Awareness

Posts relating to the category tag "awareness" are listed below.

11 December 2009

Consultation on the Personal Information Online Code of Practice

On Wednesday I attended the Information Commissioner's Office (ICO) Personal Information Online Conference 2009 at which the ICO launched their consultation on the new Personal Information Online Code of Practice.

Photograph of an old office block and new apartment block in the heart of Manchester, near to the conference venue, the Lowry Hotel

Manchester and Salford gave us a beautiful sunny day for the event, which briefed delegates on the ICO's approach to data protection and outlined the collaborative process used to develop the draft code of practice. Iain Bourne, Head of Data Protection Projects, noted that fewer public sector organisations than hoped had been involved to date, and that the ICO would like more feedback from this sector in particular during the consultation phase, which ends on 5 March 2009.

Photograph of David Smith, Deputy Information Commissioner, giving the Personal Information Online Conference 2009 keynote address at the Lowry Hotel, Manchester

My first impression is that this will be a useful document for organisations without staff dedicated to data protection or compliance, especially once the examples and SME checklist are added. The structure and content are still a little raw, but probably about right for the start of a 12-week consultation process. Areas where I am already considering providing feedback are:

  • local storage of personal information (not just cookies)
  • verification of protection
  • suppliers, sub-contractors and staff
  • monitoring and anomaly detection
  • transmission of personal information
  • inclusion of third party content in web sites
  • using cookies to enforce an opt out
  • additional reference materials

The full text and consultation document are available as a PDF.

Feedback on the Personal Information Online Code of Practice can be provided using the ICO's consultation portal with further background available in the related press release.

Posted on: 11 December 2009 at 10:56 hrs


04 September 2009

Internet in Britain 2009

The results of the Internet in Britain 2009 survey by the Oxford Internet Institute highlight people's usage of, and concerns about, the internet and web sites.

Partial screen capture showing the cover of the Internet in Britain 2009 report by William H. Dutton, Ellen J. Helsper and Monica M. Gerber of the Oxford Internet Institute

Some aspects of the report relating to e-commerce, trust, fraud and privacy are summarised below.

  • Confidence in the Internet and the commercial services that it offers remains high.
  • Use of the internet is leading to greater trust in the technology as a source of information and medium of communication and services.
  • Compared with 2007, people are just as concerned about credit card fraud and the right to express opinions anonymously, but less concerned about the threat that computers and the internet pose to privacy.
  • Negative experiences of the internet are not as great as portrayed in the media.
  • The survey examined what personal information people are willing to provide when registering on websites.
  • There is a general desire for greater regulation of the internet.

Read the report for the methodology, full information and detailed analysis. The report also provides useful data on internet penetration and usage patterns such as for web 2.0 and mobile technologies.

Posted on: 04 September 2009 at 13:48 hrs


21 August 2009

Stupid Security?

In this month's PC Pro magazine, Davey Winder commented on the Information Security Awareness Forum (ISAF) concerning their recommendation to have "report abuse" links on web sites.

Scan of the PC Pro magazine showing the top corner of Davey Winder's column titled 'Stupid Security'

In his column titled "Stupid Security" in the Online Security section of Real World Computing, he says there are too many "click this" links on most sites and that a report abuse link on a fake site is likely to give you a fake answer. Very true.

But that doesn't get away from the problem that people still need somewhere to go to ask for help, to query account entries, to raise concerns or to report suspicious emails and web pages. That's why we have phone numbers printed on credit cards, bank statements and even on web sites.

The ISAF and its member organisations are doing more than many others, including their excellent Directors' Guides, and they didn't deserve this. Perhaps PC Pro will become a member and contribute to the effort to promote and improve information security awareness.

Posted on: 21 August 2009 at 08:14 hrs


28 July 2009

Colour Overload with IE8 Tab Grouping

Do people understand tab grouping in Internet Explorer version 8 (IE8)? This was a new idea introduced to collect together and identify tabs originating from the same source.

Note this isn't grouping based on the web site (domain name)—it's grouping from which other tab you clicked. The group colour is selected randomly, so yesterday's blue might be today's yellow.

My concern with tab grouping is not the concept, but the use of colour. Not because of the accessibility difficulty that some people may have distinguishing between colours, which is partially addressed by Microsoft in a tab naming convention, but because the colours can lead to confusion about SSL certificates. Take this example with four tabs open, the first tab selected and a current Extended Validation (EV) SSL certificate in use:

  1. Bank No X online banking login (domain A / SSL)
  2. Bank No X information page (domain B / non-SSL) opened using a link on page 1
  3. Bank No Y home page (domain C / non-SSL)
  4. Bank No Y business banking login (domain D / SSL) opened using a link on page 2

Partial screen capture of four browser tabs in Internet Explorer 8 (IE8) where they are grouped into two tab groups, one pair highlighted in the colour green and the latter two in the colour blue / the first tab which is selected is also an SSL site with a current Extended Validation (EV) SSL certificate making the address bar a green colour

What does green mean? How about if we have an invalid SSL certificate and the tab group is green:

Partial screen capture of four browser tabs in Internet Explorer 8 (IE8) where they are grouped into two tab groups, one pair highlighted in the colour green and the latter two in the colour blue / the first tab which is selected is also an SSL site with an invalid SSL certificate making the address bar a red colour

Confusing? Yes. It can lead to this type of misunderstanding:

That must be what I am seeing because it's not always the same colours. I had thought it had to do with security.

