Apparently unrelated areas such as medicine and aviation have insights that infosec would do well to use.

One of the things I love about the world of information security is the way I find insights into it from apparently unconnected areas. My natural – some say morbid – interest in disasters, for instance, not from a voyeuristic perspective but an analytical one, has given me an appreciation of the complex ways apparently simple failures can interact.

So when I recently read two fascinating books by US surgeon and journalist, Atul Gawande, it was no surprise to find parallels in my own world. I had enjoyed his earlier book, Complications: A surgeon's notes on an imperfect science (Picador, 2002), during a brief hospital stay.

In Better: A surgeon's notes on performance (Picador, 2008), Gawande describes a number of ways that modern medicine has improved – just by modifying procedures. A topical case is the treatment of battlefield casualties in Iraq.

Despite huge improvements in medical technology, fatality rates for combat injuries had barely improved since World War II. Simple, detailed analysis of the specific causes of death in the field, combined with step-by-step procedural improvements, has now more than halved the fatality rate in the theatre of war; similar improvements are being implemented back in the civilian world.

With stricter, enforced handwashing regimes and appropriate triage (prioritisation) of patients with 'superbug' infections, many hospitals have seen great reductions in infection rates (if you think MRSA and C difficile are UK-only problems, think again). Equate handwashing with an equally simple infosec principle – say, 'not clicking links in email' – and you could see similar benefits in the infosec world.

In Gawande's latest book, Checklist Manifesto: How to get things right (Metropolitan Books, 2009), he tells the story of the implementation of a simple checklist by the World Health Organisation and its staggering effects on patient care. Even in well-funded US hospitals, adoption of a pre-surgical checklist has reduced serious complications by a third and halved the number of surgical deaths. That's a better improvement than almost any technological fix in the history of medicine.

The benefits of procedure over technology are highly relevant to the infosec world, where almost every new threat is countered by a new piece of software or hardware, with its associated costs. This is the easy 'black box' fix and, in some cases, it has merit.

However, in many cases, changing the way we do things might be a better (and cheaper) approach. Giving non-security staff input into risk analysis, for example, might seem heresy, but the Protection Poker (http://bit.ly/c4XMVO) scheme has shown that staff with little security expertise can make a valuable contribution.

Then there's the ever-hated topic of paperwork/record-keeping. IT people in general and security people in particular seem to loathe filling in metrics and the like, but without them it is impossible to perform decent analysis of the performance of security systems. As Gawande points out, combat medics in Iraq found the time to record statistics, without which no improvement would have been possible: still think you're too busy to do the same?

It is important to measure what's useful, though. This is even more so in computing, where it is trivially easy to generate huge amounts of accurate yet useless data.

Checklists have a pretty poor reputation in infosec. The 'ticking the boxes' approach to risk management is often derided as mere lip-service, but this is really a criticism of specific checklists, not of checklists in general. There's a very useful 'checklist for checklists' at www.projectcheck.org.

If checklists are used widely in complex areas such as aviation and medicine, they are certainly worth serious consideration for infosec.

I have had to oversimplify Gawande's outstanding work here. You can get his books from all good bookstores, check out his website at http://gawande.com, or view a recent Scientific American podcast by him at http://bit.ly/iKPdG. I am sure you won't be disappointed.