Why are we so “emotional” in security?

March 10th, 2016

Steve Furnell - Chair

CREST



Introduction

• None of us agree easily on risks, issues, scale of the threat, seriousness of vulnerabilities, speed to market, need for connectivity (in the context of IoT), recommended solutions, implementation of standards, best / good practice, evidence of compliance for audit or legislative purposes

• We seem to spend a lot of time admiring the problem collectively, and yet in reality "we" are failing. Continually, more breaches are being reported - and experienced. So we cannot hold our heads up high and claim that we are succeeding.

• If we always do what we've always done, we'll always get what we've always got... We clearly need to consider working differently.


First came Emotional Intelligence

Emotional intelligence (EI) or emotional quotient (EQ) is the capacity of individuals to recognize their own, and other people's emotions, to discriminate between different feelings and label them appropriately, and to use emotional information to guide thinking and behavior.

https://en.wikipedia.org/wiki/Emotional_intelligence


Then came Human Factors

• Human factors and ergonomics (HF&E), also known as comfort design, functional design, and systems, is the practice of designing products, systems, or processes to take proper account of the interaction between them and the people who use them.

• https://en.wikipedia.org/wiki/Human_factors_and_ergonomics

• We’ve been seeking to address this for more than 16 years – from our “security” viewpoint

• We have insufficient evidence of success


Growing Pains

• But what about:

– Passion

– Drive

– Petulance - the quality of being childishly sulky or bad-tempered

– Ego

– Histrionics - melodramatic behaviour designed to attract attention

– Trust

– Belief

– Management Hubris

– Dumbing Down – read this – it’s spreading! http://www.sott.net/article/313177-The-cult-of-ignorance-in-the-United-States-Anti-intellectualism-and-the-dumbing-down-of-America

• Find the time to learn rather than know


The Grant of Royal Charter

First Royal Charters were granted in the 13th Century – to the Universities of Cambridge and Oxford

Thereafter, trade guilds, academic institutions and charities

First chartered body – recognised as a traditional profession – the Royal College of Physicians (established in 1518)

Only 3 or 4 more in the next 300 years

19th Century – Industrial Revolution

Next 300 Royal Charters granted in just 80 years, including solicitors, accountants, engineers, architects and surveyors (and in 1890, even journalists)


Change is a constant

• Concerns now exist – suspicions remain

• From the outside in: Professions seek protectionism and restraint of trade

• From the inside out: slow to change and obstruct development of new and better ways of working and collaborating

• Loss of public trust

• Tectonic shift in professions

• Professions perform a valuable role and are adaptable

• Change can be both inexorable and an existential threat

• Requires imagination, innovation and information to maintain forward looking solutions


Characteristics of a Profession

• Control by a governing body which directs the behaviours of its members, sets adequate standards of entry-level education and continuing competence, and sets ethical rules and professional standards

• Rules and standards are higher than those established by the general law and are designed for the benefit of the public and not for private advantage

• A membership which is independent in thought and outlook, but subordinates its private interests in favour of support for the governing body and observes its rules and standards

• Disciplinary action if rules and standards are not observed or in the event of bad work

• Providing leadership:

– At an institutional level - an obligation to develop and disseminate a genuine body of knowledge

– At an individual level - the requirement to exercise judgement

Source: Lord (Henry) Benson, 1992 House of Lords debate, in Morrell, P. (2016), Professions pulled from their pedestal, Management Today, February, p.44


Features of Professions

• Forward-looking educational standards

• Benchmarking the expertise of members

• Transparent and enforced code of ethics

• Moving from a tendency to exclusivity (centred on members’ interests) to one of inclusivity (centred on a defined duty to serve the public interest)

• Development and dissemination of a relevant body of knowledge

• Demonstration of leadership on some of the great issues of the day

• Thus, represents a vocation

Source: Morrell, P. (2016), Professions pulled from their pedestal, Management Today, February, p.46


ISC2 Code of Ethics

• All information systems security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the "Code"). (ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. (ISC)² members are obligated to follow the ethics complaint procedure upon observing any action by an (ISC)² member that breaches the Code. Failure to do so may be considered a breach of the Code pursuant to Canon IV.

Code of Ethics Preamble:

• Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:

1. Protect society, the commonwealth, and the infrastructure

2. Act honorably, honestly, justly, responsibly, and legally

3. Provide diligent and competent service to principals

4. Advance and protect the profession

https://isc2chapter-phoenix.org/index.php/membership/isc-2-code-of-ethics


BCS Code of Conduct

• BCS, The Chartered Institute for IT champions the global IT profession and the interests of individuals engaged in that profession for the benefit of all.

• Applies to all members, irrespective of their membership grade, the role they fulfil, or the jurisdiction where they are employed or discharge their contractual obligations.

• Professional Competence and Integrity

You shall:

a) only undertake to do work or provide a service that is within your professional competence.

b) NOT claim any level of competence that you do not possess.

c) develop your professional knowledge, skills and competence on a continuing basis, maintaining awareness of technological developments, procedures, and standards that are relevant to your field.

d) ensure that you have the knowledge and understanding of Legislation* and that you comply with such Legislation, in carrying out your professional responsibilities.

e) respect and value alternative viewpoints and, seek, accept and offer honest criticisms of work.

f) avoid injuring others, their property, reputation, or employment by false or malicious or negligent action or inaction.

g) reject and will not make any offer of bribery or unethical inducement.

http://www.bcs.org/category/6030


ISSA Code of Ethics

• The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association.

• As an ISSA member, guest and/or applicant for membership, I have in the past and will in the future:

• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;

• Promote generally accepted information security current best practices and standards;

• Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;

• Discharge professional responsibilities with diligence and honesty;

• Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of or is detrimental to employers, the information security profession, or the Association; and

• Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

http://www.issa.org/?page=codeofethics


ISACA Code of Ethics

• ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and ISACA certification holders shall:

• Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.

• Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.

• Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

• Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.

• Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.

• Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

• Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.

http://www.isaca.org/Certification/Code-of-Professional-Ethics/Pages/default.aspx


IISP Code of Ethics

• A profession is distinguished by certain characteristics, including:

• mastery of a particular intellectual skill, acquired by training, education and experience;

• adherence by its members to a common set of values and code of conduct; and

• acceptance of a duty to society as a whole.

Objectives

• This code of ethics recognises that the objectives of the information security profession are that its members should work to the highest standards of professionalism and that their work should fully satisfy the needs of all stakeholders and those of society as a whole. These objectives require that three basic needs are satisfied, namely:

• Trust - for employers, clients, regulators, other interested parties and for society as a whole there is a need for trust in information and information systems and in the practitioners working in those fields

• Quality - there is a need for assurance that all services obtained from an information security professional are carried out to the highest levels of performance

• Standards - users of the services of information security professionals should be confident that a framework of professional ethics and technical standards exists, which governs the provision of those services.

https://www.iisp.org/imis15/iisp/Member/IISP_Code_of_Ethics.aspx


Compliance

Good Security


And yet….


Debate

• What are the top five things that we could do or change to improve our lot to protect and survive?