Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India

Creating a RESPONSIBLE Information Security Culture
Presented by Anup Narayanan, First Legion Consulting

(Diagram: Information and Employees)
What is the problem?
Poor Information Security Awareness and Behavior impact the business

Most problems are a cultural issue:

• The new generation of employees talk about business on Facebook and Orkut, or store business information on mobile devices
• Many make mistakes while sharing information through email, phone, printing, or even while traveling

(Diagram: Business Information, split into Client/Customer data, Regulatory data, Financial data and Employee data)
If you are interested in financial data!

• Average annual loss due to computer crimes shot up to $350,424 per company in 2007, from $168,000 in 2006*
• Insider abuse of network access or e-mail is the No. 1 threat*
• Note: the numbers are debatable, but what matters is that "money" is involved, and hence it matters

*Source: Computer Security Institute Survey
Principal focus: "Awareness" is not "Behavior"

• Awareness: Everyone knows traffic rules
• Behavior: Few follow them
• Reason:
  • Culture
  • Quality of enforcement

(C) First Legion Consulting. All Rights Reserved   12/29/2008
Definitions: Awareness, Behavior & Culture

• Awareness: Knowledge or understanding of an object, idea or thought
• Behavior: The action or reaction of a person under specific circumstances
• Culture: "The attitudes and BEHAVIOR that are characteristic of a particular social group or organization"
To change behavior???

"All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated."
What is the challenge?
The Challenge

• Stage 1: I don't know. "I don't know about password security" (No awareness)
• Stage 2: I know but I don't do. "I know about password security" (Awareness)
• Stage 3: I know and I do. "I practice password security" (Awareness and Behavior)
Focus on the "3rd" angle of Information Security - PEOPLE

Technology and processes are only as good as the people who use them.

(Diagram: Technology (Firewall), Process (ISO 27001), People??)
Case Study: Why focusing only on "awareness" does not produce results
Analysis of an Information Security "Awareness" Project

• Client name: withheld
• Type of industry: Retail
• No. of employees: 5000+
• Position: Market Leader
• Type of information handled: Customer data, Intellectual Property
• Spending on Information Security Awareness: USD 100,000
Spending Vs. Returns

Awareness that was spread:
• Sharing of company/customer information is wrong
• Sensitive information must be protected
• Access control cards must be protected
• More...

Behavior created (what we found):
• Customer records were leaked to a competitor
• Salary information of a top executive was given to a head hunter (job recruiting firm)
• Printouts lying unattended
• Visitors can enter the facility without informing the security guard
• More...
What was the problem?

• Problem 1: Poor "Visibility" & "Clarity"
• Problem 2: Poor "Enforcement"
Problem 1: Poor Visibility & Clarity

• An organization has many "rules" and "regulations"
• Where is the "information security rule"?
• The workforce is confused!!
Example: What are the employees saying?

Message in the campaign: "Don't share passwords"

Employee reaction (3 employees):
• Which password? Desktop, Sales ERP, document passwords?
• I am stuck in a traffic jam and have to update my sales calls by 6 p.m. Tell me what I should do?
• I am sorry, but I didn't know that there was a policy like this
Message in the campaign: "Protect Sensitive Information"

Employee reaction:
• To me all information is sensitive
• Does this mean that I cannot share it even with my colleagues?
• How do I protect it?
More reactions!

• "It takes 48-96 hours to get a password reset – What should I do, not do my work?"
• "I get these annoying 'Security Screen Savers' every 90 seconds. Why so much overkill!!"
• "We have 100 new employees every month, whereas the security training is once in 6 months. How will you handle these 'unaware' employees?"
Root cause analysis

• Poor visibility: 50% of the workforce are off-role employees; they don't have an email ID and so were not covered by the campaign
• Poor clarity. Examples:
  • "See something suspicious – Report it"
  • "Don't share passwords"
  • "You have zero privacy anyways – Get over it"
• Poor business relevance:
  • Generic
  • Not business specific
• Poor enforcement
Problem 2: Poor Enforcement

Migration from Awareness ("I know, but I don't do") to Behavior ("I know and I do") is determined by ENFORCEMENT.
Remember!!

