The Difference Between the Reality and Feeling of Security by Thomas Kurian


The paper shall focus on the following:
1) Introduction to the problem: Focus on “security awareness”, not “behavior”
2) Real-life case study of why a US$100,000 “security awareness” project failed
a. Identifying the human component in information security risks
b. Addressing the human component using “awareness” and “behavior” strategies
4) Sample real-life case studies where quantifiable change has been observed
Original research and Publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information Security) authored by Anup Narayanan and published under “Creative Commons,


Transcript

  • 1. The difference between the “Reality” and “Feeling” of Security
    Human Perception and its influence on Information Security
    Captions: “She looks trustworthy” / “I’m gonna steal your toys”
  • 2. The three pieces that make up information security: Technology (firewall), People and Process, arranged around Information
    Technology and processes are only as good as the people that use them
  • 3. Focus of the talk
    • The Human Factor in Information Security
    • The difference between “Awareness and Competence”
    • The power of perception
    • Solution Model + Examples
  • 4. Awareness: I know the traffic rules….
  • 5. Competence? Does it guarantee that I am a good driver?
  • 6. ….even in Information Security!!!!
    Security Policy: Never share passwords
    “Don’t tell anyone, my password is…..”
  • 7. Awareness >> Behaviour >> Culture
    Awareness: “I know”; Behaviour (Competence): “I do”; Culture: “We know and do”
    Aim for a responsible security culture
  • 8. What do organizations need? A system that periodically shows the current Security Awareness and Competence Levels
    Awareness score is 87% (scale: LOW AWARENESS / MEDIUM AWARENESS / HIGH AWARENESS)
    Competence score is 65% (scale: LOW COMPETENCE / MEDIUM COMPETENCE / HIGH COMPETENCE)
    A smart attacker will always try to influence the perception of the employee
  • 9. The power of perception: Why do people make security mistakes?
  • 10. Imagine… APJ Abdul Kalam walks into this room right now and offers you this glass of water….
  • 11. Now, imagine this… This man walks into this room right now and offers you this glass of water….
  • 12. Question: Which water did you accept? Why?
  • 13. Analysis: Were you checking the water or the person serving the water? People decide what is good and what is bad based on “trust”. Perception is influenced by trust.
  • 14. How do people make security decisions? Influence of perception
  • 15. Analysis: Of these two, which terrifies you the most? More people die of heart attacks than by getting eaten by sharks. You may feel safe when you are actually not.
  • 16. Analysis: Of these two, which terrifies you the most? Adrenoleukodystrophy: more kids die choking on french fries than due to adrenoleukodystrophy. People exaggerate risks that are uncommon.
  • 17. I hope now it is clear that we must address the human factor…. Let us summarize…
  • 18. Reason 1: Security is both a “Reality” and a “Feeling”. For security practitioners security is a “Reality” based on the mathematical probability of risks. For the end user security is a “feeling”. Success lies in influencing the “feeling” of security.
  • 19. RSA Attack
  • 20. The Incident: In March 2011, RSA, one of the foremost security companies in the world, disclosed that cyber-attacks had penetrated its internal networks and extracted information from its systems. The consequences were:
    • Financial Loss
    • Reputational Loss
  • 21. Attack: Employee clicked on the attachment of the mail; the embedded component exploited the vulnerability.
  • 22. Analysis: Why did the attack happen?
  • 23. You may wonder… RSA must be having best-in-class firewalls, anti-viruses and other security systems. So, how did this attack happen? It failed to address the Human Factor.
  • 24. Reason 2: Technology…yes, but humans…of course! Aircraft have become more advanced, but does it mean that pilot training requirements have reduced? Medical technology has become more advanced, but will you choose a hospital for its machines or for the doctors?
  • 25. The Solution Model: Security Awareness and Competence Management
  • 26. The solution is based on HIMIS
    • HIMIS: Human Impact Management for Information Security
    • Released under Creative Commons License
    • Free for Non-Commercial Use
    http://www.isqworld.com/himis
  • 27. HIMIS Implementation Model: Define > Strategize > Deliver > Verify, leading to Responsible Information Security Behavior
  • 28. Define
    • Choose the ESPs
    • Review and approval of ESPs
  • 29. Strategize
    For awareness management:
    • Coverage
    • Format & visibility: Verbal, Paper and Electronic
    • Frequency
    • Quality of content
    • Retention measurement (surveys, quizzes)
    For behavior management:
    • Motivational strategies
    • Enforcement / disciplinary strategies
  • 30. Deliver
    • Define tolerable deviation
    • Efficiency
    • Collection of feedback
    • Confirmation of receipt
  • 31. Verify
    • Audit strategy
    • Selection of ESPs
    • Define sample size
    • Audit methods: For awareness: Interviews, Surveys, Quizzes; For behavior: Observation, Review of incident reports, Social engineering?
  • 32. Examples
    • Deploy false emails seeking information
    • Tailgating into the facility
    • Placing media labeled with ‘confidential information’ in cafeteria or other places
  • 33. Reporting model
    Organization’s awareness score was 87% (scale: LOW AWARENESS / MEDIUM AWARENESS / HIGH AWARENESS)
    Organization’s competence score was 65% (scale: LOW COMPETENCE / MEDIUM COMPETENCE / HIGH COMPETENCE)
  • 34. HIMIS Focus
  • 35. 1. Differentiate between Awareness vs. Competence: Consider both “Awareness” and “Competence” independently. For each ESP: Assess, Improve, Re-assess, for Awareness and for Behaviour (Competence). ESP: Expected Security Practice
  • 36. 2. Visualize ….and influence perception
  • 37. 3. Scenario based training (Make people solve challenges)
  • 38. Example Video (PLAY)
  • 39. 4. Remember drip irrigation: Which is more effective, drip irrigation or spraying a lot of water once a day? Small doses, more frequent
  • 40. 5. Re-measure frequently
    Organization’s awareness score was 87% (now: ?) (scale: LOW AWARENESS / MEDIUM AWARENESS / HIGH AWARENESS)
    Organization’s competence score was 65% (now: ?) (scale: LOW COMPETENCE / MEDIUM COMPETENCE / HIGH COMPETENCE)
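The reporting model of slides 8 and 33, the per-ESP assess / improve / re-assess cycle of slide 35 and the re-measurement of slide 40, worked through as an added example. This is my code, not the slides' or the HIMIS material's; it assumes that awareness is measured per ESP from quiz answers, that competence is measured per ESP from observations, that the LOW / MEDIUM / HIGH bands sit at 50 and 80 percent (the slides only name the bands), and that a "tolerable deviation" (slide 30) is the largest share of observed deviations an ESP may show before it goes on the improve list. All sample data is constructed.

```python
"""Added example (not from the slides or HIMIS): a small awareness/competence
scorer in the shape of the HIMIS reporting model, with per-ESP assess /
improve / re-assess and organisation-level bands.

Assumptions made here, not stated on the slides:
- awareness per ESP comes from quiz answers (1 = correct, 0 = wrong);
- competence per ESP comes from observations (1 = ESP followed, 0 = deviation);
- band thresholds: below 50 LOW, 50 to below 80 MEDIUM, 80 and above HIGH;
- 'tolerable deviation' is the largest share of observed deviations allowed.
"""
from dataclasses import dataclass

# Assumed thresholds; the slides only name the LOW / MEDIUM / HIGH bands.
BANDS = ((80.0, "HIGH"), (50.0, "MEDIUM"), (0.0, "LOW"))


def band(score: float) -> str:
    """Map a percentage score onto the LOW / MEDIUM / HIGH band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "LOW"


def pct(hits: list[int]) -> float:
    """Share of 1s in a 0/1 list as a percentage; 0.0 when there is no data."""
    return 100.0 * sum(hits) / len(hits) if hits else 0.0


@dataclass
class EspMeasurement:
    """One Expected Security Practice (ESP) with its two kinds of evidence."""
    esp: str
    quiz: list[int]                    # awareness evidence (slide 31: quizzes, surveys)
    observed: list[int]                # behaviour evidence (slide 31: observation)
    tolerable_deviation: float = 0.10  # assumed ceiling on the deviation share

    def awareness(self) -> float:
        return pct(self.quiz)

    def competence(self) -> float:
        return pct(self.observed)

    def within_tolerance(self) -> bool:
        """Deviation share = observed 0s over all observations."""
        if not self.observed:
            return False  # no evidence: do not claim compliance
        return self.observed.count(0) / len(self.observed) <= self.tolerable_deviation


def organisation_report(measurements: list[EspMeasurement]) -> dict:
    """Slide 33 style summary: mean awareness and competence with their bands,
    plus the ESPs whose behaviour is outside tolerance and need an 'improve' step."""
    n = len(measurements)
    aw = sum(m.awareness() for m in measurements) / n
    co = sum(m.competence() for m in measurements) / n
    return {
        "awareness": round(aw, 1),
        "awareness_band": band(aw),
        "competence": round(co, 1),
        "competence_band": band(co),
        "improve": [m.esp for m in measurements if not m.within_tolerance()],
    }


def remeasure(before: list[EspMeasurement], after: list[EspMeasurement]) -> dict:
    """Slide 40: per-ESP competence change between two measurement rounds."""
    prev = {m.esp: m.competence() for m in before}
    return {m.esp: round(m.competence() - prev[m.esp], 1) for m in after if m.esp in prev}


# Constructed sample data (not real survey or audit results).
BASELINE = [
    EspMeasurement("Never share passwords",
                   quiz=[1, 1, 1, 1, 1, 1, 1, 1, 1, 0],
                   observed=[1, 1, 1, 0, 1, 1, 0, 1, 1, 0]),
    EspMeasurement("Lock the screen when leaving the desk",
                   quiz=[1] * 10,                             # everyone knows the rule...
                   observed=[1, 0, 1, 0, 1, 0, 1, 0, 1, 0]),  # ...half actually do it
    EspMeasurement("Report suspicious email",
                   quiz=[1, 1, 0, 1, 1, 1, 0, 1, 0, 1],
                   observed=[1, 1, 1, 1, 1, 1, 1, 0, 1, 1]),
]

# Second round after targeted work on screen locking (constructed).
FOLLOW_UP = [
    BASELINE[0],
    EspMeasurement("Lock the screen when leaving the desk",
                   quiz=[1] * 10,
                   observed=[1, 1, 1, 0, 1, 1, 1, 1, 1, 0]),
    BASELINE[2],
]

if __name__ == "__main__":
    report = organisation_report(BASELINE)
    print(f"awareness {report['awareness']}% ({report['awareness_band']}), "
          f"competence {report['competence']}% ({report['competence_band']})")
    print("improve:", report["improve"])
    print("change after re-measurement:", remeasure(BASELINE, FOLLOW_UP))
```

The second ESP is the point of slides 4 to 7 in numbers: awareness 100 percent, competence 50 percent, so a report that only showed awareness would call the organisation HIGH while half the observed behaviour deviates. Keeping the two scores separate, and re-running `remeasure` after each improvement round, is what lets the drip-irrigation approach of slide 39 be checked rather than assumed.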
  • 41. Summary: “A smart user in front of the computer is a good security control and is not that expensive.”
  • 42. Let’s switch ON the Human Layer of Information Security Defence. Thank You. http://www.isqworld.com/himis