Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia,...
A model for reducing information security risks due to human error
By Anup Narayanan, Founder & CEO, ISQ World
Security policy: Never share passwords
"Don't tell anyone, my password is…"
Nelson Mandela offers you a glass of water…
This man… offers you a glass of water
Question: Which water will you accept? Why?
1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk plan:
I. Differentiate between "Awareness" & "Behavior" (we are here)
II. Case study
III. Solution model
IV. Resources
© First Legion Consulting
Awareness?
Do not share passwords!
Shred documents before disposing.
Behavior?
Putting it together…
Awareness: I know
Behavior: I do
Culture: We do
Talk plan (we are here): II. Case study
Case study
Client: One of the largest mobile service providers in the world
• What? Spent US$100,000 on a security awareness campaign
• How? Screen savers, posters, emailers
• Who? Target: all employees
What did we do?
Benchmarked "awareness vs. behavior" and produced a scorecard.
The scorecard
Reason 1: Operational issues…
Message in the poster: Don't share passwords
Response by HR manager: "If I don't share my password, salaries won't get processed here… including that of the InfoSec manager."
Reason 2: Confusion… too many rules. Which one do I follow?
Reason 3: Perception… Which is safer?
Reason 4: Attitude… influenced by cost (peer pressure, top management behavior)
"Nothing's gonna happen to me if I violate the security policies?"
"Well, I saw her doing it… shall I?"
"Awareness" & "Behavior": Independent but interdependent
Question: A person knows the traffic rules. Does that make the person a good driver?
Answer: Not necessarily. "Knowing" and "doing" are two different things.
Question: A person knows the "information security rules". Does that make the person a responsible information security practitioner?
Answer: Same as above.
Knowing = Awareness
Doing = Behavior
Talk plan (we are here): III. Solution model
• HIMIS – Human Impact Management for Information Security
• Objective – To provide a model to reduce security risks due to human error
• Creative Commons License, free for non-commercial use
• Download – http://www.isqworld.com, click on the HIMIS link
HIMIS solution model (work backwards from the goal):
Define → Strategize → Deliver → Verify → Responsible information security behavior
Define
• Choose ESPs (Expected Security Practices): information security awareness and behaviour requirements valid for the business
• Review and approval of ESPs
• Baseline ESP assessment
ESP: Information classification
Awareness criterion
• The employees must know the different information classification criteria: "Confidential, Internal, Public"
• The employees must know how to specify the classification, for example, in the footer of each document
Behaviour criterion
• The employees must actually classify documents in day-to-day work. The evidence of this classification must be available.
Strategize
• For awareness management
– Coverage
– Format & visibility: verbal, paper and electronic
– Frequency
– Quality of content
• Impact visualization
• Clarity & ease of understanding
• Business relevance
• Consideration of cultural factors
– Retention measurement
• For behavior management
– Motivational strategies
– Enforcement/disciplinary strategies
"Wow! This security awareness video is so cool!"
"Yup! Not the usual glorified PowerPoint."
A 120-minute training plan
• 120 minutes of training in a year
– 45 minutes classroom or e-learning
– 15 minutes screen saver (12 × 1 to 1.5 minutes)
– 15 minutes posters/wallpaper (same as above)
– 30 minutes through short videos (6 × 5 minutes)
– 20 minutes through quizzes/surveys (2 × 10 minutes)
Behavior management: What works?
"Let's fire him"
"Let's cut his email access"
"Let's talk to him"
[Chart: Poor security behavior vs. inconvenience (axes: inconvenience, poor security behavior)]
[Chart: Poor security behavior vs. cost (axes: cost (enforcement), poor security behavior)]
Case study 1: Changing behavior (IT service provider)
• What we did?
– Quarterly "end-user desktop audits"
– Findings were noted and "signed and agreed by auditee"
– Disputes were noted and "signed"
– Audit findings were submitted to the InfoSec team
Case study 1: Changing behavior (electronic retail store)
• Audit finding: Cash boxes are left open when unattended
• Cost attached: Branch manager will lose 25% of annual bonus for every violation
• Compliance today is above 98%
Deliver
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt
Verify
• Audit strategy
– Selection of ESPs
– Define sample size
– Audit methods
• For awareness: interviews, surveys, quizzes, mind-map sessions
• For behavior: observation, data mining, log review, review of incident reports, social engineering?
– Reasonable limitations
– Behavior may not always be visible
Talk plan (we are here): IV. Recap & Resources
Recap
Define → Strategize → Deliver → Verify → Responsible information security behavior
Tip! Get HR buy-in
InfoSec manager / HR manager:
"People are my biggest asset!"
"People are my biggest threat!"
You must talk the same thing!
Conclusion
If you can influence perception, you can influence the way people choose or react (behavior).
Perception is influenced if there is a cost for an action.
"If I follow the information security rules, will I gain something? If I don't follow, will I lose something?"
When you get your users to think this way, you are on your way to a better information security culture!
Resources
• Free security awareness videos – www.isqworld.com
• Bruce Schneier – The Psychology of Security – http://www.schneier.com/essay-155.pdf
• The Information Security Management Maturity Model (ISM3) – www.ism3.com
Anup Narayanan, Founder & Principal Architect
ISQ World, A First Legion Initiative
www.isqworld.com