Security Policy: Never share passwords
“Don’t tell anyone, my password is…..”

A model for reducing information security risks due to human error
By Anup Narayanan, Founder & CEO, ISQ World
Nelson Mandela offers you a glass of water….
This man…. offers you a glass of water

Question: Which water will you accept? Why?
1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior” (We are here)
   II. Case study
   III. Solution model
   IV. Resources

© First Legion Consulting   5
Awareness?

Do not share passwords!
Shred documents before disposing

Behavior?
Putting it together….

Awareness: I know
Behavior: I do
Culture: We do
1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study (We are here)
   III. Solution model
   IV. Recap & Resources
Case-study:

Client: One of the largest mobile service providers in the world

• What? Spent US$ 100,000 on a security awareness campaign
• How? Screen savers, posters, emailers
• Who? Target: the entire workforce
What did we do?

“Awareness vs. behavior” benchmarking, which produced a scorecard.

The scorecard
Reason 1: Operational issues ….

Message in the poster: “Don’t share passwords”

Response by HR Manager: “If I don’t share my password, salaries won’t get processed here…including that of the InfoSec manager.”
Reason 2: Confusion ... Too many rules

“Which one do I follow?”

Reason 3: Perception…

“Which is safer?”
Reason 4: Attitude … influenced by cost…(peer pressure, top management behavior)

“Nothing’s gonna happen to me if I violate the security policies?”

“Well, I saw her doing it …shall I?”
“Awareness” & “Behavior”: Independent but interdependent

Question: A person knows the traffic rules. Does that make the person a good driver?
Answer: Not necessarily; “knowing” and “doing” are two different things.

Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner?
Answer: Same as above.

Knowing = Awareness
Doing = Behavior
1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study
   III. Solution model (We are here)
   IV. Recap & Resources
• HIMIS – Human Impact Management for Information Security
• Objective – To provide a model to reduce security risks due to human error
• Creative Commons License, free for non-commercial use
• Download – http://www.isqworld.com, click on the HIMIS link
HIMIS solution model - Work backwards

Define → Strategize → Deliver → Verify → Responsible information security behavior
Define → Strategize → Deliver → Verify

Define:
• Choose ESPs (Expected Security Practices): the information security awareness and behaviour requirements valid for the business
• Review and approval of ESPs
• Baseline ESP assessment
ESP: Information Classification

Awareness criterion:
• The employees must know the different information classification criteria: “Confidential, Internal, Public”
• The employees must know how to specify the classification, for example, in the footer of each document

Behaviour criterion:
• The employees must actually classify documents in day-to-day work. The evidence of this classification must be available.
Define → Strategize → Deliver → Verify

Strategize:
• For awareness management
  – Coverage
  – Format & visibility: Verbal, Paper and Electronic
  – Frequency
  – Quality of content
     • Impact visualization
     • Clarity & ease of understanding
     • Business relevance
     • Consideration of cultural factors
  – Retention measurement
• For behavior management
  – Motivational strategies
  – Enforcement/ disciplinary strategies
Quality of content
• Impact visualization
• Clarity & ease of understanding
• Business relevance
• Consideration of cultural factors

“Wow! This security awareness video is so cool!”
“Yup! Not the usual glorified power point”
A 120 minute training plan
• 120 minutes of training in a year
  – 45 minutes classroom or e-learning
  – 15 minutes screen saver (12 x 1 to 1.5 minutes)
  – 15 minutes posters/ wallpaper (same as above)
  – 30 minutes through short videos (6 x 5 minutes)
  – 20 minutes through quizzes/ surveys (2 x 10 minutes)
Behavior management: What works?

“Let’s fire him”
“Let’s cut his email access”
“Let’s talk to him”
Poor Security behavior Vs. Inconvenience
[Chart: y-axis “Poor security behavior”, x-axis “Inconvenience”]

Poor Security behavior Vs. Cost
[Chart: y-axis “Poor security behavior”, x-axis “Cost (Enforcement)”]
Case study 1: Changing behavior (IT Service Provider)

• What did we do?
  – Quarterly “End-User Desktop Audits”
  – Findings were noted and “Signed and Agreed by Auditee”
  – Disputes were noted and “Signed”
  – Audit findings were submitted to the InfoSec Team
Case study 1: Changing behavior (Electronic Retail Store)

• Audit finding: Cash boxes are left open when unattended
• Cost attached: Branch manager will lose 25% of annual bonus for every violation
• Compliance today is above 98%
Define → Strategize → Deliver → Verify

Deliver:
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt
Define → Strategize → Deliver → Verify

Verify:
• Audit strategy
  – Selection of ESPs
  – Define sample size
  – Audit methods
     • For awareness: Interviews, Surveys, Quizzes, Mind-map sessions
     • For behavior: Observation, data mining, Log review, Review of incident reports, Social engineering?
  – Reasonable limitations
  – Behavior may not always be visible
1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study
   III. Solution model
   IV. Recap & Resources (We are here)
Recap

Define → Strategize → Deliver → Verify → Responsible information security behavior
Tip! Get HR buy-in

HR manager: “People are my biggest asset!”
InfoSec Manager: “People are my biggest threat!”

You must both be saying the same thing!
Conclusion
If you can influence perception, you can influence the way people choose or react (behavior).

Perception is influenced if there is a cost for an action.
“If I follow the information security rules, will I gain something? If I don’t follow them, will I lose something?”

When you get your users to think this way, you are on your way to a better information security culture!
Resources
• Free security awareness videos – www.isqworld.com
• Bruce Schneier – The Psychology of Security – http://www.schneier.com/essay-155.pdf
• The Information Security Management Maturity Model (ISM3) – www.ism3.com
Anup Narayanan, Founder & Principal Architect
ISQ World, A First Legion Initiative
anup@isqworld.com
www.isqworld.com
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 

Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

  • 1. Security Policy: "Never share passwords". (Speech bubble: "Don't tell anyone, my password is…..") A model for reducing information security risks due to human error. By Anup Narayanan, Founder & CEO, ISQ World
  • 2. Nelson Mandela offers you a glass of water….
  • 3. This man…. offers you a glass of water
  • 4. Question: Which water will you accept? Why?
  • 5. 1. Objective: Describe a workable model for reducing information security risks due to human error. 2. Talk Plan: I. Differentiate between "Awareness" & "Behavior" (we are here) II. Case study III. Solution model IV. Resources © First Legion Consulting 5
  • 6. Awareness? "Do not share passwords!"
  • 7. Behavior? "Shred documents before disposing."
  • 8. Putting it together…. Awareness: "I know". Behavior: "I do". Culture: "We do".
  • 9. 1. Objective: Describe a workable model for reducing information security risks due to human error. 2. Talk Plan: I. Differentiate between "Awareness" & "Behavior" II. Case study (we are here) III. Solution model IV. Recap & Resources
  • 10. Case study. Client: one of the largest mobile service providers in the world. What? Spent US$ 100,000 on a security awareness campaign. How? Screen savers, posters, emailers. Who? Target: all employees.
  • 11. What did we do? "Awareness vs. behavior" benchmarking, and produced a scorecard.
  • 12. The scorecard (figure).
  • 13. Reason 1: Operational issues…. "If I don't share my password, salaries won't get processed" (response by the HR Manager, and likewise by the InfoSec manager). Message in the poster: "Don't share passwords".
  • 14. Reason 2: Confusion… Too many rules. Which one do I follow?
  • 15. Reason 3: Perception… Which is safer?
  • 16. Reason 4: Attitude… influenced by cost (peer pressure, top management behavior). "Nothing's gonna happen to me if I violate the security policies." "Well, I saw her doing it… shall I?"
  • 17. "Awareness" & "Behavior": independent but interdependent. Question: A person knows the traffic rules. Does that make the person a good driver? Answer: Not necessarily; "knowing" and "doing" are two different things. Question: A person knows the "information security rules". Does that make the person a responsible information security practitioner? Answer: Same as above. Knowing = Awareness. Doing = Behavior.
  • 18. 1. Objective: Describe a workable model for reducing information security risks due to human error. 2. Talk Plan: I. Differentiate between "Awareness" & "Behavior" II. Case study III. Solution model (we are here) IV. Recap & Resources
  • 19. HIMIS – Human Impact Management for Information Security. Objective: to provide a model to reduce security risks due to human error. Creative Commons license, free for non-commercial use. Download: http://www.isqworld.com, click on the HIMIS link.
  • 20. HIMIS solution model – work backwards: Define → Strategize → Deliver → Verify → Responsible information security behavior.
  • 21. Define: Choose ESPs (Expected Security Practices), the information security awareness and behaviour requirements valid for the business. Review and approval of ESPs. Baseline ESP assessment.
  • 22. ESP: Information Classification. Criterion: the employees must know the different information classification levels: "Confidential, Internal, Public". Awareness criterion: the employees must know how to specify the classification, for example, in the footer of each document. Behaviour criterion: the employees must actually classify the document in day-to-day work; the evidence of this classification must be available.
  • 23. Strategize. For awareness management: coverage; format & visibility (verbal, paper and electronic); frequency; quality of content (impact visualization, clarity & ease of understanding, business relevance, consideration of cultural factors); retention measurement. For behavior management: motivational strategies; enforcement/disciplinary strategies.
  • 24. Quality of content: impact visualization; clarity & ease of understanding; business relevance; consideration of cultural factors. ("Yup! Not the usual glorified PowerPoint." "Wow! This security awareness video is so cool!")
  • 25. A 120 minute training plan: about 120 minutes of training in a year (the items listed add up to 125). 45 minutes classroom or e-learning; 15 minutes screen saver (12 × 1 to 1.5 minutes); 15 minutes posters/wallpaper (same as above); 30 minutes through short videos (6 × 5 minutes); 20 minutes through quizzes/surveys (2 × 10 minutes).
  • 26. Behavior management: What works? "Let's cut his email access." "Let's talk to him." "Let's fire him."
  • 27. Poor security behavior vs. inconvenience (chart; axes: poor security behavior, inconvenience).
  • 28. Poor security behavior vs. cost (chart; axes: poor security behavior, cost (enforcement)).
  • 29. Case study 1: Changing behavior (IT Service Provider). What we did: quarterly "End-User Desktop Audits"; findings were noted and "signed and agreed by auditee"; disputes were noted and "signed"; audit findings were submitted to the InfoSec team.
  • 30. Case study 2: Changing behavior (Electronic Retail Store). Audit finding: cash boxes are left open when unattended. Cost attached: the branch manager loses 25% of the annual bonus for every violation. Compliance today is above 98%.
  • 31. Deliver: define tolerable deviation; efficiency; collection of feedback; confirmation of receipt.
  • 32. Verify. Audit strategy: selection of ESPs; define sample size; audit methods (for awareness: interviews, surveys, quizzes, mind-map sessions; for behavior: observation, data mining, log review, review of incident reports, social engineering?); reasonable limitations: behavior may not always be visible.
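The Verify step above (sample size, audit methods, tolerable deviation) applied to the Information Classification ESP from slide 22, as an added worked example that is not part of the original deck or of HIMIS itself. Awareness evidence is one quiz answer per employee; behaviour evidence is the footer of documents sampled from a file share (the "data mining" audit method). The employee names, the sample records, the minimum sample size and the reading of "tolerable deviation" as the largest share of sampled documents that may be unclassified are all assumptions made for this example.

```python
"""Awareness-vs-behaviour scorecard for one Expected Security Practice (ESP).

Added example (not from the HIMIS deck). Names, sample records and thresholds
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# The classification levels named by the ESP on slide 22.
CLASSIFICATION_LABELS = ("Confidential", "Internal", "Public")
_LABEL_RE = re.compile(r"\b(" + "|".join(CLASSIFICATION_LABELS) + r")\b", re.IGNORECASE)


@dataclass(frozen=True)
class QuizAnswer:
    """Awareness evidence: one employee's answer to 'Name our classification levels'."""
    employee: str
    answer: str


@dataclass(frozen=True)
class DocumentSample:
    """Behaviour evidence: the footer of one sampled document and its author."""
    employee: str
    footer: str


def knows_classification(answer: str) -> bool:
    """Awareness criterion: the answer names every level, in any order or case."""
    named = {m.group(1).lower() for m in _LABEL_RE.finditer(answer)}
    return named == {label.lower() for label in CLASSIFICATION_LABELS}


def document_is_classified(footer: str) -> bool:
    """Behaviour criterion: the footer carries exactly one classification label.
    Zero labels is unclassified; two or more is ambiguous and also counts as a miss."""
    return len(_LABEL_RE.findall(footer)) == 1


def esp_scorecard(quiz: Iterable[QuizAnswer], docs: Iterable[DocumentSample],
                  tolerable_deviation: float, min_sample: int = 5) -> dict:
    """Score one ESP from audit evidence.

    tolerable_deviation (assumed reading of the slide's term): the largest share
    of sampled documents that may be unclassified before the ESP fails.
    min_sample (assumed): refuse to score below the sample size the audit plan defined.
    """
    quiz, docs = list(quiz), list(docs)
    if len(quiz) < min_sample or len(docs) < min_sample:
        raise ValueError("sample below the size defined in the audit strategy")

    aware = {q.employee for q in quiz if knows_classification(q.answer)}
    awareness_rate = len(aware) / len(quiz)          # one answer per employee assumed

    classified = sum(document_is_classified(d.footer) for d in docs)
    behaviour_rate = classified / len(docs)

    # Employees who passed the quiz but still filed at least one unclassified document.
    sloppy = {d.employee for d in docs if not document_is_classified(d.footer)}
    know_but_dont_do = sorted(aware & sloppy)

    return {
        "awareness_rate": round(awareness_rate, 3),
        "behaviour_rate": round(behaviour_rate, 3),
        "gap": round(awareness_rate - behaviour_rate, 3),
        "within_tolerance": (1 - behaviour_rate) <= tolerable_deviation,
        "know_but_dont_do": know_but_dont_do,
    }


# Constructed evidence for a six-person team (not real audit data).
QUIZ = [
    QuizAnswer("asha", "Confidential, Internal and Public"),
    QuizAnswer("ben", "confidential / internal / public"),
    QuizAnswer("chen", "Public, Internal, Confidential"),
    QuizAnswer("dana", "Secret and Public"),            # wrong levels
    QuizAnswer("eli", "Confidential, Internal, Public"),
    QuizAnswer("fay", "Confidential or Internal"),      # forgot Public
]
DOCS = [
    DocumentSample("asha", "Classification: Internal | Page 1 of 3"),
    DocumentSample("asha", "Page 2 of 3"),                   # no label
    DocumentSample("ben", "CONFIDENTIAL - do not distribute"),
    DocumentSample("chen", "Internal / Public - pick one"),  # two labels, ambiguous
    DocumentSample("dana", ""),
    DocumentSample("eli", "Public"),
    DocumentSample("eli", "Classification: Public"),
    DocumentSample("fay", "Draft v2"),
]

if __name__ == "__main__":
    for key, value in esp_scorecard(QUIZ, DOCS, tolerable_deviation=0.10).items():
        print(f"{key}: {value}")
```

The scorecard keeps the two rates separate and lists the employees who passed the quiz yet still filed unclassified documents, which is the "knowing is not doing" gap the mobile-operator case study surfaced: an awareness-only survey of this constructed team would report 67% and hide the 50% behaviour figure. Refusing to score an undersized sample is the code's version of "define sample size", and the "reasonable limitations" caveat still applies: a footer scan sees only documents that reach the file share, so behaviour remains partly invisible.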
  • 33. (figure)
  • 34. 1. Objective: Describe a workable model for reducing information security risks due to human error. 2. Talk Plan: I. Differentiate between "Awareness" & "Behavior" II. Case study III. Solution model IV. Recap & Resources (we are here)
  • 35. Recap: Define → Strategize → Deliver → Verify → Responsible information security behavior.
  • 36. Tip! Get HR buy-in. HR Manager and InfoSec Manager: one says "People are my biggest asset!", the other "People are my biggest threat!" You must talk the same thing!
  • 37. Conclusion: If you can influence perception, you can influence the way people choose or react (behavior). Perception is influenced if there is a cost for an action.
  • 38. "If I follow the information security rules, will I gain something? If I don't follow them, will I lose something?" When you get your users to think this way, you are on your way to a better information security culture!
  • 39. Resources: Free security awareness videos – www.isqworld.com. Bruce Schneier – The Psychology of Security – http://www.schneier.com/essay-155.pdf. The Information Security Management Maturity Model (ISM3) – www.ism3.com.
  • 40. Anup Narayanan, Founder & Principal Architect, ISQ World, A First Legion Initiative. anup@isqworld.com, www.isqworld.com