A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai

Uploaded by anup-narayanan, 25-Jan-2015

DESCRIPTION

This talk provides a model for reducing security risks due to poor information security awareness and poor attitude. Based on my methodology HIMIS (Human Impact Management for Information Security). To know more about HIMIS, visit http://www.isqworld.com/himis

TRANSCRIPT

Page 1: A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai

A model for reducing information security risks due to human error

By Anup Narayanan, Founder & CEO, ISQ World

[Poster image: "Shred documents before disposing"]

Page 2

1. Objective: Describe a workable model for reducing information security risks due to human error

2. Talk Plan:
I. Differentiate between “Awareness” & “Behavior” (We are here)
II. Case study
III. Solution model
IV. Resources

© First Legion Consulting

Page 3

Awareness?

Do not share passwords!

Page 4

Behavior?

Don’t tell anyone, my password is…..

Page 5

[Poster image: "Shred documents before disposing"]

Page 6

Putting it together….

Awareness: I know
Behavior: I do
Culture: We do

Page 7

1. Objective: Describe a workable model for reducing information security risks due to human error

2. Talk Plan:
I. Differentiate between “Awareness” & “Behavior”
II. Case study (We are here)
III. Solution model
IV. Recap & Resources

Page 8

Case study

Client: One of the largest mobile service providers in the world

• What? Spent US$ 100,000 on a security awareness campaign
• How? Screen savers, posters, emailers
• Who? Target: all employees

Page 9

What did we do?

Benchmarked “awareness vs. behavior” and produced a scorecard

Page 10

The scorecard

[Image: the scorecard]

Page 11

Why are my users not following the information security policy?

Root cause analysis of poor information security behavior

Page 12

Reason 1: Operational issues….

Message in the poster: Don’t share passwords

Response by HR Manager: If I don’t share my password, salaries won’t get processed here…including that of the InfoSec manager.

Page 13

Reason 2: Confusion... Too many rules

Which one do I follow?

Page 14

Reason 3: Perception…

Which is safer?

Page 15

Reason 4: Attitude… influenced by cost… (peer pressure, top management behavior)

Nothing’s gonna happen to me if I violate the security policies?

Well, I saw her doing it… shall I?

Page 16

“Awareness” & “Behavior”: Independent but interdependent

Question: A person knows the traffic rules. Does that make the person a good driver?

Answer: Not necessarily. “Knowing” and “Doing” are two different things.

Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner?

Answer: Same as above.

Knowing = Awareness
Doing = Behavior

Page 17

1. Objective: Describe a workable model for reducing information security risks due to human error

2. Talk Plan:
I. Differentiate between “Awareness” & “Behavior”
II. Case study
III. Solution model (We are here)
IV. Recap & Resources

Page 18

• HIMIS – Human Impact Management for Information Security
• Objective – To provide a model to reduce security risks due to human error
• Creative Commons License, free for non-commercial use
• Download – http://www.isqworld.com, click on the HIMIS link

Page 19

HIMIS solution model - Work backwards

Define → Strategize → Deliver → Verify

Goal: Responsible information security behavior

Page 20

Define → Strategize → Deliver → Verify

Define:
• Choose ESPs (Expected Security Practices: the information security awareness and behaviour requirements) valid for the business
• Review and approval of ESPs
• Baseline ESP assessment

Page 21

ESP: Information Classification

Awareness criterion:
The employees must know the different information classification criteria: "Confidential, Internal, Public".
The employees must know how to specify the classification, for example, in the footer of each document.

Behaviour criterion:
The employees must actually classify documents in day-to-day work. The evidence of this classification must be available.

Page 22

Define → Strategize → Deliver → Verify

Strategize:
• For awareness management
  – Coverage
  – Format & visibility: Verbal, Paper and Electronic
  – Frequency
  – Quality of content
    • Impact visualization
    • Clarity & ease of understanding
    • Business relevance
    • Consideration of cultural factors
  – Retention measurement
• For behavior management
  – Motivational strategies
  – Enforcement/disciplinary strategies

Page 23

Quality of content
• Impact visualization
• Clarity & ease of understanding
• Business relevance
• Consideration of cultural factors

Cartoon:
“Wow! This security awareness video is so cool!”
“Yup! Not the usual glorified PowerPoint.”

Page 24

Behavior management: What works?

Let’s fire him
Let’s cut his email access
Let’s talk to him

Page 25

[Chart: Poor security behavior vs. Inconvenience; axes: Inconvenience, Poor security behavior]

Page 26

[Chart: Poor security behavior vs. Cost; axes: Cost (Enforcement), Poor security behavior]

Page 27

Case study 1: Changing behavior (IT Service Provider)

• What did we do?
  – Quarterly “End-User Desktop Audits”
  – Findings were noted and “Signed and Agreed by Auditee”
  – Disputes were noted and “Signed”
  – Audit findings were submitted to the InfoSec Team

Page 28

Case study 1: Changing behavior (Electronic Retail Store)

• Audit finding: Cash boxes are left open when unattended
• Cost attached: Branch manager will lose 25% of annual bonus for every violation
• Compliance today is above 98%

Page 29

Define → Strategize → Deliver → Verify

Deliver:
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt

Page 30

Define → Strategize → Deliver → Verify

Verify:
• Audit strategy
  – Selection of ESPs
  – Define sample size
  – Audit methods
    • For awareness: Interviews, surveys, quizzes, mind-map sessions
    • For behavior: Observation, data mining, log review, review of incident reports, social engineering?
  – Reasonable limitations
  – Behavior may not always be visible

Page 31

[Image-only slide]

Page 32

HIMIS is not prescriptive and does not suggest absolutes…

• Practitioner has the freedom to quantify
• Quantifying awareness – fairly easy; for example:
  – The average score of a quiz taken by 100 users reasonably indicates an average awareness score
• Quantifying behaviour may not be possible directly and indirect methods may have to be used. For example:
  a) Number of violations found for an ESP
  b) Impact of the violation
  c) A score derived by consideration of “a” and “b” above
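As an added worked example (not part of the talk and not code from HIMIS itself), the scoring this slide describes, together with the "tolerable deviation" check from the Deliver phase, in Python. The slide only says that awareness can be averaged from quiz scores and that a behaviour score is derived from the count and impact of violations; the impact weights, the penalty formula, the 15-point tolerable deviation and all sample audit data below are my assumptions, constructed so the block runs offline.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed impact weights for one violation (the talk does not prescribe any).
IMPACT_WEIGHT = {"low": 1, "medium": 3, "high": 5}


@dataclass
class EspResult:
    """Audit evidence collected for one ESP (Expected Security Practice)."""
    name: str
    quiz_scores: list   # awareness: per-user quiz scores, 0-100
    violations: dict    # behaviour: impact level -> violations found (items "a" and "b")
    sample_size: int    # number of users/records observed in the behaviour audit


def awareness_score(quiz_scores):
    """Awareness score as the slide suggests: the average quiz score."""
    if not quiz_scores:
        return 0.0
    return round(mean(quiz_scores), 1)


def behaviour_score(violations, sample_size):
    """Indirect behaviour score (item "c"): 100 minus an impact-weighted violation
    penalty, normalised so that a high-impact violation on every observed item
    scores 0. Assumed formula, not one prescribed by HIMIS."""
    weighted = sum(IMPACT_WEIGHT[level] * count for level, count in violations.items())
    worst_case = sample_size * max(IMPACT_WEIGHT.values())
    penalty = 100.0 * weighted / worst_case
    return round(max(0.0, 100.0 - penalty), 1)


def scorecard(results, tolerable_deviation=15.0):
    """Build the per-ESP scorecard plus the averages the audit report outline asks for.
    tolerable_deviation: how far below 100 a score may fall before it is flagged
    (the "Define tolerable deviation" step of the Deliver phase; 15 is assumed)."""
    threshold = 100.0 - tolerable_deviation
    rows = []
    for r in results:
        a = awareness_score(r.quiz_scores)
        b = behaviour_score(r.violations, r.sample_size)
        rows.append({
            "esp": r.name,
            "awareness": a,
            "behaviour": b,
            "awareness_ok": a >= threshold,
            "behaviour_ok": b >= threshold,
            # positive gap = users know the rule but do not follow it
            "knowing_doing_gap": round(a - b, 1),
        })
    summary = {
        "average_awareness": round(mean([row["awareness"] for row in rows]), 1),
        "average_behaviour": round(mean([row["behaviour"] for row in rows]), 1),
        # candidates for root cause analysis (operational issues, confusion, perception, attitude)
        "esps_needing_root_cause": [row["esp"] for row in rows if not row["behaviour_ok"]],
    }
    return rows, summary


# Constructed sample audit data (not taken from the talk's case studies).
SAMPLE_RESULTS = [
    EspResult("Password sharing", [90, 85, 95, 100, 80], {"high": 4}, 20),
    EspResult("Information classification", [60, 70, 65, 75], {"low": 2, "medium": 1}, 25),
    EspResult("Shred documents before disposal", [95, 90, 100], {}, 30),
]

if __name__ == "__main__":
    rows, summary = scorecard(SAMPLE_RESULTS)
    for row in rows:
        print(f"{row['esp']:<32} awareness={row['awareness']:>5} "
              f"behaviour={row['behaviour']:>5} gap={row['knowing_doing_gap']:>6} "
              f"behaviour_ok={row['behaviour_ok']}")
    print(summary)
```

In the constructed data the password-sharing ESP shows the pattern the talk's case studies turn on: awareness is 90 but behaviour is 80, so the gap is in doing rather than knowing, and the root cause belongs with the operational and attitude reasons from pages 12 and 15 rather than with another poster. The classification ESP shows the opposite shape (low awareness, good behaviour), which the scorecard keeps out of the root-cause list because only the behaviour threshold drives it.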

Page 33

Suggested outline of the audit report

• Introduction: Motivations and reasons for the program
• List of ESPs and the reasons for the selection of each ESP
• Strategy for the program
• Delivery models
• Average awareness score (from averages of each ESP awareness score)
• Average behaviour score or text description (from analysis of behaviour audit report)
• Root cause analysis for poor awareness and behaviour
• Possible threat indicators and suggested mitigations
• Recommended corrective actions

Page 34

1. Objective: Describe a workable model for reducing information security risks due to human error

2. Talk Plan:
I. Differentiate between “Awareness” & “Behavior”
II. Case study
III. Solution model
IV. Recap & Resources (We are here)

Page 35

Recap

Define → Strategize → Deliver → Verify

Goal: Responsible information security behavior

Page 36

Tip! Get HR buy-in

Cartoon: InfoSec Manager and HR manager
“People are my biggest asset!”
“People are my biggest threat!”

You must both say the same thing!

Page 37

Conclusion

If you can influence perception, you can influence the way people choose or react (behavior).

Perception is influenced if there is a cost for an action.

Page 38

If I follow the information security rules, will I gain something? If I don’t follow, will I lose something?

When you get your users to think this way, you are on your way to a better information security culture!

Page 39

Resources

• Free security awareness videos – www.isqworld.com
• Bruce Schneier – The Psychology of Security – http://www.schneier.com/essay-155.pdf
• The Information Security Management Maturity Model (ISM3) – www.ism3.com

Page 40

Anup Narayanan, Founder & Principal Architect
ISQ World, A First Legion Initiative
[email protected]
www.isqworld.com