How might this rule apply as a defense against, detection of, or a defeat of human or social engineering attacks?


How might this rule apply as a defense against, detection of, or a defeat of human or social engineering attacks? What sort of tools can or should an organization use to mitigate such attacks, using this commonplace rule?
What about “outsiders,” such as competitors, other players in your marketplace, government regulators, etc.? How can “know your normal” be applied to help you detect and deal with any “funny business” that might indicate you have an information security and assurance problem? How might you respond to protect, defeat, and deter such? Next, let’s look more closely at how organizations are organized, and how they function, to see how this idea of “normal” might or might not apply.
In classical organizational theory, individual roles within the organization are supposed to be well-defined – thus, it becomes fairly straightforward to control access to information across functional areas, in order to protect against the overly inquisitive or the internal “harvester” looking beyond their job description. But modern organizational theory is pushing us to flatten organizations, to declutter them by eliminating layers, chopping out bureaucratic hurdles, and empowering even the lowest badge-level employees so that they can do what needs to be done – without a lot of “mother-may-I” and review and approval by higher headquarters. (One interesting take on this is Decluttering the Company, in the August 2, 2014, Economist.) How well does this management idea fit with knowing and using the normal to defend and protect against information security and assurance risks?
Are there limits to how much information or insight the organization can have, as to what is “normal” for what its employees are doing? What establishes these limits? How does this impact an organization’s ability to protect and assure its information?

Military planners and commanders know from painful experience that defeat often comes not from lack of military strength and numbers, but from the untested assumptions that one side (or both) base their plans and actions upon. The same is true for information security and assurance: it is what we assume, what we “know” to be “true,” that oftentimes turns out to be our own Achilles’ heel. The first step in avoiding such self-inflicted information wounds, it seems, is to become aware of our own misconceptions.

First, do some Internet or other research on this; find a few “false myths,” invalid assumptions, or just plain wrong-headed ideas “out there” with regard to information security and assurance. (One approach might be to ask your neighborhood sysadmin or information security shop: what did they once think was true, but painful experience has taught them otherwise?)
