New York State Higher Education CIO Conference West Point - July 2005

Building an Information Security Culture in a Global Enterprise
Jane Scott Norris, CISSP CISM, Chief Information Security Officer, U.S. Department of State

Transcript of New York State Higher Education CIO Conference West Point - July 2005

Page 1: Building an Information Security Culture in a Global Enterprise

Jane Scott Norris, CISSP CISM
Chief Information Security Officer
U.S. Department of State

Page 2: Information Security Program

Designed to Protect INFORMATION

Policy and Procedures
• To support business objectives while considering security requirements

Informing users of their responsibilities
• Employees must know policies, understand their obligations, and actively comply

Monitoring and review of program

Page 3: Information Security Drivers

• Constantly changing IT
• Increasing connectivity
• Rush to market
• Readily available hacking tools
• Increasing risk
• Only as strong as the weakest link

Insider threat is always greatest: deliberate, careless, irrational or uninformed

Page 4: 3 Waves of Information Security

Technical Wave
• Authentication and access control

Management Wave
• Policies, procedures
• CISO and separate security staff

Institutionalization Wave
• Information Security Awareness
• Information Security Culture
• Standardization, certification and measurement
• Human aspects

Von Solms (2000)

Page 5: It's A People Problem

Information and Information Systems Security:
• Products (H/W and S/W)
• Processes (management, operational)
• People (users, administrators)

Ensuring that employees receive tailored and timely awareness, training, and education is paramount to maintaining effective security

Page 6: The Security Gap

Security technology is essential
• Firewalls, anti-virus, intrusion detection, encryption etc.

Technology is not enough
• Gartner: 80% of downtime is due to people and processes

The tighter the security controls, the harder they are to break, and the target becomes the user
• Technology can make it difficult to forge IDs but can't stop people getting real IDs under fake names

Technology can never stop social engineering
• People are still tricked into disclosing their passwords

Creating and maintaining a security culture is critical for closing the security gap

Page 7: People and Machines

Security controls deal with known risk; people spot irregularities

Employees that are security conscious and correctly trained
• Develop a "feeling" for what is "normal" behavior
• Recognize unusual, unexpected behavior

Employees need to
• Adapt to new scenarios
• Report and act on incidents

A well informed workforce helps to promulgate good security habits, and to identify and mitigate problems quickly

Page 8: Awareness, Training & Education: Comparative Framework

| | Awareness | Training | Education |
| Attribute | What | How | Why |
| Level | Information | Knowledge | Insight |
| Learning Objective | Recognition & Retention | Skill | Understanding |
| Example Teaching Method | Media: videos, newsletters, posters | Practical instruction: lecture and/or demo, case study, hands-on practice | Theoretical instruction: seminar and discussion, reading and study, research |
| Test Measure | True/False, Multiple Choice (identify learning) | Problem Solving, Recognition & Resolution (apply learning) | Essay (interpret learning) |
| Impact Timeframe | Short-Term | Intermediate | Long-Term |

"The Human Factor in Training Strategies" by Dorothea de Zafra, Nov. 1991, as quoted in NIST SP 800-16

Page 9: Security Awareness Program

Communicate security requirements
• Policy, rules of behavior

Communicate roles and responsibilities

Improve understanding of proper security procedures
• At work and at home

Serve as basis for monitoring and sanctions program

Majority of organizations view security awareness as important, although they do not believe they invest enough in this area.
2004 CSI/FBI Computer Crime and Security Survey

Page 10: NIST Guidance

NIST SP 800-53: "An effective information security program should include … security awareness training to inform personnel of the information security risks associated with their activities and responsibilities in complying with organizational policies and procedures designed to reduce these risks"

NIST SP 800-50: "Awareness involves guiding and motivating people on appropriate behaviors"

NIST SP 800-16: The fundamental value of security awareness is to create "a change in attitudes which change the organizational culture"

Page 11: Information Security Culture

Information security culture must complement the organizational culture
• Congruent with the mission
• Commensurate with risk appetite

Common elements of a security culture across organizations
• Privacy, internal controls
• Protection of proprietary information
• Laws

Employee vigilance and appropriate response are a natural part of the daily activities of every employee

Page 12: Attitude Adjustment

Attitude is important
• Predictor of behavior
• Motivator of behavior
• Source of risk
• Irrational behavior based on passion (love, anger)

PERSUASION: Changing attitudes and behavior

Attitude can be changed
• Social Psychology
• Fish!

