Although I think the vast majority of people can be classified as "good," there is also plenty of evidence confirming the parallel existence of "bad" people. Law enforcement officials and the courts deal with the very bad, but the rest of us are unfortunately left to deal with the moderately bad - those people who cause various levels of disruption, some of which may be criminal. In fact, moderately bad people who are also computer-oriented cause disruption that can be measured in billions of dollars. These are the people who hack into our systems, forcing us to spend time and money to thwart their efforts. They are the focus of all our security measures, regardless of whether they are on the outside or are fellow employees.
While it is up to sociologists (or parents) to determine why these people (or children) never figured out the difference between right and wrong, we deal with the certainty that, sooner or later, the crackers will find their way to our systems. The way we deal with that reality is a combination of preparedness and dedicated security resources.
Fortunately, the most clever security-oriented people are on our side. Among other resources, we have a cadre of experts at our disposal who dedicate much of their time to finding ways to foil the nefarious. Scores of people involved in organizations such as Computer Emergency Response Team (CERT), the Computer Security Institute (CSI), SAGE, and SANS make their findings available to us through mailing lists, Net postings, and educational conferences. We applaud the efforts of these groups and the individuals who comprise them.
Also at our disposal are a variety of security products. Almost all current network hardware includes security features, for example. Additionally, software packages (both commercial and freeware) abound. These include encryption and email security products, firewalls, user authentication systems, and sophisticated intrusion detection systems. Careful planning and a well-designed security infrastructure can combine these elements in the most effective way. For all but the unconnected system, some or all of these elements are essential for maintaining security. How much time and money is spent maintaining security must be measured by the value of the information assets being protected.
In corporate environments, security is often just one more hat worn by the system administrator. Time spent dealing with security issues is time not spent on user needs. Larger organizations with multiple system administrators can spread the burden of security administration between members of the admin staff. At some point, however, we must recognize that security administration becomes a full-time job for one or more people, not just one of those "other duties, as assigned."
At that point, management's awareness of the issues and complexities involved in security administration becomes one of the most important security resources we have. That awareness must be developed and nurtured over time through reasoned communication. Such efforts we hope will provide the ultimate return on investment - budgetary support. n