Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×

Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige

Hier ansehen

1 von 40 Anzeige

Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

Herunterladen, um offline zu lesen

A talk that is based on my methodology HIMIS (Human Impact Management for Information Security) for reducing information security risks due to human error. To know more about HIMIS, visit http://www.isqworld.com/himis

A talk that is based on my methodology HIMIS (Human Impact Management for Information Security) for reducing information security risks due to human error. To know more about HIMIS, visit http://www.isqworld.com/himis

Anzeige
Anzeige

Weitere Verwandte Inhalte

Diashows für Sie (20)

Ähnlich wie Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011 (20)

Anzeige

Aktuellste (20)

Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

  1. 1. Security Don’t tell anyone, Policy my password is….. Never share passwords A model for reducing information security risks due to human error By Anup Narayanan, Founder & CEO, ISQ World
  2. 2. Nelson Mandela offers you a glass of water….
  3. 3. This man…. offers you a glass of water
  4. 4. Question Which water will you accept? Why?
  5. 5. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: We are here I. Differentiate between “Awareness” & “Behavior” II. Case study III. Solution model IV. Resources © First Legion Consulting 5
  6. 6. Awareness? Do not share passwords! © First Legion Consulting 6
  7. 7. Shred documents before disposing Behavior? © First Legion Consulting 7
  8. 8. Putting it together…. Awareness: Behavior: Culture: I know I do We do © First Legion Consulting 8
  9. 9. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” We are here II. Case study III. Solution model IV. Recap & Resources © First Legion Consulting 9
  10. 10. Case-study: Client: One of the largest mobile service providers in the world • What? Spent US$ 100, 000 on a security awareness campaign • How? Screen Savers, Posters, Emailers • Who? Target - Entire employees © First Legion Consulting 10
  11. 11. What did we do? “Awareness vs. behavior” benchmarking and produced a scorecard © First Legion Consulting 11
  12. 12. The scorecard © First Legion Consulting 12
  13. 13. Reason 1: Operational issues …. If I don’t share my password, salaries won’t get processed Response by HR Manager here…including that of the InfoSec manager. Message in the poster Don’t share passwords © First Legion Consulting 14
  14. 14. Reason 2: Confusion ... Too many rules Which one do I follow? © First Legion Consulting 15
  15. 15. Reason 3: Perception… Which is safer? © First Legion Consulting 16
  16. 16. Reason 4: Attitude … influenced by cost…(peer pressure, top management behavior) Nothing’s gonna happen to me if I violate the security policies? Well, I saw her doing it …shall I? © First Legion Consulting 17
  17. 17. “Awareness” & “Behavior”: Independent but interdependent Question : A person knows the traffic rules. Does that make the person a good driver? Answer: Not necessarily, “Knowing” and “Doing” are two different things Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner? Answer: Same as above Knowing = Awareness Doing = Behavior © First Legion Consulting 18
  18. 18. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” II. Case study We are here III. Solution model IV. Recap & Resources © First Legion Consulting 19
  19. 19. • HIMIS – Human Impact Management for Information Security • Objective – To provide a model to reduce security risks due to human error • Creative Commons License, free for non- commercial use • Download – http://www.isqworld.com , click on the HIMIS link © First Legion Consulting 20
  20. 20. HIMIS solution model - Work backwards Responsible information Define Strategize Deliver Verify security behavior © First Legion Consulting 21
  21. 21. Define Strategize Deliver Verify • Choose ESP's (Expected Security Practices) information security awareness and behaviour requirements valid for the business • Review and approval of ESP’s • Baseline ESP assessment © First Legion Consulting 22
  22. 22. ESP: Information Classification Awareness Behaviour Criterion criterion The employees must The employees must The employees must actually classify know the different know how to specify the document in day-to-day information classification classification, for work. The evidence of criterion : "Confidential, example, in the footer of this classification must Internal, Public" each document be available. © First Legion Consulting 23
  23. 23. Define Strategize Deliver Verify • For awareness management – Coverage – Format & visibility: Verbal, Paper and Electronic – Frequency – Quality of content • Impact visualization • Clarity & ease of understanding • Business relevance • Consideration of cultural factors – Retention measurement. • For behavior management – Motivational strategies – Enforcement/ disciplinary strategies © First Legion Consulting 24
  24. 24. Quality of content • Impact visualization • Clarity & ease of understanding • Business relevance Yup! Not the usual glorified • Consideration of cultural factors power point Wow! This security awareness video is so cool! © First Legion Consulting 25
  25. 25. A 120 minute training plan • 120 minutes of training in a year – 45 minutes classroom or e-learning – 15 minutes screen saver (12 X 1 to 1.5 minutes) – 15 minutes posters/ wallpaper (same as above) – 30 minutes through short videos (6 x 5 minutes) – 20 minutes through quizzes/ surveys (2 x 10 minutes)
  26. 26. Behavior management: What works? Let’s cut his Let’s talk to email access him Let’s fire him © First Legion Consulting 27
  27. 27. Poor Security behavior Vs. Inconvenience Poor security behavior In-convenience © First Legion Consulting 28
  28. 28. Poor Security behavior Vs. Cost Poor security behavior Cost (Enforcement) © First Legion Consulting 29
  29. 29. Case study 1: Changing behavior (IT Service Provider) • What we did? – Quarterly “End-User Desktop Audits” – Findings were noted and “Signed and Agreed by Auditee” – Disputes were noted and “Signed” – Audit findings were submitted to InfoSec Team © First Legion Consulting 30
  30. 30. Case study 1: Changing behavior (Electronic Retail Store) • Audit finding: Cash boxes are left open when unattended • Cost attached: Branch manager will lose 25% of annual bonus for every violation • Compliance today is above 98% © First Legion Consulting 31
  31. 31. Define Strategize Deliver Verify • Define tolerable deviation • Efficiency • Collection of feedback • Confirmation of receipt © First Legion Consulting 32
  32. 32. Define Strategize Deliver Verify • Audit strategy – Selection of ESP’s – Define sample size – Audit methods • For awareness: Interviews, Surveys, Quizzes, Mind-map sessions • For behavior: Observation, data mining, Log review, Review of incident reports, Social engineering? – Reasonable limitations – Behavior may not always be visible © First Legion Consulting 33
  33. 33. © First Legion Consulting 34
  34. 34. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” II. Case study III. Solution model We are here IV. Recap & Resources © First Legion Consulting 37
  35. 35. Recap Responsible information Define Strategize Deliver Verify security behavior © First Legion Consulting 38
  36. 36. Tip! Get HR buy-in People are my People are my biggest threat! biggest asset! HR InfoSec manager Manager You must talk the same thing! © First Legion Consulting 39
  37. 37. Conclusion If you can influence perception, you can influence the way people choose or react (behavior) Perception is influenced if there is a cost for an action © First Legion Consulting 40
  38. 38. If I follow the information security rules will I gain something. If I don’t follow, will I lose something? When you get your users’ to think this way, you are on your way to a better information security culture! © First Legion Consulting 41
  39. 39. Resources • Free security awareness videos – www.isqworld.com • Bruce Schneier – The Psychology of Security - http://www.schneier.com/essay-155.pdf • The Information Security Management Maturity Model (ISM3) – www.ism3.com © First Legion Consulting 42
  40. 40. Anup Narayanan, Founder & Principal Architect ISQ World, A First Legion Initiative anup@isqworld.com www.isqworld.com © First Legion Consulting 43

×