A presentation that I took recently for a top management group that focuses on the human factor in information security. The presentation focuses on why people make security mistakes by analyzing various factors involving perception, how people make security decisions and how people are influenced by their feeling of security.
Do drop me a note if you wish to discuss this further at "anup at isqworld dot com"
The difference between the Reality and Feeling of Security
1. She looks trustworthy
I’m gonna steal your toys
The difference between the “Reality” and “Feeling” of Security
Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ)
2. Focus of the talk
• The Human Factor in Information Security
• From “Security Awareness” to “Security Awareness and Competence”
• Solution model
• What are others doing?
5. Awareness >> Behaviour >> Culture
• Awareness: I know
• Behaviour (Competence): I do
• Culture: We know and do
An organization must aim for a responsible security culture
6. What do organizations need?
A system that periodically shows the current Security Awareness and Competence levels
Awareness score is 87% (scale: LOW AWARENESS / MEDIUM AWARENESS / HIGH AWARENESS)
Competence score is 65% (scale: LOW COMPETENCE / MEDIUM COMPETENCE / HIGH COMPETENCE)
7. The power of perception
Why do people make security mistakes?
8. Imagine…
Nelson Mandela walks into this room right now and offers you this glass of water….
Will you accept it?
9. Now, imagine this…
This man walks into this room right now and offers you this glass of water….
Will you accept it?
11. Analysis
Were you checking the water or the person serving the water?
People decide what is good and what is bad based on “trust”
Perception is influenced by Trust
12. Why must we address the human factor?
(or)
Is the human factor worth addressing?
14. The most popular passwords in LinkedIn
• link
• 1234
• work
• god
• job
• 12345
• angel
• the
• ilove
• sex
• jesus
• connect
• monkey
• 123456
• michael
• jordan
• dragon
• soccer
• killer
• pepper
15. Analysis
You may think you are safe when you are actually not
People get more terrified thinking of getting eaten by a shark than of dying of a heart attack…..but more people die of heart attacks
16. Analysis
People exaggerate risks that are abnormal
Adrenoleukodystrophy
More kids die choking on french fries than due to Adrenoleukodystrophy
17. Reason 1: Security is both a “Reality” and “Feeling”
For security practitioners, security is a “Reality” based on the mathematical probability of risks
For the end user, security is a “feeling”
Success lies in influencing the “feeling” of security
18. Reason 2: Not every attack(er) is that smart
People exaggerate risks that are spectacular or uncommon: So what? RSA was hacked
[Chart: Risk severity / Attacker smartness / Attack efficiency (vertical axis) against Control efficiency (horizontal axis); two bands: Technology & Processes, Awareness & Competence]
• 1 – Automatic security controls – AV, Updates
• 2 – Technology + Human – Firewall configuration, Choosing a secure Wifi
• 3 – Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media
• 4 – The very smart attacker
19. Reason 3: Technology…yes, but humans…of course!
Aircraft have become more advanced, but does it mean that pilot training requirements have reduced?
Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
21. The solution is based on HIMIS
• HIMIS – Human Impact Management for Information Security
• Released under Creative Commons License
• Free for Non-Commercial Use
http://www.isqworld.com/himis
22. 1. Awareness Vs. Competence
Consider both “Awareness” and “Competence” independently
[Cycle: Security Risk analysis → Identify the human factor → Assess, Improve, Re-assess]
• Awareness
• Behaviour (Competence)
ESP – Expected Security Practice
25. 3. Remember drip irrigation
Which is more effective – Drip irrigation or spraying a lot of water once a day?
Small doses, more frequent
26. 4. Re-measure frequently
Organization’s awareness score was 87% (scale: LOW AWARENESS / MEDIUM AWARENESS / HIGH AWARENESS); and now?
Organization’s competence score was 65% (scale: LOW COMPETENCE / MEDIUM COMPETENCE / HIGH COMPETENCE); and now?
28. Emerging threats 2013 (report by ISF)
• Natural disasters
• Diminishing end user security awareness
• Moving to cloud
• Social media proliferation & data leaks
• Corporate frauds
• Attacks using GPS tracking
• Economic espionage
• Introduction of new devices (smart phones etc.)
• Online leaks
• Fast development and release of apps without testing
• Smart outsourcing resulting in less workforce loyalty
29. Summary
[Diagram: Information at the centre, surrounded by People, Process and Technology (Firewall)]
Technology and processes are only as good as the people that use them
30. Let’s switch ON the Human Layer of Information Security Defence
Thank You
Anup Narayanan
www.isqworld.com