Fellow CISSP Cragin Shelton made this very pertinent observation and gave me permission to quote him.
The long thread about the appropriateness of learning how to lie (con, 'social engineer', etc.) by practising lying (conning, 'social engineering', etc.) is logically identical to innumerable arguments about whether "good guys" (e.g. cops and security folk) should teach, learn, and practice engaging in any other practice that is useful to and used by the bad guys.
We can’t build defenses unless we fully understand the offenses. University professors teaching how to write viruses have had to explain this problem over and over.
Declaring that learning such techniques is a priori a breach of ethics is short-sighted. This discussion should not be about whether white hats should learn by doing. It should be about how to design and carry out responsible learning experiences and exercises. It should be about developing and promoting the culture of responsible, ethical practice. We need to know why, when, how, and who should learn these skills.
We must not pretend that preventing our white hatted, good guy, ethical, patriotic, well-intentioned protégés from learning these skills will somehow ensure that the unethical, immoral, low breed, teen-vandal, criminal, terrorist crowds will eschew such knowledge.
Threats are external. They are not under your control.
The article title is clearly confusing THREATS with RISKS.
There are aspects of risks which ARE under your control.
You can control how EXPOSED you are to threats and how they will IMPACT you, or more specifically your assets (in this case, the mobile devices).
You can’t prevent threats, you can only mitigate their IMPACT.
You can instigate preventive measures.
Mobile devices and the data on them are ASSETS, not threats.
Correct terminology leads to correct thinking.
Eliminating misunderstanding and confusion leads to effective results.
#1: Plug into the wall without surge protection
#2: Surf the Internet without a firewall
#3: Neglect to run or update antivirus and anti-spyware programs
#4: Install and uninstall lots of programs, especially betas
#5: Keep disks full and fragmented
#6: Open all attachments
#7: Click on everything
#8: Share and share alike
#9: Pick the wrong passwords
#10: Ignore the need for a backup and recovery plan
Well, they seem interesting, but …
The big “but” gets back to one of my favourite phrases: