Relative Impact of IT Security Issues

Posted by Tom Fuller in Blindside project, Humanity nature and activity, Uncategorized at June 25th, 2007

Hi all,

I have been working on our wiki of late, specifically trying to assess the impact of IT security issues in different areas relative to each other. The purpose is to try and prioritize the need for action and commitment of resources, so it’s rather important.

I have a healthy ego and sublime confidence in my own abilities, but as my wife beat me at trivia last night and got a better score on Nintendo’s brain trainer, it might not be altogether a bad thing if I received a second or even a third opinion on some of this. That second or third opinion is, after all, why we are doing this.

Here are three examples. There are about 40 more on the wiki. How did I do?

Electronic Banking

We assign this an Impact Level of 1, our lowest level, as a large field of banks and commercial suppliers of information systems to banks will produce competitive pressure and ample incentive to address direct and indirect information issues, and the existence of a robust offline alternative to online banking lessens the potential impact of catastrophic failure of data systems. The existence of multiple regulatory bodies provides additional protection. We assign this a Maturity Level of 1, as the offerings of online banks are still rudimentary (essentially replicating what can be found at a branch) and the technology driving both threat and response is quickly evolving.

Human Rights (intersection with technology)

Both technology and IT security can be used to protect or threaten human rights–often the same tools or procedures can be used for either end. A typical example would be the human rights effects surrounding e-Voting, where increase in access to a service for many is in apparent conflict with the potential for abuse. Human rights issues related to technology are normally identified very quickly and follow a pattern that all too often ends in clearly identified political positions in full-scale conflict with each other. Hence this assessment focuses on the politics of human rights and technology.

We estimate the Impact Level at 3, due to the apparently unresolvable conflict between those who feel that identity is personal property inviolate and those who feel it is state-owned and controlled. Both those positions are at the far end of a spectrum of attitudes towards identity and its role in the state and its importance to all other human rights.

Champions of the position that the state should be prevented from, or severely limited in, collecting, storing and deciding how to use identity information are arguing loudly and often eloquently about the threat to human rights posed by large-scale IT projects proposed and being implemented by UK government. Some of these champions are writing here at Blindside. However, their political power is small at present, and their opinions are not shared by a majority of the public. Nonetheless, this issue is highly likely to be decided after implementation in the court system, and these champions are creating a body of work that could possibly lead a court to impose limitations on data collection and usage post implementation.

Receiving less attention at the moment from human rights campaigners are other technologies that are impinging, or potentially could impinge, on human rights. Should political activism begin in these areas, the current generation of judges may well sympathize with rights-based arguments regarding CCTV, location-based services, universal access issues, etc. Political activists may well be joined by specific groups regarding specific technologies, such as groups concerned with disabilities demanding that technology be used to provide access to information and/or the real world.

The groups exist in abundance, but they are not particularly strong, nor are they well-networked or actively co-operating at present. Hence, we assign this a Maturity Level of 2.

Spam

Impact and Maturity Level
We assign this an Impact Level of 1, our lowest level, as mechanisms for successfully combating spam exist at the individual, organisational, ISP and backbone level, and industry trade groups and regulatory bodies have institutionalised the fight against spam. The principal information assurance concern is when the volume of spam becomes so great as to constitute an unintentional denial of service campaign. We assign this a Maturity Level of 3, our highest level, as the large number of spammers and their opponents indicates that this issue is mature.

Spamming is economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge. Spamming is widely reviled, and has been the subject of legislation in many jurisdictions.

Contributors to the Blindside wiki and blog should note their input forms part of a collaborative resource that is Creative Commons (by-sa 2.5) licensed. We hope these resources will be reused and remixed in the public interest. You do not need to seek permission before you re-use our works, although we do require that users attribute Blindside as their source, and license the resulting work under the same terms.