Koen Maris, profile picture
Uploaded byKoen Maris
581 views

The human factor

The document discusses the significant role of human factors in information security, highlighting that a majority of security incidents stem from human error rather than technology failures. It emphasizes the need for a comprehensive security awareness strategy that includes training employees at all levels, promoting transparency, and addressing the unique cultural behaviors within an organization. Key recommendations include securing management support, defining clear roles, and implementing continuous awareness efforts to effectively change employee behavior regarding security practices.

Embed presentation

Download to read offline
The Human Factor k m ar@b aleo.be (c) Copyright 2005. Koen Maris
Table of contents Table of contents............................................................................................................ 2 Abstract .......................................................................................................................... 3 Introduction.................................................................................................................... 4 Today ......................................................................................................................... 4 The public domain ..................................................................................................... 4 Target audience .............................................................................................................. 5 Management............................................................................................................... 5 Mid management ....................................................................................................... 5 Staff:........................................................................................................................... 5 Technical staff............................................................................................................ 5 Definitions...................................................................................................................... 6 The human factor (layer 8) ............................................................................................ 6 The design issues ....................................................................................................... 6 The technology problem ............................................................................................ 6 Cultural behavior ....................................................................................................... 7 Social engineering...................................................................................................... 7 The exploits............................................................................................................ 7 Human based social engineering ........................................................................... 8 Technology based social engineering .................................................................... 8 Countermeasures............................................................................................................ 9 Seven steps to build your human firewall .................................................................. 9 1. Convince your top management .................................................................... 9 2. Assign and clarify roles and responsibilities ................................................. 9 3. Define an action plan linked to a budget ..................................................... 10 4. Develop and update the policy framework .................................................. 10 5. Develop a security awareness/education program ....................................... 10 6. Measure the progress of your security awareness efforts ............................ 10 7. Develop security incident response team and plan ...................................... 11 Information .................................................................................................................. 12 Resources ..................................................................................................................... 12
Abstract Business today contains an important number of security risks. In most cases, the employees deal with issues according to their knowledge. The importance of a transparent security strategy is often neglected, this results in only the techies having the know how of the security and the strategy. Transparency is necessary so security does not become an obstacle in the business processes. If Top Management is not aware about the strategy, they might take a different direction, if the employees are not aware they might impede your efforts hence security awareness. Often business relies blindly on technology to eliminate a maximum of the risks they have in their work environment. Technology has a gap; it is first of all made by humans, administered by humans and the output interpreted by humans. Deemed to end with the biggest security issue “the human factor”. This said it should be clear that security cannot solely lie within IT if the size of the organization allows it. Security awareness can be obtained by training your employees with security issues that they can reflect to their environment and their private lives. A security awareness program gives a company the ability to highlight risks, improvement made on security, how to use the security department etc… Your employees often think that you security department is a bunch of techies and/or freaks that like to have control. Profiling your department as a point of contact where security issues can be discussed enhances overall security. The key factor, educate your staff by an awareness program, a quiz, posters, e-mail messages or reminders, intranet information etc… Repetition is determent to success; humans only retain information by repeating it over and over and using a more relaxed approach instead of an academic one will loosen up people resulting in more interaction with the security management and its staff.
Introduction Our technology-oriented civilization tends to solve problems with technology-based solutions. This paper lays out the importance of the human aspects in information security in relation with technology used to mitigate the risk. Statistics show that as many as 75 percent of the security incidents are caused by human error or ignorance. Whilst technology solutions can never be the panacea in information security one can increase the effectiveness by implementing a well-designed security awareness strategy. Convince your management and launch your ideas in a comprehensive language for your target audience! Today Today employee’s have little idea about the security improvement efforts made by the employers. Nevertheless, all these efforts can be easily bypassed by mistake, configuration error, misinterpretation or intentionally actions. All people take action according to what they know, what they have seen in the past or on the information given at the very moment when the action is required. This behavior is baleful for the security no matter how much investment in technology is made. Due to the rapid changing techniques in order to gain financial benefit technology only cannot cope. The key factor is informing all your employee’s and all-hierarchical levels. By repeating the message, constant reminding with little notes, posters, mails and/or intranet is an effective way to keep up with the new breed of attacks. The public domain In our day-to-day lives, we are overwhelmed by security awareness campaigns. Government, law enforcement, state security and many others inform us with many issues that need public awareness. The information spreads over any medium available and able to reach the mass. Important factor is catching the attention, one-liners, funny or shocking pictures are still the number one strategy. In fact, the public domain has plenty of examples to guide you through an effective campaign that improves your security strategy. Ex.: During the Christmas period a lot of countries put in a lot of effort to make drivers conscious about the risks of drinking and driving. It is clear that the opportunity (Christmas) is exploited to have a better attention from the audience. In most countries, it is a big annual event but focus is kept through the year by different campaigns with a mutual interest. Imagine marketing only works on one big event a year; you will not get a good sales cycle outside your marketing periods.
