
Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India



A brief overview regarding risks to information security due to poor awareness and irresponsible behavior. Based on my methodology HIMIS (Human Impact Management for Information Security). To know more about HIMIS, visit http://www.isqworld.com/himis

  1. Information Employees: Creating a RESPONSIBLE Information Security Culture. Presented by Anup Narayanan, First Legion Consulting
  2. What is the problem?
  3. Poor Information Security Awareness and Behavior impacts the business. Most problems are a cultural issue:
     • The new generation of employees talk about business on Facebook and Orkut, or store business information on mobile devices
     • Many make mistakes while sharing information through email, phone, printing, or even while traveling
     (Diagram: Business Information comprises Client/Customer data, Regulatory data, Financial data and Employee data)
  4. If you are interested in financial data!
     • *Average annual loss due to computer crimes shot up to $350,424 per company in 2007 from $168,000 in 2006
     • *Insider abuse of network access or e-mail is the No. 1 threat
     • Note: the numbers are debatable, but what matters is that “money” is involved and hence it matters
     *Source: Computer Security Institute Survey
  5. Principal focus: “Awareness” is not “Behavior”
     • Awareness: Everyone knows traffic rules
     • Behavior: Few follow them
     • Reason: Culture; Quality of enforcement
     (C) First Legion Consulting. All Rights Reserved. 12/29/2008
  6. Definitions: Awareness, Behavior & Culture
     • Awareness: Knowledge or understanding of an object, idea or thought
     • Behavior: The action or reaction of a person under specific circumstances
     • Culture: The attitudes and “BEHAVIOR” that are characteristic of a particular social group or organization
  7. To change behavior??? “All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated.”
  8. What is the challenge?
  9. The Challenge
     • Stage 1: I don’t know. “I don’t know about password security” (No awareness)
     • Stage 2: I know but I don’t do. “I know about password security” (Awareness)
     • Stage 3: I know and I do. “I practice password security” (Awareness and Behavior)
  10. Focus on the “3rd” angle of Information Security: PEOPLE. Technology and processes are only as good as the people who use them.
     (Diagram: Technology (Firewall); Process (ISO 27001); People??)
  11. Case Study: Why does focusing only on “awareness” not produce results?
  12. Analysis of an Information Security “Awareness” Project
     • Client name: withheld
     • Type of industry: Retail
     • No. of employees: 5000+
     • Position: Market Leader
     • Type of information handled: Customer data, Intellectual Property
     • Spending on Information Security Awareness: USD 100,000
  13. Spending vs. Returns
     Awareness that was spread:
     • Sharing of company/customer information is wrong
     • Sensitive Information must be protected
     • Access Control Cards must be protected
     • More…
     Behavior created (what we found?):
     • Customer records were leaked to a competitor
     • Salary information of a top executive was given to a head hunter (job recruiting firm)
     • Printouts lying unattended
     • Visitors can enter the facility without informing the security guard
     • More…
  14. What was the problem? Problem 1: Poor “Visibility” & “Clarity”. Problem 2: Poor “Enforcement”.
  15. Problem 1: Poor Visibility & Clarity
     • An organization has many “rules” and “regulations”
     • Where is the “information security rule”?
     • The workforce is confused!!
  16. Example: What are the employees saying?
     Message in the campaign: “Don’t share passwords”. Employee reaction (3 employees):
     • Which password? Desktop, Sales ERP, Document passwords?
     • I am stuck in a traffic jam, have to update my sales calls by 6 p.m. Tell me what I should do?
     • I am sorry, but I didn’t know that there was a policy like this
     Message in the campaign: “Protect Sensitive Information”. Employee reaction:
     • To me all information is sensitive
     • Does this mean that I cannot share it even with my colleagues?
     • How do I protect?
  17. More reactions!
     • “It takes 48-96 hours to get a password reset. What should I do, not do my work?”
     • “I get these annoying “Security Screen Savers” every 90 seconds. Why so much overkill!!”
     • “We have 100 new employees every month, whereas the security training is once in 6 months. How will you handle these “unaware” employees?”
  18. Root cause analysis
     • Poor Visibility: 50% of the workforce are off-role employees; they don’t have an email ID, so they were not covered in the campaign
     • Poor Clarity, examples: “See something suspicious – Report it”; “Don’t share passwords”; “You have zero privacy anyways – Get over it”
     • Poor business relevance: generic, not business specific
     • Poor enforcement
  19. Problem 2: Poor Enforcement. Migration is determined by ENFORCEMENT: from Awareness (“I know, but I don’t do”) to Behavior (“I know and I do”).
