<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>The Security Catalyst &#187; Security Awareness Training</title>
	<atom:link href="http://www.securitycatalyst.com/tag/security-awareness-training/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com</link>
	<description>harnessing the human side of security</description>
	<lastBuildDate>Wed, 25 Jan 2012 15:57:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<!-- podcast_generator="Blubrry PowerPress/2.0.4" -->
	<itunes:summary>harnessing the human side of security</itunes:summary>
	<itunes:author>The Security Catalyst</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.securitycatalyst.com/wp-content/plugins/powerpress/itunes_default.jpg" />
	<itunes:subtitle>harnessing the human side of security</itunes:subtitle>
	<image>
		<title>The Security Catalyst &#187; Security Awareness Training</title>
		<url>http://www.securitycatalyst.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.securitycatalyst.com</link>
	</image>
		<item>
		<title>What a shopping carts reveals about security awareness</title>
		<link>http://www.securitycatalyst.com/2010/09/what-a-shopping-carts-reveals-about-security-awareness/</link>
		<comments>http://www.securitycatalyst.com/2010/09/what-a-shopping-carts-reveals-about-security-awareness/#comments</comments>
		<pubDate>Wed, 15 Sep 2010 13:11:47 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=3184</guid>
		<description><![CDATA[What can grocery-shopping carts teach us about building security awareness that works to influence behavior change? Turns out perhaps more than imagined. During a recent hotel stay, I took a trip to a local grocery store to buy some snacks. I pulled into the lot, parked and headed to the store. Since I only needed [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_3185" class="wp-caption alignleft" style="width: 310px"><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/09/iStock_000005111604XSmall.jpg"><img class="size-medium wp-image-3185" title="shopping carts" src="http://www.securitycatalyst.com/wp-content/uploads/2010/09/iStock_000005111604XSmall-300x196.jpg" alt="" width="300" height="196" /></a><p class="wp-caption-text">Tokens, Shopping Carts and Security Awareness</p></div>
<p>What can grocery-shopping carts teach us about building security awareness that works to influence behavior change?</p>
<p>Turns out perhaps more than imagined.</p>
<p>During a recent hotel stay, I took a trip to a local grocery store to buy some snacks. I pulled into the lot, parked and headed to the store. Since I only needed a few items, I walked past the carts toward the entrance.</p>
<p>At the entrance a rather LARGE sign explained, &#8220;change machine for the carts inside store.&#8221;</p>
<p>Something about the sign encouraged me to stop; I needed to understand the need for change for a cart.</p>
<p>Turns out that the carts had a strapping mechanism that essentially tethered them together when stacked properly. Unlocking the cart required a quarter. When the cart was properly returned, the quarter was released and returned.</p>
<h3>But a quarter is only $0.25</h3>
<p>At first, this struck me as silly. Even in this economy, a quarter isn&#8217;t much and I thought it lacked the value to influence cart behavior. And it seemed like an inconvenience.</p>
<p>In the thick humid dusk of the evening, I took a few moments to look out and scan the parking lot. Not a loose cart in sight. So I looked harder and longer for a loose cart to prove someone bucked the trend and &#8220;just didn&#8217;t care.&#8221; Yet all of the carts were either in use or put away.</p>
<h3>The token is engagement</h3>
<p>Then it hit me: the quarter was only a token, a gesture. The money, in all reality, meant nothing. People put a quarter in, but they got it back. They weren&#8217;t renting the cart. At play was the physical act &#8211; the token &#8211; to connect individuals to the cart.</p>
<p>The token (the quarter) engaged people, connected them to the use of the cart and essentially redefined normal.</p>
<p>The use of a quarter to unlock and use the cart connected people to the process. Awareness of the condition to use the cart ensured people carried a quarter, sought change from the machine (inside the store) and served as a subtle reminder to return the cart &#8211; if only to get their quarter back.</p>
<h3>So how does this apply to security awareness and influencing behaviors?</h3>
<p>With a different perspective, these carts taught me a lot about the value of engagement and commitment. By asking for a small value &#8211; which will be promptly returned, in full &#8211; the interaction changes.</p>
<p>The key here is the token.</p>
<p>It was more than symbolic &#8211; and it required some thought or action, but it was not onerous. I suspect shoppers at the store routinely had a quarter or two in their pockets, purses or cars&#8230; without complaint.</p>
<p>The low economic value of the token is important to the function. Engaging people in this way does require a shift in behavior (and the first shift is sometimes the hardest), but make it too complex or otherwise costly, and it will be summarily ignored or revolted against.</p>
<p>In the coming weeks and months, we will continue to explore parallels, amplify the good and advance our ability to address the human paradox, shift thinking and inspire behavior change through security awareness that works.</p>
<p>How are you using &#8220;tokens&#8221; in your efforts? More importantly &#8211; how did you figure it out, how is it working and how is it evolving?</p>
<p>Share your experiences in the comments, <a href="http://twitter.com/catalyst">engage me on twitter</a>, <a href="http://www.securitycatalyst.com/contact/">send me an email</a> or pick up the phone and call. I&#8217;d love to learn about the token in your efforts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/09/what-a-shopping-carts-reveals-about-security-awareness/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Why the definition of security awareness matters</title>
		<link>http://www.securitycatalyst.com/2010/08/why-the-definition-of-security-awareness-matters/</link>
		<comments>http://www.securitycatalyst.com/2010/08/why-the-definition-of-security-awareness-matters/#comments</comments>
		<pubDate>Mon, 09 Aug 2010 08:52:35 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=3107</guid>
		<description><![CDATA[Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm. ~ Donella Meadows Considering the meaning, purpose and expression of security awareness is a personal and professional pursuit. In fact, it&#8217;s my sole focus and the reason [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p><em>Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm.</em> ~ Donella Meadows</p></blockquote>
<p>Considering the meaning, purpose and expression of security awareness is a personal and professional pursuit. In fact, it&#8217;s my sole focus and the reason I created the security <em>Awareness that Works&#8482;</em> system.</p>
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/08/iStock_000009624589XSmall.jpg"><img class="alignleft size-medium wp-image-3108" title="the definition" src="http://www.securitycatalyst.com/wp-content/uploads/2010/08/iStock_000009624589XSmall-300x223.jpg" alt="" width="300" height="223" /></a>As a result, I regularly discuss successful security awareness programs, and I start most discussions with a simple question, &#8220;what does it mean to be aware?&#8221;</p>
<p>The range of answers &#8211; from blank stares and silence on the phone to lengthy lectures &#8211; has little to do with awareness. In fact, I had one executive suggest to me that trying to define awareness was akin to <a href="http://en.wikipedia.org/wiki/I_know_it_when_I_see_it">US Supreme Court Justice Potter Stewart attempting to define pornography when he wrote, &#8220;&#8230; I know it when I see it&#8230;</a>&#8221;</p>
<p>I disagree.</p>
<p>And here is the challenge: without a clear understanding and functional definition of security awareness, it is impossible to obtain (for ourselves, let alone to influence the awareness of others). Worse, this means there is no vision, guidance or purpose to awareness that is easily understood; awareness becomes a burden to fund instead of an opportunity to invest.</p>
<p>Good news &#8211; it doesn&#8217;t have to be this way.</p>
<p>If the goal is to shape the culture and increase &#8220;awareness,&#8221; it is essential to understand what awareness is, what it can do, and how to recognize when people are, in fact, aware.</p>
<h3>How do others define awareness?</h3>
<p>Awareness is not a new concept. Here are three definitions that share common threads, easily applied to the challenge of generating awareness with regards to security and risk:</p>
<ul>
<li><strong><a href="http://en.wikipedia.org/wiki/Awareness">Wikipedia defines awareness as</a></strong>: <em>the state or ability to perceive, to feel, or to be conscious of events, objects or sensory patterns. In this level of consciousness, sense data can be confirmed by an observer without necessarily implying understanding. More broadly, it is the state or quality of being aware of something. In biological psychology, awareness is defined as a human&#8217;s or an animal&#8217;s perception and cognitive reaction to a condition or event.</em></li>
<li><strong>Awareness is also defined in personal injury claims</strong>: <em>Conscious of stimulation, arising from within or from outside the person.</em></li>
<li><strong><a href="http://www.markintell.com/market-intelligence-glossary-a">Marketing is keen on awareness</a>:</strong> <em>a measure of respondents&#8217; knowledge of an object or an idea. There are two main measures of awareness: spontaneous (or unaided) and prompted (or aided) awareness.</em></li>
</ul>
<p>The common threads with these and other definitions are a sense of individual, recognition of actions and a measurable component related to some sort of message. Also consistent is the notion that awareness can be spontaneous and internal, or external to the person and aided.</p>
<p>These definitions prove a good starting point for considering what it means to be aware. But we also have to consider the underlying challenge individuals and organizations must solve: the human paradox (for more see: <a href="http://www.securitycatalyst.com/2010/08/why-people-are-not-the-problem-and-where-to-look-hint-grab-a-mirror/">Why people are not the problem</a>&#8230;).</p>
<h3>How The Human Paradox impacts Awareness</h3>
<p>When it comes to managing risk, information and the relationships with people, the real challenge is <strong>The Human Paradox</strong>: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.</p>
<p>The human paradox has an interesting impact on awareness: the more disconnected people are from the consequences, the more complicated &#8211; and costly &#8211; the effort to reconnect them.</p>
<p>This is why traditional &#8220;security awareness training&#8221; falls short: failure to address the human paradox. In some cases, these programs may actually increase the gap between individuals and consequences, creating more risk, increasing complexity and wasting money.</p>
<h3>Security Awareness, Defined</h3>
<p>For awareness efforts to be successful, we have to start with a clear definition. After considering awareness and the impact of the human paradox, I propose a short, clean and simple definition for awareness:</p>
<blockquote><p><strong>Awareness</strong>: an individual&#8217;s realization of the consequences of his or her actions (or decision).</p></blockquote>
<p>When Awareness that Works&#8482; is obtained, the definition is enhanced by the ability to assess the <em>impact</em> of the consequences. Soon I will explain why we absolutely must reconsider consequences.</p>
<p>This definition of awareness actually shifts the purpose of the program. By improving the vision of awareness (we have more work to do there), the potential for training and other resources to provide measurable return is clearer.</p>
<p>Of course, there is more to consider: how to define the program, generate awareness, measure what matters and communicate what counts. But sometimes the simple shift of a definition and proper use of a concept is the spark that brings change.</p>
<p>So what does awareness mean to you?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/08/why-the-definition-of-security-awareness-matters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RV Adventure inspired Awareness that Works&#8482;</title>
		<link>http://www.securitycatalyst.com/2010/05/rv-adventure-inspired-awareness-that-works%e2%84%a2/</link>