Target audience In security awareness, you have not one specific audience focus. If possible, split the audience in relation to function they withhold in the company. Splitting your audience in to target groups allows you talk in the specific language of the group. Management: To attract Senior Management members your presentation has to be focused on key elements only. For them it is more interesting to know at what risk level they are, what loss expectancy they have in case of an event and more important what can they gain with spending cash for security improvement. A numerical or statistical approach will improve the level of understanding of the complex issues; also, examples from real life will raise their attention. If the company would loose assets, what would be the financials loss or what is the loss in case the reputation is damaged. Important to know is that if you like them to support your strategy they have to find themselves in the proposals. If they are not in line with your thoughts, you will have a hard job to convince them. Remember the goal of security awareness, changing behavior. Hard but necessary is to pin point the day to day risks in their work environment. After all Senior Management is less comfortable with the fact somebody will tell them how to work and handle things. If everyone is compliant to the password policy and Senior Management is not, the company could loose its valuable reputation very quick and easy. Mid management: Mostly responsible to transmit the message to department heads. A more granular explanation of the policies, standards, procedures and guidelines is mandatory, as they are responsible to map it to different department heads. If the messages transmission fails, the pyramid structure will not work. Crucial factor is full understanding and acceptance by mid management. Their support determines the overall acceptance downwards in the pyramid. Staff: Convincing your staff is the biggest obstacle, and it is only a start as your goal is to change behavior. You can convince them but that will not guarantee success. To change behavior you need repetition and to get repetition you need time, money and support from your management. Splitting staff in to groups that are job related increases the effectiveness of your security awareness. Pointing out the importance of the person behind the job and his/her security related issues will more likely improve the response to your efforts. Make your staff feel involved is the key message to a successful security aware staff. Technical staff: Special care is required because convincing technical staff in how they should approach some parts of their job will not be easy going. Technical staff tends to get things up and running and applies security afterwards. Security integration should start at the beginning of each project or somewhere in the initializing phase. Appending security at the end of project will be expensive, difficult and results in less restrictive security integration as originally planned.
Definitions Often the words training and awareness are used in the wrong context. To avoid this misunderstanding a short explanation based on the NIST-800-50 document. Awareness: Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. Training: Training strives to produce relevant and needed security skills and competencies. The human factor (layer 8) Layer 8 complex layer with fuzzy logic making random decisions and unpredictable behavior. The topic is around for quite some time and business does need to address it as never before. Often layer 8 is the cause of scandal where social engineering attacks are successful. This type of attack will rise in the future and we are standing on the edge, technology is keeping us from falling but will it in the future? . The design issues Designing a secure harbor for the business is a difficult task, as not every business unit has its own view on what should be offered. Techies often design to their needs and are less focused on the business requirements. If the design does not incorporate the requirements of the business, it will be subject of a lot of resistance. A solution cannot be successful in security if the people are opposed to it from the very beginning. User-friendly design will improve security due to the reduced error rate. The technology problem Often companies see the technology solution as the way to go. Heavily armored with firewalls, IDS/IPS, VPN, PKI, Anti-virus etc… the security officer considers himself as secured to the bone with a good understanding of its benefits and limitations of the products. However, all this technology remains a valuable tool to protect against malicious attacks but one has to consider the drawbacks in this tech savvy world. Technology is not perfect. Vulnerabilities, unchecked buffers and backdoors are still found in commercial and non-commercial software despite the efforts of your software engineering teams. The best approach to mitigate such risks is using a multilayered solution even though history proofs that the best security can be compromised one way or another. Often big institutions do not understand the complex security issues in sufficient detail to ensure an appropriate solution. Such an approach results in choices that are often only an answer to one of the problems occurring. A firewall can be very good in filtering traffic but could be a nightmare in handling reporting and alerting. A technical solution is an expensive purchase and costly to keep it running. The off-the-shelf products are often an answer to few of the requirements and add little competitive advantage.
External consultants/engineers integrate the products in your infrastructure; this is a huge opportunity to have intrusion or data leakage. Cultural behavior Discipline! Discipline varies around the world. In some countries everything is regulated and executed as written in the books. The cultural behavior is important when designing a campaign. It does not make sense developing strict rules if they cannot be enforced. E.g.: Japan: Due to construction works near the server room it became inevitable to make a huge hole in the wall leading to the server room. Although the hole was big, enough to walk through it but the staff still used the mantrap to enter the server room and advised consultants to do so. A good example on how culture can have an impact on your security strategy. Social engineering Probably the biggest concern today is social engineering, because it is spread throughout all layers of your company and any department could be subject of it. In the most companies a robust policy structure guards against it but control of the compliancy is mandatory, as policies are useless if not applied. What is social engineering? It is an art of deception or persuasion to gain information that would be hidden to the attacker. Despite all efforts and policy integration, any human is subject to emotion that is one of the key elements to misuse by an attacker. Aquiring information or access privileges based on false thrust relationship build between the attacker and its victim. The exploits Diffusion of responsibility – If the victim is convinced the responsibility does not lie solely in his/her hand they are more likely to grant the attackers request. Trust Relationships – The attacker tries to expend more time into its attack to develop a relationship with the goal to gain trust. Exploiting the trust is done by provoking a series of interactions that were positive. Once the attacker is confident, he/she will then try his luck on a bigger move. Moral duty – The attacker encourages the target to act out of a sense of moral duty. Convincing the target that the policy is not stroking with common moral issues will increase the chance to gather information. The target assumes detection will be unlikely. Guilt – Psychodrama, manipulate empathy, create sympathy and touching the heartstrings all these factors are mastered by social engineers. Believe in the innocence of the requestor and the having faith in the story often leads to granting access of giving information to avoid being left with guilt. request.