Page 13: Social Psychology

[Diagram: ATTITUDE triangle with vertices Affect, Behavior and Cognition]

Influencing Behavior and Decision-Making

Sam Chun, CISSP: Change that Attitude: The ABCs of a Persuasive Awareness Program

Page 14: ABC Model

Affect
• Emotional response
• More likely to do activities that are fun or make us feel good, and to avoid negative feelings (guilt, fear, pain)

Behavior
• Feedback for attitudes
• Doing leads to liking

Cognition
• Opinions formed by reasoning

Page 15: Influence Techniques

• Reciprocity
• Cognitive Dissonance
• Diffusion of Responsibility
• Individualization
• Group Dynamics
• Social Proof
• Authority
• Repetition

CONSISTENCY OF MESSAGE

Page 16: Reciprocity

o Indebtedness
• Obligation to reciprocate on debt

o Trinkets
• Lanyards, pens, mousepads, lunch bags
• Simple slogan

Large ROI

Page 17: Cognitive Dissonance

o Performing an action that is contrary to beliefs or attitude
o Natural response is to reduce the tension/discord
o Requirement to repeat an unpopular procedure makes it more palatable

Examples:
• Mandatory, periodic change of password
• Requirement for strong passwords

(Later NIST guidance, SP 800-63B, advises against forcing periodic password changes unless there is evidence of compromise, so the first example is dated; the persuasion mechanism it illustrates is unchanged.)

Page 18: Diffusion of Responsibility

o Members of a group take less personal responsibility when group output, not individual contribution, is measured

o Avoid anonymity
• Remind employees that they are responsible for all system activity conducted under their logon

[Slide graphic: "Cyber Security: It's Everyone's Job!" with "ELSE" inserted by a caret, so that it reads "It's Everyone ELSE's Job!"]

Page 19: Individualization

o Opposite of Diffusion of Responsibility
o Individual accountability
• ID badges
• Personalized messages
• In-person delivery
• Individual rewards

Information Assurance – It's MY job too!

Page 20: Group Dynamics

o In a group, individuals tend to adopt more extreme attitudes to a topic over time
• Diffusion of Responsibility
• Leaders tend to be those with stronger views, more extreme attitudes

o Group interaction will enhance security in a group that has a propensity for security
o Peer pressure

Page 21: Social Proof

o People mimic others' behavior
o Be aware of informal communications
• Most frequent
• Must be on message

o Ensure good examples; discourage bad behavior

One ill-chosen comment from an influential person can undo months of awareness efforts

Page 22: Obedience to Authority

o Natural tendency to obey authority
o Ensure executive commitment
o Ensure line manager buy-in

Message multipliers: senior management participation and senior leadership by example

Page 23: Repetition

o Repeated exposure to a consistent message can change attitudes
o The more familiar people are with policies and procedures, the more correct behavior is induced
o Use all channels of communication
• Formal and informal
• Push and pull

"If a stimulus, originally an attention-getter, is used repeatedly, the learner will selectively ignore the stimulus." NIST SP 800-16

Page 24: Fish! Approach to Work

• Choose Your Attitude
• Play
• Make Their Day
• Be Present

Fish! Lundin, Stephen C., Paul, Harry and Christensen, John. Hyperion Books, 2000
"Boost Morale and Improve Results"

Page 25: Consistency

Familiarity breeds contempt?

Repetition induces liking
• Chun: Change that Attitude

Even a boring job can be fun
• Fish!

Variety is the spice; consistency the staple

Page 26: Target Audience

Every system user

NIST defines 5 roles
• Executives
• Security personnel
• System owners
• System administrators and IT support
• Operational managers and system users

Page 27: The Awareness Team

• Senior management
• CIO and CISO
• Functional elements
• Security professionals
• System administrators
• Every individual employee!

The more YOU know, the stronger WE are!

