Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

A talk that is based on my methodology HIMIS (Human Impact Management for Information Security) for reducing information security risks due to human error. To know more about HIMIS, visit http://www.isqworld.com/himis

Published in: Technology, Education

  1. Security Policy: Never share passwords. "Don't tell anyone, my password is…" A model for reducing information security risks due to human error. By Anup Narayanan, Founder & CEO, ISQ World
  2. Nelson Mandela offers you a glass of water…
  3. This man… offers you a glass of water
  4. Question: Which water will you accept? Why?
  5. 1. Objective: Describe a workable model for reducing information security risks due to human error. 2. Talk plan: I. Differentiate between "Awareness" & "Behavior" (we are here); II. Case study; III. Solution model; IV. Resources. © First Legion Consulting
  6. Awareness? "Do not share passwords!"
  7. Behavior? "Shred documents before disposing."
  8. Putting it together… Awareness: "I know." Behavior: "I do." Culture: "We do."
  9. Talk plan: I. Differentiate between "Awareness" & "Behavior"; II. Case study (we are here); III. Solution model; IV. Recap & Resources
  10. Case study. Client: one of the largest mobile service providers in the world. What? Spent US$100,000 on a security awareness campaign. How? Screen savers, posters, emailers. Who? Target: all employees.
  11. What did we do? "Awareness vs. behavior" benchmarking, and produced a scorecard.
  12. The scorecard (chart; not reproduced in the transcript)
  13. Reason 1: Operational issues… "If I don't share my password, salaries won't get processed." Response by the HR manager here… including that of the InfoSec manager. Message in the poster: "Don't share passwords."
  14. Reason 2: Confusion… Too many rules. "Which one do I follow?"
  15. Reason 3: Perception… "Which is safer?"
  16. Reason 4: Attitude… influenced by cost (peer pressure, top management behavior). "Nothing's gonna happen to me if I violate the security policies." "Well, I saw her doing it… shall I?"
  17. "Awareness" & "Behavior": independent but interdependent. Question: A person knows the traffic rules. Does that make the person a good driver? Answer: Not necessarily; "knowing" and "doing" are two different things. Question: A person knows the "information security rules". Does that make the person a responsible information security practitioner? Answer: Same as above. Knowing = Awareness. Doing = Behavior.
  18. Talk plan: I. Differentiate between "Awareness" & "Behavior"; II. Case study; III. Solution model (we are here); IV. Recap & Resources
  19. HIMIS: Human Impact Management for Information Security. Objective: to provide a model to reduce security risks due to human error. Creative Commons license, free for non-commercial use. Download: http://www.isqworld.com, click on the HIMIS link.
  20. HIMIS solution model, work backwards from the goal: Define → Strategize → Deliver → Verify, leading to responsible information security behavior.
  21. Define (Define → Strategize → Deliver → Verify): Choose ESPs (Expected Security Practices), i.e. the information security awareness and behaviour requirements valid for the business. Review and approval of ESPs. Baseline ESP assessment.
  22. ESP example: Information Classification. Awareness criterion: (a) the employees must know the different information classification levels: "Confidential, Internal, Public"; (b) the employees must know how to specify the classification, for example in the footer of each document. Behaviour criterion: the employees must actually classify documents in day-to-day work, and the evidence of this classification must be available.
  23. Strategize (Define → Strategize → Deliver → Verify): For awareness management: coverage; format & visibility (verbal, paper and electronic); frequency; quality of content (impact visualization, clarity & ease of understanding, business relevance, consideration of cultural factors); retention measurement. For behavior management: motivational strategies; enforcement/disciplinary strategies.
  24. Quality of content: impact visualization; clarity & ease of understanding; business relevance; consideration of cultural factors. "Yup! Not the usual glorified PowerPoint." "Wow! This security awareness video is so cool!"
  25. A 120-minute training plan: 120 minutes of training in a year: 45 minutes classroom or e-learning; 15 minutes screen saver (12 x 1 to 1.5 minutes); 15 minutes posters/wallpaper (same as above); 30 minutes through short videos (6 x 5 minutes); 20 minutes through quizzes/surveys (2 x 10 minutes). (As listed, the components add up to 125 minutes.)
  26. Behavior management: what works? "Let's cut his email access." "Let's talk to him." "Let's fire him."
  27. Poor security behavior vs. inconvenience (chart)
  28. Poor security behavior vs. cost (enforcement) (chart)
  29. Case study 1: Changing behavior (IT service provider). What we did: quarterly "end-user desktop audits"; findings were noted and "signed and agreed by auditee"; disputes were noted and "signed"; audit findings were submitted to the InfoSec team.
  30. Case study 2: Changing behavior (electronic retail store). Audit finding: cash boxes are left open when unattended. Cost attached: the branch manager loses 25% of the annual bonus for every violation. Compliance today is above 98%.
  31. Deliver (Define → Strategize → Deliver → Verify): define tolerable deviation; efficiency; collection of feedback; confirmation of receipt.
  32. Verify (Define → Strategize → Deliver → Verify): Audit strategy: selection of ESPs; define sample size; audit methods (for awareness: interviews, surveys, quizzes, mind-map sessions; for behavior: observation, data mining, log review, review of incident reports, social engineering?); reasonable limitations: behavior may not always be visible.
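A worked example of the Verify stage, added here and not part of the talk or of the HIMIS material: it scores two ESPs against a tolerable deviation using two of the behaviour audit methods the deck lists, log review (for "never share passwords") and inspection of evidence (for the information classification ESP on slide 22). The sign-in log, the document footers, the label scheme, the 30-minute window and the tolerance values are all constructed assumptions for illustration.

```python
"""Verify-stage scorecard for two Expected Security Practices (ESPs).

Added example, not the HIMIS model's own code. All input is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- ESP 1: "Never share passwords", checked by log review -----------------
# Constructed sign-in records: "<ISO timestamp> <user> <workstation>".
AUTH_LOG = """\
2011-06-01T09:00:12 alice WS-0101
2011-06-01T09:02:40 bob WS-0102
2011-06-01T09:05:03 alice WS-0117
2011-06-01T09:30:11 carol WS-0120
2011-06-01T13:00:00 bob WS-0102
2011-06-01T13:01:30 bob WS-0102
2011-06-01T17:45:09 carol WS-0121
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_auth_log(text):
    """Group sign-ins per user as chronologically sorted (time, host) pairs."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, user, host = m.groups()
            by_user[user].append((datetime.fromisoformat(ts), host))
    return {u: sorted(v) for u, v in by_user.items()}


def shared_account_suspects(by_user, window=timedelta(minutes=30)):
    """Users who signed in from two different workstations within `window`.

    Heuristic indicator of a shared password (the payroll case on slide 13):
    one person is not at two desks five minutes apart. A sign-in from another
    workstation hours later (carol) is not flagged; that is a desk move.
    """
    suspects = set()
    for user, events in by_user.items():
        for (t1, h1), (t2, h2) in zip(events, events[1:]):
            if h1 != h2 and t2 - t1 <= window:
                suspects.add(user)
    return sorted(suspects)


# --- ESP 2: information classification, checked by inspecting evidence -----
# Constructed footer line of each sampled document. Only the three labels of
# the assumed scheme count; "Restricted" is not in the scheme, so that document
# fails (slide 14: too many rules, which one do I follow?).
FOOTER_RE = re.compile(r"Classification:\s*(Confidential|Internal|Public)\b")
DOCUMENT_FOOTERS = {
    "q2-forecast.docx": "Classification: Confidential",
    "canteen-menu.docx": "Classification: Public",
    "offer-letter-1234.docx": "Classification: Internal",
    "sla-draft.docx": "Classification: Internal",
    "board-minutes.docx": "Classification: Restricted",   # label outside scheme
    "press-release.docx": "Classification: Public",
}


def classification_compliance(footers):
    """(compliant, sampled): documents whose footer carries an approved label."""
    ok = sum(1 for f in footers.values() if FOOTER_RE.search(f))
    return ok, len(footers)


# --- Scorecard against the tolerable deviation set in the Deliver stage ----
@dataclass
class EspResult:
    esp: str
    compliant: int
    sampled: int
    tolerable_pct: int  # deviation allowed, as percent of the sample

    @property
    def deviations(self):
        return self.sampled - self.compliant

    @property
    def passed(self):
        # integer form of deviations / sampled <= tolerable_pct / 100
        return self.deviations * 100 <= self.tolerable_pct * self.sampled


TOLERANCES = {"password": 0, "classification": 20}  # assumed policy values


def build_scorecard(log_text=AUTH_LOG, footers=DOCUMENT_FOOTERS,
                    tolerances=TOLERANCES):
    by_user = parse_auth_log(log_text)
    suspects = shared_account_suspects(by_user)
    ok, n = classification_compliance(footers)
    return [
        EspResult("Never share passwords", len(by_user) - len(suspects),
                  len(by_user), tolerances["password"]),
        EspResult("Classify every document", ok, n,
                  tolerances["classification"]),
    ]


if __name__ == "__main__":
    for r in build_scorecard():
        print(f"{r.esp:<26} {r.compliant}/{r.sampled} compliant "
              f"(tolerable {r.tolerable_pct}%): {'PASS' if r.passed else 'FAIL'}")
```

The password ESP gets a zero tolerance because a single shared credential is already the payroll scenario; the classification ESP tolerates some deviation because, as slide 32 notes, behaviour is not always visible and a footer is only one piece of evidence. Both thresholds are the kind of number the Deliver stage ("define tolerable deviation") has to fix before the audit runs, not afterwards.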
  33. (slide image; no transcribed text)
  34. Talk plan: I. Differentiate between "Awareness" & "Behavior"; II. Case study; III. Solution model; IV. Recap & Resources (we are here)
  35. Recap: Define → Strategize → Deliver → Verify, leading to responsible information security behavior.
  36. Tip! Get HR buy-in. HR manager and InfoSec manager: "People are my biggest asset!" vs. "People are my biggest threat!" You must talk the same thing!
  37. Conclusion: If you can influence perception, you can influence the way people choose or react (behavior). Perception is influenced if there is a cost for an action.
  38. "If I follow the information security rules, will I gain something? If I don't follow, will I lose something?" When you get your users to think this way, you are on your way to a better information security culture!
  39. Resources: Free security awareness videos: www.isqworld.com. Bruce Schneier, The Psychology of Security: http://www.schneier.com/essay-155.pdf. The Information Security Management Maturity Model (ISM3): www.ism3.com
  40. Anup Narayanan, Founder & Principal Architect, ISQ World, A First Legion Initiative. anup@isqworld.com, www.isqworld.com