Standards, Guidelines, and User Engagement

First of all, a link to another thoughtful commentary by Kurt Wismer, about whether AMTSO is a “standards” organization, in which he makes an important distinction between creating standards (in the sense in which AMTSO tends to use the term) and enforcing them. In that context, I agree that the use of the term in the AMTSO name is not necessarily inappropriate.

Nevertheless, most of the discussion I’ve seen in the past week or two seems to centre on the idea that what AMTSO actually does is partly or totally compromised (depending on whose blog you read) by what people think it does. That’s discouraging, but it is, as they say, what it is.

In a subsequent comment he says that “i don’t think AMTSO is wasting it’s time, but do think there’s some obvious room for improvement.” There, at least, I suspect that all parties can agree. I happen to think that AMTSO has accomplished a great deal in the two years of its (formal) existence, but clearly some of the issues that have preoccupied us (interesting technical output and deadly dull but utterly necessary administrative processes in order to comply with legal and other requirements) are of no interest to most of the world, and some of the other issues flagged here have made less conspicuous headway, though that doesn’t mean that progress hasn’t been made.

Let’s return to the issue of user engagement, an issue on which one of our critics persistently accuses AMTSO of not commenting. Well, I’m not the voice of AMTSO, but when Kevin Townsend asked for my comments on the organization for his first article on the topic, here’s something I said in my response that he didn’t quote.

AMTSO runs on a not-for-profit model, but it isn’t cheap to run (and even then it relies mostly on the hard work of a few volunteers and the good will of some of the member organizations in helping out with resources). The subscription fee is going to be too high for most individuals (there are a couple of individual members at the moment, though). The AMTSO blog is partly an attempt to give non-members a voice, but it’s too low-profile right now to get much input. Personally, I’d like to see a two-tier (or more) model, with something like the Anti-Phishing Working Group’s $50 basic membership, which doesn’t give a subscriber voting rights or access to all available resources, but certainly meets that need.

However, I personally think that the need that AMTSO needs to address, sooner or later, is output: that is, to impart information and give the community at large a better understanding of a difficult technical area. Input -from- large user groups might be valuable, and I think we should work on that, but input from too many individuals would inevitably degrade the signal-to-noise ratio. (A fee would go some way towards ameliorating that, though.)

Does that address all of Kevin Townsend’s concerns? Probably not. Is AMTSO going to do something about user engagement? I would imagine so. The topic has been on the table for a while, and since there’s been an upswell of interest in individual applications in the past few weeks, it needs to be addressed sooner rather than later, I guess. As I also said here:

…I don’t think giving Joe User a voice is the same as giving him a vote – I can’t think of a surer way for a voluntary organization to bog down both procedurally and in debate. But I don’t think a dialogue, perhaps on the basis of a second-tier, cheap basic membership fee, is too much to ask…

But that’s not an issue I can resolve all by myself. So, pending further internal discussion, if no-one minds, I’m going to spend some time on my day job…

David Harley CITP FBCS CISSP
Not claiming to speak for AMTSO or for ESET