Desire to be helpful – Relying on people’s helpfulness is one of the key aspects used by social engineers. Social engineers do notice rather quickly if people are not assertive and not confident in refusing. Cooperation – Avoiding situations of conflict, speaking with a voice of reason rather than shouting or barking. Social engineers would be just that guy that would understand your difficult situation. Human based social engineering Impersonation: The most common attack, the attacker says he is someone from the company having trouble to gain access. The attacker will have some names that he will abuse to retrieve the necessary information. The VIP approach: An attacker claims to be a senior member or any other important employee that could have a higher level of access and that creates a certain ambiance of fear at the victim’s side. Shoulder surfing: The attacker tries to capture information you type, keystrokes when password is asked, usernames appearing on your screen etc… Dumpster diving: Valuable information can be found in the waste bins. This has been reduced by using a shredder but shredding in one direction only could be insufficient to prevent a determent attacker from finding information. Piggy backing: Slip into a building by hiding into a group of allowed people. The mass of people is your disguise. Third-party approach: The attacker may know someone in the company and this person would have given the authorization. To the victim the third party will be most of the time a senior staff member. Technology based social engineering Popup windows: A small window popups prompting the user to reenter information, often a username/password but could also be an email address for spam purposes. Once this is done the information is send by email or over web (http) to the attacker. Mail attachments: An email is the ideal disguise to hide malicious programs using a fake file types. Distributing spam, viruses, Trojan horses or any other program that can automatically spread itself and gather information for the attacker. History has proven that users tend to click on the attachments whether the sender is known or not. Spam, chain emails and hoaxes: These do not have a direct threat to the company or the person but they rely on social engineering and gather information such as email addresses to be sold afterwards. Websites: A common ploy is to offer something for free or a chance to win. Often you have to enter personal information, which could be used for identity theft. Or one has to pay a fee to be able to receive the price, after the fee is paid you never hear from them again.
Countermeasures A typical question from management would be: “How can we get full protection against it and what will be the cost?” The answer is fairly simple, no full security against it exists and the costs are recurrent. No matter how much technology integration at some point, the human factor is involved. The human factor can be influenced either political, cultural or a social event. As with any threat, there are always possibilities to mitigate the risk thus reducing the success rate of the malicious event. Seven steps to build your human firewall 1. Convince your top management Every project in your organization it requires support from management. The top down approach proves to be the best in convincing the employees of the seriousness of the project and the need for the change. Getting your management over the line is definitely the hardest part and an external expert in “human firewall” could be a major help. A key factor to get the management at your side is to prove that security is a business enabler and not a continuous expense. Psychology would be your instrument to achieve this step. According to Gartner Group there are three major questions that executives and board of directors need to answer when confronting information security issues: Is our security policy enforced fairly, consistently and legally across the organization? Would our employees, contractors and partners know if a security violation was being committed? Would they know what to do about it if they did recognize a security violation? 2. Assign and clarify roles and responsibilities The biggest obstacle in improving your security is a lack of clear-cut roles and responsibilities. Defining which business units are critical and including the key people in the task force may be one of your goals to set. Security functions are not necessarily limited to one person; separation of duties is often applied. However, rarely all people have the time and the authority to carry out business wide security awareness initiatives. Nevertheless some functions may have overlapping duties or be combined by one person. In his new book Information Security Roles & Responsibilities Made Easy, information security consultant and Human Firewall Council member, Charles Cresson Wood, writes that unfortunately "management at many organizations has never clearly stated its intentions about the work it wanted an information security function to perform. It's hard to do a 'good job,' if you don't know what your job is supposed to be. As perverse as this situation may sound, many information security specialists have been asked to do just that. When things go wrong, they often get blamed even though they didn't know these same things were important."
3. Define an action plan linked to a budget An action plan, start with an assessment of the relative value of information assets. A risk management approach is key to define values and risks. Prioritizing asset values are the corner stones of your plan and simplify the budgeting to address the most important information assets your organization has. The budget planning demands care and a strategic view, convincing it can enable business instead of writing it off, as simple cost might be the key differentiator to get management over the finish. Often the human side of security is neglected, to increase your success rate you have to involve the technical people into your program. Both need to grow together instead of handling it as two separate issues. 4. Develop and update the policy framework The policy framework defines the internal rules of your company. As in real life the law is subject to changes as the civilisation progresses this is the same in your organisation. Policies have to be read and understood by everyone in the organisation. The policies alignment with business goals is key to success. Policies that are constraining or contradictory with business are pushed in the forgotten list. Your ultimate goal is to weave in information security practices as an essential to conducting business safely and securely. 5. Develop a security awareness/education program Security awareness builds human firewalls. It is probably the best tool to inform your staff of day-to-day business risks. It is key that your awareness campaign adapts to business but also to the risk change. Events throughout the world define the campaign agenda partly. Conducting these campaigns should be done on a regular basis, repetition is determent for the success and the increase of security as a result. As a first step conducting a survey gives you the opportunity to retrieve information about the weaker and the stronger domains. This gives you the ability to focus your campaign on weaker points. The campaign should not be limited to a one shot presentation, posters, quizzes, intranet or emails can keep your staff up-to-date. 6. Measure the progress of your security awareness efforts Quizzes are an excellent tool to measure the status of your efforts when it comes to security awareness. A website with a “test your security awareness” or a quiz after the lunch brake where people have to find 10 security errors in an insecure working environment give you a good view where your staff is today. It allows you to detect the weak spots, work on those factors, and integrate new items to stay on track with the evolution. The outcome of your test phase should be integrated into report for top management. Help reassure management that you have made progress in answering the key questions posed at the beginning of this blueprint: Is our security policy enforced fairly, consistently and legally across the organization? Would our employees, contractors and partners know if a security violation was being committed? Would they know what to do about it if they did recognize a security violation?
7. Develop security incident response team and plan Disaster recovery is mandatory to survive in the business jungle. It is important that business can recover in a quick and efficient way but more important is that damage can be reduced from the very beginning of an event. The most important asset to protect is your staff, people first.
Information Author : Koen Maris @ Belgium – Luxemburg Employer : Secaron Sà r.l. - Grevenmacher Biography : Started with software development for small business to end with managing large corporate networks and their systems. In the early internet era in Europe my attention was caught by the insecurity of most connected business. This launched me into the complex matter of IT security which switched to a more general term Information Security. Today I am an active member in w w w .i s sa.o r g and w w w . i s c2.o r g . Presentations : In the late 90’s I have done several presentations about the impact of internet and the security risks. This was in larger perspective initiated by Cisco. My first of many perhaps! Why : Experience showed that the human factor is often neglected. Implementing a techie solution for the problem and handing the real issues over to the administrator often leads to frustration of the staff. The hopes of making a difference through a more human approach should be considered and are keen in developing a concrete security strategy. Resources htt p ://w w w . n i s t . g ov htt p ://w w w.i w a r .o r g.uk/c o m s ec/ r eso ur ce s /sa - to o l s / i nd e x . ht m w w w . i s sa.o r g CISSP Certification All-in-One Exam Guide, 2nd Edition ISBN: 0072229667 w w w .sans.o r g w ww .its ecur ity .co m Thanks to Melissa Guenther m gu enthe r@ cox . net Clement Depuis cdup u i s @ c c c u r e.o r g