		<comments>http://www.securitycatalyst.com/2010/05/rv-adventure-inspired-awareness-that-works%e2%84%a2/#comments</comments>
		<pubDate>Mon, 03 May 2010 16:06:07 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[awareness that works]]></category>
		<category><![CDATA[keynote speaker]]></category>
		<category><![CDATA[rv]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Security Awareness Training]]></category>
		<category><![CDATA[security speaker]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2947</guid>
		<description><![CDATA[As the son of a son of a sailor I went out on the sea for adventure Expanding the view of the captain and crew Like a man just released from indenture As a dreamer of dreams and a travelin&#8217; man I have chalked up many a mile Read dozens of books about heroes and [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p><em>As the son of a son of a sailor </em></p>
<p><em>I went out on the sea for adventure </em></p>
<p><em>Expanding the view of the captain and crew </em></p>
<p><em>Like a man just released from indenture </em></p>
<p><em> </em></p>
<p><em>As a dreamer of dreams and a travelin&#8217; man </em></p>
<p><em>I have chalked up many a mile </em></p>
<p><em>Read dozens of books about heroes and crooks </em></p>
<p><em>And I learned much from both of their styles </em></p>
<p><em> </em></p>
<p><em>&#8211;Jimmy Buffett, Son of a Son of a Sailor</em></p></blockquote>
<p>With Jimmy Buffett playing on the radio, we set &#8220;sail&#8221; in January in our forty-foot diesel pusher RV. With the roads as our sea, we set out for adventure, and more: we set out to change our lifestyle.</p>
<p><strong>My family stopped collecting things and started collecting experiences.</strong> And we are liberated.</p>
<p>The process of leaving the house included going through nearly every single thing we &#8220;owned.&#8221; It was an exhausting process filled with memories, discussions and the sober realization that it is easy to collect things. While we found some great purchases and reminded ourselves of great times over the last decade, we also realized we had unwittingly accumulated a lot of stuff.</p>
<p>The process of simplifying our possessions was powerful. As we fired up the diesel and headed south in search of warmer weather, we resolved to do three things:</p>
<ol>
<li>Simplify our lifestyle and schooling (road school is for all of us, not just the kids)</li>
<li>Streamline our fitness and nutrition</li>
<li>Simplify our business</li>
</ol>
<p>In the short few months we have been &#8220;on the road,&#8221; we have managed to make great progress on all three goals. Pursuit of these may be a constant journey that evolves over time, but we live each day to the fullest and cherish the time we have with each other and those we meet on our journey.</p>
<p>Streamlining our lives, nutrition and fitness has obvious benefits. For me, the real breakthrough came on the business front.</p>
<p>It started in December, before we left, while speaking with a friend. After listening to my goals, he left me with these words from Bruce Lee:</p>
<blockquote><p><em>&#8220;I fear not the man who has practiced 10,000 kicks once, but I fear the man who has practiced one kick 10,000 times.&#8221;</em></p></blockquote>
<p>Sometimes the right words shared at the right time make the difference. For me, this was instantly profound, powerful and put my quest into context. I had run a successful business practicing a lot of kicks. It was time to mature and find my &#8220;one kick.&#8221;</p>
<p>After a few weeks of active thinking, writing/journaling and speaking with friends (including clients), the path that blended professional speaking, writing, training, information security, adult learning and my background in Human Ecology came into focus. A few more conversations and it became as clear to me as it had been to others: I needed to focus on awareness.</p>
<p>It is no secret I am disappointed with the industry efforts at &#8220;security awareness training.&#8221; More often than not, the traditional attempts waste money and even increase risk! I refused to simply do what everyone else was doing.</p>
<h3>My &#8220;one kick&#8221; is Awareness that Works&#8482;</h3>
<p>So I took more time to consider my entire experience and the elements that worked. I am excited to share the result: Awareness that Works&#8482;</p>
<blockquote><p><em>Awareness that Works&#8482; connects people to the consequences of their actions, creating a shift in thinking that inspires behavior change. Individuals achieve understanding in their own context, and then are guided, shaped, and supported with materials and training tailored to them.</em></p></blockquote>
<p>To be effective, awareness needs to be separated from training. This provides some concrete benefits and sets the stage for the right messaging, training and support to not only influence behaviors, but to provide needed insights and information to the organization.</p>
<p>I want to work with people who have a mandate for awareness and are ready to work with me to move the <strong>cost</strong> of working with people to an <strong>investment</strong>. The approach I created to guide organizations &#8211; tailored to the unique aspects of each &#8211; works so well that it pays for itself. <strong>In fact, I guarantee it.</strong></p>
<p>This is my focus. 100% of my time, energy, effort, and research go into how we work together. And with this focus, I plan to write and share more.</p>
<p>I&#8217;m excited about the initial results &#8211; and the conversations about awareness I share every day.</p>
<h3>Consider yourself invited!</h3>
<p>If you are focused on addressing awareness (and the subsequent training), I want to speak with you. No strings, no selling. Just discussing.</p>
<p>And our journey continues.</p>
<p>The current plan (which is always subject to change) is to spend a few more weeks in Myrtle Beach, South Carolina. We&#8217;re enjoying the beach, finishing up repairs to the RV, and focusing on the launch of Awareness that Works&#8482;.</p>
<p>Soon, we head back on the roads for adventure. No doubt we&#8217;ll &#8220;chalk up many a mile&#8221; &#8211; blending it with reading, writing, sharing and learning. The campfires will be many and the conversations plenty.</p>
<p>Life is good.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/05/rv-adventure-inspired-awareness-that-works%e2%84%a2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Three Ways to Make Awareness Measurable</title>
		<link>http://www.securitycatalyst.com/2009/01/three-ways-to-make-awareness-measurable/</link>
		<comments>http://www.securitycatalyst.com/2009/01/three-ways-to-make-awareness-measurable/#comments</comments>
		<pubDate>Tue, 20 Jan 2009 11:52:28 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=988</guid>
		<description><![CDATA[By Julie Fugett So much of what we do in information security is immediately measurable: how many packets did the firewall drop? How many security incidents did we handle this week? Elsewhere, however, our reach can be more difficult to measure. How effective is our awareness program? Are we talking about the right topics to [...]]]></description>
			<content:encoded><![CDATA[<p><!--StartFragment--></p>
<p class="MsoNormal"><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/01/measuring_people.jpg"><img class="alignright size-medium wp-image-990" title="business growth and success - graph 13mp" src="http://www.securitycatalyst.com/wp-content/uploads/2009/01/measuring_people-300x198.jpg" alt="business growth and success - graph 13mp" width="300" height="198" /></a>By Julie Fugett</strong></p>
<p class="MsoNormal">So much of what we do in information security is immediately measurable: how many packets did the firewall drop? How many security incidents did we handle this week? Elsewhere, however, our reach can be more difficult to measure. How effective is our awareness program? Are we talking about the right topics to the right people? Does anybody even <em>care?</em></p>
<p class="MsoNormal">My primary job duties center on security awareness, so it&#8217;s important to me that people care. I like to joke that I&#8217;m &#8220;justifying my existence&#8221; by compiling metrics regarding security awareness, but that&#8217;s only half the story. Showing that your security awareness program is reaching its intended audiences may have compliance implications as well. Regulations like HIPAA and contractual agreements like the Payment Card Industry Data Security Standard have security awareness requirements built in. Depending on the type of data your organization handles, you may have some of these obligations placed at your feet!</p>
<p class="MsoNormal">You should ensure that your efforts are actually measurable. Posters on the break room bulletin board are great, but how do you know they&#8217;re having an impact? A banner on the company intranet draws attention to your cause, but have you taken steps to track how many people are clicking through to your website? When you give presentations, how do you know if anybody even paid attention?</p>
<p class="MsoNormal">It can be overwhelming to think about all the data points you &#8220;should&#8221; track when it comes to security awareness. My advice: start small. Do the easy things. There will be time later to draw detailed conclusions about the efficacy of your campaign. If you are just beginning, try to put those things out of your mind&#8212;if you&#8217;re anything like me, you&#8217;ll get so caught up wanting it to be &#8220;perfect&#8221; that you&#8217;ll never take that first step.</p>
<p class="MsoNormal">One of the simplest things I do is count how many people I talk to during the course of a year. I have a spreadsheet where I record the date, the nature of the event, and how many people showed up. When you are showing your managers how effective your awareness campaigns are, it is far more effective to say &#8220;I talked to 1500 people in 2008&#8221; than &#8220;boy, we did a BUNCH of stuff for Security Awareness Month in October!&#8221; If you fight nerves during your presentations, have someone else count for you so you don&#8217;t forget.</p>
<p class="MsoNormal">Asking for specific, written feedback can be hugely beneficial. Bribing for it is even more so. I teach workshops for which there is optional online feedback that can be given after the workshop is finished. Probably 10% of my students fill out that feedback. I see three reasons for this:</p>
<ol>
<li>It&#8217;s online. My presentations tend to make people skittish about the Internet for a while, so they don&#8217;t believe me when I say the feedback is anonymous.</li>
<li>It&#8217;s kind of long. The feedback form asks at least 10 questions&#8212;most of them about the class and the instructor.</li>
<li>They get nothing for their time. No fun swag, no free soda, just a &#8220;thanks for your feedback.&#8221;</li>
</ol>
<p class="MsoNormal">On the other hand, the feedback I solicit during Cybersecurity Awareness Month in October gets nearly 100% participation. Here&#8217;s why:</p>
<ol>
<li>It&#8217;s anonymous&#8212;I don&#8217;t even give them a place to write their name.</li>
<li>There are three questions, and they&#8217;re mostly about the student&#8217;s perceptions and concerns.</li>
<li>The bottom of the feedback form tears off and enters the attendee in a drawing for prizes.</li>
</ol>
<p>Finding out what worries your coworkers about information security will help you learn where to focus your efforts. Knowing their frame of mind will give you an &#8220;in&#8221; so you can discuss your issues (encryption, document disposal, mobile devices, whatever) in a manner that is more meaningful to them. Tracking this feedback is another great way to show management that you are running an agile and responsive security awareness program.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/01/three-ways-to-make-awareness-measurable/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Improve your security awareness training with pedometers</title>
		<link>http://www.securitycatalyst.com/2007/12/improve-your-security-awareness-training-with-pedometers/</link>
		<comments>http://www.securitycatalyst.com/2007/12/improve-your-security-awareness-training-with-pedometers/#comments</comments>
		<pubDate>Mon, 03 Dec 2007 18:22:21 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[reinforcement]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/12/03/improve-your-security-awareness-training-with-pedometers/</guid>
