A model for reducing information security risks due to human error
By Anup Narayanan, Founder & CEO, ISQ World
[Poster: “Shred documents before disposing”]
1. Objective: Describe a workable model for reducing information security risks due to human error
2. Talk plan:
   I. Differentiate between “Awareness” & “Behavior”
   II. Case study
   III. Solution model
   IV. Recap & Resources
We are here: I. Differentiate between “Awareness” & “Behavior”
© First Legion Consulting
Awareness? “Do not share passwords!”
Behavior? “Don’t tell anyone, my password is…”
Putting it together…
Awareness: I know
Behavior: I do
Culture: We do
We are here: II. Case study
Case study
Client: one of the largest mobile service providers in the world
• What? Spent US$100,000 on a security awareness campaign
• How? Screen savers, posters, emailers
• Who? Target: all employees
What did we do?
“Awareness vs. behavior” benchmarking, producing a scorecard
The scorecard
Why are my users not following the information security policy?
Root cause analysis of poor information security behavior
Reason 1: Operational issues…
Message in the poster: “Don’t share passwords”
Response by HR manager: “If I don’t share my password, salaries won’t get processed here… including that of the InfoSec manager.”
Reason 2: Confusion… too many rules
“Which one do I follow?”
Reason 3: Perception…
“Which is safer?”
Reason 4: Attitude… influenced by cost (peer pressure, top management behavior)
“Nothing’s gonna happen to me if I violate the security policies.”
“Well, I saw her doing it… shall I?”
“Awareness” & “Behavior”: independent but interdependent
Question: A person knows the traffic rules. Does that make the person a good driver?
Answer: Not necessarily. “Knowing” and “doing” are two different things.
Question: A person knows the “information security rules”. Does that make the person a responsible information security practitioner?
Answer: Same as above.
Knowing = Awareness
Doing = Behavior
We are here: III. Solution model
• HIMIS – Human Impact Management for Information Security
• Objective – To provide a model to reduce security risks due to human error
• Creative Commons License, free for non-commercial use
• Download – http://www.isqworld.com, click on the HIMIS link
HIMIS solution model – work backwards
Define → Strategize → Deliver → Verify
Goal: Responsible information security behavior
Define (→ Strategize → Deliver → Verify)
• Choose ESPs (Expected Security Practices: the information security awareness and behaviour requirements) valid for the business
• Review and approval of ESPs
• Baseline ESP assessment
ESP: Information classification
Awareness criterion:
The employees must know the different information classification levels: “Confidential, Internal, Public”.
The employees must know how to specify the classification, for example in the footer of each document.
Behaviour criterion:
The employees must actually classify documents in day-to-day work. The evidence of this classification must be available.
Strategize (Define → Strategize → Deliver → Verify)
• For awareness management
  – Coverage
  – Format & visibility: verbal, paper and electronic
  – Frequency
  – Quality of content
     • Impact visualization
     • Clarity & ease of understanding
     • Business relevance
     • Consideration of cultural factors
  – Retention measurement
• For behavior management
  – Motivational strategies
  – Enforcement / disciplinary strategies
Quality of content (illustrated)
“Wow! This security awareness video is so cool!”
“Yup! Not the usual glorified PowerPoint.”
Behavior management: what works?
“Let’s fire him.”
“Let’s cut his email access.”
“Let’s talk to him.”
[Chart: Poor security behavior vs. inconvenience]
[Chart: Poor security behavior vs. cost (enforcement)]
Case study 1: Changing behavior (IT service provider)
• What we did:
  – Quarterly “end-user desktop audits”
  – Findings were noted and “signed and agreed by auditee”
  – Disputes were noted and “signed”
  – Audit findings were submitted to the InfoSec team
Case study 2: Changing behavior (electronic retail store)
• Audit finding: Cash boxes are left open when unattended
• Cost attached: The branch manager loses 25% of the annual bonus for every violation
• Compliance today is above 98%
Deliver (Define → Strategize → Deliver → Verify)
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt
Verify (Define → Strategize → Deliver → Verify)
• Audit strategy
  – Selection of ESPs
  – Define sample size
  – Audit methods
     • For awareness: interviews, surveys, quizzes, mind-map sessions
     • For behavior: observation, data mining, log review, review of incident reports, social engineering?
  – Reasonable limitations
     • Behavior may not always be visible
HIMIS is not prescriptive and does not suggest absolutes…
• The practitioner has the freedom to quantify
• Quantifying awareness – fairly easy; for example, the average score of a quiz taken by 100 users reasonably indicates an average awareness score
• Quantifying behaviour may not be possible directly, and indirect methods may have to be used, for example:
  a) Number of violations found for an ESP
  b) Impact of the violation
  c) A score derived by considering “a” and “b” above
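One way to turn the quantification above (and the “awareness vs. behavior” scorecard from the case study) into a working scorecard, as an added example that is not part of HIMIS or the original talk: awareness is the mean quiz score per ESP; behaviour is an indirect score derived from the number of violations found (a) weighted by their impact (b), normalised to 0–100 (c), and an ESP is flagged when people know the rule but do not follow it. The impact weights, the 0–100 normalisation, the 30-point gap threshold, the `Esp` record and the sample data are all assumptions; behaviour is reported as unknown when nothing was observable, following the slide’s caveat that behavior may not always be visible.

```python
"""Awareness-vs-behaviour scorecard for Expected Security Practices (ESPs).

Added example, not HIMIS or ISQ World code. Impact weights, the 0-100 scale,
the gap threshold and the sample data below are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Optional

# Assumed impact weights for a violation; a practitioner sets their own.
IMPACT_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Esp:
    name: str
    quiz_scores: list            # one 0-100 score per user who took the quiz
    sample_size: int             # users/objects covered by the behaviour audit
    violations: list = field(default_factory=list)  # impact label per violation found


def awareness_score(esp: Esp) -> float:
    """Mean quiz score across the sampled users (0-100)."""
    return round(mean(esp.quiz_scores), 1)


def behaviour_score(esp: Esp) -> Optional[float]:
    """Indirect behaviour score: 100 minus impact-weighted violations,
    normalised by the worst case (every audited sample violating at high
    impact). None when nothing was observable (sample_size == 0)."""
    if esp.sample_size <= 0:
        return None
    worst = IMPACT_WEIGHT["high"] * esp.sample_size
    weighted = sum(IMPACT_WEIGHT[v] for v in esp.violations)
    return round(100.0 * (1.0 - min(weighted, worst) / worst), 1)


def scorecard(esps, gap_threshold=30.0):
    """One row per ESP; 'flag' marks an ESP where awareness exceeds
    behaviour by at least gap_threshold points (know it, don't do it)."""
    rows = []
    for esp in esps:
        a = awareness_score(esp)
        b = behaviour_score(esp)
        gap = None if b is None else round(a - b, 1)
        rows.append({"esp": esp.name, "awareness": a, "behaviour": b,
                     "gap": gap, "flag": gap is not None and gap >= gap_threshold})
    return rows


# Constructed sample data (not from the talk's client engagements).
SAMPLE_ESPS = [
    Esp("Do not share passwords", [90, 100, 80, 90, 100], 20,
        ["high"] * 8 + ["medium"] * 4),          # well known, widely violated
    Esp("Classify documents", [60, 70, 50, 80, 60], 20, ["low", "low"]),
    Esp("Shred documents before disposing", [100, 100, 90, 100, 90], 10),
    Esp("Report suspicious emails", [80, 90, 70, 80, 80], 0),  # not observed this quarter
]

if __name__ == "__main__":
    for row in scorecard(SAMPLE_ESPS):
        print(row)
```

Running the script prints one row per ESP; in the constructed data the password ESP scores 92 on awareness but only about 47 on behaviour and is flagged, which is the pattern the case study found: the campaign raised what people know without changing what they do.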
Suggested outline of the audit report
• Introduction: motivations and reasons for the program
• List of ESPs and the reasons for the selection of each ESP
• Strategy for the program
• Delivery models
• Average awareness score (from the averages of each ESP awareness score)
• Average behaviour score or text description (from analysis of the behaviour audit report)
• Root cause analysis for poor awareness and behaviour
• Possible threat indicators and suggested mitigations
• Recommended corrective actions
We are here: IV. Recap & Resources
Recap
Define → Strategize → Deliver → Verify
Goal: Responsible information security behavior
Tip! Get HR buy-in
HR manager: “People are my biggest asset!”
InfoSec manager: “People are my biggest threat!”
You must talk the same thing!
Conclusion
If you can influence perception, you can influence the way people choose or react (behavior).
Perception is influenced if there is a cost for an action.
“If I follow the information security rules, will I gain something? If I don’t follow, will I lose something?”
When you get your users to think this way, you are on your way to a better information security culture!
Resources
• Free security awareness videos – www.isqworld.com
• Bruce Schneier – The Psychology of Security – http://www.schneier.com/essay-155.pdf
• The Information Security Management Maturity Model (ISM3) – www.ism3.com
Anup Narayanan, Founder & Principal Architect
ISQ World, A First Legion Initiative
www.isqworld.com