If someone you don't know approached you on the street and asked for your address, social security number, or ID number, would you give it?
Since we consider it “personal” and a “huge violation of our privacy,” you probably wouldn’t. But since we don't think our email has the same value as a social security number or ID number, you would probably give your email address easily (in person, business cards, chats, surveys, forms, etc.). This happens every day, and we don't even think of it as "sensitive information," simply because we have a password, and without it, people can’t do anything...right?
Value of Information
What if we are, in fact, our own "worst enemy" when dealing with information security, because we don't see the value that something has for attackers? Giving our email opens us up to several possible attacks and also allows the attacker to track us online. The attacker can search for us, search for our information, and now (thanks to us), the attacker has an even easier job because we "invited" him in. By having our email, he now has a place where he can send malicious files and spam directly to us, even passing as a friend or client! Even easier, the attacker can earn some money by simply adding the email to a list of other emails and selling it online. It is not much, but it is one more for the list…
When searching for people online, we find that names aren’t that good for the job. How many “Johns” or “Marys” exist online? Tons! But what about a “JohnDoe1997@gmail.com”? Not only is it easy to find, but it's easy to correlate and associate X data with X person, in case we weren’t sure that it really is the person we were searching for.
We are taught at an early age that our personal data is "personal" and that “we shouldn’t give it away." But the truth is that most of us aren't really aware of the value of each piece of information, how it really affects us, or how sensitive it really is. Think: how many times a day do you give your email to strangers online, every time you create an account, a profile, invite someone on social media, etc.?
That is why we need to re-think security, and to do that, we need to teach people the value of information, making them more aware. By standard models, "personal information" is anything that makes us identifiable. Of course, a nickname or email can easily be mistaken for “non-personal information” or data that is not sensitive, but in reality, it is our virtual identity. For how many people on your contact list can you find the first and last names just from the email address? What about when it's combined with a person's date of birth?
Email and Trackability
With an email address, an attacker can track us on online forums (and thus find out what we like), track us on social media (and find out whom we interact with), and even gather more information like our full name and birth date. With that, it is not hard to pass as someone else, stealing a real identity after the virtual identity has been stolen. Giving our email not only helps make us targets, but it also helps target our friends and family, making it easier for the attacker to create an email address similar to ours, mix it with some public pictures from social media, and simply pose as us…all this with information we provided willingly to the attacker.
So, would you still share your email address with a stranger?