		<description><![CDATA[The goal in building an effective security awareness training campaign is changing behaviors.  While there are many factors to consider, an important factor is useful feedback, presented in a meaningful way to the end user.  Many of the security awareness training programs we evaluate use measures to point out when users do something wrong - for example, using pink or red tape flags or other notices when people violate a clean desk policy. People are then surprised when these measures fail.  Put yourself in their shoes - do you like being told you're wrong all the time?...  USA Today ran a story entitled, "Pedometers may encourage weight loss" (By CARLA K....  Turns out that people looking to lose weight through increased movement get good results when they use a pedometer.  They have a challenge and an external tool helping them keep track. They write their progress in a journal, which has three distinct benefits: 1....  they have a record of their events, so they can establish a trend and measure progress (or understand lack of progress) 3.  they establish a challenge for themselves - and a good (and reasonable) challenge motivates! While the motivations for losing weight and protecting information may be different - how would your security awareness training be improved if you provided user-friendly feedback that could reinforce behaviors?]]></description>
			<content:encoded><![CDATA[<p>The goal in building an effective security awareness training campaign is changing behaviors. While there are many factors to consider, how you address &#8220;feedback&#8221; is crucial to your success. When we learn new concepts and try new ideas, we need constructive feedback to keep motivated and provide guidance. I&#8217;ve noticed that many of the security awareness training programs I assess use punitive measures to show users when they do something wrong &#8212; things like red tape flags when people violate a clean desk policy.</p>
<p>Not surprisingly, these measures often fail and wind up polarizing our users against your efforts. Nobody likes to be told they are wrong. So we have to find ways to provide constructive and useful feedback that supports the behavior change we seek.</p>
<p><strong>Information to Reinforce Good Behavior</strong><br />
Recently, the USA Today ran a story entitled, &#8220;Pedometers may encourage weight loss&#8221; (By CARLA K. JOHNSON, Associated Press Writer). The point of the article is that people interested in losing weight have good results when they use a pedometer. If you are not familiar with <a href="http://en.wikipedia.org/wiki/Pedometer">pedometers</a>, they are a simple device that can be worn on the belt, and when adjusted to your stride, help measure the steps you take in a day. It provides a way to measure your effort/output in a given period (normally, over a day).</p>
<p><strong>Five Lessons Pedometers Teach us about Security Awareness Training</strong></p>
<ol>
<li>The pedometer provides an unobtrusive (and generally trusted) measure of the person&#8217;s actions. Further, they can choose to share or keep their results private.</li>
<li>Most users keep a log of their &#8220;steps&#8221; per day &#8211; helping them build a visible trend. They naturally assess these trends and compare what they see to how they feel.</li>
<li>Most of us are motivated by a challenge &#8211; using a pedometer encourages the wearer to &#8220;take a few more steps.&#8221; Users get creative in how they are able to meet the challenge, stimulating a desire for more information that they then share!</li>
<li>The challenge can be spread to others. Everyone likes healthy competition.</li>
<li>Users are aware; they are consciously engaged in the process. That consciousness opens them to new ideas and stimulates their desire for knowledge.</li>
</ol>
<p>Once you stimulate the demand for more knowledge, you have to be prepared to present information that is useful, relevant and meets the needs of your users. Building on these lessons will help you build a highly effective security awareness training campaign.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/12/improve-your-security-awareness-training-with-pedometers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Into the Breach is in the home stretch; I&#8217;m headed to Charlotte to finish it up</title>
		<link>http://www.securitycatalyst.com/2007/11/into-the-breach-is-in-the-home-stretch-im-headed-to-charlotte-to-finish-it-up/</link>
		<comments>http://www.securitycatalyst.com/2007/11/into-the-breach-is-in-the-home-stretch-im-headed-to-charlotte-to-finish-it-up/#comments</comments>
		<pubDate>Fri, 30 Nov 2007 01:40:59 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[coaching]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/29/into-the-breach-is-in-the-home-stretch-im-headed-to-charlotte-to-finish-it-up/</guid>
<description><![CDATA[I've heard other authors exclaim that at the end of the writing process, it felt as if they were ready to give birth -- and couldn't wait for this labor of love to be done....  Now that I'm nearing the home stretch of this book, I'm starting to understand...Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It has been under development long enough!  I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently.  I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos....  Seriously, though, my best friend lives in Charlotte - and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas.  The more they tell me about the region, the more I'm inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book. I could use your help: If you live or do business in Charlotte - I would love to speak with you, or even meet with you in the next two weeks.  I'm seriously considering moving our business there -- and I'd like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like....  I'm happy to share. When you will get the book: I plan to have the galley copies out by the end of the month to my review team....  I promise I'll do what I can to get this information to you and into the hands of decision makers as soon as I can. I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance.]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve heard other authors exclaim that at the end of the writing process, it felt as if they were ready to give birth &#8212; and couldn&#8217;t wait for this labor of love to be done. Well, I&#8217;ve been the husband/father side of pregnancy, and it was smooth sailing for me. Now that I&#8217;m nearing the home stretch of this book, I&#8217;m starting to understand&#8230;</p>
<p><em><a href="http://www.securitycatalyst.com/into-the-breach/">Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It</a></em> has been under development long enough! I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently. I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos.</p>
<p>I&#8217;m ready to get this out there &#8211; and to share what I have learned and help more companies. So&#8230; I have decided to pack up the RV (it&#8217;s cold here in NY) and head down to Charlotte, NC. Why Charlotte? Why not. Seriously, though, my best friend lives in Charlotte &#8211; and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas. The more they tell me about the region, the more I&#8217;m inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book.</p>
<p><strong>I could use your help</strong><br />
If you live or do business in Charlotte &#8211; I would love to speak with you, or even meet with you in the next two weeks. I&#8217;m seriously considering moving our business there &#8212; and I&#8217;d like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like. If you have a friend in Charlotte, perhaps an introduction would be possible?</p>
<p><strong>Do you want a preview of the book?</strong><br />
I&#8217;m going to be hip-deep in finishing up the book. If you live in Charlotte and want to get a free preview &#8211; let me know and we can catch up. I&#8217;ll bring what I&#8217;m up to, and you can help me work through any rough spots while I get the manuscript finished off. I look forward to meeting you and working through the elements. This goes for business, personal&#8230; whatever. In fact&#8230; if you want to schedule some time with me and your team, I can share some of the keynote and strategies for success with you. I&#8217;ve been testing the book for the last year, and I know this works. I&#8217;m happy to share.</p>
<p><strong>When you will get the book</strong><br />
I plan to have the galley copies out by the end of the month to my review team. I plan to have the entire project finished by the end of January and then it&#8217;s off to the printer!</p>
<p><strong>If you can&#8217;t wait (for business or personal reasons)</strong><br />
I will be making a sample chapter available in the next few weeks. It&#8217;s seriously top priority for me. At that time, I&#8217;ll be able to accept pre-orders and take requests for autographed copies, too.</p>
<p>At the same time &#8212; you can book me right now for a dynamic keynote to prepare your organization now. In fact, we&#8217;re lining some up for December so that people can get this information before the new year! I promise I&#8217;ll do what I can to get this information to you and into the hands of decision makers as soon as I can.</p>
<p><em>I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance. If you&#8217;re serious about changing the way people protect information, I&#8217;d like to have a conversation with you about how my program can help.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/into-the-breach-is-in-the-home-stretch-im-headed-to-charlotte-to-finish-it-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Online Advertising: The Start of a Long Debate</title>
		<link>http://www.securitycatalyst.com/2007/11/online-advertising-the-start-of-a-long-debate-2/</link>
		<comments>http://www.securitycatalyst.com/2007/11/online-advertising-the-start-of-a-long-debate-2/#comments</comments>
		<pubDate>Mon, 26 Nov 2007 14:07:41 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[advertising]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/26/online-advertising-the-start-of-a-long-debate-2/</guid>
<description><![CDATA[Yet today, instead of confronting meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect Americans’ online experience and not stifle internet growth....  They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination.  Online privacy has become a major concern, especially in light of the news earlier this year that Google was purchasing internet advertising giant DoubleClick....  The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising.  Social-networking sites are also trying to earn profits by allowing large advertising firms to mine their subscriber pages for information to determine members’ interests and what specialized advertisements would be delivered to them....  The court ruled against the plaintiffs citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user's activities on a DoubleClick affiliated web site....  As a result of these legal and business developments, the FTC has to take a more active involvement in slowing down the pace of behavioral targeting....  Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits-all model that would stifle the economics on which internet innovation relies....  The concerns for consumer privacy should also be taken in tandem with the economic model that continues to fuel new technological advancements. The Google-DoubleClick acquisition has put online privacy at the forefront of government concern.]]></description>
			<content:encoded><![CDATA[<p><strong>By Patrick Romero</strong></p>
<p>One of the principal missions of the Federal Trade Commission is to protect American consumers against activities such as false advertising and unfair business practices.  Yet today, instead of confronting the meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect Americans&#8217; online experience without stifling internet growth.</p>
<p>The <a href="http://www.ftc.gov/bcp/workshops/ehavioral/index.shtml">FTC held a two-day forum earlier this month</a> regarding online advertising and privacy.  The meeting concerned the tactics of behavioral targeting, which is used by online publishers and advertisers to deliver ads based on a user&#8217;s web-browsing behavior.  Advertisers believe that this information helps them deliver better information to consumers and increases the effectiveness of their campaigns.  Opponents and civil liberty advocates warn against the erosion of privacy and lack of consent by consumers. They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination.</p>
