Group items tagged

In his State of the Union address, President Obama announced that he had signed an executive order (EO) on cybersecurity. The order uses a standard-setting approach to improve cybersecurity. However, such a model will only impose costs, encourage compliance over security, keep the U.S. tied to past threats, and threaten innovation. While the EO does take some positive steps in the area of information sharing, these steps are hamstrung by the EO's inability to provide critical incentives such as liability protection. As a result, this order could result in few modest changes, or it could result in substantial negative effects. The Scope of the Order The EO uses a very broad definition of critical infrastructure, defining it as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Such a broad definition could be understood to include systems normally considered outside the cybersecurity conversation, such as agriculture. While there is no way of knowing how far implementation will actually go, this broad definition is certainly concerning. Inhibited Information Sharing In Section 4, the EO attempts to expand information sharing in several noteworthy ways. It calls for the federal government to quickly move unclassified information to the private sector and increase the number of security clearances given to appropriate owners of covered infrastructure. Additionally, the EO expands already existing information-sharing systems such as the Defense Industrial Base (DIB) Enhanced Cyber Services and Cyber Security/Information Assurance Program. These objectives are worthwhile, and the President should be applauded for including them.

i would like to thank you for the efforts you have made in writing this article. thanks for your blog, big help.

"We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever," Schneier writes in a wonderfully entertaining blog post. "And people are forever ignoring the lessons. One basic reason is psychological: we just aren't very good at trading off immediate gratification for long-term benefit. A healthier you is an abstract eventually; sitting in front of the television all afternoon with a McDonald's Super Monster Meal sounds really good right now." "Similarly, computer security is an abstract benefit that gets in the way of enjoying the internet. Good practices might protect me from a theoretical attack at some time in the future, but they're a lot of bother right now and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy; no one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: security is never salient." Schneier expands his ideas by looking at areas where awareness training or education initiatives work (driving, HIV prevention) and where they fail (training the general public to wash their hands, make drug decisions at a pharmacy, food safety). He summarises the obstacles in the path of effective security training. "The threats change constantly, the likelihood of failure is low, and there is enough complexity that it's hard for people to understand how to connect their behavior to eventual outcomes. So they turn to folk remedies that, while simple, don't really address the threats. "We should stop trying to teach expertise, and pick a few simple metaphors of security and train people to make decisions using those metaphors," Schneier concludes, adding that another problem is that "computer security is often only as strong as the weakest link". Read more: http://www.theregister.co.uk/2013/04/23/security_awareness_training/ Video Related: http://www.dailymotion.com/video/xzbyhi_compute

this subject is a lot interesting, it would help you so much.