  20. Remember!!
     • The poster near the water cooler is great for the first 2 weeks
     • Then it BLENDS into the environment
  21. Solution model
     • Methodology
     • Content (Awareness)
     • Enforcement
  22. First, Methodology (Diagram: Methodology, Content, Enforcement)
  23. Methodology:
     • First Legion HIMIS: Human Impact Management™ for Information Security
     • Creative Commons License, free for non-commercial use
     • Download from www.himis.org; created and owned by First Legion
  24. What can you do with HIMIS?
     1. Assess the current level of Information Security Awareness and Behavior
     2. Understand the business impact
     3. Define “Desirable Information Security Behavior” for each function group (HR, R&D, Finance etc.)
     4. Define “Enforcement Strategies”
     5. Create a roadmap, measure and monitor
  25. HIMIS: Notes
     • DNV (Det Norske Veritas), a leading “Safety Risk Management Company”, has created an “Independent Assessment Model” for HIMIS
     • HIMIS is the first “Information Security Behavior” methodology to achieve this
     • Vodafone India is the first organization to undergo the verification assessment through DNV
  26. Next, Content (Diagram: Methodology, Content, Tool)
  27. Importance of Content
     • Content is a key propellant for creating good Information Security awareness
  28. Qualities of a good Information Security Awareness Campaign (defined by HIMIS)
     • The campaign must have: Reach; Visibility
     • Content must have the following qualities:
       1. Business relevance: not generic but specific
       2. Impact visualization: show what can go wrong
       3. Consider cultural factors: consider the characteristics of the population
       4. Clarity & ease of understanding: keep it simple; less jargon
  29. People are busy! “I can’t attend the information security training”: “I am traveling on business”; “I have a meeting”; “I have to prepare a report”; “I will be on vacation”
  30. Fact: Inputs to designing a good security awareness campaign
     • How clear is my language?
     • Is the impact visualized clearly?
     • What information do they access?
     • Who am I talking to?
     • What’s my workforce?
     (Diagram: all of these feed into the Security Awareness Campaign)
  31. Next, Enforcement (Diagram: Methodology, Content, Enforcement)
  32. Remember! Migration is determined by ENFORCEMENT: from Awareness (“I know, but I don’t do”) to Behavior (“I know and I do”).
  33. Solution Model
     • Create two teams: the Core Information Security Management Team, and a team of Information Security Champions
     • Tasks:
       • The Core Information Security Management Team will create the “Enforcement Strategies”
       • The Information Security Champions will assess the awareness and behavior levels, create awareness and provide feedback
       • The Core Information Security Management Team will enforce awareness strategies based on the feedback
  34. The Solution: Steps of Execution
     • Step 1: Core team defines the Enforcement Strategies
     • Step 2: Create a team of “Information Security Champions”
       • The champions will be trained on Information Security Awareness and Behavior Management
       • The champions will be given tools to analyze and record awareness and behavior levels
     • Step 3: Support the champions with “Information Security Awareness Content”
       • The champions will be given a set of content to be distributed to their target group
       • The content will be created after taking inputs from the champions
     • Step 4: The champions provide feedback to the core team for enacting enforcement strategies
  35. What is the benefit of this model?
     1. Information security enters a micro level (functional level) rather than staying at a superficial top level
     2. Information security awareness is tailor-made for each functional level
        • E.g. a champion from the Finance team will focus on protecting financial data
        • E.g. a champion from the HR team will focus on protecting the privacy of employee records
     3. Business relevance: the champions will give inputs for creating information security awareness content
  36. What is the benefit of this model? (contd.)
     4. The champions will be assigned targets that will be monitored and measured
     5. You gain an internal capability to manage information security awareness rather than depending on an external consultant
  37. Case Study: The importance of Enforcement & how it produces results
  38. Case Study 1: IT Business
     • Company: Offshore Development, 3 centers in India; young workforce, majority between 22-27
     • Security Rules:
       • Don’t forward emails with unofficial attachments
       • No downloads of videos, music, freeware
       • No storage of personal content in official systems
  39. Case Study 1: IT Business. What we did?
     • Quarterly “End-User Desktop Audits”
     • Findings were immediately “Signed and Agreed by Auditee”
     • Disputes were noted and “Signed”
     • Audit findings were submitted to the InfoSec Team
  40. The key: Repetition and Consistency
  41. Remember!! Whatever “Enforcement Strategy” you may decide, the key is “Repetition and Consistency”
  42. Time and resource requirements
     • A roadmap of 3 years
     • A team of InfoSec Champions for year 1 targeting approximately 5% - 10% of the total workforce (one champion per 50-100 users)
     • Average effort of 18 man-hours per champion per year: 6 hours in quarter 1, 4 hours each in the remaining 3 quarters
  43. Additional notes
     • The solution model is ISO 27001 aligned
     • The targets that this solution will achieve will help in complying with “Human Resources Security” (Domain A.8 of ISO 27001:2005)
  44. Closing notes: To change behavior. “All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated.”
  45. Presented by Anup Narayanan, CISA, CISSP, Founder & Sr. Consultant. anup@firstlegion.net, www.firstlegion.net
