Why surfing the net should be like driving a car

The National Cyber Security Awareness Week may have been celebrated with a tsunami of studies and figures about the ominous threats flooding the internet. But is the deluge of numbers part of the problem or part of the solution?

It’s National Cyber Security Awareness Week, and the InfoSec industry is celebrating it in perhaps the only way it knows how… with a tsunami of studies and figures about the ominous threats flooding the internet.

There are numbers on everything, from facts about how many people actually change their passwords to titbits about how many consumers feel that using email is a security risk. Once again, the industry has measured it all. It’s not a new tactic. In fact, creative studies that draw curious, and sometimes plain obscene, conclusions are quickly becoming the norm when it comes to promoting the InfoSec sector.

But while the figures are everywhere, actual solutions to the problems highlighted are few and far between.

While the research serves a valuable purpose in measuring how cybercrime is trending, perhaps it's time to shift the focus from measurement to action.

Road rules for the internet

For Nigel Phair, the director of University of Canberra's Centre for Information Security, the solution lies in the online industry mirroring the metamorphosis of the car industry.

He explains that when cars were first invented, people drove them around without any concerns. There were no seatbelts and no road rules, just a belief that any problems would eventually sort themselves out.

But of course, that’s not what happened. Fatalities started to mount, studies were commissioned, and finally government had to intervene. Flash-forward to modern times and the roads are regulated to minimise accidents, and consumers now purchase cars based on their safety rating.

Don’t mistake Phair’s metaphor for a call for mass internet regulation. He’s suggesting that, just like road rules, there should be universal usage guidelines that people follow to stay safe. No-one would be punished for breaking the rules, but in doing so they would put their own security online at risk.

(Though, to keep the metaphor alive, Phair did quip that cyber-criminals could be treated like rogue P-platers and be put on some form of internet probation.)

The monster of all change

Jokes aside, Phair calls this shift the “monster of all change”, but adds that it’s necessary if we want to continue to reap the “productivity and social benefits” of the internet.

“We need people to invest more time, more effort and more money in every aspect,” Phair says. And he’s not alone in his sentiment.

National Australia Bank’s head of cyber security Nick Scott agrees that substantial investment of time and money is required to fuel this shift. And the flow of funds needs to be constant and sustained, rather than doled out as one-off cash injections.

Scott is hopeful that a change is already taking place in society. He says that everyday users are a lot more suspicious about links in emails from unknown people and handle them with care.

“Five years ago, people would have said: ‘what’s wrong with that’,” Scott says.

With user behaviour evolving, albeit slowly, Scott says that the next step needs to be a matter of building on that existing knowledge rather than starting from scratch.

Dangers evolving faster than the education

The one truism in the cloak-and-dagger world of cyber security is that the threats always evolve faster than any form of public education.

That's why Sourcefire’s Chris Wood reckons there will always be “lagging education” across society, raising doubts as to whether the public will ever be fully across everything they need to know to ensure their safety. However, Wood argues that as long as the systems in place to defend against these threats don’t lag as well, the delay is acceptable.

As for which areas require immediate attention, Wood says that is where the studies and the deluge of data released by vendors become useful, in that they highlight the areas where public knowledge is lacking.

Which brings us full circle, back to the deluge of numbers that hit Australia to mark National Cyber Security Awareness Week.

But Wood does concede that too much data can have some negative side effects. Firstly, too many studies dilute the relevance and impact of those that actually measure something worthwhile. And secondly, some use the claims raised by these reports to garner publicity rather than to actually contribute in a meaningful way to the efforts to educate the public.

Wood adds that the InfoSec industry isn’t the only sector guilty of using data as a PR stunt. And he does have a valid point there.

Perhaps the InfoSec sector could learn a thing or two from Australia's Transport Accident Commission, which has been using both studies and targeted marketing campaigns to change behaviour on our roads.

As things stand, it seems that the facts and figures are just another element of the overall cyber-security equation. However, given the sheer volume of studies thrown at the public on a daily basis, one can't help but think that in some way they're also part of the problem.