June 2008 Computer Fraud & Security 17

History demonstrates that there is nothing new under the sun, and while we expect to see a significant change in the focus of attacks and new types of sophisticated technical attacks, the four elements of the quartet – people, motive, opportunity and means – still provide the key. Remove or reduce the risk from any one of the elements of the quartet and the threat of malicious attacks can be significantly reduced or diverted elsewhere. Getting the quartet to play in tune will be the difference between doing business and losing business.

About the author
Andy Jones is a senior research consultant at the Information Security Forum (ISF).

WAR & PEACE IN CYBERSPACE

Now for the good news – scientists and educators are keeping the flame alive

Dario Forte and Richard Power

Forte and Power delve into breaking research at Carnegie Mellon after digesting a few industry surveys.

The news is rarely good. And whenever it is “good,” we are suspicious (and usually for good reason). Consider the findings of a recent report conducted for (ISC)² by Rob Ayoub at Frost & Sullivan:

“The major data breaches that have received mass media coverage are driving so-called ‘C-level’ executives to become actively involved in their organization’s security policies … ‘CEOs are asking their security professionals important questions about how they’re prepared to not become another TJX,’ Ayoub explained. ‘We’ve heard a lot in the past about upper management taking a role in security; this time it is validated.’

“Ayoub also said the report indicated companies planned to spend more money on security training, and that security professionals are ‘optimistic’ about their job. ‘All this points to the conclusion that more C-level executives are showing actual concern about what their security professionals are doing and not just paying lip service,’ Ayoub said.” (SC Magazine, 9 March 2008)

Why aren’t we impressed? Well, let’s just say we have developed a healthy skepticism over the years. Sometimes it seems as if the “C” in C-level stands for cynicism.

Another interesting study was recently released, this one conducted by Deloitte Touche Tohmatsu:

“The 2007 Technology, Media and Telecommunications (TMT) Survey indicates that 46% of more than 100 respondents have no formal information security strategy. However, 69% of the respondents surveyed said they’re ‘very confident’ or ‘extremely confident’ in their abilities to deal with security challenges.”

Excuse me? No, you heard it right. Less than half of the organisations responding to the survey have any formal information security strategy, and yet almost 70% of them are feeling good about their chances. Now that sounds more like the upside-down world we know. And the findings of this study strike us as particularly illustrative of the kinds of companies surveyed, i.e. technology, media and telecommunications. According to Rena Mears, who leads Deloitte’s privacy and data protection team:

“‘When you look at the survey, 38% say they have the skills and capabilities to respond effectively to security challenges – that’s less than 40%,’ she said.

“Forty-nine percent of respondents said they’re falling behind on security threats. Just seven percent replied that they thought their security situation was improving, and only five percent said they had increased security spending by 15% or more. A major problem, Mears explained, is that many organisations consider security to be an IT initiative only. Thirty-eight percent of respondents said their senior executives do not consider security to be a strategic issue.” (SC Magazine, 7 February 2008)