The Tortoise and the Hare - Why speed may be less important than awareness when it comes to truly effective cyber security

Written by Mark Johnson on Friday September 14, 2012

A Jumbo Jet only travels fifty times faster than a horse and buggy.  A modern computer processes data thousands or millions of times faster than its own forebears.  In fact, Quadrillions of times faster in at least one case. Meanwhile, the human brain, having taken millions of years to evolve to its current state and has changed little (if at all in my case) since the era of wooden hunting sticks.

It is little wonder that we collectively struggle to comprehend, much less cope with the speed of modern data processing and computing applications.  In fact, system output must be dramatically slowed down to a crawl or frozen temporarily on a screen, in order for us to process and absorb it.  On the other hand, no computer ever built can come close to us in terms of our ability to make reasonably intelligent choices most of the time, based on the limited amounts of data we can hold in active memory.  Our brains process about 400 Billion bits of information per second, but we are only aware of 2000 bits.  And even 2,000 sounds like a lot!

When viewed in the context of cyber security, this mismatch between computing speeds and human capabilities takes on a special significance.  Cyber crime access is gained and exploits are conducted in fractions of a second.  While automated prevention and detection tools can operate at computer speeds, investigative, incident response and related processes often run at human speed, and slow human speed at that, because rational decisions are required that factor in many parameters not easily captured in a data table.

The discrepancy is compounded by the fact that our business processes and tools may focus more on the breach of security than they do on the resulting exploitation of that breach.  This was exemplified during the 2011 Sony Online Entertainment (SOE) episode, when SOE was able to report on a series of intrusions, but seemingly unable to provide a confident estimate of how much data had actually been taken, how it might be used, and what the potential harm might be to the business and its customers.  Even if SOE did know the answers, it badly mishandled the media side of the incident and did much damage to its own brand in the process.

It may be that there is a systemic focus on incidents rather than consequences.  This might be a result of the fact that incidents occupy the attention of a relatively tiny group of security and IT administration specialists, while the consequences of a breach demand the attention of a much wider and more senior audience.  The wider audience often lacks the awareness of the issues necessary to support the development of rational appreciations of the impact of events, or the conduct of good crisis management.

This provides part of an explanation for why so many leading blue chip firms handle post cyber security incident responses and communications so badly - the people in charge don't understand the topic they are attempting to address, while those who do understand are considered too junior to be put in charge of the crisis, or even to speak to the media.

Collectively, we run the risk of finding that we are shackled by the constraints of our risk-averse hierarchical organisations, once platform and services level risks actually assume strategic proportions.  Our fear of potential risks undermines our ability to deal with manifest risks.  The bumbling, confused and often incoherent response of our political leadership to the 2011 UK riots gave us a taste of the quality of management we can expect during a national cyber security crisis.

The solutions to this challenge are simple in theory but challenging in their realisation.  They involve a mix of activities including, but not limited to the following:

1. Greatly improved awareness of data and systems security risks and impacts at all levels within both business and government.  Data is now one of our key assets and we need to understand it just as we do any other important business or national asset.
2. Enhanced incident response, business continuity and disaster recovery planning, within each business and nationally, combined with regular crises management exercises ranging from the complete loss of Internet services to the handling of social media content.
3. Shared accountability for security and incident response across the organisation at all levels.
4. Improved data classification schema and data segmentation projects that place the kinds of personal data exposed during the SOE breach, and other similar incidents, in much more secure locations than those in which they were reportedly held.
5. A shift in the onus of responsibility for installing and updating security and anti-malware applications away from consumers and users and onto the shoulders of the suppliers of the devices, software and services.
6. The introduction of proper cyber security awareness classes into the National Curriculum for children aged 5 and above.

Absent a complete technical (and resultant economic) collapse, our cyber-dependency seems likely to remain a permanent feature of our lives.  If you want to identify your greatest risk, you simply need to identify your greatest dependency.  The continuation of the cyber security status quo leaves us exposed to potential crises of immense proportions

Mark Johnson is the founder and Chairman of The Risk Management Group, a high-tech risk control consultancy specialising in the delivery of training, advice and solution design to firms and vendors in the financial services and communications sectors.  This article is an extract from Mark’s upcoming book, Cyber Crime, Security and Digital Intelligence, to be published by Gower Publishing. Mark is co-author of ICA's upcoming cyber risk management programmes.