This week I have been hammered by a lot of spam messages on my Facebook page. I was sure those were from my lovely friends clicking on malicious links on their own page. I eventually posted a note asking them to 'stop and think' before clicking on inviting links. A colleague responded and reminded me of law #4 of Malcolm Harkins' Five Irrefutable Laws of Information Security - Users want to click. It suddenly dawned on me that Malcolm's insight was so true. Fortunately, I'm still proud to say that I haven't fallen victim to the malicious links and spammed my friends yet. Some of those inviting links I encountered were obviously malicious. However, some were on the borderline of being legitimate. I had to hold back my urge to click. Of course, some of them proved to be bad ones, too, after my friends clicked on them.
Here are the 5 laws from Malcolm. You can find them in Intel IT's whitepaper on Rethinking Information Security to Improve Business Agility.
- Information wants to be free - People want to talk, post, and share information
- Code wants to be wrong - We will never have 100 percent error-free software
- Services want to be on - Some background processes always need to be running and can be exploited by attackers
- Users want to click - People naturally tend to click when they see web links, buttons, or prompts. Malware creators know this and take advantage of it.
- Even a security feature can be used for harm - Security tools can be exploited by attackers, just like other software. This means laws 2, 3, and 4 are also true for security capabilities.
Under the new connected, always-on, and social internet age, how are you, or in fact, how should we all respond to the new paradigm and new kinds of information security risks? In my recent experience, the user is still the weakest link.