I really like Bruce Schneier, who writes about computer security. He writes in a way that a non-expert can follow, without dumbing it down. A recent post titled “Identifying People from Mobile Phone Location Data” delivers exactly what it promises.
His latest post, Security Awareness Training, has relevance in other realms. Firstly, it is an excellent explanation of why such training is by and large pointless. He uses a bunch of health examples that make lots of sense. But secondly, it is a great exercise in the importance of numeracy and the failures of innumeracy.
Schneier’s point is that for some problems lowering the average is important, but for others it doesn’t matter. In his example of HIV/safe-sex training, averages are important. If half the people in a group/country/region practice safe sex, then the incidence of HIV/AIDS drops significantly in the whole population (population in the biological sense, not the statistical sense). His point is that computer security is the opposite. If 99% of a workplace or lab practice safe computing, it won’t matter, because the one wanker who doesn’t can infect the entire network. For computer security, raising the minimum, not the average, is what counts.
Whether or not you agree with Schneier on the particulars of computer training, it is still worthwhile to understand how information, infection and viruses of the biological and computer types travel and are transmitted. Some illnesses are like HIV, where averages count, and some are like computer viruses, where the weakest link/minimum is what matters.
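To make the “average versus minimum” contrast concrete, here is a small added illustration of my own; it is not from Schneier’s post and the models are deliberately toy ones. The first model assumes that each person practising safe behaviour removes their share of transmission, so the effective reproduction number scales with the unsafe fraction and an outbreak dies out once it drops below 1 (the standard final-size relation is used for the fraction eventually infected). The second assumes each host is independently “safe” with the given probability and that a single unsafe host compromises the whole network. The 50%, 99% and network sizes are constructed inputs chosen to match the post’s examples.

```python
import math


def epidemic_incidence(fraction_safe: float, r0: float = 2.0) -> float:
    """Average-driven model (the HIV/safe-sex analogy).

    Assumption (toy model): safe-practising members contribute no
    transmission, so the effective reproduction number is
    R = r0 * (1 - fraction_safe).  Below R = 1 there is no outbreak.
    Above it, the fraction eventually infected z solves the final-size
    relation z = 1 - exp(-R z), found here by fixed-point iteration.
    """
    r = r0 * (1.0 - fraction_safe)
    if r <= 1.0:
        return 0.0
    z = 0.5
    for _ in range(200):  # converges for r > 1
        z = 1.0 - math.exp(-r * z)
    return z


def network_compromise_probability(fraction_safe: float, hosts: int) -> float:
    """Weakest-link model (the computer-virus analogy).

    Assumption (toy model): each host independently practises safe
    computing with probability fraction_safe, and one unsafe host is
    enough to compromise the whole network, so
    P(compromise) = 1 - fraction_safe ** hosts.
    """
    return 1.0 - fraction_safe ** hosts


def hosts_for_risk(fraction_safe: float, risk: float) -> int:
    """Smallest network size at which the weakest-link compromise
    probability reaches `risk`, for a given per-host compliance rate."""
    return math.ceil(math.log(1.0 - risk) / math.log(fraction_safe))


def compare(fraction_safe: float, hosts: int, r0: float = 2.0) -> dict:
    """Side-by-side result for one compliance level and network size."""
    return {
        "fraction_safe": fraction_safe,
        "epidemic_incidence": epidemic_incidence(fraction_safe, r0),
        "network_compromise": network_compromise_probability(fraction_safe, hosts),
    }


if __name__ == "__main__":
    # Constructed scenarios mirroring the post: half compliant, 99% compliant.
    for frac, n in [(0.5, 10), (0.99, 100)]:
        row = compare(frac, n)
        print(
            f"{int(frac * 100)}% safe: outbreak incidence "
            f"{row['epidemic_incidence']:.3f}; "
            f"P(network of {n} compromised) {row['network_compromise']:.3f}"
        )
    print("hosts for a 50% compromise chance at 99% compliance:",
          hosts_for_risk(0.99, 0.5))
```

With r0 = 2, getting half the population to practise safe behaviour drives the epidemic to zero, which is the “averages matter” case. In the weakest-link model the same 50% compliance leaves a ten-host network compromised with probability 0.999, and even 99% compliance gives a 100-host network a 63% chance of containing at least one unsafe host; a 50% chance is reached at 69 hosts. That is the sense in which raising the minimum, not the average, is what counts.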