A model for reducing information security risks due to human error

  1. “We are not just security aware, but security competent as well.” A model for reducing security risks due to human error. Anup Narayanan, CISA, CISSP, Founder & CEO, ISQ
  2. Focus of the talk. Cartoon: an employee whispers “Don't tell anyone, my password is…”, next to a Security Policy that says “Never share passwords”. Addressing the human factor using security “awareness” and “competence” management. (C) ISQ. All Rights Reserved
  3. The difference between “Awareness” and “Behaviour (Competence)”: I know the traffic rules…
  4. …does it guarantee that I am a good driver?
  5. Awareness >> Behaviour (Competence) >> Culture. Awareness: “I know”. Behaviour (Competence): “I do”. Culture: “We know and do”. An organization must aim for a responsible security culture.
  6. The problem (mistakes that organizations are making): “I have an amazing security awareness program, but people still make security mistakes!” The focus is only on awareness, not on behaviour (competence) and culture.
  7. What do organizations need? A system that periodically shows the current awareness and competence levels. Example dashboard: the organization's awareness score is 87% on a LOW / MEDIUM / HIGH awareness scale; the organization's competence score is 65% on a LOW / MEDIUM / HIGH competence scale.
  8. The power of perception: why do people make security mistakes?
  9. Imagine… Nelson Mandela walks into this room right now and offers you this glass of water. Will you accept it?
  10. Now, imagine this… This man (pictured) walks into this room right now and offers you this glass of water. Will you accept it?
  11. Question: which water did you accept? Why?
  12. Analysis: were you checking the water or the person serving the water? People decide what is good and what is bad based on “trust”. Perception is influenced by trust.
  13. Why must we address the human factor? (Or: is the human factor worth addressing?)
  14. Reason 1: Security is both a “reality” and a “feeling”. For security practitioners, security is a “reality” based on the mathematical probability of risks. For the end user (the common man), security is a feeling. Influencing the feeling of security (what is safe and what is not safe while handling information) makes a user take the right security decisions and apply them. 8/8/2012
  15. Reason 2: Not every attack(er) is that smart. People exaggerate risks that are spectacular or uncommon: “So what? RSA was hacked.” Chart: risk severity / attacker smartness / attack efficiency on the vertical axis against control efficiency on the horizontal axis, with four tiers: (1) Automatic security controls: AV, updates; (2) Technology + Human: firewall configuration, choosing a secure Wi-Fi; (3) Human: recognizing phishing mails, not posting business information on social media; (4) The very smart attacker: a zero-day attack. Two labels group the tiers: “Technology & Processes” and “Awareness & Competence”.
  16. Reason 3: How much of a trade-off are we willing to make? The best way to stop people from making information security mistakes is to deny them access to information. Are you willing to make that trade-off? Security awareness and competence management is a trade-off that is affordable and effective.
  17. Reason 4: The human factor is important… Aircraft have become more advanced, but does that mean pilot training requirements have been reduced? Cars have become more advanced, but does that mean driving tests have become easier? Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
  18. The solution model: Security Awareness and Competence Management
  19. The solution is based on HIMIS
     • HIMIS: Human Impact Management for Information Security
     • Released under a Creative Commons licence
     • Free for non-commercial use
     http://www.isqworld.com/himis
  20. The HIMIS cycle. Input: a security risk analysis identifies the human factor and produces Expected Security Practices (ESP), each with an Awareness component and a Behaviour (Competence) component; the loop is Assess, Improve, Re-assess. Four phases: Define: identify the information security awareness and competence needs of the business. Strategize: create the strategy for awareness and competence management. Deliver: execute the awareness plan. Verify: check the change in awareness and competence; improve.
  21. Strategy: use ESP (Expected Security Practices). Each ESP has an awareness component and a competence component:
     ESP                        | Awareness component                                          | Competence component
     Information Classification | Information classification criterion; classification labels | Demonstrates correct classification
     Incident reporting         | Types of incidents; incident reporting procedures/channels   | Detects and reports a simulated incident
  22. Phase 1 - Define: identify the information security awareness and competence needs of the business. (Cycle: Define >> Strategize >> Deliver >> Verify.)
  23. Case study: client profile
     • Type of industry: Retail
     • Number of employees: 5000+
     • Position: market leader
     • Type of information handled: customer data, intellectual property
     • Spending on information security awareness: US$ 75,000
  24. Awareness vs. Behaviour
     • Awareness (what staff knew): sharing company/customer information is wrong; sensitive information must be protected; access control cards must be protected
     • Competence/Behaviour (what actually happened): customer records were leaked to a competitor; the salary information of a top executive was given to a head hunter; printouts were lying unattended; visitors could enter the facility without informing the security guard
  25. Problem analysis: visibility and clarity. When you have too many rules, it gets complicated. Visibility: the degree to which one can see. Clarity: free from obscurity and easy to understand.
  26. “Don't share passwords.” Which password? Network, desktop, ERP…?
  27. Output of Phase 1. The organization's awareness score is 87% (LOW / MEDIUM / HIGH awareness scale); the organization's competence score is 65% (LOW / MEDIUM / HIGH competence scale).
  28. Detailed scorecard. [Bar chart: awareness score and competence score per ESP, scale 0 to 100, for seven ESPs: Clear Policies, Email Security, Info Disclosure, Password Security, Physical Security, Incident Reporting, Social Networking/Blogging.]
  29. Audit strategies - Awareness
     • For auditing the information security awareness component of the ESP:
       – Interviews
       – Surveys
       – Quizzes
       – Mind-map sessions
  30. Audit strategies - Behaviour
     • For auditing competence:
       – Social engineering
       – Observations: observe for tailgating; observe how many meeting rooms still have sensitive information on the board after the meeting
       – Log review: browsing and email patterns can be observed through log reviews of the corresponding systems
       – Data mining: mine internet search engines to see how much sensitive information about the company is available online
       – Incident report review: a review of incident reports may show how many laptops were lost, and further investigation may reveal whether the cause was carelessness (poor behaviour) or not (maybe the user was physically attacked)
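The log-review strategy on slide 30 can be made concrete as a small script. The following is an added example, not material from the talk or from HIMIS: it scans constructed web-proxy log lines for downloads that break the kind of rules used in the IT-business case study (slide 42), separates completed downloads from attempts the proxy blocked, and reports the share of audited users who broke a rule. The log format, the hostnames, the file-extension lists and the rule names are all assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed proxy log format (not a real product's format):
# "<ISO timestamp> <user> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Assumed file types behind the "no videos, music, freeware" rule.
MEDIA_EXT = (".mp3", ".mp4", ".avi", ".mkv", ".flac")
FREEWARE_EXT = (".exe", ".msi", ".dmg")

# One Expected Security Practice per entry; each predicate sees a parsed record.
RULES = {
    "no_media_downloads": lambda rec: rec["path"].endswith(MEDIA_EXT),
    "no_freeware_downloads": lambda rec: rec["path"].endswith(FREEWARE_EXT),
}


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["path"] = urlsplit(rec["url"]).path.lower()
    return rec


def broken_rules(rec):
    """Names of the rules a single request breaks (or would break if it succeeded)."""
    return [name for name, pred in RULES.items() if pred(rec)]


def audit(lines):
    """Roll log lines up into the evidence a competence audit needs.

    A 2xx response means the download completed: the person broke the rule.
    Any other status on a rule-breaking URL is an attempt the proxy denied:
    the technology control held, but the attempt still signals weak awareness.
    """
    users = set()
    violations = defaultdict(list)  # user -> [(rule, url)] completed downloads
    blocked = defaultdict(list)     # user -> [(rule, url)] denied attempts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        users.add(rec["user"])
        for rule in broken_rules(rec):
            bucket = violations if 200 <= rec["status"] < 300 else blocked
            bucket[rec["user"]].append((rule, rec["url"]))
    non_compliant = sorted(violations)
    pct = 100.0 * len(non_compliant) / len(users) if users else 0.0
    return {
        "users_audited": len(users),
        "non_compliant_users": non_compliant,
        "non_compliance_pct": round(pct, 1),
        "blocked_attempts": {u: len(v) for u, v in blocked.items()},
        "violations": dict(violations),
    }


# Constructed sample log (not real traffic). bob's download was blocked by the
# proxy; alice and dave completed theirs; the last line is deliberately malformed.
SAMPLE_LOG = """\
2012-08-01T09:12:03 alice GET http://cdn.example.test/tracks/song.mp3 200 4812233
2012-08-01T09:15:41 bob GET http://dl.example.test/tools/setup.exe 403 0
2012-08-01T09:20:10 carol GET http://intranet.example.test/policies/email.html 200 18342
2012-08-01T10:02:55 dave GET http://video.example.test/clips/demo.mp4 200 93321100
2012-08-01T10:04:12 dave GET http://dl.example.test/player/install.msi 200 2210004
2012-08-01T10:30:00 erin POST http://erp.example.test/login 302 0
this line is not in the expected format
"""

if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    print(f"{report['users_audited']} users audited, "
          f"{report['non_compliance_pct']}% non-compliant: {report['non_compliant_users']}")
    for user, hits in report["violations"].items():
        for rule, url in hits:
            print(f"  {user}: {rule} <- {url}")
    print("blocked attempts (control held):", report["blocked_attempts"])
```

Keeping blocked attempts apart from completed downloads matters for the awareness/competence distinction: a 403 from the proxy means the technology control (tiers 1 and 2 on slide 15) held, while a 200 means the person was the last line of defence and did not hold. Only the latter counts as non-compliance in the figure an audit like slide 44 would track; the former is still a useful signal of where awareness is weak.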
  31. Phase 2 - Strategize: create the strategy for awareness and competence management. (Cycle: Define >> Strategize >> Deliver >> Verify.)
  32. Quality of content - Impact visualization. Show the impact of poor security awareness and competence to the “non-information security” professional.
  33. Quality of content - Business relevance. Cartoon: “Oops! My business is held responsible if I install pirated software on my PC?” Show the impact of poor security awareness and competence to the “non-information security” professional.
  34. Quality of content - Clarity and ease. Cartoon: “So… the email security policy is 6 pages long.” versus “Email security: 5 quick tips. Wow, that's cool!” Keep it very simple.
  35. Quality of content - Cultural factors. Cartoon captions: “Sorry, that information is classified.” “Let me explain the basics of password security.” Consider the language or terms used, colour and design, and character representation.
  36. Retention measurement. Cartoon: “Well… my emails have disappeared. Which number do I call?”
     • How much have they understood?
     • How long do they remember?
       – Immediately
       – 30 days later
       – 60 days later
  37. Coverage
     • Identify the target workforce
     • Tolerable deviation: what percentage of the workforce must receive the training
     • Set realistic expectations
     • E.g. refer to the visibility meter
  38. Format and visibility
     • Format: the different types of information security awareness content
     • Visibility: the channels through which the content is delivered
     Format     | Visibility
     Verbal     | Live training sessions, video conferences
     Electronic | Email, intranet, posters, social media
     Paper      | Posters, cards, quizzes or surveys
  39. Frequency
     • The gap between two awareness deliveries
     • Critical: the gap should be minimal
     Which is more effective: drip irrigation, or spraying a lot of water once a day?
  40. Competence management / behaviour change: a case study
  41. Creating the right environment: motivational strategies and disciplinary strategies
  42. Case study: IT business
     • Company
       – Offshore development, 3 centres in India
       – Young workforce: majority between 22 and 27
     • Security rules
       – Don't forward emails with unofficial attachments
       – No downloads of videos, music, freeware
       – No storage of personal content on official systems
  43. Case study: IT business
     • What we did
       – Quarterly “End-User Desktop Audits”
       – Findings were immediately “signed and agreed by the auditee”
       – Disputes were noted and “signed”
       – Audit findings were submitted to the InfoSec team
  44. Case study: IT business - the result. [Chart: % of non-compliance over successive audits, scale 0 to 90; the final point is marked “?”.]
  45. Learning
  46. Security trade-off vs. inconvenience. [Chart: security trade-off against personal inconvenience.]
  47. Security trade-off vs. cost. [Chart: security trade-off against cost (enforcement); the cost to the individual is quality of life, career, money, time.]
  48. Phase 3 - Deliver: execute the plan. (Cycle: Define >> Strategize >> Deliver >> Verify.)
  49. Define tolerable deviation
     • It is almost impossible to get 100% participation
     • Define a number that is reasonable
       – 80% participation in the first 6 months
       – 85% in the next 6
  50. Efficiency
     • Efficiency of the channels in delivering the program
       – Emails must reach the target workforce, not go to SPAM
       – Videos must stream at an optimum speed
       – Training sessions: the trainer must be knowledgeable, able to articulate the topics well, use tools and examples, and encourage discussion
  51. Collection of feedback (not to be confused with “retention measurement”)
     1. The clarity of the content in conveying the intended message
     2. The business relevance of the content
     3. Impact visualization
     4. The quality of the trainer or the efficiency of the delivery channel
     5. Other factors
  52. Phase 4 - Verify: check the change in awareness and competence; improve. (Cycle: Define >> Strategize >> Deliver >> Verify.)
  53-54. Audit strategies - Awareness and Behaviour: the same audit strategies as in slides 29 and 30 (interviews, surveys, quizzes and mind-map sessions for awareness; social engineering, observations, log review, data mining and incident report review for competence) are applied again to measure the change.
  55. Output of the Verify phase. The organization's awareness score was 87%; now? The organization's competence score was 65%; now? (Same LOW / MEDIUM / HIGH scales as in the Phase 1 output.)
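The dashboard figures on slides 7, 27, 28 and 55 imply a scoring model: each ESP is scored on its awareness component and its competence component, the per-ESP scores roll up into the organization-level figures, and the Verify phase repeats the measurement to show the change. The following is an added example of such a model, not code from the talk or from HIMIS; the ESP names, the sample evidence, the band thresholds and the 25-point gap threshold are assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed bands behind the LOW / MEDIUM / HIGH labels on the dashboard slides.
BANDS = ((75.0, "HIGH"), (50.0, "MEDIUM"), (0.0, "LOW"))


def band(score):
    """Map a 0-100 score to the dashboard label."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "LOW"


def pct(items):
    """Percentage of True items, one decimal; an ESP with no evidence scores 0."""
    return round(100.0 * sum(items) / len(items), 1) if items else 0.0


@dataclass
class EspResult:
    """Assessment evidence for one Expected Security Practice."""
    name: str
    awareness_items: list   # one bool per quiz/survey/interview item: answered correctly?
    competence_items: list  # one bool per observed behaviour or simulated incident: practice followed?


def scorecard(results):
    """Per-ESP and organization-level awareness and competence scores with bands."""
    per_esp = {r.name: {"awareness": pct(r.awareness_items),
                        "competence": pct(r.competence_items)} for r in results}
    n = len(per_esp)
    awareness = round(sum(v["awareness"] for v in per_esp.values()) / n, 1) if n else 0.0
    competence = round(sum(v["competence"] for v in per_esp.values()) / n, 1) if n else 0.0
    return {"per_esp": per_esp,
            "awareness": awareness, "awareness_band": band(awareness),
            "competence": competence, "competence_band": band(competence)}


def knowing_doing_gap(card, threshold=25.0):
    """ESPs where people know the rule but measurably do not follow it."""
    return [name for name, v in card["per_esp"].items()
            if v["awareness"] - v["competence"] >= threshold]


def compare(baseline, reassessment):
    """Change from the Define-phase baseline to the Verify-phase re-assessment."""
    per_esp = {}
    for name, after in reassessment["per_esp"].items():
        before = baseline["per_esp"].get(name, {"awareness": 0.0, "competence": 0.0})
        per_esp[name] = {k: round(after[k] - before[k], 1) for k in ("awareness", "competence")}
    org = {k: round(reassessment[k] - baseline[k], 1) for k in ("awareness", "competence")}
    return {"per_esp": per_esp, "organisation": org}


T, F = True, False
# Constructed sample evidence (not real client data).
DEFINE_PHASE = [
    EspResult("Password Security",  [T, T, T, T, F], [T, F, F, F]),
    EspResult("Incident Reporting", [T, T, F, F],    [T, T, F]),
    EspResult("Physical Security",  [T, T, T, T],    [T, T, T, F, F]),
]
VERIFY_PHASE = [
    EspResult("Password Security",  [T, T, T, T, T], [T, T, T, F]),
    EspResult("Incident Reporting", [T, T, T, F],    [T, T, T]),
    EspResult("Physical Security",  [T, T, T, T],    [T, T, T, T, F]),
]

if __name__ == "__main__":
    base, after = scorecard(DEFINE_PHASE), scorecard(VERIFY_PHASE)
    for label, card in (("Define", base), ("Verify", after)):
        print(f"{label}: awareness {card['awareness']}% ({card['awareness_band']}), "
              f"competence {card['competence']}% ({card['competence_band']}), "
              f"knowing-doing gap in {knowing_doing_gap(card)}")
    print("change:", compare(base, after)["organisation"])
```

The knowing_doing_gap check is the piece that catches the problem stated on slide 6: an ESP can score HIGH on awareness and still sit at LOW competence, and the organization-level averages hide it. In the constructed data Password Security is flagged in both phases, which is exactly the ESP the next Strategize pass should target.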
  56. Summary. [Diagram: Information at the centre, surrounded by People, Process and Technology (e.g. a firewall).] Technology and processes are only as good as the people that use them.
  57. Free resources
     • Free security awareness video: http://isqworld.com/security-awareness-training-samples
     • The Psychology of Security, Bruce Schneier: http://www.schneier.com/essay-155.html
  58. Let's switch ON the Human Layer of Information Security Defence. Thank you. Anup Narayanan @ CoCon 2012, Trivandrum, Kerala