United Kingdom Parliament
Select Committee on Science and Technology Written Evidence


Memorandum by Apache

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  Phishing, malware and disclosure of personal information.

  Modern malware includes keystroke loggers (generally used for phishing), spybots (generally used for unwanted advertising, but also for phishing) and botnets.

  Botnets are of particular interest because they are not generally targeted at the owner/user of the computer, but rather at third parties, with the user as an unwitting accomplice. Botnets have various uses, the most common being to send spam and to execute distributed denial of service attacks.

  Because the user is not the target, it is entirely possible for the user to remain unaware of the presence of bots on his machine. Often bots are identified instead by the user's ISP or by victims of the bot.

  Disclosure of personal information seems to be on the rise—a great example was AOL's recent publication of search history, supposedly anonymised, many of which were then linked back to the people performing the searches simply by looking at what was searched for. Another example that occurs regularly is compromise of users' credit card details.

  The interesting thing about this threat is that the user has almost no way to mitigate it, other than not using the Internet for search or commerce—which rather defeats the point of the 'net.

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  The scale is enormous—for example, estimates of botnet size indicate that there are nets of up to a million machines under the control of a single person, and that a significant percentage of machines on the Internet are infected (I have heard estimates as high as 25%).

  Security breaches affecting individual users are often not detected, and almost certainly not recorded. Certainly there is no consistent framework for such recording.

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  Pursuing the perpetrators of attacks on users with more vigour should lead to improved security.

  An often suggested, but in my opinion wrong-headed, alternative is to make software manufacturers liable for security breaches by their users. This seems to me to be the wrong approach for at least two reasons:

    (a)  It favours large companies over small ones.

    (b)  It is entirely incompatible with the increasingly important open source model for software: since this is largely created and maintained by volunteers for no direct gain, liability for security issues would probably vastly reduce the availability of open source software.

  However, encouraging users to use more secure software, perhaps by publishing security metrics, would seem to be a good idea, though I do fear that this would be manipulated by those with large budgets to make their software appear better than it actually is.

What factors may prevent private individuals from following appropriate security practices?

  The main factor has been shown to be that individuals just don't care about security. That is, if you ask them to spend money in order to be more secure, generally they will not. This is particularly true for privacy, where studies have shown that users will sacrifice privacy for rewards as small as a chocolate bar, and are generally unwilling to pay anything at all for improved privacy, at least until something bad happens to them (when, of course, it is too late).

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  The hardware design required for security is largely understood (except, perhaps, for the digital rights management kind of security, which works against, rather than for, the user) and consists of facilities in hardware for compartmentalising individual pieces of software from each other. Once this is achieved, security then becomes purely a matter of software. Most modern computers have everything required for software to be secure.

  However, all prevalent operating systems, and most of the software run on them, are not designed with security as a primary goal—indeed, they all derive from systems where users were largely trusted, as was the environment the machine runs in. It is exceedingly hard to "add security" to these existing, inherently insecure, frameworks—which is why we seem to have made no progress at all in the last decades on improving security.

  In my experience (and my job is to do security reviews of new products) the attention paid to security is highly variable—designing for security is a specialised skill, not easily acquired, and many do not have an aptitude for it. Also, many companies see security as a barrier to fast release times and flexibility and ease-of-use and so deliberately do not prioritise it.

How effective are initiatives on IT governance in reducing security threats?

  The main problem with IT governance as a means to reduce security threats is that governance is national and security threats are not.

  A secondary problem is that the easy target for governance is the manufacturer or vendor of computer-based products—but this works against small organisations and open source, as I've mentioned above.

How far do improvements in governance and regulation depend on international co-operation?

  It seems to me this is absolutely vital. As we've seen many times, making something illegal in one country just drives the perpetrators to other jurisdictions and does nothing to help the users.

Is the regulatory framework for Internet services adequate?

  It seems to me that regulating Internet services has nothing to do with improving security. One of the problems with malicious versus legitimate activity is that they look the same. Only the outcome distinguishes them.

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  The biggest barrier is a huge quantity of legacy software which cannot have security retro-fitted. Improving security radically really requires starting again from scratch, redesigning operating systems from the ground up, and rewriting all of the software that runs on them.

  This is obviously a massive undertaking—and becoming more massive every day.



 

© Parliamentary copyright 2007