Because many people without expertise in computer security need access to sensitive information in a business or organisation, educating users about secure practices may not be enough; an important part of security is having policies and practices in place that enforce safe computer usage.
Of course, these rules can annoy the users, since they are being forced to trade Availability for Integrity and Confidentiality, and a lack of availability is a more immediate annoyance.
Policies and practices are sometimes published, and sometimes follow standards, but they are most visible when a user is told what they can and can’t do.
Here are some ways that you can find out aspects of a policy on a local system:
Discovering system policies
- On a couple of systems that you regularly access (using your own account), try changing your password to “qwerty” or “password”.
Does the system allow it, or are you told a policy of what must be in the password?
How is it enforced?
Why is that policy there?
- What happens if you type an incorrect password? (Be careful - for some sites their policy may make your life difficult if you make too many mistakes!)
Does it allow you to make some mistakes?
Can you keep on trying forever?
- On an online supermarket site, try adding 5,000,000 rolls of toilet paper to your order (without confirming it).
Is there a policy that prevents this?
- On a takeaway site, try ordering a negative number of an expensive item that balances the cost of another item - can you get your order for free? (If the site accepts it, that is an input-validation bug to report, not a discount to use.)
For example, for a while there was a loophole in the McDonalds discounts that allowed customers to get free burgers.
- Explore a company’s website to see if they publish a security policy (e.g. Xero).
If the company’s security is important to its clients then they will probably publish a security policy. This reassures users that the company won’t accidentally leak their private information, and it also helps users understand why there are some inconveniences (like requiring complicated passwords, two-factor authentication, and not supporting old browsers).
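As an added illustration (not code from the page or from any of the sites mentioned), here is how the three kinds of policy probed by the experiments above are typically enforced in application code: a password policy check, a lockout after repeated failed logins, and order validation that closes the negative-quantity loophole. The thresholds, the deny-list of common passwords, the menu and its prices are all constructed assumptions for the example.

```python
"""Policy enforcement examples (added illustration; all names, thresholds,
menu items and prices are assumptions, not taken from any real system)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed deny-list; real systems check against large breached-password lists.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "password1"}


def check_password_policy(pw: str, min_length: int = 12) -> List[str]:
    """Return the list of policy violations (an empty list means accepted)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


@dataclass
class LoginPolicy:
    """Lock an account after max_failures consecutive wrong passwords."""
    max_failures: int = 5
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def attempt(self, user: str, password_ok: bool) -> str:
        if user in self.locked:
            return "locked"          # refuse even a correct password once locked
        if password_ok:
            self.failures.pop(user, None)   # success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "denied"


# Constructed menu, prices in cents to avoid floating-point rounding.
MENU = {"burger": 650, "fries": 300, "premium_meal": 1850}
MAX_QTY_PER_LINE = 50

Order = List[Tuple[str, int]]


def unchecked_total(order: Order) -> int:
    """The loophole: quantities are never validated, so a negative line
    cancels the price of a positive one."""
    return sum(MENU[item] * qty for item, qty in order)


def checked_total(order: Order) -> int:
    """Hardened version: every quantity must be a positive integer and is capped."""
    total = 0
    for item, qty in order:
        if item not in MENU:
            raise ValueError(f"unknown item {item!r}")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            raise ValueError(f"quantity for {item!r} must be a positive integer")
        if qty > MAX_QTY_PER_LINE:
            raise ValueError(f"quantity for {item!r} exceeds limit of {MAX_QTY_PER_LINE}")
        total += MENU[item] * qty
    return total


if __name__ == "__main__":
    print(check_password_policy("qwerty"))
    print(check_password_policy("Tr0ub4dor&3-extra"))
    lp = LoginPolicy()
    print([lp.attempt("alice", False) for _ in range(6)])
    # Loophole: 3 burgers plus "-1 premium meal" -> 3*650 - 1850 = 100 cents
    loophole = [("burger", 3), ("premium_meal", -1)]
    print(unchecked_total(loophole))
    try:
        checked_total(loophole)
    except ValueError as e:
        print("rejected:", e)
```

The negative-quantity check is the one most often missed: the arithmetic in `unchecked_total` is perfectly correct, so the bug is not visible in the pricing code at all, only in the absence of a rule about what a quantity is allowed to be.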
Many policies are relevant regardless of which organisation is using them, so there are common security standards that organisations adopt.
These tend to be expensive to obtain and require technical knowledge to read, but you can find general information about them online.
Some you may come across are:
- If you were to get hold of someone’s contactless payment card (such as Paywave, which can make payments without the PIN being entered), what stops you using it to buy lots of goods?
How did the policies on contactless purchases change during the Covid-19 pandemic?
What policies are there that make it not worthwhile?
What disincentives are there to try your luck with a card you find on the street?
- What PINs are you allowed to use for your phone, bank card, etc.? For example, is 1234 allowed?
Why are there restrictions?
Organisations need policies to protect their security.
People operating on their own private computer will have some policies forced on them by the external organisations they interact with (and possibly by the operating system itself). In the absence of policies, educating users is the best defence, so that they are aware of how to avoid falling into common traps.