A model for reducing information security risks due to human error

Date post: 14-Nov-2014
Upload: anup-narayanan
Description:
My recent presentation at cOcOn, an international Cyber Security and Policing Conference in Trivandrum, Kerala. The talk focuses on reducing information security risks due to human error using information security awareness and competence management solutions.

Transcript
Page 1: A model for reducing information security risks due to human error

A model for reducing security risks due to human error

Anup Narayanan, CISA, CISSP

Founder & CEO, ISQ

“We are not just security aware, but security competent as well”

Page 2: A model for reducing information security risks due to human error

(C) ISQ. All Rights Reserved 2

Focus of the talk

Addressing the human factor using security “awareness” and “competence” management

Security Policy: Never share passwords

Don’t tell anyone, my password is…..

Page 3: A model for reducing information security risks due to human error

The difference between “Awareness” and “Behaviour (Competence)”

I know the traffic rules….

Page 4: A model for reducing information security risks due to human error

Does it guarantee that I am a good driver?

Page 5: A model for reducing information security risks due to human error

Awareness >> Behaviour >> Culture

• Awareness – I know

• Behaviour (Competence) – I do

• Culture – We know and do

An organization must aim for a responsible security culture

Page 6: A model for reducing information security risks due to human error


The problem (Mistakes that organizations are making)

The focus is only on awareness, not behaviour (competence) and culture

I have an amazing security awareness program but people still make security mistakes!

Page 7: A model for reducing information security risks due to human error

What do organizations need?

A system that periodically shows the current Awareness and Competence Levels

Awareness meter (Low / Medium / High): Organization’s awareness score is 87%

Competence meter (Low / Medium / High): Organization’s competence score is 65%

Page 8: A model for reducing information security risks due to human error


The power of perception

Why do people make security mistakes?

Page 9: A model for reducing information security risks due to human error

Imagine…

Nelson Mandela walks into this room right now and offers you this glass of water….

Will you accept it?

Page 10: A model for reducing information security risks due to human error

Now, imagine this…

This man walks into this room right now and offers you this glass of water….

Will you accept it?

Page 11: A model for reducing information security risks due to human error


Question

Which water did you accept?

Why?

Page 12: A model for reducing information security risks due to human error


Analysis

People decide what is good and what is bad based on “trust”

Perception is influenced by Trust

Were you checking the water or the person serving the water?

Page 13: A model for reducing information security risks due to human error


Why must we address the human factor?

(or)

Is the human factor worth addressing?

Page 14: A model for reducing information security risks due to human error

Reason 1: Security is both a “Reality” and a “Feeling”

For security practitioners, security is a “Reality” based on the mathematical probability of risks

For the end user (the common man), security is a feeling

Influencing the feeling of security (what is safe and what is not safe while handling information) leads a user to make the right security decisions and apply them

Page 15: A model for reducing information security risks due to human error

Reason 2: Not every attack(er) is that smart

People exaggerate risks that are spectacular or uncommon: So what? RSA was hacked

Chart: control efficiency against risk severity / attacker smartness / attack efficiency, moving from technology & processes (1) towards awareness & competence (3 and 4):

1. Automatic security controls – AV, Updates

2. Technology + Human – Firewall configuration, Choosing a secure Wifi

3. Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media

4. The very smart attacker

Page 16: A model for reducing information security risks due to human error


Reason 3: How much of a trade-off are we willing to make?

The best way to stop people from making information security mistakes is to deny them access to information.

Are you willing to make that trade-off?

Security awareness and competence management is a trade-off that is affordable and effective

Page 17: A model for reducing information security risks due to human error

Reason 4: The human factor is important…

Aircraft have become more advanced, but does it mean that pilot training requirements have reduced?

Cars have become more advanced, but does it mean that driving tests have become easier?

Medical technology has become more advanced, but will you choose a hospital for its machines or for the doctors?

Page 18: A model for reducing information security risks due to human error


The Solution Model

Security Awareness and Competence Management

Page 19: A model for reducing information security risks due to human error


The solution is based on HIMIS

• HIMIS – Human Impact Management for Information Security

• Released under Creative Commons License

• Free for Non-Commercial Use

http://www.isqworld.com/himis

Page 20: A model for reducing information security risks due to human error

Security Risk analysis: identify the human factor (Awareness; Behaviour (Competence)) and assess, improve, re-assess

The cycle:

• Define – Identify information security awareness and competence needs of the business.

• Strategize – Create the strategy for awareness and competence management (using ESP).

• Deliver – Execute the awareness plan.

• Verify – Check change in awareness and competence. Improve.

Page 21: A model for reducing information security risks due to human error

Strategy - Use ESP (Expected Security Practices)

Each ESP has an awareness component and a competence component:

• Information Classification
  – Awareness component: Information classification criterion; Classification labels
  – Competence component: Demonstrates correct classification

• Incident reporting
  – Awareness component: Types of incidents; Incident reporting procedures/ channels
  – Competence component: Detects and reports a simulated incident

Page 22: A model for reducing information security risks due to human error

Phase 1 - Define

Cycle: Define (identify information security awareness and competence needs of the business) > Strategize (create the strategy for awareness and competence management) > Deliver (execute the plan) > Verify (check change in awareness and competence; improve)

Page 23: A model for reducing information security risks due to human error

Case Study: Client Profile

• Type of industry: Retail

• No. of employees: 5000+

• Position: Market Leader

• Type of Information handled: Customer data, Intellectual Property

• Spending on Information Security Awareness: US$ 75,000

Page 24: A model for reducing information security risks due to human error

Awareness Vs. Behaviour

Awareness (what people know):

• Sharing of company/customer information is wrong

• Sensitive Information must be protected

• Access Control Cards must be protected

Competence/ Behaviour (what actually happened):

• Customer records were leaked to competitor

• Salary information of top executive was given to head hunter

• Printouts lying unattended

• Visitors can enter the facility without informing security guard

Page 25: A model for reducing information security risks due to human error

Problem Analysis - Visibility & Clarity

Visibility - The degree to which one can see

Clarity - Free from obscurity and easy to understand

When you have too many rules…. it gets complicated

Page 26: A model for reducing information security risks due to human error

Don’t share passwords

Which password? Network, desktop, ERP….?

Page 27: A model for reducing information security risks due to human error

Output of Phase 1

Awareness meter (Low / Medium / High): Organization’s awareness score is 87%

Competence meter (Low / Medium / High): Organization’s competence score is 65%

Page 28: A model for reducing information security risks due to human error

Detailed Scorecard

Score per ESP (chart, 0 to 100; values as labelled on the chart, awareness series then competence series, in category order):

ESP                          Awareness   Competence
Clear Policies               82          0
Email Security               67          66.7
Info Disclosure              89          66.7
Password Security            90          0
Physical Security            76          0
Incident Reporting           56          33.3
Social Networking/ Blogging  70          77.8
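The scorecard above is the output the deck asks for: a per-ESP awareness figure next to a per-ESP competence figure, plus an organization-level meter. As an added example (not code from the deck, from ISQ or from HIMIS), the following Python computes that scorecard from constructed audit counts: awareness quiz items answered correctly and competence checks (observations, simulated incidents) passed, per ESP. It also lists the ESPs where awareness is high but competence is low, which is the "I know but I don't do" gap the case study is about. The Low/Medium/High cut-offs, the field names and the sample numbers are assumptions for illustration; the deck does not state them.

```python
"""Per-ESP awareness vs. competence scorecard (added example, not HIMIS code).

Assumptions: each ESP audit records how many awareness quiz items were
answered correctly and how many competence checks (observations, simulated
incidents, log reviews) were passed. The LOW/MEDIUM/HIGH cut-offs are an
assumption for illustration; the deck does not state them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspAudit:
    esp: str
    awareness_correct: int   # quiz/survey items answered correctly
    awareness_total: int     # quiz/survey items asked
    competence_passed: int   # behaviour checks passed (e.g. reported the simulated incident)
    competence_total: int    # behaviour checks performed


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; a zero denominator is a data error, not 0%."""
    if denominator <= 0:
        raise ValueError("an ESP with no checks cannot be scored")
    return round(100.0 * numerator / denominator, 1)


def band(score: float, low: float = 50.0, high: float = 80.0) -> str:
    """Map a score onto the deck's Low / Medium / High meter (cut-offs assumed)."""
    if score < low:
        return "LOW"
    if score < high:
        return "MEDIUM"
    return "HIGH"


def esp_scores(audits):
    """Per-ESP (awareness %, competence %), i.e. the 'Score per ESP' chart."""
    return {
        a.esp: (pct(a.awareness_correct, a.awareness_total),
                pct(a.competence_passed, a.competence_total))
        for a in audits
    }


def organization_scores(audits):
    """Organization-level scores, weighting each ESP by the number of checks it had."""
    aw = pct(sum(a.awareness_correct for a in audits), sum(a.awareness_total for a in audits))
    co = pct(sum(a.competence_passed for a in audits), sum(a.competence_total for a in audits))
    return aw, co


def awareness_behaviour_gaps(audits, min_gap: float = 25.0):
    """ESPs where people 'know' but do not 'do': awareness exceeds competence by min_gap points.

    Returned as (esp, gap) pairs, largest gap first. More awareness content will not
    help for these ESPs; they need competence management (audits, motivation, discipline).
    """
    gaps = []
    for esp, (aw, co) in esp_scores(audits).items():
        gap = round(aw - co, 1)
        if gap >= min_gap:
            gaps.append((esp, gap))
    return sorted(gaps, key=lambda g: g[1], reverse=True)


# Constructed sample data, loosely shaped like the deck's retail case study
SAMPLE_AUDITS = [
    EspAudit("Clear Policies", 41, 50, 0, 6),
    EspAudit("Email Security", 67, 100, 4, 6),
    EspAudit("Password Security", 45, 50, 0, 8),
    EspAudit("Incident Reporting", 28, 50, 2, 6),
    EspAudit("Social Networking/Blogging", 35, 50, 7, 9),
]


def report(audits) -> str:
    """Plain-text scorecard in the shape of the deck's meter and per-ESP chart."""
    aw, co = organization_scores(audits)
    lines = [f"Organization awareness score: {aw}% ({band(aw)})",
             f"Organization competence score: {co}% ({band(co)})",
             "Score per ESP (awareness / competence):"]
    for esp, (a, c) in esp_scores(audits).items():
        lines.append(f"  {esp:<28} {a:>5} / {c:>5}")
    for esp, gap in awareness_behaviour_gaps(audits):
        lines.append(f"  gap: {esp} is known but not practised ({gap:+.1f} points)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDITS))
```

The organization score is check-weighted rather than a plain mean of the ESP scores, so an ESP audited with many checks counts for more than one audited with a handful; the gap list is the part worth acting on, because it separates ESPs that need more awareness content from those that need behaviour change.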

Page 29: A model for reducing information security risks due to human error

Audit strategies - Awareness

• For auditing the information security awareness component of the ESP:
  – Interviews
  – Surveys
  – Quizzes
  – Mind-map sessions

Page 30: A model for reducing information security risks due to human error

Auditing Strategies - Behaviour

• For auditing competence:

– Social Engineering

– Observations: Observe for tailgating, observe how many meeting rooms still have sensitive information on the board after the meeting

– Log review: Browsing and email patterns can be observed through log reviews of the corresponding systems

– Data mining: Mine internet search engines to see how much sensitive information about the company is available online

– Incident report review: Review of incident reports may show how many laptops were lost, and a further investigation may reveal the cause as carelessness (poor behaviour) or not (maybe the user was physically attacked).

Page 31: A model for reducing information security risks due to human error

Phase 2 - Strategize

Cycle: Define (identify information security awareness and competence needs of the business) > Strategize (create the strategy for awareness and competence management) > Deliver (execute the plan) > Verify (check change in awareness and competence; improve)

Page 32: A model for reducing information security risks due to human error


Quality of content – Impact visualization

Show the impact of poor security awareness and competence to the “non-information security” professional

Page 33: A model for reducing information security risks due to human error

Quality of content – Business relevance

Show the impact of poor security awareness and competence to the “non-information security” professional

Oops! My business is held responsible if I install pirated software on my PC?

Page 34: A model for reducing information security risks due to human error

Quality of content – Clarity and Ease

Keep it very simple

So.. the email security policy is… 6 pages long.

Email security – 5 quick tips. Wow, that’s cool!

Page 35: A model for reducing information security risks due to human error

Quality of content - Cultural factors

Language or terms used, color and design, character representation

Sorry, that information is classified. Let me explain the basics of password security

Page 36: A model for reducing information security risks due to human error

Retention measurement

• How much have they understood?

• How long do they remember?
  – Immediately
  – 30 days later
  – 60 days later

Well… my emails have disappeared. Which number do I call?

Page 37: A model for reducing information security risks due to human error

Coverage

• Identify the target workforce

• Tolerable deviation – What percentage of the workforce must receive the training

• Set realistic expectations

• E.g. – Refer to the visibility meter

Page 38: A model for reducing information security risks due to human error

Format and visibility

• Format – Different types of information security awareness content

• Visibility – Channels through which the content is delivered

Format: Visibility (channels)

• Verbal: Live training sessions, Video conferences

• Electronic: Email, Intranet, Posters, Social media

• Paper: Posters, cards, quizzes or surveys

Page 39: A model for reducing information security risks due to human error

Frequency

• Gap between 2 awareness deliveries

• Critical – Gap should be minimal

Which is more effective – Drip irrigation or spraying a lot of water once a day?

Page 40: A model for reducing information security risks due to human error

Competence management/ Behaviour Change

A case study


Page 41: A model for reducing information security risks due to human error


Creating the right environment

Motivational Strategies

Disciplinary strategies

Page 42: A model for reducing information security risks due to human error

Case Study : IT Business

• Company
  – Offshore Development, 3 Centers in India
  – Young workforce: Majority between 22-27

• Security Rules
  – Don’t forward emails with unofficial attachments
  – No downloads of videos, music, freeware
  – No storage of personal content in official systems

Page 43: A model for reducing information security risks due to human error

Case Study : IT Business

• What we did
  – Quarterly “End-User Desktop Audits”
  – Findings were immediately “Signed and Agreed by Auditee”
  – Disputes were noted and “Signed”
  – Audit findings were submitted to InfoSec Team

Page 44: A model for reducing information security risks due to human error

Case Study : IT Business – The result

Chart: % of Non-Compliance at the 3rd, 6th, 9th, 12th, 15th and 18th month (y-axis 0 to 80)

% of Non-Compliance?

Page 45: A model for reducing information security risks due to human error

Learning


Page 46: A model for reducing information security risks due to human error

Security Tradeoff Vs. Inconvenience

Diagram: Personal inconvenience vs. security trade-off

Page 47: A model for reducing information security risks due to human error

Security Tradeoff Vs. Cost

Diagram: Cost (Enforcement) vs. security trade-off

Enforcement or Cost:

• Quality of Life

• Career

• Money

• Time

Page 48: A model for reducing information security risks due to human error

Phase 3 - Deliver

Cycle: Define (identify information security awareness and competence needs of the business) > Strategize (create the strategy for awareness and competence management) > Deliver (execute the plan) > Verify (check change in awareness and competence; improve)

Page 49: A model for reducing information security risks due to human error

Define tolerable deviation

• It is almost impossible to get 100% participation

• Define a number that is reasonable
  – 80% participation in the first 6 months
  – 85% in the next 6

Page 50: A model for reducing information security risks due to human error

Efficiency

• Efficiency of channels in delivering the program
  – Emails must reach the target workforce, not go to SPAM
  – Videos must stream at an optimum speed
  – Training sessions:
    • Trainer must be knowledgeable
    • Able to articulate the topics well
    • Use tools and examples
    • Encourage discussion

Page 51: A model for reducing information security risks due to human error

Collection of feedback

• Not to be confused with “retention measurement”

1. The clarity of the content in conveying the intended message

2. The business relevance of the content

3. Impact visualization

4. The quality of the trainer or the efficiency of the delivery channel

5. Other factors

Page 52: A model for reducing information security risks due to human error

Phase 4 - Verify

Cycle: Define (identify information security awareness and competence needs of the business) > Strategize (create the strategy for awareness and competence management) > Deliver (execute the plan) > Verify (check change in awareness and competence; improve)

Page 53: A model for reducing information security risks due to human error

Audit strategies - Awareness

• For auditing the information security awareness component of the ESP:
  – Interviews
  – Surveys
  – Quizzes
  – Mind-map sessions

Page 54: A model for reducing information security risks due to human error

Auditing Strategies - Behaviour

• For auditing competence:

– Social Engineering

– Observations: Observe for tailgating, observe how many meeting rooms still have sensitive information on the board after the meeting

– Log review: Browsing and email patterns can be observed through log reviews of the corresponding systems

– Data mining: Mine internet search engines to see how much sensitive information about the company is available online

– Incident report review: Review of incident reports may show how many laptops were lost, and a further investigation may reveal the cause as carelessness (poor behaviour) or not (maybe the user was physically attacked).

Page 55: A model for reducing information security risks due to human error

Output of Verify phase

Awareness meter (Low / Medium / High): Organization’s awareness score was 87%; now?

Competence meter (Low / Medium / High): Organization’s competence score was 65%; now?

Page 56: A model for reducing information security risks due to human error

Summary

Diagram: Information at the centre, surrounded by Technology (Firewall), Process and People

Technology and processes are only as good as the people that use them

Page 57: A model for reducing information security risks due to human error


Free resources

• Free security awareness video – http://isqworld.com/security-awareness-training-samples

• The Psychology of Security, Bruce Schneier - http://www.schneier.com/essay-155.html

Page 58: A model for reducing information security risks due to human error

Thank You

Anup Narayanan

@ CoCon 2012, Trivandrum, Kerala

Let’s switch ON the Human Layer of Information Security Defence