More Related Content

PDF
The Ultimate Guide To Business Continuity
byEnvision Technology Advisors
 
PDF
Leadership in a crisis responding to the coronavirus outbreak
byGraham Watson
 
PPT
Relationship Forecasting
byGlobal Business Events - the Heart of your Network.
 
PDF
Severe Weather Preparedness and Resiliency
byMissionMode
 
PPTX
5 keys to disaster recovery planning
byJustin Foltz
 
PDF
Planning For Disaster And Everyday Threats Wp111438
byErik Ginalick
 
PDF
disaster-recovery-online
byShaktinandan Satyakam
 
PDF
18 Ways Incident Management Systems Create Order (And Why It Matters)
by24/7 Software
 
The Ultimate Guide To Business Continuity
byEnvision Technology Advisors
 
Leadership in a crisis responding to the coronavirus outbreak
byGraham Watson
 
Relationship Forecasting
byGlobal Business Events - the Heart of your Network.
 
Severe Weather Preparedness and Resiliency
byMissionMode
 
5 keys to disaster recovery planning
byJustin Foltz
 
Planning For Disaster And Everyday Threats Wp111438
byErik Ginalick
 
disaster-recovery-online
byShaktinandan Satyakam
 
18 Ways Incident Management Systems Create Order (And Why It Matters)
by24/7 Software
 

What's hot

PDF
Business Continuity Detailed Plan
byWissam Abdel Baki
 
DOCX
Risk management 4th in a series
byGlen Alleman
 
DOCX
Risk & Risk Management Ideas, Thoughts & Perspectives for new CEOs CIOs CTOs...
byPatrick A.
 
PDF
Managing Uncertainty - 2011
byRiskShare
 
PDF
Crisis Communications Polls Feb10
byAmalfiCORE, LLC
 
PDF
Amalfi Core Business Continuity Poll Oct09
byAmalfiCORE, LLC
 
PDF
Curso Crisis Management - 2011 - versão inglês
byMilton R. Almeida
 
Business Continuity Detailed Plan
byWissam Abdel Baki
 
Risk management 4th in a series
byGlen Alleman
 
Risk & Risk Management Ideas, Thoughts & Perspectives for new CEOs CIOs CTOs...
byPatrick A.
 
Managing Uncertainty - 2011
byRiskShare
 
Crisis Communications Polls Feb10
byAmalfiCORE, LLC
 
Amalfi Core Business Continuity Poll Oct09
byAmalfiCORE, LLC
 
Curso Crisis Management - 2011 - versão inglês
byMilton R. Almeida
 

Viewers also liked

PDF
Honeymoon in nainital | Honeymoon in Nainital From Mumbai-Delhi
byJusteat India
 
