Information Management: Is your ECM Security Justified?

The latest airport security 'pat-down' debacle has made me think hard about the security of systems. To those who do not deal with security issues it might appear that all of the security measures that have been put in place in airports over the last decade are both necessary and good for us all (or at least those in airplanes). But the truth is very different from that indeed.

It is impossible to prove a negative, which means that we cannot know for sure what might have been had these measures not been put in place. The lack of any successful terrorist attack via airplane since 9/11 therefore cannot be attributed to these measures; there is simply no evidence either way, and despite our emotional desire to find a connection (if for no other reason than to justify the intrusion), there is no data to support either side of the argument. We cannot know how many might have been averted. But I would point out that had any explosive materials been found in any liquids taken from any airport security sweep anywhere in the world, we would all have learned about it very quickly.

If one is conspiracy-minded it is easy to come up with reasons for this response that have nothing to do with the security of air travel. While such speculation is sometimes fun, and certainly it could be the case that any one of the conspiracy theories is correct (I still can't prove a negative), it does not require a conspiracy to account for the stupidity; our natural response is sufficient. Certainly when we heard about the Shoe Bomber it seemed to make sense to the layman that we should be checking shoes for bombs, and so it doesn't surprise anybody that their shoes are removed and x-rayed.

But these shoes aren't physically examined, and although I am most definitely not an explosives expert, I know enough about C4 and X-ray machines that I am reasonably certain shoes with C4 insoles could easily slip through the screening ... not that such screening is routinely or consistently applied (it is really only a US-based activity). One might argue that knowing that shoes would have to be removed and x-rayed stops people from trying to repeat the failed shoe bomber approach, but I'd argue that the shoe bomber was a one-off crazy person who didn't really want to bring down the airplane or he wouldn't have done things the way he did ... he wanted to be seen trying to bring down the plane. There may even be some part of his crazy brain where he wanted to actually bring down the plane, but he did it in a way that guaranteed he would not. None of us are safer because we stand in our socks on a dirty, cold floor. Instead we should be looking for crazy people -- but we don't know how to do that; we DO know how to x-ray shoes.

So what does this have to do with computer security? Well, the same sort of ignorance that allows us to put up with useless and invasive security in airports can allow us to create a computing environment that is rife with "useless and invasive" security measures ... or at least it might appear to be so. To those with no real interest in, and little knowledge of, computer security, any problem that a so-called security expert says requires action must, in fact, be a real problem, and so whatever intrusion on their lives is needed to combat it is justified. I think such folks look at security as a black-and-white issue: things are either secure or not. But security is not binary; it is a continuum.

We all already know this about other things in our lives. None of us would put a bank vault in our basement to hold our wallets; the expense and inconvenience of keeping your wallet / purse in such a place simply couldn't be justified, but nobody could deny that doing so would definitely keep our wallets and purses more secure than not doing so. Of course most of us already know that wallets and purses are far more at risk outside the home than inside, and that the real risk to the wallet and purse in your home is minimal, so it would be almost impossible to convince anybody to put a vault in their basement.

At the same time, few of us need to be told that keeping $1million under your mattress is far too risky; such a large amount of money requires significant security or it will get stolen as soon as its existence becomes known. What makes these examples so obvious is our real-world knowledge about money, bank vaults, theft, and physical security. There is no clear-cut line we'd all agree on that says $X is the right amount for keeping in a bank versus under your mattress, but we all agree there is a line there.

So it goes with computer security ... it too is a continuum that clearly has the equivalent of bank vaults in basements and money under the mattress. The real problem with this continuum is that very few people truly have enough domain knowledge to evaluate the situation properly and know when either of those two extremes is in play. One of the reasons for this is not so much that we don't understand computer security as that we don't understand the value of information. It is this exact problem that Records Management is supposed to address, but RM to most people feels like taking your shoes off in an airport ... a useless and pointless exercise. The burden of RM is theirs to feel but the benefits are fleeting at best and not enjoyed by those taking on the burden.

A good Records Management program should be able to identify valuable content and a good ECM system should be able to isolate that content and treat it differently. It is possible to put valuable content in a vault and less valuable content under your mattress ... which not only contains costs but, if done correctly, improves the computing experience of the person using the ECM system, likely leading to improved productivity. A poor RM program, however, could be devastating, because if content is misidentified then it might well be the case that $1million is hiding under a mattress and nobody even knows it is there.

The equivalent of a bank vault for your ECM application is absolutely possible, and like any bank vault it can be broken into given the right motivation; nothing is theft-proof. But again like bank vaults, it is possible to make breaking into a vault such an incredibly expensive venture that it won't be attempted unless it is already certain that there is something valuable enough in the vault to overcome the expense. At the heart of Enterprise Content Management should be Information Management, and when it is done right it is not only possible to segregate content appropriately, it is relatively easy to do so.

The problem is the way most organizations practice Enterprise Content Management: they do not really have a good understanding of the information in their environment and instead treat all the "content" as more or less equal regardless of its classification.

There ARE some good automated solutions available that solve much of the problem; Content Server's Automatic Classification provides the required infrastructure. It is possible to algorithmically and automatically determine the type of information a piece of content represents, (re-)classify it, and then store it and manage access to it based upon that classification. This does not work for all content, and certainly not for content that is deliberately trying to subvert such analysis, but for many real-world business processes the tools exist today to identify and differentiate between valuable (types of) content.

The truth is, however, that very few organizations are using ECM in this fashion at all ... while RM is in place, it is used almost exclusively to reduce the legal risk of content; it is rare to see that information leveraged appropriately either to put the valuable content in the vault or to save money by not worrying about (and removing) the content of no value. What is happening with your ECM program? Are you managing the information or simply the content?

 
