A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai


This talk provides a model for reducing security risks due to poor information security awareness and poor attitude. Based on my methodology HIMIS (Human Impact Management for Information Security). To know more about HIMIS, visit http://www.isqworld.com/himis

A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai

  1. A model for reducing information security risks due to human error. By Anup Narayanan, Founder & CEO, ISQ World. (Poster shown: “Shred documents before disposing”) © First Legion Consulting
  2. Objective: Describe a workable model for reducing information security risks due to human error. Talk plan (we are here: I): I. Differentiate between “Awareness” & “Behavior”; II. Case study; III. Solution model; IV. Resources
  3. Awareness? “Do not share passwords!”
  4. Behavior? “Don’t tell anyone, my password is…”
  5. “Shred documents before disposing”
  6. Putting it together: Awareness = “I know”; Behavior = “I do”; Culture = “We do”
  7. Objective: Describe a workable model for reducing information security risks due to human error. Talk plan (we are here: II): I. Differentiate between “Awareness” & “Behavior”; II. Case study; III. Solution model; IV. Recap & Resources
  8. Case study. Client: one of the largest mobile service providers in the world. • What? Spent US$ 100,000 on a security awareness campaign • How? Screen savers, posters, emailers • Who? Target: all employees
  9. What did we do? “Awareness vs. behavior” benchmarking, and produced a scorecard
  10. The scorecard (chart)
  11. Why are my users not following the information security policy? Root cause analysis of poor information security behavior
  12. Reason 1: Operational issues. Message in the poster: “Don’t share passwords”. Response by the HR manager: “If I don’t share my password, salaries won’t get processed… including that of the InfoSec manager.”
  13. Reason 2: Confusion. Too many rules: which one do I follow?
  14. Reason 3: Perception. Which is safer?
  15. Reason 4: Attitude, influenced by cost (peer pressure, top management behavior). “Nothing’s gonna happen to me if I violate the security policies?” “Well, I saw her doing it… shall I?”
  16. “Awareness” & “Behavior”: independent but interdependent. Question: A person knows the traffic rules. Does that make the person a good driver? Answer: Not necessarily; “knowing” and “doing” are two different things. Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner? Answer: Same as above. Knowing = Awareness; Doing = Behavior
  17. Objective: Describe a workable model for reducing information security risks due to human error. Talk plan (we are here: III): I. Differentiate between “Awareness” & “Behavior”; II. Case study; III. Solution model; IV. Recap & Resources
  18. • HIMIS: Human Impact Management for Information Security • Objective: to provide a model to reduce security risks due to human error • Creative Commons license, free for non-commercial use • Download: http://www.isqworld.com, click on the HIMIS link
  19. HIMIS solution model, working backwards from the goal of responsible information security behavior: Define → Strategize → Deliver → Verify
  20. Define (of Define, Strategize, Deliver, Verify): • Choose ESPs (Expected Security Practices: information security awareness and behaviour requirements) valid for the business • Review and approval of ESPs • Baseline ESP assessment
  21. ESP: Information Classification. Awareness criterion: the employees must know the different information classification criterion: “Confidential, Internal, Public”. Behaviour criterion: the employees must know how to specify the classification, for example, in the footer of each document; the employees must actually classify the document in day-to-day work, and the evidence of this classification must be available.
  22. Strategize (of Define, Strategize, Deliver, Verify): • For awareness management: coverage; format & visibility (verbal, paper and electronic); frequency; quality of content (impact visualization, clarity & ease of understanding, business relevance, consideration of cultural factors); retention measurement • For behavior management: motivational strategies; enforcement/disciplinary strategies
  23. Quality of content: • Impact visualization • Clarity & ease of understanding • Business relevance • Consideration of cultural factors. (Speech bubbles: “Yup! Not the usual glorified PowerPoint”; “Wow! This security awareness video is so cool!”)
  24. Behavior management: what works? (Options shown: “Let’s cut his email access”, “Let’s talk to him”, “Let’s fire him”)
  25. Poor security behavior vs. inconvenience (chart: poor security behavior plotted against inconvenience)
  26. Poor security behavior vs. cost (chart: poor security behavior plotted against cost of enforcement)
  27. Case study 1: Changing behavior (IT service provider). What we did: • Quarterly “end-user desktop audits” • Findings were noted and “signed and agreed by auditee” • Disputes were noted and “signed” • Audit findings were submitted to the InfoSec team
  28. Case study 1: Changing behavior (electronic retail store). • Audit finding: cash boxes are left open when unattended • Cost attached: the branch manager will lose 25% of the annual bonus for every violation • Compliance today is above 98%
  29. Deliver (of Define, Strategize, Deliver, Verify): • Define tolerable deviation • Efficiency • Collection of feedback • Confirmation of receipt
  30. Verify (of Define, Strategize, Deliver, Verify): • Audit strategy: selection of ESPs; define sample size; audit methods (for awareness: interviews, surveys, quizzes, mind-map sessions; for behavior: observation, data mining, log review, review of incident reports, social engineering?); reasonable limitations: behavior may not always be visible
  31. (Image-only slide)
  32. HIMIS is not prescriptive and does not suggest absolutes. • The practitioner has the freedom to quantify • Quantifying awareness is fairly easy: for example, the average score of a quiz taken by 100 users reasonably indicates an average awareness score • Quantifying behaviour may not be possible directly, and indirect methods may have to be used, for example: a) number of violations found for an ESP; b) impact of the violation; c) a score derived by consideration of “a” and “b” above
  33. Suggested outline of the audit report: • Introduction: motivations and reasons for the program • List of ESPs and the reasons for the selection of each ESP • Strategy for the program • Delivery models • Average awareness score (from the averages of each ESP awareness score) • Average behaviour score or text description (from analysis of the behaviour audit report) • Root cause analysis for poor awareness and behaviour • Possible threat indicators and suggested mitigations • Recommended corrective actions
  34. Objective: Describe a workable model for reducing information security risks due to human error. Talk plan (we are here: IV): I. Differentiate between “Awareness” & “Behavior”; II. Case study; III. Solution model; IV. Recap & Resources
  35. Recap: Define → Strategize → Deliver → Verify, towards responsible information security behavior
  36. Tip! Get HR buy-in. The HR manager and the InfoSec manager hold opposite views (“People are my biggest asset!” vs. “People are my biggest threat!”): you must talk the same thing!
  37. Conclusion: If you can influence perception, you can influence the way people choose or react (behavior). Perception is influenced if there is a cost for an action.
  38. “If I follow the information security rules, will I gain something? If I don’t follow, will I lose something?” When you get your users to think this way, you are on your way to a better information security culture!
  39. Resources: • Free security awareness videos: www.isqworld.com • Bruce Schneier, The Psychology of Security: http://www.schneier.com/essay-155.pdf • The Information Security Management Maturity Model (ISM3): www.ism3.com
  40. Anup Narayanan, Founder & Principal Architect, ISQ World, A First Legion Initiative. anup@isqworld.com, www.isqworld.com
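The awareness-vs-behaviour scorecard that slides 10, 29, 32 and 33 describe, as an added Python example that is not part of the HIMIS slides or ISQ World's material: per ESP, awareness is the average quiz score, behaviour is derived indirectly from the violations found and their impact, and any ESP whose "doing" lags its "knowing" by more than the tolerable deviation is flagged for root cause analysis. The impact weights, the behaviour formula, the tolerable deviation and the sample data are assumptions; HIMIS leaves the quantification to the practitioner.

```python
"""Added example (not from the HIMIS slides): per-ESP awareness vs behaviour scorecard."""
from dataclasses import dataclass, field
from statistics import mean

# Assumed weights for finding b) "impact of the violation" on slide 32.
IMPACT_WEIGHT = {"low": 1, "medium": 2, "high": 4}


@dataclass
class EspResult:
    name: str
    quiz_scores: list            # awareness: per-user quiz scores, 0-100
    sample_size: int             # behaviour: users/desktops covered by the audit
    violations: list = field(default_factory=list)  # impact label per violation found


def awareness_score(esp: EspResult) -> float:
    """Slide 32: the average quiz score reasonably indicates awareness."""
    return round(mean(esp.quiz_scores), 1) if esp.quiz_scores else 0.0


def behaviour_score(esp: EspResult) -> float:
    """Assumed indirect measure (finding c): start at 100 and subtract the
    impact-weighted violations per audited sample, floored at 0."""
    if esp.sample_size <= 0:
        raise ValueError("behaviour audit needs a sample size (slide 30)")
    penalty = sum(IMPACT_WEIGHT[v] for v in esp.violations) / esp.sample_size * 100
    return round(max(0.0, 100 - penalty), 1)


def scorecard(results: list, tolerable_deviation: float = 15.0) -> list:
    """One row per ESP; flag it when doing lags knowing by more than the
    tolerable deviation defined in the Deliver phase (slide 29)."""
    rows = []
    for esp in results:
        a, b = awareness_score(esp), behaviour_score(esp)
        rows.append({"esp": esp.name, "awareness": a, "behaviour": b,
                     "gap": round(a - b, 1),
                     "root_cause_review": (a - b) > tolerable_deviation})
    return rows


# Constructed sample data: two ESPs from the talk, with made-up audit results.
SAMPLE = [
    EspResult("Do not share passwords", [90, 85, 95, 80], sample_size=20,
              violations=["high", "high", "medium"]),
    EspResult("Information classification", [70, 60, 80], sample_size=10,
              violations=["low"]),
]

if __name__ == "__main__":
    for row in scorecard(SAMPLE):
        print(row)
```

The first ESP scores 87.5 on awareness but 50.0 on behaviour, so it is flagged: users know the rule but do not follow it, which is exactly the gap slides 11 to 15 send to root cause analysis.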