Helping people to identify and reject invalid SSL certificates is important—IE8 users are being put at a disadvantage by Microsoft. I'd like to see tab grouping turned off by default for now, and some other indicator of tab groups used instead of distracting colour-coding. Perhaps, since new tabs are always opened adjacent to their 'parent', even something as simple as this mock-up might suffice:

Mock-up of four browser tabs in Internet Explorer 8 (IE8) where they are grouped into two tab groups, without any special colouring, but with a separator bar between the two groups instead / the first tab which is selected is also an SSL site with a current Extended Validation (EV) SSL certificate making the address bar a green colour

Is this easier to understand? What do you think?

Posted on: 28 July 2009 at 08:21 hrs


17 July 2009

Risk and Responsibility

It came as news to me that there is a UK Risk and Regulation Advisory Council (RRAC). It has been considering how distorted perceptions of risk can encourage poor policy-making and unnecessary laws.

The RRAC's report, Response with Responsibility: Policy-Making for Public Risk in the 21st Century, includes some useful discussion and ideas on the perception of risk. I think there are many parallels with information security risk, such as the unnecessary spreading of Fear, Uncertainty and Doubt, and the risk perception and risk-reduction behaviour described in The Psychology of Security.

Information privacy and security professionals would do well to read the case study "Tree Safety – The Role of the Risk Actor" on page 15 of the RRAC report, which discusses a proposal for tree safety management and the lack of participation during the consultation stages by anyone other than arboriculturalists ("tree consultants").

...the draft specified at least one professional arboriculturalist's inspection every five years – for all trees. This would replace the uncertainty of legal liability with a certainty of cost...

The privacy and security industry needs to make sure we don't blindly recommend the ALARP principle (As Low As Reasonably Practicable), or be seen to be promoting our own vested interests, whether as a product vendor or a provider of consultancy services. Yes, risks should be kept as low as reasonably practicable, but they need to be considered in the context of the individuals, the business and society.

Posted on: 17 July 2009 at 10:48 hrs


03 July 2009

Nominet Best Practice Challenge Awards 2009

Last night I had the pleasure of attending the Nominet Best Practice Challenge Awards 2009 at Banqueting House in Whitehall, London.

In the Best Security Initiative Award, OWASP Board member Dinis Cruz, OWASP London chapter leader Justin Clarke and I were representing The Open Web Application Security Project. Our entry for the 2009 Best Practice Challenge had been shortlisted in June.

The judges were impressed by [OWASP's] ambitious work and conference programmes and the way [OWASP] has developed and widened its reach

It was interesting to see the innovative work being undertaken across the UK in security, access, diversity and openness. The Yorkshire Business Crime Reduction Centre (BCRC) won the Best Security Initiative Award. The BCRC is supported by South Yorkshire Police and the Regional Development Agency, and undertakes e-commerce and physical security assessments for small and medium-sized enterprises (SMEs) in the area. Their recent E-Crime Guide is a very useful introduction to the issues.

It is good to see an increasing awareness of online and e-commerce security, and this looks likely to continue with the recent announcement by the Prime Minister of new initiatives to secure the UK from cyber threats, following publication of the Digital Britain report last month.

Posted on: 03 July 2009 at 11:16 hrs


22 May 2009

Poor Security Instructions in IE8

How can we use security awareness to train users to spot security threats? Providing consistent instructions in our applications is one way to help regular users detect changes that may be malicious.

Therefore I was surprised to see this mismatch between reality and the instructions in Internet Explorer 8 when accessing the Microsoft Updates site:

Partial screen capture showing Internet Explorer 8 web browser accessing the Microsoft Updates website shortly after its initial installation - the browser is warning about installing a component and asks us to click on 'Run Add-on' if we trust Microsoft, but the page instructions and illustration tell us to 'Install ActiveX Control'

The warning suggests you need to click on "Run Add-on", but the help information in the body of the page says to click on "Install ActiveX Control". And would I want to "Run Add-on on All Websites"? I'm not really sure. Does "run" mean "install" or does it suggest something less permanent?

I think we have a mixture of re-branding and Windows Vista syntax leakage, but it doesn't help end users—it just adds to security information noise. If Microsoft do it, phishers and malware writers can too.

We should do better than this in our own web applications.

Posted on: 22 May 2009 at 09:17 hrs


Awareness : Web Security, Usability and Design
http://www.clerkendweller.com/awareness
© 2008-2010 clerkendweller.com