SlideShare a Scribd company logo

A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai

Anup Narayanan
Anup Narayanan

This talk provides a model for reducing security risks due to poor information security awareness and poor attitude. Based on my methodology HIMIS (Human Impact Management for Information Security). To know more about HIMIS, visit http://www.isqworld.com/himis

TechnologyEducation
1 of 40
Download to read offline
Shred documents before disposing A model for reducing information security risks due to human error By Anup Narayanan, Founder & CEO, ISQ World
1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: We are here I. Differentiate between “Awareness” & “Behavior” II. Case study III. Solution model IV. Resources © First Legion Consulting 2
Awareness? Do not share passwords! © First Legion Consulting 3
Behavior? Don’t tell anyone, my password is….. © First Legion Consulting 4
Shred documents before disposing © First Legion Consulting 5
Putting it together…. Awareness: Behavior: Culture: I know I do We do © First Legion Consulting 6
1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” We are here II. Case study III. Solution model IV. Recap & Resources © First Legion Consulting 7
Case-study: Client: One of the largest mobile service providers in the world • What? Spent US$ 100, 000 on a security awareness campaign • How? Screen Savers, Posters, Emailers • Who? Target - Entire employees © First Legion Consulting 8
What did we do? “Awareness vs. behavior” benchmarking and produced a scorecard © First Legion Consulting 9
The scorecard © First Legion Consulting 10
Why are my users not following the information security policy? Root cause analysis of poor information security behavior © First Legion Consulting 11
Reason 1: Operational issues …. If I don’t share my password, salaries won’t get processed Response by HR Manager here…including that of the InfoSec manager. Message in the poster Don’t share passwords © First Legion Consulting 12
Reason 2: Confusion ... Too many rules Which one do I follow? © First Legion Consulting 13
Reason 3: Perception… Which is safer? © First Legion Consulting 14
Reason 4: Attitude … influenced by cost…(peer pressure, top management behavior) Nothing’s gonna happen to me if I violate the security policies? Well, I saw her doing it …shall I? © First Legion Consulting 15
“Awareness” & “Behavior”: Independent but interdependent Question : A person knows the traffic rules. Does that make the person a good driver? Answer: Not necessarily, “Knowing” and “Doing” are two different things Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner? Answer: Same as above Knowing = Awareness Doing = Behavior © First Legion Consulting 16
1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” II. Case study We are here III. Solution model IV. Recap & Resources © First Legion Consulting 17
• HIMIS – Human Impact Management for Information Security • Objective – To provide a model to reduce security risks due to human error • Creative Commons License, free for non- commercial use • Download – http://www.isqworld.com , click on the HIMIS link © First Legion Consulting 18
HIMIS solution model - Work backwards Responsible information Define Strategize Deliver Verify security behavior © First Legion Consulting 19
Define Strategize Deliver Verify • Choose ESP's (Expected Security Practices) information security awareness and behaviour requirements) valid for the business • Review and approval of ESP’s • Baseline ESP assessment © First Legion Consulting 20
ESP: Information Classification Awareness Behaviour Criterion criterion The employees must The employees must The employees must actually classify know the different know how to specify the document in day-to-day information classification classification, for work. The evidence of criterion : "Confidential, example, in the footer of this classification must Internal, Public" each document be available. © First Legion Consulting 21