• The poster near the water cooler is great for the first 2 weeks
• Then it BLENDS into the environment
Solution model

Methodology → Content (Awareness) → Enforcement
First, Methodology

(Diagram: layered model with Methodology at the base, Content above it, Enforcement on top)
Methodology: HIMIS

• HIMIS (Human Impact Management for Information Security)™, by First Legion
• Creative Commons License, free for non-commercial use
• Download from www.himis.org; created and owned by First Legion
What can you do with HIMIS?

1. Assess the current level of Information Security Awareness and Behavior
2. Understand the business impact
3. Define "Desirable Information Security Behavior" for each function group (HR, R&D, Finance etc.)
4. Define "Enforcement Strategies"
5. Create a roadmap, measure and monitor
HIMIS: Notes

• DNV (Det Norske Veritas), a leading "Safety Risk Management Company", has created an "Independent Assessment Model" for HIMIS
• HIMIS is the first "Information Security Behavior" methodology to achieve this
• Vodafone India is the first organization to undergo the verification assessment through DNV
Next, Content

(Diagram: layered model with Methodology at the base, Content in the middle, Tool on top)
Importance of Content

Content is a key propellant for creating good Information Security awareness.
Qualities of a good Information Security Awareness Campaign

Defined by HIMIS. The campaign must have:
• Reach
• Visibility

Content must have the following qualities:
1. Business relevance: not generic but specific
2. Impact visualization: show what can go wrong
3. Consider cultural factors: consider the characteristics of the population
4. Clarity & ease of understanding: keep it simple; less jargon
People are busy!

"I can't attend the information security training"
• I have a meeting
• I am traveling on business
• I have to prepare a report
• I will be on vacation
Fact: Inputs to designing a good security awareness campaign

(Diagram: questions feeding into the Security Awareness Campaign)
• Who am I talking to?
• What's my workforce?
• What information do they access?
• Is the impact visualized clearly?
• How clear is my language?
Next, Enforcement

(Diagram: layered model with Methodology at the base, Content above it, Enforcement on top)
Remember!

Migration from Awareness ("I know, but I don't do") to Behavior ("I know and I do") is determined by ENFORCEMENT.
Solution Model

Create two teams:
• The Core Information Security Management Team
• A team of Information Security Champions

Tasks:
• The Core Information Security Management Team will create the "Enforcement Strategies"
• The Information Security Champions will assess the awareness and behavior levels, create awareness and provide feedback
• The Core Information Security Management Team will enforce awareness strategies based on the feedback
The Solution: Steps of Execution

• Step 1 – Core team defines the Enforcement Strategies
• Step 2 – Create a team of "Information Security Champions"
  • The champions will be trained on Information Security Awareness and Behavior Management
  • The champions will be given tools to analyze and record awareness and behavior levels
• Step 3 – Support the champions with "Information Security Awareness Content"
  • The champions will be given a set of content to be distributed to their target group
  • The content will be created after taking inputs from the champions
• Step 4 – The champions provide feedback to the core team for enacting enforcement strategies
What is the benefit of this model?

1. Information security enters a micro level (functional level) rather than staying at a superficial top level
2. Information security awareness is tailor-made for each functional level
   • E.g. a champion from the Finance team will focus on protecting financial data
   • E.g. a champion from the HR team will focus on protecting the privacy of employee records
3. Business relevance – the champions will give inputs for creating information security awareness content
What is the benefit of this model? (Contd.)

4. The champions will be assigned targets that will be monitored and measured
5. You gain an internal capability to manage information security awareness rather than depending on an external consultant
Case Study: The importance of Enforcement & how it produces results
Case Study 1: IT Business

Company:
• Offshore development, 3 centers in India
• Young workforce: majority between 22-27

Security rules:
• Don't forward emails with unofficial attachments
• No downloads of videos, music, freeware
• No storage of personal content on official systems
Case Study 1: IT Business

What we did:
• Quarterly "End-User Desktop Audits"
• Findings were immediately "Signed and Agreed by Auditee"
• Disputes were noted and "Signed"
• Audit findings were submitted to the InfoSec Team
The key: Repetition and Consistency
Remember!!

