What are the advantages and disadvantages of blending digital + physical security


#1

First things first: I am not an expert in any of those fields but I am interested in information security, although I am a poor practitioner (didn’t I use my professional email address to register to Huridocs? :blush: )

A. It seems to me that physical security is naturally enforced on an individual level by the person themselves. In general, people do care and try not to put themselves in risky situations when it comes to their own personae. But when it comes to digital security, the picture is vastly different: they tend to have no ability to apply even the simplest defensive mechanisms; they completely surrender their trust to their machine (“My machine is secure enough, it is made by XXX”); or they even consciously undermine their own security (“Hahah, I am using a weak password and it worked”).

How can holistic security help to make the user more conscious and start to also enforce a kind of digital security? Or should it be used this way?

B. Digital security is already a concept that is hard to swallow (but “thanks” to WannaCry and the like, it seems that people are starting to slowly get it).

Is there any disadvantage in trying to blend digital and physical security into another concept?

C. The digital world is a place with its own laws, and sometimes it just vastly differs from the real world to the point it is hard to make any meaningful analogies.

Are there any instances or examples where we shouldn’t mix digital and physical security? Where do the two concepts not overlap?


#2

Hi there Lucy,

No doubt this will be touched on more tomorrow when we have our webinar on Holistic Security. A few brief thoughts that occur to me in response to what you say here…

A. It seems to me that physical security is naturally enforced on an individual level by the person themselves. In general, people do care and try not to put themselves in risky situations when it comes to their own personae.

Well, to some extent, sure. Through our evolution, we all developed an instinct for our protection. Moreover, it’s something that on an ‘everyday’ level we have a great capacity for analysing and taking decisions on. All the same - it’s important to keep in mind that it’s still a question of our perception, and our perception can be challenged by a number of factors. This is certainly the case with digital security.

How can holistic security help to make the user more conscious and start to also enforce a kind of digital security? Or should it be used this way?

Of course, I think it can and should. People don’t usually respond very well to “just do this (insert good digital security practice) because I, an expert/trainer/whatever, have told you to”. It’s very important to highlight the inter-relatedness between digital security, physical security, the legal/administrative aspects, and indeed the psycho-social aspect. Especially if you can facilitate people coming to their own understanding of this, in their context. In my experience, people respond very well to this.

Another approach which tends to help in my experience is to politicise the issue of digital security. This is something that the ‘cyber-feminist’ movement has done extremely well, among others. That is: highlight the relationships between the state of the technology industry, digital surveillance etc., and the broader oppressive structures against which HRDs are battling.

I think, for example, if you try to ‘force it’ too much or aren’t clear, it can confuse people even more. Or the classic of using scare tactics, that can have a very negative impact. But that’s more about how you do it – not whether or not you should.

That’s very interesting. There might well be, but I don’t know of any. It would be interesting to explore. For sure, the search for the best analogies continues…

All the best,
Daniel


#3

Hi, Sergey here :slight_smile:

physical security is naturally being enforced on an individual level by the person itself

NGOs and media groups are also our target audience. It’s common that there are physical security issues not related to any particular member of a collective. A simple example: there are working places and computers and people who’re responsible for them. However, there’s an old desktop resting somewhere in a corner; it has no owner and no one is responsible for it. Moreover, people tend to see it as a bulky piece of metal, a physical thing, not a container for any data (anymore). While other (newer) computers are protected, this old one is not. When the police come and grab all the hardware (or someone breaks down the door and steals all the stuff deep at night) this old data storage can become the weakest spot in the whole organizational security system. See, it’s physical + digital security = it’s holistic security. Is this forgotten piece of metal valuable to anyone? You? And you? And you? Probably not. “Come on, here’s my laptop and that old computer is something I have no relation to”. Is there any digital risk? Yes, and it could be really high. “Look, there’s an old version of your database with personal data, and (sadly) a bunch of “pirated” copies of software, and this may cost your organization (here we add legal issues to our holistic security arguments), say, a $5,000 fine and your director may be imprisoned for 2 years” - “Oh, wait, we need to do something about this problem urgently!” This is how holistic security can motivate people in rather difficult cases when a single approach (physical security) doesn’t work well.


#4

How can holistic security help to make the user more conscious

For example, changing the settings of a Facebook account is a digital security thing. However, the reason for making these changes may also relate to physical, legal and psychological security. For instance: “You better not give everyone permission to post on your chronicle; someone may post something illegal/offensive there and you will face legal charges”.

Or: “If you allow everyone to comment on your posts there’s a good chance that you will spend much more time online fighting with anonymous offensive users; you will be in a situation of stress all the time and this will influence your ability to do your job - so allow commenting for your friends only”.

Is there any disadvantage in trying to blend digital and physical security into another concept?

Probably there’s a holistic security concept only. What we do sometimes is that we ignore parts of it and talk about its digital (psychological, legal, physical) side only.

We can play a game: imagine a security incident and try to find how many sides it may have (with direct possible consequences). Let’s try to find “a purely digital” case for example.