<p>Online privacy has become a major concern, especially in light of the news earlier this year that <a href="http://www.google.com/intl/en/press/pressrel/doubleclick.html">Google was purchasing internet advertising giant DoubleClick</a>.  While Google collects the history of its users through its search engine, DoubleClick tracks what websites people visit.  In order to do this, DoubleClick creates profiles for users based on their IP address, domain, browser, local time and date, operating system, and page viewed.  One company having the power to collect data on millions of individuals without any government oversight is disconcerting, to say the least.</p>
<p>The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising.  Social-networking sites are also trying to earn profits by allowing large advertising firms to mine their subscriber pages for information to determine members&#8217; interests and what specialized advertisements would be delivered to them.  There has even been <a href="http://bits.blogs.nytimes.com/2007/11/08/are-facebooks-social-ads-illegal/?ex=1352264400&amp;en=c7c1eccfb23fee54&amp;ei=5088&amp;partner=rssnyt&amp;emc=rss">recent controversy as to whether this type of targeted advertising is even legal or not.</a></p>
<p>Past attempts to stop behavioral targeting have been unsuccessful.  In 2001, a <a href="http://cyber.law.harvard.edu/is02/readings/doubleclick.html">class action lawsuit was brought against DoubleClick</a> for keeping cookies stored on internet users&#8217; computers without their consent.  The court ruled against the plaintiffs, citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user&#8217;s activities on a DoubleClick affiliated web site. The court held that since the user consents to DoubleClick&#8217;s access by visiting the website affiliated with the advertisement, there was no law being violated.</p>
<p>As a result of these legal and business developments, the FTC has to become more actively involved in slowing down the pace of behavioral targeting.  Privacy organizations are calling on the FTC to establish, <a href="http://www.democraticmedia.org/news_room/press_release/FTCSupplementalFiling">among other things</a>, an opt-out policy similar to the one applied to telemarketers.  They would like to see fines for non-compliance and disclosure of all data-collection practices clearly visible on websites that engage in behavioral targeting.</p>
<p>Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits-all model that would stifle the economics on which internet innovation relies.  The most successful internet companies rely heavily on advertising dollars to sustain their growth and need this capital to generate new technologies.  The concerns for consumer privacy should also be weighed in tandem with the economic model that continues to fuel new technological advancements.</p>
<p>The Google-DoubleClick acquisition has put online privacy at the forefront of government concern.  Congress and the EU have scheduled hearings on the impact that these two companies will have on consumers&#8217; online experience.  Proposals for government intervention will surely be considered in order to control how information is used and stored.  The debate as to whether there should even be state intervention in this country appears to have begun.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/online-advertising-the-start-of-a-long-debate-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do Data-Breach Laws Give You The Power to Hold Corporations Liable?</title>
		<link>http://www.securitycatalyst.com/2007/11/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/</link>
		<comments>http://www.securitycatalyst.com/2007/11/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/#comments</comments>
		<pubDate>Thu, 01 Nov 2007 14:32:55 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security Awareness Training]]></category>
		<category><![CDATA[tjx]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/01/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/</guid>
<description><![CDATA[Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect....  In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events. Minnesota PCI Legislation: Effective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation - Michael). The state’s new Plastic Card Security Act would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data....  In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.”  So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice. Consequences for the Courts: As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security breach.  The argument that courts have made in cases like Pisciotta will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information....  
Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners.  While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches....  Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end). Preparing for the change: As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion....  Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and hopefully, will improve the way they guard information.]]></description>
			<content:encoded><![CDATA[<p><strong>By Michael Santarcangelo and Patrick Romero</strong></p>
<p>There are roughly 40 states that have some sort of &#8220;data-breach&#8221; law or bill under consideration that forces notification of a company&#8217;s security breach (or suspected breach) to its consumers. These laws were enacted as a way to force companies to disclose the possibility that individuals&#8217; personal information was compromised and that they could potentially become victims of identity theft.</p>
<p>Over the coming months, we&#8217;ll spend some time exploring how the different states are handling these statutes. When you peel the layers back a bit, and consider them from different angles, we can learn some interesting elements &#8211; useful to us from individual and organizational perspectives.</p>
<p>Even with these new laws in effect, it seems that there is little a person can do to hold a company liable for a data breach based on its weak security standards. Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect.</p>
<p>This is a serious issue that has implications for everyone involved &#8211; it ultimately requires clear definitions and mutual understanding, and will take years to sort through. In the meantime, we&#8217;re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.</p>
<p><strong>Minnesota PCI Legislation</strong><br />
Effective August 1st 2007, <a href="https://www.revisor.mn.gov/bin/getpub.php?pubtype=STAT_CHAP_SEC&amp;year=current&amp;section=325e.61">Minnesota became the first state</a> to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard <em>(in a future article or podcast, we&#8217;ll explore and debate the value of tying the PCI standard to the legislation &#8211; Michael)</em>.</p>
<p>The state&#8217;s new <strong><em>Plastic Card Security Act</em></strong> would prohibit a company from retaining a credit card&#8217;s security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data. The new legislation is intended to target retailers who continue to store data in violation of PCI standards. The bill also makes it a violation for retailers to retain a credit card holder&#8217;s PIN number longer than 48 hours after authorization of their transaction. Similar bills are pending in Texas, Illinois, Connecticut, and Massachusetts.</p>
<p>The significance of this legislation is clear in light of recent rulings by courts that have dismissed class action suits against companies following data breaches. On August 23, 2007, the US Court of Appeals for the 7th Circuit held that identity-theft monitoring costs paid for by the plaintiffs were not compensable damages under Indiana&#8217;s security breach notification statute. In <em><a href="http://www.scribd.com/doc/260744/pisciotta-v-old-national-bancorp">Pisciotta v. Old Nat&#8217;l Bancorp</a></em>, the court held that there was no state statute supporting the compensation of incurred costs because &#8220;had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.&#8221;  So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.</p>
<p><strong>Consequences for the Courts</strong><br />
As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security breach. The argument that courts have made in cases like <em>Pisciotta</em> will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information.</p>
<p>Federal and state courts will feel much more comfortable in their decision to expand their legal theories of liability when supported by statutes that explicitly create private actions for security breaches. In this context, it is much more likely that courts will not follow the ruling in <em>Pisciotta</em> until after states pass legislation similar to Minnesota&#8217;s. In addition, plaintiffs might also receive some relief if a recent bipartisan bill in the U.S. Senate gets passed. The bill, known as the <strong><em><a href="http://www.govtrack.us/congress/bill.xpd?bill=s110-2168">Identity Theft Enforcement and Restitution Act of 2007</a></em></strong>, was introduced on October 16, 2007 and would give victims the ability to seek restitution for the loss of time and money as a result of identity theft. Such federal legislation could prove to be effective in jurisdictions with no state identity-theft laws.</p>
<p><strong>Consequences for Businesses</strong><br />
Meanwhile, the retail lobby continues to argue against laws that would hold them liable, claiming that these laws would be too costly and burdensome, especially for small businesses. This apparently was the argument that convinced <a href="http://arstechnica.com/security/news/2007/10/governator-terminates-california-data-protection-law.ars">Governor Schwarzenegger to veto a California law</a> that would have mandated that the retail industry comply with PCI requirements. While this may be true, the legislation in Minnesota limits this burden by exempting businesses with fewer than 20,000 transactions from the statute. Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners.</p>
<p>While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches. <a href="http://www.itbusinessedge.com">TJX is currently being sued by several banks</a> who seek compensation for having to re-issue credit cards and provide credit monitoring to thousands of their customers as a result of a massive security breach earlier this year. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).</p>
<p><strong>Preparing for the change</strong><br />
As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion. Individuals and businesses will most likely be able to get their day in court for damages incurred as a result of security breaches by a third party. Industries that have for now been able to get away with minimum security standards will begin to take notice of their potential liability and, hopefully, will improve the way they guard information. While the process is slow, it appears to be inevitable.</p>
<p>This isn&#8217;t doom and gloom.</p>
<p>Many of us have already begun to prepare for these changes by improving and writing security policies that make sense and can be understood, improving the process of protecting information and working to involve users in the solution through training and awareness. Focus on the fundamentals of information protection and you&#8217;ll be less likely to be the test case.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TSC Insight: Do Email Disclaimers Matter?</title>
		<link>http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/</link>
		<comments>http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/#comments</comments>
		<pubDate>Wed, 17 Oct 2007 22:00:20 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disclaimer]]></category>
		<category><![CDATA[disclaimers]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/10/17/tsc-insight-do-email-disclaimers-matter/</guid>
<description><![CDATA[I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question – do email disclaimers matter? During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient)....  With the help of Patrick Romero, this is what we found: Some Background on Disclaimers: Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability....  If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message....  However, ECPA defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”...  Can encryption provide privacy and confidentiality for email? I have spent a lot of time reminding people recently that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements.  However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption. I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications....  
