Channel: Enterprise IT Strategy

Information Security 101: When is an asset “secure”?


When teaching basic concepts of information security, I think it's helpful to start by discussing what the term “secure” means in this context. To make this easier, I defer addressing the difficult challenges of securing complex IT infrastructure or applications and instead start with something far simpler. For example, I show students three photographs of a bicycle.

The first photograph is of a sleek, modern gold bicycle that is handcuffed to the wrist of a uniformed, muscular security guard in a busy public square. I ask the students, “is this bicycle secure?” Most students immediately say yes because they believe that the bike would never be stolen with that level of protection. However, when I ask whether the guard could be overpowered by a group of heavily armed criminals equipped with bolt cutters, many change their answer. When I add that the bicycle is owned by Bill Gates and its value represents only a 1 billionth of his net worth, some students change their answer yet again.

The second photograph is of a typical bicycle attached to an ordinary bike rack using a standard cable lock. The bicycle is located in a prominent common area on a university campus. I again ask the students, “is this bicycle secure?” Of the students that raise their hands, half say yes, while the other half disagree. The students that believe the bicycle is secure see the lock and the thick metal bars of the bike rack, and assume that people walking around the area will serve as a deterrent to a thief. The students that say the bike is not secure point out that the lock cable could be cut, perhaps late at night when the campus is vacated.

The third photograph is of a badly rusted bicycle leaning against a deteriorating fence. There is no lock or any other device visible that would restrain the bicycle from being moved. Again I ask the question, “is this bicycle secure?” Some students comment immediately that the bicycle is certainly secure, since no one would bother stealing a bike in such a decrepit condition. I then add that the photo was taken in a poor rural region within Sri Lanka. I add that the owner saved up most of his meagre salary for 18 months to purchase the bicycle, and that he uses it to transport small parcels for a fee, which is the only way he can afford to feed himself and his family. With this additional information, the students cannot agree whether the bicycle is secure or not.

The point of the exercise is to show that many factors must be considered to determine whether an asset is “secure”. Some of these are:

1) the inherent threat environment, which can change (number/type of attackers, new vulnerabilities)
2) the existing controls (lock) to prevent the adverse event (theft)
3) the impact to the owner of the adverse event (he simply buys another bicycle versus starving to death)
4) the amount of risk that the owner is willing to tolerate

This allows me to segue into the next topic, IT risk management.