Whatever "Enforcement Strategy" you may decide, the key is "Repetition and Consistency".
Time and resource requirements

• A roadmap of 3 years
• A team of InfoSec Champions for year 1 targeting approximately 5% - 10% of the total workforce (one champion per 50-100 users)
• Average effort of 18 man-hours per champion per year:
  • 6 hours in quarter 1
  • 4 hours each in the remaining 3 quarters
Additional notes

• The solution model is ISO 27001 aligned
• The targets that this solution will achieve will help in complying with "Human Resources Security" (Domain A.8 of ISO 27001:2005)
Closing notes: To change behavior

"All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated."
Presented by

Anup Narayanan, CISA, CISSP
Founder & Sr. Consultant
anup@firstlegion.net
www.firstlegion.net

More Related Content

What's hot

Knowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISAKnowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISA
Dee Moone
 
Making Informed Decision
Making Informed DecisionMaking Informed Decision
Making Informed Decision
euweben01
 
Mir3 Singlewire STUGGE Presentation
Mir3 Singlewire STUGGE PresentationMir3 Singlewire STUGGE Presentation
Mir3 Singlewire STUGGE Presentation
Singlewire Software
 

What's hot (16)

Cutting Through the Clutter: Successful Messaging in an Age of Information Ov...
Cutting Through the Clutter: Successful Messaging in an Age of Information Ov...Cutting Through the Clutter: Successful Messaging in an Age of Information Ov...
Cutting Through the Clutter: Successful Messaging in an Age of Information Ov...
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Designing intelligent social systems 121205
Designing intelligent social systems 121205Designing intelligent social systems 121205
Designing intelligent social systems 121205
 
Pulse Lab Jakarta Launch Presentation
Pulse Lab Jakarta Launch PresentationPulse Lab Jakarta Launch Presentation
Pulse Lab Jakarta Launch Presentation
 
Event Processing Overview
Event Processing OverviewEvent Processing Overview
Event Processing Overview
 
Bank of America Digital Wellbeing Presentation
Bank of America Digital Wellbeing Presentation Bank of America Digital Wellbeing Presentation
Bank of America Digital Wellbeing Presentation
 
Preparing for the Unexpected with The Town of East Haddam, CT
Preparing for the Unexpected with The Town of East Haddam, CTPreparing for the Unexpected with The Town of East Haddam, CT
Preparing for the Unexpected with The Town of East Haddam, CT
 
How to Avoid Anxiety During Emergency Incidents
How to Avoid Anxiety During Emergency IncidentsHow to Avoid Anxiety During Emergency Incidents
How to Avoid Anxiety During Emergency Incidents
 
Knowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISAKnowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISA
 
Dragonsden 2012
Dragonsden 2012Dragonsden 2012
Dragonsden 2012
 
Valuendo cyberwar and security (okt 2011) handout
Valuendo cyberwar and security (okt 2011) handoutValuendo cyberwar and security (okt 2011) handout
Valuendo cyberwar and security (okt 2011) handout
 
DLFAN
DLFANDLFAN
DLFAN
 
Making Informed Decision
Making Informed DecisionMaking Informed Decision
Making Informed Decision
 
RBS on Innovation
RBS on InnovationRBS on Innovation
RBS on Innovation
 
Mir3 Singlewire STUGGE Presentation
Mir3 Singlewire STUGGE PresentationMir3 Singlewire STUGGE Presentation
Mir3 Singlewire STUGGE Presentation
 
Key considerations
Key considerationsKey considerations
Key considerations
 

Viewers also liked

Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Proposal risk based internal audit 2013
Proposal risk based internal audit 2013
Nidhi Gupta
 
Organizational Culture and Ethics, Enron Case Study
Organizational Culture and Ethics, Enron Case StudyOrganizational Culture and Ethics, Enron Case Study
Organizational Culture and Ethics, Enron Case Study
Brynne VanHettinga
 
Social impacts information technology
Social impacts information technologySocial impacts information technology
Social impacts information technology
Rimple Darra
 

Viewers also liked (18)

National information security education & awareness program
National information security education & awareness programNational information security education & awareness program
National information security education & awareness program
 
00 introduction to cyber safe ambassador program
00 introduction to cyber safe ambassador program00 introduction to cyber safe ambassador program
00 introduction to cyber safe ambassador program
 
Cybersafe manual-1 lowres
Cybersafe manual-1 lowresCybersafe manual-1 lowres
Cybersafe manual-1 lowres
 
Information security fasit-cait-20150129_v04
Information security fasit-cait-20150129_v04Information security fasit-cait-20150129_v04
Information security fasit-cait-20150129_v04
 
