A talk that is based on my methodology HIMIS (Human Impact Management for Information Security) for reducing information security risks due to human error. To know more about HIMIS, visit http://www.isqworld.com/himis

1. Security Don’t tell anyone,
Policy my password is…..
Never share
passwords
A model for reducing information security risks due to human
error By Anup Narayanan,
Founder & CEO, ISQ World

2. Nelson Mandela offers you a glass of water….

3. This man…. offers you a glass of water

4. Question
Which water will you
accept?
Why?

5. 1. Objective: Describe a workable
model for reducing information
security risks due to human error
2. Talk Plan:
We are here
I. Differentiate between
“Awareness” & “Behavior”
II. Case study
III. Solution model
IV. Resources
© First Legion Consulting 5

6. Awareness?
Do not share passwords!
© First Legion Consulting 6

7. Shred
documents
before
disposing
Behavior?
© First Legion Consulting 7

8. Putting it together….
Awareness: Behavior: Culture:
I know I do We do
© First Legion Consulting 8

9. 1. Objective: Describe a workable
model for reducing information
security risks due to human error
2. Talk Plan:
I. Differentiate between
“Awareness” & “Behavior”
We are here II. Case study
III. Solution model
IV. Recap & Resources
© First Legion Consulting 9

10. Case-study:
Client: One of the largest mobile service
providers in the world
• What? Spent US$ 100, 000 on a security
awareness campaign
• How? Screen Savers, Posters, Emailers
• Who? Target - Entire employees
© First Legion Consulting 10

11. What did we do?
“Awareness vs. behavior” benchmarking
and produced a scorecard
© First Legion Consulting 11

12. The scorecard
© First Legion Consulting 12

13. Reason 1: Operational issues ….
If I don’t share my password,
salaries won’t get processed Response by HR
Manager
here…including that of the
InfoSec manager.
Message in the poster
Don’t share
passwords
© First Legion Consulting 14

14. Reason 2: Confusion ... Too many rules
Which one
do I follow?
© First Legion Consulting 15

15. Reason 3: Perception…
Which is safer?
© First Legion Consulting 16

16. Reason 4: Attitude … influenced by cost…(peer
pressure, top management behavior)
Nothing’s gonna happen to me
if I violate the security policies?
Well, I saw her doing it …shall
I?
© First Legion Consulting 17

17. “Awareness” & “Behavior”: Independent but
interdependent
Question : A person knows the traffic rules. Does that make the
person a good driver?
Answer: Not necessarily, “Knowing” and “Doing” are two
different things
Question: A person knows the “information security rules”. Does
that make the person a responsible information security
practitioner?
Answer: Same as above
Knowing = Awareness
Doing = Behavior
© First Legion Consulting 18

18. 1. Objective: Describe a workable
model for reducing information
security risks due to human error
2. Talk Plan:
I. Differentiate between
“Awareness” & “Behavior”
II. Case study
We are here III. Solution model
IV. Recap & Resources
© First Legion Consulting 19

19. • HIMIS – Human Impact
Management for
Information Security
• Objective – To provide a
model to reduce security
risks due to human error
• Creative Commons
License, free for non-
commercial use
• Download –
http://www.isqworld.com
, click on the HIMIS link
© First Legion Consulting 20

20. HIMIS solution model - Work backwards
Responsible
information
Define Strategize Deliver Verify security
behavior
© First Legion Consulting 21

21. Define Strategize Deliver Verify
• Choose ESP's (Expected Security Practices) information
security awareness and behaviour requirements valid
for the business
• Review and approval of ESP’s
• Baseline ESP assessment
© First Legion Consulting 22

22. ESP:
Information
Classification
Awareness Behaviour
Criterion criterion
The employees must
The employees must The employees must
actually classify
know the different know how to specify the
document in day-to-day
information classification classification, for
work. The evidence of
criterion : "Confidential, example, in the footer of
this classification must
Internal, Public" each document
be available.
© First Legion Consulting 23

23. Define Strategize Deliver Verify
• For awareness management
– Coverage
– Format & visibility: Verbal, Paper and Electronic
– Frequency
– Quality of content
• Impact visualization
• Clarity & ease of understanding
• Business relevance
• Consideration of cultural factors
– Retention measurement.
• For behavior management
– Motivational strategies
– Enforcement/ disciplinary strategies
© First Legion Consulting 24

24. Quality of content
• Impact visualization
• Clarity & ease of understanding
• Business relevance Yup! Not the usual glorified
• Consideration of cultural factors power point
Wow! This security
awareness video is so cool!
© First Legion Consulting 25

25. A 120 minute training plan
• 120 minutes of training in a year
– 45 minutes classroom or e-learning
– 15 minutes screen saver (12 X 1 to 1.5 minutes)
– 15 minutes posters/ wallpaper (same as above)
– 30 minutes through short videos (6 x 5 minutes)
– 20 minutes through quizzes/ surveys (2 x 10 minutes)

26. Behavior management: What works?
Let’s cut his Let’s talk to
email access him
Let’s fire him
© First Legion Consulting 27

27. Poor Security behavior Vs.
Inconvenience
Poor
security
behavior
In-convenience
© First Legion Consulting 28

28. Poor Security behavior Vs. Cost
Poor
security
behavior
Cost
(Enforcement)
© First Legion Consulting 29

29. Case study 1: Changing behavior (IT Service Provider)
• What we did?
– Quarterly “End-User
Desktop Audits”
– Findings were noted and
“Signed and Agreed by
Auditee”
– Disputes were noted and
“Signed”
– Audit findings were
submitted to InfoSec
Team
© First Legion Consulting 30

30. Case study 1: Changing behavior (Electronic Retail Store)
• Audit finding: Cash boxes are left open when
unattended
• Cost attached: Branch manager will lose 25% of
annual bonus for every violation
• Compliance today is above 98%
© First Legion Consulting 31

31. Define Strategize Deliver Verify
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt
© First Legion Consulting 32

32. Define Strategize Deliver Verify
• Audit strategy
– Selection of ESP’s
– Define sample size
– Audit methods
• For awareness: Interviews, Surveys, Quizzes, Mind-map
sessions
• For behavior: Observation, data mining, Log review,
Review of incident reports, Social engineering?
– Reasonable limitations
– Behavior may not always be visible
© First Legion Consulting 33

33. © First Legion Consulting 34

34. 1. Objective: Describe a workable
model for reducing information
security risks due to human error
2. Talk Plan:
I. Differentiate between
“Awareness” & “Behavior”
II. Case study
III. Solution model
We are here IV. Recap & Resources
© First Legion Consulting 37

35. Recap
Responsible
information
Define Strategize Deliver Verify security
behavior
© First Legion Consulting 38

36. Tip! Get HR buy-in
People are my
People are my biggest threat!
biggest asset!
HR InfoSec
manager Manager
You must talk the same thing!
© First Legion Consulting 39

37. Conclusion
If you can influence perception, you can influence the
way people choose or react (behavior)
Perception is influenced if there is a cost for an
action
© First Legion Consulting 40

38. If I follow the information
security rules will I gain
something. If I don’t follow,
will I lose something?
When you get your users’ to think
this way, you are on your way to a
better information security
culture!
© First Legion Consulting 41

39. Resources
• Free security awareness videos –
www.isqworld.com
• Bruce Schneier – The Psychology of Security -
http://www.schneier.com/essay-155.pdf
• The Information Security Management
Maturity Model (ISM3) – www.ism3.com
© First Legion Consulting 42

40. Anup Narayanan,
Founder & Principal Architect
ISQ World, A First Legion Initiative
anup@isqworld.com
www.isqworld.com
© First Legion Consulting 43