
The difference between the Reality and Feeling of Security


A presentation that I took recently for a top management group that focuses on the human factor in information security. The presentation focuses on why people make security mistakes by analyzing various factors involving perception, how people make security decisions and how people are influenced by their feeling of security.

Do drop me a note if you wish to discuss this further at "anup at isqworld dot com"


  1. The difference between the "Reality" and "Feeling" of Security. Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ). (Cartoon captions: "She looks trustworthy" / "I'm gonna steal your toys")
  2. Focus of the talk
     • The Human Factor in Information Security
     • From "Security Awareness" to "Security Awareness and Competence"
     • Solution model
     • What are others doing?
  3. Awareness: I know the traffic rules...
  4. Competence? Does it guarantee that I am a good driver?
  5. Awareness >> Behaviour >> Culture
     • Awareness: "I know"
     • Behaviour (Competence): "I do"
     • Culture: "We know and do"
     An organization must aim for a responsible security culture.
  6. What do organizations need? A system that periodically shows the current Security Awareness and Competence levels. (Gauges: Awareness score is 87%, on a scale of low / medium / high awareness; Competence score is 65%, on a scale of low / medium / high competence.)
  7. The power of perception: Why do people make security mistakes?
  8. Imagine... Nelson Mandela walks into this room right now and offers you this glass of water. Will you accept it?
  9. Now, imagine this... This man walks into this room right now and offers you this glass of water. Will you accept it?
  10. Question: Which water did you accept? Why?
  11. Analysis: Were you checking the water or the person serving the water? People decide what is good and what is bad based on "trust". Perception is influenced by trust.
  12. Why must we address the human factor? (or) Is the human factor worth addressing?
  13. Case Study 1: LinkedIn password leak
  14. The most popular passwords in LinkedIn: link, jesus, 1234, connect, work, monkey, god, 123456, job, michael, 12345, jordan, angel, dragon, the, soccer, ilove, killer, sex, pepper
  15. Analysis: You may think you are safe when you are actually not. People are more terrified of being eaten by a shark than of dying of a heart attack... but more people die of heart attacks.
  16. Analysis: People exaggerate risks that are abnormal. Adrenoleukodystrophy: more kids die choking on french fries than of adrenoleukodystrophy.
  17. Reason 1: Security is both a "Reality" and a "Feeling". For security practitioners, security is a "reality" based on the mathematical probability of risks. For the end user, security is a "feeling". Success lies in influencing the "feeling" of security.
  18. Reason 2: Not every attack(er) is that smart. People exaggerate risks that are spectacular or uncommon: "So what? RSA was hacked." (Diagram: vertical axis "Risk severity / Attacker smartness / Attack efficiency", horizontal axis "Control efficiency"; controls grouped as "Technology & Processes" and "Awareness & Competence".)
     1 – Automatic security controls: AV, updates
     2 – Technology + Human: firewall configuration, choosing a secure Wi-Fi
     3 – Human: recognizing a zero-day attack, phishing mails, not posting business information on social media
     4 – The very smart attacker
  19. Reason 3: Technology... yes, but humans... of course! Aircraft have become more advanced, but does it mean that pilot training requirements have been reduced? Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
  20. The Solution Model: Security Awareness and Competence Management
  21. The solution is based on HIMIS
     • HIMIS – Human Impact Management for Information Security
     • Released under a Creative Commons license
     • Free for non-commercial use: http://www.isqworld.com/himis
  22. 1. Awareness vs. Competence: Consider both "Awareness" and "Competence" independently. (Process diagram: Security risk analysis → Identify the human factor → Assess, Improve, Re-assess, tracked separately for Awareness and for Behaviour (Competence); ESP – Expected Security Practice.)
  23. 2. Visualize, engage... and influence perception
  24. (Image only)
  25. 3. Remember drip irrigation: Which is more effective, drip irrigation or spraying a lot of water once a day? Small doses, more frequent.
  26. 4. Re-measure frequently. (Gauges: Organization's awareness score was 87%, now ?; Organization's competence score was 65%, now ?; each on a scale of low / medium / high.)
  27. Threat forecast
  28. Emerging threats 2013 (report by ISF)
     • Natural disasters
     • Economic espionage
     • Diminishing end user security awareness
     • Moving to cloud
     • Social media proliferation & data leaks
     • Corporate frauds
     • Smart outsourcing resulting in less workforce loyalty
     • Introduction of new devices (smart phones etc.)
     • Online leaks
     • Fast development and release of apps without testing
     • Attacks using GPS tracking
  29. Summary. (Diagram: Information at the centre, surrounded by People, Process and Technology (Firewall).) Technology and processes are only as good as the people that use them.
  30. Let's switch ON the Human Layer of Information Security Defence. Thank You. Anup Narayanan, www.isqworld.com