Ethics in-information-security
Ethics in-information-securityEthics in-information-security
Ethics in-information-security
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Information Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanInformation Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing Sudan
 
The impact of information in society
The impact of information in society The impact of information in society
The impact of information in society
 
Trustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education CatalogTrustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education Catalog
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Risk based internal auditing
 Risk based internal auditing Risk based internal auditing
Risk based internal auditing
 
Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Proposal risk based internal audit 2013
Proposal risk based internal audit 2013
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
Organizational Culture and Ethics, Enron Case Study
Organizational Culture and Ethics, Enron Case StudyOrganizational Culture and Ethics, Enron Case Study
Organizational Culture and Ethics, Enron Case Study
 
Information technology and its impact on society
Information technology and its impact on societyInformation technology and its impact on society
Information technology and its impact on society
 
Social impacts information technology
Social impacts information technologySocial impacts information technology
Social impacts information technology
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 

Similar to Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India

Itri icl 0116_distribute
Itri icl 0116_distributeItri icl 0116_distribute
Itri icl 0116_distribute
Fuming Shih
 
IxDA Taiwan 6th slide
IxDA Taiwan 6th slideIxDA Taiwan 6th slide
IxDA Taiwan 6th slide
Stanley Chang
 
7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls
7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls
7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls
Daniel Rivas
 

Similar to Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India (20)

Habit 2 actively manage knowledge; from the 7 habits of effective decision ma...
Habit 2 actively manage knowledge; from the 7 habits of effective decision ma...Habit 2 actively manage knowledge; from the 7 habits of effective decision ma...
Habit 2 actively manage knowledge; from the 7 habits of effective decision ma...
 
Using Behavioral Science to Secure Your Organization
Using Behavioral Science to Secure Your OrganizationUsing Behavioral Science to Secure Your Organization
Using Behavioral Science to Secure Your Organization
 
Physician Office Presentation
Physician Office PresentationPhysician Office Presentation
Physician Office Presentation
 
The difference between the Reality and Feeling of Security
The difference between the Reality and Feeling of SecurityThe difference between the Reality and Feeling of Security
The difference between the Reality and Feeling of Security
 
Itri icl 0116_distribute
Itri icl 0116_distributeItri icl 0116_distribute
Itri icl 0116_distribute
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
PINAR AKKAYA - The Human Dimension
PINAR AKKAYA - The Human DimensionPINAR AKKAYA - The Human Dimension
PINAR AKKAYA - The Human Dimension
 
A Morning of Mobile Privacy - Presenter Slides
A Morning of Mobile Privacy - Presenter SlidesA Morning of Mobile Privacy - Presenter Slides
A Morning of Mobile Privacy - Presenter Slides
 
IxDA Taiwan 6th slide
IxDA Taiwan 6th slideIxDA Taiwan 6th slide
IxDA Taiwan 6th slide
 
GRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersGRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of users
 
7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls
7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls
7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls
 
Social Media: Managing Risk
Social Media:  Managing RiskSocial Media:  Managing Risk
Social Media: Managing Risk
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
 
Trending it security threats in the public sector
Trending it security threats in the public sectorTrending it security threats in the public sector
Trending it security threats in the public sector
 
Building Human Intelligence – Pun Intended
Building Human Intelligence – Pun IntendedBuilding Human Intelligence – Pun Intended
Building Human Intelligence – Pun Intended
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
 
TIES 2013 Education Technology Conference
TIES 2013 Education Technology ConferenceTIES 2013 Education Technology Conference
TIES 2013 Education Technology Conference
 
Enterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived Risks
Enterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived RisksEnterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived Risks
Enterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived Risks
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 
Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024

Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India

  • 1. Creating a RESPONSIBLE Information Security Culture. Presented by Anup Narayanan, First Legion Consulting (Diagram labels: Information, Employees)
  • 2. What is the problem?
  • 3. Poor Information Security Awareness and Behavior impacts the business. Most problems are a cultural issue: • The new generation employees talk about business in Facebook and Orkut or while storing information in mobile devices • Many make mistakes while sharing information through email, phone, printing or even while traveling etc. (Diagram: Business Information: Client/Customer data, Regulatory data, Financial Data, Employee data)
  • 4. If you are interested in financial data! • *Average annual loss due to computer crimes shot up to $350,424 per company in 2007 from $168,000 in 2006 • *Insider abuse of network access or e-mail is the No. 1 threat • Note - The numbers are debatable, but what matters is that “money” is involved and hence it matters. *Source: Computer Security Institute Survey
  • 5. Principal focus: “Awareness” is not “Behavior” • Awareness: Everyone knows traffic rules • Behavior: Few follow them • Reason: Culture; Quality of enforcement. (C) First Legion Consulting. All Rights Reserved 12/29/2008
  • 6. Definitions: Awareness, Behavior & Culture • Awareness: Knowledge or understanding of an object, idea or thought • Behavior: The action or reaction of a person under specific circumstances • Culture: The attitudes and “BEHAVIOR” that are characteristic of a particular social group or organization
  • 7. To change behavior??? “All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated.”
  • 8. What is the challenge?
  • 9. The Challenge • Stage 1: I don’t know – I don’t know about password security (No awareness) • Stage 2: I know but I don’t do – I know about password security (Awareness) • Stage 3: I know and I do – I practice password security (Awareness and Behavior)
  • 10. Focus on the “3rd” angle of Information Security - PEOPLE. Technology and processes are only as good as the people who use them. (Diagram: Technology (Firewall), Process (ISO 27001), People??)
  • 11. Case Study: Why focusing only on “awareness” does not produce results?
  • 12. Analysis of an Information Security “Awareness” Project • Client name: with-held • Type of industry: Retail • No. of employees: 5000+ • Position: Market Leader • Type of Information handled: Customer data, Intellectual Property • Spending on Information Security Awareness: USD 100,000
  • 13. Spending Vs. Returns. Awareness that was spread: • Sharing of company/customer information is wrong • Sensitive Information must be protected • Access Control Cards must be protected • More…. Behavior Created: What we found? • Customer records were leaked to competitor • Salary information of top executive was given to head hunter (job recruiting firm) • Printouts lying unattended • Visitors can enter the facility without informing security guard • More….
  • 14. What was the problem? Problem 1: Poor “Visibility” & “Clarity”. Problem 2: Poor “Enforcement”
  • 15. Problem 1: Poor Visibility & Clarity • An organization has many “rules” and “regulations” • Where is the “information security rule?” • The workforce is confused!!
  • 16. Example: What are the employees saying? Message in the campaign: “Don’t share passwords”. Employee reaction (3 employees): • Which password? Desktop, Sales ERP, Document passwords? • I am stuck in Traffic Jam, have to update my sales calls by 6 p.m. Tell me what I should do? • I am sorry, but I didn’t know that there was a policy like this. Message in the campaign: “Protect Sensitive Information”. Employee reaction: • To me all information is sensitive • Does this mean that I cannot share it even with my colleagues? • How do I protect?
  • 17. More reactions! • “It takes 48-96 hours to get a password reset – What should I do, not do my work?” • “I get these annoying “Security Screen Savers” every 90 seconds. Why so much overkill!!” • “We have 100 new employees every month, whereas the security training is once in 6 months. How will you handle these “unaware” employees?”
  • 18. Root cause analysis • Poor Visibility - 50% of the workforce are off-role employees, they don’t have an email ID – Not covered in the campaign • Poor Clarity – Examples: “See something suspicious – Report it”; “Don’t share passwords”; “You have zero privacy anyways – Get over it” • Poor business relevance: Generic; Not business specific • Poor enforcement
  • 19. Problem 2: Poor Enforcement. Migration is determined by ENFORCEMENT: from Awareness (“I know, but I don’t do”) to Behavior (“I know and I do”)
  • 20. Remember!! • The poster near the water cooler is great for the 1st 2 weeks • Then it BLENDS into the environment
  • 21. Solution model • Methodology • Content (Awareness) • Enforcement
  • 22. First, Methodology (Diagram: Enforcement, Content, Methodology)
  • 23. Methodology: • First Legion HIMIS – Human Impact Management ™ for Information Security • Creative Commons License, Free for Non-Commercial use • Download from www.himis.org, created and owned by First Legion