In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details). Encryption solutions are available for commercial and personal use....  Think before you press send. One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do). Every organization should put in place a company policy with regards to sending confidential information through e-mail....  In the end, some do, some don't and you get to choose. Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers.]]></description>
			<content:encoded><![CDATA[<p><strong>By Michael Santarcangelo with Patrick G. Romero</strong></p>
<p>If you&#8217;re like me, you routinely ignore the email disclaimers that many messages seem to have attached to them these days. For the most part, disclaimers have been added by the company, automatically and out of the hands of the users. Some users include their own, some serious and some meant to be funny. I&#8217;d more or less accepted that some used them, while others didn&#8217;t &#8211; but paid little mind to the question &#8211; do email disclaimers matter?</p>
<p>During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient). In this case, it wasn&#8217;t really a big deal, but then he asked me if he needed to start using an email disclaimer.</p>
<p>It&#8217;s been a while since someone asked me if they needed a disclaimer, and my instinct was that it simply wasn&#8217;t necessary. Rather than give him a wrong answer, I promised that I&#8217;d look into it. With the help of Patrick Romero, this is what we found:</p>
<p><strong>Some Background on Disclaimers</strong><br />
Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability.  However, the most common type of disclaimer is the one that guarantees the privacy and confidentiality of documents.  They usually look something like this:</p>
<p><em>This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.</em></p>
<p>With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message.</p>
<p>So now that we have examined the basis for email disclaimers, let’s dig deeper and explore if they provide any value or serve any purpose.</p>
<p><strong>Can e-mail disclaimers guarantee the privacy and confidentiality of documents?<br />
</strong></p>
<p>Generally speaking, e-mail disclaimers are not legally enforceable.</p>
<p>The misconception that they are stems from a lack of knowledge that surrounds the interception of electronic communication.  The relevant statute that supports this belief comes from the language of the Electronic Communications Privacy Act of 1986 (ECPA) which includes language that criminalizes the interception of electronic communications.  However, ECPA defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” A narrow reading of the statute would insinuate that only information that has been acquired illegally can be found to be intercepted.</p>
<p>One of the many courts that have defined “intercept” this way is the 8th Circuit.  The Court held that electronic communications that have reached their destination are ineligible for interception and, therefore, are outside the protections of the ECPA. As a result, unless an e-mail has been intercepted in transit, the ECPA will not provide legal authority for individuals seeking to prevent disclosure of a misdirected e-mail.</p>
<p><strong>If you are concerned about the privacy and confidentiality of your email, we offer three basic considerations:<br />
</strong>1. Use encryption<br />
2. Use the “envelope within an envelope” approach<br />
3. Write carefully, review and think before pressing send</p>
<p><strong>1. Can encryption provide privacy and confidentiality for email?<br />
</strong>I have spent a lot of time reminding people recently that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption.</p>
<p>I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications. In general usage, the message is encrypted (and signed in most current applications) before being sent. In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details).</p>
<p>Encryption solutions are available for commercial and personal use. If you&#8217;re looking at this for corporate use &#8211; please start with your requirements and then select your solution.</p>
<p><strong>2. It’s all about positioning<br />
</strong>If you’re convinced that you need to continue to use a disclaimer, then you might consider where you place it. Arguments have been posed that by placing the disclaimer at the bottom of the e-mail, the user is undermining the enforceability of the disclaimer.</p>
<p>Think about it &#8211; how can you comply with a disclaimer after having read the content of the e-mail? As a result, there are some who advocate (albeit annoying for those who rely on email) that the disclaimer appear at the top of the e-mail. This option is known as the “envelope within an envelope” approach. The confidential information is sent as an attachment and the text of the e-mail only contains the actual language of the disclaimer.</p>
<p>While this does not guarantee that the recipient will not open the attachment, it could provide some greater standing in litigation if disclosure does occur. Such evidence would be relevant in proving that the sender took reasonable measures to ensure the confidentiality of documents.</p>
<p><strong>3. Stop. Think before you press send.<br />
</strong>One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do).</p>
<p>Every organization should put in place a company policy with regards to sending confidential information through e-mail.  This could range from a “no forwarding” policy to restrictions on what information can and cannot be sent. Clear guidelines within an organization can provide directions for individuals to understand the proper use of e-mail and decrease disclosure of sensitive information.</p>
<p><strong>In the end, some do, some don&#8217;t and you get to choose</strong></p>
<p>Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers.  With the prevalence of internet use, it is understandable that individuals would attempt to ensure some level of privacy when sending e-mails.  Unfortunately, the law today does not provide protection for the misuse of confidential information sent over the internet regardless of a written disclaimer.  Companies and individuals need to determine, on their own, the risk of disclosure and how to best protect their privacy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Welcome Patrick Romero to the Security Catalyst Team!</title>
		<link>http://www.securitycatalyst.com/2007/10/welcome-patrick-romero-to-the-security-catalyst-team/</link>
		<comments>http://www.securitycatalyst.com/2007/10/welcome-patrick-romero-to-the-security-catalyst-team/#comments</comments>
		<pubDate>Wed, 17 Oct 2007 21:58:17 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/10/17/welcome-patrick-romero-to-the-security-catalyst-team/</guid>
		<description><![CDATA[You may have noticed the new look and feel for the Security Catalyst Blog.  We're in the process of rolling out a brand new website, as well as a more focused blog and podcast.  To help, I am pleased to welcome Patrick Romero to the team.  He has an impressive background, has served our country well - and is passionate about information protection.  Patrick is currently in law school, and will be contributing on a weekly basis.Meet PatrickPatrick Romero is a second-year law student at New York Law School and concentrating on issues of internet law.  He graduated from Connecticut College cum laude with double majors in international relations and economics and was a member of Pi Sigma Alpha.  He also attended the Arabic Language Institute at the American University in Cairo (AUC) prior to attending law school.  Mr. Romero served as a Staff Sergeant in the United States Army Multi-National Security Transition Command in Baghdad, Iraq from 2004-2005.  During this time, he was awarded many military medals, including the Combat Action Badge, Joint Service Commendation Badge, Iraq Campaign Medal, Armed Forces Overseas Ribbon and the U.S. Army Commendation Medal.]]></description>
			<content:encoded><![CDATA[<p>You may have noticed the new look and feel for the Security Catalyst Blog. We&#8217;re in the process of rolling out a brand new website, as well as a more focused blog and podcast. To help, I am pleased to welcome Patrick Romero to the team. He has an impressive background, has served our country well &#8211; and is passionate about information protection. Patrick is currently in law school, and will be contributing on a weekly basis.</p>
<p><strong>Meet Patrick</strong><br />
Patrick Romero is a second-year law student at New York Law School and concentrating on issues of internet law. He graduated from Connecticut College cum laude with double majors in international relations and economics and was a member of Pi Sigma Alpha. He also attended the Arabic Language Institute at the American University in Cairo (AUC) prior to attending law school. Mr. Romero served as a Staff Sergeant in the United States Army Multi-National Security Transition Command in Baghdad, Iraq from 2004-2005. During this time, he was awarded many military medals, including the Combat Action Badge, Joint Service Commendation Badge, Iraq Campaign Medal, Armed Forces Overseas Ribbon and the U.S. Army Commendation Medal.  He speaks Spanish, French and Arabic.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/10/welcome-patrick-romero-to-the-security-catalyst-team/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>User Awareness Training</title>
		<link>http://www.securitycatalyst.com/2007/06/user-awareness-training/</link>
		<comments>http://www.securitycatalyst.com/2007/06/user-awareness-training/#comments</comments>
		<pubDate>Fri, 15 Jun 2007 17:59:56 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[coaching]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=344</guid>
		<description><![CDATA[According to many, user education is one of the best methods of ensuring adequate protection of your information assets. It&#8217;s been eternally touted as one of the requirements of a viable information security program. This article is not about that, though. It&#8217;s about knowing your users/customers. Yes, Mr. &#38; Ms. Security Professional, your users are [...]]]></description>
			<content:encoded><![CDATA[<p>According to many, user education is one of the best methods of ensuring adequate protection of your information assets. It&#8217;s been eternally touted as one of the requirements of a viable information security program. This article is not about that, though. It&#8217;s about knowing your users/customers. Yes, Mr. &amp; Ms. Security Professional, <strong>your users are also your customers</strong>. You are here to serve them; not vice-versa.</p>
<p>How well do you understand your users? Are you aware of their needs, habits, and abilities? Most security professionals understand the technology, but don’t have a clue about their user base. <strong>All security professionals need user awareness training to ensure they understand their customers</strong>.</p>
