Mobile Devices - Part of the Corporate System
Gerald Trites, FCA, CA*IT/CISA
The fact is that most people now have cell phones and/or PDAs like BlackBerrys. The cell phones are getting smarter too, which means they can handle email, access the internet and run a number of applications that process data.
Cell phone and PDA owners usually like to use their devices and increasingly want their employers to give them access to corporate data. For productivity reasons, employers often want to provide that data. The problem is that doing so creates a security risk. To compound the problem, the mobile devices are normally (not always) owned by the individuals rather than the company, making it difficult to install and enforce corporate security policies. So we have a situation where the two players, the employee and the employer, have a single desire (effective use of corporate data) but conflicting goals (the employee wants to use their own device to their own ends, while the employer wants to use the device to achieve business objectives safely and efficiently).
The answer may be found in game theory, specifically the classic prisoner's dilemma, in which two prisoners are separated and asked which is guilty. If one betrays the other and the other is silent, the silent one gets the maximum penalty. If both betray each other, then they both get a lesser penalty. If both remain silent, they both get a very minor charge and soon go free.
Since neither knows what the other is doing, the rational course is to betray the other, because this way each will be assured of minimizing their penalty. However, clearly the best outcome for them is to both remain silent. Thus cooperation is the best way to handle the situation, but in the case of the prisoner's dilemma, cooperation is impossible.
In the case of the mobile units, cooperation is possible, and it is the best way to proceed. This means the employer develops policies in cooperation with the employees and encourages them to accept the security safeguards, which may be passwords and encryption. If the employees are involved, there will be a greater chance they will accept the security measures and not disable them.
So this is a new challenge for IS departments. Mobile devices are becoming a very important part of the information system. Maintaining security over the data, which can be sensitive, means working with the users closely to achieve the goals of both the employers and the employees. Accenture has produced a great article on this approach, which is available at their site.