PPTX
Gray Stone Advisors NBAA Leadership 2012 ppt
byGray Stone Advisors
 
PDF
Sensible defence
byKoen Maris
 
DOC
บทที่ 2
bysomjaibio003
 
DOC
โครงงานไวรัสคอมพิวเตอร์ 5.4
bysomjaibio003
 
DOC
ปก
bysomjaibio003
 
DOC
บทที่ 5
bysomjaibio003
 
DOC
Cánh hoa duyên kiếp
bysteppe91
 
PPT
Basketball
byaggelosk13
 
PDF
Rafael Moucka na konferencji InternetASAP
byPositive Power Sp. z o.o
 
PDF
RWD: przyszłością m.commerce?
byPositive Power Sp. z o.o
 
PDF
Company Presentation
byPositive Power Sp. z o.o
 
PDF
Rafael Moucka na konferencji PARP
byPositive Power Sp. z o.o
 
PDF
ALEJE.IT z Positive Power
byPositive Power Sp. z o.o
 
PDF
Positive Power na Boss Festiwalu
byPositive Power Sp. z o.o
 
PDF
R.moucka ecommerce standard
byPositive Power Sp. z o.o
 
PDF
Jak być interaktywnym? Pozytywnie o agencjach
byPositive Power Sp. z o.o
 
PPTX
Lks pengukuran
byantoninovela
 
PDF
Kerala honeymoon,Cheap Kerala honeymoon
byJusteat India
 
PPTX
Css
bycarinat95
 
Honeymoon in nainital | Honeymoon in Nainital From Mumbai-Delhi
byJusteat India
 
Gray Stone Advisors NBAA Leadership 2012 ppt
byGray Stone Advisors
 
Sensible defence
byKoen Maris
 
บทที่ 2
bysomjaibio003
 
โครงงานไวรัสคอมพิวเตอร์ 5.4
bysomjaibio003
 
ปก
bysomjaibio003
 
บทที่ 5
bysomjaibio003
 
Cánh hoa duyên kiếp
bysteppe91
 
Basketball
byaggelosk13
 
Rafael Moucka na konferencji InternetASAP
byPositive Power Sp. z o.o
 
RWD: przyszłością m.commerce?
byPositive Power Sp. z o.o
 
Company Presentation
byPositive Power Sp. z o.o
 
Rafael Moucka na konferencji PARP
byPositive Power Sp. z o.o
 
ALEJE.IT z Positive Power
byPositive Power Sp. z o.o
 
Positive Power na Boss Festiwalu
byPositive Power Sp. z o.o
 
R.moucka ecommerce standard
byPositive Power Sp. z o.o
 
Jak być interaktywnym? Pozytywnie o agencjach
byPositive Power Sp. z o.o
 
Lks pengukuran
byantoninovela
 
Kerala honeymoon,Cheap Kerala honeymoon
byJusteat India
 
Css
bycarinat95
 

Similar to The human factor

PDF
Cybersecurity Employee Training
byPaige Rasid
 
PDF
Social Engineering Audit & Security Awareness
byCBIZ, Inc.
 
PPT
End User Security Awareness Presentation
byCristian Mihai
 
PDF
Information security principles to the private versus public sector.pdf
byinfo401595
 
PPT
Security Awareness in the Enterprise
byamiable_indian
 
PDF
Awareness is only the first step
byHewlett Packard Enterprise Business Value Exchange
 
PDF
The Difference Between the Reality and Feeling of Security by Thomas Kurian
byClubHack
 
PPTX
Security Awareness and Training
byPriyank Hada
 
DOCX
Running Head SECURITY AWARENESSSecurity Awareness .docx
bytoltonkendal
 
PDF
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
bySandra (Sandy) Dunn
 
PDF
Фишинг — проклятие или возможность для ИБ?
byPositive Hack Days
 
PDF
University-of-Miami_MEDINA
byKelvin Medina, CISSP, PA-QSA, QSA, GCIH, CISA, ITIL
 
DOCX
Running Head STATEMENT OF WORKSTATEMENT OF WORK .docx
bytoltonkendal
 
PDF
How To Promote Security Awareness In Your Company
bydanielblander
 
PPT
Organizational Security: When People are Involved
bySocial Media Performance Group
 
PDF
How to make employees aware and responsible towards security of the Company's...
byCommLab India – Rapid eLearning Solutions
 
PPTX
Towards a Structured Information Security Awareness Programme
bytulipbiru64
 
PDF
Human Impact on Information Security - Computer Society of India Conference, ...
byAnup Narayanan
 
PDF
beyond_the_firewall_0103
byJack McCullough
 
PPTX
Human Factors_MODULE_2.pptx
byShreeveni
 
Cybersecurity Employee Training
byPaige Rasid
 
Social Engineering Audit & Security Awareness
byCBIZ, Inc.
 
End User Security Awareness Presentation
byCristian Mihai
 
Information security principles to the private versus public sector.pdf
byinfo401595
 
Security Awareness in the Enterprise
byamiable_indian
 
Awareness is only the first step
byHewlett Packard Enterprise Business Value Exchange
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
byClubHack
 
Security Awareness and Training
byPriyank Hada
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
bytoltonkendal
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
bySandra (Sandy) Dunn
 
Фишинг — проклятие или возможность для ИБ?
byPositive Hack Days
 
University-of-Miami_MEDINA
byKelvin Medina, CISSP, PA-QSA, QSA, GCIH, CISA, ITIL
 
Running Head STATEMENT OF WORKSTATEMENT OF WORK .docx
bytoltonkendal
 
How To Promote Security Awareness In Your Company
bydanielblander
 
Organizational Security: When People are Involved
bySocial Media Performance Group
 
How to make employees aware and responsible towards security of the Company's...
byCommLab India – Rapid eLearning Solutions
 
Towards a Structured Information Security Awareness Programme
bytulipbiru64
 
Human Impact on Information Security - Computer Society of India Conference, ...
byAnup Narayanan
 
beyond_the_firewall_0103
byJack McCullough
 
Human Factors_MODULE_2.pptx
byShreeveni
 

Recently uploaded

PPTX
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
PDF
Regenerative Agriculture Finance : Environmental impact
byrose mason
 
PDF
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PDF
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
PPTX
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
PDF
threat-hunters-cookbook for cybersecurity
bylobster6719
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PPTX
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
PDF
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PDF
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
Regenerative Agriculture Finance : Environmental impact
byrose mason
 
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
threat-hunters-cookbook for cybersecurity
bylobster6719
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
Information and Communication Technologies and Power
byJeffrey Hart
 
