A model for reducing information security risks due to human error
By Anup Narayanan, Founder & CEO, ISQ World

1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior” (we are here)
   II. Case study
   III. Solution model
   IV. Resources

© First Legion Consulting 2

Awareness?

Do not share passwords!

Behavior?

Don’t tell anyone, my password is…..

Shred documents before disposing

Putting it together….

Awareness: I know
Behavior: I do
Culture: We do

1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study (we are here)
   III. Solution model
   IV. Recap & Resources

Case study:

Client: One of the largest mobile service providers in the world

• What? Spent US$ 100,000 on a security awareness campaign
• How? Screen savers, posters, emailers
• Who? Target: all employees

What did we do?

Carried out “awareness vs. behavior” benchmarking and produced a scorecard.

The scorecard

(Figure: the scorecard.)

Why are my users not following the information security policy?

Root cause analysis of poor information security behavior

Reason 1: Operational issues….

Message in the poster: Don’t share passwords

Response by HR Manager: If I don’t share my password, salaries won’t get processed here…including that of the InfoSec manager.

Reason 2: Confusion ... Too many rules

Which one do I follow?

Reason 3: Perception…

Which is safer?

Reason 4: Attitude … influenced by cost…(peer pressure, top management behavior)

Nothing’s gonna happen to me if I violate the security policies?

Well, I saw her doing it …shall I?

“Awareness” & “Behavior”: Independent but interdependent

Question: A person knows the traffic rules. Does that make the person a good driver?
Answer: Not necessarily; “knowing” and “doing” are two different things.

Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner?
Answer: Same as above.

Knowing = Awareness
Doing = Behavior

1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study
   III. Solution model (we are here)
   IV. Recap & Resources

• HIMIS – Human Impact Management for Information Security
• Objective – To provide a model to reduce security risks due to human error
• Creative Commons License, free for non-commercial use
• Download – http://www.isqworld.com, click on the HIMIS link

HIMIS solution model - Work backwards

Define -> Strategize -> Deliver -> Verify -> Responsible information security behavior

Define -> Strategize -> Deliver -> Verify

Define:
• Choose ESPs (Expected Security Practices: the information security awareness and behaviour requirements) valid for the business
• Review and approval of ESPs
• Baseline ESP assessment

ESP: Information Classification

Awareness criterion:
• The employees must know the different information classification criteria: "Confidential, Internal, Public"
• The employees must know how to specify the classification, for example, in the footer of each document

Behaviour criterion:
• The employees must actually classify documents in day-to-day work. The evidence of this classification must be available.

Define -> Strategize -> Deliver -> Verify

Strategize:
• For awareness management
  – Coverage
  – Format & visibility: verbal, paper and electronic
  – Frequency
  – Quality of content
     • Impact visualization
     • Clarity & ease of understanding
     • Business relevance
     • Consideration of cultural factors
  – Retention measurement
• For behavior management
  – Motivational strategies
  – Enforcement/disciplinary strategies

Quality of content
• Impact visualization
• Clarity & ease of understanding
• Business relevance
• Consideration of cultural factors

“Wow! This security awareness video is so cool!”
“Yup! Not the usual glorified PowerPoint.”

Behavior management: What works?

“Let’s fire him.”   “Let’s cut his email access.”   “Let’s talk to him.”

Poor security behavior vs. inconvenience

(Chart: poor security behavior plotted against inconvenience.)

Poor security behavior vs. cost

(Chart: poor security behavior plotted against cost of enforcement.)

Case study 1: Changing behavior (IT Service Provider)

• What we did:
  – Quarterly “End-User Desktop Audits”
  – Findings were noted and “Signed and Agreed by Auditee”
  – Disputes were noted and “Signed”
  – Audit findings were submitted to the InfoSec Team

Case study 1: Changing behavior (Electronic Retail Store)

• Audit finding: Cash boxes are left open when unattended
• Cost attached: Branch manager will lose 25% of annual bonus for every violation
• Compliance today is above 98%

Define -> Strategize -> Deliver -> Verify

Deliver:
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt

Define -> Strategize -> Deliver -> Verify

Verify:
• Audit strategy
  – Selection of ESPs
  – Define sample size
  – Audit methods
     • For awareness: interviews, surveys, quizzes, mind-map sessions
     • For behavior: observation, data mining, log review, review of incident reports, social engineering?
  – Reasonable limitations
  – Behavior may not always be visible

HIMIS is not prescriptive and does not suggest absolutes…

• The practitioner has the freedom to quantify

• Quantifying awareness – fairly easy, for example,
  – The average score of a quiz taken by 100 users reasonably indicates an average awareness score

• Quantifying behaviour may not be possible directly and indirect methods may have to be used. For example,
  a) Number of violations found for an ESP
  b) Impact of the violation
  c) A score derived by consideration of “a” and “b” above

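To make the quantification concrete, here is an added example (not part of HIMIS or of this deck) that builds a per-ESP awareness-vs-behaviour scorecard in Python. The awareness score is the quiz average the slide describes; the behaviour score uses an assumed formula that weights the violation rate found in the audit sample by an assumed 1..5 impact rating; the ESP names, quiz results, violation counts and the tolerable-deviation threshold are constructed sample data.

```python
"""Added example: an awareness-vs-behaviour scorecard for a set of ESPs.

Awareness is quantified as the average quiz score (as the slide suggests).
Behaviour is quantified indirectly from (a) violations found in the audit
sample and (b) an impact rating; the combination formula is an assumption,
since HIMIS leaves the quantification to the practitioner.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass
class ESP:
    """One Expected Security Practice with its audit evidence."""
    name: str
    quiz_scores: List[float]  # awareness quiz results, 0..100, one per user surveyed
    violations: int           # behaviour violations found in the audit sample
    sample_size: int          # observations in the behaviour audit sample
    impact: int               # assumed impact rating, 1 (low) .. 5 (high)


def awareness_score(esp: ESP) -> float:
    """Average quiz score across surveyed users (0..100)."""
    if not esp.quiz_scores:
        return 0.0
    return round(mean(esp.quiz_scores), 1)


def behaviour_score(esp: ESP) -> float:
    """Indirect behaviour score, 0..100, where 100 means no violations observed.

    Assumed formula: the violation rate in the sample is weighted by impact/5
    and subtracted from 1, so a high-impact ESP loses more per violation.
    """
    if esp.sample_size <= 0:
        raise ValueError("audit sample size must be positive")
    rate = esp.violations / esp.sample_size
    penalty = min(rate * esp.impact / 5, 1.0)
    return round(100 * (1 - penalty), 1)


def scorecard(esps: List[ESP], tolerable_deviation: float = 10.0) -> Dict:
    """Build the scorecard: per-ESP scores, programme averages, and the ESPs
    whose 'knowing' outruns their 'doing' by more than the tolerable deviation."""
    rows = []
    for esp in esps:
        a, b = awareness_score(esp), behaviour_score(esp)
        rows.append({"esp": esp.name, "awareness": a, "behaviour": b,
                     "gap": round(a - b, 1)})
    return {
        "esps": rows,
        "avg_awareness": round(mean([r["awareness"] for r in rows]), 1),
        "avg_behaviour": round(mean([r["behaviour"] for r in rows]), 1),
        # Awareness high but behaviour low points at the root causes the deck
        # lists (operational issues, confusion, perception, attitude), not at
        # a need for more posters.
        "root_cause_review": [r["esp"] for r in rows
                              if r["gap"] > tolerable_deviation],
    }


# Constructed sample data (not from the deck).
SAMPLE_ESPS = [
    ESP("Do not share passwords", [90, 80, 100, 70], violations=6, sample_size=20, impact=5),
    ESP("Information classification", [60, 70, 80], violations=3, sample_size=30, impact=3),
    ESP("Shred documents before disposing", [50, 50], violations=10, sample_size=20, impact=2),
]

if __name__ == "__main__":
    card = scorecard(SAMPLE_ESPS)
    for row in card["esps"]:
        print(f"{row['esp']:<34} awareness={row['awareness']:5.1f} "
              f"behaviour={row['behaviour']:5.1f} gap={row['gap']:+.1f}")
    print("average awareness:", card["avg_awareness"])
    print("average behaviour:", card["avg_behaviour"])
    print("needs root cause analysis:", card["root_cause_review"])
```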
Suggested outline of the audit report
• Introduction: Motivations and reasons for the program
• List of ESPs and the reasons for the selection of each ESP
• Strategy for the program
• Delivery models
• Average awareness score (from averages of each ESP awareness score)
• Average behaviour score or text description (from analysis of the behaviour audit report), with root cause analysis for poor awareness and behaviour
• Possible threat indicators and suggested mitigations
• Recommended corrective actions

1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study
   III. Solution model
   IV. Recap & Resources (we are here)

Recap

Define -> Strategize -> Deliver -> Verify -> Responsible information security behavior

Tip! Get HR buy-in

HR manager: “People are my biggest asset!”
InfoSec manager: “People are my biggest threat!”

You must both be saying the same thing!

Conclusion

If you can influence perception, you can influence the way people choose or react (behavior).

Perception is influenced if there is a cost for an action.

If I follow the information security rules, will I gain something? If I don’t follow, will I lose something?

When you get your users to think this way, you are on your way to a better information security culture!

Resources
• Free security awareness videos – www.isqworld.com
• Bruce Schneier – The Psychology of Security – http://www.schneier.com/essay-155.pdf
• The Information Security Management Maturity Model (ISM3) – www.ism3.com

Anup Narayanan, Founder & Principal Architect
ISQ World, A First Legion Initiative
anup@isqworld.com
www.isqworld.com

Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 

Recently uploaded (20)

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 

A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai

  • 1. Shred documents before disposing. A model for reducing information security risks due to human error. By Anup Narayanan, Founder & CEO, ISQ World
  • 2. 1. Objective: Describe a workable model for reducing information security risks due to human error. 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” (we are here) II. Case study III. Solution model IV. Resources © First Legion Consulting 2
  • 3. Awareness? Do not share passwords! © First Legion Consulting 3
  • 4. Behavior? Don’t tell anyone, my password is….. © First Legion Consulting 4
  • 5. Shred documents before disposing © First Legion Consulting 5
  • 6. Putting it together…. Awareness: I know. Behavior: I do. Culture: We do. © First Legion Consulting 6
  • 7. 1. Objective: Describe a workable model for reducing information security risks due to human error. 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” II. Case study (we are here) III. Solution model IV. Recap & Resources © First Legion Consulting 7
  • 8. Case study: Client: One of the largest mobile service providers in the world • What? Spent US$ 100,000 on a security awareness campaign • How? Screen savers, posters, emailers • Who? Target: all employees © First Legion Consulting 8
  • 9. What did we do? “Awareness vs. behavior” benchmarking, and produced a scorecard © First Legion Consulting 9
  • 10. The scorecard © First Legion Consulting 10
  • 11. Why are my users not following the information security policy? Root cause analysis of poor information security behavior © First Legion Consulting 11
  • 12. Reason 1: Operational issues…. Message in the poster: “Don’t share passwords”. Response by the HR Manager: “If I don’t share my password, salaries won’t get processed…including that of the InfoSec manager.” © First Legion Consulting 12
  • 13. Reason 2: Confusion ... Too many rules Which one do I follow? © First Legion Consulting 13
  • 14. Reason 3: Perception… Which is safer? © First Legion Consulting 14
  • 15. Reason 4: Attitude… influenced by cost (peer pressure, top management behavior). “Nothing’s gonna happen to me if I violate the security policies?” “Well, I saw her doing it… shall I?” © First Legion Consulting 15
  • 16. “Awareness” & “Behavior”: Independent but interdependent. Question: A person knows the traffic rules. Does that make the person a good driver? Answer: Not necessarily; “knowing” and “doing” are two different things. Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner? Answer: Same as above. Knowing = Awareness; Doing = Behavior © First Legion Consulting 16
  • 17. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” II. Case study We are here III. Solution model IV. Recap & Resources © First Legion Consulting 17
  • 18. • HIMIS – Human Impact Management for Information Security • Objective – To provide a model to reduce security risks due to human error • Creative Commons License, free for non-commercial use • Download – http://www.isqworld.com, click on the HIMIS link © First Legion Consulting 18
  • 19. HIMIS solution model - Work backwards: Define, Strategize, Deliver, Verify → Responsible information security behavior © First Legion Consulting 19
  • 20. Define Strategize Deliver Verify • Choose ESPs (Expected Security Practices: information security awareness and behaviour requirements) valid for the business • Review and approval of ESPs • Baseline ESP assessment © First Legion Consulting 20
  • 21. ESP: Information Classification. Awareness criterion: (1) The employees must know the different information classification criteria: "Confidential, Internal, Public"; (2) The employees must know how to specify the classification, for example, in the footer of each document. Behaviour criterion: The employees must actually classify the document in day-to-day work. The evidence of this classification must be available. © First Legion Consulting 21
  • 22. Define Strategize Deliver Verify
    • For awareness management
      – Coverage
      – Format & visibility: Verbal, Paper and Electronic
      – Frequency
      – Quality of content
        • Impact visualization
        • Clarity & ease of understanding
        • Business relevance
        • Consideration of cultural factors
      – Retention measurement
    • For behavior management
      – Motivational strategies
      – Enforcement/disciplinary strategies
    © First Legion Consulting 22
  • 23. Quality of content • Impact visualization • Clarity & ease of understanding • Business relevance • Consideration of cultural factors. (Speech bubbles: “Wow! This security awareness video is so cool!” “Yup! Not the usual glorified PowerPoint.”) © First Legion Consulting 23
  • 24. Behavior management: What works? “Let’s talk to him” “Let’s cut his email access” “Let’s fire him” © First Legion Consulting 24
  • 25. Poor security behavior vs. inconvenience (chart: poor security behavior plotted against inconvenience) © First Legion Consulting 25
  • 26. Poor security behavior vs. cost (chart: poor security behavior plotted against cost of enforcement) © First Legion Consulting 26
  • 27. Case study 1: Changing behavior (IT Service Provider) • What we did: – Quarterly “End-User Desktop Audits” – Findings were noted and “Signed and Agreed by Auditee” – Disputes were noted and “Signed” – Audit findings were submitted to the InfoSec Team © First Legion Consulting 27
  • 28. Case study 1: Changing behavior (Electronic Retail Store) • Audit finding: Cash boxes are left open when unattended • Cost attached: Branch manager will lose 25% of annual bonus for every violation • Compliance today is above 98% © First Legion Consulting 28
  • 29. Define Strategize Deliver Verify • Define tolerable deviation • Efficiency • Collection of feedback • Confirmation of receipt © First Legion Consulting 29
  • 30. Define Strategize Deliver Verify
    • Audit strategy
      – Selection of ESPs
      – Define sample size
      – Audit methods
        • For awareness: Interviews, Surveys, Quizzes, Mind-map sessions
        • For behavior: Observation, data mining, Log review, Review of incident reports, Social engineering?
      – Reasonable limitations – Behavior may not always be visible
    © First Legion Consulting 30
  • 31. © First Legion Consulting 31
  • 32. HIMIS is not prescriptive and does not suggest absolutes…
    • Practitioner has the freedom to quantify
    • Quantifying awareness – Fairly easy; for example, the average score of a quiz taken by 100 users reasonably indicates an average awareness score
    • Quantifying behaviour may not be possible directly and indirect methods may have to be used. For example: a) Number of violations found for an ESP b) Impact of the violation c) A score derived by consideration of “a” and “b” above
    © First Legion Consulting 32
  • 33. Suggested outline of the audit report
    • Introduction: Motivations and reasons for the program
    • List of ESPs and the reasons for the selection of each ESP
    • Strategy for the program
    • Delivery models
    • Average awareness score (from averages of each ESP awareness score)
    • Average behaviour score or text description (from analysis of the behaviour audit report)
    • Root cause analysis for poor awareness and behaviour
    • Possible threat indicators and suggested mitigations
    • Recommended corrective actions
    © First Legion Consulting 33
  • 34. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” II. Case study III. Solution model We are here IV. Recap & Resources © First Legion Consulting 34
  • 35. Recap Responsible information Define Strategize Deliver Verify security behavior © First Legion Consulting 35
  • 36. Tip! Get HR buy-in. Two speech bubbles, “People are my biggest threat!” and “People are my biggest asset!”, from the InfoSec manager and the HR Manager: you must talk the same thing! © First Legion Consulting 36
  • 37. Conclusion: If you can influence perception, you can influence the way people choose or react (behavior). Perception is influenced if there is a cost for an action. © First Legion Consulting 37
  • 38. If I follow the information security rules, will I gain something? If I don’t follow, will I lose something? When you get your users to think this way, you are on your way to a better information security culture! © First Legion Consulting 38
  • 39. Resources • Free security awareness videos – www.isqworld.com • Bruce Schneier – The Psychology of Security - http://www.schneier.com/essay-155.pdf • The Information Security Management Maturity Model (ISM3) – www.ism3.com © First Legion Consulting 39
  • 40. Anup Narayanan, Founder & Principal Architect ISQ World, A First Legion Initiative anup@isqworld.com www.isqworld.com © First Legion Consulting 40