Last updated: 
3 weeks 20 hours ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

The Human Side of Information Sharing

Tuesday, June 24, 2014 - 20:28

There are quite a few talks at the FIRST conference this week about getting computers to automatically receive, process and distribute information about security events. However I was particularly interested in a session on the human issues that need to accompany any such information exchange.

Organisations, which ultimately means individuals, need to trust one another before information exchange can be effective. Providers of what may well be sensitive information need to trust that the recipients won’t misuse it; and recipients need to trust that providers have gathered and analysed the information accurately so they don’t feel the need to redo all the analysis and duplicate the providers’ efforts. Although anonymity is sometimes suggested as a way to start building trust, it was suggested that this actually produces a slower build-up of trust than if individuals know who is providing the information and who is using it. Instead, a trusted exchange may be easier to establish if it is (initially, at least) narrowly focussed on a common problem that all participants want to solve.

Even a collaboration towards a specific goal is likely to need support to establish and build trust. Using (and abiding by) a clear set of rules on how information may be shared is probably the best known tool. Non-Disclosure Agreements are one possibility, and may be needed if there are legal concerns about sharing, but can be too rigid. The ability to attach distribution rules to individual items using the Information Sharing Traffic Light Protocol may be sufficient to give providers confidence. A good complement to this is to let the provider of information see who has accessed it, both so that breaches of the rules are visible and, I would imagine, to encourage providers that others found their input useful. Having too many passive consumers ("lurkers" or "sinks") in any information sharing partnership is unhelpful – if hosts can actively seek these out to find out what is preventing them contributing then this can increase both information flow and trust.

On the information consumer side it was suggested that one of the most useful, but also scarce, resources for any information sharing partnership is someone who can ask the right questions, prompting others to look at, and share, their own information in a new light. Having frequently said myself that sharing needs everyone to contribute,  it strikes me that insightful questions might themselves be a significant contribution justifying an individual’s and an organisation’s participation. Recipients of information also need to trust the providers, especially if they are going to make technical or business decisions on the basis of the information they receive. That needs a high level of confidence in others’ human and technical abilities, which may well only be possible if organisations share not only their information, but knowledge of how it is gathered and used.

The goal of an effective information sharing partnership was nicely summarised: computers share data, humans share insights and questions.


This matches well with the talk I gave at the AusCERT conference last month.

A lot of information sharing communities seem to suffer from a "tradgedy of the commons" type situation where anyone can join and benefit from hearing what's going on in the room, but fewer people are willing to take the risks of standing up and having something to contribute back, or simply just joining in with the conversation.

To some extent I'd advocate a JFDI approach - to do security well you need to be doing this sort of thing (and working with people who are successfully doing it) and you'll never eliminate all the risks entirely except by avoiding the situation entirely. Start somewhere, start small, find your comfort level and try not to be that person who is not contributing.

Yup. I think the talk here suggests that a good starting point is a topic, ISTLP, and a small group of people including some who can ask good questions.