A presentation that I took recently for a top management group that focuses on the human factor in information security. The presentation focuses on why people make security mistakes by analyzing various factors involving perception, how people make security decisions and how people are influenced by their feeling of security.
Do drop me a note if you wish to discuss this further at "anup at isqworld dot com".
The difference between the Reality and Feeling of Security
1. She looks trustworthy
I’m gonna steal your toys
The difference between the “Reality” and “Feeling” of Security
Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ)
2. Focus of the talk
• The Human Factor in Information Security
• From “Security Awareness” to “Security Awareness and Competence”
• Solution model
• What others are doing?
5. Awareness >> Behaviour >> Culture
• Awareness: I know
• Behaviour (Competence): I do
• Culture: We know and do
An organization must aim for a responsible security culture
6. What organizations need?
A system that periodically shows the current Security Awareness and Competence Levels
Awareness score is 87% (scale: LOW AWARENESS, MEDIUM AWARENESS, HIGH AWARENESS)
Competence score is 65% (scale: LOW COMPETENCE, MEDIUM COMPETENCE, HIGH COMPETENCE)
7. The power of perception
Why do people make security mistakes?
8. Imagine…
Nelson Mandela walks into this room right now and offers you this glass of water….
Will you accept it?
9. Now, imagine this…
This man walks into this room right now and offers you this glass of water….
Will you accept it?
11. Analysis
Were you checking the water or the person serving the water?
People decide what is good and what is bad based on “trust”
Perception is influenced by Trust
12. Why must we address the human factor?
(or)
Is the human factor worth addressing?
14. The most popular passwords in LinkedIn
link, 1234, work, god, job, 12345, angel, the, ilove, sex, jesus, connect, monkey, 123456, michael, jordan, dragon, soccer, killer, pepper
15. Analysis
You may think you are safe when you are actually not
People get more terrified thinking of getting eaten by a shark than dying of a heart attack… but more people die of heart attacks
16. Analysis
People exaggerate risks that are abnormal
Adrenoleukodystrophy
More kids die choking on french fries than due to Adrenoleukodystrophy
17. Reason 1: Security is both a “Reality” and “Feeling”
For security practitioners security is a “Reality” based on the mathematical probability of risks
For the end user security is a “feeling”
Success lies in influencing the “feeling” of security
18. Reason 2: Not every attack(er) is that smart
People exaggerate risks that are spectacular or uncommon:
So what? RSA was hacked
[Figure: vertical axis "Risk severity / Attacker smartness / Attack efficiency", horizontal axis "Control efficiency"; control groups labelled "Technology & Processes" and "Awareness & Competence"; four levels:]
1 Automatic security controls – AV, Updates
2 Technology + Human – Firewall configuration, Choosing a secure Wifi
3 Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media
4 The very smart attacker
19. Reason 3: Technology…yes, but humans…of course!
Aircraft have become more advanced, but does it mean that pilot training requirements have reduced?
Medical technology has become more advanced, but will you choose a hospital for its machines or the doctors?
21. The solution is based on HIMIS
• HIMIS – Human Impact Management for Information Security
• Released under Creative Commons License
• Free for Non-Commercial Use
http://www.isqworld.com/himis
22. 1. Awareness Vs. Competence
Consider both “Awareness” and “Competence” independently
[Figure: Security Risk analysis → Identify the human factor → Assess, Improve, Re-assess, applied separately to Awareness and to Behaviour (Competence)]
ESP – Expected Security Practice
25. 3. Remember drip irrigation
Which is more effective – Drip irrigation or spraying a lot of water once a day?
Small doses, more frequent
26. 4. Re-measure frequently
Organization’s awareness score was 87% ? (scale: LOW AWARENESS, MEDIUM AWARENESS, HIGH AWARENESS)
Organization’s competence score was 65% ? (scale: LOW COMPETENCE, MEDIUM COMPETENCE, HIGH COMPETENCE)
28. Emerging threats 2013 (report by ISF)
• Natural disasters
• Diminishing end user security awareness
• Moving to cloud
• Social media proliferation & data leaks
• Corporate frauds
• Attacks using GPS tracking
• Economic espionage
• Introduction of new devices (smart phones etc.)
• Online leaks
• Fast development and release of apps without testing
• Smart outsourcing resulting in less workforce loyalty
29. Summary
[Figure: Information, surrounded by Technology (Firewall), People and Process]
Technology and processes are only as good as the people that use them
30. Let’s switch ON the Human Layer of Information Security Defence
Thank You
Anup Narayanan
www.isqworld.com