The document discusses going beyond just awareness for information security and outlines several key areas to focus on: inform, teach, and motivate employees; manage responsibilities and ensure transparency, partitioning, separation, rotation, and supervision; and measure information dissemination, education outcomes, and behaviors through surveys, trials, and practice. The overall message is that an effective information security culture requires going beyond only raising awareness to also persuading, engaging, and holding people accountable.

1. Beyond
Awareness
23 de febrero 2006 Infosecurity Iberia 2006 1

2. Awareness
22 de Marzo de Infosecurity Iberia 2006 2

3. Awareness
•Best Practices.
•Compliance with Policies.
•Risks.
•Teach to
•Know and Understand.
22 de Marzo de Infosecurity Iberia 2006 3

4. Awareness
•Teach
•Convince.
•Motivate.
22 de Marzo de Infosecurity Iberia 2006 4

5. Threats
22 de Marzo de Infosecurity Iberia 2006 5

6. Human Threats
•Fraud.
•Scams.
•Corruption.
•Blakmail.
22 de Marzo de Infosecurity Iberia 2006 6

7. Human Threats
•Tailgating.
•Uncontrolled visitors.
•Mail or phone information requests.
•Forgotten doc in Printers, Fax, etc.
•Trust in uniforms.
22 de Marzo de Infosecurity Iberia 2006 7

8. Amenazas Técnicas
•The user must reach were systems can’t
•Hoax, Spam, Virus, Phising, Spyware.
•Backup copies.
•Authentication Sharing.
•Undeleted discarded information.
•...but systems should help.
22 de Marzo de Infosecurity Iberia 2006 8

9. Errors
22 de Marzo de Infosecurity Iberia 2006 9

10. Errors
22 de Marzo de Infosecurity Iberia 2006 10

11. Errores
180
22 de Marzo de Infosecurity Iberia 2006 11

12. Errores
•A automatic signal for doors open was requested, but not
granted.
•The person who had to close the doors was sleeping.
•The official who had to check the doors couldn’t do it, they
were short of personnel and was busy doing something
else.
•The boat was designed for a different route, so the ramp
was too high. For this reason it was ballasted, and the
ballast wasn’t drained because they were short of time.
•As they were short of time, the captain started full throttel,
which caused the wave the sink the boat.
22 de Marzo de Infosecurity Iberia 2006 12

13. Errores
•Who was guilty for the sinking?
•NONE OF THE ABOVE.
•THE MANAGERS who put the crew in a position were
human error was possible and likely,.
22 de Marzo de Infosecurity Iberia 2006 13

14. Irrationality
22 de Marzo de Infosecurity Iberia 2006 14

15. Actitud
•Honesty.
•Loyalty.
•Professional attitude.
•Healthy skepticism.
22 de Marzo de Infosecurity Iberia 2006 15

16. Irracionalidad
•Lottery.
•Milgram and Asch experiments:
•Respect to Authority.
•Uncontested Obedience.
•Response to group pressure.
•Uniforms.
•Conformism.
•Kitty Genovese case.
•You are more likely to stick to your deciosions if you make
themMarzo de
22 de
public. Infosecurity Iberia 2006 16

17. Information
22 de Marzo de Infosecurity Iberia 2006 17

18. Inform
• “When I hear, I forget, when I see, I
remember, when I do, I learn” Confucius (551-479 BC)
•Positive messages are remembered better
than negative ones.
•Two frequent errors :
•Too much information.
•Information too technical.
22 de Marzo de Infosecurity Iberia 2006 18

19. Informa
•Communication Media.
•Posters.
•Mails.
•Meetings.
•Etc.
22 de Marzo de Infosecurity Iberia 2006 19

20. Tuition
22 de Marzo de Infosecurity Iberia 2006 20

21. Tuition
22 de Marzo de Infosecurity Iberia 2006 21

22. Tuition
22 de Marzo de Infosecurity Iberia 2006 22

23. Tuition
•Check the message reached the other end.
•Exams.
•Surveys.
•Results.
22 de Marzo de Infosecurity Iberia 2006 23

24. Motivation
22 de Marzo de Infosecurity Iberia 2006 24

25. Motivation - Rewards
•Unpleasant actions: They are better
performed without a reward or with a small
one.
•Pleasan actions: Motivation is lost if they
are rewarded.
•Rewards:
•Material ones.
•Acknowledgement for your peers.
22 de Marzo de Infosecurity Iberia 2006 25

26. Motivación - Pusnihment
•They are more effective the more likely they
are, not the more severe they are.
•Punishments:
•Material.
•Losing face.
22 de Marzo de Infosecurity Iberia 2006 26

27. Motivación - Persuasion
•It is far more likely someone will do
something if it is felt as his or her own will.
•It is more likely an action will be taken if
we believe in it.
•To persuade is more difficult than reward
or punish, but far for difficult.
22 de Marzo de Infosecurity Iberia 2006 27

28. Responsibility
22 de Marzo de Infosecurity Iberia 2006 28

29. Responsibility
22 de Marzo de Infosecurity Iberia 2006 29

30. Responsibility
•Understand responsibilities distribution.
•Assum your own responsibility.
•Stablish barriers for information gathering
and collusion.
22 de Marzo de Infosecurity Iberia 2006 30

31. Responsibility
•Transparency.
•Partitioning.
•Separation.
•Rotation.
•Supervision.
22 de Marzo de Infosecurity Iberia 2006 31

32. Measurement
22 de Marzo de Infosecurity Iberia 2006 32

33. Medición
•Information – Activity.
•Tuition – Surveys.
•Trust – (No se puede)
•Behaviour – Trials, practice.
22 de Marzo de Infosecurity Iberia 2006 33

34. Summary
•Inform.
•Teach.
•Motivate.
•Manage.
•TPSRSR.
22 de Marzo de Infosecurity Iberia 2006 34

35. THANKS
22 de Marzo de Infosecurity Iberia 2006 35