Dear FATG:

First of all, this is not a conundrum. This is a simple business issue. If you want a conundrum, I will give you one: Why do people purchase vanity license plates? Do you know what I mean? Those cute little license tags that say things like MY RED BMW or IT GEEK. Isnt that clever? Is it a mnemonic device or just plain idiotic? When was the last time you had to remember your license-plate number? The only time I ever need it is when I stop at one of those funny motor lodges with the purple carpet and the red roof. There always is a place on the registration for tag number. And I always leave it blank. Then, what happens if you get fired and youre stuck with the ME CIO license plate? Thats where the real trouble begins. Unless you live in Holland, you are going to have a hard time finding a license plate big enough to display WALMART GREETER. Now, thats a conundrum.

Back to the problem at hand. This really is a business issue. Corporate America is driven by the bottom line. The bottom line depends on generating enough revenue at the top line to make the bottom line the right magnitude and the right color. If you give away your product by not protecting it, you will not generate sufficient revenue. Case closed. But there is more to this. It is necessary to strike the proper balance between ease of access and protection of the product.

The biggest problem in striking this balance is proper education of the customer. Remember, on the Internet no one knows you are a dog. If customers are willing to fork over big bucks for your product, they also have the right to expect the product will not be available to others who were too cheap to pay for it. Your marketing people need to sell this value proposition to the customer.

If the information service truly provides up-to-date information, then you need to offer it online. And if it is online, you need to secure it. There are ways to implement really tight security, such as using a USB dongle or a single-use installation script, but these are cumbersome and difficult to manage. You do want your customers to be able to access their information easily and efficiently. The most common scheme runs something like this: When users first purchase or activate the product, a cookie is placed on their computers. The cookie identifies the users when they return to the site. A login screen even may be prepopulated with information provided by the cookie and a database look-up. However, users generally are expected to type in their password. Just like an ATM. As soon as I stick my card in the machine, it knows Dr. G.s card has been presentedbut it doesnt assume it is dealing with me until I key in my password. As long as I am interacting with the ATM and it still has my card, I can perform multiple transactions.

Likewise, as long as I have a browser window open, I possess a session cookie (assuming I have logged correctly on to the site), and I can use my information service as much and as long as I want. However, as soon as I close my browser windows, the session cookie disappears and I am once again an anonymous user. Just like pulling your card out of the ATM. This is not unreasonable. In fact, it is very low security. I accidentally have accessed strangers secure accounts using machines in Internet cafes. Web browsers and Web sites have become so user-friendly with features including auto-completion and remember my password for this site that Internet security in reality has become virtually meaningless. Typing in a password is just one step above saying Joe sent me, but it does provide a modicum of surety.

If you have a question for Dr. G., please send via e-mail to [email protected]. And, please, no conundrums.

Readers are invited to send their questions to Dr. Gigabyte for response in this column. Letters are for purposes of exploring insurance IT issues only and may or may not be contributed by any particular individual.