Information security, very broadly, concerns itself with three main principles:
- Confidentiality – information is only available on a need to know basis.
- Integrity – the information, when accessed, is accurate and has not been tampered with.
- Availability – the information is available to access when needed.
Confidentiality is a good place to start because that’s probably the most common way of framing discussions about security: hacks, breaches, leaks, etc. tend to be talked about as bad people getting information that they’re not supposed to have. But this is an overly simplistic view.
Identity theft is definitely a failure of confidentiality – your social security number and credit card numbers were supposed to stay secret but didn’t. But they’re also failures of integrity – a stolen identity means that your credit history is no longer accurate, thus the importance of reacting quickly when it occurs. And to do this, putting a credit freeze maintains that integrity by reigning in the availability of your credit so that it can’t be abused for financial gain.
These are important distinctions to make because what you think it valuable about a particular resource isn’t necessarily what an attacker might consider valuable. So figuring out what you need to protect depends just as much on the context as the content.
The reason why major data breaches have started with email phishing attacks is not because attackers expect email accounts to contain confidential information, although some do. It is because you can use those email accounts to impersonate a legitimate employee or customer and use that to escalate your attack. So while many people probably think of email security as a confidentiality issue, it is also just as much an issue of the integrity of your communications.
Encryption is often used to preserve both confidentiality and integrity of data – not just to keep it secret but to make sure it doesn’t get tampered with. But while encryption is definitely effective for that task, it doesn’t help you if the encrypted data is simply taken away from you. Ransomware is another good example of this type of thinking at work. So is this.
In addition to affecting the valuation of our information, keeping in mind all three security principles is also useful in protecting you from shooting yourself in the foot. Don’t just encrypt something for the sake of encrypting it because you might find yourself locked out later on. You have absolute confidentiality but had to pay for it in zero availability. Likewise, you might want to upload all of your files to the cloud so it can be available anywhere, but you might be making a trade-off in confidentiality.
Regular email communication is simple and quick, making it very available. You already know that email lacks confidentiality but it’s also easy to forge emails, which means it lacks integrity as well. The value of your personal information, even stuff that comes up in casual conversations with people you barely know, can change dramatically if the person you’re talking to isn’t really the person you’re talking to.
When it comes down to the “what” of what you want to secure, don’t just think in terms of information to keep confidential. Integrity is about making sure the information you act on is accurate (ie, don’t trust everything you see on the Internet) as well as not allowing your reputation and relationships online to be subverted for malicious use (ie, don’t be the person who fell for the phishing email and got all of their friends infected with malware). And as for availability, there are some exceptions but I tend to find that anything valuable enough to be worth securing loses its value if I no longer have access to it.
Days Gone Bye
Last year I did an episode of BiblioLab because, as everyone always says to me, I’ve got a face for radio.
And Another Thing
Human beings are bad at assessing risks. It turns out, our brains just aren’t wired right. Risk assessment is a horribly complex thing precisely because it needs to work around the way our brains have evolved (or, rather, haven’t evolved). People make bad decisions all the time and people smarter and better-educated than you have made lots of horrible decisions.
The real skill isn’t so much in getting it right all the time (because you won’t) but by developing a better thought process that enables you to get it right more often than not.