a model for reducing information security risks due to human error

Post on 14-Nov-2014


DESCRIPTION

My recent presentation at cOcOn, an international Cyber Security and Policing Conference in Trivandrum Kerala. The talk focuses on reducing information security risks due to human error using information security awareness and competence management solutions.

TRANSCRIPT


A model for reducing security risks due to human error

Anup Narayanan, CISA, CISSP

Founder & CEO, ISQ

“We are not just security aware, but security competent as well”

(C) ISQ. All Rights Reserved 2

Focus of the talk

Addressing the human factor using security “awareness” and “competence” management

Security Policy

Never share passwords

Don’t tell anyone, my password is…..


I know the traffic rules….

The difference between “Awareness” and “Behaviour (Competence)”


Does it guarantee that I am a good driver?


Awareness >> Behaviour >> Culture

Awareness

• I know

Behaviour (Competence)

• I do

Culture

• We know and do

An organization must aim for a responsible security culture


The problem (Mistakes that organizations are making)

The focus is only on awareness, not behaviour (competence) and culture

I have an amazing security awareness program but people still make security mistakes!


What do organizations need?

A system that periodically shows the current Awareness and Competence Levels

[Awareness meter: LOW AWARENESS – MEDIUM AWARENESS – HIGH AWARENESS]

Organization’s awareness score is 87%

[Competence meter: LOW COMPETENCE – MEDIUM COMPETENCE – HIGH COMPETENCE]

Organization’s competence score is 65%


The power of perception

Why do people make security mistakes?


Imagine…

Will you accept it?

Nelson Mandela walks into this room right now and offers you this glass of water….


Now, imagine this…

Will you accept it?

This man walks into this room right now and offers you this glass of water….


Question

Which water did you accept?

Why?


Analysis

People decide what is good and what is bad based on “trust”

Perception is influenced by Trust

Were you checking the water or the person serving the water?


Why must we address the human factor?

(or)

Is the human factor worth addressing?


Reason 1: Security is both a “Reality” and “Feeling”


For security practitioners, security is a “Reality” based on the mathematical probability of risks

For the end user (the common man), security is a feeling

Influencing the feeling of security (what is safe and what is not while handling information) helps a user make the right security decisions and act on them


Reason 2: Not every attack(er) is that smart

People exaggerate risks that are spectacular or uncommon: “So what? RSA was hacked”

[Chart: Control efficiency plotted against Risk severity / Attacker smartness / Attack efficiency; controls range from Technology & Processes to Awareness & Competence]

1. Automatic security controls – AV, Updates

2. Technology + Human – Firewall configuration, Choosing a secure Wifi

3. Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media

4. The very smart attacker


Reason 3: How much of a trade-off are we willing to make?

The best way to stop people from making information security mistakes is to deny them access to information.

Are you willing to make that trade-off?

Security awareness and competence management is a trade-off that is affordable and effective


Reason 4: The human factor is important…

Aircraft have become more advanced, but does it mean that pilot training requirements have been reduced?

Cars have become more advanced, but does it mean that driving tests have become easier?

Medical technology has become more advanced, but will you choose a hospital for its machines or for the doctors?


The Solution Model

Security Awareness and Competence Management


The solution is based on HIMIS

• HIMIS – Human Impact Management for Information Security

• Released under Creative Commons License

• Free for Non-Commercial Use

http://www.isqworld.com/himis


[HIMIS model diagram]

Security Risk analysis → Identify the human factor (Awareness; Behaviour (Competence)) → Assess, Improve, Re-assess

The four phases (each built around ESP):

Define – Identify information security awareness and competence needs of the business.

Strategize – Create the strategy for awareness and competence management.

Deliver – Execute the awareness plan.

Verify – Check change in awareness and competence. Improve.


Strategy - Use ESP (Expected Security Practices)

ESP                          Awareness Component                                           Competence Component
Information Classification   Information classification criterion; Classification labels  Demonstrates correct classification
Incident reporting           Types of incidents; Incident reporting procedures/ channels   Detects and reports a simulated incident


Phase 1 - Define

Define – Identify information security awareness and competence needs of the business.

Strategize – Create the strategy for awareness and competence management.

Deliver – Execute the plan.

Verify – Check change in awareness and competence. Improve.


Case Study: Client Profile

• Type of industry: Retail

• No. of employees: 5000+

• Position: Market Leader

• Type of Information handled: Customer data, Intellectual Property

• Spending on Information Security Awareness: US$ 75,000

Awareness Vs. Behaviour

Awareness

• Sharing of company/customer information is wrong

• Sensitive Information must be protected

• Access Control Cards must be protected

Competence/ Behaviour

• Customer records were leaked to competitor

• Salary information of top executive was given to head hunter

• Printouts lying unattended

• Visitors can enter the facility without informing security guard


Problem Analysis - Visibility & Clarity

Visibility - The degree to which one can see

Clarity - Free from obscurity and easy to understand

When you have too many rules ….it gets complicated


Don’t share passwords

Which password? Network, desktop, ERP….?


Output of Phase 1

[Awareness meter: LOW AWARENESS – MEDIUM AWARENESS – HIGH AWARENESS]

Organization’s awareness score is 87%

[Competence meter: LOW COMPETENCE – MEDIUM COMPETENCE – HIGH COMPETENCE]

Organization’s competence score is 65%


Detailed Scorecard

Score per ESP (chart values; bars run from 0 to 100):

ESP                           Awareness   Competence
Clear Policies                82          0
Email Security                67          66.6666666666667
Info Disclosure               89          66.6666666666667
Password Security             90          0
Physical Security             76          0
Incident Reporting            56          33.3333333333333
Social Networking/ Blogging   70          77.7777777777778


Audit strategies - Awareness

• For auditing the information security awareness component of the ESP:

– Interviews

– Surveys

– Quizzes

– Mind-map sessions


Auditing Strategies - Behaviour

• For auditing competence:

– Social Engineering

– Observations: Observe for tailgating, observe how many meeting rooms still have sensitive information on the board after the meeting

– Log review: Browsing and email patterns can be observed through log reviews of the corresponding systems

– Data mining: Mine internet search engines to see how much sensitive information about the company is available online

– Incident report review: A review of incident reports may show how many laptops were lost, and further investigation may reveal whether the cause was carelessness (poor behaviour) or not (maybe the user was physically attacked).


Phase 2 - Strategize

Define – Identify information security awareness and competence needs of the business.

Strategize – Create the strategy for awareness and competence management.

Deliver – Execute the plan.

Verify – Check change in awareness and competence. Improve.


Quality of content – Impact visualization

Show the impact of poor security awareness and competence to the “non-information security” professional


Quality of content – Business relevance

Show the impact of poor security awareness and competence to the “non-information security” professional

“Oops! My business is held responsible if I install pirated software on my PC?”


Quality of content – Clarity and Ease

Keep it very simple

“So..the email security policy is …6 pages long.”

“Email security – 5 quick tips. Wow, that’s cool!”


Quality of content - Cultural factors

Language or terms used, color and design, character representation

“Sorry, that information is classified. Let me explain the basics of password security”


Retention measurement

• How much have they understood?

• How long do they remember?

– Immediately

– 30 days later

– 60 days later

“Well…my emails have disappeared. Which number do I call?”

Coverage

• Identify the target workforce

• Tolerable deviation – What percentage of the workforce must receive the training

• Set realistic expectations

• E.g. – Refer to the visibility meter


Format and visibility

• Format – Different types of information security awareness content

• Visibility – Channels through which the content is delivered

Format       Visibility
Verbal       Live training sessions, Video conferences
Electronic   Email, Intranet, Posters, Social media
Paper        Posters, cards, quizzes or surveys


Frequency

• Gap between 2 awareness deliveries

• Critical – Gap should be minimal

Which is more effective – Drip irrigation or spraying a lot of water once a day?

Competence management/ Behaviour Change

A case study


Creating the right environment

Motivational Strategies

Disciplinary strategies

Case Study : IT Business

• Company

– Offshore Development, 3 Centers in India

– Young workforce: Majority between 22-27

• Security Rules

– Don’t forward emails with unofficial attachments

– No downloads of videos, music, freeware

– No storage of personal content in official systems


Case Study : IT Business

• What we did

– Quarterly “End-User Desktop Audits”

– Findings were immediately “Signed and Agreed by Auditee”

– Disputes were noted and “Signed”

– Audit findings were submitted to InfoSec Team


Case Study : IT Business – The result

[Chart: % of Non-Compliance at the 3rd, 6th, 9th, 12th, 15th and 18th Month; y-axis 0 to 80]

% of Non-Compliance?

Learning


Security Tradeoff Vs. Inconvenience

[Diagram: Personal Inconvenience weighed against Security – the Trade-Off]

Security Tradeoff Vs. Cost

[Diagram: Cost (Enforcement) weighed against Security – the Trade-Off]

Enforcement or Cost

• Quality of Life

• Career

• Money

• Time


Phase 3 - Deliver

Define – Identify information security awareness and competence needs of the business.

Strategize – Create the strategy for awareness and competence management.

Deliver – Execute the plan.

Verify – Check change in awareness and competence. Improve.


Define tolerable deviation

• It is almost impossible to get 100% participation

• Define a number that is reasonable

– 80% participation in the first 6 months

– 85% in the next 6


Efficiency

• Efficiency of channels in delivering the program

– Emails must reach the target workforce, not go to SPAM

– Videos must stream at an optimum speed

– Training sessions

• Trainer must be knowledgeable

• Able to articulate the topics well

• Use tools and examples

• Encourage discussion


Collection of feedback

• Not to be confused with “retention measurement”

1. The clarity of the content in conveying the intended message

2. The business relevance of the content

3. Impact visualization

4. The quality of the trainer or the efficiency of the delivery channel

5. Other factors


Phase 4 - Verify

Define – Identify information security awareness and competence needs of the business.

Strategize – Create the strategy for awareness and competence management.

Deliver – Execute the plan.

Verify – Check change in awareness and competence. Improve.


Audit strategies - Awareness

• For auditing the information security awareness component of the ESP:

– Interviews

– Surveys

– Quizzes

– Mind-map sessions


Auditing Strategies - Behaviour

• For auditing competence:

– Social Engineering

– Observations: Observe for tailgating, observe how many meeting rooms still have sensitive information on the board after the meeting

– Log review: Browsing and email patterns can be observed through log reviews of the corresponding systems

– Data mining: Mine internet search engines to see how much sensitive information about the company is available online

– Incident report review: A review of incident reports may show how many laptops were lost, and further investigation may reveal whether the cause was carelessness (poor behaviour) or not (maybe the user was physically attacked).


Output of Verify phase

[Awareness meter: LOW AWARENESS – MEDIUM AWARENESS – HIGH AWARENESS]

Organization’s awareness score was 87%. Now: ?

[Competence meter: LOW COMPETENCE – MEDIUM COMPETENCE – HIGH COMPETENCE]

Organization’s competence score was 65%. Now: ?
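As an added example (not the deck's own material and not ISQ's HIMIS code), the following Python script implements the scorecard that the Define and Verify phases rely on: for each ESP it scores an awareness component (quiz or interview items answered correctly) and a competence component (behaviour observed during audits, simulated incidents or log review), rolls the ESP scores up to an organization-level score, bands it LOW / MEDIUM / HIGH, flags the "know but don't do" gap the talk is about, and compares a Define-phase baseline with a Verify-phase re-assessment. The mail-gateway log format, the ESP names, the band thresholds (below 50 LOW, below 75 MEDIUM), the list of "official" attachment types, the mean-based roll-up rule and every sample value are constructed assumptions; the deck gives none of them.

```python
# Added example, not part of the deck or of ISQ's HIMIS material: the Define/Verify
# scorecard, with an awareness component (quiz items answered correctly) and a
# competence component (behaviour observed by audit or log review) per ESP, rolled
# up to an organization score and banded LOW / MEDIUM / HIGH. Log format, ESP names,
# thresholds, the "official attachment" list, the mean roll-up and all sample data
# are constructed assumptions.
from statistics import mean

ALLOWED_ATTACHMENTS = {"pdf", "docx", "xlsx", "pptx"}  # assumed "official" types

def parse_kv_log(line):
    """Parse one constructed 'date time key=value ...' mail-gateway log line."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def email_competence_checks(log_lines):
    """Log-review audit of the rule 'don't forward emails with unofficial
    attachments': one True/False per forwarded mail; other events are ignored."""
    checks = []
    for event in map(parse_kv_log, log_lines):
        if event.get("action") == "forward":
            ext = event.get("attachment", "").rsplit(".", 1)[-1].lower()
            checks.append(ext in ALLOWED_ATTACHMENTS)
    return checks

def pct(checks):
    """Percentage of checks passed (0.0 when nothing was checked)."""
    return 100.0 * sum(checks) / len(checks) if checks else 0.0

def band(score, low=50.0, high=75.0):
    """Assumed thresholds behind the LOW / MEDIUM / HIGH meter on the slides."""
    return "LOW" if score < low else ("MEDIUM" if score < high else "HIGH")

def build_round(mail_log, quiz, observed):
    """One assessment round as {esp: (awareness_checks, competence_checks)}.
    quiz: {esp: (correct, total)}; observed: {esp: [bool]} from desk observations
    or simulated incidents; Email Security competence comes from the mail log."""
    results = {}
    for esp, (correct, total) in quiz.items():
        awareness = [True] * correct + [False] * (total - correct)
        competence = email_competence_checks(mail_log) if esp == "Email Security" else observed[esp]
        results[esp] = (awareness, competence)
    return results

def scorecard(round_results):
    """Score per ESP: {esp: (awareness %, competence %)}, one decimal."""
    return {esp: (round(pct(a), 1), round(pct(c), 1)) for esp, (a, c) in round_results.items()}

def org_scores(card):
    """Organization-level scores as the mean over ESPs (assumed roll-up rule)."""
    return (round(mean(a for a, _ in card.values()), 1),
            round(mean(c for _, c in card.values()), 1))

def know_but_dont_do(card, min_gap=20.0):
    """ESPs where people 'know' (awareness) but do not 'do' (competence)."""
    return sorted(esp for esp, (a, c) in card.items() if a - c >= min_gap)

def compare_rounds(baseline, verify):
    """Verify phase: organization score and band before and after the programme."""
    ba, bc = org_scores(baseline)
    va, vc = org_scores(verify)
    return {"awareness": (ba, va, band(ba), band(va)),
            "competence": (bc, vc, band(bc), band(vc))}

# Constructed sample data: a Define-phase baseline ...
MAIL_LOG_BASELINE = [
    "2014-09-01 09:12:01 user=u1 action=forward attachment=q3-report.pdf",
    "2014-09-01 09:15:44 user=u2 action=forward attachment=funny-cat.mp4",
    "2014-09-01 10:02:10 user=u3 action=send attachment=notes.txt",
    "2014-09-02 11:20:05 user=u4 action=forward attachment=setup-freeware.exe",
    "2014-09-02 14:41:30 user=u5 action=forward attachment=budget.xlsx",
]
QUIZ_BASELINE = {"Email Security": (8, 10), "Password Security": (9, 10), "Incident Reporting": (7, 10)}
OBSERVED_BASELINE = {"Password Security": [True, True, True, True, False],  # 5 desk checks
                     "Incident Reporting": [True, False, False]}            # 3 simulated incidents
# ... and a Verify-phase re-assessment after the awareness programme.
MAIL_LOG_VERIFY = [
    "2015-03-02 08:50:12 user=u1 action=forward attachment=q1-report.pdf",
    "2015-03-02 09:31:07 user=u2 action=forward attachment=agenda.docx",
    "2015-03-03 10:05:55 user=u4 action=forward attachment=holiday-pics.zip",
    "2015-03-03 13:12:40 user=u5 action=forward attachment=forecast.xlsx",
]
QUIZ_VERIFY = {"Email Security": (9, 10), "Password Security": (9, 10), "Incident Reporting": (8, 10)}
OBSERVED_VERIFY = {"Password Security": [True, True, True, True, False],
                   "Incident Reporting": [True, True, False]}

BASELINE = scorecard(build_round(MAIL_LOG_BASELINE, QUIZ_BASELINE, OBSERVED_BASELINE))
VERIFY = scorecard(build_round(MAIL_LOG_VERIFY, QUIZ_VERIFY, OBSERVED_VERIFY))

if __name__ == "__main__":
    print("know-but-don't-do ESPs:", know_but_dont_do(BASELINE))
    print("Define -> Verify:", compare_rounds(BASELINE, VERIFY))
```

On the constructed data the baseline awareness score is 80.0 (HIGH) while competence is 54.4 (MEDIUM), and `know_but_dont_do` names Email Security and Incident Reporting as the ESPs where knowledge is not turning into behaviour; after the programme the Verify round moves competence to 73.9, still short of the HIGH band. Keeping the competence checks separate from the quiz results is the point of the design: a single "training completed" percentage would hide exactly the gap the scorecard is meant to expose.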


Summary

[Diagram: Technology (Firewall), Process, People, Information]

Technology and processes are only as good as the people that use them


Free resources

• Free security awareness video – http://isqworld.com/security-awareness-training-samples

• The Psychology of Security, Bruce Schneier - http://www.schneier.com/essay-155.html


Thank You

Anup Narayanan

@ CoCon 2012, Trivandrum, Kerala

Let’s switch ON the Human Layer of Information Security Defence