<p>In the June 1, 2007 edition of CIO magazine, Publisher Gary Beach asks the question, “How social are you?” (<a href="http://www.cio.com/article/109302/How_Are_You_as_a_Social_Networker_">http://www.cio.com/article/109302</a>) He references a new report by the Pew Research Center titled, “Typology of Information and Communication Technology Users” (found at http://www.pewinternet.org/pdfs/pip_ict_typology.pdf). This report classifies Information and Communication Technology (ICT) Users. Based on its findings, we in security can no longer assume that users are stupid. From Mr. Beach’s column, “<em>customers (users) are ‘wicked smart.’ They know what they want, they know how to get it, and they’re doing so by leveraging the power of social networks to reach out to &lt;others&gt;</em>.”</p>
<p>The report’s author, John Horrigan, has classified ICT users in America into ten categories based on their ICT assets, actions, and attitudes. The ten groups that emerge in the typology fit broadly into a “high end” (31%), “medium users” (20%) and “low-level adopters” (49%) framework. However, the groups within each broad category have their own particular characteristics, attitudes and usage patterns.</p>
<p>From the Report*,<br />
 &#8211; 8% of Americans are deep users of the participatory Web and mobile applications;<br />
 &#8211; Another 23% are heavy, pragmatic tech adopters – they use gadgets to keep up with social networks or be productive at work;<br />
 &#8211; 10% rely on mobile devices for voice, texting, or entertainment;<br />
 &#8211; 10% use information gadgets, but find it a hassle;<br />
 &#8211; 49% of Americans only occasionally use modern gadgetry and many others bristle at electronic connectivity.</p>
<p>Do you know where your customers/users fit? How about you?<br />
You can take their on-line Internet Typology Test (http://www.pewinternet.org/quiz/) to see where you fit in the new typology of ICT users. Once you know yourself, you can better understand your users/customers.</p>
<p>By understanding your users/customers, you can tailor your security program to fit their needs. The fear of the unknown is often the greatest fear amongst security professionals. By having a little awareness training of your users, that fear will be lessened.</p>
<p>To paraphrase from Mr. Beach’s column, the big deal is this: As your firm continues to drive a growth-and-innovation agenda, your users and customers ultimately will determine the degree to which you succeed. So CISOs need to ask themselves, “<em>Is my infrastructure sufficiently robust to encourage and support the use of ICTs while protecting against the biggest and most prevalent risks brought on by these new technologies?</em>” CISOs should have an understanding and a vision of their users/customers to enable their business’ use of technology while protecting the critical assets.</p>
<p>What do you think? Is the Pew Report accurate? Respond either in the comments below or on the Security Catalyst forums.</p>
<p>By helping each other, we all become stronger.</p>
<p>* Horrigan, John. A Typology of Information and Communication Technology Users. Pew Internet &amp; American Life Project, May 6, 2007, <a href="http://www.pewinternet.org/Reports/2007/A-Typology-of-Information-and-Communication-Technology-Users.aspx">http://www.pewinternet.org/PPF/r/213/report_display.asp</a>, accessed on May 10.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/06/user-awareness-training/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s time to reboot the security industry</title>
		<link>http://www.securitycatalyst.com/2007/04/its-time-to-reboot-the-security-industry/</link>
		<comments>http://www.securitycatalyst.com/2007/04/its-time-to-reboot-the-security-industry/#comments</comments>
		<pubDate>Wed, 04 Apr 2007 14:59:15 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[coaching]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Security 2.0]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=315</guid>
		<description><![CDATA[It seems that this year has been dominated by negativity: we have focused on months of bugs, slammed colleagues and users and even tried to prove through science that people don’t understand risk. In fact, many in our industry seem quick to point out that everything is wrong, nothing works… and that’s not very comforting. [...]]]></description>
			<content:encoded><![CDATA[<p>It seems that this year has been dominated by negativity: we have focused on months of bugs, slammed colleagues and users and even tried to prove through science that people don’t understand risk. In fact, many in our industry seem quick to point out that everything is wrong, nothing works… and that’s not very comforting.</p>
<p>As I have traveled around the country, hosted some informal gatherings and met with friends and clients, I’ve been struck by how people, in general, look and act. Most of the people I have met in security seem “down”, rushed, angry and lacking hope.</p>
<p>So we start a year where we feel downtrodden, upset, dejected and hopeless?</p>
<p>Open Culture (<a target="_blank" href="http://www.openculture.com/2007/03/the_famous_stan.html">http://www.oculture.com/weblog/2007/03/famous_stanford.html</a>) recently ran a story about the (in)famous Stanford Prison Experiment. After reading it, I remembered back to the first day of my new job after college. My first boss sat me down and told me, &#8220;Don&#8217;t F*** up, because if you do, the whole world will crush you. If you do a good job, no one will notice, and that&#8217;s okay.&#8221; In my experience, those words have sometimes been accurate. Since I “got my start,” I have always remembered that first conversation &#8211; mainly in the context of watching how many people in technology have been treated and how they chose to treat others.</p>
<p><strong>Practicing Security Today is like the Famous Stanford Prison Experiment</strong></p>
<blockquote><p><em>The Stanford prison experiment was a psychological study of the human response to captivity, in particular to the real world circumstances of prison life and the effects of imposed social roles on behaviour. It was conducted in 1971 by a team of researchers led by Philip Zimbardo of Stanford University. Undergraduate volunteers played the roles of guards and prisoners living in a mock prison that was constructed in the basement of the Stanford psychology building.<br />
&#8211; Wikipedia entry (<a target="_blank" href="http://en.wikipedia.org/wiki/Stanford_prison_experiment">http://en.wikipedia.org/wiki/Stanford_prison_experiment</a>)<br />
</em></p></blockquote>
<p>In the experiment, the behaviors of both the guards and the prisoners escalated quite quickly as each took on characteristics of their role &#8212; to the point where the experiment was ended early.</p>
<p>You can learn more here:</p>
<p>Wikipedia: <a target="_blank" href="http://en.wikipedia.org/wiki/Stanford_prison_experiment">http://en.wikipedia.org/wiki/Stanford_prison_experiment</a><br />
The Official Website: <a target="_blank" href="http://www.prisonexp.org/">http://www.prisonexp.org/</a><br />
interesting overview: <a target="_blank" href="http://www.holah.karoo.net/zimbardostudy.htm">http://www.holah.karoo.net/zimbardostudy.htm</a></p>
<p>Some of you are probably reading this, recalling the experiment from your college days and wondering… do I think that we are the prisoners or the guards? Short answer is: “yes.”</p>
<p>Reading about and remembering my cursory study of the Stanford prison experiment also made me realize that as &#8220;protecting information&#8221; has grown in importance, many people in the field of security have been given an opportunity they have never held &#8211; a chance to influence and sometimes to enforce. After years of receiving abuse, they find themselves in positions of power &#8211; and sometimes without guidance. So we take a reactive and negative approach to those around us. Perhaps some of our colleagues &#8220;assume the position&#8221; too much and get a bit carried away?</p>
<p>In some cases, we have folks that act like the guards; some act like prisoners and some, I believe, *were* prisoners that now have the role of guard &#8211; and they have a lot of memories guiding their actions.</p>
<p><em>Now, let me be clear &#8211; with all the plight in the world today, I’m not suggesting that we, collectively, take our practice of security to the extremes of the prison experiment. In fact, I’m not suggesting a direct comparison. I just happened to review an article on the topic a few weeks back and it has stuck with me that our practice of security might be allowing people to embellish their roles.</em></p>
<p>Regardless, this is a situation we cannot accept. Period.</p>
<p><strong>We cannot accept this approach: reboot the industry</strong></p>
<p>What happens when your computer doesn’t respond as you would like? Many of us check for runaway processes and consult the logs. If you’ve ever worked with Windows or supported Windows users, a more common answer is: reboot the system.</p>
<p>In security today, I suspect we could “check the logs” and look for runaway processes, but I feel like we need a reboot. We have to flush from memory the bad blood and old experiences and get started with a clean(er) slate. We need a fresh start (or at least a fresh approach).</p>
<p>I believe that the better way to practice the protection of information is through a positive approach that stresses inclusion and builds partnerships. In the last year, I have watched people in our industry alienate the very people that have helped them. I have coached organizations away from taking a punitive approach to security. I have confessed that I love to learn, love to teach and truly enjoy working to simplify security and relate our concepts to people in a language they understand.</p>
<p>In <strong><em>Speaking About Security</em></strong>, we explore the power of the narrative. We learn through story (you can really see this in children). On a recent flight home, I was treated to “<em>Night at the Museum</em>” (<a target="_blank" href="http://www.imdb.com/title/tt0477347/">http://www.imdb.com/title/tt0477347/</a>). While it might not have been a movie I would have normally selected, I was amazed by the story. Without revealing details, the success came after abandoning a process of restriction and following a path of inclusion.</p>
<p>Iâ€™m not suggesting that Hollywood holds the answers, but we cannot ignore the fact that the &#8220;story&#8221; of this movie and the movie itself were both successful. They are natural to the human experience and something we need to strive for in our practice of security (and the protection of information).</p>
<p><strong>After reboot: Itâ€™s time to get grounded and follow a new vision for security</strong></p>
<p>I believe in a new vision. I see a way to practice security that minds the past while focusing on the basics. The future for us focuses on protecting information &#8211; and everyone has a role. Protecting information is dialogue; it cannot be simply a directive. The current strategy of relying solely on technology is not working, and it’s time to follow a better way. I believe that means we have to follow an inclusive strategy.</p>