  • 24. What can you do with HIMIS? 1. Assess the current level of Information Security Awareness and Behavior 2. Understand the business impact 3. Define “Desirable Information Security Behavior” for each function group (HR, R&D, Finance etc.) 4. Define “Enforcement Strategies” 5. Create a roadmap, measure and monitor
  • 25. HIMIS: Notes • DNV (Det Norske Veritas), a leading “Safety Risk Management Company”, has created an “Independent Assessment Model” for HIMIS • HIMIS is the first “Information Security Behavior” methodology to achieve this • Vodafone India is the first organization to undergo the verification assessment through DNV
  • 26. Next, Content (Diagram: Tool, Content, Methodology)
  • 27. Importance of Content • Content is a key propellant for creating good Information Security awareness
  • 28. Qualities of a good Information Security Awareness Campaign • Defined by HIMIS • The campaign must have: Reach; Visibility • Content must have the following qualities: 1. Business relevance: Not generic but Specific 2. Impact visualization: Show what can go wrong 3. Consider cultural factors: Consider the characteristics of the population 4. Clarity & Ease of understanding: Keep it simple; Less jargon
  • 29. People are busy! “I can’t attend the information security training” • I am traveling on business • I have a meeting • I have to prepare a report • I will be on vacation
  • 30. Fact: Inputs to designing a good security awareness campaign • How clear is my language? • Is the impact visualized clearly? • What information do they access? • Who am I talking to? • What’s my workforce? (Diagram: all of these inputs feed the Security Awareness Campaign)
  • 31. Next, Enforcement (Diagram: Enforcement, Content, Methodology)
  • 32. Remember! Migration is determined by ENFORCEMENT: from Awareness (“I know, but I don’t do”) to Behavior (“I know and I do”)
  • 33. Solution Model • Create two teams: The Core Information Security Management Team; A Team of Information Security Champions • Tasks: The Core Information Security Management Team will create the “Enforcement Strategies”; The Information Security Champions will assess the awareness and behavior levels, create awareness and provide feedback; The Core Information Security Management Team will enforce awareness strategies based on the feedback
  • 34. The Solution: Steps of Execution • Step 1 – Core team defines the Enforcement Strategies • Step 2 – Create a team of “Information Security Champions”: The champions will be trained on Information Security Awareness and Behavior Management; The champions will be given tools to analyze and record awareness and behavior levels • Step 3 – Support the champions with “Information Security Awareness Content”: The champions will be given a set of content to be distributed to their target group; The content will be created after taking the inputs from the champions • Step 4 – The champions provide the feedback to the core team for enacting enforcement strategies
  • 35. What is the benefit of this model? 1. Information security enters a micro level (functional level) rather than being at a superficial top level 2. Information security awareness is tailor-made for each functional level (Eg: A champion from Finance team will focus on protecting financial data; Eg: A champion from HR team will focus on protecting privacy of employee records) 3. Business relevance – The champions will give inputs for creating information security awareness content
  • 36. What is the benefit of this model? (Contd….) 4. The champions will be assigned targets that will be monitored and measured 5. You gain an internal capability to manage information security awareness rather than depending on an external consultant
  • 37. Case Study: The importance of Enforcement & how it produces results
  • 38. Case Study 1: IT Business • Company: Offshore Development, 3 Centers in India; Young workforce: Majority between 22-27 • Security Rules: Don’t forward emails with unofficial attachments; No downloads of videos, music, freeware; No storage of personal content in official systems
  • 39. Case Study 1: IT Business • What we did? • Quarterly “End-User Desktop Audits” • Findings were immediately “Signed and Agreed by Auditee” • Disputes were noted and “Signed” • Audit findings were submitted to InfoSec Team
  • 40. The key: Repetition and Consistency ?
  • 41. Remember!! Whatever “Enforcement Strategy” you may decide, the key is “Repetition and Consistency”
  • 42. Time and resource requirements • A roadmap of 3 years • A team of InfoSec Champions for year 1 targeting approximately 5% - 10% of the total workforce (One champion per 50-100 users) • Average effort of 18 man-hours per champion per year: 6 hours in quarter 1; 4 hours each in remaining 3 quarters
  • 43. Additional notes • The solution model is ISO 27001 aligned • The targets that this solution will achieve will help in complying with “Human Resources Security” (Domain A.8 of ISO 27001:2005)
  • 44. Closing notes: To change behavior “All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated.”
  • 45. Presented by Anup Narayanan, CISA, CISSP, Founder & Sr. Consultant, anup@firstlegion.net, www.firstlegion.net