Shostack + Friends Blog Archive


Computer Security and The Human Factor

Nudecybot has a thoughtful post on Computer security and the human factor. He takes a discussion we had, and organizes it well. He talks about airline safety vs computer safety, and how an anonymous reporting system has helped in the airline case.

I think there are two bits that he misses that make the airline safety system work: First, reporting is mandatory. (Or so I understand.) Second, the reports are analyzed and summaries are published, trends are discovered, and results are discussed. CERT collects data, but doesn’t have the budget to analyze it regularly. They do publish Incident Notes; they’ve done two this year.

3 comments on "Computer Security and The Human Factor"

  • Nudecybot says:

    Actually, the reporting is not mandatory. According to Kim, what makes it work is:
    1) voluntary
    2) confidential
    3) non-punitive
    4) independent
    Voluntary implies not mandatory. So the question remains are there any security organizations who meet (or are close to meeting) the criteria for setting up a positive feedback loop in the industry?
    Presumably the problem is so great as to incent both CIOs and security product/service companies to take steps towards resolving it.

  • adam says:

    In that case, is there no mandatory reporting of problems? I know, err, thought the FAA steps in quickly if people die, but is that the trigger?

  • Nudecybot says:

    The whole point of the ASRS is to report problems before they cause fatalities, or “near misses” as they call them. When a plane crashes and people die there is an inquiry into the causes and lessons are learned. But the problem is – it’s too late! So the ASRS asks for voluntary feedback from pilots who run into serious issues but survive to tell the tale, with no threat of incrimination or punishment for mistakes made leading up to the incident.
    Think the computer industry could benefit from something similar? I sure as hell would like to benefit from the lessons learned the hard way by security folk around the world. Well, not that we don’t, but we are learning more from anecdotal material than from a large sample size of detailed information.
