The difference between the Reality and Feeling of Security
•Download as PPTX, PDF•
6 likes•9,966 views
A presentation that I took recently for a top management group that focuses on the human factor in information security. The presentation focuses on why people make security mistakes by analyzing various factors involving perception, how people make security decisions and how people are influenced by their feeling of security. Do drop me a note if you wish to discuss this further at "anup at isqworld dot com"
Recommended
Recommended
More Related Content
What's hot
What's hot (6)
Similar to The difference between the Reality and Feeling of Security
Similar to The difference between the Reality and Feeling of Security (20)
Recently uploaded
Recently uploaded (20)
The difference between the Reality and Feeling of Security
- 1. She looks I’m gonna steal trustworthy your toys The difference between the “Reality” and “Feeling” of Security Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ)
- 2. Focus of the talk • The Human Factor in Information Security • From “Security Awareness” to “Security Awareness and Competence” • Solution model • What others are doing? 2
- 3. Awareness I know the traffic rules…. 3
- 4. Competence? Does it guarantee that I am a good driver? 4
- 5. Awareness >> Behaviour >> Culture Awareness Behaviour Culture (Competence) • I know • I do • We know and do An organization must aim for a responsible security culture 5
- 6. What organizations need? A system that periodically shows the current Security Awareness and Competence Levels Awareness score is 87% LOW AWARENESS MEDIUM AWARENESS HIGH AWARENESS Competence score is 65% MEDIUM LOW COMPETENCE COMPETENCE HIGH COMPETENCE 6
- 7. The power of perception Why do people make security mistakes?
- 8. Imagine… Nelson Mandela walks into this room right now and offers you this glass of water…. Will you accept it? 8
- 9. Now, imagine this… This man walks into this room right now and offers you this glass of water…. Will you accept it? 9
- 10. Question Which water did you accept? Why? 10
- 11. Analysis Were you checking the water or the person serving the water? People decide what is good and what is bad based on “trust” Perception is influenced by Trust 11
- 12. Why must we address the human factor? (or) Is the human factor worth addressing?
- 13. Case Study 1 LinkedIn Password leak 13
- 14. The most popular passwords in LinkedIn link jesus 1234 connect work monkey god 123456 job michael 12345 jordan angel dragon the soccer ilove killer sex pepper 14
- 15. Analysis You may think you are safe when you are actually not People get more terrified thinking of getting eaten by a shark then dying of heart attack…..but more people die of heart attacks 15
- 16. Analysis People exaggerate risks that are abnormal Adrenoleukodistrophy More kids die choking on french fries than due to Adrenoleukodistrophy 16
- 17. Reason 1: Security is both a “Reality” and “Feeling” For security practitioners security is a “Reality” based on the mathematical probability of risks For the end user security is a “feeling” Success lies in influencing the “feeling” of security 17
- 18. Reason 2: Not every attack(er) is that smart People exaggerate risks that are spectacular or uncommon: So what? RSA was hacked Technology & Processes Awareness & Competence The very smart attacker 4 Human – Recognizing a zero day attack, 3 Phishing mails, Not posting business Risk severity/ Attacker information in social media Smartness/ Attack Efficiency 2 Technology + Human – Firewall configuration, Choosing a secure Wifi 1 Automatic security controls – AV, Updates 18 Control efficiency
- 19. Reason 3: Technology…yes, but humans…of course! Aircrafts have become more advanced, but does it mean that pilot training requirements have reduced? Medical technology has become more advanced, but will you choose a hospital for it’s machines or the doctors? 19
- 20. The Solution Model Security Awareness and Competence Management
- 21. The solution is based on HIMIS • HIMIS – Human Impact Management for Information Security • Released under Creative Commons License • Free for Non-Commercial Use http://www.isqworld.com/himis 21
- 22. 1. Awareness Vs. Competence Consider both “Awareness” and “Competence” independently Awareness Assess, Security Risk Identify the Improve, Re- analysis human factor assess Behaviour (Competence) ESP – Expected Security Practice 22
- 23. 2. Visualize, engage ….and influence perception 23
- 24. 24
- 25. 3. Remember drip irrigation Which is more effective – Drip irrigation or spraying a lot of water once a day? Small doses, more frequent 25
- 26. 4. Re-measure frequently Organization’s awareness score was 87% ? LOW AWARENESS MEDIUM AWARENESS HIGH AWARENESS Organization’s competence score was 65% ? MEDIUM LOW COMPETENCE COMPETENCE HIGH COMPETENCE 26
- 27. Threat forecast 27
- 28. Emerging threats 2013 (report by ISF) • Natural disasters • Economic espionage • Diminishing end user • Introduction of new devices security awareness (smart phones etc.) • Moving to cloud • Online leaks • Social media proliferation • Fast development and & data leaks release of apps without • Corporate frauds testing • Attacks using GPS • Smart outsourcing resulting in tracking less workforce loyalty
- 29. Summary Technology (Firewall) Information People Process Technology and processes are only as good as the people that use them 29
- 30. Let’s switch ON the Human Layer of Information Security Defence Thank You Anup Narayanan www.isqworld.com