TECH PRACTICE
Information Risk Executive Council™
Wednesday March 21st, 2012
The Security Shift: Rethinking User Engagement to Drive Compliance and Behaviour Change
INFORMATION RISK EXECUTIVE COUNCIL®IT PRACTICE www.irec.executiveboard.com
© 2010 The Corporate Executive Board Company. All Rights Reserved. IREC6544310SYN
ROAD MAP FOR THE PRESENTATION
■ Awareness Challenges and Social Media
■ Social Media Awareness Tactics
■ Key Findings
INForMATIoN rISk ExECuTIvE CouNCIl®IT PrACTICEwww.irec.executiveboard.com
© 2012 The Corporate Executive Board Company. All Rights Reserved. IREC2204112SYN
A TOUGH ENVIRONMENT…

The information security function is facing tight operating conditions against an uncertain business outlook.
■ CEB's Business Executives Sentiment Index (BESI) declined for the third consecutive quarter—from 46.9 in Q3 2011 to 42.8 in Q4 2011—showing that executives expect increasingly challenging business conditions across the next 12 months.
■ Past spending restrictions have prevented improvements in controls maturity.
■ Budget and staffing are expected to be largely flat across the next year.

Charts on this slide (values recovered from the chart labels):
■ Expectations for a Challenging 2012: CEB's Business Executives Sentiment Index, positive/negative scale; latest reading 42.8. n = 2,055. Source: http://cebviews.com/economic-outlook/
■ Insignificant Increase in Funding Expected: median, millions of US dollars, 2011 vs. 2012 (E). Only a Small Increase in Staffing Expected: average FTEs, 2011 vs. 2012 (E). Bar labels for these two charts read 10 and 10, and 28 and 30; the extracted text does not preserve which pair belongs to which chart. n = 53 and n = 61. Source: IREC 2011 Controls Maturity Benchmarking Survey.
■ No Momentum on Controls Maturity: controls maturity change from 2009 to 2011: 3.15 (2009), 3.04 (2010), 3.11 (2011). n = 90 (2009); n = 104 (2010); n = 66 (2011). Source: Information Risk Executive Council Controls Maturity Benchmarking Service.
…BUT THREATS ARE STILL DRIVING AMBITIOUS PLANS

Despite tight operating conditions, the threat environment is driving ambitious plans for 2012.
■ Seven of seventeen threats were rated "high" or "existential" risk by at least 40% of members.
■ In response, the security technology roadmap shows adoption of many technologies going mainstream this year.
■ See the next section of this deck for detailed threat data.
■ See the last section of this deck and the appendix for detailed roadmap data.

CISOs' Top Threat Concerns (rated "High" or "Existential" risk by at least 40% of members; n = 55; source: Information Risk Executive Council 2012 Threat Landscape Survey):
■ Organized Crime and Fraud
■ Regulatory Noncompliance
■ State-Sponsored Attacks
■ Third-Party Risk
■ Social Engineering/Phishing
■ Mobile Device Application Vulnerabilities
■ BYOD

Security Technology Roadmap (technologies by mainstream adoption timeline, value, and risk; n = 50 IT organizations; source: IEC Emerging Technology Roadmap Surveys, October 2011). Timeline bands: No Plans to Deploy, 2011, 2012, 2013+. Technologies plotted:
■ Mobile Device Management Tools
■ Web App Firewalls
■ Network-Based DLP
■ GRC Tools
■ Unified Threat Management Tools
■ Endpoint DLP
■ Identity as a Service
■ Folder-Level Encryption
■ End-User Biometrics
■ Security as a Service
Enterprise Value (High, Medium, or Low) is based on: Security Costs, Risk Visibility, Risk Reduction, Compliance Enhancement, Business Burden.
Deployment Risk (High, Medium, or Low) is based on: Marketplace Maturity, Management Tools, Scalability, Architecture Direction, Support Skills, Organizational Readiness.
INFORMATION RISK EXECUTIVE COUNCIL®IT PRACTICE www.irec.executiveboard.com
© 2011 The Corporate Executive Board Company. All Rights Reserved. IREC0915011SYN
A RAPID INCREASE IN HIGH PROFILE INCIDENTS

In the two years from GhostNet to the IMF attack, there has been a rapid increase in reports of sophisticated and damaging attacks attributed to so-called "advanced persistent threats."

Publicly Reported Incidents Attributed to APT Attacks (partial selection; timeline 2004–2012):
■ Titan Rain
■ EU Govt. Leaders
■ Oak Ridge National Laboratory
■ Lockheed Martin
■ Multiple Oil and Gas Companies
■ GhostNet
■ Operation Aurora
■ RSA
■ Rio Tinto
■ L3
■ IMF
■ Stuxnet
■ Shady RAT
OPENING THE BLACK BOX

Awareness efforts work by directly or indirectly influencing user psychology and attitudes to encourage secure behavior.
■ Arrows in the model show how various elements influence other elements.

Model of Awareness Campaign Effects (schematic). Elements: CISO Actions; Awareness Efforts; User Psychology and Attitudes, made up of Knowledge of Policy, Emotional Commitment to Security, Perception of Risk to Organization, and Self-Interest for Security; Decision to Comply; Secure Behavior. Arrows labelled "Influence" run from awareness efforts into user psychology and attitudes, and from there to the decision to comply and on to secure behavior.
INFRASTRUCTURE EXECUTIVE COUNCIL®IT PRACTICEwww.iec.executiveboard.com
© 2011 The Corporate Executive Board Company. All Rights Reserved. IEC0429611SYN
Understand "Consumerized" Demand

MAKING THEMSELVES AT HOME

Across attitudinal segments, significant percentages of employees are using a broad spectrum of consumer technologies for work.

Consumer Technologies Used on a Regular Basis for Work
Percentage of respondents, "Which personal/consumer technologies do you use on a regular basis for getting work done?" (n = 9,990 global employees, multiple responses allowed)

Segment                                        Personally Owned Devices   Social Networking Technologies   Collaboration/Productivity Tools   Communication Tools
Early Adopters                                 78%                        59%                              39%                                51%
Open to New Technology                         65%                        45%                              26%                                44%
Skeptics/Wary/Uninterested in New Technology   51%                        32%                              15%                                40%

Technologies asked about:
■ Personally owned iPhone, Android/Droid, or BlackBerry smartphone
■ Personally owned laptop or home computer
■ Personally owned tablet
■ Facebook/other social networking sites
■ Google Docs/Zoho
■ SlideShare, Flickr, Dropbox, or other storage/sharing resources
■ Blogger, WordPress, or other blogging software
■ Other productivity tools (e.g., Evernote, audio recording) available on the Internet
■ Skype
■ Other communication tools available on the Internet

Source: IEC Employee Technology Value Survey 2011.
See Appendix for findings by individual technologies.
RISKS FROM EMPLOYEE BEHAVIOR

Although CISOs have long been concerned with phishing, the concern has risen recently due to the use of this method by APTs.
■ CISOs consistently agreed on the reason given for high risk ratings: the lack of available approaches.
■ Other types of employee behavior have CISOs much less concerned than in recent years, especially use of social media, which was a top-five risk for members in 2010.
■ Although some phishing e-mails have become much more difficult to detect, many are still not perfect, and other types of social engineering such as pretexting are still amenable to employee awareness.
■ Members should visit the Council's awareness topic center: https://www.irec.executiveboard.com/members/topics/abstract.aspx?cid=100246633.

Risk Ratings (percentage of respondents; n = 55; source: Information Risk Executive Council 2012 Threat Landscape Survey)
Rating          Social Engineering/Phishing   Employee Carelessness   Use of Social Media
Low             2%                            7%                      11%
Moderate        13%                           27%                     14%
Somewhat High   42%                           37%                     51%
High            34%                           27%                     24%
Existential     9%                            2%                      0%

Reason for High Risk Ratings: Social Engineering/Phishing (percentage of respondents)
■ 54% The lack of available approaches
■ 21% Enormous impact (despite low likelihood)
■ 13% Lack of enterprise support to mitigate
■ 8% Lack of security function maturity
■ 4% Our lack of understanding the risk
USERS SEE A DIFFERENCE

End-users view the risks of social media as a class by themselves—there is little correlation between risk perception of social media and risk perception of traditional IT behaviors.
■ Risk correlations within each behavior type (social media or "traditional" IT behaviors) are high—ranging from about 0.6–0.9.
■ The correlations between the risks seen in social media and "traditional" behaviors are below 0.5, indicating that users see the risks from these two behavior types differently.

Correlations of End-User Perceptions of Risks (schematic; distance between risks is inversely related to risk perception correlation)
Social Media Risks:
■ Posting company or client information on collaboration sites
■ Using Facebook for job-related networking or collaboration
■ Tweeting on work-related topics
■ Blogging on work-related topics
"Traditional" IT Risks:
■ Leaving sensitive information on desk
■ Leaving laptops unsecured
■ Sharing passwords
■ Copying or e-mailing sensitive data
NEW AWARENESS FOR NEW MEDIA

Social media awareness programs must focus on teaching prudent use at all times rather than on just proscribing certain activities at work.
■ Ninety percent of organizations in the IREC survey already include some social media awareness activities for their end-user population.

Key Differences Between Effective Traditional and Social Media Awareness Programs
Dimension    Traditional Awareness   Social Media Awareness   Implications for Awareness Program
Goal         Strict Compliance       General Prudence         Awareness programs must teach highly nuanced and complex skills that users need to apply in an evolving and non-standard environment.
Curriculum   Relatively Stable       Rapidly Evolving         The rate of change in social media creates the potential for risks to emerge suddenly, requiring constant updating of curriculum.
Scope        Only Work-Related       Includes Personal Use    The blending of employees' professional and personal lives requires awareness programs to cover personal-use terrain traditionally excluded from curriculum.
Audience     Broad                   Narrow (for now)         Social media awareness activities must take into account the variety of social media adoption and be targeted at a specific, but growing group of users.
ROAD MAP FOR THE PRESENTATION
■ Awareness Challenges and Social Media
■ Social Media Awareness Tactics
■ Key Findings
FINDING CULTURES OF "SECURITY UNAWARENESS"

By analyzing data from its internal security awareness survey, Symantec discovers a correlation between the security habits of direct reports and their superior.
■ The internal security awareness survey tests for general understanding of policies, adherence to policies, and behaviors.
■ Symantec finds and targets communications towards the cultures of "security unawareness" it finds within poor performing parts of the organization.

Identify the Individual Cultures of "Security Unawareness" (illustrative)
1. Invite all employees to participate in a yearly security awareness survey.
2. Collect survey results.
3. Examine results across business units and by director to find trends.
4. Look for patterns of poor score relationships between managers and their direct reports.
5. Target individual teams with communication and training to remediate findings.

Illustrative scoring grid: Business Unit Level Scores, Director Level Scores, and Staff Scores (BU 1: Jo, Mia, Sam; BU 2: Bob, Lyn, Pam; BU 3: Ann, Ted, Sal), each shaded High, Moderate, or Low Security Awareness. Cultures of "Security Unawareness" are where both managers and their direct reports have unacceptable security awareness.
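The five-step process above, as an added runnable illustration (this is not Symantec's or IREC's own tooling): it takes constructed survey scores for the BU 1–3 staff named on the slide, rolls scores up by business unit and director (step 3), measures how closely direct reports' scores track their director's (step 4), and flags only the teams where the director and most of the direct reports both score low, which is the pattern the slide calls a culture of "security unawareness". The director names, every score, and the High/Moderate/Low band thresholds are assumptions made for the example.

```python
"""Find "cultures of security unawareness" in awareness-survey results.

Added example, not Symantec's or IREC's code. Assumes each survey
response has already been reduced to one 0-100 score and that reporting
lines (staff -> director -> business unit) are known, e.g. from HR data.
"""
from collections import defaultdict
from statistics import mean

# Score bands (constructed thresholds, not taken from the deck)
LOW_MAX = 50        # score <= 50  -> "low" awareness
MODERATE_MAX = 75   # 51..75       -> "moderate"; above 75 -> "high"

# Constructed sample data. Staff names come from the slide's illustrative
# grid; the directors and all scores are made up for this example.
DIRECTORS = {          # business unit -> (director, director's own score)
    "BU 1": ("Alex", 88),
    "BU 2": ("Dana", 41),
    "BU 3": ("Kim", 45),
}
STAFF = [              # (employee, business unit, score)
    ("Jo", "BU 1", 90), ("Mia", "BU 1", 82), ("Sam", "BU 1", 71),
    ("Bob", "BU 2", 38), ("Lyn", "BU 2", 47), ("Pam", "BU 2", 66),
    ("Ann", "BU 3", 84), ("Ted", "BU 3", 79), ("Sal", "BU 3", 72),
]


def band(score):
    """Map a numeric score onto the slide's High/Moderate/Low shading."""
    if score <= LOW_MAX:
        return "low"
    if score <= MODERATE_MAX:
        return "moderate"
    return "high"


def staff_by_unit(staff):
    """Group (name, score) pairs by business unit."""
    groups = defaultdict(list)
    for name, unit, score in staff:
        groups[unit].append((name, score))
    return groups


def unit_summary(staff, directors):
    """Step 3: roll results up by business unit and by director."""
    summary = {}
    for unit, members in staff_by_unit(staff).items():
        director, dscore = directors[unit]
        avg = mean(score for _, score in members)
        summary[unit] = {
            "director": director,
            "director_band": band(dscore),
            "staff_mean": round(avg, 1),
            "staff_band": band(avg),
        }
    return summary


def director_report_correlation(staff, directors):
    """Step 4: Pearson correlation between each employee's score and the
    score of that employee's director (one pair per employee)."""
    xs = [directors[unit][1] for _, unit, _ in staff]
    ys = [score for _, _, score in staff]
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5


def find_unaware_cultures(staff, directors, min_low_share=0.5):
    """Steps 4-5: teams where the director AND at least min_low_share of
    the direct reports sit in the low band. A low-scoring director whose
    reports score well (BU 3 in the sample) is deliberately not flagged:
    the slide's pattern needs both sides of the reporting line to be poor."""
    flagged = []
    for unit, members in staff_by_unit(staff).items():
        director, dscore = directors[unit]
        low = [name for name, score in members if band(score) == "low"]
        if band(dscore) == "low" and len(low) / len(members) >= min_low_share:
            flagged.append({"unit": unit, "director": director, "low_reports": low})
    return flagged


if __name__ == "__main__":
    for unit, row in unit_summary(STAFF, DIRECTORS).items():
        print(unit, row)
    print("director/report correlation: %.2f" % director_report_correlation(STAFF, DIRECTORS))
    for team in find_unaware_cultures(STAFF, DIRECTORS):
        print("target for communication and training:", team)
```

With the constructed data only BU 2 is flagged: its director and two of three reports are in the low band. BU 3 shows why the manager-and-reports test matters rather than a director score alone: the director scores low but the team does not, so a blanket "retrain everyone under a low-scoring director" rule would spend training budget where the slide's pattern is absent. The correlation figure is a whole-organization signal for step 4; the per-team flag is what drives step 5.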
BUILDING TRUST THROUGH SOCIAL MEDIA

Intel uses the disinhibition effect of social media to its advantage, hosting online sessions where users can anonymously have conversations with information security.
■ Intel's online platform unites employees from across the organization to have discussions about balancing the need for both a collaborative workplace and information security.

Illustrative anonymous discussion (INTEL | ANONYMOUS SECURITY DISCUSSION)
Post: The new password rules are terrible!!!! I never remember what I changed it to, unless I write it down.
RE: We understand sometimes the policy is too strict. Visit this Intel site to see some tips on how to make memorable passwords.
Post: How can I safely use Intel's name and logo on my Facebook and LinkedIn profiles?
RE: Here is our Social Media policy and Tips page. If you have any questions, let us know.
Post: I don't think this error should have happened: I recently logged into the HR portal and another Intel employee's account displayed instead of my own.
RE: That definitely should not have happened. Can you send more specific details to us?
Post: I've been using GoogleDocs to share information with my team, because the tools we currently have don't let us collaborate like we want to.
Post: We don't have enough software licenses for StatsAreFun, so I have to let my coworkers log onto my machine sometimes.
Post: I saw someone in the Engineering Department making a lot of copies and leaving work with them. I'm not sure where I should go to report this violation.

■ Ensure employees understand that the anonymous space is a place to provide constructive feedback to security.
■ Use the space to provide help to employees when they ask for it.
■ Listen carefully to employees' concerns, since they may point out information security issues that go beyond IT.
■ Look out for usage patterns that may point to pockets of insecure behavior in the organization.
The Consumerization Shift
MAPPING CAPABILITY NEEDS

Mingus Corporation's Technology Value Segmentation Analysis

Mingus Corporation¹ supplements its application consumption analysis with survey data to ensure optimal device provisioning.
■ Survey questions address current technology use and preference patterns, level of access to confidential information, and mobility requirements.
■ Survey results show strong correlation between mobility and "early adopter"-level interest in new technology options.
■ Survey results also identify specific security risks for each user segment.
¹ Pseudonym.

Mingus's analysis suggests a need for disproportionate focus among employees with the most intensive technology use.

Segmentation grid (axes: Mobility Need, Low to High; Access to Sensitive Data, Low to High; segment sizes shown as percentages of the workforce: 7%, 28%, 25%, and 40%):
■ Enable "Early Adopter" Capability: works from multiple locations; deals with confidential information but limited to own customers; uses most applications; clearest vision for how to use technology; greatest interest in BYO and smartphone support.
■ Enable Smartphone Capability: less mobile, does not deal with confidential information; values location flexibility and prefers smartphone use.
■ Enable "Work from Home": satisfied with current technology capability but values ability to work from home.
■ Enable Security: not mobile but requires access to broad sets of confidential information.
APPLICATIONS EXECUTIVE COUNCIL®IT PRACTICE www.aec.executiveboard.com
© 2011 The Corporate Executive Board Company. All Rights Reserved. AEC1115111SYN
BUSINESS EXECUTIVE TEMPERAMENTS

Business-facing applications staff must tailor engagement to business leaders' preferences for risk, benefit, and effort in applications projects.
■ The four business executive temperaments are defined by two dimensions: Openness to Persuasion and Desire for Control of Applications Projects.
■ At the top, the Abdicators and the Opportunists desire less control of Applications projects overall, whereas at the bottom, the Cowboys and the Entrepreneurs seek control.
■ On the left, the Abdicators and the Cowboys are close-minded about how they want to work with Applications on solutions delivery.
■ On the right, the Opportunists and the Entrepreneurs are more open to persuasion about how and why they engage with Applications for solutions delivery.

(Grid axes: Openness to Persuasion, Low to High; Desire for Control, Low to High.)

The Abdicators (11% of sample): They want to do what they do and think IT should do IT.
■ Psychographics: Avoid managing IT projects at all costs; unswayed by the lure of high project returns.
■ Top concern: Want to protect their time above all else.
■ Demographics: Typically have 5–15 years of work experience.

The Opportunists (51% of sample): Reformed Abdicators looking for opportunities to do it themselves.
■ Psychographics: Can be lured by high returns to self-manage projects; avoid risky IT projects at all costs.
■ Top concern: Most concerned about getting the full scope of what they want.
■ Demographics: Typically have 5–15 years of work experience.

The Cowboys (15% of sample): See applications solutions as critical and need to control them; impatient.
■ Psychographics: Want to self-manage IT projects at all costs; insensitive to risk.
■ Top concern: Speed to market is the most important motivator.
■ Demographics: Typically have 16–25 years of experience.

The Entrepreneurs (23% of sample): Can look like Cowboys but have a more rational desire to control projects; want to hit home runs and are willing to take risks to do it.
■ Psychographics: Will do it themselves for higher returns, even if taking on risk; will do what it takes to attain business outcomes.
■ Top concern: Most concerned about achieving business case/outcomes.
■ Demographics: Typically have 16–25 years of experience.
INFORMATION RISK EXECUTIVE COUNCIL®IT PRACTICE www.irec.executiveboard.com
© 2011 The Corporate Executive Board Company. All Rights Reserved. IREC0713711SYN
SELF-SERVICE PROJECT RISK ASSESSMENTS

The Challenge of Efficiently Assessing Project Risks (root cause analysis)

Challenge: Too Many Projects to Fully Assess for Information Risks

Root Causes:
1. Security resources are insufficient to review all projects.
2. Project managers are overburdened by security requirements.
3. Too many complex controls hinder timely project completion.

BP's Insight:
1. Security needs an approach that transfers risk management activities to project managers while still maintaining process oversight and guidance.
2. With simplified requirements and the right support tools, project managers can own assessment and control implementation for lower-risk projects.
3. Baseline controls are too static; the needs of projects should drive optimization of the baseline controls portfolio to minimize required project controls.

Components:
1. Handing off responsibility, responsibly
2. A supportive role for Security
3. Baseline control evolution
WIN-WIN

BP's project risk management redesign is improving project assessment coverage and reallocating resources to where they are needed most.
■ "Security-Involved" project assessments include all projects with any degree of direct security involvement.
■ For the two percent of projects that are insignificant changes to existing systems, true waivers for assessment are granted.
■ "Self-Service" project assessments include all projects that can meet security requirements without any direct security involvement.
■ "Security-Led" project assessments include projects in which Security is embedded early in the SDLC.

Improvement from Security's Point of View (projects/year)
Previous:
■ 450 waivered projects, invisible to Security
■ 1,050 "Security-Involved" project assessments
■ Four FTEs performing testing; twelve FTEs performing risk assessments (~90 projects per FTE annually)
Redesigned:
■ 50 no assessment required (low risk)
■ 850 "Self-Service" project assessments
■ 600 "Security-Led" project assessments
■ Four FTEs (who previously performed testing) now providing self-service support
■ Twelve FTEs (who assess ~50 projects annually)
Elimination of a significant number of projects not receiving a risk assessment. Approximately 45% decrease in project workload per FTE enables deeper involvement in critical projects.

Improvement from the Project Manager's Point of View
■ Lightweight: Projects eligible for self-service comply with 36 minimum requirements rather than the 107 items on the full security assessment.
■ Faster: For projects using self-service, the work needed will take 3–4 hours, fewer for small projects.
ROAD MAP FOR THE PRESENTATION
■ Awareness Challenges and Social Media
■ Social Media Awareness Tactics
■ Key Findings

KEY FINDINGS
1. Despite increased interest in, and spend on, security technologies, focussing on end-user awareness and behaviour has the biggest outcome. End-users approach new technologies differently than they approach traditional IT.
2. As well as training, investment in security technologies needs to be focussed on user groups who most often access the most critical data.
3. Business partners want to take on more responsibility for IT delivery, but their ability to do this effectively depends on temperament.
4. IT should focus on creating clear and accountable processes to hand off project decisions, enabling a focus on fewer projects that carry 'real' risk.