Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×

Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India

Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige

Hier ansehen

1 von 45 Anzeige

Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India

Herunterladen, um offline zu lesen

A brief overview regarding risks to information security due to poor awareness and irresponsible behavior. Based on my methodology HIMIS (Human Impact Management for Information Security). To know more about HIMIS, visit http://www.isqworld.com/himis

A brief overview regarding risks to information security due to poor awareness and irresponsible behavior. Based on my methodology HIMIS (Human Impact Management for Information Security). To know more about HIMIS, visit http://www.isqworld.com/himis

Anzeige
Anzeige

Weitere Verwandte Inhalte

Diashows für Sie (16)

Andere mochten auch (18)

Anzeige

Ähnlich wie Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India (20)

Aktuellste (20)

Anzeige

Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India

  1. 1. Information Employees Creating a RESPONSIBLE Information Security Culture Presented by Anup Narayanan, First Legion Consulting 1
  2. 2. 2 What is the problem?
  3. 3. Poor Information Security Awareness and Behavior impacts the business Most problems are a cultural issue, •The new generation employees Business Information talk about business in Facebook and Orkut or while storing Client/ Customer Regulatory data information in mobile devices data •Many make mistakes while sharing Financial Employee Data data information through email, phone, printing or even while traveling etc. 3
  4. 4. If you are interested in financial data! 4  *Average annual loss due to computer crimes shot up to $350,424/ per company in 2007 from $168,000 in 2006  *Insider abuse of network access or e- mail is the No:1 threat  Note - The numbers are debatable, but what matters is that “money” is involved and hence it matters *Source: Computer Security Institute Survey
  5. 5. Principal focus: “Awareness” is not “Behavior” 5  Awareness: Everyone knows traffic rules  Behavior: Few follow them  Reason  Culture  Quality of enforcement (C) First Legion Consulting. All Rights Reserved 12/29/2008
  6. 6. Definitions: Awareness, Behavior & Culture 6 Awareness Behavior Culture • Knowledge or • The action or • The attitudes understanding reaction of a and of an object, person under “BEHAVIOR” idea or specific that are thought circumstances characteristic of a particular social group or organization”
  7. 7. To change behavior??? 7 “ All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated.”
  8. 8. 8 What is the challenge?
  9. 9. The Challenge 9 Stage 1: I don’t Stage 2: I know but Stage 3: I know know I don’t do and I do • I don’t know • I know about • I practice about password password password security security security No •( • (Awareness) • (Awareness awareness) and Behavior)
  10. 10. Focus on the “3rd” angle of Information Security - PEOPLE 10 Technology and processes Technology (Firewall) are only as good as the people who use them Process People?? (ISO 27001)
  11. 11. 11 Case Study Why focusing only on “awareness” does not produce results?
  12. 12. Analysis of an Information Security “Awareness” Project 12  Client name: with-held  Type of industry: Retail  No: of employees 5000+  Position: Market Leader  Type of Information handled: Customer data, Intellectual Property  Spending on Information Security Awareness: USD 100, 000
  13. 13. Spending Vs. Returns 13 Awareness that was spread Behavior Created: What we found ?  Sharing of  Customer records were leaked to competitor company/customer  Salary information of top information is wrong executive was given to head hunter (job recruiting  Sensitive Information firm) must be protected  Printouts lying unattended  Access Control Cards  Visitors can enter the facility without informing must be protected security guard  More….  More….
  14. 14. 14 What was the problem? Problem 1: Poor “Visibility” & “Clarity” Problem 2: Poor “Enforcement”
  15. 15. Problem 1: Poor Visibility & Clarity 15  An organization has many “rules” and “regulations”  Where is the “information security rule?”  The workforce is confused !!
  16. 16. Example: What are the employees saying? Message in the campaign Employee reaction (3 employees) • Don’t share passwords • Which password? Desktop, Sales ERP, Document passwords? • I am stuck in Traffic Jam, have to update my sales calls by 6 p.m. Tell me what I should do? • I am sorry, but I didn’t know that there was a policy like this Message in the campaign Employee reaction • Protect Sensitive Information • To me all information is sensitive • Does this mean that I cannot share it even with my colleagues • How do I protect?
  17. 17. More reactions!  “It takes 48-96 hours to get a password reset – What should I do, not do my work?”  “I get these annoying “Security Screen Savers” every 90 seconds. Why so much overkill!!”  “We have 100 new employees every month, whereas the security training is once in 6 months. How will you handle these “unaware” employees”
  18. 18. Root cause analysis  Poor Visibility - 50% of the workforce are off-role employees, they don’t have an email ID – Not covered in the campaign  Poor Clarity – Examples  “See something suspicious – Report it”  “Don’t share passwords”  “You have zero privacy anyways – Get over it”  Poor business relevance  Generic  Not business specific  Poor enforcement
  19. 19. Problem 2: Poor Enforcement 19 Migration is determined by ENFORCEMENT Awareness: Behavior: “I know, but I “I know and I don’t do” do”
