Posted by George Huhn on Sun, Mar 28, 2010 @ 08:29 PM

I do a lot of work in industries where there is a tremendous amount of proprietary and confidential information passed around in mountains of documents. It is the type of information that might help a competitor tremendously to shorten their development and cycle times considerably.
So, you’d think that these companies would be among the first to use encrypted electronic communications, but you’d be wrong. Until last week, I had not received an encrypted document from a single client or ever been asked about encrypting the data that they provided to me on my business computers (I do anyway). I have been in places where the companies have been extremely careful about controlling their paper documentation, but seemingly oblivious to the risks of sending those very same documents out in e-mails without any encryption or password protection.
So I must say that I was delighted to receive an e-mail from a contractor who had actually encrypted and password-protected the document attached to it. They even knew that they shouldn’t send the password and the document together in the same e-mail. That’s progress!
The failure to use even the most basic document protection when sending sensitive documents by e-mail is a fundamental security risk to these companies. Perhaps the reasons they don’t do it are the effort that would be required of the IT department to develop and enforce a policy around securing documents sent by e-mail, the belief that a security breach due to interception of a proprietary document “won’t happen to them,” and the inconvenience of applying the security layer to each e-mail.
I wonder if they have ever done a cost risk analysis for implementing such a procedure. It would be an interesting analysis to perform because the cost of implementing a secure e-mail documentation system would have both fixed and variable costs associated with it. Fixed costs would include items such as developing the systems, purchasing the software, training, implementation, and monitoring. Variable costs would include the time required to secure each individual e-mail that is sent or secure only certain high-value e-mails.
They could justify the fixed cost based on a risk analysis. For example, if a security breach could cost $500 million and the annual risk of that breach was one-half of one percent, then the expected annual loss is ($500 million)*(0.005), or $2.5 million. If implementing a security system costs less than that, it is a no-brainer to do it.
As an aside, I wonder how many people really think that those long wordy legal statements that are often attached to corporate e-mails claiming confidentiality are adding any security.

What are the best uses of your company's dollars and resources? Optsee® can tell you. Optsee® is a project portfolio management and budgeting optimization tool unlike any that you've ever seen.
Posted by George Huhn on Thu, Nov 26, 2009 @ 08:07 AM

The debate over global warming is heating up again. A group of allegedly stolen e-mails is adding fuel to the fire for those who believe that global warming caused by human activities, or Anthropogenic Global Warming (AGW), is a scientific fraud of massive proportions.
However, the question shouldn't be whether or not global warming is caused by AGW. It isn't a yes or no question.
The question should be: What is the percent probability that AGW will have catastrophic effects (between 0 and 100% probability)?
(Those of you who truly believe that the percent probability is 0% can stop reading now. And if you don't believe that any kind of global warming is occurring then you can also stop reading.)
After we have estimated the percent probability, we need to estimate what the economic costs will be if AGW causes a global catastrophe because we did nothing to stop it.
Let's assume the costs would represent millions or billions of dead human beings, beneficial ecosystems destroyed, and mass extinctions of animal and plant species. (I recognize that putting this in sterile economic terms will seem heartless to many, but we don't really have another good way to put a number on it.)
Once we have these two values, we can calculate the "expected value" of the cost of AGW. We'd take the cost of a global catastrophe and multiply it by the probability of it occurring:
Cost($) * Probability of occurrence(%) = expected value of the cost of AGW($)
Once we have that value, it would be prudent of us to figure out what the cost and risks of trying to stop or ameliorate the severity of AGW would be. If the cost to stop it is less than the expected value of the cost of a global catastrophe caused by AGW and the associated risks of trying are acceptable, then we're fools as a species not to consider paying the costs of trying to stop it.
What do you think the expected value is?
