Date posted: 14-Nov-2014 | Category: Technology | Uploaded by: anup-narayanan
A model for reducing security risks due to human error
Anup Narayanan, CISA, CISSP
Founder & CEO, ISQ
“We are not just security aware, but security competent as well”
(C) ISQ. All Rights Reserved 2
Focus of the talk
Addressing the human factor using security “awareness” and “competence” management
Security Policy: Never share passwords
“Don’t tell anyone, my password is…”
The difference between “Awareness” and “Behaviour (Competence)”
I know the traffic rules… Does it guarantee that I am a good driver?
Awareness >> Behaviour >> Culture
Awareness
• I know
Behaviour (Competence)
• I do
Culture
• We know and do
An organization must aim for a responsible security culture
The problem (Mistakes that organizations are making)
The focus is only on awareness, not behaviour (competence) and culture
I have an amazing security awareness program but people still make security mistakes!
What do organizations need?
A system that periodically shows the current Awareness and Competence Levels
[Gauge: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS] Organization’s awareness score is 87%
[Gauge: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE] Organization’s competence score is 65%
The power of perception
Why do people make security mistakes?
Imagine…
Nelson Mandela walks into this room right now and offers you this glass of water… Will you accept it?
Now, imagine this…
This man walks into this room right now and offers you this glass of water… Will you accept it?
Question
Which water did you accept?
Why?
Analysis
People decide what is good and what is bad based on “trust”
Perception is influenced by Trust
Were you checking the water or the person serving the water?
Why must we address the human factor?
(or)
Is the human factor worth addressing?
Reason 1: Security is both a “Reality” and “Feeling”
For security practitioners security is a “Reality” based on the mathematical probability of risks
For the end user (common man) security is a feeling
Influencing the feeling of security (what is safe and what is not safe while handling information) leads users to make the right security decisions and to act on them
Reason 2: Not every attack(er) is that smart
People exaggerate risks that are spectacular or uncommon: “So what? RSA was hacked”
[Chart: Control efficiency (y-axis) against Risk severity / Attacker smartness / Attack efficiency (x-axis); legend: Technology & Processes, Awareness & Competence]
1. Automatic security controls – AV, Updates
2. Technology + Human – Firewall configuration, Choosing a secure Wifi
3. Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media
4. The very smart attacker
Reason 3: How much of a trade-off are we willing to make?
The best way to stop people from making information security mistakes is to deny them access to information.
Are you willing to make that trade-off?
Security awareness and competence management is a trade-off that is affordable and effective
Reason 4: The human factor is important…
Aircraft have become more advanced, but does it mean that pilot training requirements have reduced?
Cars have become more advanced, but does it mean that driving tests have become easier?
Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
The Solution Model
Security Awareness and Competence Management
The solution is based on HIMIS
• HIMIS – Human Impact Management for Information Security
• Released under Creative Commons License
• Free for Non-Commercial Use
http://www.isqworld.com/himis
Security Risk analysis → Identify the human factor (Awareness; Behaviour (Competence)) → Assess, Improve, Re-assess
Define – Identify information security awareness and competence needs of the business.
Strategize – Create the strategy for awareness and competence management (ESP)
Deliver – Execute the awareness plan
Verify – Check change in awareness and competence. Improve.
Strategy - Use ESP (Expected Security Practices)
ESP | Awareness Component | Competence Component
Information Classification | Information classification criterion; Classification labels | Demonstrates correct classification
Incident reporting | Types of incidents; Incident reporting procedures/ channels | Detects and reports a simulated incident
Phase 1 – Define
Define → Strategize → Deliver → Verify
Define: Identify information security awareness and competence needs of the business.
Strategize: Create the strategy for awareness and competence management
Deliver: Execute the plan
Verify: Check change in awareness and competence. Improve.
Case Study: Client Profile
• Type of industry: Retail
• No. of employees: 5000+
• Position: Market Leader
• Type of Information handled: Customer data, Intellectual Property
• Spending on Information Security Awareness: US$ 75,000
Awareness Vs. Behaviour
Awareness:
• Sharing of company/customer information is wrong
• Sensitive Information must be protected
• Access Control Cards must be protected
Competence/ Behaviour:
• Customer records were leaked to competitor
• Salary information of top executive was given to head hunter
• Printouts lying unattended
• Visitors can enter the facility without informing security guard
Problem Analysis - Visibility & Clarity
Visibility - The degree to which one can see
Clarity - Free from obscurity and easy to understand
When you have too many rules… it gets complicated
“Don’t share passwords” – Which password? Network, desktop, ERP…?
Output of Phase 1
[Gauge: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS] Organization’s awareness score is 87%
[Gauge: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE] Organization’s competence score is 65%
Detailed Scorecard – Score per ESP (values read from the bar chart, in category order)
ESP | Awareness | Competence
Clear Policies | 82 | 0
Email Security | 67 | 66.7
Info Disclosure | 89 | 66.7
Password Security | 90 | 0
Physical Security | 76 | 0
Incident Reporting | 56 | 33.3
Social Networking/ Blogging | 70 | 77.8
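The scorecard above is what the deck reports; the following Python is an added example, not code from ISQ or from HIMIS, of how such per-ESP awareness and competence figures can be computed from audit evidence (quiz or interview answers for awareness, observed or simulated behaviour for competence) and mapped onto the LOW / MEDIUM / HIGH gauges used on the preceding slides. The band cut-offs, the EspResult structure, the 30-point “gap” threshold and the sample audit counts are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Hypothetical gauge cut-offs: the deck shows LOW / MEDIUM / HIGH gauges but
# never states the thresholds, so these are assumptions for this example.
BAND_CUTOFFS = ((70.0, "HIGH"), (40.0, "MEDIUM"), (0.0, "LOW"))


def band(score: float) -> str:
    """Map a 0-100 score onto the LOW / MEDIUM / HIGH gauge bands."""
    if not 0.0 <= score <= 100.0:
        raise ValueError(f"score out of range: {score}")
    for lower, label in BAND_CUTOFFS:
        if score >= lower:
            return label
    return "LOW"  # not reachable for a valid score; keeps the return type total


def percent(checks: Sequence[bool]) -> float:
    """Share of checks passed, as a 0-100 percentage."""
    if not checks:
        raise ValueError("an ESP needs at least one check before it can be scored")
    return 100.0 * sum(1 for passed in checks if passed) / len(checks)


@dataclass
class EspResult:
    """Audit evidence collected for one Expected Security Practice (ESP).

    awareness_checks:  quiz / interview answers, True = answered correctly
    competence_checks: observed or simulated behaviours, True = compliant
    """
    esp: str
    awareness_checks: List[bool]
    competence_checks: List[bool]


def scorecard(results: Sequence[EspResult]) -> Dict:
    """Per-ESP scores plus the organization-level gauges shown in the deck."""
    if not results:
        raise ValueError("no ESP results to score")
    per_esp = []
    aw_total = comp_total = 0.0
    for r in results:
        aw, comp = percent(r.awareness_checks), percent(r.competence_checks)
        aw_total += aw
        comp_total += comp
        per_esp.append({
            "esp": r.esp,
            "awareness": round(aw, 1),
            "competence": round(comp, 1),
            # positive gap = people know the rule but do not follow it
            "gap": round(aw - comp, 1),
        })
    aw_org = aw_total / len(results)
    comp_org = comp_total / len(results)
    return {
        "per_esp": per_esp,
        "awareness": round(aw_org, 1),
        "awareness_band": band(aw_org),
        "competence": round(comp_org, 1),
        "competence_band": band(comp_org),
    }


def knowing_but_not_doing(card: Dict, min_gap: float = 30.0) -> List[str]:
    """ESPs where awareness exceeds competence by at least min_gap points."""
    return [row["esp"] for row in card["per_esp"] if row["gap"] >= min_gap]


# Constructed sample evidence (not real audit data); the counts were chosen so
# the percentages resemble a few of the bars in the chart above.
SAMPLE_AUDIT = [
    EspResult("Password Security", [True] * 9 + [False], [False] * 6),
    EspResult("Incident Reporting", [True] * 14 + [False] * 11, [True] * 3 + [False] * 6),
    EspResult("Social Networking/ Blogging", [True] * 7 + [False] * 3, [True] * 7 + [False] * 2),
]

if __name__ == "__main__":
    card = scorecard(SAMPLE_AUDIT)
    for row in card["per_esp"]:
        print(f'{row["esp"]:<28} awareness {row["awareness"]:5.1f}  '
              f'competence {row["competence"]:5.1f}  gap {row["gap"]:+5.1f}')
    print(f'Organization awareness  {card["awareness"]} % ({card["awareness_band"]})')
    print(f'Organization competence {card["competence"]} % ({card["competence_band"]})')
    print("Know the rule but do not follow it:", knowing_but_not_doing(card))
```

Running the file prints the per-ESP table and the two organization-level gauges; the gap column is the deck’s “I know but I don’t do” signal, so an ESP with a large positive gap is where the program should shift from awareness content to behaviour change rather than more awareness material.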
Audit strategies - Awareness
• For auditing the information security awareness component of the ESP:
– Interviews
– Surveys
– Quizzes
– Mind-map sessions
Auditing Strategies - Behaviour
• For auditing competence:
– Social Engineering
– Observations: Observe for tailgating, observe how many meeting rooms still have sensitive information on the board after the meeting
– Log review: Browsing and email patterns can be observed through log reviews of the corresponding systems
– Data mining: Mine through internet search engines to see how much sensitive information about the company is available online
– Incident report review: Review of incident reports may show how many laptops were lost, and a further investigation may reveal whether the cause was carelessness (poor behaviour) or not (maybe the user was physically attacked).
Phase 2 - Strategize (Define → Strategize → Deliver → Verify)
Create the strategy for awareness and competence management
Quality of content – Impact visualization
Show the impact of poor security awareness and competence to the “non-information security” professional
Quality of content – Business relevance
Show the impact of poor security awareness and competence to the “non-information security” professional
“Oops! My business is held responsible if I install pirated software on my PC?”
Quality of content – Clarity and Ease
Keep it very simple
“So… the email security policy is… 6 pages long.”
“Email security – 5 quick tips. Wow, that’s cool!”
Quality of content - Cultural factors
Language or terms used, color and design, character representation
“Sorry, that information is classified. Let me explain the basics of password security”
Retention measurement
• How much have they understood?
• How long do they remember?
– Immediately
– 30 days later
– 60 days later
“Well… my emails have disappeared. Which number do I call?”
Coverage
• Identify the target workforce
• Tolerable deviation – What percentage of the workforce must receive the training
• Set realistic expectations, e.g. refer to the visibility meter
Format and visibility
• Format – Different types of information security awareness content
• Visibility – Channels through which the content is delivered
Format | Visibility
Verbal | Live training sessions, Video conferences
Electronic | Email, Intranet, Posters, Social media
Paper | Posters, cards, quizzes or surveys
Frequency
• Gap between 2 awareness deliveries
• Critical – Gap should be minimal
Which is more effective – Drip irrigation or spraying a lot of water once a day?
Competence management/ Behaviour Change
A case study
Creating the right environment
Motivational Strategies
Disciplinary strategies
Case Study : IT Business
• Company
– Offshore Development, 3 Centers in India
– Young workforce: Majority between 22-27
• Security Rules
– Don’t forward emails with unofficial attachments
– No downloads of videos, music, freeware
– No storage of personal content in official systems
Case Study : IT Business
• What we did
– Quarterly “End-User Desktop Audits”
– Findings were immediately “Signed and Agreed by Auditee”
– Disputes were noted and “Signed”
– Audit findings were submitted to InfoSec Team
Case Study : IT Business – The result
[Chart: % of Non-Compliance measured at the 3rd, 6th, 9th, 12th, 15th and 18th month of the quarterly audits; y-axis 0 to 80%]
Learning
Security Tradeoff Vs. Inconvenience
[Diagram: Personal Inconvenience against Security Trade-Off]
Security Tradeoff Vs. Cost
[Diagram: Cost (Enforcement) against Security Trade-Off]
Enforcement or Cost
• Quality of Life
• Career
• Money
• Time
Phase 3 - Deliver (Define → Strategize → Deliver → Verify)
Execute the plan
Define tolerable deviation
• It is almost impossible to get 100% participation
• Define a number that is reasonable
– 80% participation in the first 6 months
– 85% in the next 6
Efficiency
• Efficiency of channels in delivering the program
– Emails must reach the target workforce, not go to SPAM
– Videos must stream at an optimum speed
– Training sessions
• Trainer must be knowledgeable
• Able to articulate the topics well
• Use tools and examples
• Encourage discussion
Collection of feedback
• Not to be confused with “retention measurement”
1. The clarity of the content in conveying the intended message
2. The business relevance of the content
3. Impact visualization
4. The quality of the trainer or the efficiency of the delivery channel
5. Other factors
Phase 4 - Verify (Define → Strategize → Deliver → Verify)
Check change in awareness and competence. Improve.
Audit strategies - Awareness and Behaviour
The same audit strategies as in Phase 1 are reused here: interviews, surveys, quizzes and mind-map sessions for the awareness component; social engineering, observations, log review, data mining and incident report review for competence.
Output of Verify phase
[Gauge: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS] Organization’s awareness score was 87% – now?
[Gauge: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE] Organization’s competence score was 65% – now?
Summary
[Diagram: Technology (Firewall), Process and People surrounding Information]
Technology and processes are only as good as the people that use them
Free resources
• Free security awareness video – http://isqworld.com/security-awareness-training-samples
• The Psychology of Security, Bruce Schneier - http://www.schneier.com/essay-155.html
Thank You
Anup Narayanan @ CoCon 2012, Trivandrum, Kerala
Let’s switch ON the Human Layer of Information Security Defence