Define Strategize Deliver Verify • For awareness management – Coverage – Format & visibility: Verbal, Paper and Electronic – Frequency – Quality of content • Impact visualization • Clarity & ease of understanding • Business relevance • Consideration of cultural factors – Retention measurement. • For behavior management – Motivational strategies – Enforcement/ disciplinary strategies © First Legion Consulting 22
Quality of content • Impact visualization • Clarity & ease of understanding • Business relevance Yup! Not the usual glorified • Consideration of cultural factors power point Wow! This security awareness video is so cool! © First Legion Consulting 23
Behavior management: What works? Let’s cut his Let’s talk to email access him Let’s fire him © First Legion Consulting 24
Poor Security behavior Vs. Inconvenience Poor security behavior In-convenience © First Legion Consulting 25
Poor Security behavior Vs. Cost Poor security behavior Cost (Enforcement) © First Legion Consulting 26
Case study 1: Changing behavior (IT Service Provider) • What we did? – Quarterly “End-User Desktop Audits” – Findings were noted and “Signed and Agreed by Auditee” – Disputes were noted and “Signed” – Audit findings were submitted to InfoSec Team © First Legion Consulting 27
Case study 1: Changing behavior (Electronic Retail Store) • Audit finding: Cash boxes are left open when unattended • Cost attached: Branch manager will lose 25% of annual bonus for every violation • Compliance today is above 98% © First Legion Consulting 28
Define Strategize Deliver Verify • Define tolerable deviation • Efficiency • Collection of feedback • Confirmation of receipt © First Legion Consulting 29
Define Strategize Deliver Verify • Audit strategy – Selection of ESP’s – Define sample size – Audit methods • For awareness: Interviews, Surveys, Quizzes, Mind-map sessions • For behavior: Observation, data mining, Log review, Review of incident reports, Social engineering? – Reasonable limitations – Behavior may not always be visible © First Legion Consulting 30
© First Legion Consulting 31
HIMIS is not prescriptive and does not suggest absolutes… • Practitioner has the freedom to quantify • Quantifying awareness – Fairly easy, for example, – Average score of a quiz to measure awareness from 100 users’ reasonably indicates an average awareness score • Quantifying behaviour may not be possible directly and indirect methods may have to be used. For example, a) Number of violations found for an ESP b) Impact of the violation c) A score derived by consideration of “a” and “b” above © First Legion Consulting 32
Suggested outline of the audit report • Introduction: Motivations and reasons for the program • List of ESP’s and the reasons for the selection of each ESP • Strategy for the program • Delivery models • Average awareness score (from averages of each ESP awareness score) • Average behaviour score or text description (from analysis of behaviour audit report). Root cause analysis for poor awareness and behaviour • Possible threat indicators and suggested mitigations • Recommended corrective actions © First Legion Consulting 33
1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” II. Case study III. Solution model We are here IV. Recap & Resources © First Legion Consulting 34
Recap Responsible information Define Strategize Deliver Verify security behavior © First Legion Consulting 35
Tip! Get HR buy-in People are my People are my biggest threat! biggest asset! HR InfoSec manager Manager You must talk the same thing! © First Legion Consulting 36
Conclusion If you can influence perception, you can influence the way people choose or react (behavior) Perception is influenced if there is a cost for an action © First Legion Consulting 37
If I follow the information security rules will I gain something. If I don’t follow, will I lose something? When you get your users’ to think this way, you are on your way to a better information security culture! © First Legion Consulting 38
Resources • Free security awareness videos – www.isqworld.com • Bruce Schneier – The Psychology of Security - http://www.schneier.com/essay-155.pdf • The Information Security Management Maturity Model (ISM3) – www.ism3.com © First Legion Consulting 39
Anup Narayanan, Founder & Principal Architect ISQ World, A First Legion Initiative anup@isqworld.com www.isqworld.com © First Legion Consulting 40

