Security on the Brain – Using Human Psychology to Achieve Compliance: ISSA-UK Expert Workshop
Presented by Adrian Wright, ISSA-UK VP of Research

One of the biggest wake-up calls in recent times is the realisation that more than 60% of major security breaches and data losses are down to 'human factor' failings. Our main weapon in mitigating these failings is to spend more on in-house awareness campaigns and on technical measures to minimise any losses, yet incidents and losses continue to increase. Clearly these existing awareness campaigns and controls are not enough, as the message is still not getting through or isn't being complied with. This presentation and workshop session challenges current thinking and strategies in dealing with people as both an asset and a source of risk, by leveraging human psychology and people's differing motivations to improve communication, change opinions and turn basic awareness into actual compliance.

In this session

Learn:
- The psychology of why we don't comply – why awareness alone won't do
- What motivates people to do – or not do – specific things
- Neurolinguistics – it's not just what you say, but how you say it and to whom
- Divide and conquer – adapting your message to target specific personality types
- Changing the security culture by changing people's belief systems
- Dirty tricks (slightly) – tactics that work in changing behaviour
- Selling the unsellable – lessons from other sectors in making boring stuff sexy

Participate:
- Informal group discussion of challenges and successes from your experience
- Identifying your audience's character types and shaping the message
- Influencing the Board by speaking their language
- Developing an internal PR strategy to improve security's image and influence
- Developing a brand new and more effective mission statement for your team

About the Presenter: Adrian Wright CISA
- 20 years' experience in Information Security, IT Risk Management & Compliance
- Specialist in managing security, risk and compliance awareness campaigns
- 9 years Global CISO / Head of InfoSec at Reuters, covering 142 countries and 250,000 systems
- 10 years founder and programme director at Secoda Risk Management
- Experienced speaker and writer on all things cyber security, governance, risk & compliance
- 2 years Director of Projects and 1 year VP of Research & Board member at ISSA-UK

Having spent decades looking into the darker recesses and failings within technology, Adrian has recently turned his attention to the darker recesses and failings within the human beings that work with the technology…
ISSA-UK Transport Security Expo Workshop 2013
Adrian Wright
CEO Secoda Risk Management
Board & VP Research ISSA-UK
Security on the Brain: Using Human Psychology to Achieve Compliance
Human Psychology in Risk & Security – Agenda
1. Risk Factors presentation: 10:00
2. Workshop 1 (group exercise): 10:30
3. Compliance Factors presentation: 11:00
4. Workshop 2 (group exercise): 11:30
5. Debate and closing remarks: 12:00
How I arrived here
• 20 years in IT Risk and Security – trying to make people aware and compliant
• CISO Reuters 9 years: 17000 staff, 250,000 systems, 142 countries
• Observed that some strategies work – and many that don’t…
• Like Penicillin, some successes are discovered by accident
• Follow-up research with security associations and CISO surveys
• Incorporated useful NLP & psychology strategies
• This is the story so far and proven strategies shown to actually work…
It's all about people
• Need for security has never been greater
  • Critically dependent on information
  • Mandated by regulators, PCI, customers
  • No fallback option
  • Threats, vulnerabilities & losses growing
• Easy to convince ourselves it's a tech issue
  • Encryption, DLP, pen testing, patching will fix it?
  • Hackers & fraudsters
  • Investment in tech security measures growing
• Information security just isn't sexy
  • Especially the non-tech, HR-sounding bits…
  • It's all doom and gloom
  • It's a cost centre, not a profit centre
  • Gets in the way of business progress
• We've become used to all the problems
  • News full of breach stories every day
  • Post PRISM the bar is permanently lowered…
• "If we once accept the unacceptable, the unacceptable becomes the norm"
"We struggle with getting management and staff to accept that their behaviour must be modified in order to improve security practices."
[Security Survey Respondent, Manufacturing industry, Western Europe]
Causes of data loss breaches
Source: DataLossDB.org, http://datalossdb.org/statistics
Most breaches result from non-technical errors.

Non-technical breach       %    Fraud    %    Technical breach   %    Unknown   %
Snail-mail                 5    Fraud    9    Virus              1    Unknown   4
Document disposal          5                  Hacking           16
Stolen computer            7                  Web               12
Email                      4
Lost media                 3
Stolen document            3
Stolen media               2
Lost document              2
Lost tape                  2
Lost drive                 1
Stolen drive               1
Stolen tape                1
Lost laptop                1
Misc loss/disposal (<1%)   2
Stolen laptop             19
Totals                    58             9                      29              4

Nearly 60% of losses are due to procedural error, carelessness, failure to adhere to policies, etc.
Human Perceptions of Risk
"Security is both a feeling and a reality. And they're not the same." – Bruce Schneier
How well do we assess risk?
National Safety Council – whole-USA statistical averages
One-year odds of dying (USA) as a direct result of:

Cause                                        One-year odds
• Air / space transport accident             1 in 502,554
• Automobile incident – driver/occupant      1 in 20,331
• Automobile incident – pedestrian           1 in 48,816
• Hit by lightning                           1 in 6,177,230
• Flood                                      1 in 24,708,922
• Earthquake                                 1 in 8,013,704
• Shot by firearm (assault)                  1 in 24,005
• Shot by firearm (self-inflicted)           1 in 17,440
• Some type of accidental trip or fall       1 in 15,085
• War                                        1 in 10,981,743

Source: US National Safety Council – Injury Facts 2006: www.nsg.org
Example – Terrorism risk
• You are 12,571 times more likely to die from cancer than from a terrorist attack
• You are 11,000 times more likely to die in an airplane accident than from a terrorist plot involving an airplane
• You are 1,048 times more likely to die from a car accident than from a terrorist attack
• You are 404 times more likely to die in a fall than from a terrorist attack
• You are 87 times more likely to drown than die in a terrorist attack
• You are 13 times more likely to die in a railway accident than from a terrorist attack
• You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack
• You are 9 times more likely to choke to death on your own vomit than die in a terrorist attack
• You are 8 times more likely to be killed by a police officer than by a terrorist
• You are 8 times more likely to die from accidental electrocution than from a terrorist attack
• You are 6 times more likely to die from hot weather than from a terrorist attack

Statistics from a 2004 National Safety Council report, the National Center for Health Statistics, the U.S. Census Bureau, and 2003 mortality data from the Centers for Disease Control.
Perceived vs Actual Risk
• "Security is both a feeling and a reality – and they're not the same" – Bruce Schneier, The Psychology of Security, 2008
• We're getting close to the truth of this now, or at least to a useful definition
• Millions of years of evolution
• Finely tuned reptilian brain: instant fight-or-flight decisions for in-your-face risks
• Sabre-toothed tigers, strangers entering the camp, crossing the road. Modern business?
• The initial stimulus for starting the cerebral risk management process is change
• And most changes involve a conscious decision. Note the word 'conscious'
• So… if you're not making a decision, there's no trigger for the risk process
Why do we get it so wrong?
• People exaggerate spectacular but rare risks and downplay common risks.
• People have trouble estimating risks for anything not exactly like their normal situation.
• Personified risks are perceived to be greater than anonymous risks.
• People underestimate risks they willingly take and overestimate risks in situations they can't control.
• Last, people overestimate risks that are being talked about and remain an object of public scrutiny.
• David Ropeik and George Gray have a longer list in their book "Risk: A Practical Guide for Deciding What's Really Safe and What's Really Dangerous in the World Around You"
Emotional responses to risk
• People focus on the emotionally perceived severity of the outcome, rather than on its likelihood
• Example: since 9/11 the western world has been preoccupied with terrorism
  – US Homeland Security expenditure since 9/11 exceeds 1 trillion dollars
  – We live under increasing surveillance and security controls / restrictions
  – Policy is shaped by focusing on worst-case scenarios
  – Former Secretary of Homeland Security Tom Ridge admits he was pressured to raise terror alerts to help Bush win re-election
• In the months after 9/11, so many people chose to drive instead of fly that the resulting deaths dwarfed the deaths from the terrorist attack itself, because cars are much more dangerous than airplanes.
No personal risk…
Fact: 1 in 5 employees have personally provisioned a cloud service without IT's knowledge [1]
– 61% say it's easier to provision cloud services themselves
– 50% report it takes too long to go through IT
– 27% admit their company's policy actually prohibits the cloud services they want
– While 60% say they have corporate policies in place that prohibit such actions, respondents say there are no real deterrents to purchasing cloud services by stealth
– In fact, 29% report no ramifications whatsoever, and another 48% say it's little more than a warning
– The biggest issue is that a quarter of execs don't have open communication with the departments and business unit leaders that may be provisioning their own cloud services
– Enter "cloud sprawl": the unmanaged spread of public cloud services inside the enterprise

[1] Avanade global survey 2011 | 573 C-level execs, BU leaders & IT decision-makers in 18 countries
The Psychology of Why We Don't Comply
"The simple truth is that people are motivated for their own reasons, not ours"

