She looks trustworthy
I’m gonna steal your toys

The difference between the “Reality” and “Feeling” of Security

Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ)
Focus of the talk

  • The Human Factor in Information Security
  • From “Security Awareness” to “Security Awareness and Competence”
  • Solution model
  • What are others doing?
Awareness

I know the traffic rules….
Competence?

Does it guarantee that I am a good driver?
Awareness >> Behaviour >> Culture

  • Awareness: I know
  • Behaviour (Competence): I do
  • Culture: We know and do

An organization must aim for a responsible security culture
What do organizations need?

A system that periodically shows the current Security Awareness and Competence Levels

Awareness score is 87% (scale: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS)
Competence score is 65% (scale: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE)
The power of perception

Why do people make security mistakes?

Imagine…

Nelson Mandela walks into this room right now and offers you this glass of water….
Will you accept it?
Now, imagine this…

This man walks into this room right now and offers you this glass of water….
Will you accept it?
Question

Which water did you accept? Why?
Analysis

Were you checking the water or the person serving the water?

People decide what is good and what is bad based on “trust”.
Perception is influenced by Trust.
Why must we address the human factor? (or) Is the human factor worth addressing?

Case Study 1

LinkedIn Password leak
The most popular passwords in LinkedIn

link                jesus
1234                connect
work                monkey
god                 123456
job                 michael
12345               jordan
angel               dragon
the                 soccer
ilove               killer
sex                 pepper

Analysis

You may think you are safe when you are actually not.

People are more terrified of being eaten by a shark than of dying of a heart attack….. but more people die of heart attacks.
Analysis

People exaggerate risks that are abnormal.

Adrenoleukodystrophy

More kids die choking on french fries than of adrenoleukodystrophy.
Reason 1: Security is both a “Reality” and a “Feeling”

For security practitioners, security is a “Reality” based on the mathematical probability of risks.

For the end user, security is a “feeling”.

Success lies in influencing the “feeling” of security.
Reason 2: Not every attack(er) is that smart

People exaggerate risks that are spectacular or uncommon: So what? RSA was hacked.

Chart: Risk severity / Attacker smartness / Attack efficiency (vertical axis, levels 1 to 4) against Control efficiency (horizontal axis). Legend: Technology & Processes; Awareness & Competence.

  4 – The very smart attacker
  3 – Human – Recognizing a zero day attack, phishing mails, not posting business information in social media
  2 – Technology + Human – Firewall configuration, choosing a secure Wifi
  1 – Automatic security controls – AV, Updates
Reason 3: Technology…yes, but humans…of course!

Aircraft have become more advanced, but does it mean that pilot training requirements have been reduced?

Medical technology has become more advanced, but will you choose a hospital for its machines or its doctors?
The Solution Model

Security Awareness and Competence Management

The solution is based on HIMIS

  • HIMIS – Human Impact Management for Information Security
  • Released under Creative Commons License
  • Free for Non-Commercial Use

http://www.isqworld.com/himis
1. Awareness Vs. Competence

Consider both “Awareness” and “Competence” independently

Process diagram: Security Risk analysis → Identify the human factor → Awareness and Behaviour (Competence) → Assess, Improve, Re-assess

ESP – Expected Security Practice
2. Visualize, engage ….and influence perception
3. Remember drip irrigation

Which is more effective – Drip irrigation or spraying a lot of water once a day?

Small doses, more frequent
4. Re-measure frequently

Organization’s awareness score was 87% → ? (scale: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS)
Organization’s competence score was 65% → ? (scale: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE)
Threat forecast
Emerging threats 2013 (report by ISF)

    • Natural disasters
    • Diminishing end user security awareness
    • Moving to cloud
    • Social media proliferation & data leaks
    • Corporate frauds
    • Attacks using GPS tracking
    • Economic espionage
    • Introduction of new devices (smart phones etc.)
    • Online leaks
    • Fast development and release of apps without testing
    • Smart outsourcing resulting in less workforce loyalty
Summary

Diagram: Information at the centre, surrounded by Technology (Firewall), People and Process.

Technology and processes are only as good as the people that use them.
Let’s switch ON the Human Layer of Information Security Defence

Thank You
Anup Narayanan
www.isqworld.com