Recommended

Reducing Security Risks Due to Human Error - Information Security Summit, Kua...
Reducing Security Risks Due to Human Error - Information Security Summit, Kua...Reducing Security Risks Due to Human Error - Information Security Summit, Kua...
Reducing Security Risks Due to Human Error - Information Security Summit, Kua...
Anup Narayanan
 
A model for reducing information security risks due to human error
A model for reducing information security risks due to human errorA model for reducing information security risks due to human error
A model for reducing information security risks due to human error
Anup Narayanan
 
Human Impact on Information Security - Computer Society of India Conference, ...
Human Impact on Information Security - Computer Society of India Conference, ...Human Impact on Information Security - Computer Society of India Conference, ...
Human Impact on Information Security - Computer Society of India Conference, ...
Anup Narayanan
 
CRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeCRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff Crume
KrisValerio
 
Is3 Capabilities Brief
Is3 Capabilities BriefIs3 Capabilities Brief
Is3 Capabilities Brief
mageeb
 
The Modern Columbian Exchange: Biovision 2012 Presentation
The Modern Columbian Exchange: Biovision 2012 PresentationThe Modern Columbian Exchange: Biovision 2012 Presentation
The Modern Columbian Exchange: Biovision 2012 Presentation
Merck
 
Defense Intelligence & The Information Challenge
Defense Intelligence & The Information ChallengeDefense Intelligence & The Information Challenge
Defense Intelligence & The Information Challenge
IBMGovernmentCA
 
Emm Introduction 2013
Emm Introduction 2013Emm Introduction 2013
Emm Introduction 2013
Lee Schlenker
 

Recommended

Reducing Security Risks Due to Human Error - Information Security Summit, Kua...
Reducing Security Risks Due to Human Error - Information Security Summit, Kua...Reducing Security Risks Due to Human Error - Information Security Summit, Kua...
Reducing Security Risks Due to Human Error - Information Security Summit, Kua...
Anup Narayanan
 
A model for reducing information security risks due to human error
A model for reducing information security risks due to human errorA model for reducing information security risks due to human error
A model for reducing information security risks due to human error
Anup Narayanan
 
Human Impact on Information Security - Computer Society of India Conference, ...
Human Impact on Information Security - Computer Society of India Conference, ...Human Impact on Information Security - Computer Society of India Conference, ...
Human Impact on Information Security - Computer Society of India Conference, ...
Anup Narayanan
 
CRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeCRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff Crume
KrisValerio
 
Is3 Capabilities Brief
Is3 Capabilities BriefIs3 Capabilities Brief
Is3 Capabilities Brief
mageeb
 
The Modern Columbian Exchange: Biovision 2012 Presentation
The Modern Columbian Exchange: Biovision 2012 PresentationThe Modern Columbian Exchange: Biovision 2012 Presentation
The Modern Columbian Exchange: Biovision 2012 Presentation
Merck
 
Defense Intelligence & The Information Challenge
Defense Intelligence & The Information ChallengeDefense Intelligence & The Information Challenge
Defense Intelligence & The Information Challenge
IBMGovernmentCA
 
Emm Introduction 2013
Emm Introduction 2013Emm Introduction 2013
Emm Introduction 2013
Lee Schlenker
 
Enterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived Risks
Enterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived RisksEnterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived Risks
Enterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived Risks
The 2.0 Adoption Council
 
Records and information management presentation 2012
Records and information management presentation 2012Records and information management presentation 2012
Records and information management presentation 2012
LRNcorporation
 
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
IT Network marcus evans
 
CBI Threat Landscape Webinar
CBI Threat Landscape WebinarCBI Threat Landscape Webinar
CBI Threat Landscape Webinar
Joseph Schorr
 
Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)
Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)
Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)
Insecurity Insight
 
Knowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISAKnowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISA
Dee Moone
 
Business Intelligence In Cloud Computing A Tokenization Approach Final
Business Intelligence In Cloud Computing A Tokenization Approach FinalBusiness Intelligence In Cloud Computing A Tokenization Approach Final
Business Intelligence In Cloud Computing A Tokenization Approach Final
Hossam Hassanien
 
Effective IT Security Governance
Effective IT Security GovernanceEffective IT Security Governance
Effective IT Security Governance
Leo de Sousa
 
Riskpro information risk management 2013
Riskpro information risk management 2013Riskpro information risk management 2013
Riskpro information risk management 2013
Rahul Bhan (CA, CIA, MBA)
 
CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 Watson
Patricia M Watson
 
ARC MGMT 374 Week 1 Presentation
ARC MGMT 374 Week 1 PresentationARC MGMT 374 Week 1 Presentation
ARC MGMT 374 Week 1 Presentation
Michael Hill
 
Cyber Threat Management Services
Cyber Threat Management ServicesCyber Threat Management Services
Cyber Threat Management Services
Marlabs
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
Presentation on rex security service
Presentation on rex security servicePresentation on rex security service
Presentation on rex security service
Deep Rajbhandari
 
About Acumin
About AcuminAbout Acumin
About Acumin
GemmaPaterson
 
Prinya acis slide for swpark - it & information security human resource deve...
Prinya acis slide for swpark - it & information security human resource deve...Prinya acis slide for swpark - it & information security human resource deve...
Prinya acis slide for swpark - it & information security human resource deve...
TISA
 