<p>We have to foster a sense of trust among each other and our users. We have to reintroduce the concept of accountability and foster a culture that embraces and expects personal responsibility.</p>
<p>I tend to be the sort of person who prefers action to words. This approach influenced me to share more of my ideas through the blog and podcast this year and led me to create the inclusive and supportive Security Catalyst Community (http://community.securitycatalyst.com/forums/index.php). As that community continues to grow and thrive, I have met many other passionate professionals that have challenged and supported my growth &#8211; reinforcing to me that collaborating with others can be truly powerful.</p>
<p>I have decided to spend some time focusing on three key areas:</p>
<p>1. Architecting a shared new vision for approaching how we can protect information (security). Itâ€™s not *my* vision &#8211; itâ€™s *our* vision and I invite you to join in the conversation and practice a new way.</p>
<p>2. Help security professionals find their voice. As a parent, I have watched my children struggle with communication and sometimes resort to hitting, tantrums or what we generally call “melt-downs.” I believe that our success in security is tied to our ability to successfully communicate in speaking, writing and presentations.</p>
<p>3. Providing organizations and security professionals the support needed to be successful at our jobs.</p>
<p>I have decided that for our profession to effectively protect information, I want to help each of you become more successful in what you do.</p>
<p><strong>Supporting Your Growth and Development</strong></p>
<p>Through a lot of conversations with clients, friends and even ISSA and Infragard chapters, it was revealed to me that I was already offering some of what people were looking for. As a result, I have improved some programs we already developed and accelerated the development of some new ones.</p>
<p>To help people get grounded, focused and be able to “do more with less” without burning out, we have updated &#8220;<em><strong>Are you making a living or making a life?</strong></em>&#8221; &#8211; which is now available in a keynote, workshop and private workshop session. It&#8217;s an approach that shares how we can break the cycle, lead more &#8220;integrated lives&#8221; &#8211; as opposed to seeking &#8220;balance&#8221; &#8211; and build more effective relationships with those around us. Rather than acting out the Prison Experiment, it allows us to pursue a strategy of inclusion, to work together to protect information.</p>
<p>In March, we launched <em><strong>&#8220;Speaking About Security&#8221;</strong></em> to improve the ability of security professionals to communicate more effectively, inspiring their colleagues to take action.</p>
<p>Mike Rothman and I just announced the formation of the <em><strong>Security Education Network (SEN)</strong></em>, which includes the Security Salons I have been forming, as a method to provide the information, insights and support needed to bring your performance to a new level. I’ll be writing more about that in the coming days.</p>
<p>This summer I launch my book, “<em><strong>Into the Breach: Why Corporations Fail to Protect Sensitive Information &#8211; and What Can be Done About It</strong></em>” &#8212; where we explore breaches and propose an approach to protecting information that allows business leaders to shift their culture away from the “security diet” to a “mindset of protecting information.” I look forward to sharing this with you.</p>
<p>We’re currently working on some different ways to get some needed information, resources and training to you. As soon as some plans firm up, I’ll make some announcements.</p>
<p>I am excited about this journey. I am passionate about my focus and my ability to help guide you and your organization. I firmly believe we need to learn from the past and work toward a better way. I offer up my approach of positive reinforcement, inclusion and education. I look forward to blending my passion, insights and approach with yours and with those of others. It&#8217;s time for a change, and I&#8217;m excited!</p>
<p>We plant plants&#8230;</p>
<p>We show you how to improve your gardening skills&#8230;</p>
<p>You grow gardens.</p>
<p>PS: I think I have finally fixed the formatting issues. &#8211; Santa 11:19a</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/04/its-time-to-reboot-the-security-industry/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Google Apps Premier Launches &#8211; does this mean security takes a hit? You bet it does (so what to do about it)?</title>
		<link>http://www.securitycatalyst.com/2007/02/google-apps-premier-launches-does-this-mean-security-takes-a-hit-you-bet-it-does-so-what-do-do-about-it/</link>
		<comments>http://www.securitycatalyst.com/2007/02/google-apps-premier-launches-does-this-mean-security-takes-a-hit-you-bet-it-does-so-what-do-do-about-it/#comments</comments>
		<pubDate>Thu, 01 Mar 2007 02:15:28 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[Family Security]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Security 2.0]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=279</guid>
		<description><![CDATA[Well, the big announcement last week and through the weekend was that Google Apps Premier launched. This is a chance for companies to leverage the power of &#8220;office tools&#8221; from anywhere and is set to foster more effective collaboration. On a personal level, I use (and like) Google docs, so I can see the draw. [...]]]></description>
			<content:encoded><![CDATA[<p>Well, the big announcement last week and through the weekend was that Google Apps Premier launched. This is a chance for companies to leverage the power of &#8220;office tools&#8221; from anywhere and is set to foster more effective collaboration. On a personal level, I use (and like) Google docs, so I can see the draw. If you want more information, here are some great overviews:</p>
<p>Read/Write Web: <a href="http://www.readwriteweb.com/archives/google_apps_premier.php">Google Apps Premier Edition Launches &#8211; One Small Step Towards Google Office</a></p>
<p>eWeek&#8217;s <a href="http://www.eweek.com/c/a/Enterprise-Applications/Google-Apps-Premier-Edition-Takes-Aim-at-the-Enterprise/">Google Apps Premier Edition Takes Aim at the Enterprise</a><br />
What I found interesting, though, is a general lack of discussion around the &#8220;security&#8221; of the application. If you&#8217;ve been reading this blog for a while, you may have picked up on how I&#8217;m focusing less on the word &#8220;security&#8221; and more on the concept of &#8220;protection of information.&#8221; I would posit the same holds true here. My colleagues in the security profession hopefully realize that the difference is largely semantics, but the concept of how to communicate what we do is much clearer when explained as &#8220;helping to protect sensitive information.&#8221;</p>
<p>So back to Google. Well, the focus is Google (today), but they aren&#8217;t the first or only company to offer well-designed solutions that users will gravitate toward. So back to discussing how web-centralized applications are working to protect our information&#8230;</p>
<p>I enjoyed reading Marshall Kirkpatrick&#8217;s piece in TechCrunch, <a href="http://techcrunch.com/2007/02/21/google-launches-apps-premier/">It&#8217;s G-Day: Google Launches Apps Premier</a>. In fact, this is the first piece that I read (so perhaps not the first piece in general) that mentioned the security aspect. What I also liked is that it revealed to me (again, not sure if he was the first) that GE and P&#38;G were signing up to be Google Apps customers. Now, often in an announcement like that, it&#8217;s not the *whole* company, but some part of it. Either way, my reaction is &#8220;Are you kidding me?&#8221;</p>
<p>I don&#8217;t mean that as a shot against Google, GE or P&#38;G. But suggesting that a company of this size is going to put potentially sensitive documents on a shared drive (or in a shared, web-based location) that they do not control and cannot control just seems odd. By odd, I mean: how is this good for the protection of information? Oh, and if you think a *policy* about what can and cannot be stored there will stop someone &#8211; think again. See, I *do* believe in the power of the user, but a user just wants to get their job done. As such, if Google Apps (or *ANY* online application) makes their job easier, my experience suggests they will use it.</p>
<p>Now, when GE or P&#38;G decided to go this route, I really hope that their security teams got involved in the evaluation. My instinct suggests otherwise, and that makes me shudder. If you know otherwise &#8211; drop me a line (securitycatalyst@gmail.com).</p>
<blockquote><p><em>One major concern that hangs over the head of tonight&#8217;s news is the ongoing question of Google security.  TechCrunch asked for months whether business users would or should trust Google Apps with sensitive business information given the regular lapses of security experienced by the company&#8217;s hosted services.  See a timeline and discussion of those lapses in this </em><em><a href="http://techcrunch.com/2006/10/18/google-security-mishaps-and-user-trust/">post</a></em><em>.</em></p></blockquote>
<p>To break it down easy &#8211; there is no guidance for companies trying to decide if using Google Apps Premier (or any other service like it) makes sense when they are also obligated to protect information. I run a company. And we launched a community. In both cases, looking at online solutions (especially since both the company and the community have virtual/location considerations) is appealing. In both cases, we have opted to only use them in limited circumstances. We&#8217;re small enough that controlling the information outside our walls is a bit easier. So how does the average company decide if using Google Apps, Microsoft Live or Amazon&#8217;s S3 storage is a good idea &#8212; when it comes to protecting information (if they even consider that)? I have no clue &#8211; since we have no commonly accepted framework.</p>
<p>Let me be clear: I&#8217;m not suggesting that Google (and others) are not taking this seriously and providing security. Look beyond Google &#8211; especially at some of the new and exciting Web 2.0 start-ups. Is designing a system that is &#8220;secure&#8221; at the forefront of their mind? I don&#8217;t think it is for most&#8230; yet. The implication then? Well, we saw with identity theft that while I could steal only your identity, it&#8217;s more lucrative for me to break into a system and steal MANY at the same time. So I believe it&#8217;s reasonable to consider that as more of these services go online and more sensitive information is stored on them, the focus of attackers will shift. So while you &#8220;trust&#8221; Google, Microsoft or Amazon &#8211; that&#8217;s not good enough for me (or anyone, really).</p>
<p>Interestingly enough, I&#8217;m not the only one thinking like this; Larry Dignan asks, &#8220;<a href="http://www.zdnet.com/blog/btl/rss">Will you trust Google with your data?</a>&#8221;</p>
