The Difference Between the Reality and Feeling of Security by Thomas Kurian

The paper shall focus on the following:
1) Introduction to the problem: focus on "security awareness", not "behavior"
2) Real-life case study of why a US$100,000 "security awareness" project failed
   a. Identifying the human component in information security risks
   b. Addressing the human component using "awareness" and "behavior" strategies
4) Sample real-life case studies where quantifiable change has been observed
Original research and publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information Security) authored by Anup Narayanan and published under "Creative Commons,

More from ClubHack (20)

  1. "She looks trustworthy" / "I'm gonna steal your toys". The difference between the "Reality" and "Feeling" of Security: Human perception and its influence on information security
  2. The 3 pieces that make up information security: Technology (firewall), People and Process, built around Information. Technology and processes are only as good as the people that use them
  3. Focus of the talk • The human factor in information security • The difference between "Awareness" and "Competence" • The power of perception • Solution model + examples
  4. Awareness: I know the traffic rules….
  5. Competence? Does it guarantee that I am a good driver?
  6. ….even in information security!!!! "Don't tell anyone, my password is….." versus the Security Policy: Never share passwords
  7. Awareness >> Behaviour >> Culture. Awareness: "I know" • Behaviour (Competence): "I do" • Culture: "We know and do". Aim for a responsible security culture
  8. What do organizations need? A system that periodically shows the current security awareness and competence levels, e.g. "Awareness score is 87%" on a LOW / MEDIUM / HIGH AWARENESS scale and "Competence score is 65%" on a LOW / MEDIUM / HIGH COMPETENCE scale. A smart attacker will always try to influence the perception of the employee
  9. The power of perception: Why do people make security mistakes?
  10. Imagine… APJ Abdul Kalam walks into this room right now and offers you this glass of water….
  11. Now, imagine this… This man walks into this room right now and offers you this glass of water….
  12. Question: Which water did you accept? Why?
  13. Analysis: Were you checking the water or the person serving the water? People decide what is good and what is bad based on "trust". Perception is influenced by trust
  14. How do people make security decisions? The influence of perception
  15. Analysis: Of these two, which terrifies you the most? More people die of heart attacks than by getting eaten by sharks. You may feel safe when you are actually not
  16. Analysis: Of these two, which terrifies you the most? Adrenoleukodystrophy. More kids die choking on french fries than due to adrenoleukodystrophy. People exaggerate risks that are uncommon
  17. I hope now it is clear that we must address the human factor…. Let us summarize…
  18. Reason 1: Security is both a "Reality" and a "Feeling". For security practitioners security is a "reality" based on the mathematical probability of risks. For the end user security is a "feeling". Success lies in influencing the "feeling" of security
  19. RSA Attack
  20. The Incident: In March 2011, RSA, one of the foremost security companies in the world, disclosed that cyber-attacks had penetrated its internal networks and extracted information from its systems. The consequences were • Financial loss • Reputational loss
  21. Attack: An employee clicked on the attachment of the mail. The embedded component exploited a vulnerability
  22. Analysis: Why did the attack happen?
  23. You may wonder… RSA must have best-in-class firewalls, anti-virus and other security systems. So, how did this attack happen? It failed to address the human factor
  24. Reason 2: Technology…yes, but humans…of course! Aircraft have become more advanced, but does that mean pilot training requirements have reduced? Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
  25. The Solution Model: Security Awareness and Competence Management
  26. The solution is based on HIMIS • HIMIS – Human Impact Management for Information Security • Released under a Creative Commons license • Free for non-commercial use • http://www.isqworld.com/himis
  27. HIMIS Implementation Model: Define >> Strategize >> Deliver >> Verify >> Responsible Information Security Behavior
  28. Define • Choose the ESPs (Expected Security Practices) • Review and approval of ESPs
  29. Strategize. For awareness management: • Coverage • Format & visibility: verbal, paper and electronic • Frequency • Quality of content • Retention measurement (surveys, quizzes). For behavior management: • Motivational strategies • Enforcement/disciplinary strategies
  30. Deliver • Define tolerable deviation • Efficiency • Collection of feedback • Confirmation of receipt
  31. Verify • Audit strategy • Selection of ESPs • Define sample size • Audit methods. For awareness: interviews, surveys, quizzes. For behavior: observation, review of incident reports, social engineering?
  32. Examples • Deploy false emails seeking information • Tailgating into the facility • Placing media labeled "confidential information" in the cafeteria or other places
  33. Reporting model: "Organization's awareness score was 87%" on a LOW / MEDIUM / HIGH AWARENESS scale; "Organization's competence score was 65%" on a LOW / MEDIUM / HIGH COMPETENCE scale
  34. HIMIS Focus
  35. 1. Differentiate between Awareness and Competence: consider both "Awareness" and "Competence" independently. For each ESP (Expected Security Practice): Assess, Improve, Re-assess, separately for Awareness and for Behaviour (Competence)
  36. 2. Visualize ….and influence perception
  37. 3. Scenario-based training (make people solve challenges)
  38. Example Video (PLAY)
  39. 4. Remember drip irrigation. Which is more effective – drip irrigation or spraying a lot of water once a day? Small doses, more frequent
  40. 5. Re-measure frequently: Organization's awareness score was 87%; now? (LOW / MEDIUM / HIGH AWARENESS). Organization's competence score was 65%; now? (LOW / MEDIUM / HIGH COMPETENCE)
  41. Summary: "A smart user in front of the computer is a good security control and is not that expensive."
  42. Let's switch ON the Human Layer of Information Security Defence. Thank you. http://www.isqworld.com/himis
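The scorecards on slides 33, 35 and 40 keep an awareness score and a competence score apart and re-measure both per Expected Security Practice (ESP). The Python below is an added illustration written for this page; it is not HIMIS's own tooling and does not come from the original deck. It scores awareness only from quiz answers and competence only from observed behaviour in simulated tests (the phishing mail, tailgating and dropped-media checks of slide 32), bands each score LOW / MEDIUM / HIGH, flags ESPs where people pass the quiz but fail the behavioural test, and reports the change between two measurement rounds. The band cut-offs (70 and 40), the field names and the sample observations are all assumptions constructed for the example.

```python
# Added worked example: score "awareness" and "competence" separately per
# Expected Security Practice (ESP), band the scores and compare two rounds.
# Illustrative code written for this page, not HIMIS's own tooling.
# Band cut-offs, field names and the sample data below are assumptions.
from typing import Dict, List, Optional, NamedTuple

# Assumed cut-offs: the slides show LOW/MEDIUM/HIGH bands but no thresholds.
BANDS = ((70, "HIGH"), (40, "MEDIUM"), (0, "LOW"))


class Observation(NamedTuple):
    esp: str                 # Expected Security Practice being measured
    employee: str
    quiz_correct: bool       # awareness: answered the quiz question on this ESP correctly
    behaved: Optional[bool]  # competence: did the right thing in a simulated test (None = not tested)


def band(score: int) -> str:
    """Map a 0-100 score to the band used in the reporting model."""
    for cutoff, name in BANDS:
        if score >= cutoff:
            return name
    return "LOW"


def score_esp(obs: List[Observation]) -> Dict[str, Optional[int]]:
    """Awareness comes only from quiz answers, competence only from observed
    behaviour, so 'I know' and 'I do' never get blended into one number."""
    awareness = round(100 * sum(o.quiz_correct for o in obs) / len(obs))
    tested = [o for o in obs if o.behaved is not None]
    competence = round(100 * sum(o.behaved for o in tested) / len(tested)) if tested else None
    return {"awareness": awareness, "competence": competence}


def report(obs: List[Observation]) -> Dict[str, Dict[str, object]]:
    """Per-ESP scores and bands, like the organisation-level scorecard on the slides."""
    by_esp: Dict[str, List[Observation]] = {}
    for o in obs:
        by_esp.setdefault(o.esp, []).append(o)
    out: Dict[str, Dict[str, object]] = {}
    for esp, rows in by_esp.items():
        s = score_esp(rows)
        a, c = s["awareness"], s["competence"]
        out[esp] = {
            "awareness": a, "awareness_band": band(a),
            "competence": c, "competence_band": band(c) if c is not None else "NOT MEASURED",
        }
    return out


def knows_but_does_not(rep: Dict[str, Dict[str, object]], min_gap: int = 30) -> List[str]:
    """ESPs where people pass the quiz but fail the behavioural test: the
    'I know the traffic rules' but 'am I a good driver?' gap from the talk."""
    return sorted(
        esp for esp, r in rep.items()
        if r["competence"] is not None and r["awareness"] - r["competence"] >= min_gap
    )


def compare_rounds(before, after) -> Dict[str, Dict[str, int]]:
    """Score change per ESP between two measurement rounds (re-measure frequently)."""
    deltas: Dict[str, Dict[str, int]] = {}
    for esp in before.keys() & after.keys():
        deltas[esp] = {
            k: after[esp][k] - before[esp][k]
            for k in ("awareness", "competence")
            if before[esp][k] is not None and after[esp][k] is not None
        }
    return deltas


def _rows(esp: str, n: int, quiz_ok: int, behaved_ok: int) -> List[Observation]:
    """Construct n observations: the first quiz_ok pass the quiz, the first behaved_ok behave."""
    return [Observation(esp, f"emp{i:02d}", i < quiz_ok, i < behaved_ok) for i in range(n)]


# Constructed sample data (not real survey or audit results).
ROUND_1 = (_rows("Never share passwords", 10, quiz_ok=9, behaved_ok=4)
           + _rows("Report suspicious email", 10, quiz_ok=6, behaved_ok=6))
# Assumed second round after scenario-based training delivered in small, frequent doses.
ROUND_2 = (_rows("Never share passwords", 10, quiz_ok=9, behaved_ok=7)
           + _rows("Report suspicious email", 10, quiz_ok=8, behaved_ok=7))

if __name__ == "__main__":
    r1, r2 = report(ROUND_1), report(ROUND_2)
    for esp, r in r1.items():
        print(f"{esp}: awareness {r['awareness']}% ({r['awareness_band']}), "
              f"competence {r['competence']}% ({r['competence_band']})")
    print("Knows but does not do:", knows_but_does_not(r1))
    print("Change after round 2:", compare_rounds(r1, r2))
```

In the constructed first round, "Never share passwords" scores 90% awareness (HIGH) but only 40% competence (MEDIUM), so it is the ESP the gap check flags; an awareness-only programme would have reported it as solved. The competence figure only ever comes from rows with a recorded behavioural outcome, so an ESP that was surveyed but never audited is reported as NOT MEASURED rather than silently scored from the quiz.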