IT Governance - The Solution To Old Fashioned Silos - Andy Blumenthal
IT Governance - The Solution To Old Fashioned Silos - Andy BlumenthalIT Governance - The Solution To Old Fashioned Silos - Andy Blumenthal
IT Governance - The Solution To Old Fashioned Silos - Andy Blumenthal
Andy (Avraham) Blumenthal
 
Chapter 1
Chapter 1Chapter 1
Chapter 1
ssuser3301be1
 
Ch04
Ch04Ch04
Ch04
Jennifer Polack
 
A proposed Solution: Data Availability and Error Correction in Cloud Computing
A proposed Solution: Data Availability and Error Correction in Cloud ComputingA proposed Solution: Data Availability and Error Correction in Cloud Computing
A proposed Solution: Data Availability and Error Correction in Cloud Computing
CSCJournals
 
Risk management seminar -en
Risk management seminar -enRisk management seminar -en
Risk management seminar -en
Rolf Häsänen
 
Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...
Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...
Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...
BayCHI
 

More Related Content

What's hot

Records and information management presentation 2012
Records and information management presentation 2012Records and information management presentation 2012
Records and information management presentation 2012
LRNcorporation
 
CBI Threat Landscape Webinar
CBI Threat Landscape WebinarCBI Threat Landscape Webinar
CBI Threat Landscape Webinar
Joseph Schorr
 
Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)
Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)
Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)
Insecurity Insight
 
Knowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISAKnowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISA
Dee Moone
 
Business Intelligence In Cloud Computing A Tokenization Approach Final
Business Intelligence In Cloud Computing A Tokenization Approach FinalBusiness Intelligence In Cloud Computing A Tokenization Approach Final
Business Intelligence In Cloud Computing A Tokenization Approach Final
Hossam Hassanien
 
CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 Watson
Patricia M Watson
 
ARC MGMT 374 Week 1 Presentation
ARC MGMT 374 Week 1 PresentationARC MGMT 374 Week 1 Presentation
ARC MGMT 374 Week 1 Presentation
Michael Hill
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
Presentation on rex security service
Presentation on rex security servicePresentation on rex security service
Presentation on rex security service
Deep Rajbhandari
 
Prinya acis slide for swpark - it & information security human resource deve...
Prinya acis slide for swpark - it & information security human resource deve...Prinya acis slide for swpark - it & information security human resource deve...
Prinya acis slide for swpark - it & information security human resource deve...
TISA
 
IT Governance - The Solution To Old Fashioned Silos - Andy Blumenthal
IT Governance - The Solution To Old Fashioned Silos - Andy BlumenthalIT Governance - The Solution To Old Fashioned Silos - Andy Blumenthal
IT Governance - The Solution To Old Fashioned Silos - Andy Blumenthal
Andy (Avraham) Blumenthal
 

What's hot (18)

Enterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived Risks
Enterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived RisksEnterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived Risks
Enterprise 2.0 Black Belt Workshop: Mitigating Real or Perceived Risks
 
Records and information management presentation 2012
Records and information management presentation 2012Records and information management presentation 2012
Records and information management presentation 2012
 
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
How Infosec Can Become a Business Enabler: Interview with: Dr Tim Redhead, Di...
 
CBI Threat Landscape Webinar
CBI Threat Landscape WebinarCBI Threat Landscape Webinar
CBI Threat Landscape Webinar
 
Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)
Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)
Humanitarian Exchange: The Six Ws of Security Policy Making (p. 6-7)
 
Knowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISAKnowledge Management and Knowledge Sharing at DISA
Knowledge Management and Knowledge Sharing at DISA
 
Business Intelligence In Cloud Computing A Tokenization Approach Final
Business Intelligence In Cloud Computing A Tokenization Approach FinalBusiness Intelligence In Cloud Computing A Tokenization Approach Final
Business Intelligence In Cloud Computing A Tokenization Approach Final
 
Effective IT Security Governance
Effective IT Security GovernanceEffective IT Security Governance
Effective IT Security Governance
 
