Two simple ways to improve utility and confidentiality of e-mail

* User behaviors can lead to better information assurance

Two of the six fundamental attributes of information that information assurance is supposed to protect are utility and confidentiality. In this column, I want to address damage to utility and confidentiality resulting from two of the most common errors in using e-mail: mislabeling the subject and making the addresses of everyone in the distribution list public.

Many people make the mistake of creating new messages to a correspondent by finding any old message from that person and replying to it. The problem is that these people usually leave the old subject intact, resulting in ridiculous situations such as finding a critically important message in July in an e-mail labeled, “Birthday party 12 May.”

Not all e-mail messages are created equal; some are destined for the trash heap, if not of history, at least of the e-mail system. That decision is sometimes made automatically as a function of the subject line. For example, I usually flag e-mail messages that have resulted from jokes and that consist of additional comments tacked to the top of ever-expanding copies of previous messages. Once I add the subject line of these messages to my filter, my e-mail program automatically routes the jokes to a junk mail folder. Anyone inserting operationally important information into such a data stream is out of luck.

Another problem with mislabeled subjects occurs when someone embeds more than one distinct topic in an e-mail message whose subject line implies otherwise. For example suppose an e-mail message subject reads “Next week’s meeting” but the sender includes an urgent request for action today on some critical issue; there’s a good chance the receiver may not open the message right away if other messages seem more important.

Try to make your subject line as descriptive as possible without turning it into a paragraph. Some e-mail systems truncate subject lines in the display of messages that a user sees; it makes sense to put keywords at the front of the subject. I encourage my staff to use prefixes such as “MSIA:” or “OGP:” to help organize their messages. Using standard formats in subject lines can help, too. For example, in our work in the MSIA, I have asked that faculty and staff referring to an issue in a particular seminar use the form “MSIA c.s” in their subject line, where c represents the class (e.g., 7 for students starting in September 2005) and s represents the seminar number.

As for confidentiality, consider that using the “To” and “CC” (“carbon copy” - _there’s_ a bit of historical detritus for us) fields in e-mail makes all recipient addresses visible to all recipients. This situation is usually helpful in internal e-mail because team members can see who has gotten the message, but it can be annoying in external e-mail. Why should a list of dozens of even hundreds of names of strangers be distributed freely among them without the explicit permission of all concerned? Who knows where that information will end up? If you are sending a message to a list of people who do not know each other, I think it is a simple matter of courtesy to use the BCC (“blind carbon copy”) field to reach everybody without making the list public.

The BCC field is also useful for internal e-mail when the list of recipients is very large but it is not important for people to know exactly who received the message. I have seen large distribution lists consume half a page of space in an e-mail message with no obvious benefit to anyone.

These simple suggestions can make e-mail more effective as a communications tool. I hope you will try them and tell your users about them in your IT and security newsletters. Remember that you are always welcome to provide URLs for articles in the Network World archives or even to reprint these security columns in internal newsletters (with attribution).

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Now read: Getting grounded in IoT