My recent presentation at cOcOn, an international Cyber Security and Policing Conference in Trivandrum Kerala. The talk focuses on reducing information security risks due to human error using information security awareness and competence management solutions.
A model for reducing information security risks due to human error
1. “We are not just security aware, but security competent as well”
A model for reducing security risks due to human error
Anup Narayanan, CISA, CISSP
Founder & CEO, ISQ
2. Focus of the talk
Speech bubble: “Don’t tell anyone, my password is…..”
Security Policy: “Never share passwords”
Addressing the human factor using security “awareness” and “competence” management
(C) ISQ. All Rights Reserved 2
3. The difference between “Awareness” and “Behaviour (Competence)”
“I know the traffic rules….”
4. Does it guarantee that I am a good driver?
5. Awareness >> Behaviour >> Culture
Awareness: “I know”
Behaviour (Competence): “I do”
Culture: “We know and do”
An organization must aim for a responsible security culture
6. The problem (Mistakes that organizations are making)
“I have an amazing security awareness program but people still make security mistakes!”
The focus is only on awareness, not behaviour (competence) and culture
7. What do organizations need?
A system that periodically shows the current Awareness and Competence Levels
[Meter: Organization’s awareness score is 87% (scale: LOW AWARENESS / MEDIUM AWARENESS / HIGH AWARENESS)]
[Meter: Organization’s competence score is 65% (scale: LOW COMPETENCE / MEDIUM COMPETENCE / HIGH COMPETENCE)]
8. The power of perception
Why do people make security mistakes?
9. Imagine…
Nelson Mandela walks into this room right now and offers you this glass of water….
Will you accept it?
10. Now, imagine this…
This man walks into this room right now and offers you this glass of water….
Will you accept it?
11. Question
Which water did you accept? Why?
12. Analysis
Were you checking the water or the person serving the water?
People decide what is good and what is bad based on “trust”.
Perception is influenced by Trust.
13. Why must we address the human factor? (or) Is the human factor worth addressing?
14. Reason 1: Security is both a “Reality” and a “Feeling”
For security practitioners, security is a “Reality” based on the mathematical probability of risks.
For the end user (common man), security is a feeling.
Influencing the feeling of security (what is safe and what is not safe while handling information) makes a user make the right security decisions and apply them.
8/8/2012 (C) ISQ. All Rights Reserved 14
15. Reason 2: Not every attack(er) is that smart
People exaggerate risks that are spectacular or uncommon: “So what? RSA was hacked”
[Chart: Risk severity / Attacker smartness / Attack efficiency (vertical axis) against Control efficiency (horizontal axis); control categories: Technology & Processes, Awareness & Competence]
Level 1: Automatic security controls – AV, Updates
Level 2: Technology + Human – Firewall configuration, Choosing a secure Wifi
Level 3: Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media
Level 4: The very smart attacker
16. Reason 3: How much of a trade-off are we willing to make?
The best way to stop people from making information security mistakes is to deny them access to information. Are you willing to make that trade-off?
Security awareness and competence management is a trade-off that is affordable and effective.
17. Reason 4: The human factor is important…
Aircraft have become more advanced, but does it mean that pilot training requirements have reduced?
Cars have become more advanced, but does it mean that driving tests have become easier?
Medical technology has become more advanced, but will you choose a hospital for its machines or the doctors?
19. The solution is based on HIMIS
• HIMIS – Human Impact Management for Information Security
• Released under Creative Commons License
• Free for Non-Commercial Use
http://www.isqworld.com/himis
20. ESP
[Diagram: the HIMIS cycle. At the centre sits the ESP with its two components, Awareness and Behaviour (Competence). The outer flow runs Security Risk analysis → Identify the human factor → Assess, Improve, Re-assess.]
Define: Identify information security awareness and competence needs of the business.
Strategize: Create the strategy for awareness and competence management.
Deliver: Execute the awareness plan.
Verify: Check change in awareness and competence. Improve.
21. Strategy - Use ESP (Expected Security Practices)
ESP: Information Classification
  Awareness Component: Information classification criterion; Classification labels
  Competence Component: Demonstrates correct classification
ESP: Incident reporting
  Awareness Component: Types of incidents; Incident reporting procedures/channels
  Competence Component: Detects and reports a simulated incident
22. Phase 1 - Define
Define: Identify information security awareness and competence needs of the business.
Strategize: Create the strategy for awareness and competence management.
Deliver: Execute the plan.
Verify: Check change in awareness and competence. Improve.
23. Case Study: Client Profile
• Type of industry: Retail
• No. of employees: 5000+
• Position: Market Leader
• Type of Information handled: Customer data, Intellectual Property
• Spending on Information Security Awareness: US$ 75,000
24. Awareness Vs. Behaviour
Awareness (what people knew):
• Sharing of company/customer information is wrong
• Sensitive Information must be protected
• Access Control Cards must be protected
Competence/Behaviour (what actually happened):
• Customer records were leaked to competitor
• Salary information of top executive was given to head hunter
• Printouts lying unattended
• Visitors can enter the facility without informing security guard
25. Problem Analysis - Visibility & Clarity
When you have too many rules ….it gets complicated
Visibility - The degree to which one can see
Clarity - Free from obscurity and easy to understand
26. Poster: “Don’t share passwords”
Reader’s reaction: “Which password? Network, desktop, ERP….?”
27. Output of Phase 1
[Meter: Organization’s awareness score is 87% (scale: LOW AWARENESS / MEDIUM AWARENESS / HIGH AWARENESS)]
[Meter: Organization’s competence score is 65% (scale: LOW COMPETENCE / MEDIUM COMPETENCE / HIGH COMPETENCE)]
29. Audit strategies - Awareness
• For auditing the information security awareness component of the ESP:
– Interviews
– Surveys
– Quizzes
– Mind-map sessions
30. Auditing Strategies - Behaviour
• For auditing competence:
– Social Engineering
– Observations: Observe for tailgating, observe how many meeting rooms still have sensitive information on the board after the meeting
– Log review: Browsing and email patterns can be observed through log reviews of the corresponding systems
– Data mining: Mine through internet search engines to see how much sensitive information about the company is available online
– Incident report review: Review of incident reports may show how many laptops were lost, and a further investigation may reveal the cause as carelessness (poor behaviour) or not (maybe the user was physically attacked).
31. Phase 2 - Strategize
Define: Identify information security awareness and competence needs of the business.
Strategize: Create the strategy for awareness and competence management.
Deliver: Execute the plan.
Verify: Check change in awareness and competence. Improve.
32. Quality of content – Impact visualization
Show the impact of poor security awareness and competence to the “non-information security” professional
33. Quality of content – Business relevance
“Oops! My business is held responsible if I install pirated software on my PC?”
Show the impact of poor security awareness and competence to the “non-information security” professional
34. Quality of content – Clarity and Ease
Speech bubble 1: “So..the email security policy is …6 pages long.”
Speech bubble 2: “Email security – 5 quick tips. Wow, that’s cool!”
Keep it very simple
35. Quality of content - Cultural factors
Speech bubble 1: “Sorry, that information is classified.”
Speech bubble 2: “Let me explain the basics of password security”
Language or terms used, color and design, character representation
36. Retention measurement
Speech bubble: “Well…my emails have disappeared. Which number do I call?”
• How much have they understood?
• How long do they remember?
  • Immediately
  • 30 days later
  • 60 days later
37. Coverage
• Identify the target workforce
• Tolerable deviation – What percentage of the workforce must receive the training
• Set realistic expectations
• E.g. – Refer to the visibility meter
38. Format and visibility
• Format – Different types of information security awareness content
• Visibility – Channels through which the content is delivered
Format: Verbal – Visibility: Live training sessions, Video conferences
Format: Electronic – Visibility: Email, Intranet, Posters, Social media
Format: Paper – Visibility: Posters, cards, quizzes or surveys
39. Frequency
• Gap between 2 awareness deliveries
• Critical – Gap should be minimal
Which is more effective – Drip irrigation or spraying a lot of water once a day?
41. Creating the right environment
• Motivational Strategies
• Disciplinary strategies
42. Case Study : IT Business
• Company
– Offshore Development, 3 Centers in India
– Young workforce: Majority between 22-27
• Security Rules
– Don’t forward emails with unofficial attachments
– No downloads of videos, music, freeware
– No storage of personal content in official systems
43. Case Study : IT Business
• What did we do?
– Quarterly “End-User Desktop Audits”
– Findings were immediately “Signed and Agreed by Auditee”
– Disputes were noted and “Signed”
– Audit findings were submitted to InfoSec Team
44. Case Study : IT Business – The result
[Chart: % of Non-Compliance over the audit period (vertical axis 0–90%); the plotted values are not recoverable from the slide text]
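As an added example (not part of the talk or the HIMIS material), here is a small Python log-review audit in the spirit of the “Log review” strategy on the Behaviour audit slide and the download rules of the IT-business case study: it parses constructed proxy log lines, flags downloads that break a constructed rule set, and reports the share of the audited workforce that is non-compliant, which is the metric the chart above tracks. The log format, user names, URLs and the extension-to-rule mapping are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (timestamp user method url status); not real data.
PROXY_LOG = """\
2012-08-01T09:01:02 alice GET http://intranet.example/policy.pdf 200
2012-08-01T09:05:10 bob GET http://cdn.example/movie.mp4 200
2012-08-01T09:07:44 carol GET http://downloads.example/freetool.exe?src=ad 200
2012-08-01T09:09:00 dave GET http://mail.example/inbox 200
2012-08-01T10:12:31 bob GET http://music.example/track.mp3 200
this line is malformed and must not abort the audit
2012-08-01T11:00:00 erin GET http://news.example/article 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Assumed mapping of the rule "no downloads of videos, music, freeware" to file extensions.
RULES = {
    "video": (".mp4", ".avi", ".mkv"),
    "music": (".mp3", ".flac"),
    "freeware": (".exe", ".msi", ".dmg"),
}


def classify(url):
    """Return the name of the rule a URL breaks, or None if it is clean."""
    path = url.lower().split("?", 1)[0]  # drop query string, compare case-insensitively
    for rule, exts in RULES.items():
        if path.endswith(exts):
            return rule
    return None


def audit(log_text):
    """Map each user to the list of rules they broke, in log order."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip malformed lines instead of aborting the audit
        _ts, user, _method, url, _status = m.groups()
        rule = classify(url)
        if rule is not None:
            findings[user].append(rule)
    return dict(findings)


def non_compliance_pct(findings, audited_users):
    """Percentage of the audited workforce with at least one finding."""
    if not audited_users:
        return 0.0
    violators = set(findings) & set(audited_users)
    return round(100.0 * len(violators) / len(audited_users), 1)
```

Running `non_compliance_pct(audit(PROXY_LOG), [...])` over successive audit periods gives the series a non-compliance chart is built from; findings per user feed the “Signed and Agreed by Auditee” step.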
46. Security Tradeoff Vs. Inconvenience
[Diagram: a balance between Security Trade-Off and Personal Inconvenience]
47. Security Tradeoff Vs. Cost
[Diagram: a balance between Security Trade-Off and Cost (Enforcement)]
Enforcement or Cost:
• Quality of Life
• Career
• Money
• Time
48. Phase 3 - Deliver
Define: Identify information security awareness and competence needs of the business.
Strategize: Create the strategy for awareness and competence management.
Deliver: Execute the plan.
Verify: Check change in awareness and competence. Improve.
49. Define tolerable deviation
• It is almost impossible to get 100% participation
• Define a number that is reasonable
– 80% participation in the first 6 months
– 85% in the next 6
50. Efficiency
• Efficiency of channels in delivering the program
– Emails must reach the target workforce, not go to SPAM
– Videos must stream at an optimum speed
– Training sessions
  • Trainer must be knowledgeable
  • Able to articulate the topics well
  • Use tools and examples
  • Encourage discussion
51. Collection of feedback
• Not to be confused with “retention measurement”
1. The clarity of the content in conveying the intended message
2. The business relevance of the content
3. Impact visualization
4. The quality of the trainer or the efficiency of the delivery channel
5. Other factors
52. Phase 4 - Verify
Define: Identify information security awareness and competence needs of the business.
Strategize: Create the strategy for awareness and competence management.
Deliver: Execute the plan.
Verify: Check change in awareness and competence. Improve.
53. Audit strategies - Awareness
• For auditing the information security awareness component of the ESP:
– Interviews
– Surveys
– Quizzes
– Mind-map sessions
54. Auditing Strategies - Behaviour
• For auditing competence:
– Social Engineering
– Observations: Observe for tailgating, observe how many meeting rooms still have sensitive information on the board after the meeting
– Log review: Browsing and email patterns can be observed through log reviews of the corresponding systems
– Data mining: Mine through internet search engines to see how much sensitive information about the company is available online
– Incident report review: Review of incident reports may show how many laptops were lost, and a further investigation may reveal the cause as carelessness (poor behaviour) or not (maybe the user was physically attacked).
55. Output of Verify phase
[Meter: Organization’s awareness score was 87%; new score: ? (scale: LOW AWARENESS / MEDIUM AWARENESS / HIGH AWARENESS)]
[Meter: Organization’s competence score was 65%; new score: ? (scale: LOW COMPETENCE / MEDIUM COMPETENCE / HIGH COMPETENCE)]
56. Summary
[Diagram: Information at the centre, surrounded by People, Process and Technology (Firewall)]
Technology and processes are only as good as the people that use them
57. Free resources
• Free security awareness video – http://isqworld.com/security-awareness-training-samples
• The Psychology of Security, Bruce Schneier – http://www.schneier.com/essay-155.html
58. Let’s switch ON the Human Layer of Information Security Defence
Thank You
Anup Narayanan
@ CoCon 2012, Trivandrum, Kerala