Riskpro information risk management 2013
Riskpro information risk management 2013Riskpro information risk management 2013
Riskpro information risk management 2013
 
CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 Watson
 
ARC MGMT 374 Week 1 Presentation
ARC MGMT 374 Week 1 PresentationARC MGMT 374 Week 1 Presentation
ARC MGMT 374 Week 1 Presentation
 
Cyber Threat Management Services
Cyber Threat Management ServicesCyber Threat Management Services
Cyber Threat Management Services
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Presentation on rex security service
Presentation on rex security servicePresentation on rex security service
Presentation on rex security service
 
About Acumin
About AcuminAbout Acumin
About Acumin
 
Prinya acis slide for swpark - it & information security human resource deve...
Prinya acis slide for swpark - it & information security human resource deve...Prinya acis slide for swpark - it & information security human resource deve...
Prinya acis slide for swpark - it & information security human resource deve...
 
IT Governance - The Solution To Old Fashioned Silos - Andy Blumenthal
IT Governance - The Solution To Old Fashioned Silos - Andy BlumenthalIT Governance - The Solution To Old Fashioned Silos - Andy Blumenthal
IT Governance - The Solution To Old Fashioned Silos - Andy Blumenthal
 
Chapter 1
Chapter 1Chapter 1
Chapter 1
 

Viewers also liked

A proposed Solution: Data Availability and Error Correction in Cloud Computing
A proposed Solution: Data Availability and Error Correction in Cloud ComputingA proposed Solution: Data Availability and Error Correction in Cloud Computing
A proposed Solution: Data Availability and Error Correction in Cloud Computing
CSCJournals
 
Risk management seminar -en
Risk management seminar -enRisk management seminar -en
Risk management seminar -en
Rolf Häsänen
 
Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...
Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...
Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...
BayCHI
 
Human Error & Risk Factor Affecting Reliability & Safety
Human Error & Risk Factor Affecting Reliability & SafetyHuman Error & Risk Factor Affecting Reliability & Safety
Human Error & Risk Factor Affecting Reliability & Safety
Dushyant Kalchuri
 
Information security management
Information security managementInformation security management
Information security management
UMaine
 

Viewers also liked (9)

Ch04
Ch04Ch04
Ch04
 
A proposed Solution: Data Availability and Error Correction in Cloud Computing
A proposed Solution: Data Availability and Error Correction in Cloud ComputingA proposed Solution: Data Availability and Error Correction in Cloud Computing
A proposed Solution: Data Availability and Error Correction in Cloud Computing
 
Risk management seminar -en
Risk management seminar -enRisk management seminar -en
Risk management seminar -en
 
Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...
Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...
Scott MacKenzie at BayCHI: Evaluating Eye Tracking Systems for Computer Data ...
 
Human Error & Risk Factor Affecting Reliability & Safety
Human Error & Risk Factor Affecting Reliability & SafetyHuman Error & Risk Factor Affecting Reliability & Safety
Human Error & Risk Factor Affecting Reliability & Safety
 
Information security management
Information security managementInformation security management
Information security management
 
Human Error Prevention
Human Error PreventionHuman Error Prevention
Human Error Prevention
 
Beekman5 std ppt_12
Beekman5 std ppt_12Beekman5 std ppt_12
Beekman5 std ppt_12
 
Types of computer system error
Types of computer system errorTypes of computer system error
Types of computer system error
 

Similar to A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai

Dlp content-discovery-best-practices
Dlp content-discovery-best-practicesDlp content-discovery-best-practices
Dlp content-discovery-best-practices
lookout4raj
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest risk
Evan Francen
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 
2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess
asundaram1
 

Similar to A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai (20)

Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook Security
 
Managing Personally Identifiable Information (PII)
Managing Personally Identifiable Information (PII)Managing Personally Identifiable Information (PII)
Managing Personally Identifiable Information (PII)
 
1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt
 
Security For Free
Security For FreeSecurity For Free
Security For Free
 
From technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontierFrom technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontier
 
Dlp content-discovery-best-practices
Dlp content-discovery-best-practicesDlp content-discovery-best-practices
Dlp content-discovery-best-practices
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest risk
 