<p>When I talk about Security 2.0 (and I still need suggestions for a better name), this is precisely the second component: security professionals need to get engaged in the process of developing and protecting these solutions. But it goes deeper&#8230; we need to work as a community to develop a framework and a method to be able to assess these solutions and decide if they are acceptable for us or not. Think about it &#8211; no provider can effectively go through a myriad of audits *each* day just to prove they meet the requirements of a specific company. At the same time, I don&#8217;t accept the TRUSTe seal or &#8220;hacker safe&#8221; logos. I&#8217;m not knocking them &#8211; they serve a purpose; but for a corporation to decide to leverage a service to store data&#8230; we need something more.</p>
<blockquote><p><strong><em>Aside: I know the name Security 2.0 needs to change. This isn&#8217;t about numbers and versions. It was named to build on the success of Web 2.0; the approach still leverages the power of social media to affect a new way of practicing the protection of information. It is about bringing power and ease of use/design to the user. It&#8217;s about building a new approach and developing new skills. In the end, this my humble offering for how to move from being on a security diet to having a security mindset.  I&#8217;m open for suggestions for a new name; until then, we&#8217;ll call it the &#8220;Catalyst Security Approach.&#8221; Clearly, I need some branding help here:)</em></strong></p></blockquote>
<p>Now, I don&#8217;t like to pose a question without a solution. I believe that what we need in order to assess companies is what I am calling a &#8220;security wellness index.&#8221; My background is in economics &#8211; and this is an approach that blends security with economics, engineering, social sciences and the like. I have a brief 2-3 page overview and have started some discussions to have this research project funded. It&#8217;s probably a 2008 effort &#8211; but if you are interested, shoot me a note and we&#8217;ll talk. I&#8217;ll save more details for another post.</p>
<p>But we have solutions if we are willing to apply the time, brain power and energy to making them work. This is not a new problem to solve. We need to change our way of thinking and make sure that, as a community, we all engage and work to implement common solutions. I know, easier said than done &#8211; but if we don&#8217;t have the conversations and make it happen&#8230;</p>
<p>Oh &#8211; and since these new web solutions work, our users will absolutely move to them whether we want them to or not. So ignoring or banning the use of these solutions is not a solution. We have to be proactive and get engaged if we hope to make a difference. If we don&#8217;t, we&#8217;re doomed to bolt-on security (at best) for another generation &#8211; and to me, that means we failed. Besides, how many of you have &#8220;banned&#8221; Gmail at work? Did you see this great posting explaining how to defeat your attempts to ban it: <a href="http://www.securitycatalyst.com">5 tips for accessing your blocked Gmail</a> (Lifehacker)? If something works better than what you designed, they will move to it. The protection of information, therefore, needs to be integrated from the beginning.</p>
<p>The protection of information is a cultural shift.</p>
<p>So we have an opportunity here. Google is a big company that seems to have an interest in security. They seem to have attracted other large organizations (again with large, I hope, security teams). This is the perfect recipe for working to establish transparent frameworks to embed security into these Web 2.0 (and beyond) applications in a way that lets us more readily assess their ability to protect our information and satisfy our corporate policies and goals.</p>
<p>If we ignore this, we do so at our own peril. If we use this as the catalyst to have the needed discussions about how to make this work, we advance on many levels. I&#8217;m willing to help, I want to be part of the solution. What about you?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/02/google-apps-premier-launches-does-this-mean-security-takes-a-hit-you-bet-it-does-so-what-do-do-about-it/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Seth Godin explains why he&#8217;s not surprised &#8211; would I be if I came to your security team?</title>
		<link>http://www.securitycatalyst.com/2007/02/seth-godin-explains-why-hes-not-surprised-would-i-be-if-i-came-to-your-security-team/</link>
		<comments>http://www.securitycatalyst.com/2007/02/seth-godin-explains-why-hes-not-surprised-would-i-be-if-i-came-to-your-security-team/#comments</comments>
		<pubDate>Sat, 24 Feb 2007 16:04:30 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[coaching]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Security 2.0]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=273</guid>
<description><![CDATA[Seth Godin has a brief, insightful post about what we have come to expect from different organizations. His conclusion is that while in life, most things don&#8217;t and shouldn&#8217;t surprise us, if we want to stand out, we have to be a surprise. Read &#8220;I&#8217;m not surprised&#8221; &#8211; but put it in the context of [...]]]></description>
<content:encoded><![CDATA[<p>Seth Godin has a brief, insightful post about what we have come to expect from different organizations. His conclusion is that while in life, most things don&#8217;t and shouldn&#8217;t surprise us, if we want to stand out, we have to be a surprise. Read &#8220;<a href="http://sethgodin.typepad.com/seths_blog/2007/02/im_not_surprise.html">I&#8217;m not surprised</a>&#8221; &#8211; but put it in the context of how your security team operates. And then read his conclusion:</p>
<p style="text-indent: 20pt"><em>&#8220;But if you want the word to spread, if you expect me to take action I&#8217;ve never taken before, it seems to me that you need to do something that hasn&#8217;t been done before. It might not feel safe, but if you do the safe thing, I guarantee you won&#8217;t surprise anyone. And if you don&#8217;t surprise anyone, the word isn&#8217;t going to spread.&#8221; &#8211; </em><em><a href="http://sethgodin.typepad.com/seths_blog/2007/02/im_not_surprise.html">Seth Godin</a></em><em><br />
</em></p>
<p>For years I have felt that as a security professional, I had to overcome a generally held negative stigma about the way &#8220;we&#8221; act: we ignore others, we skip meetings, we tell people what they can&#8217;t do. Most security teams don&#8217;t carry a positive connotation with them&#8230; whether earned or not. When is the last time you heard someone say &#8220;oh good, the security team got invited&#8221;?</p>
<p>It&#8217;s time to change our approach. We have to learn how to communicate more effectively. We have to listen more. To build on what Seth Godin shares (hey, I happen to like bald New Yorkers) &#8211; we have to be remarkable. Whether you work as a consultant or are part of an internal organization, we have clients that we serve, and we have to &#8220;wow&#8221; them at every opportunity. Now I&#8217;m not suggesting this is easy, but it&#8217;s clearly needed and worth it.</p>
<p>You can get started today (or on Monday) by approaching the situations you take on with a different attitude. Do this enough and you will stand out&#8230; here are five suggestions to get you started:</p>
<p><strong>Bring donuts to a meeting</strong><br />
I mean it. If you&#8217;re health conscious, bring bagels. Bring fruit. Food is a great peace offering, shows you thought enough about others to make a difference and is a nice gesture. But wait &#8211; when people have enough blood sugar, they think better, are generally less snippy and are able to focus better. Think about when your meetings are scheduled and cater to the needs of the people attending. So do you really have to bring donuts? You decide. It is important, though, to think about the others you are working with and work aggressively to meet their needs.<br />
<strong>Answer the phone with a smile &#8211; don&#8217;t growl.</strong><br />
Seriously. When someone calls, do you sound annoyed and overworked? Maybe you are, but how do you feel when you call a company and the person on the other end makes you feel that you are an inconvenience? I don&#8217;t know about you, but I get defensive, irritated and generally enjoy the experience less. Is that what you expect from your colleagues? You have the power to make a difference &#8211; answer the phone with a smile in your voice and actually focus on the person on the other end. You&#8217;ll both walk away with a better experience.</p>
<p><strong>Ask a user what their biggest security challenge is &#8211; and then explain it to them in a way they understand</strong><br />
A lot has been written lately about users. Want to get a different perspective? When you find yourself with some time for lunch, invite a non-technical colleague to join you. During the conversation, ask them about a challenge they have at home with security (or at work). Let them explain it &#8211; don&#8217;t jump in immediately with the solution. Ask some questions, pay attention and then offer to provide some insight, like this, &#8220;would it be useful if I shared some of my experiences with you when I dealt with that?&#8221; &#8211; see, that sets you up to share &#8211; and not tell in a condescending way. Then take some time to find a common ground and language, and work to explain a possible solution to your colleague in their words. This is decidedly a challenge, but if you make a habit of this &#8211; you&#8217;ll truly grow your abilities to explain how to protect information.</p>
<p><strong>Follow-up with a helpful solution</strong><br />
We&#8217;ve all been part of meetings where a solution isn&#8217;t immediately clear to us. When that happens, have you ever actually thought about it a bit and then provided your insights to the group? In my experience, we in security always get knocked for stopping progress and not helping advance it. So flip it around. Many of us in security have broad access to the company and with it, broad experience. Bring a helpful solution back and be considered part of the success. Good things will follow (especially if you make this a habit).</p>
<p><strong>Point out what is RIGHT with a solution, and then help improve it</strong><br />
In technology, most of us get hit about the head and body when a mistake is made &#8211; and therefore it becomes a common mechanism for how we deal with others. Someone makes a mistake (perhaps even one that we made a long, long time ago) and we jump all over them. Have you ever taken the time in a meeting to point out what you LIKE about the solution? How security was considered, or how the choices made really support the ability to protect information? By celebrating and acknowledging others, you are then able to contribute your skills, insights and knowledge to the solution. After all, isn&#8217;t that our job as security professionals?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/02/seth-godin-explains-why-hes-not-surprised-would-i-be-if-i-came-to-your-security-team/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>

