A model for reducing information security risks due to human error

“We a r e n o t
j u s t
s e c u r i t y
a wa r e , b u t
s e c u r i t y
c o mp e t e n t
A model for reducing security risks due to human error
a s we l l ”
Anup Narayanan, CISA, CISSP
Founder & CEO, ISQ 1

Focus of the talk
Don’t tell anyone,
Security
my password is…..
Policy

Never share
passwords

Addressing the human factor
using security “awareness” and
“competence” management
(C) ISQ. All Rights Reserved 2

The difference between “Awareness” and “Behaviour
(Competence)”

I know the traffic rules….


Does it guarantee that I am a good driver?


Awareness >> Behaviour >> Culture

Awareness Behaviour Culture
(Competence)

• I know • I do • We know
and do

An organization must aim for a responsible security culture


The problem (Mistakes that organizations are making)

I have an amazing security
awareness program but people
still make security mistakes!

The focus is only on
awareness, not behaviour
(competence) and culture


What organizations need?

A system that periodically
shows the current Awareness
and Competence Levels
Organization’s awareness score is 87%

LOW AWARENESS MEDIUM AWARENESS HIGH AWARENESS

Organization’s competence score is 65%

MEDIUM
LOW COMPETENCE COMPETENCE
HIGH COMPETENCE


The power of perception

Why do people make security mistakes?


Imagine…

Nelson Mandela walks into this room
right now and offers you this glass of
water….

Will you accept it?

Now, imagine this…

This man walks into this room right
now and offers you this glass of
water….

Will you accept it?


Question

Which water did you
accept?

Why?


Analysis
Were you checking the water or the person serving
the water?

People decide what is good and what is bad based on
“trust”
Perception is influenced by Trust

Why must we address the human
factor?

(or)
Is the human factor worth addressing?


Reason 1: Security is both a “Reality” and “Feeling”

For security practitioners security is
a “Reality” based on the
mathematical probability of risks

For the end user (common man)
security is a feeling

Influencing the feeling of security
(what is safe and what is not safe while
handling information) makes a user
make the right security decisions and
apply it

8/8/2012 (C) ISQ. All Rights Reserved 14

Reason 2: Not every attack(er) is that smart
People exaggerate risks that are spectacular or uncommon:
So what? RSA was hacked
Technology & Processes

Awareness & Competence

The very smart attacker
4

Human – Recognizing a zero day attack,
3 Phishing mails, Not posting business
Risk severity/
Attacker information in social media
Smartness/
Attack
Efficiency 2 Technology + Human – Firewall configuration,
Choosing a secure Wifi

1 Automatic security controls – AV, Updates

Control All Rights Reserved
(C) ISQ. efficiency 15

Reason 3: How much of a trade-off are we willing to make?

The best way to stop people
from making information
security mistakes is to deny
them access to information.

Are you willing to make that trade-
off?

Security awareness and
competence management is a
trade-off that is affordable and
effective


Reason 4: The human factor is important…

Aircrafts have become more advanced, but does it
mean that pilot training requirements have reduced?

Cars have become more advanced, but does it
mean that driving tests have become easier?

Medical technology has become more advanced,
but will you choose a hospital for it’s machines or
the doctors?


The Solution Model

Security Awareness and Competence
Management


The solution is based on HIMIS

• HIMIS – Human Impact
Management for
Information Security
• Released under Creative
Commons License
• Free for Non-Commercial
Use

http://www.isqworld.com/himis


ESP

Awareness
Assess,
Security Risk Identify the Improve, Re-
analysis human factor assess
Behaviour
(Competence)

Identify information security awareness
Define
and competence needs of the business.

Check change in awareness Create the strategy for
and competence. Improve. awareness and competence
Verify Strategize
management

Deliver

Execute the awareness plan

Strategy - Use ESP (Expected Security Practices)

ESP Awareness Competence
Component Component

Information Information Demonstrates correct
Classification classification criterion classification

Classification labels

Detects and reports a
Incident reporting Types of incidents
simulated incident

Incident reporting
procedures/ channels


Phase 1


Define

Verify Strategize
management

Deliver

Execute the plan


Case Study: Client Profile

• Type of industry: Retail
• No: of employees 5000+
• Position: Market Leader
• Type of Information handled: Customer data, Intellectual
Property
• Spending on Information Security Awareness: US$ 75,000


Awareness Vs. Behaviour

Awareness Competence/ Behaviour

• Sharing of • Customer records were
company/customer leaked to competitor
information is wrong • Salary information of top
• Sensitive Information executive was given to
must be protected head hunter
• Access Control Cards • Printouts lying
must be protected unattended
• Visitors can enter the
facility without informing
security guard


Problem Analysis - Visibility & Clarity

When you have too many
rules ….it gets complicated

Visibility - The degree to which one can see
Clarity - Free from obscurity and easy to understand


D o n ’t Which password? Network,
desktop, ERP….?
s h a r e
p a s s w
o r d s


Output of Phase 1

Organization’s awareness score is 87%


Organization’s competence score is 65%

MEDIUM
HIGH COMPETENCE


Detailed Scorecard

100
Score per ESP
90
89
90
82
80 76 78

70
70 67 67 67

60 56

50

40
33
30

20

10
0 0 0
0
Clear Policies Email Security Info Disclosure Password Security Physical Security Incident Reporting Social Networking/
Blogging

Awareness Competence


Audit strategies - Awareness

• For auditing information security awareness component
of the ESP:
– Interviews
– Surveys
– Quizzes
– Mind-map sessions


Auditing Strategies - Behaviour

• For auditing competence
– Social Engineering

– Observations: Observe for tailgating, observe how many meeting
rooms still have sensitive information on the board after the meeting

– Log review: Browsing and email patterns can be observed through
log reviews of corresponding systems

– Data mining : Mine through internet search engines to see how
much sensitive information about the company is available online

– Incident report review: Review of incident reports may show how
many laptops were lost and a further investigation may reveal the
cause as carelessness (poor behaviour) or not (may be the user
was physically attacked).


