[Margaret Ford] Educator and certifier of info-security professionals (ISC)² has just published a report on the online activities of primary school children, as part of its Safe and Secure Online programme. According to the report (available to its members at www.isc2.org.uk), 18% of 9-11 year olds have met up in person with a stranger they have met online. More worryingly, 50% of these went alone. The report was published as part of National Cyber Security Awareness Month, celebrating its tenth anniversary this year.
A significant number of children have admitted to lying about their age in order to access popular social media sites such as Facebook. Having spent some time recently discussing online safety with 10 year olds at a local primary school, I have found that many of the children “know someone” who has an account on Facebook, despite the account holder being well below the official minimum age of 13.
Apart from propagating some kind of digital ‘green cross code’, it can be hard to know how to approach e-safety with this age group. Many outstrip their parents in technical knowledge, and are naturally intensely curious. One approach may be to help them to build their own strategies for dealing with potentially risky situations. Materials such as videos and games can be used to encourage the children to express their concerns and work together to find ways to protect themselves online.
As part of the EU-funded TREsPASS project, Consult Hyperion is involved in exploring these same issues of trust, sharing and risk exposure at organisational, national and international levels. In the TREsPASS context, this involves the development of modelling formalisms and identification of practical ways to share risk information, to provide as much value as possible to the recipients, without overexposure of the originating organisation.
At present, the sharing of risk information is far from uniform: bilateral arrangements between organisations, governed by NDA, appear to be the norm. Multilateral sharing has evolved in some industries, especially those which involve Critical National Infrastructure and those which are heavily regulated – telecoms is an example of this. Before any meaningful sharing of risk data can take place, a sound structure for sharing has to be in place.
A key element mentioned at a recent meeting of the EU NIS working group on information exchange and incident co-ordination is the need for a common view of normality. In cyber security, as in many other fields, this can in fact be very subjective and vary by sector, size of organisation and organisational culture. Where one company might regard repeated attacks as ‘business as usual’, another might regard those same incidents as a reason to invoke crisis management.
In order to find common ground, it is helpful to start with a common vocabulary. The FAIR taxonomy adopted by The Open Group provides a valuable structure for describing the range of risk concepts. We presented with fellow TREsPASS partner BizzDesign this week at the Open Group Conference in London, showing how the ArchiMate Enterprise Architecture tool could be extended to support risk modelling with reference to a practical case study. As a socio-technical project, TREsPASS is investigating complex social and organisational environments together with technical elements of risk.
Interesting announcements at the Open Group event included the launch of the Open FAIR Certification for risk professionals, based around the newly published updates to the FAIR risk taxonomy and risk analysis standards.
Over the course of the project, TREsPASS will produce a range of tools to support risk modelling and visualisation at enterprise level. It will also develop a risk toolkit tailored specifically to the needs of SMEs, taking into account their unique requirements and essential role in the European economy.
Keep an eye on this blog for further developments from TREsPASS as well as our involvement with this EU project.