The difference between the "Reality" and "Feeling" of Security
Human Perception and its influence on Information Security
[Cartoon: one character thinks "She looks trustworthy"; the other thinks "I'm gonna steal your toys"]
The three pieces that make up information security
[Diagram: Technology (e.g. a firewall), Process and People, arranged around the Information they protect]
Technology and processes are only as good as the people that use them.
Focus of the talk
• The Human Factor in Information Security
• The difference between “Awareness and Competence”
• The power of perception
• Solution Model + Examples
Awareness
I know the traffic rules....
Competence?
Does that guarantee that I am a good driver?
....and the same question applies in Information Security!
[Cartoon: a wall of "Security Policy" posters reading "Never share passwords", while an employee says "Don't tell anyone, my password is....."]
Awareness >> Behaviour >> Culture
Awareness: "I know"
Behaviour (Competence): "I do"
Culture: "We know and do"
Aim for a responsible security culture
What do organizations need?
A system that periodically shows the current security awareness and competence levels.
[Gauge chart: awareness score 87% on a low / medium / high awareness scale; competence score 65% on a low / medium / high competence scale]
A smart attacker will always try to influence the perception of the employee.
The power of perception
Why do people make security mistakes?
Imagine…
APJ Abdul Kalam walks into this room right now and offers you this glass of water….
Now, imagine this…
This man walks into this room right now and offers you this glass of water….
Question
Which water did you accept? Why?
Analysis
People decide what is good and what is bad based on “trust”
Perception is influenced by Trust
Were you checking the water or the person serving the water?
How do people make security decisions?
Influence of perception
Analysis
Of these two, which terrifies you more?
More people die of heart attacks than by getting eaten by sharks.
You may feel safe when you are actually not.
Analysis
Of these two, which terrifies you more?
More children die choking on french fries than of adrenoleukodystrophy.
People exaggerate risks that are uncommon and unfamiliar, and underrate the familiar ones.
I hope it is now clear that we must address the human factor….
Let us summarize…
Reason 1: Security is both a "Reality" and a "Feeling"
For security practitioners, security is a "reality" based on the mathematical probability of risks.
For the end user, security is a "feeling".
Success lies in influencing the "feeling" of security.
RSA Attack
The Incident
In March 2011, RSA, one of the foremost security companies in the world, disclosed that cyber-attacks had penetrated its internal networks and extracted information from its systems.
The consequences were
• Financial loss
• Reputational loss
Attack
An employee opened the attachment of a targeted (spear-phishing) e-mail.
An object embedded in the attachment exploited a vulnerability in the software that opened it, giving the attacker a foothold inside the network.
Analysis: Why did the attack happen?
You may wonder: RSA must have had best-in-class firewalls, anti-virus and other security systems. So how did this attack happen?
It failed to address the human factor.
Reason 2: Technology… yes, but humans… of course!
Aircraft have become more advanced, but does that mean pilot training requirements have been reduced?
Medical technology has become more advanced, but would you choose a hospital for its machines or for its doctors?
The Solution Model
Security Awareness and Competence Management
The solution is based on HIMIS
• HIMIS – Human Impact Management for Information Security
• Released under a Creative Commons license
• Free for non-commercial use
http://www.isqworld.com/himis
HIMIS Implementation Model
Define > Strategize > Deliver > Verify, all centred on Responsible Information Security Behavior
Define
• Choose the ESPs (Expected Security Practices)
• Review and approval of the ESPs
Strategize
For awareness management
• Coverage
• Format & visibility: verbal, paper and electronic
• Frequency
• Quality of content
• Retention measurement (surveys, quizzes)
For behaviour management
• Motivational strategies
• Enforcement / disciplinary strategies
Deliver
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt
Verify
• Audit strategy
• Selection of ESPs to audit
• Define sample size
• Audit methods
For awareness: interviews, surveys, quizzes
For behaviour: observation, review of incident reports, social engineering tests
Examples of social engineering tests
• Deploy false e-mails seeking information (a phishing simulation)
• Tailgating into the facility
• Placing media labelled 'confidential information' in the cafeteria or other places
Such tests need scope and authorization agreed in advance, and the incident response team must be able to tell a test from a real attack.
Reporting model
[Gauge chart: the organization's awareness score was 87% on a low / medium / high awareness scale; its competence score was 65% on a low / medium / high competence scale]
HIMIS Focus
For each ESP (Expected Security Practice), measure Awareness and Behaviour (Competence) separately, then assess, improve and re-assess.
1. Differentiate between Awareness and Competence
Consider both "Awareness" and "Competence" independently.
2. Visualize… and influence perception
3. Scenario-based training (make people solve challenges)
Example
[Video played during the talk]
4. Remember drip irrigation
Small doses, more frequently.
Which is more effective – drip irrigation or spraying a lot of water once a day?
5. Re-measure frequently
[Gauge chart repeated: the organization's awareness score was 87% and its competence score was 65%; the values for the next measurement round are shown as "?" until it is run]
Summary
"A smart user in front of the computer is a good security control and is not that expensive."
Let’s switch ON the Human Layer of Information Security Defence
Thank You
http://www.isqworld.com/himis