The Difference Between the Reality and Feeling of Security by Thomas Kurian

The paper shall focus on the following:
1) Introduction to the problem: Focus on “security awareness”, not “behavior”
2) Real-life case study of why a US$100,000 “security awareness” project failed
a. Identifying the human component in information security risks
b. Addressing the human component using “awareness” and “behavior” strategies
4) Sample real-life case studies where quantifiable change has been observed
Original research and Publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information Security) authored by Anup Narayanan and published under “Creative Commons,

  1. “She looks trustworthy.” / “I’m gonna steal your toys.” The difference between the “Reality” and “Feeling” of Security: Human Perception and its influence on Information Security
  2. The 3 pieces that make up information security: Technology (Firewall), People, Process. Technology and processes are only as good as the people that use them.
  3. Focus of the talk
     • The Human Factor in Information Security
     • The difference between “Awareness” and “Competence”
     • The power of perception
     • Solution Model + Examples
  4. Awareness: I know the traffic rules….
  5. Competence? Does it guarantee that I am a good driver?
  6. ….even in Information Security!!!! “Don’t tell anyone, my password is…..” versus the Security Policy: “Never share passwords”.
  7. Awareness >> Behaviour >> Culture
     • Awareness: I know
     • Behaviour (Competence): I do
     • Culture: We know and do
     Aim for a responsible security culture.
  8. What do organizations need? A system that periodically shows the current Security Awareness and Competence Levels, e.g. “Awareness score is 87%” on a LOW / MEDIUM / HIGH AWARENESS scale and “Competence score is 65%” on a LOW / MEDIUM / HIGH COMPETENCE scale. A smart attacker will always try to influence the perception of the employee.
  9. The power of perception: Why do people make security mistakes?
  10. Imagine… APJ Abdul Kalam walks into this room right now and offers you this glass of water….
  11. Now, imagine this… This man walks into this room right now and offers you this glass of water….
  12. Question: Which water did you accept? Why?
  13. Analysis: Were you checking the water or the person serving the water? People decide what is good and what is bad based on “trust”. Perception is influenced by trust.
  14. How do people make security decisions? The influence of perception.
  15. Analysis: Of these two, which terrifies you the most? More people die of heart attacks than by getting eaten by sharks. You may feel safe when you are actually not.
  16. Analysis: Of these two, which terrifies you the most? Adrenoleukodystrophy. More kids die choking on french fries than due to adrenoleukodystrophy. People exaggerate risks that are uncommon.
  17. I hope now it is clear that we must address the human factor…. Let us summarize…
  18. Reason 1: Security is both a “Reality” and a “Feeling”. For security practitioners security is a “Reality” based on the mathematical probability of risks. For the end user security is a “feeling”. Success lies in influencing the “feeling” of security.
  19. RSA Attack
  20. The Incident: In March 2011, RSA, one of the foremost security companies in the world, disclosed that cyber-attacks had penetrated its internal networks and extracted information from its systems. The consequences were
     • Financial Loss
     • Reputational Loss
  21. Attack: An employee clicked on the attachment of the mail. The embedded component exploited the vulnerability.
  22. Analysis: Why did the attack happen?
  23. You may wonder… RSA must have had best-in-class firewalls, anti-viruses and other security systems. So, how did this attack happen? It failed to address the Human Factor.
  24. Reason 2: Technology…yes, but humans…of course! Aircraft have become more advanced, but does it mean that pilot training requirements have reduced? Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
  25. The Solution Model: Security Awareness and Competence Management
  26. The solution is based on HIMIS
     • HIMIS – Human Impact Management for Information Security
     • Released under a Creative Commons License
     • Free for Non-Commercial Use
     • http://www.isqworld.com/himis
  27. HIMIS Implementation Model: Define >> Strategize >> Deliver >> Verify >> Responsible Information Security Behavior
  28. Define
     • Choose the ESPs
     • Review and approval of ESPs
  29. Strategize. For awareness management:
     • Coverage
     • Format & visibility: Verbal, Paper and Electronic
     • Frequency
     • Quality of content
     • Retention measurement (surveys, quizzes)
     For behavior management:
     • Motivational strategies
     • Enforcement / disciplinary strategies
  30. Deliver
     • Define tolerable deviation
     • Efficiency
     • Collection of feedback
     • Confirmation of receipt
  31. Verify
     • Audit strategy
     • Selection of ESPs
     • Define sample size
     • Audit methods. For awareness: Interviews, Surveys, Quizzes. For behavior: Observation, Review of incident reports, Social engineering?
  32. Examples
     • Deploy false emails seeking information
     • Tailgating into the facility
     • Placing media labeled ‘confidential information’ in the cafeteria or other places
  33. Reporting model: “Organization’s awareness score was 87%” on a LOW / MEDIUM / HIGH AWARENESS scale; “Organization’s competence score was 65%” on a LOW / MEDIUM / HIGH COMPETENCE scale.
  34. HIMIS Focus
  35. 1. Differentiate between Awareness and Competence. Consider both “Awareness” and “Competence” independently: for each ESP, Assess, Improve, Re-assess, applied separately to Awareness and to Behaviour (Competence). ESP – Expected Security Practice.
  36. 2. Visualize… and influence perception
  37. 3. Scenario-based training (Make people solve challenges)
  38. Example Video (PLAY)
  39. 4. Remember drip irrigation. Which is more effective – drip irrigation or spraying a lot of water once a day? Small doses, more frequent.
  40. 5. Re-measure frequently. Organization’s awareness score was 87% – and now? (LOW / MEDIUM / HIGH AWARENESS). Organization’s competence score was 65% – and now? (LOW / MEDIUM / HIGH COMPETENCE).
  41. Summary: “A smart user in front of the computer is a good security control and is not that expensive.”
  42. Let’s switch ON the Human Layer of Information Security Defence. Thank You. http://www.isqworld.com/himis
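Slides 8, 33, 35 and 40 describe the HIMIS reporting model: awareness and competence scored independently per Expected Security Practice, banded LOW/MEDIUM/HIGH, and re-measured. The following is an added illustration of that model in Python, not code from the deck or from isqworld.com; the records, the two ESP names and the band cut-offs are constructed assumptions, since the slides give scores but no thresholds.

```python
# Added example, not code from the HIMIS deck or isqworld.com. It scores Awareness
# (what people know) and Competence (what they do) separately per Expected Security
# Practice (ESP), bands them like the reporting model and compares two measurement
# rounds. The records, ESP names and band cut-offs are constructed assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

# (ESP, answered the quiz correctly, behaved correctly when observed or tested)
Record = Tuple[str, bool, bool]
# Assumed cut-offs: the deck shows LOW/MEDIUM/HIGH bands but gives no numbers.
BANDS = ((70.0, "HIGH"), (40.0, "MEDIUM"), (0.0, "LOW"))


def band(score: float) -> str:
    """Map a percentage to the reporting model's band."""
    return next(label for cutoff, label in BANDS if score >= cutoff)


def rates(recs: List[Record]) -> Dict[str, float]:
    """Awareness, competence and 'knew the rule but failed the test' percentages."""
    n = len(recs)
    return {"awareness": round(100 * sum(q for _, q, _b in recs) / n, 1),
            "competence": round(100 * sum(b for _, _q, b in recs) / n, 1),
            "know_but_dont_do": round(100 * sum(q and not b for _, q, b in recs) / n, 1)}


def score_round(records: List[Record]) -> Dict[str, Dict[str, float]]:
    """Rates per ESP plus an 'ALL' row, as the organisation-level report shows."""
    groups: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        groups[rec[0]].append(rec)
    groups["ALL"] = list(records)
    return {esp: rates(recs) for esp, recs in groups.items()}


def compare_rounds(before: List[Record], after: List[Record]) -> Dict[str, Tuple[float, float]]:
    """Re-measurement: change in (awareness, competence) per ESP between two rounds."""
    b, a = score_round(before), score_round(after)
    return {esp: (round(a[esp]["awareness"] - b[esp]["awareness"], 1),
                  round(a[esp]["competence"] - b[esp]["competence"], 1))
            for esp in a if esp in b}


# Constructed sample, one row per (employee, ESP): quiz answers look good, observed behaviour does not.
PW, ATT = "Never share passwords", "Report suspicious attachments"
ROUND_1: List[Record] = [(PW, True, False), (PW, True, True), (PW, True, True), (PW, False, False),
                         (ATT, True, False), (ATT, True, False), (ATT, True, True), (ATT, True, False)]
# Second round after scenario-based practice: awareness unchanged, behaviour improved.
ROUND_2: List[Record] = [(PW, True, True), (PW, True, True), (PW, True, True), (PW, False, False),
                         (ATT, True, True), (ATT, True, True), (ATT, True, False), (ATT, True, True)]

if __name__ == "__main__":
    for esp, s in score_round(ROUND_1).items():
        print(esp, s, band(s["awareness"]), band(s["competence"]))
    print("change after re-measurement:", compare_rounds(ROUND_1, ROUND_2))
```

The first round reports HIGH awareness but LOW competence for the same people, which is the gap the talk says a single "awareness score" hides.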