaigns that work
Adapting to the audience
Memorable messages
Let’s play a game
The power of three
Creating an impact
What’s in a word?
Benefits not features
Using professional support
The art of technical writing
Marketing experts
Brand managers
Creative teams
The power of the external perspective
Managing the media
Behavioural psychologists
Blogging for security
Measuring your success
Learning to conduct campaigns
CHAPTER 8 - Transforming organization attitudes and behaviour
Changing mindsets
Reward beats punishment
Changing attitudes
Scenario planning
Successful uses of scenarios
Dangers of scenario planning
Images speak louder
A novel approach
The balance of consequences
The power of attribution
Environments shape behaviour
Enforcing the rules of the network
Encouraging business ethics
The art of on-line persuasion
Learning to change behaviour
CHAPTER 9 - Gaining executive board and business buy-in
Countering security fatigue
Money isn’t everything
What makes a good business case?
Aligning with investment appraisal criteria
Translating benefits into financial terms
Aligning with IT strategy
Achieving a decisive result
Key elements of a good business case
Assembling the business case
Identifying and assessing benefits
Something from nothing
Reducing project risks
Framing your recommendations
Mastering the pitch
Learning how to make the business case
CHAPTER 10 - Designing security systems that work
Why systems fail
Setting the vision
What makes a good vision?
Defining your mission
Building the strategy
Critical success factors for effective governance
The smart approach to governance
Don’t reinvent the wheel
Look for precedents from other fields
Take a top down approach
Start small, then extend
Take a strategic approach
Ask the bigger question
Identify and assess options
Risk assessment or prescriptive controls?
In a class of their own
Not all labels are the same
Guidance for technology and people
Designing long-lasting frameworks
Applying the fourth dimension
Do we have to do that?
Steal with caution
The golden triangle
Managing risks across outsourced supply chains
Models, frameworks and architectures
Why we need architecture
The folly of enterprise security architectures
Real-world security architecture
The 5 Ws (and one H)
Occam’s Razor
Trust architectures
Secure by design
Jericho Forum principles
Collaboration-oriented architecture
Forwards not backwards
Capability maturity models
The power of metrics
Closing the loop
The importance of ergonomics
It’s more than ease of use
The failure of designs
Ergonomic methods
A nudge in the right direction
Learning to design systems that work
CHAPTER 11 - Harnessing the power of the organization
The power of networks
Surviving in a hostile world
Mobilizing the workforce
Work smarter, not harder
Finding a lever
The art of systems thinking
Creating virtuous circles
Triggering a tipping point
Identifying key influencers
In search of charisma
Understanding fashion
The power of context
The bigger me
The power of the herd
The wisdom of crowds
Unlimited resources - the power of open source
Unlimited purchasing power
Let the network do the work
Why is everything getting more complex?
Getting to grips with complexity
Simple can’t control complex
Designing freedom
A process-free world
The power of expressive systems
Emergent behaviour
Why innovation is important
What is innovation?
What inspires people to create?
Just one idea is enough
The art of creative thinking
Yes, you can
Outside the box
Innovation environments
Turning ideas into action
Steps to innovation heaven
The road ahead
Mapping the future
Learning to harness the power of the organization
In conclusion
Bibliography
Index
Copyright © 2009
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England Telephone (+44) 1243 779777
Email (for orders and customer service enquiries):
[email protected] Visit our Home Page on www.wileyeurope.com or www.wiley.com
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher should be addressed to the Permissions Department, John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to
[email protected], or faxed to (+44) 1243 770620.
Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The Publisher is not associated with any product or vendor mentioned in this book.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.
Other Wiley Editorial Offices
John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA
Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA
Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany
John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia
John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809
John Wiley & Sons Ltd, 6045 Freemont Blvd, Mississauga, Ontario L5R 4J3, Canada
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Library of Congress Cataloging-in-Publication Data
Lacey, David.
Managing the human factor in information security: how to win over staff and influence business managers / David Lacey.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-470-72199-5 (pbk. : alk. paper)
1. Information technology - Security measures. 2. Industries - Security measures. 3. Computer crimes - Prevention. 4. Management - Employee participation. 5. Electronic data processing departments - Security measures. 6. Management information systems - Human factors. I. Title.
HF5548.37.L33 2009
658.4’78-dc22
2008043719
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 978-0-470-72199-5 (pbk)
Typeset in 10/12 Palatino by Laserwords Private Limited, Chennai, India
Printed and bound in Great Britain by Bell & Bain, Glasgow
This book is printed on acid-free paper responsibly manufactured from sustainable forestry in which at least two trees are planted for each one used for paper production.
For Gill, Musto and Cassie
Acknowledgements
I could not have written this book without the inspiration and support of my friends, professional colleagues and family. This is my opportunity to say thank you to some of the people who made this book possible.
I’d like to thank John Madelin, Director of Professional Services for Verizon’s EEMA Security Solutions practice, for encouraging me to write a book, and for introducing me to my publisher. John is a kindred spirit, with tremendous vision and enthusiasm for innovation and technology.
I must also thank the UK Cyber Security Knowledge Transfer Network, led by Nigel Jones of Qinetiq, for inspiring the subject of this book. Quite rightly, this Government sponsored forum has recognized the growing importance of the human factor in information security management and assigned it a high priority.
And I have to thank Professor Gene Schultz for his very encouraging comments on the original outline for the book, which helped to inspire me to go forward with the project. Gene is not only a brilliant security technologist, but also a man with fine tastes in English beer, Californian wine and Dutch cigars.
I also owe a great debt to David Evans of Link Associates for teaching me many of the more sophisticated aspects of strategic crisis management, and for reviewing the chapters “There’s no such thing as an isolated incident” and “Zen and the art of risk management”. David has a unique perspective on organizations, having spent more than twenty years coaching managing directors in the art of crisis management. He notices many small, but important, details that others do not.
I also have to thank Professor Steven Furnell, of the University of Plymouth, Andy Smith, of the UK Home Office National Identity Card Program, and Professor Fred Piper, of Royal Holloway University of London, for reviewing the early drafts of the book. Steven is one of the brightest, hardest working academics in the industry, and highly knowledgeable about networks and human factors. Andy has the largest collection of information security books of anyone I’ve ever met, several hundred of them, in fact, and he’s actually read them all. But I must especially thank Fred for contributing an excellent foreword. I feel very fortunate and highly privileged to know Fred. He’s an inspiration for my academic side, as well as a perfect role model for his students and fellow professionals. Not only does Fred exude wisdom and integrity, he’s also one of the nicest people I’ve ever met.
There are many other experts who have contributed to the wisdom contained in this book. In particular, I’d like to thank Phil Severs, Nick Bleech, Paul Dorey and Andrew Yeomans for serving as a sounding board for many of my ideas; Debi Ashenden and Almira Ross for their observations on the human factor; Robert Coles and Phil Venables for their perspectives on risks; Howard Wright for his coaching in innovation; and J.P. Rangaswami for his views on identity and technology.
I also have a great debt to my colleagues at Shell, for helping to develop and prove many of the ideas in this book, as well as my excellent, award-winning team at Royal Mail, who helped to realize many of them in practice.
And, finally, I have to thank Birgit Gruber and Colleen Goldring of John Wiley for their encouragement, patience, and advice in putting this book together. It could never have been completed without their assistance.
Foreword
Many people argue that the technology to protect our information has been available for many years. Yet we continue to hear about serious data losses, large scale identity theft and the compromise of national databases. This illustrates the ‘obvious’ fact that information security is not a technology problem. In reality very few people have regarded it as solely a technology issue and, ever since the start of the information age, the cliché that “Computers do not commit crimes. People do.” has been quoted in numerous security presentations.
Our business information systems and data have been repeatedly undermined by design flaws, weak passwords, lost media, social engineering and numerous other bad practices. Furthermore these risks are growing with the increasing sophistication, complexity and networking of modern business systems.
People are the soft underbelly of our information security. They design, implement and operate our information systems. They use, misuse and abuse them. They manage the physical and logical access to our systems and data. In so doing they create mistakes, incidents and the weaknesses that enable criminals to steal, corrupt and manipulate our intellectual assets.
However, despite the fact that its importance has been widely recognized, the role and importance of people in information security has been consistently underestimated. This situation is slowly changing and human factor considerations are gradually beginning to enter the security management agenda.
Security is largely a game between ‘bad guys’, who aim to exploit other people’s assets, and ‘good guys’ who aim to protect them. We need to understand what makes both sides tick. When we make it easier for our users and customers to gain access to systems and data, we also make it easier for hackers and fraudsters to penetrate our systems. Getting the balance right is not easy, especially in a world of continually evolving threats and technology.
Human failings have long been exploited by spies, eavesdroppers and hackers. Cryptographers, for example, have generally learned this the hard way. Flaws are regularly found in the design, implementation and operation of their systems. Even the most secure of designs can be badly implemented, introducing technical vulnerabilities to potential attackers.
Information security researchers and practitioners have been slow to address the weaknesses introduced by the human factor but it is now finally getting the recognition it deserves, largely because of a series of high-profile security breaches. Increasingly the traditional physical and organizational security mechanisms used to mediate the human interaction with information processing technology are ‘disappearing’ as the complexity of the human dimension to information security comes more into focus. Nevertheless there is still very little written down about how to go about improving our influence over people and their security behavior or how to introduce an effective security culture into an organization.
This book pulls together an impressive amount of theory and practice developed across many different fields and industries. The author suggests many useful, practical ideas on how to design better security awareness initiatives, and how to go about changing people’s attitudes and behavior. He also suggests that the challenge of designing management systems and information systems that people can actually use should be a priority for all researchers and practitioners.
In effect, the author is arguing for an approach to information security management that is primarily focused on people and their relationships, rather than policies, procedures and processes. In addition to providing sound advice on what to do and how to do it, he also encourages the reader to think about what we are doing wrong and how to rectify the situation. The book is as much about thought provocation as about defining ‘good practice’.
He is right in challenging existing assumptions. We certainly need new ideas and a new approach to information security that takes account of the new risks presented by social networking and mobile computing. This requires an increase in interdisciplinary work within both the academic and practitioner communities and this book provides an excellent platform for its launch.
Changes need catalysts (like this book) and people who are prepared to think ‘out of the box’ and then put their ideas forward for others to study. Not everyone will agree with all of them, indeed some may agree with none of them, but they will set the dialogue rolling and are necessary for progress to be made. The author, David Lacey, is a leading authority in the information security profession, who is renowned for his foresight and innovation and I can think of no one better suited to this role. He has an enormous amount of experience in transforming security across large organizations, and a first-class track record of success in different environments. He has also conducted considerable research into a number of aspects of human behavior so that, as well as providing practical advice on security management, he provides a number of fascinating references for further reading in a wide range of related topics.
In addition to providing a major platform for an important, emerging subject area David has also provided a highly entertaining read that will undoubtedly become essential reading for all security professionals.
Fred Piper
Introduction
Some people say that Information Security is a people problem, rather than a technical one. Others claim it’s a blend of people, process and technology issues. The truth is that Information Security draws on a range of different disciplines: computer science, communications, criminology, law, marketing, mathematics and more. And like most things in life, success in all of these fields is underpinned by an ability to understand and manage the human factor.
You might ask what I mean by the “human factor”. In fact, I mean the influence of people in information security, the unpredictable factor that causes many of our best planned systems to fail, whether because of carelessness, complacency, apathy, spite, stupidity, criminal intent or just plain bad design.
“Human factors” is also a term that is commonly used, especially in the USA, to refer to the science of ergonomic design. I use it, however, in its broadest sense to encompass the impact that people have in manipulating systems or causing accidents, as well as the challenge of harnessing their capabilities to secure our information flows, and the considerations for designing security systems, controls and campaigns that actually work.
Technology is also essential to security, of course, and increasingly so, as we learn how to apply its leverage to manage our growing business and security problems. But technology is designed, implemented and operated by people. And it’s the human factor that shapes how we use or misuse information systems. People manage our physical security and grant access to our systems. They also cause, report, and manage our response to, security breaches and incidents.
The influence of human factors is, in fact, increasing as we evolve from a largely process driven business world to a more joined-up, nomadic, information society. Technology, and the networks that spring from it, are creating a new business environment, in which intellectual assets are the new engine of wealth creation, and information flows across empowered, flattened team structures, rather than in strict, vertical stove pipes between management and their staff. Individual actions are now shaped less by decrees and policies from on high, and more by the opinions of networked colleagues. As information security managers, we need to understand how to influence and harness these personal relationships if we are to be truly successful in harnessing the benefits of these new ways of working.
Security professionals have long acknowledged the importance of the human factor in safeguarding business and personal information from hackers, spies and fraudsters. But, in practice, we’ve rarely paid more than lip service to it. Our best practices have been little more than the publication of an occasional leaflet or an assortment of uninspiring intranet pages. That needs to change. We must all raise our game if we are to build an environment that delivers the compelling cues for good security practice.
It’s now become an imperative for all enterprises to ensure that computer users really understand the security risks they face, and actually take the trouble to implement corporate security policies. It’s vital also to ensure that project managers and development staff appreciate the importance of developing secure systems, based on intrinsically secure protocols and coding standards. And it’s essential that we encourage good practices beyond our enterprise boundaries, extending across our supply chains, and encompassing our customers.
Human factors are climbing the business management agenda, and they will stay there for as long as we have to manage the consequences of people’s failings. That problem will not go away within our lifetime. And it will become increasingly important with the growth in social networking and mobile working, and the potential for ever larger breaches of sensitive data.
More and more security professionals are acknowledging the importance of the human factor in information security. Bruce Schneier saw the light a decade ago, and has since become an evangelist, encouraging his fellow professionals to pay more attention to addressing the psychology and economics of security. A few years ago, Debi Ashenden, a senior fellow at the UK Defense College of Management & Technology, announced that the future of information security was “pink and fluffy”. Debi tells me she now regrets that quote. She’ll probably regret it even more, now that I’ve drawn your attention to it. But she’s absolutely right. The fact is that security and risk managers can now learn more from psychologists than from technologists.
The UK Cyber Security Knowledge Transfer Network has correctly placed a high priority on the study of human factors, and has established a working group to help identify the problems and potential solutions. But it will take many years for the information security community to understand the nature of the problem space, identify the underlying root causes, and develop new initiatives to improve the situation on the ground.
This book aims to identify and make sense of the wide range of human and organizational challenges that we face in managing security in today’s networked world. It provides helpful advice on how to manage incidents and risks, design and sell management systems, promote security awareness, change attitudes and behavior, and leverage the power of social networks to get the best out of the organization.
• Chapter 1 sets the scene with a reflection on the impact of networks on the business landscape, and the consequences of social networking.
• Chapter 2 discusses the security roles and perspectives of people and stakeholders within an organization.
• Chapter 3 examines the human weaknesses that contribute to major incidents and our management of them.
• Chapter 4 addresses the phenomenon of risks and the difficult art of risk management.
• Chapter 5 considers the psychology of the criminal mind and the nature of individuals.
• Chapter 6 provides advice on understanding and navigating organization culture and politics.
• Chapter 7 explains how to design effective security awareness campaigns.
• Chapter 8 sets out principles and techniques for transforming attitudes and behavior.
• Chapter 9 addresses the psychological factors associated with selling your proposals to management.
• Chapter 10 shows how to design management systems and programs that are effective and long-lasting.
• Chapter 11 sets out how to harness the power and creativity of networks and groups to leverage your own capabilities.
Information security is still a relatively new subject area, a fascinating blend of art and science, which draws on many existing sciences and techniques. But it has a long way to go. Our everyday practice is primarily the result of unproven theories and self-taught skills. Donn Parker, of SRI International, used to refer to our information security practices as a “folk art”, because it lacked the broader knowledge base and objective research that we expect to find in other disciplines.
We’ve certainly developed this art quite a bit in recent years, filling many gaps in research, knowledge and good practices. Information security today, however, remains an immature science. But that’s also an exciting opportunity for all professionals. We’re all party to the creation of a new field, one guaranteed to grow in importance alongside the emergence of the new, networked information age of the 21st Century.
Driving the growth of a new set of security risks are the collaborative Internet technologies that we term Web 2.0. A few years ago, Symantec hijacked the term Security 2.0 for their security product strategy. But that was largely a marketing ploy. A more appropriate use of the term Security 2.0 is, in fact, to describe the new problem space and solution space, associated with Web 2.0 developments. These challenges require a different response from the process-focused security strategies that we have been employing to address the security risks associated with traditional IT systems. In particular, we need a much stronger focus on people, their context and their relationships.
This book aims to provide a road map to help navigate the new knowledge base that underpins the new paradigm of Security 2.0. We are in the midst of a revolution to create a new form of security. It’s a paradigm shift from a focus on systems and processes to a focus on people and their relationships. Whatever we call it is irrelevant. The important thing is to develop the vision, principles and the knowledge base to support it.
Creating a common body of knowledge was a key driver for the team of security professionals that developed the original British standard BS7799 in the early 1990s. We saw a business need and an opportunity to collect, document and agree commonly applied, proven practices. It was an exciting and important breakthrough. The material we assembled drew on just about everything we knew about information security at the time.
But BS7799, and its successor ISO27001, are based on a compliance-based approach to security, conceived more than fifteen years ago. They represent the practice of information security management in a process-driven business world, a world of scripted procedures based on industrial age, mass production principles. Networks are slowly dissolving the rigidity of repeatable processes. Tomorrow’s information age security needs are more demanding. We need a new, complementary approach to security, one more in tune with a real-time generation operating in a nomadic, networked world.
This book is written in the same spirit as the original BS7799, aiming to fill the gaps in our security knowledge base with insights, theories and principles adapted from other academic fields, as well as from pioneering work in the information security field. I set out to pull together the most comprehensive overview of theory and practice that I could conceive of, and to present it in an entertaining style. There will no doubt be gaps, and I will aim to rectify those in future editions.
Most of the techniques described in this book are tried and tested. They’re based on my personal experience of designing and implementing information security programs for large, complex organizations, such as Shell and Royal Mail. This is a book written by an information security professional for his fellow professionals, and for anyone else that might find it useful or interesting. I sincerely hope that you enjoy it and that you will learn many things that are interesting, helpful and illuminating.
David Lacey
CHAPTER 1
Power to the people
The power is out there . . . somewhere
What is power? And who holds its key? Many seek it. Some try to seize it. A few get to exercise it. Not all are successful. Power is an elusive goal.
Most people imagine power in terms of a kind of force or strength being exerted. That might be true for some types of power. But it’s the wrong perspective for understanding power over people. Because in practice, such power is less about personal status, physical strength or money – though these things help – and more about how other people respond to you. Power over people is in the eye of the beholder. And you can’t always buy that or gain it through status or force of arms.
It’s harder to manipulate people when they’re joined up through networks. And that trend is growing. That’s why, these days, even prime ministers and presidents can appear powerless. And it’s why captains of industry find it difficult to drive change across their organizations.
I asked a top CEO what it felt like, today, to be in charge of a big modern organization. He replied:
‘It’s like driving a big bus, except that the wheels aren’t connected to the steering wheel.’
If you work in a large enterprise, you’ll already have noticed this phenomenon. It’s becoming harder to make an impact on your fellow managers and staff. That’s never been easy of course. But it’s more challenging today. And the situation on the ground is much worse than you imagine. You’d be shocked if you carried out a review of how many company staff actually understand and follow your corporate policies.
I know this because I recently carried out such a survey, across dozens of organizations. The results made grim reading. The fact is that many corporate policies are not understood, communicated, implemented or enforced. Yet policy is the basis of information security. So either we’ve failed to get the message across, or for some reason, it’s being widely ignored. But that’s not just down to our own lack of competence. In fact, it’s a characteristic of a modern, networked society.
An information-rich world
In today’s fast-changing, information-rich world, people have many distractions. The relentless flood of e-mails is only the tip of the iceberg. A typical information worker will check his or her e-mail at least 50 times a day. But they will also look up a similar number of websites. And even more disruptive is the growing flow of real-time, instant or text messages.
Lost productivity from such distractions is estimated to be costing many hundreds of billions of dollars a year, though nobody seems to have measured the corresponding increases in efficiency that the technology brings. The jury is therefore still out on the balance of the benefits and costs presented by new network technologies.
But new technology is necessary to attract young graduates. And that provides a major edge in the growing competition to attract new talent. It’s not surprising, therefore, to find that top companies that aim to attract the best staff, such as Goldman Sachs, have until recently been amongst the most advanced companies in introducing the latest network technologies.
The end result is that people today have to be selective about what they pay attention to. They will concentrate on the issues that are most relevant to their immediate, personal needs.
Modern managers have little time for quiet reflection about speculative security risks and their consequences. And, increasingly, they will prefer to consult networked colleagues or public websites for advice on new issues, rather than asking official advisers.
It’s also hard to get subtle points across on complex subjects. And it’s virtually impossible to communicate lengthy policies and procedures with any real degree of success. When, for example, was the last time you read an instruction manual? Yet that’s what information security managers expect from company staff. And even if you can find the time to read it, how much of it would you remember? And what would prompt you to apply it?
In fact, traditional approaches to information security, such as publishing a thick manual of policies and standards, no longer work. They might be fine for enabling you, and your management, to tick your compliance boxes, to demonstrate that you’re discharging your corporate responsibilities. But lengthy edicts are ineffective as a means of influencing staff. They should be consigned to the corporate dustbin.
We need to rethink and re-engineer the way we communicate and enforce our security policies. And that’s no trivial feat, because the content is getting lengthier, and ever more complex. At the same time, many employers claim that literacy rates in the West are plummeting. It’s becoming an enormous challenge to communicate complex security policies to a volatile organization that’s constantly restructuring.
These are major challenges. We don’t have all the answers. But there’s quite a lot of change and improvement that needs to be applied. In particular, we need to implement security less on the basis of a ‘tick-the-box’ culture of defensive policy setting, and more on the basis of how people now think and behave.
We need to embrace, understand and exploit the social networks that are increasingly used by our colleagues and staff. Electronic networks are, in fact, both the source of the problem and the key to its solution.
When in doubt, phone a friend
Social networks empower managers, staff and customers. They don’t operate on the same lines as traditional organization structures. They resist dominance, and they erode the traditional, hierarchical power bases in organizations. Social networks are disempowering head offices and corporate centres, weakening the influence of corporate security policy in organizations.
The nature of decision-making is changing, decisively, and for good. It’s now much more a bottom-up, rather than a top-down process. Our thought leadership is no longer in the exclusive hands of a privileged group of central policy makers, and their consultants. It’s out there in the peer-to-peer networks running across our enterprise infrastructures. Power is moving to the people.
Forrester Research, an independent technology and market research company, has been tracking this trend for several years. Amongst other things, they’ve noted that trust in institutions is progressively weakening, and that social networking is undermining traditional business models.
We can see this in many types of business. You no longer need a travel agent to sort out your holiday arrangements. You don’t need to buy a copy of the Good Food Guide to find a decent restaurant. There are plenty of free opinions available on the Web. And they’re just about good enough for most people.
The same holds true for most other sources of independent advice. Professional, independent experts are on the run. In fact, social networking might even make research analysts, such as Forrester themselves, obsolete. At a Chief Information Officer Summit in Monaco a few years ago, I put this observation to Brian Kardon, their Chief Strategy Officer. ‘Yes, that’s a very good point. We’ve grasped that and are already working on the challenge,’ he admitted.
In fact, the future of research is likely to be one that favors the specialist, niche operators. The broader, more general stuff can be freely accessed on the Internet.
The phrase ‘The Long Tail’, coined by Chris Anderson in a Wired magazine article, describes the tendency for business products, especially intellectual ones such as information services, to increasingly fragment in order to satisfy the individual needs of customers. The future of business is selling less of more. And the same is true of security. We need to develop a broader portfolio of tailored advice that caters more closely to people’s specific needs.
Engage with the public
Smart stakeholders instinctively respond to this trend and seek to engage with their customers. Forward-looking companies increasingly seek the views of the general public on their activities.
The Royal Dutch/Shell Group, for example, tries to engage with citizens by encouraging people to pose questions to Shell executives. They learned the importance of such public dialogue many years ago, following a high-profile media campaign mounted by Greenpeace in reaction to their proposed method of disposal of the Brent Spar oil storage buoy.
Politicians are also well advanced in embracing and exploiting web technologies and other forms of social networking. Most have their own websites. Some engage in daily web chats and invite electronic petitions. Number 10 Downing Street, for example, has, for some time, run a website where e-petitions can be created by the public. And most political parties religiously consult focus groups of citizens before taking a view on any aspect of public policy.
Even the Royal Society now spends as much time engaging with the public as it does debating the finer points of scientific developments. This famous institution firmly believes that science is part of our wider culture and cannot flourish without the support of the wider community. Their ‘Science in Society’ program consults with members of the public from all walks of life and all geographic regions across the UK. That’s something that could not have been contemplated a hundred years ago.
The power of the blogosphere
All corporate communications managers monitor the ‘blogosphere’. It’s an evolving network that links huge numbers of personal web logs, enabling them to connect, interact and amplify the thoughts of popular individuals.
A few years ago, Reuters encountered the power of the blogosphere when bloggers discovered that a photograph of an Israeli F-16 firing missiles on Lebanon had been slightly doctored, in order to make the photo appear more sensational. This incident had a major impact on Reuters’ reputation, forcing them to rethink their news gathering strategy and to review the way they authenticate photographic images from their agents.
But more significant is the greater challenge that news agencies, such as Reuters, face as they contemplate moving towards a future news gathering process that is increasingly based on images captured by members of the public, rather than snapped by their trusted agents.
Blogging is very different from journalism. It’s more conversational and it has a greater focus on personal views than objective reporting. And, unlike newspapers, blogs are interconnected, resulting in a powerful network aggregation effect.
Karl Schneider, a former executive editor of New Scientist and an expert on new forms of media, sees major changes in the role of journalists. He believes they will progress from being ‘creators of news’, to acting in a role similar to a ‘disk jockey’, becoming ‘curators of information’ and ‘sowers of seeds’. Professional news gathering is changing, and will never be the same again.
The future of news
It’s interesting to speculate on the longer-term future of professional news services. Several years ago a flash movie called EPIC 2014 appeared on the Internet. It provided a fascinating glimpse of how news gathering might evolve over the next decade, shaped by competition from the progressive mergers and increasing dominance of big Internet companies.
The film also introduced a new word ‘Googlezon’ to the English language. As we’ll see in a later chapter, it can be a useful marketing trick to invent a catchy word or phrase, if you’re aiming to make a lasting impact with a memorable message.
In the film, Googlezon is a fictional company created when Google merges with Amazon. Eventually the company creates a news product called EPIC, the ‘Evolving Personalized Information Construct’, which automatically creates news that is tailored to individuals, without the need for journalists.
This eventually leads to the ‘news wars’ of 2010, in which Googlezon triumphs, triggering the downfall of the New York Times, which is forced to move offline, becoming ‘a print newsletter for the elite and the elderly’.
Whatever your views on the conduct or capability of the media, it’s clear that the death of professional news services would be a major blow to society. Whether or not professional journalists can survive, it’s certain that the future of news will be based on assemblies of citizen information, of varying accuracy and reliability, increasingly personalized to meet consumer tastes, defined by their historical network activity.
Leveraging new ideas
Social networks are surprisingly powerful, perhaps more so than most people realize. They threaten to undermine any long-standing institution that fails to engage with them. Networks are a powerful leveller, with little respect for status or authority, and a potent means of leveraging individual ideas and initiatives.
Some people can single-handedly transform organizations, cultures or countries. Great men like Gandhi and Nelson Mandela seem to effortlessly change the mindset of huge numbers of people. In the field of technology Bill Gates, Tim Berners-Lee and Steve Jobs have also driven through large-scale culture change. They were exceptional individuals, of course. But how did they do it? Were they lucky, timely, charismatic, or did they discover a magic formula for persuading people to follow and support them?
Perhaps it’s a combination of all or most of those things. But one thing is certain. However they approached it, their success was achieved by creating a critical mass of support across a social network. Either by chance or by design, they acted in a way that appealed to people, they created a compelling message. And at the same time, they were able to harness the power of social networks. They created a virtuous circle, a positive feedback loop that grew and grew.
In an increasingly networked society that’s the key to success. Whatever you’re trying to achieve, you have to find an effective means to capture people’s attention, develop a compelling justification, communicate in the language they understand and exploit their support, not just on an individual, one-to-one basis, but across a networked community.
Changing the way we live
Networks are the engine of the information age, arguably the modern equivalent of the factory to the industrial age. Wherever you look, digital networks, and the flows of knowledge and ideas they convey, are transforming the balance of power across business, society and politics.
Networks are flattening organizational structures, extending supply chains beyond traditional borders, enabling the globalization of markets, businesses and beliefs. They’re making billionaires out of twenty-something, Californian geeks. They’re changing the way we live and work, and they’re upsetting the balance of political power in the world. And there’s a lot more change to come.
Where will it lead? What will be the long-term impact on our everyday life? In fact, there are numerous dimensions to the impact of networks. And many are uncertain or unknown. But we already know some of the implications.
Urban planners, for example, have long experience of studying the impact of disruptive infrastructure changes such as the introduction of roads, railways, electricity and piped water. So it’s not surprising to find that leading experts in this field have already assessed the impact of the Internet on urban life.
Around 10 years ago, Professor William Mitchell, Dean of the School of Architecture and Planning at MIT, published an illuminating book called e-topia, setting out some of the implications of digital networks for urban planning. In particular, he spotted a number of interesting trends in US planning.
Technology companies, for example, have been progressively moving out of cities, in search of knowledge workers who prefer leafy suburbs. Millionaires prefer to migrate to upscale resorts, with good airport connections. That leaves the cities to young, single people and the businesses that need to employ them. ‘Sex brings cities alive’, as he puts it.
Observers in Seattle have already spotted radical, new patterns in commuting, such as the ‘reverse commute’ where male computer scientists, from Microsoft’s suburban complex, race downtown after work each day in search of females.
I wondered how these trends might play out in other countries, such as the UK, so I asked a logistics professor at a London university whether he expected to see the same type of changes. ‘No,’ he replied, ‘that won’t happen here, for all sorts of reasons, such as planning restrictions.’ ‘What might it be like then?’ I asked. ‘Just a lot more urban sprawl,’ he replied.
But however the land lies, mobility, and the nomadic working style it enables, will have a progressive impact on our working methods, and our office and social life. Multi-tasking – checking our e-mails, sending text messages and answering telephone calls, whilst travelling, cooking a meal or attending a meeting – is here to stay.
Dilbert-style cubicles are no longer necessary for staff that can hot-desk or access everything they need while travelling. Who needs an office when there are plenty of Starbucks coffee houses and wine bars in which to meet or touch down?
William Mitchell also suggests that 21st century building design and aesthetics will probably turn out to be the exact opposite of the sci-fi chic that futurists of the past imagined. Modern architects are now thinking more in terms of light, air, trees and gardens. And future building designs will also need more nooks and crannies, in order to provide privacy for individual laptop workers.
One of the most significant impacts of the growth of the connected society is a major shift in focus, from networking with people who happen to be within physical reach, to cooperating more with on-line, distant colleagues. People are becoming more dependent on the stronger ties they develop over networks, rather than the increasingly weaker ties they make through physical encounters.
We can reach many people through networks, but, perhaps paradoxically, digital networks also encourage the growth of isolated, always-connected, virtual cliques, making it harder for outsiders to gain attention. They strengthen digital families and established communities and weaken the influence of strangers. This phenomenon introduces both threats and opportunities for security managers aiming to make an impact on a workforce that is increasingly networked and mobile.
Transforming the political landscape
Networks, and the globalization they enable, have also transformed the international political landscape. The world is now positioned at a crossroads, where political power is shifting to new regions and countries, and existing regional and international institutions are struggling to exert their traditional level of influence.
The US National Intelligence Council regularly conducts long-range research and consultation exercises, to provide their policy makers with a view of how global developments might evolve over the next 15 years. Their recent report Mapping the Global Future, published in 2005, considered global trends up to the year 2020. Amongst other things, they noted that:
‘At no time since the formation of the Western Alliance system in 1949 have the shape and nature of international alignments been in such a state of flux.’
Futurists Alvin and Heidi Toffler were amongst the first to understand the transformational power of technology and networks. They set out their theories in a classic series of books published in the seventies and eighties. The ideas set out in these books were decades ahead of their time, so few business managers and citizens paid much attention to them.
But the Tofflers made a deep impression on governments and political stakeholders. Their book The Third Wave became a bestseller in China, the second-ranked bestseller of all time there, just behind a work by Mao Zedong, and an underground cult book in countries such as Poland. It helped transform US military doctrine, encouraging smarter tactics and weapons. And it transformed political thinking across the globe, even though these days you’d be lucky to find a copy in a British bookshop.
I experienced a flavour of this book’s influence when I visited Romania in the mid 1990s. My driver, like many locals, was naturally inquisitive about my lifestyle. He asked me what I did. I told him I worked in information technology. ‘That’s great,’ he said, ‘I’m just reading Alvin Toffler’s book: The Third Wave.’ I was impressed. ‘It’s also one of my favourite books,’ I confided. Then, as he dropped me off at the airport, he leaned over and asked ‘Will you ever meet Alvin Toffler?’ ‘I don’t know,’ I replied, ‘it’s possible. And if I do, I’ll pass on your compliments.’ ‘No,’ he said, ‘please convey to him the thanks of one million Romanian citizens.’
I never did get to meet Alvin Toffler, but I did manage to close the loop. Several years later, I was having a beer in an Amsterdam hotel with John Perry Barlow, founder of the Electronic Freedom Foundation and one-time rancher and Grateful Dead lyricist. I commented on how much his ideas aligned with Toffler’s. ‘That’s because I admire him, and he’s a good friend of mine,’ he replied. So I told him the story about my experience in Romania. ‘Wow, that’s cool,’ he said, ‘I’m seeing Alvin next week. I’ll tell him. He’ll be knocked out.’
It’s remarkable to think that a driver in Romania could be a mere three steps away from his literary hero, a person who inhabits an entirely different business and social world, in a continent many thousands of miles away. And that’s just through the power of a physical, social network. Just imagine what electronic ones could do.
Network effects in business
The concept of a ‘network effect’, the idea that a product or service can grow in value as more and more people adopt it, is an old one, first pointed out by Theodore Vail, president of Bell Telephone, around a century ago. It’s fairly obvious, of course, that the more people who have a telephone, the more calls you can make. But it took many years for the idea to be studied seriously by economists.
In fact, academics who study network effects, such as the former Stanford University Economics Professor Brian Arthur, have been in and out of fashion in recent years, with their theories of how positive feedback loops in networks might channel global wealth into the hands of a handful of first-mover, electronic commerce conglomerates.
As with many other dot-com predictions, that didn’t happen as fast as many investors had hoped, so much of the excitement about network effects in business and economics has now calmed down. But there’s a strong tendency for people to overestimate what will happen in the next year and underestimate what will happen in the next decade.
Many economists believe Brian Arthur got it wrong. Positive feedback loops present difficulties for economics. And there’s little hard evidence to support his theory. But a lot of people didn’t listen closely enough to the points he made. He differentiated collaborative networks, which grow more powerful with each new member, from others. There’s plenty of the latter but few of the former.
For example, if we all buy a book from Amazon or a similar website, there’s little collaborative value generated. In contrast, networks like eBay, Skype, Wikipedia and Facebook get more useful with each new member or transaction. But there aren’t enough examples of such sites, even though they are fantastically successful. The truth is that we’ve not been sufficiently imaginative to conceive, develop or exploit collaborative network effects. But that will, undoubtedly, come with time.
Being there
Electronic networks might be based on technology, but the resulting behaviour they generate bears more resemblance to an ecological system than a Swiss watch. Man-made, hub-and-spoke designs can create networks of surprising complexity and unpredictability. They are part of a class of networks called ‘scale-free’ networks, and they exhibit many unusual topological characteristics. They are, for example, more resistant to random failures than natural, organic networks, but they’re also more vulnerable to deliberate attacks that target big hubs or spokes.
We are only just beginning to understand the strange properties of complex networks. Many researchers are now looking at parallels between network activity and other scientific fields. One interesting theory proposed by Ginestra Bianconi, a graduate student, is that, under certain conditions, a single node in a network can become dominant. This theory, which is based on an analogy with gaseous condensates in physics, suggests that some of the phenomena we observe in competitive networks, such as the ‘first-mover advantage’, the ‘fit get richer’ or the ‘winner takes all’ outcomes might actually be phases in the underlying evolution of networks.
A consequence of this theory is that the largest or fittest node, at any one time, does not always end up as the eventual, dominant participant. Networks appear to favour certain members at particular times, accelerating their influence to positions of high dominance. It’s an advantage gained by being in the right place at the right time.
It might, in fact, be that large-scale success in networks is as much down to luck, as it is to skill, judgment or hard work. Networks are a great leveller. But they can also be a powerful kingmaker, under the right conditions.
Value in the digital age
Identifying value at risk is a key element of modern security and risk management. It shapes our priorities, countermeasures and enterprise programs. But where is the value in business today? It’s not just in the fixed assets and bank deposits. Increasingly it’s in our intellectual assets: the brands, reputation and the knowledge and skills of our employees.
For many years, technologists and economists have been studying the nature and value of intellectual capital. Much of it resides in social networks. But how do you recognize it or measure it?
At the height of the dot-com boom in May 2000, a few months after the NASDAQ hit its peak, I attended a conference in Washington DC on ‘Value and Values in The New Economy’. The conference was organized by TTI Vanguard, a private technology circle advised by luminaries including Gordon Bell, Alan Kay, Nicholas Negroponte, David Reed and Peter Cochrane.
The conference was attended by technology directors, economists and academics, and it focused on the shift of economic emphasis from ‘things’ to ‘connections between things’. Amongst other things, the speakers and attendees debated how we could measure the true value of dot-com companies.
At that time it appeared that the main reason for the huge valuations placed on Internet companies was their potential for leveraging large numbers of customer relationships. Various formulae were proposed to quantify the future potential of a start-up company. For example, by calculating the number of customers they might be able to win, the value of each relationship they control, and the capability of the company to exploit these relationships. There were some fascinating theories and algorithms put forward to help assess intellectual value. But they were largely discredited when the dot-com bubble burst.
There were also some interesting ideas on security and risk management put forward at that conference. Professor Peter Strassman, for example, suggested that security effort should be exclusively focused on employees that generate the maximum intellectual value. This might turn out to be a trader, researcher or strategist, for example.
It’s an interesting view, unfortunately too far ahead of its time. I could see it being impractical during a period when most organizations were struggling to patch up the weakest links in their infrastructure, rather than harden the protection around their crown jewels. But in the future, when basic security measures become pervasive, intellectual assets become easier to identify, and security threats become increasingly targeted at our most valuable assets, Peter’s ideas will certainly be worth revisiting.
Hidden value in networks
Nevertheless, there is huge value lurking in networks, at least in theory. Metcalfe’s Law, named after Robert Metcalfe, co-inventor of the Ethernet and a founder of 3Com, claims that the value of a network is proportional to the square of the number of users of the system.
This assertion is based on the number of relationships between individuals, the number of pairs that you can make. It assumes of course that some form of value can actually be derived from each relationship.
The way that the number of pairs increases with the size of a network is quite unexpected. We often experience this phenomenon when we clink champagne glasses at a celebration. When there are only three or four people, it’s quite easy. Just a handful of clinks and it’s done. But if you have a dozen people, it’s surprisingly harder, requiring more than sixty clinks. And if you have twenty people, it rises to a couple of hundred clinks.
Robert Metcalfe was one of the most influential technologists of the 20th century. He’s attained near legendary status in the industry. But he didn’t always get his forecasts right. Amongst other things, he predicted the imminent collapse of the Internet and the death of open source software! When the Internet failed to collapse, Robert was compelled to eat his words, literally, by placing a paper copy of his forecast in a blender.
In fact Metcalfe understated the network relationship potential. Reed’s Law, named after David Reed, an adjunct professor at MIT Media Lab and former Chief Scientist for Lotus Development Corporation, points out that the value of social networks scales exponentially with the number of members. That’s because network relationships are not just confined to pairs. We also need to take account of larger sub-groups.
Exponential growth is a much faster form of growth: the rate of growth is proportional to the quantity’s current value. For any exponentially growing quantity, the larger the quantity gets, the faster it grows. It’s the sort of growth you get by progressive doubling, or even tripling. It’s a sneaky form of growth, starting low and rising fast.
For example, if you place a single grain of wheat on the first square of a chessboard, then two grains on the next square, and so on, then by the time you reach the last square the total will be more than a thousand times the annual wheat production of the Earth. Early in the doubling sequence, the true power is not apparent to an observer. But after a few dozen operations the numbers become enormous.
Figure 1.1 overleaf illustrates the difference in growth between these two laws.
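The three counts discussed above, worked through in code as an added example that is not from the book: Metcalfe’s pairs (the champagne clinks), Reed’s sub-groups, and the chessboard doubling. The functions and the sample group sizes are mine; the 2ⁿ − n − 1 form of Reed’s count (all sub-groups of two or more members) is the standard reading of Reed’s Law, not a figure quoted in the text.

```python
from typing import Iterable, List, Tuple


def metcalfe_pairs(n: int) -> int:
    """Number of distinct pairs among n members: n choose 2 = n(n-1)/2.

    This is the count behind Metcalfe's Law and the 'champagne clinks'
    in the text: 12 people need 66 clinks, 20 people need 190.
    """
    return n * (n - 1) // 2


def reed_groups(n: int) -> int:
    """Number of possible sub-groups of two or more members among n members.

    Every member is either in or out of a sub-group (2**n combinations);
    discard the empty set and the n single-member 'groups'.  This is the
    exponential count behind Reed's Law.
    """
    return 2 ** n - n - 1


def chessboard_grains(squares: int = 64) -> int:
    """Total grains when square k (1-based) holds 2**(k-1) grains.

    The running total after the last square is 2**squares - 1; the loop
    shows how slowly it starts and how quickly it explodes.
    """
    total = 0
    for k in range(squares):
        total += 2 ** k
    return total


def growth_table(sizes: Iterable[int]) -> List[Tuple[int, int, int]]:
    """Side-by-side growth of the two laws for the given group sizes
    (my own choice of sizes, standing in for a chart)."""
    return [(n, metcalfe_pairs(n), reed_groups(n)) for n in sizes]


if __name__ == "__main__":
    print(f"{'members':>8} {'pairs (Metcalfe)':>18} {'sub-groups (Reed)':>22}")
    for n, pairs, groups in growth_table([3, 4, 12, 20, 30, 50]):
        print(f"{n:>8} {pairs:>18} {groups:>22}")
    print("chessboard total grains:", chessboard_grains())
```

The table makes the text’s point visible: pairs grow by a few hundred as the group grows from 12 to 50, while sub-groups grow by a factor of roughly 2⁴⁰ over the same range.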
Theories such as Reed’s Law are purely academic if we don’t know how to exploit them for real business value. But the potential prize is massive. There is huge latent value, perhaps waiting to be tapped, in any large social network. This is why venture capitalists have been paying so much attention to investments in social networking technologies.
How hard can it be to exploit the power lurking in networks? That’s the 64-dollar question. If we could find a way to tap just a small percentage of this power, then it would be valuable. In fact, there are some features of social networks that suggest it might be easier than we imagine.