Thanks for the link!

Originally posted here by catch
Hmm actually the majority of IS security technology is flawed and do lead to a good number of failures.
Point taken - but aren't these flaws the result of either human failure (e.g. the coder) or of management failure (e.g. focus on features instead of secure system development)?
Not that you or I as humble IS managers can do anything about this, of course. So we resort to security policies and procedures to work around the fact that our IT is fallible. All failures you encounter now are again either human failures (e.g. patch not applied, despite a procedure telling you to do so) or management failures (forgot to put procedure in place, or decided not to based on risk/value assessment). Frameworks like BS7799 help us to think of the most common areas to evaluate and address.
I know it's not the most common viewpoint - what's anyone's feeling on this?

In regards to the research - I'm not stuck up on UK only participation, the only issue will be that all the face2face work will need to be replaced by other means (email, phone, instant messaging etc). Get in contact if you're interested, and I'll send you additional information on what I'm looking to do in detail.