WIIFM – the world's most listened-to station
• We all listen to it, all the time (you are probably doing it right now)
• When we are asked to do something: What's In It For Me?
• Where there is an obvious potential benefit to self, it's an easy decision
• Where there is no obvious benefit: avoid, put off, refuse, circumvent, argue
  – Result: introduction of penalties for non-compliance (which reinforces negative perceptions)
• The human brain is bad at processing negative concepts
  – DON'T THINK OF DANCING BLUE FROGS!!!
  – The DON'T instruction can only be processed after you've thought of dancing blue frogs!
  – Tell a child "Mind you don't spill that glass!"… then wait 2 minutes…
• Our security policies and mission statements are linguistically full of don'ts and negative consequences
Motivation
What motivates people to do or not do certain things?
– All of humankind can be divided into two motivational groupings:
  1. People who are primarily motivated by staying away from certain situations and things; and
  2. Those who are primarily motivated to move towards certain situations and things.
  Note: towards-motivated people tend to have a lower perception of, and higher tolerance for, risk
– Many of us in security and risk management will be of the away-from motivated type: e.g. "we need to avoid that happening, therefore we need to do x". An away-from employee might be thinking more about not getting fired than being attracted by future success.
Linguistic signals

University of Texas at Austin – Information Security Office Mission Statement
• "The mission of the Information Security Office (ISO), as required by state law, is to assure the security of the university's Information Technology (IT) resources and the existence of a safe computing environment in which the university community can teach, learn, and conduct research. The ISO collaborates with campus IT leaders and university audit, compliance, and legal units to support the university's teaching, research, and public service missions."

Toronto Marketing Group Mission Statement
• "It's simple: we aim to be the best and we want to expand globally. We will achieve this with an impeccable reputation and perfect track record for success in winning client satisfaction."
• "We are targeted with opening the 20 biggest markets in Canada in the next 2 years. Our goal is to have 1000 associates in our company and to have 50 affiliated marketing companies that will run our campaigns and locations. We will be working with Clients in Finance, Telecoms, Business Services, Charities, Cosmetics, Property, Music…"

Towards-motivated types use words such as: accomplish, attain, obtain, get, achieve, rewards, growth, goals, aim, expand, targets.
Away-from motivated types use words such as: security, risk, avoid, steer clear of, prevent, eliminate, solve, fix, get rid of, prohibit.

Challenge: couldn't the security mission statement be rewritten to read more like the marketing one?
Internal vs External (locus of responsibility)
• People who assess their performance via their own internal standards/beliefs, or
• Through information/feedback from external sources
  – Internal: own internal standards & beliefs; make their own judgements on their work; don't accept outside direction & ideas; don't give or accept feedback; may be difficult to supervise
  – External: like being managed and receiving outside direction & feedback; need to be externally motivated and to know how well they are doing
• Internal types are motivated by: "I need your opinion", "help us decide"
• External types are motivated by: "others will think highly of you if…", "you will receive recognition", "according to the experts…"
  – Unmasking question: "How do you know if you have done a good job?"
Options vs Procedures
• Options: this group likes to do things another way. They like bending/breaking the rules, start projects but don't finish them, and explore new possibilities.
  – typical roles: fashion designer, inventor, process re-engineering
or
• Procedures: this group needs to follow set rules/processes. They are more concerned with how to do something than why.
  – typical roles: bookkeeper, commercial airline pilot
• Options types are motivated / influenced / identified by words such as:
  – opportunity, alternatives, break the rules, flexibility, variety, unlimited possibilities, expand your choices, options
• Procedures types are motivated / influenced / identified by words such as:
  – correct way, tried and tested, first… then… lastly, proven path, set procedure, follow this to the letter
Awareness isn’t working
“Hello”
“Yes?”
“Did you finish the security awareness training?”
“Yes”
“So are you aware now?”
“Yes”
“Ok – thank you. Goodbye”
Unfortunately the respondent has a significant likelihood of being:
• Towards-motivated (blind to, and unmotivated by, away-from concepts like risk)
• Internal (works to their own values & beliefs, doesn't give feedback)
• Options (breaks or circumvents rules, doesn't follow instructions, finds another way)
So yes, they may have done the course, but they probably won't buy in to it or comply with it: it conflicts with their own motivations, value system and modus operandi.
"We need to address culture change at the level of people's motivation and belief systems"
Workshop Group Session 1
Security on the Brain – Workshop Session 1 (30 mins)
• Warm-up debate: discuss and agree a list of 2 well-known celebrities from the business world who you believe are Towards motivated, and 2 who you believe may be Away-From motivated, and why (5 mins)
• Write a group mission statement for your virtual security team that will gain senior management attention and support for your security mission (15 mins)
• Statistically there will be a number of employees who have a Towards Motivated + Internal + Options profile (!!). From what you've learned, suggest ways of reaching out to and gaining buy-in from these people (10 mins)
Leveraging Psychology to Achieve Results
"Case Studies of What Actually Works"