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 

The human factor

  • 1.
    The Human Factor k m ar@b aleo.be (c) Copyright 2005. Koen Maris
  • 2.
    Table of contents Table of contents............................................................................................................ 2 Abstract .......................................................................................................................... 3 Introduction.................................................................................................................... 4 Today ......................................................................................................................... 4 The public domain ..................................................................................................... 4 Target audience .............................................................................................................. 5 Management............................................................................................................... 5 Mid management ....................................................................................................... 5 Staff:........................................................................................................................... 5 Technical staff............................................................................................................ 5 Definitions...................................................................................................................... 6 The human factor (layer 8) ............................................................................................ 6 The design issues ....................................................................................................... 6 The technology problem ............................................................................................ 6 Cultural behavior ....................................................................................................... 7 Social engineering...................................................................................................... 7 The exploits............................................................................................................ 7 Human based social engineering ........................................................................... 8 Technology based social engineering .................................................................... 8 Countermeasures............................................................................................................ 9 Seven steps to build your human firewall .................................................................. 9 1. Convince your top management .................................................................... 9 2. Assign and clarify roles and responsibilities ................................................. 9 3. Define an action plan linked to a budget ..................................................... 10 4. Develop and update the policy framework .................................................. 10 5. Develop a security awareness/education program ....................................... 10 6. Measure the progress of your security awareness efforts ............................ 10 7. Develop security incident response team and plan ...................................... 11 Information .................................................................................................................. 12 Resources ..................................................................................................................... 12
  • 3.
    Abstract Business todaycontains an important number of security risks. In most cases, the employees deal with issues according to their knowledge. The importance of a transparent security strategy is often neglected, this results in only the techies having the know how of the security and the strategy. Transparency is necessary so security does not become an obstacle in the business processes. If Top Management is not aware about the strategy, they might take a different direction, if the employees are not aware they might impede your efforts hence security awareness. Often business relies blindly on technology to eliminate a maximum of the risks they have in their work environment. Technology has a gap; it is first of all made by humans, administered by humans and the output interpreted by humans. Deemed to end with the biggest security issue “the human factor”. This said it should be clear that security cannot solely lie within IT if the size of the organization allows it. Security awareness can be obtained by training your employees with security issues that they can reflect to their environment and their private lives. A security awareness program gives a company the ability to highlight risks, improvement made on security, how to use the security department etc… Your employees often think that you security department is a bunch of techies and/or freaks that like to have control. Profiling your department as a point of contact where security issues can be discussed enhances overall security. The key factor, educate your staff by an awareness program, a quiz, posters, e-mail messages or reminders, intranet information etc… Repetition is determent to success; humans only retain information by repeating it over and over and using a more relaxed approach instead of an academic one will loosen up people resulting in more interaction with the security management and its staff.
  • 4.
    Introduction Our technology-orientedcivilization tends to solve problems with technology-based solutions. This paper lays out the importance of the human aspects in information security in relation with technology used to mitigate the risk. Statistics show that as many as 75 percent of the security incidents are caused by human error or ignorance. Whilst technology solutions can never be the panacea in information security one can increase the effectiveness by implementing a well-designed security awareness strategy. Convince your management and launch your ideas in a comprehensive language for your target audience! Today Today employee’s have little idea about the security improvement efforts made by the employers. Nevertheless, all these efforts can be easily bypassed by mistake, configuration error, misinterpretation or intentionally actions. All people take action according to what they know, what they have seen in the past or on the information given at the very moment when the action is required. This behavior is baleful for the security no matter how much investment in technology is made. Due to the rapid changing techniques in order to gain financial benefit technology only cannot cope. The key factor is informing all your employee’s and all-hierarchical levels. By repeating the message, constant reminding with little notes, posters, mails and/or intranet is an effective way to keep up with the new breed of attacks. The public domain In our day-to-day lives, we are overwhelmed by security awareness campaigns. Government, law enforcement, state security and many others inform us with many issues that need public awareness. The information spreads over any medium available and able to reach the mass. Important factor is catching the attention, one-liners, funny or shocking pictures are still the number one strategy. In fact, the public domain has plenty of examples to guide you through an effective campaign that improves your security strategy. Ex.: During the Christmas period a lot of countries put in a lot of effort to make drivers conscious about the risks of drinking and driving. It is clear that the opportunity (Christmas) is exploited to have a better attention from the audience. In most countries, it is a big annual event but focus is kept through the year by different campaigns with a mutual interest. Imagine marketing only works on one big event a year; you will not get a good sales cycle outside your marketing periods.
  • 5.
