Copyright 2004. Melissa Guenther, LLC. All rights reserved. Creating a Zero Incident Culture.

Post on 01-Apr-2015


Creating a Zero Incident Culture

Measurement

Measuring the effectiveness of security awareness programs usually becomes an assessment of security incident statistics.

This is basically an exercise in measuring luck.

• A common thread among those that have had success with security awareness efforts: giving people clear direction and immediately enlisting their energies in creating that future.

• Involvement in security awareness efforts in academia, Fortune 100 and small businesses – a variety of situations with one constant: people.

• Regardless of the presenting issues, success ultimately boils down to meeting a challenge, solving a problem, or forging a better future. And it takes people to accomplish these feats. Even if you define change as implementing technical solutions, such as a firewall or automatic update installation, technology doesn’t work unless people decide to make it work.

• Getting people involved in the process – because people are the ones who make changes work – is key. “Organizations don’t change – people change. And then people change organizations.”

What is a Zero Incident Culture?

It is not:

• Having absolute security

• Regulatory compliance

What is a Zero Incident Culture?

• It is the presence of security, not the absence of threats/vulnerabilities.

• Behavioral security awareness programs, like Zero Incident, optimize secure work practices and make line workers and supervisors jointly responsible for security.

– Management’s role is to determine the causes of incidents or potential incidents.

– Supervisors focus on secure practices, even if it slows work.

– Workers focus on getting the job done securely, making it a priority equal to getting the job done.

Why Strive For Zero?

• Accepting a certain level of security incidents in your organization means accepting avoidable risk and loss – financial, public perception, legal, productivity and operational.

• Anything less than Zero as an operating philosophy and goal is unacceptable.

What is a Zero Incident Culture?

• A culture that views every incident as an operational error.

• A culture in which security is integrated into all operations.

What are the Benefits?

• Protection of our most important assets

• Financial savings / ROI

• Transcends security – improves quality, morale, productivity, profits, and employee knowledge and ownership of success.

Danger Signs

• Unclear who is responsible for what.

• Belief that everything is ok: “we are in good shape.”

• Belief that rule compliance is enough for security (“if we’re in compliance, we’re ok”).

• No tolerance for whistle-blowers – a “culture of silence.”

• Problems experienced at other locations are not applied as “lessons learned.”

• Lessons that are learned are not built into the system.

• Defects / errors have become acceptable.

• Security is subordinate to production.

• Emergency procedures for severe events are lacking.

• Policies and procedures are confusing, complex and “hard to find.”

• Security resources and techniques are available but not used.

• Organizational barriers prevent effective communication.

• Responsibility, authority, and accountability for security are undefined – security “belonged to IT.”

• The acceptance of defects / errors becomes institutionalized.

– Because nothing has happened (or we are unaware of what has happened), we’re ok.

• Culture is resilient, hard to change, and will revert to old habits if not steered by leadership.


Company Culture

Production Culture - vs. - Security Culture

Due to the high costs of incidents, there is no way a pure production culture can be profitable to its fullest potential.

What is a Production Culture?

• Belief that only production matters.

• Whatever it takes to get the job done.

• Security performance is not measured.

• Security performance is not part of the supervisor’s job.

Security Culture

• Security is not a priority – it is a corporate value.

• All levels of management accountable.

• Security performance measured & tied to compensation.

• Security integrated into all operations.

3 Major Steps to a Zero Incident Culture

To get there you must take AIM

• Assess your current culture

• Implement the 12 upstream elements

• Maintain the culture change

Assessing Security Culture

Diagnosing Organizational Health

What Ails Us

Symptoms

• Coughing

• Pale skin

• Constricted pupils

• Pain

• Deformity

• Nausea/vomiting

Signs

• Elevated temperature

• High/low blood sugar

• Rapid pulse

• Shallow respiration

Confirmed by: Palpation – X-rays – Blood tests – Urine tests – Examination

What Ails An Organization

Symptoms

• Uncorrected vulnerabilities

• Low employee involvement/accountability

• Fear

• Lack of feedback

• Poor security practices

• Zero-reporting

• Leaders not walking the talk

Signs

• High incident rates

• High frequency rates

• Low incident reporting

• Low security audit scores

• Increased cost per employee work-hour

Confirmed by: Culture Surveys – Focus Group Interviews – Management Interviews

Why Measure Perceptions?

• Perceptions are reality.

• Regardless of management’s intent regarding security – reality is what employees perceive about security.

Security Opinion Survey

• The survey measures the drivers of a security culture against a potential perfect score of 100%.

• The gap (how far from 100%) in each driver will help focus security efforts on lower-scoring drivers.

Key Drivers of Security

• Risk/Hazard Correction

• Security Communications

• Behavioral Reinforcement

• Security Values

• Management Credibility

• Accountability

Security Opinion Survey

• The survey also measures the difference in what employees and management perceive about the security culture.

• Typical results are that management perceives security as more positive than do employees.

• The larger the gap the greater the problem.

Risk/Vulnerability Correction

• Measures employee beliefs about the importance a company places on identifying and correcting risks/vulnerabilities.

• A belief that effort and resources are expended to correct risks/vulnerabilities supports a positive perception regarding the company’s commitment to security.

Accountability

• Measures whether respondents believe that supervisors are truly accountable for security performance.

Communications

• Security communications, or the lack of them, shape perceptions regarding the company’s security commitment.

• Measures employees’ perceived freedom to discuss security issues.

• Determines employee fears regarding communicating security issues.

Behavior Reinforcement

• Measures perceptions regarding the effectiveness (or lack) of feedback and reinforcement.

• Also measures perceptions of how effectively leadership “values” security.

• Measures perceptions of how well the “actions of security” are modeled.

Security Values

• Measures perceptions regarding the company’s commitment to security as a value.

• Also measures how the individual values security, as well as how their co-workers, leaders, and the company as a whole value it.

• The higher security is valued, the better the security performance.

Management Credibility

• Measures how employees perceive management’s support for security – and how believable leaders are.

• Sometimes the “words” used by leaders are on target but their “actions” undermine their credibility.

Culture Assessment Report

Provides a gap analysis of security in the “real world” as opposed to the “ideal” security process.

Defines the security culture – “what it’s really like” in the minds of employees.

Measures the disparity gap between management and employee perceptions.

Zero Incident Culture

Stairway to Zero Security Incident Excellence (figure; steps listed from the top step down):

• Continuous Improvement

• Behavioral Security

• Incident Analysis

• Training and Education

• Planning

• Performance Coaching

• Leadership

• Employee Owned

• Communications

• Accountability

• Values

• Vision

Each step is a building block supported by the steps below.

VISION

Vision answers the question “where are we going?”

The Importance of Vision

• Vision refers to a picture of the future and discusses why people should strive to create that future.

• Clarifies any confusion – “Is this in line with the vision?”

VISION

• One of the most famous vision speeches was made by John F. Kennedy regarding space travel. He committed that the United States would send a man to the moon within 10 years and bring him back alive.

• It was certainly a stretch – great minds of the time said it was impossible.

VALUES

• Values are the ideals or principles of a society (organization).

• Values define the ground rules (behaviors) for personal interactions in a company.

• Clearly defined organizational values are the springboard for all other security efforts.

VALUES vs. PRIORITIES

Priorities can be shifted – values cannot.

Organizational Values

• All companies have values, whether or not they have identified them.

• Many managers may believe security is a value in the company, when in fact it is not.

Individual Values

• Individual values can influence group values.

• This influence can be positive or negative.

Espoused Values

• Are not the actual values in a company.

• These are “what a company would like its values to be.”

• If security is violated frequently, it is simply an espoused value.

Security as a Core Value

The vast majority of people will adopt the organization’s values if they perceive this is what upper management truly wants.

• Employees who will not align themselves with the values of the organization do not fit – regardless of position.

Accountability

“The Engine That Drives Security”

Accountability

• Accountability can take us from the reactive mode of constantly putting out fires to a proactive mode of making sure the security process is in fact working at the operational level.

Accountability Defined

• Someone is accountable when their performance is measured.

• When someone is responsible, their performance is not necessarily measured.

• The objective is to motivate performance.

Accountability Defined

• Obligation to perform duties to an accepted standard… or else.

• Has a measurement system, evaluation, and consequences.

Accountability

• Supervisors are usually measured on schedule, production, and cost.

• They are often not measured on security performance, or not measured effectively and fairly.

Accountability

• “What gets measured, gets done”

• We tend to “get done” what is measured by our supervisor

Management Accountability

• All levels of management and supervision must be held accountable.

• Security performance must be measured objectively.

• Must be controllable – must be fair.

Who Should Not Be Accountable?

• Those without ultimate control… the security professional!

One of the most common structural mistakes.

Measuring Performance

• Upper management should be measured on results and activities.

• Front line supervisors should be measured mostly on activities.

Measuring Performance

• Remember – the absence of threats is not the same thing as the “presence of security.”

• Focus on defining what the presence of security would look like, then develop a system to measure it.

Results

• Results measurements may include:

– Incident rates

– Incident costs

– Cost per man hour

– Audit scores

– Observation frequency

Activities

• Activities may include:

– Self inspections

– Awareness

– Security training and education

– Desktop meetings

– Security planning

– Task analysis

– Behavioral reinforcement

Accountability Systems

• Performance appraisals

– Should be at least annual; more is better – the more communication regarding performance, the more effective.

– Security should have equal weight to other performance measures.

The Difference Between Incentives & Accountability

Incentive Programs

• Employee focused

• Reward for “no incident” (trinkets)

• Short-term (contest)

• No real consequences

• May not motivate

Accountability Process

• Manager/supervisor focused

• Rewards performance

• Long-term / on-going

• Impacts compensation

• Impacts career path

• Motivates performance

Security Communications

• Communicating Vision & Values

• Eliminating Fear from the Workforce

• Communicating Instructions / Procedures

Communicating Vision & Values

• You cannot over-communicate vision & values

• Takes up to 50,000 communications to anchor in culture

• Must use a variety of methods / forums

Balancing Security with Production Messages

• Management often sends mixed messages

• Think about how many production or schedule messages employees receive daily in relation to security messages

“Fear is at the root of all the time people spend in meetings not saying what’s really on their mind.”

Vice President of a Fortune 500 Company

Fear in the Workforce

• If people are afraid to bring up security issues, a serious flaw exists in the security process.

• It is not possible for a company to move to security excellence unless this problem is corrected.

Communication

• Build trust & drive out fear of bringing up security issues

• Open up lines of communication with employees

Communication

• Provide feedback & reinforcement

• Provide regular forums (committees) with high employee involvement

• Actively solicit & reward employee input about security vulnerabilities, issues, & improvements

Communication

• Get personally involved in providing security awareness, training and education

• Actions speak louder than words – set the example.

Communicating Instructions / Procedures

• Never assume that because we told someone what or how to do something, they understood.

• Explain, then have them repeat it.

• Follow up and re-direct as necessary.

• Communication includes listening – listen with the intent to understand.

Employee Ownership

• No one knows more about security needs than the people doing the work.

• Lack of involvement (buy-in) is epidemic in traditional security programs.

• Caused by top-down management.

• Employees will get involved if you “make it safe for them to do so.”

Employee Ownership

• Start with involvement—work toward ownership

• Get employees involved in:

– Setting security policy and procedures

– Inspections / audits

– Behavioral observations & feedback

– Conducting security training

– Functional security committees

Leadership

Developing Leadership for Security

“Walking the Talk”

• If the “audio don’t match the video” you lose credibility

• One of the most common complaints by employees.

• Management actions / decisions must be aligned with what we say about security.

Performance Coaching

“Effective leaders help their teams practice perfection.”

Don Shula

Why Employees Don’t Do What They Are Supposed to Do

• Don’t know:

– Why/how

• They think:

– Your way won’t work

– Their way is better

– Something else is more important

– They’re already doing it

• Rewarded for not doing

• Punished for doing

• No consequence for not doing

• Obstacles beyond their control

Problems in the workplace are often created not by what we do, but by what we fail to do.

Aubrey Daniels

New Focus

“Catch me doing something right”

• Traditional security only addresses the negatives

• If people are not told they are appreciated – they will assume the opposite

EMPLOYEE MOTIVATION

• SOON – CERTAIN – POSITIVE

• “WHAT GETS REWARDED GETS REPEATED”

What Gets Rewarded Gets Repeated

• The job of the effective leader is to create positive consequences for positive performance.

• Decrease undesirable behaviors by arranging consequences that will stop them.

• Increase desirable behaviors by arranging consequences that will positively reinforce them.

5 Steps for Effective Coaching

1. Observe the behavior

2. Reinforce all positive behaviors

3. Provide performance feedback (non-invasive)

4. Re-direct (if necessary)

5. Follow-up & reinforce new behaviors

Security Planning

• Planning is a major differentiator between a security process that is proactive rather than reactive.

• When to plan for security:

– New operations / processes

– New equipment

– Shut-downs

– Acquisitions / mergers

– Downsizing

Security Planning

• Plan for emergencies – develop a disaster recovery management plan and PRACTICE.

• In a post-9/11 world, there is no excuse for failure to plan for emergencies.

Task Security Analysis

• The single most effective technique for preventing incidents.

• An organized system for breaking jobs into sequential steps.

• Results in a secure work procedure (much more efficient than relying on “security policy, procedures and rules”).

Task Security Analysis

• Perform for all high-risk activities

• Use brainstorming process

• Get employees involved in the process

Effective Security Awareness Training and Education

The only thing worse than training people and losing them is not training them and keeping them.

Security Awareness, Training and Education

• Who will conduct training?

• When, how often, and who will keep documentation?

• Account for:

– Language barriers

– Translation / Spanish trainers

Security Awareness, Training and Education

• Supervisory and management training

– Security management

– Leadership training

– Performance coaching

New Hire Orientations

• Most Important Security Training

• Highest Rate of Incidents

• Compliance Required Training

• Buddy System

New Hire Orientations

• Job Specific Security Awareness and Training

• Job Rules

• Incident Reporting

• Retrain After First Day?

• Language and Reading Issues

Supervisor Orientations

• New supervisors

– Security program

– Duties / responsibilities / accountability

– Training needs

Training Improvements

• Integrating security into job / task training is more effective than pure “security training.”

• People learn more by doing than by hearing

• Make all job security training as “hands-on” as possible

Learning Pyramid

Source: NTL Institute for Applied Behavioral Sciences

Training Improvements

• “See one, do one, teach one”

• When we must teach others we are forced to learn it well.

• Getting employees involved in training other employees is invaluable.

Five Step Training Process

1. Explain the task

2. Demonstrate how it is done

3. Allow employee(s) to do it under observation of the trainer

4. Re-direct as necessary

5. Follow-up

Incident Analysis

• Only by getting to the root cause can we prevent a reoccurrence.

Effective Brainstorming

• Use for problem-solving, root cause analysis, or for generating ideas

• What is a Root Cause ?

• The real or underlying causes of:

– Incidents

– Insecure behavior

– Insecure conditions

Why Investigate for Root Causes ?

• Most “causes” listed on incident reports are not causes at all – they are symptoms

• Finding root causes allows us to prevent a reoccurrence.

Why Analyze for Root Cause ?

• Standard incident investigations do not go far enough

• Insurance investigations seek to place:

– Liability

– Compensability

– Blame / fault

Key Security Management Principle

• Insecure acts & conditions are symptoms of something wrong in the management system.

• Root causes will lead to the following general areas:

– Knowledge

– Skill

– Motivation

– Work process

Symptoms -vs.- Causes

• Insecure acts or conditions are not the causes of incidents, they are symptoms of a defect in our system

• Symptoms can be observed, but they are not the root causes

• Causes are the underlying reasons that allow the symptoms to occur.

• Root causes cannot be seen – they can only be identified through a thorough investigation.

Root Cause Analysis

• To determine root causes, look at the symptoms, gather the facts, then ask the “W” questions about each symptom:

– What

– Where

– Why, why and why

– Who

– When

Root Cause Analysis

• Management creates the job, the environment, the rules, the culture, and the “way things are done.”

• If symptoms are occurring, management must change the system, rather than blaming the employee(s).

Root Cause Analysis

• Symptoms - The insecure acts and conditions which we can see that often result in incidents but are not necessarily the root cause.

Root Cause Analysis

• Causes – the underlying reasons for incidents which we can’t see; they can only be identified by a thorough investigation.

• Some common examples of causes are:

– Inadequate training

– Lack of accountability

– Inadequate policies and procedures

– Improper environmental and equipment set up

– Conflicts in values

Root Cause Analysis

• Failure to address root causes will result in the reoccurrence of:

– Symptoms

– Incidents

Behavioral Security

How Behavior Affects Security

“The insecure acts of persons are responsible for a majority of incidents.”

Donn Parker

Father of Security

Not A Magic Bullet

Addressing behavior alone is not the magic bullet.

• Insecure behavior, however, is often a component of the chain of events leading to an incident.

• Insecure behavior is a predictor of future incidents.

• Looking for shortcuts is NORMAL human behavior.

• Allowing insecure behavior to become the norm reinforces that it is ok and that nothing bad will happen.

Behavioral Security – What is it?

• Belief that human behavior accounts for the majority of incidents.

• Refocuses security efforts from conditions (regulatory) to behavior.

• Based on observation & feedback of performance.

Insecure Conditions

Insecure conditions may include:

• Poor housekeeping (drink by keyboard, unsecured recycling / trash receptacles)

• Insufficient equipment (shared PC)

• PC that is not current on O/S patches

• Improper data storage

• No data classification

• Facility faults (doors don’t close correctly, A/C not working so the door is left open, etc.)

• Requiring SSN or other unnecessary personal identifiers

Insecure Acts

An insecure act might be:

– Weak password construction and management

– Failure to log off at end of day

– Delayed pickup of faxed confidential information at fax machine

– Victim to social engineering attempt

– Allowing a stranger to walk through building unchallenged.

– Door to secure area propped open.

Observation Process

• Request to observe the employee working:

1. Summarize the secure behaviors that you observed.

2. Describe areas of concern.

3. Ask the employee for suggestions for a more secure way to do the task.

4. Thank the employee for allowing the observation.

Resistance to Change

• With change comes resistance.

• Culture change will revert to old ways without constant measurement and reinforcement.

Success Factors for Managing Change

• Address employee and management resistance factors

• Engage employees in the action planning process

• Establish reasonable objectives and a schedule for implementation

• Focus on the journey, not the destination

Success Factors for Managing Change

• Have an organized system (ZIPP)

• Pilot first, then implement

• Recognize early signs of shifting

• Measure

• Evaluate

• Redirect or continue plan

• Re-evaluate…

Why Measure Perceptions?

• “Perceptions are reality”

• Regardless of management’s intent regarding security – reality is what employees perceive about security.

Security Opinion Survey

• Survey measures the drivers of a security culture against a potential perfect score of 100%.

• The gap (how far from 100%) in each driver will help focus security efforts on lower scoring drivers.

Key Drivers

• Vulnerability Correction

• Security Communications

• Behavioral Reinforcement

• Security Values

• Management Credibility

• Accountability

Security Opinion Survey

• The survey also measures the difference in what employees and management perceive about the security culture.

• Typical results are that management perceives security as more positive than do employees.

• The larger the gap the greater the problem.

Survey Parameters

• Fifteen to twenty questions

• Likert scale of 1-5 (negative to positive)

• Using weighted-average, or mean

• Standard deviation – how widely scattered are the answers
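To make the scoring concrete, here is an added worked example (not the deck’s own material) that scores a survey as described: 1-5 Likert answers are mapped to the six key drivers, each driver is expressed as a percentage of a perfect 100%, and the gap from 100%, the spread of answers, and the employee-vs-management perception gap are reported. The driver names come from the Key Drivers slide; the 12-question mapping and the six answer sheets are constructed for illustration.

```python
"""Scoring a Security Opinion Survey as the deck describes it.

Constructed example, not the deck's own tooling: 1-5 Likert answers mapped
to the six key drivers; per driver we report the mean, the score as a
percentage of the perfect score (5 == 100%), the gap from 100%, the
standard deviation, and the employee-vs-management perception gap.
"""
from collections import defaultdict
from statistics import mean, pstdev

DRIVERS = (
    "Vulnerability Correction", "Security Communications",
    "Behavioral Reinforcement", "Security Values",
    "Management Credibility", "Accountability",
)
SCALE_MIN, SCALE_MAX = 1, 5  # Likert: 1 negative .. 5 positive

# Two questions per driver (12 in all; the deck suggests 15-20). Question i
# belongs to DRIVERS[i // 2]. Constructed mapping for the example.
QUESTION_DRIVER = [DRIVERS[i // 2] for i in range(12)]

# Constructed answer sheets: (respondent group, answers to q0..q11).
RESPONSES = [
    ("employee",   [4, 3, 2, 3, 3, 2, 4, 4, 2, 3, 3, 2]),
    ("employee",   [3, 3, 2, 2, 3, 3, 4, 3, 2, 2, 2, 3]),
    ("employee",   [4, 4, 3, 2, 2, 3, 5, 4, 3, 2, 3, 3]),
    ("employee",   [3, 4, 1, 2, 2, 2, 4, 4, 2, 3, 2, 2]),
    ("management", [5, 4, 4, 4, 4, 3, 5, 5, 4, 4, 4, 4]),
    ("management", [4, 5, 3, 4, 4, 4, 5, 4, 4, 5, 3, 4]),
]


def score_driver(scores):
    """Mean, percent of perfect score, gap from 100%, spread and sample size."""
    m = mean(scores)
    pct = m / SCALE_MAX * 100
    return {
        "mean": round(m, 2),
        "percent": round(pct, 1),
        "gap": round(100 - pct, 1),
        "stdev": round(pstdev(scores), 2),  # wide spread = mixed perceptions
        "n": len(scores),
    }


def score_survey(responses, group=None):
    """Per-driver scores, optionally restricted to one respondent group."""
    by_driver = defaultdict(list)
    for grp, answers in responses:
        if group is not None and grp != group:
            continue
        if len(answers) != len(QUESTION_DRIVER):
            raise ValueError("answer sheet does not match the question list")
        for qid, score in enumerate(answers):
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"q{qid}: {score} is outside the Likert scale")
            by_driver[QUESTION_DRIVER[qid]].append(score)
    return {d: score_driver(by_driver[d]) for d in DRIVERS if by_driver[d]}


def perception_gap(responses):
    """Management percent minus employee percent per driver (bigger = worse)."""
    emp = score_survey(responses, "employee")
    mgmt = score_survey(responses, "management")
    return {d: round(mgmt[d]["percent"] - emp[d]["percent"], 1)
            for d in DRIVERS if d in emp and d in mgmt}


def priorities(driver_scores):
    """Drivers ordered lowest score first: where to focus effort."""
    return sorted(driver_scores, key=lambda d: driver_scores[d]["percent"])


if __name__ == "__main__":
    overall = score_survey(RESPONSES)
    gaps = perception_gap(RESPONSES)
    for d in priorities(overall):
        s = overall[d]
        print(f"{d:<26} {s['percent']:5.1f}%  gap {s['gap']:4.1f}  "
              f"sd {s['stdev']:.2f}  mgmt-emp {gaps[d]:+.1f}")
```

With the constructed answers, Security Communications scores lowest overall and Management Credibility shows the widest management-vs-employee gap, which is the pattern the deck says to expect.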

Vulnerability Correction

• Measures the importance a company places on identifying and correcting vulnerabilities.

• Are appropriate resources expended to eliminate vulnerabilities?

Security Communications

• Do employees feel security is adequately communicated?

• Is there freedom to discuss security issues?

• Do employees fear that communicating negative security perceptions might lead to reprimands or terminations?

Behavior Reinforcement

• Is behavior observed and appropriate feedback provided?

• Are positive acts rewarded?

• Are negative acts reprimanded?

Security Values

• Do employees perceive security is a true value in the organization or an espoused value?

• Are production messages overwhelming security value messages and degrading management’s intent?

Management Credibility

• Does the audio match the video?

• Leaders must “walk the talk” of a security culture to have credibility.

Focus Group Interviews

• Helps validate survey results and provides grassroots suggestions for improvement.

• Employees have less fear communicating when part of a group.

• May be the first step in employee involvement and buy-in.

Management Interviews

• Identifies the views of management.

• Identifies problems in the flow of communication between the corporate level and the field/floor level.

• Pinpoints perceived implementation problems.

Confidentiality

• Confidentiality cannot be overstressed if you want the truth.

• Consider use of a third party for collections.

• Perceived lack of confidentiality with online surveys.

Survey Collection Protocols

• Keep the survey short or it will be pencil-whipped.

• Separate supervisors and employees.

• Consider cultural and literacy issues

Baseline Measurement

• Initial survey provides a baseline.

• Should measure again no sooner than 18 months to determine degree of improvement.

• Culture change takes time to anchor.

Sensitive Information

• Be careful how sensitive information is used; if it is used in a punitive manner, you will never regain trust.

• Once you open the door to communication you may be surprised at what is going on.

Culture Assessment Report

• Identifies the strengths & weaknesses in the security culture.

• Provides starting points for effective intervention.

• Makes specific recommendations for improving the security culture.

What To Do With Information

• A survey without intent to change will send the wrong message and may do harm.

• Communicate the results of the survey to employees.

• Involve employees in improvement plan.

All content is copyrighted material and may not be duplicated, distributed, transferred, transmitted, copied, altered, sold, used to create derivative works, or otherwise misused.