Business Daily from THE HINDU group of publications
Monday, Feb 02, 2009
Columns - Books 2 Byte
Switch to security metric scorecards

Some updates for security managers.

D. Murali

Your pick this week.

Security managers are increasingly turning to security metric scorecards, hoping to produce business cases for spending and to drive accountability outward to business units, writes Nina Godbole in Information Systems Security (www.wileyindia.com). She explains how these scorecards identify key risks within the organisation, target remediation/mitigation action, measure internal compliance with organisational policy, discover internal process breakdown, and take advantage of security-related sunk costs.

In the past, the effectiveness of security spending was judged by soft measurement factors such as the size of the security staff relative to the annual budget, or the speed of resolution or patching in response to new vulnerabilities or viruses, the author narrates. “This left a large gap, because it did not demonstrate cost savings of preventing digital attacks. The method was reactive, and not quantifiable.”

There are, however, challenges to any organisational security metrics programme, Godbole cautions. Typical challenges include the lack of correlation of data to specific business units, leaky processes that allow multiple paths to the same result, and change in controls during the measurement period.

Also, ‘data owners’ may be reluctant to share their data owing to perceived sensitivity, territoriality, and insecurity. “Another common challenge faced in assessing data’s metric relevance is that control operators often collect only tactical data. This is common with technical controls, such as firewalls, IDS and system process monitors; these controls produce so much data that without pruning or summarisation, storage becomes problematic.”

The author observes that when data owners prune, summarise or discard the fields that make their data suitable for metric generation, “we risk being unable to report behaviour related to these controls on the business unit scorecard.”
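The pruning problem Godbole describes is easy to reproduce on a small scale. The following is an added example written for this column, not code from the book: it takes a handful of constructed firewall and IDS lines (the key=value layout, hosts, business-unit names and signature names are all invented for illustration), maps each event to a business unit through a hypothetical asset inventory, and builds a per-unit scorecard. A second pruning routine shows what happens when the operator discards the source and destination fields to save storage: every event becomes unattributable and the business-unit scorecard is empty.

```python
import re
from collections import Counter, defaultdict

# Constructed asset inventory (hypothetical hosts and business units). This is
# the host-to-business-unit correlation Godbole says is typically missing.
ASSET_OWNERS = {
    "10.1.1.20": "Finance",
    "10.1.1.21": "Finance",
    "10.2.5.7": "Retail",
    "10.9.0.3": "HR",
}

# Constructed firewall/IDS events in a simple key=value style; not real vendor output.
RAW_EVENTS = [
    "2009-01-12T02:14:07Z fw action=DENY src=203.0.113.9 dst=10.1.1.20 dport=445 policy=block-smb-inbound",
    "2009-01-12T02:14:09Z fw action=DENY src=203.0.113.9 dst=10.1.1.21 dport=445 policy=block-smb-inbound",
    "2009-01-12T03:01:44Z ids sig=SCAN_Nmap severity=low src=198.51.100.4 dst=10.2.5.7",
    "2009-01-12T03:20:10Z fw action=ALLOW src=10.9.0.3 dst=192.0.2.77 dport=22 policy=outbound-ssh-exception",
    "2009-01-12T04:45:00Z ids sig=MALWARE_Beacon severity=high src=10.9.0.3 dst=192.0.2.77",
    "2009-01-12T05:10:31Z fw action=DENY src=203.0.113.50 dst=10.7.7.7 dport=3389 policy=block-rdp-inbound",
]

KV = re.compile(r"(\w+)=(\S+)")

# Fields that make an event usable for metrics. src/dst are the only link back
# to an asset, and therefore to a business unit; policy/sig/severity say what
# control fired and how badly.
METRIC_FIELDS = ("ts", "source", "action", "policy", "sig", "severity", "src", "dst")


def parse_event(line):
    """Split '<timestamp> <source> k=v k=v ...' into a flat dict."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    fields["source"] = source
    return fields


def prune_for_storage(event):
    """Summarise to metric-relevant fields only (drops e.g. dport)."""
    return {k: v for k, v in event.items() if k in METRIC_FIELDS}


def lossy_prune(event):
    """What a storage-conscious operator might keep: counts by action/signature,
    with the asset addresses and the policy name thrown away."""
    return {k: v for k, v in event.items() if k in ("ts", "source", "action", "sig", "severity")}


def owner_of(event, owners):
    """Attribute an event to the business unit owning the internal asset involved."""
    for key in ("dst", "src"):
        bu = owners.get(event.get(key))
        if bu:
            return bu
    return "Unattributed"


def build_scorecard(lines, owners=ASSET_OWNERS, prune=prune_for_storage):
    """Per-business-unit metrics from tactical events, after the given pruning step."""
    card = defaultdict(Counter)
    for line in lines:
        ev = prune(parse_event(line))
        bu = owner_of(ev, owners)
        card[bu]["events"] += 1
        if ev.get("action") == "DENY":
            card[bu]["blocked_by_policy"] += 1
        if ev.get("policy", "").endswith("-exception"):
            card[bu]["policy_exceptions_used"] += 1
        if "sig" in ev:
            card[bu]["ids_alerts_" + ev.get("severity", "unknown")] += 1
    return {bu: dict(c) for bu, c in card.items()}


def attribution_rate(card):
    """Fraction of events that could be tied to a business unit at all."""
    total = sum(c["events"] for c in card.values())
    unattributed = card.get("Unattributed", {}).get("events", 0)
    return (total - unattributed) / total if total else 0.0


if __name__ == "__main__":
    for label, prune in (("metric-preserving prune", prune_for_storage), ("lossy prune", lossy_prune)):
        card = build_scorecard(RAW_EVENTS, prune=prune)
        print(label, "attribution rate:", round(attribution_rate(card), 3))
        for bu, metrics in sorted(card.items()):
            print("  ", bu, metrics)
```

With the metric-preserving prune, five of the six events land on a business unit (Finance, Retail, HR) and one on an unattributed host; the attribution rate is itself a useful scorecard figure, since it measures how incomplete the asset inventory is. With the lossy prune the same six events all fall into Unattributed and the policy-exception count disappears, which is exactly the behaviour Godbole warns can no longer be reported once data owners summarise the wrong fields.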

Recommended addition to the security professionals’ shelf.

Role of security awareness

Statistically, India seems to have fared better than the global average in preventing security-related incidents, finds a recent survey of information security. In the last one year, only 17 per cent of the respondents were unaware of any security incidents and breaches as against a global benchmark of 40 per cent; also, 46 per cent of the Indian organisations reported that there have not been any security incidents in the last one year against the global 22 per cent.

So notes From Strength to Strength (www.pwc.com/India), even while hastening to add that these numbers should not be a reason for complacency, “as organisations reporting no negative security incidents may not have adequate processes or awareness for detecting or reporting incidents.”

Okay, where do organisations get information about incidents? Nearly a half of the respondents detected incidents from server or firewall logs, the report informs. “Incidents reported by colleagues or employees were the second-most common way of unearthing an incident. In contrast, automated tools, such as intrusion detection systems, came only third.”

This highlights the fact that security awareness plays an important role in not only preventing but also detecting security incidents, the report’s authors infer.

Valuable insights.

Forensic challenge

The advent of computers heralded a new age for many forensic sciences, and among the first to utilise the technology was the science of fingerprints, writes Max M. Houck in Forensic Science: Modern methods of solving crime (www.macmillanindia.com). “Capturing, storing, searching, and retrieving fingerprints via computer is now a standard practice among police agencies and forensic science laboratories,” he adds.

The book describes AFIS (pronounced ‘AYE-fis’), the automated fingerprint identification system, as a computerised database of digitised fingerprints that is searchable through software.

“An AFIS can store millions of prints which can be searched in a matter of minutes by a single operator. The core of this electronic system is a standard format developed by the FBI and the National Institute of Standards and Technology (NIST), which provides for the conversion of fingerprints into electronic data and their subsequent exchange via telecommunications and computers.”

Houck rues that, despite the data format being a standard, the software and computers that operate AFIS are not, with several vendors offering products to law enforcement and forensic science agencies. Going forward, therefore, interoperability will be a key challenge facing forensic practitioners.

Prescribed study.

Mobile developer stuff

Where does the true developer stuff start for an engineer aspiring to be a Sun Certified Mobile Application Developer? In ‘The MIDlet,’ say Ko Ko Naing, Sathya Srinivasan, Chad Davis, and Sivasundaram Umapathy in SCMAD Exam Guide: Exam CX-310-110 (www.tatamcgrawhill.com).

“If a configuration is like the skeleton of the human body, the profile forms the rest of the body — the skin, muscles and so on. Following this analogy, sunglasses, tattoos and jewellery would translate to Bluetooth support, video capture and other technological bling — the optional packages,” the authors begin, in a chapter that shows ‘how to actually write applications for mobile phones.’

They define MIDlets as high-level conceptual applications closely parallel to Java servlets and applets.

“These applications do not contain main method entry points like the lower level applications. These higher level applications are executed by being deployed in some other lower level application, such as a servlet container or a JRE plug-in.”

Right pick for the avid techie.

Whirring through combinations

You are one of those nameless shoppers. Is there something that researchers can learn about you? Plenty, says Stephen Baker in The Numerati: How they’ll get my number and yours (www.landmarkonthenet.com). “By the patterns of your purchases, and the amount you spend week after week, they can see if you’re on a budget. They can calculate your spending limit. If they add some semantic tags to the data, they can draw other conclusions.”

What conclusions? Such as the inference that you are on a diet from your buying of skim milk or miracle milkshakes, or that you are in a celebratory mood. Researchers can also score each shopper’s brand loyalty.

The author cites Accenture’s findings that shoppers forget an average of 11 per cent of the items they intend to buy. “If stores can effectively remind us of what we want, it means fewer midnight runs to the convenience store for us and more sales for them.”

Baker sees the possibility of randomised experiments with shoppers, driven by data-mining algorithms, and computers whirring through our purchases and looking at billions of combinations.

“Just as they’ve helped medical researchers find genetic markers pointing to certain types of breast cancer and Huntington’s disease, they might tell grocers what kinds of fruit to promote to buyers of canned food or what types of magazines dog-food buyers tend to read.”

Gripping narrative.

dmurali@thehindu.co.in

Tailpiece

“When users began complaining of suspected ghost employees using their terminals past midnight…”

“You launched a company-wide headcount?”

“Plus, we included a psychiatrist in the systems support team!”

Copyright © 2009, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line