    Target audience Insecurity awareness, you have not one specific audience focus. If possible, split the audience in relation to function they withhold in the company. Splitting your audience in to target groups allows you talk in the specific language of the group. Management: To attract Senior Management members your presentation has to be focused on key elements only. For them it is more interesting to know at what risk level they are, what loss expectancy they have in case of an event and more important what can they gain with spending cash for security improvement. A numerical or statistical approach will improve the level of understanding of the complex issues; also, examples from real life will raise their attention. If the company would loose assets, what would be the financials loss or what is the loss in case the reputation is damaged. Important to know is that if you like them to support your strategy they have to find themselves in the proposals. If they are not in line with your thoughts, you will have a hard job to convince them. Remember the goal of security awareness, changing behavior. Hard but necessary is to pin point the day to day risks in their work environment. After all Senior Management is less comfortable with the fact somebody will tell them how to work and handle things. If everyone is compliant to the password policy and Senior Management is not, the company could loose its valuable reputation very quick and easy. Mid management: Mostly responsible to transmit the message to department heads. A more granular explanation of the policies, standards, procedures and guidelines is mandatory, as they are responsible to map it to different department heads. If the messages transmission fails, the pyramid structure will not work. Crucial factor is full understanding and acceptance by mid management. Their support determines the overall acceptance downwards in the pyramid. Staff: Convincing your staff is the biggest obstacle, and it is only a start as your goal is to change behavior. You can convince them but that will not guarantee success. To change behavior you need repetition and to get repetition you need time, money and support from your management. Splitting staff in to groups that are job related increases the effectiveness of your security awareness. Pointing out the importance of the person behind the job and his/her security related issues will more likely improve the response to your efforts. Make your staff feel involved is the key message to a successful security aware staff. Technical staff: Special care is required because convincing technical staff in how they should approach some parts of their job will not be easy going. Technical staff tends to get things up and running and applies security afterwards. Security integration should start at the beginning of each project or somewhere in the initializing phase. Appending security at the end of project will be expensive, difficult and results in less restrictive security integration as originally planned.
  • 6.
    Definitions Often thewords training and awareness are used in the wrong context. To avoid this misunderstanding a short explanation based on the NIST-800-50 document. Awareness: Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. Training: Training strives to produce relevant and needed security skills and competencies. The human factor (layer 8) Layer 8 complex layer with fuzzy logic making random decisions and unpredictable behavior. The topic is around for quite some time and business does need to address it as never before. Often layer 8 is the cause of scandal where social engineering attacks are successful. This type of attack will rise in the future and we are standing on the edge, technology is keeping us from falling but will it in the future? . The design issues Designing a secure harbor for the business is a difficult task, as not every business unit has its own view on what should be offered. Techies often design to their needs and are less focused on the business requirements. If the design does not incorporate the requirements of the business, it will be subject of a lot of resistance. A solution cannot be successful in security if the people are opposed to it from the very beginning. User-friendly design will improve security due to the reduced error rate. The technology problem Often companies see the technology solution as the way to go. Heavily armored with firewalls, IDS/IPS, VPN, PKI, Anti-virus etc… the security officer considers himself as secured to the bone with a good understanding of its benefits and limitations of the products. However, all this technology remains a valuable tool to protect against malicious attacks but one has to consider the drawbacks in this tech savvy world. Technology is not perfect. Vulnerabilities, unchecked buffers and backdoors are still found in commercial and non-commercial software despite the efforts of your software engineering teams. The best approach to mitigate such risks is using a multilayered solution even though history proofs that the best security can be compromised one way or another. Often big institutions do not understand the complex security issues in sufficient detail to ensure an appropriate solution. Such an approach results in choices that are often only an answer to one of the problems occurring. A firewall can be very good in filtering traffic but could be a nightmare in handling reporting and alerting. A technical solution is an expensive purchase and costly to keep it running. The off-the-shelf products are often an answer to few of the requirements and add little competitive advantage.
  • 7.
    External consultants/engineers integratethe products in your infrastructure; this is a huge opportunity to have intrusion or data leakage. Cultural behavior Discipline! Discipline varies around the world. In some countries everything is regulated and executed as written in the books. The cultural behavior is important when designing a campaign. It does not make sense developing strict rules if they cannot be enforced. E.g.: Japan: Due to construction works near the server room it became inevitable to make a huge hole in the wall leading to the server room. Although the hole was big, enough to walk through it but the staff still used the mantrap to enter the server room and advised consultants to do so. A good example on how culture can have an impact on your security strategy. Social engineering Probably the biggest concern today is social engineering, because it is spread throughout all layers of your company and any department could be subject of it. In the most companies a robust policy structure guards against it but control of the compliancy is mandatory, as policies are useless if not applied. What is social engineering? It is an art of deception or persuasion to gain information that would be hidden to the attacker. Despite all efforts and policy integration, any human is subject to emotion that is one of the key elements to misuse by an attacker. Aquiring information or access privileges based on false thrust relationship build between the attacker and its victim. The exploits Diffusion of responsibility – If the victim is convinced the responsibility does not lie solely in his/her hand they are more likely to grant the attackers request. Trust Relationships – The attacker tries to expend more time into its attack to develop a relationship with the goal to gain trust. Exploiting the trust is done by provoking a series of interactions that were positive. Once the attacker is confident, he/she will then try his luck on a bigger move. Moral duty – The attacker encourages the target to act out of a sense of moral duty. Convincing the target that the policy is not stroking with common moral issues will increase the chance to gather information. The target assumes detection will be unlikely. Guilt – Psychodrama, manipulate empathy, create sympathy and touching the heartstrings all these factors are mastered by social engineers. Believe in the innocence of the requestor and the having faith in the story often leads to granting access of giving information to avoid being left with guilt. request.
  • 8.
    Desire to behelpful – Relying on people’s helpfulness is one of the key aspects used by social engineers. Social engineers do notice rather quickly if people are not assertive and not confident in refusing. Cooperation – Avoiding situations of conflict, speaking with a voice of reason rather than shouting or barking. Social engineers would be just that guy that would understand your difficult situation. Human based social engineering Impersonation: The most common attack, the attacker says he is someone from the company having trouble to gain access. The attacker will have some names that he will abuse to retrieve the necessary information. The VIP approach: An attacker claims to be a senior member or any other important employee that could have a higher level of access and that creates a certain ambiance of fear at the victim’s side. Shoulder surfing: The attacker tries to capture information you type, keystrokes when password is asked, usernames appearing on your screen etc… Dumpster diving: Valuable information can be found in the waste bins. This has been reduced by using a shredder but shredding in one direction only could be insufficient to prevent a determent attacker from finding information. Piggy backing: Slip into a building by hiding into a group of allowed people. The mass of people is your disguise. Third-party approach: The attacker may know someone in the company and this person would have given the authorization. To the victim the third party will be most of the time a senior staff member. Technology based social engineering Popup windows: A small window popups prompting the user to reenter information, often a username/password but could also be an email address for spam purposes. Once this is done the information is send by email or over web (http) to the attacker. Mail attachments: An email is the ideal disguise to hide malicious programs using a fake file types. Distributing spam, viruses, Trojan horses or any other program that can automatically spread itself and gather information for the attacker. History has proven that users tend to click on the attachments whether the sender is known or not. Spam, chain emails and hoaxes: These do not have a direct threat to the company or the person but they rely on social engineering and gather information such as email addresses to be sold afterwards. Websites: A common ploy is to offer something for free or a chance to win. Often you have to enter personal information, which could be used for identity theft. Or one has to pay a fee to be able to receive the price, after the fee is paid you never hear from them again.
