Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia,...


description

A talk that is based on my methodology HIMIS (Human Impact Management for Information Security) for reducing information security risks due to human error. To know more about HIMIS, visit http://www.isqworld.com/himis

Transcript of Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia,...

Page 1: Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

A model for reducing information security risks due to human error
By Anup Narayanan, Founder & CEO, ISQ World

[Slide image] Security Policy poster: “Never share passwords” / Employee: “Don’t tell anyone, my password is…..”

Page 2

Nelson Mandela offers you a glass of water….

Page 3

This man…. offers you a glass of water

Page 4

Question: Which water will you accept? Why?

Page 5

1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior” (we are here)
   II. Case study
   III. Solution model
   IV. Resources

© First Legion Consulting

Page 6

Awareness? “Do not share passwords!”

Page 7

Behavior? [Slide image] Poster: “Shred documents before disposing”

Page 8

Putting it together….

Awareness: I know
Behavior: I do
Culture: We do

Page 9

1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study (we are here)
   III. Solution model
   IV. Recap & Resources

Page 10

Case-study:

Client: One of the largest mobile service providers in the world

• What? Spent US$ 100,000 on a security awareness campaign
• How? Screen savers, posters, emailers
• Who? Target: all employees

Page 11

What did we do?

“Awareness vs. behavior” benchmarking, and produced a scorecard

Page 12

The scorecard

[Slide image: the scorecard itself is not reproduced in the transcript]

Page 13

Reason 1: Operational issues ….

Message in the poster: “Don’t share passwords”

Response by HR Manager: “If I don’t share my password, salaries won’t get processed here… including that of the InfoSec manager.”

Page 14

Reason 2: Confusion ... Too many rules

“Which one do I follow?”

Page 15

Reason 3: Perception…

“Which is safer?”

Page 16

Reason 4: Attitude … influenced by cost (peer pressure, top management behavior)

“Nothing’s gonna happen to me if I violate the security policies?”

“Well, I saw her doing it… shall I?”

Page 17

“Awareness” & “Behavior”: Independent but interdependent

Question: A person knows the traffic rules. Does that make the person a good driver?
Answer: Not necessarily. “Knowing” and “Doing” are two different things.

Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner?
Answer: Same as above.

Knowing = Awareness
Doing = Behavior

Page 18

1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study
   III. Solution model (we are here)
   IV. Recap & Resources

Page 19

• HIMIS – Human Impact Management for Information Security
• Objective – To provide a model to reduce security risks due to human error
• Creative Commons License, free for non-commercial use
• Download – http://www.isqworld.com, click on the HIMIS link

Page 20

HIMIS solution model - Work backwards

[Slide diagram] Define → Strategize → Deliver → Verify, leading to: Responsible information security behavior

Page 21

Define → Strategize → Deliver → Verify: Define step

• Choose ESPs (Expected Security Practices): the information security awareness and behaviour requirements valid for the business
• Review and approval of ESPs
• Baseline ESP assessment

Page 22

ESP: Information Classification

Awareness criterion:
• The employees must know the different information classification criteria: "Confidential, Internal, Public"
• The employees must know how to specify the classification, for example, in the footer of each document

Behaviour criterion:
• The employees must actually classify documents in day-to-day work. The evidence of this classification must be available.
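The behaviour criterion above asks for evidence that documents are actually classified. As an added example (not from the talk and not part of HIMIS), the following Python script audits a sample of document texts for the footer label the awareness criterion describes and turns the result into scorecard-style numbers. The footer convention `Classification: <label>`, the three-line footer window and the sample documents are assumptions constructed for this example.

```python
"""Evidence check for the 'Information Classification' ESP.

Added example, not part of the original slide deck or of HIMIS itself.
The behaviour criterion on the slide is that employees actually classify
documents and that evidence is available; this script audits a sample of
document texts for the footer label the awareness criterion describes.
The documents below are constructed sample inputs; the footer format
'Classification: <label>' is an assumption, not a HIMIS requirement.
"""
import re
from collections import Counter

# The classification scheme named on the slide.
ALLOWED_LABELS = ("Confidential", "Internal", "Public")

# Assumed footer convention: a line such as "Classification: Internal"
# somewhere in the last few lines of the document.
FOOTER_RE = re.compile(r"^\s*Classification\s*:\s*(?P<label>[A-Za-z]+)\s*$",
                       re.IGNORECASE)
FOOTER_WINDOW = 3  # trailing lines treated as "the footer"


def classification_of(text: str):
    """Return (status, label) for one document.

    status is one of:
      'ok'       - footer present with a label from the scheme
      'invalid'  - footer present but the label is not in the scheme
      'missing'  - no classification footer at all
    """
    tail = text.rstrip().splitlines()[-FOOTER_WINDOW:]
    for line in tail:
        m = FOOTER_RE.match(line)
        if m:
            raw = m.group("label")
            for allowed in ALLOWED_LABELS:
                if raw.lower() == allowed.lower():
                    return "ok", allowed       # normalise case for the report
            return "invalid", raw
    return "missing", None


def audit(documents: dict) -> dict:
    """Audit a mapping of document name -> text.

    Returns a summary usable as scorecard input: counts per status, the
    per-label breakdown of correctly classified documents, the documents
    needing follow-up, and compliance as a percentage.
    """
    statuses = {}
    labels = Counter()
    for name, text in documents.items():
        status, label = classification_of(text)
        statuses[name] = status
        if status == "ok":
            labels[label] += 1
    counts = Counter(statuses.values())
    total = len(documents)
    compliance = round(100.0 * counts["ok"] / total, 1) if total else 0.0
    return {
        "counts": dict(counts),
        "labels": dict(labels),
        "follow_up": sorted(n for n, s in statuses.items() if s != "ok"),
        "compliance_pct": compliance,
    }


# Constructed sample documents (not real client data).
SAMPLE_DOCUMENTS = {
    "payroll-run-2011-06.txt": "Payroll run for June.\nTotals attached.\n\nClassification: Confidential\n",
    "canteen-menu.txt": "Monday: rice\nTuesday: noodles\nClassification: public\n",
    "vendor-contract-draft.txt": "Draft terms for vendor X.\nSee section 4.\n",
    "network-diagram-notes.txt": "Core switch pair in rack 3.\n\nClassification: Secret\n",
    "team-offsite-plan.txt": "Offsite on 12 July.\nClassification: Internal\nPlease RSVP.\n",
}

if __name__ == "__main__":
    result = audit(SAMPLE_DOCUMENTS)
    print(f"Compliance: {result['compliance_pct']}%  counts={result['counts']}")
    for name in result["follow_up"]:
        print(f"  follow up: {name} ({classification_of(SAMPLE_DOCUMENTS[name])[0]})")
```

On the constructed sample this reports 60% compliance: three documents carry a valid label, one has no footer and one uses a label ("Secret") that is not in the scheme. The "invalid" case is worth keeping separate from "missing" in the scorecard, since the first points at an awareness gap (the scheme is not known) while the second points at a behaviour gap (the scheme is known but not applied).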

Page 23

Define → Strategize → Deliver → Verify: Strategize step

• For awareness management
  – Coverage
  – Format & visibility: Verbal, Paper and Electronic
  – Frequency
  – Quality of content
    • Impact visualization
    • Clarity & ease of understanding
    • Business relevance
    • Consideration of cultural factors
  – Retention measurement
• For behavior management
  – Motivational strategies
  – Enforcement/ disciplinary strategies

Page 24

Quality of content

• Impact visualization
• Clarity & ease of understanding
• Business relevance
• Consideration of cultural factors

[Slide cartoon] “Wow! This security awareness video is so cool!” / “Yup! Not the usual glorified PowerPoint.”

Page 25

A 120 minute training plan

• 120 minutes of training in a year
  – 45 minutes classroom or e-learning
  – 15 minutes screen saver (12 x 1 to 1.5 minutes)
  – 15 minutes posters/ wallpaper (same as above)
  – 30 minutes through short videos (6 x 5 minutes)
  – 20 minutes through quizzes/ surveys (2 x 10 minutes)

Page 26

Behavior management: What works?

[Slide cartoon] “Let’s fire him” / “Let’s cut his email access” / “Let’s talk to him”

Page 27

[Slide chart] Poor security behavior vs. inconvenience (axes: inconvenience, poor security behavior)

Page 28

[Slide chart] Poor security behavior vs. cost (axes: cost (enforcement), poor security behavior)

Page 29

Case study 1: Changing behavior (IT Service Provider)

• What we did:
  – Quarterly “End-User Desktop Audits”
  – Findings were noted and “Signed and Agreed by Auditee”
  – Disputes were noted and “Signed”
  – Audit findings were submitted to InfoSec Team

Page 30

Case study 1: Changing behavior (Electronic Retail Store)

• Audit finding: Cash boxes are left open when unattended
• Cost attached: Branch manager will lose 25% of annual bonus for every violation
• Compliance today is above 98%

Page 31

Define → Strategize → Deliver → Verify: Deliver step

• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt

Page 32

Define → Strategize → Deliver → Verify: Verify step

• Audit strategy
  – Selection of ESPs
  – Define sample size
  – Audit methods
    • For awareness: Interviews, surveys, quizzes, mind-map sessions
    • For behavior: Observation, data mining, log review, review of incident reports, social engineering?
  – Reasonable limitations
  – Behavior may not always be visible
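Log review is one of the behaviour audit methods listed for the Verify step, and "define tolerable deviation" appears in the Deliver step. As an added example (not from the talk and not part of HIMIS), the Python script below applies both to the "Never share passwords" ESP from the opening slide: a workstation logon log is reviewed for accounts that hold live sessions on two different workstations at the same time, the result is summarised per department, and each department is compared against a tolerable deviation. The log format, the sample log lines, the department field and the 5% tolerance are all constructed assumptions for this example.

```python
"""Log review as a behaviour-audit method for the ESP 'Never share passwords'.

Added example; not part of the original talk or of HIMIS. It demonstrates
one behaviour audit method from the Verify slide (log review): the same
account holding interactive sessions on two workstations at the same time
is recorded as evidence to follow up. The log format and sample lines are
constructed for this example; the tolerance value is an assumed
'tolerable deviation' (Deliver slide), not a figure from the talk.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Assumed format: <ISO timestamp> <event> key=value ...
SAMPLE_LOG = """\
2011-06-14T08:55:02 LOGON  user=hr.manager host=WS-HR-01  dept=HR
2011-06-14T09:02:11 LOGON  user=hr.manager host=WS-HR-07  dept=HR
2011-06-14T09:10:45 LOGON  user=a.tan      host=WS-FIN-03 dept=Finance
2011-06-14T09:40:00 LOGOFF user=hr.manager host=WS-HR-01  dept=HR
2011-06-14T10:05:30 LOGOFF user=a.tan      host=WS-FIN-03 dept=Finance
2011-06-14T10:06:00 LOGON  user=a.tan      host=WS-FIN-04 dept=Finance
2011-06-14T10:30:12 LOGON  user=b.lim      host=WS-FIN-09 dept=Finance
2011-06-14T11:00:00 LOGON  user=b.lim      host=WS-FIN-09 dept=Finance
2011-06-14T12:15:00 LOGOFF user=hr.manager host=WS-HR-07  dept=HR
"""


def parse_line(line: str):
    """Parse one log line into a dict; returns None for blank/short lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    rec = {"ts": datetime.fromisoformat(parts[0]), "event": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def _records(log_text: str):
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    recs.sort(key=lambda r: r["ts"])       # logs are not guaranteed to be in order
    return recs


def find_concurrent_sessions(log_text: str):
    """Evidence records: one per LOGON that started while the same account
    already had a live session on a *different* host.

    A LOGOFF followed by a LOGON elsewhere (user moved desks) and a repeated
    LOGON on the same host are deliberately not flagged.
    """
    active = defaultdict(set)              # user -> hosts with a live session
    evidence = []
    for r in _records(log_text):
        user, host = r["user"], r["host"]
        if r["event"] == "LOGON":
            others = active[user] - {host}
            if others:
                evidence.append({
                    "user": user,
                    "dept": r["dept"],
                    "at": r["ts"].isoformat(),
                    "new_host": host,
                    "already_on": sorted(others),
                })
            active[user].add(host)
        elif r["event"] == "LOGOFF":
            active[user].discard(host)     # LOGOFF without LOGON is harmless
    return evidence


def scorecard(log_text: str) -> dict:
    """Per-department compliance: share of accounts with no concurrent-use evidence."""
    seen = defaultdict(set)
    for r in _records(log_text):
        seen[r["dept"]].add(r["user"])
    flagged = defaultdict(set)
    for e in find_concurrent_sessions(log_text):
        flagged[e["dept"]].add(e["user"])
    card = {}
    for dept, users in seen.items():
        bad = len(flagged[dept])
        card[dept] = {
            "accounts": len(users),
            "flagged": bad,
            "compliance_pct": round(100.0 * (len(users) - bad) / len(users), 1),
        }
    return card


def within_tolerance(card: dict, tolerable_deviation_pct: float) -> dict:
    """Apply the tolerable deviation defined in the Deliver step (assumed value)."""
    return {dept: (100.0 - row["compliance_pct"]) <= tolerable_deviation_pct
            for dept, row in card.items()}


if __name__ == "__main__":
    for e in find_concurrent_sessions(SAMPLE_LOG):
        print(f"follow up: {e['user']} ({e['dept']}) logged on at {e['new_host']} "
              f"while still active on {', '.join(e['already_on'])} at {e['at']}")
    card = scorecard(SAMPLE_LOG)
    for dept, ok in within_tolerance(card, 5.0).items():   # assumed 5% tolerance
        print(f"{dept}: {card[dept]['compliance_pct']}% compliant, "
              f"{'within' if ok else 'outside'} tolerance")
```

On the sample log only `hr.manager` is flagged (logged on at WS-HR-07 while the WS-HR-01 session was still open); `a.tan` logged off before moving workstations and `b.lim` only repeated a logon on the same host, so neither is evidence. As the Verify slide itself notes, behaviour may not always be visible: a concurrent session is a reason to follow up with the auditee, not proof of password sharing on its own, and an account that is shared but used from one workstation leaves no trace in this log at all.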


Page 34

1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study
   III. Solution model
   IV. Recap & Resources (we are here)

Page 35

Recap

[Slide diagram] Define → Strategize → Deliver → Verify, leading to: Responsible information security behavior

Page 36

Tip! Get HR buy-in

[Slide cartoon] InfoSec Manager and HR manager: “People are my biggest asset!” / “People are my biggest threat!” / “You must talk the same thing!”

Page 37

Conclusion

If you can influence perception, you can influence the way people choose or react (behavior).

Perception is influenced if there is a cost for an action.

Page 38

“If I follow the information security rules, will I gain something? If I don’t follow, will I lose something?”

When you get your users to think this way, you are on your way to a better information security culture!

Page 39

Resources

• Free security awareness videos – www.isqworld.com
• Bruce Schneier – The Psychology of Security – http://www.schneier.com/essay-155.pdf
• The Information Security Management Maturity Model (ISM3) – www.ism3.com

Page 40

Anup Narayanan, Founder & Principal Architect
ISQ World, A First Legion Initiative
[email protected]
www.isqworld.com