Articles, Papers and Presentations

Since setting up JLIS, I have written a large number of articles and papers.  These include reports written for IAAC (the Information Assurance Advisory Council), papers relating to TBSE, papers about how to use security data, and many others.  These can all be downloaded from this page.

Featured reports
In May 2014, the European Court of Justice issued a ruling on what is being called the "Right to be Forgotten".  This is an important personal right and the ECoJ has made it clear that Data Controllers are required to allow people to exercise it.  However, I do believe that the ruling exposes an imbalance in current Data Protection legislation that warrants renewed attention.  I also believe it raises the bar for all organisations that put people's personal data online, not just for search engine operators.  Here you can download a copy of the paper I wrote explaining my views.

In March 2010, the ICO released "The Privacy Dividend: the business case for investing in proactive privacy protection".  This is the report articulating the business case for protecting privacy that I wrote jointly with Colin Watson of Watson Hall.  You can download a copy here.

In May 2010, I wrote "A Guide to IT Security for Growing Businesses".  Written with the support of Symantec Hosted Services (formerly MessageLabs), this gives SMEs a security plan that fits their perspective, is appropriate to their needs and capabilities, and that grows with them as they grow.  You can download a copy of this three-part Guide from the MessageLabs web site or from here: Part 1; Part 2; Part 3.

IAAC Reports
I took over the running of IAAC's research programme towards the end of 2006.  After that, interest in IAAC and its workshops increased enormously.  I picked up IAAC's research on Identity Assurance and carried it through to completion in late 2008.  I then started IAAC's research on People-Centric Information Assurance (PCIA) and carried that through to completion in June 2011.  For both topics, I devised and set out the workshop programme, ran each of the workshops, developed the findings and wrote the reports.  All the reports are available from IAAC as well as from here.

Identity Assurance
Workshop Reports
♦  Report  In this workshop we explored the needs and concerns citizens have relating to national identity schemes.

♦  Report  In this workshop we explored what the UK Government could do to win the support of the citizen for national identity schemes.

♦  Report  In this workshop we explored 'Citizen Control', i.e. the citizen having the control they need within identity infrastructures so they feel adequately protected.  Citizen Control incorporates informed consent plus much more.

♦  Report  In this workshop we explored the development of a Digital Identity Governance Framework.  This is the type of governance framework that is needed if identity infrastructures are to find the right balance between the interests of those developing national-scale identity infrastructures and the interests of the citizens whose identities are being managed.

Concluding Report
♦  Report  This is the report I produced on the conclusion of our work on Identity Assurance.  I identified the main obstacles that had impeded progress on national identity schemes in the UK, suggested what was needed if these obstacles were to be overcome, and developed a roadmap of activities for the coming years.  This report was launched at an event hosted by Demos in February 2009.

♦  Report  A shortened version of the summary of the above report, for those too impatient to read the (only slightly longer) summary in the full report.

People-Centric Information Assurance
IAAC's first two PCIA workshops looked at the issues people have with the use of so much of their personal information within the digital society, and what sort of approach would be needed to start to address those issues.  In each of the third and fourth workshops, we took up one particular issue and explored it in greater depth.

♦  Report  The first of our PCIA workshops, exploring the nature of how people might use the systems and infrastructures of the digital society, the personal information people might provide about themselves, or gather and use about others, and the harms people might be caused.

♦  Report  The second workshop, exploring what should be done in response to the issues raised in the preceding workshop.

♦  Report  Generally, people do not object to providing personal information if it is relevant to the services they want to access.  However, there are limits to what people are prepared to accept.  In this workshop, we explored how processors of personal information, whether from the public or private sector, could stay within these limits and manage not to alienate people, acquiring and using the personal information they need whilst maintaining respect for the limits of people's tolerance.

♦  Report  This report looked across the first three PCIA workshops as a whole and brought the main messages together into one summary report.

♦  Report  The objective of this workshop was to explore how people feel about the sharing of their personal information, and to suggest what this might mean for the custodians of people's information when sharing requests are made to them.  The particular focus was on how public sector bodies can build and maintain the public’s confidence in their sharing decisions in those situations where sharing people's personal information might be in the public interest but potentially conflicts with the personal interest of the individuals concerned.

The second half of IAAC's PCIA work had the theme "Helping people fend for themselves online".  While government and industry work together to make the digital devices, networks and systems people use when online continually more trustworthy and secure, there will always be many aspects of personal online safety and security that people will need to take care of for themselves.  The goal of this series of four workshops was to understand which aspects of safety and security people need to take care of for themselves and what it is that government, industry and other actors can do to help them take those responsibilities on.

♦  Report  The first of these four workshops looked at what can be expected from the providers of the commodity digital products people use such as PCs and smart phones.  Understanding industry’s view of what it needs to do to keep its products adequately trustworthy and secure helps us to understand the challenges left for people to deal with.

♦  Report  The second workshop looked at the role of Government.  Understanding the government’s view of its role and responsibilities for facilitating a safe, secure and trustworthy digital environment for people to live within helps us understand more about the challenges left for people to deal with.

♦  Report  The third workshop looked at people’s expectations and attitudes regarding online safety and security, and at how this marries up with the challenges and issues they face.

♦  Report  The fourth and last workshop looked at what government, industry and others can do to set people’s understanding and expectations so they can fend for themselves online as fully, simply and conveniently as can be.

TBSE-related papers
♦  Paper  This paper appeared in Computers & Security in 2003 (Vol 22, Issue 6, Sept 2003).  It talks about how to think of Information Security as an engineering subject rather than a craft (or dark art), and hints at some of the benefits this could lead to.

