Rating the Security of ICT Services. A Chimera?

(Post originally published at ISACA Journal Author Blog)
 
Imagine that you have decided to buy a car. Safety matters a great deal to you, so you will take each model's safety characteristics into account in your buying decision.
 
The most direct way of knowing the safety characteristics of every model is asking how many NCAP stars each holds. The Global New Car Assessment Programme (Global NCAP) conducts independent research and testing programs that assess the safety and environmental characteristics of motor vehicles and their comparative performance and disseminates the results to the public. Those models with better crash protection and avoidance systems get more stars—5 stars being the best.
 
Does this mean that it is impossible to suffer injuries in case of an accident? No, of course not. Does it mean that your risk level is always lower when you drive a 5-star vehicle? No, again. Your risk also depends on other factors (e.g., your driving style, weather conditions).
 
Then why do we look up the number of NCAP stars before purchasing? We do so because, under the same conditions, we are likely to be safer, and to suffer fewer injuries, in a car with more stars.
 
The same principle can be applied to evaluating the security of ICT services as I explain in my recent ISACA Journal article.
 
The rating system described there assigns every ICT service a label, depending on the security measures it implements, the general conditions of the vendor and the resilience mechanisms in place. In my opinion, these labels should provide information about each of the three dimensions of security (confidentiality, integrity and availability), because users' requirements can be completely different in each dimension, and the label has to provide enough information for users to make better decisions about which service to buy (if they want to consider information security in their decision).
 
So, when you look for an ICT service, it should be easy for you to look at its security label and know which service offers better security conditions.
 
Read Antonio Ramos’ recent Journal article:
“Security Labeling of IT Services Using a Rating Methodology,” ISACA Journal, volume 6, 2013.
 
You can follow us on twitter.com/leet_security