Page 28: Tailored Approach

Mandatory annual awareness presentation for all
• General
• Real world examples
• Lots in the press about identity theft

Home PC security
• Bring the message home

Other sessions tailored for particular groups
• Targeted messages and examples

Involve people in awareness to overcome their resistance to change

Individuals have different learning styles

Page 29: Delivery

Prior to being granted privileges
• No access without awareness

Periodically
• Mandatory annual awareness
• Classes or on-line

Interim, short communiqués
• E-mails, broadcasts, "Tip of the Day"
• In response to new threats, vulnerabilities and policies

Small group sessions

Less formal events
• Fairs, awareness days
• Games – Security Jeopardy

Push – pull techniques

Page 30: On-going Program

• Cultural change takes time
• Continuous program
• Maintain employee awareness and organizational commitment

"Awareness presentations must be on-going, creative, and motivational, with the objective of focusing the learner's attention so that learning will be incorporated into conscious decision-making." NIST SP 800-16

Page 31: ROI from Security Awareness

• Cost avoidance
• Support of mission objectives
• Protection of image
• Prevention of down time, damage and destruction

Security conscious employees make better cyber citizens

Page 32: Measurement of Program

Externally, in response to FISMA:
• Congress and OMB
• Quarterly and annually
• President's Management Agenda
• Congress FISMA grade

Internally:
• Quarterly bureau scorecards
• Feedback

What gets measured gets done!

Page 33: Output vs. Outcome

Outputs
• Number of employees trained

Outcomes
• Fewer audit findings
• Fewer material weaknesses
• Fewer violations
• Less severe incidents
• Less repetition of errors
• Less damage
• Reduced cost of compliance

Page 34: Measurement of People

Measurement by organizational element
• Peer pressure

Measurement by individual
• Awards/rewards
• Include in employee evaluation

Sanction by individual

Page 35: Security Minded Culture

When employees …
• Are aware of the threats, vulnerabilities and consequences of exploits
• Recognize and report suspicious activity
• Can discuss why controls are necessary
• Take an active role in protecting information

A risk managed approach balances security requirements and mission need

Page 36: A Habit not a Mandate

If we understand why observing good information assurance practice is the right thing to do

Then we will do things because we believe it's the right thing to do, rather than because we're told to do them

Assimilation: an individual incorporates new experiences into an existing behavior pattern

Page 37: Challenge for Security Professionals

• Keep current on new threats, vulnerabilities and solutions
• Educate general users and senior management about threats and exploits. Show them why cyber security is needed and what they can do to protect information
• Instill in all employees a feeling of shared responsibility
• Sell information security

Page 38: It's a Dialogue

Security awareness personnel need to …

Understand
• Security climate
• Business objectives
• Line managers' concerns, problems
• Individual and group issues

Possess
• IT background and security knowledge
• Communication skills
• Marketing skills
• Business savvy

Page 39: The Business Case for Security

Use the language of business
• Show how security supports mission objectives
• Demonstrate the return on investment associated with good security
• Talk with management (and users) in terms they can understand – avoid the language barrier

Drop the "Geek Speak"

Page 40: Summary

Attitudes, Behavior, Culture

Whether it's a homogeneous group in a campus setting or a diverse, global workforce, a variety of techniques and consistency of message are needed

Page 41: 10 Cs of Information Security Culture

1. Comedy
2. Complete
3. Consistent message
4. Customized sessions
5. Current, relevant content
6. Communication channels
7. Common (plain) language
8. Commitment from executives
9. Continuing awareness program
10. Compulsory annual awareness offering

Page 42: References

• Chun, Sam: "Change that Attitude: The ABCs of a Persuasive Awareness Program", Information Security Management Handbook, 5th Edition, Volume 2, Auerbach, 2005
• NIST Special Publication 800-53: "Recommended Security Controls for Federal Information Systems", Feb 2005
• NIST Special Publication 800-50: "Building an Information Technology Security Awareness and Training Program", Oct 2003
• de Zafra, Dorothea: "The Human Factor in Training Strategies", presentation to the Federal Computer Security Program Managers' Forum, Nov. 1991, as quoted in NIST SP 800-16
• NIST Special Publication 800-16: "Information Technology Security Training Requirements: A Role- and Performance-Based Model", April 1998
• Lundin, Stephen C., Paul, Harry and Christensen, John: "Fish!", Hyperion Books, 2000

Page 43: Contact Information

For further information or comments, please e-mail: (address not preserved in this copy)

NY State CIOs