Post on 26-Mar-2015


Information Security Awareness

Copyright © 2011 IsecT Ltd.

September 2011

Management seminar

Building our security culture

Introduction

[Diagram: Security culture]

What do we want?

How do we get it?

How do we know when we have it?

What do we want?

[Diagram: Security culture]

What do we want?
• Intolerance for insecurity
• Secure by default
• Proactive security

How do we get it?

How do we know when we have it?
• Fewer/less costly security incidents
• Free security!

But we already have a security culture

Do you really think so?


Would you spot a fake email like this?

[Slide image: a LinkedIn profile annotated with the details an attacker could exploit: job title, college, "Handles sensitive medical data", "8 colleagues to exploit", "Too easy!" and "25m more targets!"]

OK, so how do we get it?

If you accept that a security culture is indeed a valuable goal, what would you suggest we do to establish or improve ours?

How do we get a security culture?

[Diagram: Security culture]

What do we want?

How do we get it?
• Leadership, direction
• Evident support
• Persuasion, motivation
• Awareness, training & education
• Policies, procedures, guidelines
• Reward & punishment

How do we know when we have it?

How do we know when we have it?

[Diagram: Security culture]

What do we want?
• People do the right thing, even when not being told or watched

How do we get it?

How do we know when we have it?
• Behavioral metrics

Summary

[Diagram: Security culture]

What do we want?
• Intolerance for insecurity
• Secure by default
• Proactive security
• People do the right thing, even when not being told or watched

How do we get it?
• Leadership, direction
• Evident support
• Persuasion, motivation
• Awareness, training & education
• Policies, procedures, guidelines
• Reward & punishment

How do we know when we have it?
• Behavioral metrics
• Fewer/less costly security incidents
• Free security!


Management action plan

1. Check the security policies & procedures

2. Lead by example: demonstrate secure behaviors, place a value on security

3. Identify and reward secure behaviors

4. Encourage open discussion about security matters – talk it up a bit

5. Reap the benefits of a security culture


Further information

• Information Security Policy Manual and other security awareness materials

• CIO or Information Security Manager

• Browse the intranet Security Zone

• Managing the Human Factor in Information Security by David Lacey and Spies Among Us by Ira Winkler

• Google for more!