Dirty Tricks (not really)
"A man convinced against his will is of the same opinion still."
— Benjamin Franklin
I'm better than you!
• Online training & testing campaign at a major insurer
• Final knowledge test: user informed of pass/fail result
• Usual user apathy/resistance
• Added a personalised, printable PDF 'diploma' for a successful pass
• Then… we added more information to the certificate! Specifically, the percentage pass score.
• 1000 staff rushed to take the test on the same day, and the testing server crashed!
• Eureka moment #1: people can't help competing with each other
I wanna be first – certainly not last!
• Implemented a security awareness & compliance system with user acceptance / tests
• Employees can see their % progress
• Managers can see the progress of their staff
• Useful improvement in levels of compliance, particularly because managers can view it
• With the towards-motivated vs away-from trait in mind: added a benchmarking display (shows how each user is performing against the average of their peers)
• Eureka moment #2! Employees rushed to comply more than their colleagues
• Effect of 'ratcheting up' compliance to 100% within days
Divide & conquer: psycho-linguistically
• Notice how some words seem to 'work' and others don't?
• We've already seen how different words will register with or appeal to different types (e.g. towards, away-from)
• We've also seen how certain job roles will attract certain personality types
• At the risk of generalising: appeal to those character types by role
• Select wording and values that work for particular character types
• Include motivators (positive & negative) and wording to best influence each personality type

Step 1 – Embed motivators
  – Results-driven incentives to comply, excel, achieve
  – Risk-driven consequences for 'do nothing', 'avoid', 'breach'
Step 2 – Add role-based guidance
  – Map guidance to mandates; use words that motivate that type
  – Opportunity to make guidance more useful / understandable
Step 3 – Make compliance role-based
  – Word policies etc. to appeal to specific character types
  – Map character types to their most likely roles
Surfing the Indignation
• Organisations don't think about security incidents until they have one!
• Management attention quickly subsides after the clean-up
  – evidence from a series of risk assessment workshops
  – demonstrates the phenomenon of short-term corporate memory…
• Use this small window of opportunity to get what you want
  – pre-prepare projects, proposals and endorsements so they are ready when the window opens
  – incidents are a great opportunity to improve processes, controls and culture
  – I coined the phrase 'Surfing the Indignation' for increasing the profile of information security while management attention is still on the issue
Workshop Group Session 2
Security on the Brain – Workshop Session 2 (30 mins)
• Group discussion point: in your respective organisations, where do you believe your most influential target audience sits? (15 mins)
  – E.g. what group, function or person will you target with your key message in order to:
    • Gain the most powerful support, endorsement, backing, funding?
    • Change the overall perception of your security team and its value?
    • Achieve the best possible communication (attention + acceptance) of your security message across the organisation?
    • Reach a good level of staff compliance with your policies/procedures across the whole business?
• Given our new insight into the differences between actual risks and perceived ones, how will you improve the ways you measure, prioritise and communicate risk awareness across the business? (15 mins)
Selling the Unsellable
"Lessons from other sectors"

Management attitudes (actual!)
• "We don't measure or catalogue our risks, because then we'll have to do something about them"
• "We don't have any security policies. Our staff don't like them"
• "We perform hundreds of risk assessments a year and just store the results"
• "We keep the results within the group. We don't want senior management on our backs if they saw how bad it is"
• "We have a well-used business impact assessment process; unfortunately nearly all our systems appear in the red category so we don't have a means of deciding which ones are highest priority"
• "We've adjusted the risk process so it shows fewer things as critical"
Lessons from the insurance industry
• Years ago insurance was hard to sell. It was all doom and gloom, complicated and difficult to buy (sound familiar?)
• The landscape has changed: insurance is now a legal requirement if you drive, and you cannot get a mortgage without it
• So now we sell the upside: faster to buy into, best price, visually entertaining, more options…
• So… perhaps we could learn something here?
Conclusions
• It's people, not just technology, that need patching
• It's a people problem, and people fall into defined personality groups. Understand what motivates each type and how to communicate with it
• Use role-based policies and awareness as a means of targeting each personality type with motivators tailored to that group
• Make the security function 'towards-motivated', not just 'away-from' motivated. Combine towards and away-from for maximum effect
• Get a neurolinguistic makeover: put a positive spin on your messages
• If you are selling fear, make it graphic and hard-hitting
• If you are selling a necessary chore, make it easier to buy into
• Ideally don't sell either: sell benefits, cost savings, efficiency
Crisis – or Opportunity?
Weiji [way-jhee], modern Chinese for "crisis"
"The word 'crisis' is composed of two characters: one represents danger, and the other represents opportunity."
Final Thoughts
Raise your horizons…
Embrace the new opportunities…
But hey – be careful out there!
Suggested Reading
U.S. Centers for Disease Control report (source for the terrorism-risk comparisons above)
Keep in mind when reading this entire piece that we are consistently and substantially understating the risk of other causes of death as compared to terrorism, because we are comparing deaths from various causes within the United States against deaths from terrorism worldwide.