Emm introduction
Emm introductionEmm introduction
Emm introduction
 
Emids Morning Security Virtual India V3
Emids Morning Security Virtual India V3Emids Morning Security Virtual India V3
Emids Morning Security Virtual India V3
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
 
MCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk ManagementMCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk Management
 
MCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk ManagementMCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk Management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro information risk management
Riskpro information risk managementRiskpro information risk management
Riskpro information risk management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Ibm data governance framework
Ibm data governance frameworkIbm data governance framework
Ibm data governance framework
 
A Value Centric Approach to Governance Risk & Compliance
A Value Centric Approach to Governance Risk & ComplianceA Value Centric Approach to Governance Risk & Compliance
A Value Centric Approach to Governance Risk & Compliance
 
2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Recently uploaded (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

A Model for Reducing Security Risks due to Human Error - iSafe 2010, Dubai

  • 1. Shred documents before disposing A model for reducing information security risks due to human error By Anup Narayanan, Founder & CEO, ISQ World
  • 2. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: We are here I. Differentiate between “Awareness” & “Behavior” II. Case study III. Solution model IV. Resources © First Legion Consulting 2
  • 3. Awareness? Do not share passwords! © First Legion Consulting 3
  • 4. Behavior? Don’t tell anyone, my password is….. © First Legion Consulting 4
  • 5. Shred documents before disposing © First Legion Consulting 5
  • 6. Putting it together…. Awareness: Behavior: Culture: I know I do We do © First Legion Consulting 6
  • 7. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” We are here II. Case study III. Solution model IV. Recap & Resources © First Legion Consulting 7
  • 8. Case-study: Client: One of the largest mobile service providers in the world • What? Spent US$ 100, 000 on a security awareness campaign • How? Screen Savers, Posters, Emailers • Who? Target - Entire employees © First Legion Consulting 8
  • 9. What did we do? “Awareness vs. behavior” benchmarking and produced a scorecard © First Legion Consulting 9
  • 10. The scorecard © First Legion Consulting 10
  • 11. Why are my users not following the information security policy? Root cause analysis of poor information security behavior © First Legion Consulting 11
  • 12. Reason 1: Operational issues …. If I don’t share my password, salaries won’t get processed Response by HR Manager here…including that of the InfoSec manager. Message in the poster Don’t share passwords © First Legion Consulting 12
  • 13. Reason 2: Confusion ... Too many rules Which one do I follow? © First Legion Consulting 13
  • 14. Reason 3: Perception… Which is safer? © First Legion Consulting 14
  • 15. Reason 4: Attitude … influenced by cost…(peer pressure, top management behavior) Nothing’s gonna happen to me if I violate the security policies? Well, I saw her doing it …shall I? © First Legion Consulting 15
  • 16. “Awareness” & “Behavior”: Independent but interdependent Question : A person knows the traffic rules. Does that make the person a good driver? Answer: Not necessarily, “Knowing” and “Doing” are two different things Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner? Answer: Same as above Knowing = Awareness Doing = Behavior © First Legion Consulting 16
  • 17. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” II. Case study We are here III. Solution model IV. Recap & Resources © First Legion Consulting 17
  • 18. • HIMIS – Human Impact Management for Information Security • Objective – To provide a model to reduce security risks due to human error • Creative Commons License, free for non- commercial use • Download – http://www.isqworld.com , click on the HIMIS link © First Legion Consulting 18
  • 19. HIMIS solution model - Work backwards Responsible information Define Strategize Deliver Verify security behavior © First Legion Consulting 19
  • 20. Define Strategize Deliver Verify • Choose ESP's (Expected Security Practices) information security awareness and behaviour requirements) valid for the business • Review and approval of ESP’s • Baseline ESP assessment © First Legion Consulting 20
  • 21. ESP: Information Classification Awareness Behaviour Criterion criterion The employees must The employees must The employees must actually classify know the different know how to specify the document in day-to-day information classification classification, for work. The evidence of criterion : "Confidential, example, in the footer of this classification must Internal, Public" each document be available. © First Legion Consulting 21