Phase 2 - Strategize

Define

Verify Strategize
management

Deliver

Execute the plan


Quality of content – Impact visualization

Show the impact of poor security awareness and competence to
the “non-information security” professional


Quality of content – Business relevance

Oops! My business is
held responsible if I
install pirated software
on my PC?

Show the impact of poor security awareness and competence to
the “non-information security” professional


Quality of content – Clarity and Ease
So..the email Email security
security policy – 5 quick tips.
is …6 pages Wow, that’s
long. cool!

Keep it very simple


Quality of content - Cultural factors
Sorry, that
information is
classified. Let me explain the
basics of password
security

Language or terms used, color and design, character representation


Retention measurement
Well…my emails have
disappeared. Which number
do I call?

• How much have they
understood
• How long do they
remember?
• Immediately
• 30 days later
• 60 days later


Coverage

• Identify the target workforce
• Tolerable deviation – How much
percentage of the workforce must
receive the training
• Set realistic expectations
• E.g. – Refer the visibility meter


Format and visibility

• Format – Different types of information security
awareness content
• Visibility – Channels through which the content is
delivered

Format Visibility

Verbal Live training sessions, Video conferences

Electronic Email
Intranet
Posters
Social media
Paper Posters, cards, quizzes or surveys


Frequency
• Gap between 2 awareness deliveries
• Critical – Gap should be minimal

Which is more effective – Drip irrigation or spraying a lot of water once a day?


Competence management/ Behaviour
Change

A case study


Creating the right environment

Motivational
Strategies

Disciplinary
strategies


Case Study : IT Business

• Company
– Offshore Development, 3
Centers in India
– Young workforce: Majority
between 22-27
• Security Rules
– Don’t forwards emails with
unofficial attachments
– No downloads of
videos, music, freeware
– No storage of personal
content in official systems


Case Study : IT Business
• What we did?
– Quarterly “End-User
Desktop Audits”
– Findings were
immediately “Signed
and Agreed by Auditee”
– Disputes were noted
and “Signed”
– Audit findings were
submitted to InfoSec
Team


Case Study : IT Business – The result

% of Non-Compliance
90
80
70
60
50
40
30
20 ? % of Non-
Compliance
10
0


Learning


Security Tradeoff Vs. Inconvenience

Security
Trade-Off

Personal
In-convenience


Security Tradeoff Vs. Cost

Enforcement or Cost
•Quality of Life
Security •Career
Trade-Off •Money
•Time

Cost (Enforcement)


Phase 3 - Deliver

Define

Verify Strategize
management

Deliver

Execute the plan


Define tolerable deviation

• It is almost impossible to
get 100% participation
• Define a number that is
reasonable
– 80% participation in the first
6 months
– 85% in the next 6


Efficiency

• Efficiency of channels in
delivering the program
– Emails must reach the target
workforce, not go to SPAM
– Videos must stream at an
optimum speed
– Training sessions
• Trainer must knowledgeable
• Able to articulate the topics
well
• Use tools and examples
• Encourage discussion


Collection of feedback

• Not to be confused with
“retention measurement”
1. The clarity of the content in
conveying the intended
message
2. The business relevance of the
content
3. Impact visualization
4. The quality of the trainer or
the efficiency of the delivery
channel
5. Other factors


Phase 4 - Verify

Define

Verify Strategize
management

Deliver

Execute the plan


Audit strategies - Awareness

• For auditing information security awareness component
of the ESP:
– Interviews
– Surveys
– Quizzes
– Mind-map sessions


Auditing Strategies - Behaviour

• For auditing competence
– Social Engineering

– Observations: Observe for tailgating, observe how many meeting
rooms still have sensitive information on the board after the meeting

– Log review: Browsing and email patterns can be observed through
log reviews of corresponding systems

– Data mining : Mine through internet search engines to see how
much sensitive information about the company is available online

– Incident report review: Review of incident reports may show how
many laptops were lost and a further investigation may reveal the
cause as carelessness (poor behaviour) or not (may be the user
was physically attacked).


Output of Verify phase

Organization’s awareness score was 87%
?


Organization’s competence score was 65% ?

MEDIUM
HIGH COMPETENCE


Summary

Technology
(Firewall)

Information

People Process

Technology and processes are only as good as the people that
use them

Free resources

• Free security awareness video –
http://isqworld.com/security-awareness-training-samples
• The Psychology of Security, Bruce Schneier -
http://www.schneier.com/essay-155.html


Let’s switch ON the Human
Layer of Information Security
Defence

Thank You
Anup Narayanan
@ CoCon 2012, Trivandrum, Kerala

A model for reducing information security risks due to human error

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to A model for reducing information security risks due to human error

Similar to A model for reducing information security risks due to human error (20)

Recently uploaded

Recently uploaded (20)

A model for reducing information security risks due to human error