  20. 20. Remember !!  The poster near the water cooler is great for the 1st 2 weeks  Then it BLENDS into the environment
  21. 21. 21 Solution model Methodology  Content (Awareness)  Enforcement
  22. 22. First, Methodology 22 Enforcement Content Methodology
  23. 23. Methodology: 23  First Legion HIMIS Human Impact Management ™ for Information Security  Creative Commons License, Free for Non-Commercial use  Download from www.himis.org, created and owned by First Legion
  24. 24. What can you do with HIMIS? 24 1. Assess the current level of Information Security Awareness and Behavior 2. Understand the business impact 3. Define “Desirable Information Security Behavior” for each function group (HR, R&D, Finance etc.) 4. Define “Enforcement Strategies” 5. Create a roadmap, measure and monitor
  25. 25. HIMIS: Notes 25  DNV (Det Norske Veritas), a leading “Safety Risk Management Company”, has created an “Independent Assessment Model” for HIMIS  HIMIS is the first “Information Security Behavior” methodology to achieve this  Vodafone India is the first organization to undergo the verification assessment through DNV
  26. 26. Next, Content 26 Tool Content Methodology
  27. 27. Importance of Content 27  Content is a key propellant for creating good Information Security awareness
  28. 28. Qualities of a good Information Security Awareness Campaign 28  Defined by HIMIS  The campaign must have  Reach  Visibility  Content must have the following qualities 1. Business relevance: Not generic but Specific 2. Impact visualization: Show what can go wrong 3. Consider cultural factors: Consider the characteristics of the population 4. Clarity & Ease of understanding: Keep it simple; Less Jargons
  29. 29. People are busy! “I can’t attend the information security training” I am traveling on I have a meeting business I have to prepare a I will be on report vacation 29
  30. 30. Fact: Inputs to designing a good security awareness campaign How clear Is the is my impact language? visualized clearly? What information do they Who am I access? talking to? What’s my workforce? Security Awareness Campaign
  31. 31. Next, Enforcement 31 Enforcement Content Methodology
  32. 32. Remember! 32 Migration is determined by ENFORCEMENT Awareness: Behavior: “I know, but I “I know and I don’t do” do”
  33. 33. Solution Model 33  Create two teams,  The Core Information Security Management Team  A Team of Information Security Champions  Tasks  The Core Information Security Management Team will create the “Enforcement Strategies”  The Information Security Champions will assess the awareness and behavior levels, create awareness and provide feedback  The Core Information Security Management team will enforce awareness strategies based on the feedback
  34. 34. The Solution: Steps of Execution 34  Step 1 – Core team defines the Enforcement Strategies  Step 2 – Create a team of “Information Security Champions”  The champions will be trained on Information Security Awareness and Behavior Management  They champions will be given tools to analyze and record awareness and behavior levels  Step 3 – Support the champions with “Information Security Awareness Content”  The champions will be given a set of content to be distributed to their target group  The content will be created after taking the inputs from the champions  Step 4 – The champions provide the feedback to the core team for enacting enforcement strategies
  35. 35. What is the benefit of this model? 35 1. Information security enters a micro level (functional level) rather than being at a superficial top level 2. Information security awareness is tailor-made for each functional level  Eg:- A champion from Finance team will focus on protecting financial data  Eg:- A champion from HR team will focus on protecting privacy of employee records 3. Business relevance – The champions will give inputs for creating information security awareness content
  36. 36. What is the benefit of this model? (Contd….) 36 4. The champions will be assigned targets that will be monitored and measured 5. You gain an internal capability to manage information security awareness rather than depending on an external consultant
  37. 37. 37 Case Study The importance of Enforcement & how it produces results
  38. 38. Case Study 1: IT Business 38  Company  OffshoreDevelopment, 3 Centers in India  Young workforce: Majority between 22-27  Security Rules  Don’tforwards emails with unofficial attachments  No downloads of videos, music, freeware  No storage of personal content in official systems
  39. 39. Case Study 1: IT Business 39  What we did?  Quarterly “End-User Desktop Audits”  Findings were immediately “Signed and Agreed by Auditee”  Disputes were noted and “Signed”  Audit findings were submitted to InfoSec Team
  40. 40. The key: Repetition and Consistency 40 ?
  41. 41. 41 Remember!! Whatever “Enforcement Strategy” you may decide, the key is “Repetition and Consistency”
  42. 42. Time and resource requirements 42  A roadmap of 3 years  A team of InfoSec Champions for year 1 targeting approximately 5% - 10% of the total workforce (One champion per 50-100 users’)  Average effort of 18 man-hours per champion per year 6 hours in quarter 1  4 hours each in remaining 3 quarters
  43. 43. Additional notes 43  The solution model is ISO 27001 aligned  The targets that this solution will achieve will help in complying to the “Human Resources Security (Domain A.8 of ISO 27001: 2005)
  44. 44. Closing notes: To change behavior 44 “ All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated.”
  45. 45. Presented by Anup Narayanan CISA, CISSP Founder & Sr. Consultant anup@firstlegion.net www.firstlegion.net 45

×