  • 22. Define Strategize Deliver Verify • For awareness management – Coverage – Format & visibility: Verbal, Paper and Electronic – Frequency – Quality of content • Impact visualization • Clarity & ease of understanding • Business relevance • Consideration of cultural factors – Retention measurement. • For behavior management – Motivational strategies – Enforcement/ disciplinary strategies © First Legion Consulting 22
  • 23. Quality of content • Impact visualization • Clarity & ease of understanding • Business relevance Yup! Not the usual glorified • Consideration of cultural factors power point Wow! This security awareness video is so cool! © First Legion Consulting 23
  • 24. Behavior management: What works? Let’s cut his Let’s talk to email access him Let’s fire him © First Legion Consulting 24
  • 25. Poor Security behavior Vs. Inconvenience Poor security behavior In-convenience © First Legion Consulting 25
  • 26. Poor Security behavior Vs. Cost Poor security behavior Cost (Enforcement) © First Legion Consulting 26
  • 27. Case study 1: Changing behavior (IT Service Provider) • What we did? – Quarterly “End-User Desktop Audits” – Findings were noted and “Signed and Agreed by Auditee” – Disputes were noted and “Signed” – Audit findings were submitted to InfoSec Team © First Legion Consulting 27
  • 28. Case study 1: Changing behavior (Electronic Retail Store) • Audit finding: Cash boxes are left open when unattended • Cost attached: Branch manager will lose 25% of annual bonus for every violation • Compliance today is above 98% © First Legion Consulting 28
  • 29. Define Strategize Deliver Verify • Define tolerable deviation • Efficiency • Collection of feedback • Confirmation of receipt © First Legion Consulting 29
  • 30. Define Strategize Deliver Verify • Audit strategy – Selection of ESP’s – Define sample size – Audit methods • For awareness: Interviews, Surveys, Quizzes, Mind-map sessions • For behavior: Observation, data mining, Log review, Review of incident reports, Social engineering? – Reasonable limitations – Behavior may not always be visible © First Legion Consulting 30
  • 31. © First Legion Consulting 31
  • 32. HIMIS is not prescriptive and does not suggest absolutes… • Practitioner has the freedom to quantify • Quantifying awareness – Fairly easy, for example, – Average score of a quiz to measure awareness from 100 users’ reasonably indicates an average awareness score • Quantifying behaviour may not be possible directly and indirect methods may have to be used. For example, a) Number of violations found for an ESP b) Impact of the violation c) A score derived by consideration of “a” and “b” above © First Legion Consulting 32
  • 33. Suggested outline of the audit report • Introduction: Motivations and reasons for the program • List of ESP’s and the reasons for the selection of each ESP • Strategy for the program • Delivery models • Average awareness score (from averages of each ESP awareness score) • Average behaviour score or text description (from analysis of behaviour audit report). Root cause analysis for poor awareness and behaviour • Possible threat indicators and suggested mitigations • Recommended corrective actions © First Legion Consulting 33
  • 34. 1. Objective: Describe a workable model for reducing information security risks due to human error 2. Talk Plan: I. Differentiate between “Awareness” & “Behavior” II. Case study III. Solution model We are here IV. Recap & Resources © First Legion Consulting 34
  • 35. Recap Responsible information Define Strategize Deliver Verify security behavior © First Legion Consulting 35
  • 36. Tip! Get HR buy-in People are my People are my biggest threat! biggest asset! HR InfoSec manager Manager You must talk the same thing! © First Legion Consulting 36
  • 37. Conclusion If you can influence perception, you can influence the way people choose or react (behavior) Perception is influenced if there is a cost for an action © First Legion Consulting 37
  • 38. If I follow the information security rules will I gain something. If I don’t follow, will I lose something? When you get your users’ to think this way, you are on your way to a better information security culture! © First Legion Consulting 38
  • 39. Resources • Free security awareness videos – www.isqworld.com • Bruce Schneier – The Psychology of Security - http://www.schneier.com/essay-155.pdf • The Information Security Management Maturity Model (ISM3) – www.ism3.com © First Legion Consulting 39
  • 40. Anup Narayanan, Founder & Principal Architect ISQ World, A First Legion Initiative anup@isqworld.com www.isqworld.com © First Legion Consulting 40