  • 9.
    Countermeasures A typicalquestion from management would be: “How can we get full protection against it and what will be the cost?” The answer is fairly simple, no full security against it exists and the costs are recurrent. No matter how much technology integration at some point, the human factor is involved. The human factor can be influenced either political, cultural or a social event. As with any threat, there are always possibilities to mitigate the risk thus reducing the success rate of the malicious event. Seven steps to build your human firewall 1. Convince your top management Every project in your organization it requires support from management. The top down approach proves to be the best in convincing the employees of the seriousness of the project and the need for the change. Getting your management over the line is definitely the hardest part and an external expert in “human firewall” could be a major help. A key factor to get the management at your side is to prove that security is a business enabler and not a continuous expense. Psychology would be your instrument to achieve this step. According to Gartner Group there are three major questions that executives and board of directors need to answer when confronting information security issues: Is our security policy enforced fairly, consistently and legally across the organization? Would our employees, contractors and partners know if a security violation was being committed? Would they know what to do about it if they did recognize a security violation? 2. Assign and clarify roles and responsibilities The biggest obstacle in improving your security is a lack of clear-cut roles and responsibilities. Defining which business units are critical and including the key people in the task force may be one of your goals to set. Security functions are not necessarily limited to one person; separation of duties is often applied. However, rarely all people have the time and the authority to carry out business wide security awareness initiatives. Nevertheless some functions may have overlapping duties or be combined by one person. In his new book Information Security Roles & Responsibilities Made Easy, information security consultant and Human Firewall Council member, Charles Cresson Wood, writes that unfortunately "management at many organizations has never clearly stated its intentions about the work it wanted an information security function to perform. It's hard to do a 'good job,' if you don't know what your job is supposed to be. As perverse as this situation may sound, many information security specialists have been asked to do just that. When things go wrong, they often get blamed even though they didn't know these same things were important."
  • 10.
    3. Define anaction plan linked to a budget An action plan, start with an assessment of the relative value of information assets. A risk management approach is key to define values and risks. Prioritizing asset values are the corner stones of your plan and simplify the budgeting to address the most important information assets your organization has. The budget planning demands care and a strategic view, convincing it can enable business instead of writing it off, as simple cost might be the key differentiator to get management over the finish. Often the human side of security is neglected, to increase your success rate you have to involve the technical people into your program. Both need to grow together instead of handling it as two separate issues. 4. Develop and update the policy framework The policy framework defines the internal rules of your company. As in real life the law is subject to changes as the civilisation progresses this is the same in your organisation. Policies have to be read and understood by everyone in the organisation. The policies alignment with business goals is key to success. Policies that are constraining or contradictory with business are pushed in the forgotten list. Your ultimate goal is to weave in information security practices as an essential to conducting business safely and securely. 5. Develop a security awareness/education program Security awareness builds human firewalls. It is probably the best tool to inform your staff of day-to-day business risks. It is key that your awareness campaign adapts to business but also to the risk change. Events throughout the world define the campaign agenda partly. Conducting these campaigns should be done on a regular basis, repetition is determent for the success and the increase of security as a result. As a first step conducting a survey gives you the opportunity to retrieve information about the weaker and the stronger domains. This gives you the ability to focus your campaign on weaker points. The campaign should not be limited to a one shot presentation, posters, quizzes, intranet or emails can keep your staff up-to-date. 6. Measure the progress of your security awareness efforts Quizzes are an excellent tool to measure the status of your efforts when it comes to security awareness. A website with a “test your security awareness” or a quiz after the lunch brake where people have to find 10 security errors in an insecure working environment give you a good view where your staff is today. It allows you to detect the weak spots, work on those factors, and integrate new items to stay on track with the evolution. The outcome of your test phase should be integrated into report for top management. Help reassure management that you have made progress in answering the key questions posed at the beginning of this blueprint: Is our security policy enforced fairly, consistently and legally across the organization? Would our employees, contractors and partners know if a security violation was being committed? Would they know what to do about it if they did recognize a security violation?
  • 11.
    7. Develop securityincident response team and plan Disaster recovery is mandatory to survive in the business jungle. It is important that business can recover in a quick and efficient way but more important is that damage can be reduced from the very beginning of an event. The most important asset to protect is your staff, people first.
  • 12.
    Information Author :Koen Maris @ Belgium – Luxemburg Employer : Secaron Sà r.l. - Grevenmacher Biography : Started with software development for small business to end with managing large corporate networks and their systems. In the early internet era in Europe my attention was caught by the insecurity of most connected business. This launched me into the complex matter of IT security which switched to a more general term Information Security. Today I am an active member in w w w .i s sa.o r g and w w w . i s c2.o r g . Presentations : In the late 90’s I have done several presentations about the impact of internet and the security risks. This was in larger perspective initiated by Cisco. My first of many perhaps! Why : Experience showed that the human factor is often neglected. Implementing a techie solution for the problem and handing the real issues over to the administrator often leads to frustration of the staff. The hopes of making a difference through a more human approach should be considered and are keen in developing a concrete security strategy. Resources htt p ://w w w . n i s t . g ov htt p ://w w w.i w a r .o r g.uk/c o m s ec/ r eso ur ce s /sa - to o l s / i nd e x . ht m w w w . i s sa.o r g CISSP Certification All-in-One Exam Guide, 2nd Edition ISBN: 0072229667 w w w .sans.o r g w ww .its ecur ity .co m Thanks to Melissa Guenther m gu enthe r@ cox . net Clement Depuis cdup u i s @ c c c u r e.o r g