Ed Gelbstein, Ph.D.
Information technologies have advanced in huge leaps, causing a significant disruption to familiar models roughly every 10 years. These advances also drive massive and rapid increases in the numbers of people with access to them.
The speed of these changes has no precedent in human history, and the power of these technologies has transformed both the work environment and our personal lives and brought with it many positive contributions.
However, we have by now learned that technology is never perfect; it can be assumed that hardware vulnerabilities and software errors are impossible to avoid totally by design. For those with good knowledge of mathematical logic, there are Gödel’s axioms on incompleteness from 1931 that can be used to demonstrate that error-free software is theoretically impossible.
This opens the door for researchers and hackers to find such vulnerabilities, with a consequent stream of updates, fixes and patches. But this is only half the challenge: these imperfect devices end up in the hands of people who may not have sufficient knowledge of good security practices (the article refers to this knowledge as “digital hygiene”) and are, therefore, exposed to infection as a result.
Well-meaning awareness programs may not be enough to change how people approach digital hygiene. My 2013 book Good Digital Hygiene lists 41 measures that can help protect systems and data. Sadly, most people say these measures are a good idea and that they will do something about it “one of these days,” but they usually do not act until after something has gone wrong.
My Journal article concludes with 4 actions that information security professionals can take to help their organizations. The last action suggests learning from marketing people, whose approach is to stimulate a wish to do or acquire something. This works a lot better than using an approach that outlines what cannot be done.
Many who use sophisticated technologies have limited knowledge or even awareness of security issues and what their roles are in managing them. Without a behavioral change from these individuals, we can expect the risk of security breaches with increasingly severe consequences to remain a hot topic.