Computer Security
10.7. Policies and practices

Because many people without expertise in computer security need to have access to sensitive information in a business or organisation, educating users about secure practices may not be enough, and an important part of security is having policies and practices in place that enforce safe computer usage. Of course, these rules can annoy users, since they are being forced to trade Availability for Integrity and Confidentiality, and a lack of availability is the annoyance they notice immediately: a password rule or a locked account gets in the way today, whereas a leak of confidential data may not be noticed until long after it has happened.

Policies and practices are sometimes published, and sometimes follow standards, but they are most visible when a user is told what they can and can’t do. Here are some ways you can discover aspects of the policy on a system you use:

Exercise: Discovering system policies
  • On a couple of systems that you regularly access, try changing your password to “qwerty” or “password”. Does the system allow it, or are you told what a password must contain? How is it enforced: does the form reject it before anything is sent (a check in the page that an attacker could simply bypass), or does the server refuse it? Why is that policy there? (If a system does accept the weak password, change it back to a strong one immediately.)
  • What happens if you type an incorrect password? (Be careful: for some sites their policy may make your life difficult if you make too many mistakes!) Does it allow you to make some mistakes? Can you keep on trying forever, or does the account lock or the site slow you down after a few failures?
  • On an online supermarket site, try ordering 5,000,000 rolls of toilet paper. Is there a policy that prevents this?
  • On a takeaway site, try ordering a negative number of an expensive item that balances the cost of another item. Does the total go down, and could you get your order for free? Stop at the cart: look at the total, but don’t submit the order, since actually taking goods this way is fraud. For example, for a while there was a loophole in the McDonalds discounts that allowed customers to get free burgers.
  • Explore a company’s website to see if they publish a security policy (e.g. Xero). If the company’s security is important to its clients then it will probably publish one; this reassures users that the company won’t accidentally leak their private information, and it also helps users understand why there are some inconveniences (like requiring complicated passwords, two-factor authentication, and not supporting old browsers).
  • If you have trouble finding a security policy, try the company’s privacy policy. It’s not the same thing, but it will explain what data the company collects, which in turn tells you how important security is for the site.
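The two shopping questions above come down to whether the shop’s server enforces its ordering policy or merely trusts the numbers the browser sends. The following Python is an added example written for this page, not code from the Field Guide or from any real shop: a naive total that trusts the client, beside a hardened version that rejects negative or absurd quantities and never lets a discount push the bill below zero. The catalogue, prices, limits and discount codes are constructed for the example.

```python
"""Added example (not from the Field Guide): server-side checks for the two
shopping-cart policies the exercise above probes, absurd quantities and
negative quantities that cancel the cost of another item.

Prices, limits and the discount table are constructed for the example; a
real shop would load them from its own database and policy settings.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values: how much of one item, and how many units in total,
# a single order may contain.
MAX_QTY_PER_ITEM = 50
MAX_UNITS_PER_ORDER = 100

# Constructed catalogue and discount table (the server's copy, never the client's).
CATALOGUE = {
    "burger": Decimal("6.50"),
    "fries": Decimal("3.00"),
    "toilet_roll": Decimal("0.80"),
}
DISCOUNTS = {"SAVE5": Decimal("5.00"), "SAVE50": Decimal("50.00")}


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int


def total_unchecked(lines: list[Line], code: str | None = None) -> Decimal:
    """Naive total that trusts the client: the loophole the exercise describes.

    A negative quantity on an expensive item subtracts from the total, and a
    large discount code can push the total below zero.
    """
    total = sum((CATALOGUE[line.sku] * line.qty for line in lines), Decimal("0"))
    return total - DISCOUNTS.get(code, Decimal("0"))


def validate_order(lines: list[Line], code: str | None = None) -> Decimal:
    """Hardened total: enforce the policy, then recompute the price on the server.

    Raises ValueError naming the rule that was broken; returns the amount to charge.
    """
    if not lines:
        raise ValueError("order is empty")
    # Merge repeated lines first, otherwise several separate lines of the same
    # item each sit under the per-item cap while the order as a whole does not.
    merged: dict[str, int] = {}
    for line in lines:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(line.qty, int) or isinstance(line.qty, bool):
            raise ValueError(f"{line.sku}: quantity must be a whole number")
        if line.sku not in CATALOGUE:
            raise ValueError(f"{line.sku}: unknown item")
        if line.qty < 1:
            raise ValueError(f"{line.sku}: quantity must be at least 1")
        merged[line.sku] = merged.get(line.sku, 0) + line.qty
    for sku, qty in merged.items():
        if qty > MAX_QTY_PER_ITEM:
            raise ValueError(f"{sku}: at most {MAX_QTY_PER_ITEM} per order")
    if sum(merged.values()) > MAX_UNITS_PER_ORDER:
        raise ValueError(f"at most {MAX_UNITS_PER_ORDER} units per order")
    if code is not None and code not in DISCOUNTS:
        raise ValueError("unknown discount code")

    subtotal = sum((CATALOGUE[sku] * qty for sku, qty in merged.items()), Decimal("0"))
    discount = DISCOUNTS[code] if code is not None else Decimal("0")
    # A discount can reduce the bill to zero but never make the shop pay the customer.
    return max(subtotal - discount, Decimal("0"))
```

The hardened version merges repeated lines before applying the per-item cap, recomputes the total from the server’s own catalogue, and clamps the discounted total at zero; the total displayed in the browser is never trusted.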

Many policies are relevant regardless of which organisation uses them, so there are common security standards that organisations adopt and are audited against. The full text of these standards tends to be expensive to obtain and requires technical knowledge to read, but you can find general information about them online. Some you may come across are:

  • ISO/IEC 27001
  • SOC 2

Exercise: Payment possibilities
  • If you were to get hold of someone’s contactless payment card (such as Paywave, which can make payments without a PIN), what stops you using it to buy lots of goods? How did the policies on contactless purchases change during the Covid-19 pandemic? What policies are there that make it not worthwhile? What disincentives are there to try your luck with a card you find on the street?
  • What kind of PINs are you allowed to use for your phone, bank card, etc.? For example, is 1234 allowed? Why are there restrictions?
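Both the first two bullets of the “Discovering system policies” exercise and the PIN question above ask how a policy is enforced. Here is an added example in Python, written for this page rather than taken from the Field Guide or from any real login system: a password and PIN policy check that rejects the weak values those exercises tell you to try, and a login guard that allows a few mistakes and then locks the account for a cooling-off period, so nobody can keep trying forever. The thresholds, the deny lists and the caller-supplied clock are assumptions made for the example.

```python
"""Added example (not from the Field Guide): how a server can enforce the
policies the two exercises above ask you to probe.

* password_violations / pin_violations reject the weak values you were told
  to try ("password", "qwerty", "1234").
* LoginGuard allows a few mistakes and then locks the account for a
  cooling-off period, so nobody can keep trying forever.

The thresholds, the deny lists and the injected clock are assumptions made
for this example, not values taken from any real system.
"""
from __future__ import annotations

import hashlib
import os
import secrets
from dataclasses import dataclass, field

MIN_PASSWORD_LENGTH = 12       # assumed policy value
PBKDF2_ITERATIONS = 100_000    # slows down offline guessing of a stolen hash

# Constructed deny lists; a real system checks against millions of breached passwords.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "iloveyou"}
COMMON_PINS = {"2580", "0852", "1212", "1004", "2000"}


def password_violations(password: str) -> list[str]:
    """Return every rule the password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


def pin_violations(pin: str) -> list[str]:
    """Reject PINs a thief would try first: well-known favourites, repeats and runs."""
    if not pin.isdigit() or not 4 <= len(pin) <= 6:
        return ["must be 4 to 6 digits"]
    problems = []
    if pin in COMMON_PINS:
        problems.append("in the common-PIN list")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {0}:
        problems.append("all digits identical (e.g. 1111)")
    elif steps in ({1}, {-1}):
        problems.append("ascending or descending run (e.g. 1234, 4321)")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash; only the digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # seconds on the caller's clock


@dataclass
class LoginGuard:
    """Allow max_failures wrong guesses, then refuse all attempts for lockout_seconds.

    `now` is passed in by the caller (a monotonic clock in production) so the
    behaviour can be exercised without sleeping.
    """
    max_failures: int = 5
    lockout_seconds: float = 900.0
    accounts: dict[str, Account] = field(default_factory=dict)

    def register(self, user: str, password: str) -> None:
        problems = password_violations(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _derive(password, salt))

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return "ok", "denied" or "locked"."""
        acct = self.accounts.get(user)
        if acct is None:
            # Same answer as a wrong password, so the response does not reveal
            # which usernames exist (a real service also equalises the timing).
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if secrets.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.failures = 0
            acct.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"
```

Because the guard refuses even the correct password while the lockout is in force, and because the hash is deliberately slow, an attacker gets only a handful of guesses per cooling-off period instead of millions per second.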

Organisations need policies to protect their security. People using their own private computer will have some policies forced on them by the external organisations they interact with (and possibly by the operating system itself), but in the absence of policies, education is the best defence, so that users know how to avoid falling into the common traps.

The Computer Science Field Guide material is open source on GitHub, and this website's content is shared under a Creative Commons Attribution-ShareAlike 4.0 International license. The Computer Science Field Guide is a project by the Computer Science Education Research Group at the University of Canterbury, New Zealand. Icons provided generously by icons8.