4 Tips for building an effective Early Warning System – organizational and human resource issues

October 19th, 2006

We have previously pointed out the challenges and issues for building and maintaining an Early Warning System (EWS) that serves its constituencies well; see here:

Do CERTS differ from WARPS or should we create something different?

Infrastructure, reliability and security for users: Japan

Naturally, it is also quite difficult to assess the success of such a unit using benchmarks:

CyTRAP Labs – guide – developing IT security metrics that work for you

Below we outline four tips that one should follow in trying to establish an EWS. Moreover, these apply regardless of the setting one uses (e.g., corporate versus government) and should help in all instances to improve the performance of such a unit.

1) An EWS for citizens and SMEs can be provided using a variety of organizational forms, including but not limited to being part of a Computer Emergency Response Team (CERT). Regardless of where such a unit is housed or the organizational structure it may use to work, it must have dedicated staff that produces the output relevant to the clientele to be served in a timely fashion, including on public holidays.

Likely result if ignored: Technical alerts may be issued much earlier than non-technical ones. Also, relevant exploits for targeted groups may not register on the radar screens of the EWS staff fast enough. In turn, timeliness may also become an issue.

Possible solution: Dedicated staff who have access both at work and from home to check the internet regularly for updates (i.e., doing so even during weekends) can reduce delays while helping to improve the timeliness and relevance of warnings issued.

2) Some form of public-private partnership may be the most effective approach to achieve better targeting of the user groups to be served.

Likely result if ignored: Advice suggesting the use of alternative Web browsers such as Firefox or Opera in addition to Internet Explorer was provided in summer of 2005 by – others did not issue such advice to citizens and SMEs until much later – Spring 2006.

Naturally, trust and confidence are fostered only if the organization can issue timely advice independently of either corporate or public-policy interests.

Hence, neither outsourcing such services to a vendor nor a government organization may truly satisfy the independence criterion for such a unit.

Possible solution: Similar to consumer advocacy groups that can be funded by government and industry (e.g., Germany’s ‘Stiftung Warentest’, freely translated “foundation for testing consumer goods”), or a unit that specializes in these services and is funded by private and/or government agencies to do so.

Being independent of vested interests except for those held by the targeted clientele is a viable strategy that will improve effectiveness and user satisfaction.

3) Creating virtual groups makes it much more difficult to create a ‘corporate’ brand.

Also, people whose primary interest and focus is on protecting critical infrastructure or doing police work may, unfortunately, not be the ideal choice for being seconded to an EWS that focuses on conducting awareness raising campaigns in the area of information security for home users and SMEs.

Likely result if ignored: Having staff conducting services for the EWS while being located in different departments (e.g., police and IT support unit for federal government departments or telco regulator) and locations will make co-ordination of work a challenge. Quality assurance will be difficult since different people with vastly different backgrounds and limited communication will issue output that does not represent a unified brand (e.g., issuing an alert for product X this time but not next time – different people have different opinions… how can one assure consistency?).

Possible solution: People may be seconded to an EWS from other departments. Nonetheless, a more effective way is to assure that people’s primary task and responsibility is to the EWS unit. Just as importantly, their skill set must match the EWS’ demand for critical technical and/or communication skills (which type depends on targeted client groups).

4) The challenge is to identify and follow best practices that show that the efforts undertaken regarding awareness raising and better prevention created added value.

Likely result if ignored: Many awareness raising efforts have been undertaken (e.g., Safer Internet Day across the European Union and other countries). Unfortunately, how much these have enabled users to become better prepared to protect their home PC remains a mystery.

Possible solution: must be developed that allow assessing this issue across user groups.


The above illustrates quite nicely that certain organizational issues (e.g., structure, hierarchy, stakeholders, market focus, etc.) as well as human resource matters (e.g., what type of employee, what skill set) must be addressed when trying to establish an EWS. Only then will this unit be able to launch and administer awareness raising campaigns successfully. Moreover, additional services provided to user groups will also likely add value, and the risk of unnecessarily duplicating services or failing to deliver a better product will be reduced.

Hopefully such efforts will culminate in an improved level of prevention and, therefore, reduce the number of critical incidents that may violate users’ rights regarding their privacy, confidentiality and integrity of their data (e.g., identity theft).

As our work on Key Performance Indicators (KPIs) would lead us to believe, however, we still have a lot to do in this area. Only then will we be able to deliver the goods.


