16 November 2012

Due diligence

Posts relating to the category tag "due diligence" are listed below.

16 November 2012

Digital Identity for Winners

A very comprehensive report by the Boston Consulting Group, that assesses the value of digital identity, has been published by Liberty Global.

Examples of the charts included within 'The Value of Our Digital Identity'

The Value of Our Digital Identity describes consumers' increasing awareness of, and desire for, control over their data, and how user control increases their willingness to share it. The report highlights how, unlike some commodities, digital data becomes more valuable as its volume and variety grow. This data explosion is being driven by digital services and media, online data transactions, the internet of things and the current boom in social media; in turn it can fuel economic growth.

The report attempts to define what digital identity is, quantifies the current and potential economic value of digital identity for organisations and consumers, identifies important trends and offers a set of guiding principles that could help responsible organisations benefit from the value of digital identity.

Topics included that may be of particular interest to those involved with application design and implementation include:

  • Problems when there is a lack of transparency for users about how their personal data is collected and used
  • The benefits of offering the right to be forgotten
  • How the form of consent should be based on the type of data requested
  • The need for convenience (usability)
  • Sector-specific variations in user behaviour
  • The requirement to increase data security (and not just using technical controls)
  • Why there should be flexibility in regulation to allow users to make their own choices
  • How digital identity can be used to provide differentiation from competitors

The report suggests that organisations need to establish and promote a trusted flow of data, or otherwise there are significant lost opportunities for value generation. Read, digest and implement.

Posted on: 16 November 2012 at 20:51 hrs

27 July 2012

Consultation on .UK Domain Renewal Expiry

Following recent work by one of Nominet's issue groups, a consultation has been published on the current policy, which provides registrants with a 90-day expiry period in which to rectify a mistaken non-renewal.

The current policy indicates that the expiry period is for the benefit of the registrant; however, the policy does not elaborate further on what is meant by "benefit of the registrant."

The Domain Expiry Policy Consultation describes the current recommendations which are the result of feedback from an initial version in February. The Domain Expiry Policy Issue Group has asked for feedback to be sent by email to policy@nominet.org.uk by 3 September 2012. Feedback may be published anonymously.

Nominet has provided some statistical data on .UK renewals.

Posted on: 27 July 2012 at 07:27 hrs

04 July 2012

Cyber Risk Insurance

ENISA has released a report on its recent study of the cyber insurance market.

Partial view from a page on ENISA's report 'Incentives and Barriers to the Cyber Insurance Market in Europe'

The report Incentives and Barriers to the Cyber Insurance Market in Europe attempts to define cyber insurance, why cyber insurance could be an attractive measure for transferring financial risk, and describes current market offerings.

The report goes on to discuss barriers to the development of an effective cyber insurance market including:

  • Uncertainty about the extent of risk and lack of robust actuarial data
  • Uncertainty about what risk is being insured
  • Ongoing technological evolution
  • Lack of visibility on what constitutes effective protection measures
  • The absence of an insurer of last resort to re-insure catastrophic risks
  • Perception that existing insurance already covers cyber risks

The report provides recommendations to address the issues. At first glance you might consider the report is primarily of use to those within the insurance industry but I think it should have a much wider audience since it addresses many of the issues industry has in quantifying risks and justifying spending on security. Of course if your organisation is considering buying cyber insurance, or even believes it already has such insurance (possibly in error), the report will provide useful matter for consideration.

See also my recent post about Systematic Study of the Costs of Cybercrime and a 2009 post on E-Commerce and Insurance - The Definitive Guide.

Posted on: 04 July 2012 at 21:11 hrs

27 January 2012

Happy Data Privacy Day Eve!

Yes, had you forgotten it's Data Privacy Day tomorrow? See StaySafeOnline for events in the US and Canada. Not sure why it's a Saturday — maybe to give the weekend journalists a story they can prepare in advance, and then take the day off.

While there is a programme of events, data protection has been in the news this week following the publication on Wednesday of the European Union's proposed reform of data protection legislation, promoted under the banner of aiming:

to increase users' control of their data and to cut costs for businesses

Extensive documentation and justifications have been published to accompany the draft directive. There is of course plenty of coverage elsewhere, and I would recommend reading the following:

So, what does it mean? For now, these are just proposals, and what will eventually be made into law will be something very different. But it does indicate the way things are going, and is a reminder to website and application owners & developers of the need to take privacy considerations into their projects now, since the cost of changes later may be prohibitive. And, they should be doing this already, but there may be more obligations for those processing personal data in the future. There is potentially more complex functionality required for tracking consent, achieving data portability, handling withdrawal of consent and undertaking data removal.

And, there is the topic of mandatory notification of "serious" breaches.

Data Privacy Day might be a day of reading after all.

Posted on: 27 January 2012 at 07:46 hrs

22 April 2011

State of Software Security Report Volume 3

The third semi-annual "State of Software Security Report - The Intractable Problem of Insecure Software" has been issued by Veracode (see my previous comments on volume 1 and volume 2).

Partial view of one of the figures in Veracode's report State of Software Security - Volume 3

Volume 3 provides further insight into the results of static binary, dynamic, and manual security testing of almost 5,000 applications over the last 18 months from Veracode's wide client base. The data covers both web and non-web application code in the most common programming languages: C/C++, ColdFusion, Java, .NET and PHP.

This report provides even more data on the types of vulnerabilities found and further comparison between applications by industry sector, company type, purpose, supplier type and time to acceptable quality. There is a wealth of statistics which will be useful to anyone looking to reduce software vulnerabilities including developers, testers and those in the information security industry. I'm particularly impressed by the thought that has gone into the design of the data-rich charts and the honesty about whether trends are statistically significant.

One aspect mentioned is that newer applications tested on first time submission are not much better than older ones (in this case "older" means "a year or so ago"). The reasons suggested are either lack of secure development practices, or such practices were performed but inadequately. But I wonder if this may be the result of Veracode's customers beginning to work backwards through their legacy applications, to assess and thus rank them for remediation effort? Therefore, these legacy applications will not have had the same degree of care and attention as perhaps more recently developed software.

The mine of information presented over 50 pages also discusses the relatively low level of security knowledge of developers, and the need to provide better awareness and training. But a new section in this report attempts to examine the remediation efforts. I really appreciate the effort that has gone into this and the presentation of so much data analysis. We have to thank Veracode's customers for allowing their data to be included in this aggregated data.

The report also discusses how there is a growing usage of third-party risk assessments, where the software is assessed independently using multiple testing techniques. In some sectors, software suppliers are increasingly being held accountable for the security quality of the applications they produce. I think that is a good thing.

While there is a comparison of different sectors, I wonder if it will be possible to delve into greater detail in future? For example, some large providers of outsourced development are also active in the software security space, and have their own products for static & dynamic security testing, and even provide software security consultancy services. Do those companies take their own medicine? Do they apply the knowledge and tools they offer in another part of their business in their own software development services? We probably won't find out any time soon, but it would be fascinating to know.

The report's data suggests web applications are still plagued by vulnerabilities such as cross-site scripting (XSS), information leakage and injection (SQL injection and CRLF injection). Meanwhile the most frequently found issues for non-web applications are buffer overflow, error handling and potential backdoors. Cryptographic issues are also very common. The majority of applications tested suffer from these well-known defects, all of which are well documented and have a range of established methods to solve them.

Good reading for the beach this weekend!

Posted on: 22 April 2011 at 12:45 hrs

12 April 2011

Crime, SSL and Data Protection

On Sunday morning, I was intrigued to read on Web Application Security - From the Start about a security vulnerability supposedly found on the Child Exploitation and Online Protection Centre (CEOP) web site.

https - HTTP over Secure Sockets Layer (SSL), or correctly nowadays Transport Layer Security (TLS)

But it is apparently true: the short story on the BBC web site seemed to be confirmed in their interview with CEOP, which was mentioned by @StewartRoom, @xklamation and @siliconglen, and received further coverage yesterday in IT Pro and IT Week. I wondered where this report came from and how the Information Commissioner's Office (ICO) became involved so quickly. IT Week suggests a member of the public tested the CEOP site and then told them of the problem; presumably CEOP then reported it to the ICO.

Don't get me wrong, I think the ICO should investigate whether there has been a breach of the Data Protection Act 1998, but some of the information released so far doesn't seem correct. The BBC story includes several statements supposedly attributed to CEOP's Chief Executive Peter Davies. But I cannot quite believe CEOP would say some of these things about a web form to report alleged offenders, so perhaps sadly there is some over-zealous PR going on, or misinterpretation by the BBC's journalist.

A later item on The Register Child protection Website Insecurity Fixed paints a slightly different picture, suggesting the form is, and always has been, using SSL only, but that there was a link to a non-SSL address which then redirected. I must say, I'm inclined to believe The Register's version more than the BBC. I think we have to leave it up to whoever is investigating to get to the true facts, but it does seem to be creating a link between personal data protection and the use of SSL.

It is perhaps not always clear to government agencies what administrative, physical and technical security practices should be implemented to protect a web site, or who makes the decisions. The government's Central Office of Information (COI) has never published any web standards and guidelines on security or privacy protection, perhaps feeling it is some other agency's responsibility (maybe CESG, CPNI or even the ICO?).

The security measures implemented for a web form like this ought to be similar to those defined in open standards, and common sense alone would tell you this is an obvious place for using appropriately designed HTTPS. Anyone auditing or verifying the security aspects would have made this clear in large red letters, but waiting until after being made live is incomprehensible too. Security and privacy need to be considered from early stages in every project, and built in to the final system. There are existing standards for that too.

But I am concerned about some statements which have been reported. If they are true, I am worried.

"All secure website carried the prefix https, compare[d] to http for insecure ones"

False. Using HTTP over SSL does contribute to the protection of a user's, or organisation's, data in transit and also gives some degree of identity assurance. There is even a campaign to increase adoption. But SSL is not the same thing as a web site being secure. A web site using SSL can still be vulnerable to attacks (e.g. SQL injection, cross-site scripting, cross site request forgery) leading to contamination with malware or data damage, loss and destruction.

SSL does not stop breaches of the Data Protection Act.

"It's been fixed now"

Really, that quickly? There's more to implementing SSL than just turning it on. Last year I mentioned some other concerns about CEOP and trust, but you cannot check or test a web site without authorisation. On Sunday, @siliconglen also asked why CEOP were not using an extended validation (EV) SSL certificate. For many purposes I'm on record as saying EV certificates are not needed, but here I agree: I think an EV certificate should be used. And really, why not have the whole site on SSL?

Of course, all organisations would do well to ensure that their SSL certificates are valid, applied appropriately to the applications and that SSL is configured securely, such as ensuring weak protocols and ciphers are not available. They should also think about whether any data can be cached locally on the web browser, whether other domains have access to the web page contents, and what exactly is done with the sensitive data once it is saved on the web site. How secure are the information systems and subsequent processes?

Fix and verify.

Conclusion

Other public and private sector organisations take note. It will be interesting to see the outcome of the ICO investigation and whether this incident leads to a change in attitude, or even sets a precedent for online data protection requirements.

SSL has its problems, see here, here and here, but it would be wrong not to implement it. After all we've been using it for over ten years to help protect credit card data in online shopping; information from children about possible offenders is an order of magnitude more important than payment card data.

I just hope some of the statements that appeared in the BBC article about SSL were misinterpreted, and don't become the accepted understanding. CEOP please set the record straight.

Posted on: 12 April 2011 at 20:30 hrs

24 August 2010

E-Commerce Due Diligence

Investment decisions for loans, mergers & acquisitions in primarily online businesses need just as much care as investing in more conventional businesses.

Photograph of a green grocer's store in Grainger Market, Newcastle, England

This month I contributed to the Autumn 2010 newsletter of DeVere & Co, risk management, fraud and asset recovery specialists, with an article about Ecommerce Due Diligence. In the article I discuss some of the specific issues relating to due diligence of online/e-commerce websites and applications including intellectual property, third parties, sensitive data, security operations and customers.

E-commerce sites often link many different systems and it is necessary to identify the relationships, boundaries, agreements and assumptions. Asset ownership is not always as clear-cut as expected. Let the buyer beware!

Posted on: 24 August 2010 at 08:27 hrs

07 May 2010

Business Case for Data Protection

Information in a web application could be the most valuable asset. A research study of UK executives' attitudes to data protection risks and data breaches was published by the Ponemon Institute at the end of March.

Part of a page showing text and chart from the Ponemon Institute's report 'Business Case for Data Protection - A Study of CEOs and other C-level Executives in the United Kingdom'

The report, Business Case for Data Protection - A Study of CEOs and other C-level Executives in the United Kingdom (and a US version), was sponsored by Ounce Labs (now part of IBM). A representative sample of 115 respondents were surveyed across a range of small, medium and large enterprises. Almost 80% of the organisations surveyed had suffered a data loss in the previous 12 months. The report lists a useful priority ranking of the six most critical types of data to business operations:

  1. Financial information
  2. Intellectual property
  3. Non-financial confidential information
  4. Employee information
  5. Business customer information
  6. Customer or consumer information

Of course other parties (e.g. partners, suppliers and customers) might view the last two as most important to themselves.

The findings were broadly similar to the 2009 survey. Maintaining reputation and brand was the most commonly stated important organisational goal that depends on data protection and there seemed to be many fewer organisations for which ensuring regulatory compliance was such a goal. The ranking of business functions the respondents felt needed to collaborate to achieve data protection goals changed somewhat, but generally the survey seems to add weight to the previous year's findings. Even the "average cost per compromised record" seemed to be about the same (the number is in the report if you are interested).

But determining the impacts (direct and indirect costs) of data breaches is one aspect of calculating the value of information. Recently judges in the US have been trying to determine the loss when data were stolen in the case of Albert Gonzalez for the TJX breach (who has now been sentenced).

The ICO's report on the business case for investing in proactive privacy protection, The Privacy Dividend, describes alternative aspects for valuing information—and not just from the business' own perspective. This seems to be the discussion the US judges were having.

Another report, published two weeks ago, from SAS and the London Business School on Valuing Information as an Asset discusses the internal business value. The report argues for a proactive, asset-centric, value-based approach to the management of information, rather than a security-centric approach, which could otherwise limit access to data rather than enabling its exploitation. Without placing a value on information, and therefore an economic incentive, data breaches (real breaches not lost media) will continue.

Information in web applications should add value, and therefore it needs to be protected from internal and external threats. That shouldn't mean it can't be exploited to fulfil its potential (within appropriate legal, ethical and other constraints). By considering, during the design of the system, what this potential is and what its value is to the various parties, appropriate security and privacy measures can be built in that support and enhance the business functions rather than detract from the organisation's goals.

Posted on: 07 May 2010 at 09:48 hrs

30 January 2009

Cyber Liability Insurance

Nowadays many organisations' main assets are their information and networks rather than physical things like office buildings. The protection of the privacy of employees, customers and the public is also a growing issue.

At a talk organised by the Insurance Institute of London, Emily Freeman of insurance brokers Lockton explained why conventional insurance policies such as general commercial liability, professional indemnity, errors and omissions (E&O) liability, criminal damage, privacy and property protection are very unlikely to cover the effects of information damage or loss. If you want insurance to offer worldwide protection against damage and consequential losses, possibly with the involvement of insiders, you need an explicit policy—typically called cyber liability insurance.

Not all cyber liability insurance products are the same and the package should be discussed with your existing broker or one that specialises in cyber insurance. The aspects to consider are:

  • data network availability and damage
  • loss or damage to sensitive data
  • internet defamation, copyright and trademark infringement
  • data breach notification and crisis management
  • regulatory investigations, fines and penalties.

Apparently there is now a trend in litigation moving on from omissions and correctness, to "is it doing it securely?".

Chart containing a pyramid with 'Did we receive it?' at the base, 'Does it work?' above and 'Is it safe?' at the top, and an upward pointing arrow with the label 'We are heading this way'

Something, then, to be considered more in web application specifications and acceptance testing.

Web site operators (especially those that collect personally identifiable information, rely on the web site for critical business processes, operate in a more highly regulated environment, or who allow users to contribute content) should investigate the risks and possible benefits of cyber liability insurance. No web-enabled system can be completely secure, but you'll need to demonstrate that you are applying and monitoring security best practices—otherwise you might not be able to transfer any risk at all to an insurer.

The recent data breach at Heartland Payment Systems in the United States reminds us that compliance is not security. It seems the data was copied using a technique requiring a high level of system access. Take care!

Posted on: 30 January 2009 at 08:34 hrs

15 August 2008

Is Your Web Site on Virtual Contaminated Land?

When we set up a web site, how much thought should we give to the previous use of the Internet Protocol (IP) address and domain name? Any previous use could spell disaster for a new web site.

When you buy a house your conveyancing solicitor will undertake local searches and review the Home Information Pack. For commercial transactions, organisations will usually undertake some form of due diligence checks including enquiring about previous uses of the site and adjoining properties using old maps and information from the local authority. No-one wants to inherit the liability for contaminated land, for example from a previous gas works, tanning plant or dye manufacturer that occupied the site.

Instead of chemical threats, web sites need some virtual due diligence, when setting up a new site or moving to a new hosting company or domain. It may also be an issue if your hosting company is changing their IP address ranges and this affects your servers. The threats are to your organisation's reputation if it becomes associated with something contrary to its beliefs, objectives or might upset its customers, clients or users. It could also lead to a lack of availability if the address is blocked by spam or web filtering gateways.

The Domain Name System (DNS) is responsible for translating between human-friendly domain names (e.g. www.clerkendweller.com) and machine-friendly IP addresses (e.g. 217.33.198.55). If a hosting company loses a client, it is very likely to re-allocate that web site's IP address to a new customer.

For a new IP address on your existing domain (e.g. a server move), my recommendation is to obtain details of:

  • How long the IP address has been allocated to the hosting company
  • All domains assigned to the IP address previously
  • Details of the organisations who own those domains
  • What is hosted on 'nearby' IP addresses, i.e. in the same address block
  • What else is listed on the same domain name servers, and the company who operates them

For a new web domain, check:

  • Ownership history
  • Current and prior internet usage (web, email, ftp, etc.)
  • The IP addresses used for both of these (as above)

Then, evaluate whether there is anything you might not want to be associated with or has been excluded by web/email filtering/firewall systems due to what it has been used for or the content it contained. Check other server IP addresses as well (e.g. your mail server) if this is changing as well. Also check what else is hosted on 'nearby' IP addresses in the same range.

For a new web domain, use tools like Netcraft, Site Advisor, The Way Back Machine and Google searches to investigate prior use. Check with suppliers of web filtering gateways and providers of reputational services whether the domains are blacklisted.

For mail, the Spam and Open Relay Blocking System (SORBS) and Spamhaus list potentially problematic spam sources and open mail relays. There are many more similar searchable spam lists listed at dr.moensted. You may also want to check whether Hotmail, GMail and AOL treat the IP or domain as a source of spam.

If you are purchasing an existing domain name, as opposed to registering one from scratch, check its previous and current use. Some companies serve advert pages for domains they own but are not allocated to a web site - be very wary of these.

If your hosting company won't help with this enquiry, go elsewhere.
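The DNSBL part of the checks above, as an added example that is not code from the original post: it builds the reversed-octet query names for the SORBS and Spamhaus zones, distinguishes a real listing from a refused query or a resolver that rewrites NXDOMAIN, and walks the 'nearby' addresses in the same block. The Spamhaus ZEN return codes are from Spamhaus' public documentation; the lookup table used so that the demonstration runs offline is constructed sample data.

```python
"""Virtual due-diligence check of an IPv4 address (and its neighbours) against
DNS-based blocklists such as the SORBS and Spamhaus zones named in the post.

Added example, not from the original post. Assumes the usual DNSBL convention:
reverse the four octets, append the zone, and treat an A record in 127.0.0.0/8
as a listing. The table used by constructed_resolver() is invented sample data.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple

# Aggregate public zones named in the post (Spamhaus and SORBS).
DEFAULT_ZONES = ["zen.spamhaus.org", "dnsbl.sorbs.net"]

# Return codes documented for zen.spamhaus.org; other zones publish their own
# tables, so for them a listing is reported with its raw code.
ZEN_CODES = {"127.0.0.2": "SBL - Spamhaus Block List", "127.0.0.3": "SBL CSS",
             "127.0.0.9": "SBL DROP/EDROP", "127.0.0.10": "PBL (ISP range)",
             "127.0.0.11": "PBL (Spamhaus range)"}
ZEN_CODES.update({f"127.0.0.{n}": "XBL - exploited host" for n in range(4, 8)})

Resolver = Callable[[str], Optional[str]]  # name -> first A record, or None
Verdict = Tuple[str, str]                   # ("clean"|"listed"|"error", detail)

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet lookup name, e.g. 55.198.33.217.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def socket_resolver(name: str) -> Optional[str]:
    """Live resolver: NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def interpret(zone: str, answer: Optional[str]) -> Verdict:
    """Turn a DNSBL answer into a verdict, keeping errors apart from listings."""
    if answer is None:
        return ("clean", "no A record returned")
    code = ipaddress.ip_address(answer)
    if code not in ipaddress.ip_network("127.0.0.0/8"):
        # A non-loopback answer usually means the resolver rewrites NXDOMAIN
        # (search-page hijacking); the result is meaningless, not a listing.
        return ("error", f"unexpected answer {answer}; resolver may rewrite NXDOMAIN")
    if code in ipaddress.ip_network("127.255.255.0/24"):
        # Spamhaus answers 127.255.255.x to refuse a query (open resolver,
        # volume limits, mistyped zone); do not mistake it for a listing.
        return ("error", f"query refused by {zone} with code {answer}")
    if zone == "zen.spamhaus.org":
        return ("listed", ZEN_CODES.get(answer, f"unknown ZEN code {answer}"))
    return ("listed", f"code {answer}")

def check_ip(ip: str, zones=DEFAULT_ZONES, resolver: Resolver = socket_resolver) -> Dict[str, Verdict]:
    """Query every zone for one address and return a verdict per zone."""
    return {z: interpret(z, resolver(dnsbl_query_name(ip, z))) for z in zones}

def listed_neighbours(ip: str, prefixlen: int = 24, zones=DEFAULT_ZONES,
                      resolver: Resolver = socket_resolver) -> Dict[str, Dict[str, str]]:
    """Check the other hosts in the same block ('nearby' addresses in the post).
    Only neighbours with an actual listing are returned; errors are ignored."""
    block = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    hits: Dict[str, Dict[str, str]] = {}
    for host in block.hosts():
        if str(host) == ip:
            continue
        listed = {z: d for z, (status, d) in check_ip(str(host), zones, resolver).items()
                  if status == "listed"}
        if listed:
            hits[str(host)] = listed
    return hits

# Constructed stand-in for live DNS so the demo runs offline. 127.0.0.2 is the
# address Spamhaus documents as always listed for testing; 10.0.0.x is invented.
CONSTRUCTED_TABLE = {"2.0.0.127.zen.spamhaus.org": "127.0.0.2",
                     "5.0.0.10.zen.spamhaus.org": "127.0.0.4",
                     "5.0.0.10.dnsbl.sorbs.net": "127.0.0.6",
                     "9.0.0.10.zen.spamhaus.org": "127.255.255.254"}

def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_TABLE.get(name)

if __name__ == "__main__":
    for candidate in ("127.0.0.2", "10.0.0.1", "10.0.0.9"):
        print(candidate, check_ip(candidate, resolver=constructed_resolver))
    print("10.0.0.1/28 neighbours:", listed_neighbours("10.0.0.1", 28, resolver=constructed_resolver))
```

Swap `constructed_resolver` for the default `socket_resolver` to query the live zones; a /24 walk then makes two queries per host, so keep the block small or rate-limit it to stay within the lists' published usage limits.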

Posted on: 15 August 2008 at 10:15 hrs

Due diligence : Web Security, Usability and Design
http://www.clerkendweller.com/due-diligence
© 2008-2013 clerkendweller.com