Wednesday, August 25, 2010

I Love Boobies and Information Security

If you work in Information Security, or any form of security for that matter, you're probably used to noticing things. Maybe we just pay a little more attention to the details around us. And if you're working on a college campus, maybe you've noticed the number of people wearing bracelets that say "I love boobies" or "I heart boobies."

Turns out that it is part of a breast cancer awareness campaign and it seems to be quite effective. How effective? So much so that one day while working up in my office I saw three customers in a row come in with the bracelet on. It seemed so rare to me that I asked one of them why there were so many people with the bracelet on. Interestingly, she didn't know of any organized campaign to get people to wear the bracelets and didn't realize that so many people were.

So I decided I should take a moment to figure out how many of our female students on campus are wearing these bracelets. Male students are kind of irrelevant because breast cancer isn't a major concern for them and they probably love boobies for reasons not associated with cancer. So I wanted to know what percentage of female students on campus are wearing this particular kind of bracelet.

This is where reading Douglas Hubbard's book How to Measure Anything comes in handy. There are some people who would instantly tell me that I won't know unless I take a census of the female students on campus, or at least survey about 1000 of them. But since I've read Hubbard's book I know that I don't need as much information or precision as my gut first tells me. I also know that the best way to measure something is to go out and do it.

So I walked out the door of my building and counted 30 female students at random as I walked from one building to another. If I was able to get close enough to a woman to observe both of her wrists then she was counted, otherwise not. Out of 30, I saw one girl wearing such a bracelet. This very simple observation is enough to tell me that I can be 90% confident that the percentage of female students on campus wearing such a bracelet is between 8% and one one-thousandth of a percent (one observation divided by 7817 female students). I actually decided that I wanted to have more precision, so I made a few more observations whenever I had to walk from one building to another.

So there you have it. With a few really simple observations my uncertainty about the number of female students with this bracelet on has been reduced, and I can express the measurement as a number. If someone were to ask me, I could say that between one and five percent of the female students on my campus are wearing the bracelet. If the people behind the bracelet were hoping to have ten percent of college girls wearing them, then without spending any money or any tremendous amount of time I could tell them that it is unlikely that they met their goal. If the goal was 3% I could tell them that they are close, but that additional study is necessary to get a better answer.

So what does this have to do with Information Security? Mostly it's just a demonstration that it isn't hard to measure things once you deconstruct the problem into something you can observe and then go count it. If we wanted to measure the effectiveness of the I heart boobies bracelets, we have to deconstruct it to find out what the observable characteristics are. In this case, the number of students wearing the bracelet. So what if you wanted to measure the effectiveness of your information security awareness program?

First, you have to deconstruct it down to the observable characteristics. If you want to know whether it worked or not, what might you see? One idea that jumps into my head is that the number of unattended workstations left unlocked might go down. Sweet. I can observe that, and using the same technique that I used to measure boobie lovers on campus I can get an idea of what percentage of office computers are left unlocked. Or you could send a phishing email to several randomly selected people and count how many answer it. Take before and after measurements and see if there is a noticeable improvement in the numbers.
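The arithmetic behind both measurements above, the bracelet count and the before/after awareness check, is the same: a proportion estimated from a small random sample, with a confidence interval around it. The block below is an added example, not code from the post; the author worked his bounds out by hand, whereas this uses the Wilson score interval (a standard closed-form interval for a binomial proportion at a chosen confidence level), so its numbers for the 1-of-30 observation differ from the ones quoted in the post. The workstation counts (12 of 40 unlocked before the program, 3 of 40 after) are constructed for illustration.

```python
# Added example (not from the original post): confidence bounds on a proportion
# estimated from a small random sample, and a conservative before/after check.
# Uses the Wilson score interval; z = 1.645 gives a two-sided 90% interval.
import math

Z_90 = 1.645  # two-sided 90% confidence


def wilson_interval(successes, n, z=Z_90):
    """Return (lower, upper) bounds on the true proportion after seeing
    `successes` hits in `n` random observations."""
    if n <= 0:
        raise ValueError("need at least one observation")
    if not 0 <= successes <= n:
        raise ValueError("successes must be between 0 and n")
    p = successes / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    # Clamp to [0, 1]; with zero hits the lower bound is 0 but the upper
    # bound is still positive, so "saw none" never means "there are none".
    return max(0.0, center - half), min(1.0, center + half)


def goal_ruled_out(successes, n, goal, z=Z_90):
    """True if `goal` (a proportion, e.g. 0.10 for 10%) lies outside the
    interval, i.e. the sample makes that goal implausible at this confidence."""
    lo, hi = wilson_interval(successes, n, z)
    return not (lo <= goal <= hi)


def improvement_detected(before, after, z=Z_90):
    """Conservative before/after test: the 'after' interval must lie entirely
    below the 'before' interval.  Overlapping intervals mean 'additional study
    is necessary', not 'no change'.  Each argument is (hits, observations)."""
    b_lo, _ = wilson_interval(before[0], before[1], z)
    _, a_hi = wilson_interval(after[0], after[1], z)
    return a_hi < b_lo


if __name__ == "__main__":
    # Bracelet count from the post: 1 observed out of 30.
    lo, hi = wilson_interval(1, 30)
    print(f"bracelets: 90% interval {lo:.1%} .. {hi:.1%}")
    print("10% goal ruled out:", goal_ruled_out(1, 30, 0.10))
    print("20% goal ruled out:", goal_ruled_out(1, 30, 0.20))

    # Constructed awareness-program numbers: unlocked unattended workstations
    # seen on two walks through the same offices, before and after training.
    before = (12, 40)
    after = (3, 40)
    print("before:", wilson_interval(*before))
    print("after: ", wilson_interval(*after))
    print("improvement detected:", improvement_detected(before, after))
```

With 1 of 30 the 90% interval runs from well under 1% to a little under 14%, so a 10% target is not ruled out by that single walk, while a 20% target is; that is the same kind of statement the post makes, just with a different formula. The before/after check deliberately requires the two intervals not to overlap, which is stricter than a formal two-sample test but keeps the conclusion honest when each walk only covers a few dozen desks.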

So what can boobies tell us about Information Security? You can have a lot of fun looking at and measuring things you can't touch.

