IT security for private users

January 17, 2008

The handling of IT security is today left too much to the individual user. The present situation is neither reasonable nor appropriate considering the need to maintain a desired security level in society as a whole, states a working group appointed by The Danish Board of Technology. The working group has published a report containing concrete recommendations on security-increasing initiatives.

Project description

Dealing with IT security in private homes is mostly up to the users themselves. They do, however, have difficulties in handling this responsibility, to the detriment of their own security and the overall societal security. Unsafe computers facilitate the spread of malware and may also be used as an intermediate station for criminal activity.

Awareness-raising activities are important, but such efforts cannot stand alone. There seems to be a need for redistributing some of the responsibility regarding security handling, e.g. through adjustment, co-ordination and automation of the effort. However, a more centralized approach to IT security might also involve value-based and controversial trade-offs. For instance, scanning emails for viruses may be considered an invasion of users’ privacy, and the automation of security updates might limit consumers’ ability to design their own solutions.

This project sought to identify the solutions that could relieve private users of some of the responsibility for their IT security while at the same time raising the general level of IT security. It presented these solutions and the trade-offs involved to private users and on this basis pointed at viable ways of improving the overall IT security.

Method

During the spring and summer of 2007, a working group appointed by the Danish Board of Technology identified and formulated IT security solutions aiming to redistribute some of the responsibility for IT security handling, thus increasing the general security level.

In the second phase of the project, about 25 ordinary IT users from the Odense municipality participated in an interview meeting in November 2007. Before the meeting, written material describing the selected IT security solutions had been mailed to the participants. During the interview meeting, the participants expressed their opinions by answering individual questionnaires, followed by group debates.

The project was concluded on Tuesday the 22nd of April by the publication of a report containing a presentation of the IT security solutions including trade-offs, an analysis of the results of the interview meeting, and the resulting recommendations of the working group. The report is in Danish but includes a summary in English. An English extract of the Danish report is also available. See the links at the bottom of this page.

Members of the working group

  • Jakob Illeborg Pagter, Alexandra Instituttet (The Alexandra Institute)
  • Susanne Karstoft, Juridisk Institut, Aarhus Universitet (Aarhus University School of Law)
  • Birgitte Mikkelsen, Finansrådets it-sikkerhedsgruppe (The Danish Bankers Association, IT-security Group)
  • Nicholai Kramer Pfeiffer, Cybercity
  • Per Tejs Knudsen, cBrain
  • Steffen Stripp, Dansk Metal (The Danish Metalworker’s Union)

Time frame

The project was commenced in March 2007 and terminated in April 2008.

Project Leadership at the Danish Board of Technology

The project manager was Bjørn Bedsted (see contact in the sidebar). The project assistant was Julie Refsgaard Lawaetz.

 

About the Danish Board of Technology and IT security

At the end of 2005 the IT security Council was closed, opening the way for a new construction involving the Danish Board of Technology and the newly established IT security Panel (this panel was replaced in 2008 by the IT security Committee). Through this construction, the IT security Panel (from 2008 the IT security Committee) advises the Ministry of Science, while the Danish Board of Technology was responsible for holding activities to encourage debate and learning. The Danish Board of Technology has earlier been engaged in IT security projects (see e.g. “The vulnerability of the IT infrastructure” and “IT security beyond borders”), but following this new arrangement, IT security became a permanent part of the Board’s annual program.