CyRise ran a launch session event in Brisbane last night, and there was great interest in the project. CyRise is a fantastic initiative designed to launch new Australian Cyber Security startups. The accelerator program provides seed funding, close mentorship with awesome mentors (e.g. Casey Ellis from Bugcrowd), a workspace for 6 months in Melbourne in an incubator environment dedicated to Cyber Security, a trip to Israel to get immersed in arguably the best environment for Cyber Security innovation and startups in the world, and other benefits. CyRise will select 5 lucky candidates for the 6 months program. I can’t wait to find out about them and see some of them take over the world and do as well as Bugcrowd and UpGuard. I also had the pleasure of speaking with Scott Handsaker, CEO of CyRise, and found great insight in his experience in developing startups. Check it out at https://www.cyrise.co.
The complex cyber security bridge for individuals
The CyRise launch session fostered an open group discussion led by a panel (Nicole Murdoch and Simon Stahn) on current cyber security matters. One point of discussion strongly resonated with some thoughts I have on cyber security for individuals. A member of the audience provided the following analogy (thanks John!):
You are driving a car over a bridge. The bridge collapses because of a lack of maintenance. You crash. Are you to blame for your own lack of due diligence about the bridge’s safety? You could probably have identified some signs of weakness, and a risk you wouldn’t have accepted, by doing a few checks yourself. In this case, though, you rely on the government to manage the risk for you.
Now, think of the case where you use the internet to transact online. It seems that you are responsible for checking the website certificate and other controls. It’s your problem and not the government’s. Can you effectively assess this risk? Are you educated enough about it? Should the government do more about it?
The analogy (bridge & internet) can probably be argued. However, individuals are certainly held responsible, including by government, for managing the risks applying to their online personal information, even when that information is managed through government services. For example, the OAIC has published some advice to citizens using the government service MyHealthRecord. The advice includes “Ten tips for protecting the personal information in your My Health Record”. That is ten things to think about to protect your data when you use a single government service. The 10 tips are good, but I would argue it may be unrealistic to expect mums and dads, elderly citizens and the wider online citizen population to effectively comply with all of them all the time. What if users don’t effectively apply all the recommendations and they become the subject of identity theft and fraud? Are they to be blamed?
Cyber Security is not easy. It is not easy for organisations, even for those well resourced in technology, mature processes and expert security people. I think it is currently an unrealistic expectation on citizens, and I concur with Bruce Schneier’s view on the subject:
Stop Trying to Fix the User… Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users’ security goals without — as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it — “stress of mind, or knowledge of a long series of rules.” (Schneier)
I’d love to see an Australian cyber security startup tackling the issue of cyber security for citizens :o)