A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai

1. [Title slide image: "Shred documents before disposing"]
A model for reducing information security risks due to human error
By Anup Narayanan, Founder & CEO, ISQ World
2. 1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
I. Differentiate between "Awareness" & "Behavior" (We are here)
II. Case study
III. Solution model
IV. Resources
© First Legion Consulting
3. Awareness?
"Do not share passwords!"
4. Behavior?
"Don't tell anyone, my password is….."
7. 1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
I. Differentiate between "Awareness" & "Behavior"
II. Case study (We are here)
III. Solution model
IV. Recap & Resources
8. Case-study:
Client: One of the largest mobile service providers in the world
• What? Spent US$ 100,000 on a security awareness campaign
• How? Screen savers, posters, emailers
• Who? Target: all employees
9. What did we do?
"Awareness vs. behavior" benchmarking, and produced a scorecard
11. Why are my users not following the information security policy?
Root cause analysis of poor information security behavior
12. Reason 1: Operational issues….
Message in the poster: "Don't share passwords"
Response by HR Manager: "If I don't share my password, salaries won't get processed here… including that of the InfoSec manager."
15. Reason 4: Attitude… influenced by cost (peer pressure, top management behavior)
"Nothing's gonna happen to me if I violate the security policies?"
"Well, I saw her doing it… shall I?"
16. "Awareness" & "Behavior": Independent but interdependent
Question: A person knows the traffic rules. Does that make the person a good driver?
Answer: Not necessarily. "Knowing" and "doing" are two different things.
Question: A person knows the "information security rules". Does that make the person a responsible information security practitioner?
Answer: Same as above.
Knowing = Awareness
Doing = Behavior
17. 1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
I. Differentiate between "Awareness" & "Behavior"
II. Case study
III. Solution model (We are here)
IV. Recap & Resources
18. • HIMIS – Human Impact Management for Information Security
• Objective – To provide a model to reduce security risks due to human error
• Creative Commons License, free for non-commercial use
• Download – http://www.isqworld.com, click on the HIMIS link
19. HIMIS solution model - Work backwards
Define → Strategize → Deliver → Verify → Responsible information security behavior
20. Define (Define → Strategize → Deliver → Verify)
• Choose ESPs (Expected Security Practices: the information security awareness and behaviour requirements) valid for the business
• Review and approval of ESPs
• Baseline ESP assessment
21. ESP example: Information Classification
Awareness criterion:
- The employees must know the different information classification criteria: "Confidential, Internal, Public".
- The employees must know how to specify the classification, for example, in the footer of each document.
Behaviour criterion:
- The employees must actually classify documents in day-to-day work. The evidence of this classification must be available.
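As an added example that is not part of the HIMIS deck or ISQ World's material: the behaviour criterion above says the evidence of classification must be available, so a behaviour audit can collect it mechanically rather than by asking. The Python below assumes documents are plain text whose last line carries a footer of the form "Classification: <Label>" (an assumed convention), checks each document against the deck's three-label scheme, and returns one finding per document plus a compliance rate. The filenames, document contents and footer convention are all constructed for this example.

```python
import re

# Constructed sample documents (filename, text); not from the deck. The assumed
# footer convention is a last line of the form "Classification: <Label>".
DOCUMENTS = [
    ("q1-forecast.txt", "Q1 revenue forecast\nRegion totals attached.\nClassification: Confidential"),
    ("canteen-menu.txt", "Menu for this week\nMonday: dal, rice.\nClassification: Public"),
    ("vendor-list.txt", "Approved vendors\nAcme Cabling Ltd.\nClassification: Internal"),
    ("draft-policy.txt", "Draft password policy\nRotate every 90 days.\n"),            # no footer
    ("board-minutes.txt", "Board minutes\nFive directors present.\nClassification: Secret"),  # not in scheme
    ("memo.txt", "Memo to all staff\nParking changes.\nclassification:  internal  "),  # sloppy but valid
]
VALID_LABELS = {"Confidential", "Internal", "Public"}   # the deck's scheme
LABEL_RE = re.compile(r"^\s*classification\s*:\s*(\S+)\s*$", re.IGNORECASE)


def footer_label(text):
    """Return the normalised label on the last non-empty line, or None."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return None
    match = LABEL_RE.match(lines[-1])
    return match.group(1).capitalize() if match else None


def audit(documents, valid_labels=VALID_LABELS):
    """Behaviour evidence for the ESP: one finding per document.
    status is "ok", "missing" (no footer label) or "invalid" (label not in scheme)."""
    findings = []
    for name, text in documents:
        label = footer_label(text)
        if label is None:
            status = "missing"
        elif label not in valid_labels:
            status = "invalid"
        else:
            status = "ok"
        findings.append({"document": name, "label": label, "status": status})
    return findings


def compliance_rate(findings):
    """Share of documents that carry a valid label, as a percentage."""
    if not findings:
        return 0.0
    return 100.0 * sum(f["status"] == "ok" for f in findings) / len(findings)


if __name__ == "__main__":
    for f in audit(DOCUMENTS):
        print(f"{f['document']:<20} {f['status']:<8} {f['label']}")
    print(f"compliance: {compliance_rate(audit(DOCUMENTS)):.1f}%")
```

The per-document findings are the evidence the criterion asks for; "missing" and "invalid" are kept apart because they point to different root causes (the employee did not classify at all, or classified with a label outside the agreed scheme), which matters for the root-cause step of the audit report.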
22. Strategize (Define → Strategize → Deliver → Verify)
• For awareness management
– Coverage
– Format & visibility: verbal, paper and electronic
– Frequency
– Quality of content
• Impact visualization
• Clarity & ease of understanding
• Business relevance
• Consideration of cultural factors
– Retention measurement
• For behavior management
– Motivational strategies
– Enforcement / disciplinary strategies
23. Quality of content
• Impact visualization
• Clarity & ease of understanding
• Business relevance
• Consideration of cultural factors
(Cartoon: "Wow! This security awareness video is so cool!" / "Yup! Not the usual glorified PowerPoint")
24. Behavior management: What works?
(Cartoon, three reactions to a violation: "Let's cut his email access" / "Let's talk to him" / "Let's fire him")
25. Poor security behavior vs. inconvenience
[Chart: poor security behavior plotted against inconvenience]
27. Case study 1: Changing behavior (IT Service Provider)
• What we did:
– Quarterly "End-User Desktop Audits"
– Findings were noted and "Signed and Agreed by Auditee"
– Disputes were noted and "Signed"
– Audit findings were submitted to the InfoSec team
28. Case study 2: Changing behavior (Electronic Retail Store)
• Audit finding: Cash boxes are left open when unattended
• Cost attached: Branch manager loses 25% of annual bonus for every violation
• Compliance today is above 98%
29. Deliver (Define → Strategize → Deliver → Verify)
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt
30. Verify (Define → Strategize → Deliver → Verify)
• Audit strategy
– Selection of ESPs
– Define sample size
– Audit methods
• For awareness: interviews, surveys, quizzes, mind-map sessions
• For behavior: observation, data mining, log review, review of incident reports, social engineering?
– Reasonable limitations
– Behavior may not always be visible
32. HIMIS is not prescriptive and does not suggest absolutes…
• The practitioner has the freedom to quantify
• Quantifying awareness – fairly easy; for example, the average score of a quiz taken by 100 users reasonably indicates an average awareness score
• Quantifying behaviour may not be possible directly and indirect methods may have to be used. For example:
a) Number of violations found for an ESP
b) Impact of the violation
c) A score derived by consideration of "a" and "b" above
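As an added example that is not from the deck, the following Python puts the log-review audit method of slide 30 together with the quantification of slide 32 for the running "Do not share passwords" ESP. It reviews constructed interactive-logon records (an assumed "timestamp user host" format standing in for domain controller or SIEM logon events) for the indirect indicator of one account logging on from two different hosts within a few minutes, counts those as violations (a), weights them by an assumed per-account impact (b), derives a behaviour score (c), and places it next to the quiz-based awareness average in a scorecard row that flags the "knowing but not doing" gap. The sample data, the 10-minute window, the impact weights, the scoring formula and the thresholds are all assumptions for this example; HIMIS leaves the quantification to the practitioner.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (assumptions for this example, not from the deck) ---
# Awareness evidence: quiz scores (0-100) for the ESP "Do not share passwords".
QUIZ_SCORES = {"alice": 90, "bob": 85, "carol": 95, "dave": 70, "erin": 100}

# Behavior evidence: interactive-logon records in an assumed "timestamp user host"
# format. A real review would pull these from domain controller or SIEM logs.
AUTH_LOG = """\
2010-03-01T09:00:12 alice WS-101
2010-03-01T09:03:40 alice WS-117
2010-03-01T09:05:02 bob WS-102
2010-03-01T09:45:00 alice WS-101
2010-03-01T10:10:15 carol WS-103
2010-03-01T10:12:30 carol WS-104
2010-03-01T10:14:01 carol WS-105
2010-03-01T11:00:00 dave WS-106
2010-03-01T14:00:00 erin WS-107
2010-03-01T14:30:00 bob WS-102
"""

# Assumed impact weight per account (1 = low, 3 = high): accounts that can run
# payroll weigh more, after the "salaries won't get processed" scenario.
IMPACT = {"alice": 3, "bob": 1, "carol": 2, "dave": 1, "erin": 2}
MAX_IMPACT = 3
WINDOW = timedelta(minutes=10)   # assumed: two hosts within 10 min is suspicious


def parse_log(text):
    """Parse the constructed log into (timestamp, user, host) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def count_violations(events, window=WINDOW):
    """Indirect behavior indicator (a): the same account logging on from a
    different host within `window` of an earlier logon. Each logon is counted
    at most once, so one user can still accumulate several violations."""
    by_user = defaultdict(list)
    for ts, user, host in sorted(events):
        by_user[user].append((ts, host))
    violations = defaultdict(int)
    for user, logons in by_user.items():
        for i, (ts, host) in enumerate(logons):
            for prev_ts, prev_host in logons[:i]:
                if ts - prev_ts <= window and prev_host != host:
                    violations[user] += 1
                    break
    return dict(violations)


def awareness_score(quiz_scores):
    """Average quiz score across the sample (slide 32's awareness measure)."""
    return sum(quiz_scores.values()) / len(quiz_scores)


def behavior_score(violations, impact, sample_size, max_impact=MAX_IMPACT):
    """Derived score (c): 100 minus the impact-weighted violation load (b),
    normalised to a worst case of one maximum-impact violation per sampled
    user. This is one possible derivation, not a HIMIS-prescribed formula."""
    weighted = sum(count * impact.get(user, 1) for user, count in violations.items())
    worst_case = sample_size * max_impact
    return max(0.0, 100.0 - 100.0 * weighted / worst_case)


def scorecard(esp, quiz_scores, violations, impact, high=80, low=60):
    """One scorecard row; flags the awareness/behavior gap the deck is about."""
    aw = awareness_score(quiz_scores)
    be = behavior_score(violations, impact, len(quiz_scores))
    return {
        "esp": esp,
        "awareness": round(aw, 1),
        "behavior": round(be, 1),
        "knowing_not_doing": aw >= high and be < low,   # assumed thresholds
    }


if __name__ == "__main__":
    found = count_violations(parse_log(AUTH_LOG))
    print(found)   # {'alice': 1, 'carol': 2}
    print(scorecard("Do not share passwords", QUIZ_SCORES, found, IMPACT))
```

On the constructed data the sample scores 88 on awareness but only about 53 on behaviour, which is exactly the gap the case study found. The logon indicator is indirect, as slide 32 warns: a user with a desktop and a laptop will trip it legitimately, so each finding should go back to the auditee to be signed or disputed, as in the desktop-audit case study, before it counts against the score.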
33. Suggested outline of the audit report
• Introduction: motivations and reasons for the program
• List of ESPs and the reasons for the selection of each ESP
• Strategy for the program
• Delivery models
• Average awareness score (from the averages of each ESP awareness score)
• Average behaviour score or text description (from analysis of the behaviour audit report)
• Root cause analysis for poor awareness and behaviour
• Possible threat indicators and suggested mitigations
• Recommended corrective actions
34. 1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk Plan:
I. Differentiate between "Awareness" & "Behavior"
II. Case study
III. Solution model
IV. Recap & Resources (We are here)
35. Recap
Define → Strategize → Deliver → Verify → Responsible information security behavior
36. Tip! Get HR buy-in
HR manager: "People are my biggest asset!"
InfoSec manager: "People are my biggest threat!"
You must both be telling the same story!
37. Conclusion
If you can influence perception, you can influence the way people choose or react (behavior).
Perception is influenced if there is a cost for an action.
38. "If I follow the information security rules, will I gain something? If I don't follow, will I lose something?"
When you get your users to think this way, you are on your way to a better information security culture!
39. Resources
• Free security awareness videos – www.isqworld.com
• Bruce Schneier – The Psychology of Security – http://www.schneier.com/essay-155.pdf
• The Information Security Management Maturity Model (ISM3) – www.ism3.com
40. Anup Narayanan,
Founder & Principal Architect
ISQ World, A First Legion Initiative
anup@isqworld.com
www.isqworld.com