♦  Paper  This paper appeared in Computers & Security in 2004 (Vol 23, Issue 1, Feb 2004) and follows on from the preceding paper.  If security is to be an engineering discipline, we will need to develop the analytical methods that allow security systems to be built according to engineering principles.  This paper presents TBSE as just such an engineering method, and expands on some of the benefits that TBSE can provide.

♦  Presentation  This is a presentation I gave to the BCS ISSG Annual Conference in March 2004.  It talks about how to model security risk in a non-deterministic manner and how security could be turned into an engineering discipline.

♦  Presentation  This is a presentation given to the ISACA London Chapter in September 2004.  It talks about how to think of security as an engineering subject and shows some early TBSE results.

♦  Paper  This was written for the first international conference on (security) Quality of Protection.  It introduces TBSE as a stochastic risk modelling technique and shows some of TBSE’s early results.  It shows how TBSE can be used to forecast risk in objective numerical form as a direct function of the measured threat profile and countermeasure settings.  It shows how security engineers could design security solutions that provably meet stated protection targets, and technical managers could perform cost/benefit analyses of proposed security measures.

The use of security data

The Accuracy Project is a project I undertook with MessageLabs in 2008/9 in which we analysed the huge volume of data MessageLabs generated within its malware detection systems.  The purpose of the project was to show objectively, i.e. based on hard data gathered according to a scientifically-designed fair test, how good or bad the MessageLabs hosted e-mail service was at protecting customers from harmful malware.  We developed two side-by-side tests.  The first pitched the MessageLabs service against the best a customer could achieve using commercial AV products they ran themselves.  The second pitched the MessageLabs service against the equivalent service from Google (following Google's purchase of Postini).

We showed, in real objective terms, the malware risk a customer would face under each of the three options.  The malware risk is the probability, calculated as an actual percentage likelihood per month or per year, of a customer suffering a serious harmful malware incident.  We calculated this risk for the MessageLabs service, the Google/Postini service and for customers running their own commercial AV products.  We then (using published ISBS 08 incident cost data) showed what the customer could expect that level of risk to cost them in terms of annualised clean-up costs and lost business.  The annual incident cost differential between MessageLabs and the other options is then the absolute security benefit provided by the MessageLabs service over those other options.  This cost differential could then be used to offset any price differential customers might see between the MessageLabs service and the other approaches on offer.

♦  Presentation  This is a presentation I gave to a select group of MessageLabs customers in London in December 2008 showing the results from the first half of the Accuracy Project.  This part of the project compared the security effectiveness of the MessageLabs hosted e-mail service to the best that an organisation could achieve using commercial AV products it ran itself.  The data showed that the MessageLabs service was astoundingly good at blocking malware.  It also demonstrated that it was possible to put a real number to security effectiveness and to convert that number into a pounds and pence figure for the security savings each security option provides.  That pounds and pence figure enabled us to determine the security benefits the MessageLabs hosted e-mail service provides to its customers.

♦  Report  The second part of the Accuracy Project compared the MessageLabs hosted e-mail service to the equivalent service from Google/Postini.  The data showed that MessageLabs was very much better than Google at protecting clients from harmful malware, and allowed us to put a pounds and pence value on the relative security benefit provided by MessageLabs.  This paper showed the results for large customers.

♦  Report  This version of the above report gave the results for small customers.

♦  Report  To show that the Accuracy Project results were indeed fair and unbiased, and that the risk calculations I performed were correct, we asked the University of London (Royal Holloway College) to undertake an independent review of the methodology I had used.  The review concluded that the design of the tests was fair and that the results did correctly substantiate that the MessageLabs hosted e-mail service offered significantly superior performance both to commercial AV products and to the equivalent Google service.

I wrote a series of three papers for Datawatch, the ISACA London Chapter journal, talking about how to get the best out of the security data available within companies.  The series posits that most security professionals would be able to get much more value out of the security data available to them if they had some guidance on how to unlock the security insights stored within it.

♦  Paper  The first paper in the series.  This paper talks about how to use incident data to create incident profiles that provide deeper insights into which countermeasures are and aren't working.

♦  Paper  The second in the series.  This paper talks about how to measure threats so they give meaningful guidance as to where security effort needs to go.

♦  Paper  The third in the series.  This paper talks about how compliance results can be fashioned into a powerful tool to generate meaningful discussion of security risks and to motivate risk owners to make the security improvements compliance results show are needed.

Other papers
♦  Paper  A critique of the DTI's Information Security Breaches Surveys.  The Information Security Breaches Surveys are amongst the most quoted surveys in the UK on the security problems companies suffer from and the security controls they do or don't apply.  These surveys might make interesting reading but they give very little actionable information for companies wanting to understand the risks they face and to improve their security postures.  This paper explains what the surveys are missing in the hope that future surveys could be made more useful.

♦  Paper  This article on how to improve the security behaviour of users first appeared in Computers & Security in 2004 (Vol 22, Issue 8, Dec 2003).  It talks about how to influence users' security behaviours for the better.  The internal threat is predominantly the result of poor user security behaviour.  Yet, so many Security Awareness programmes seem designed to put users to sleep.  This article discusses the influences that affect a user’s security behaviour and outlines how a structured approach that focuses on improving those behaviours could be an excellent way to take some of the security slack out of an organisation and achieve a high return for a modest, low-risk investment.

I will add further articles and papers from time to time, so please do check back.