Reducing Security Risks Due to Human Error - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011

A talk that is based on my methodology HIMIS (Human Impact Management for Information Security) for reducing information security risks due to human error. To know more about HIMIS, visit http://www.isqworld.com/himis

1. (Title slide, cartoon) Security policy: "Never share passwords". Speech bubble: "Don't tell anyone, my password is….."
   A model for reducing information security risks due to human error
   By Anup Narayanan, Founder & CEO, ISQ World
2. Nelson Mandela offers you a glass of water….
3. This man…. offers you a glass of water
4. Question: Which water will you accept? Why?
5. 1. Objective: Describe a workable model for reducing information security risks due to human error
   2. Talk plan:
      I. Differentiate between "Awareness" & "Behavior" (We are here)
      II. Case study
      III. Solution model
      IV. Resources
   © First Legion Consulting
6. Awareness? "Do not share passwords!"
7. Behavior? "Shred documents before disposing"
8. Putting it together….
   Awareness: I know
   Behavior: I do
   Culture: We do
9. 1. Objective: Describe a workable model for reducing information security risks due to human error
   2. Talk plan:
      I. Differentiate between "Awareness" & "Behavior"
      II. Case study (We are here)
      III. Solution model
      IV. Recap & Resources
10. Case study
    Client: One of the largest mobile service providers in the world
    • What? Spent US$ 100,000 on a security awareness campaign
    • How? Screen savers, posters, emailers
    • Who? Target: all employees
11. What did we do? "Awareness vs. behavior" benchmarking, and produced a scorecard
12. The scorecard
13. Reason 1: Operational issues….
    Message in the poster: "Don't share passwords"
    Response by HR Manager: "If I don't share my password, salaries won't get processed… including that of the InfoSec manager."
14. Reason 2: Confusion... "Too many rules. Which one do I follow?"
15. Reason 3: Perception… "Which is safer?"
16. Reason 4: Attitude… influenced by cost (peer pressure, top management behavior)
    "Nothing's gonna happen to me if I violate the security policies?"
    "Well, I saw her doing it… shall I?"
17. "Awareness" & "Behavior": Independent but interdependent
    Question: A person knows the traffic rules. Does that make the person a good driver?
    Answer: Not necessarily. "Knowing" and "Doing" are two different things.
    Question: A person knows the "information security rules". Does that make the person a responsible information security practitioner?
    Answer: Same as above.
    Knowing = Awareness
    Doing = Behavior
18. 1. Objective: Describe a workable model for reducing information security risks due to human error
    2. Talk plan:
       I. Differentiate between "Awareness" & "Behavior"
       II. Case study
       III. Solution model (We are here)
       IV. Recap & Resources
19. • HIMIS – Human Impact Management for Information Security
    • Objective – To provide a model to reduce security risks due to human error
    • Creative Commons License, free for non-commercial use
    • Download – http://www.isqworld.com , click on the HIMIS link
20. HIMIS solution model – Work backwards
    Goal: Responsible information security behavior
    Stages: Define → Strategize → Deliver → Verify
21. Stage: Define (Define · Strategize · Deliver · Verify)
    • Choose ESPs (Expected Security Practices): information security awareness and behaviour requirements valid for the business
    • Review and approval of ESPs
    • Baseline ESP assessment
22. ESP: Information Classification
    Awareness criterion:
    • The employees must know the different information classification criteria: "Confidential, Internal, Public"
    • The employees must know how to specify the classification, for example, in the footer of each document
    Behaviour criterion:
    • The employees must actually classify the document in day-to-day work. The evidence of this classification must be available.
23. Stage: Strategize (Define · Strategize · Deliver · Verify)
    • For awareness management
      – Coverage
      – Format & visibility: verbal, paper and electronic
      – Frequency
      – Quality of content: impact visualization; clarity & ease of understanding; business relevance; consideration of cultural factors
      – Retention measurement
    • For behavior management
      – Motivational strategies
      – Enforcement/disciplinary strategies
24. Quality of content
    • Impact visualization
    • Clarity & ease of understanding
    • Business relevance
    • Consideration of cultural factors
    Speech bubbles: "Yup! Not the usual glorified PowerPoint" / "Wow! This security awareness video is so cool!"
25. A 120 minute training plan
    • 120 minutes of training in a year
      – 45 minutes classroom or e-learning
      – 15 minutes screen saver (12 x 1 to 1.5 minutes)
      – 15 minutes posters/wallpaper (same as above)
      – 30 minutes through short videos (6 x 5 minutes)
      – 20 minutes through quizzes/surveys (2 x 10 minutes)
26. Behavior management: What works?
    "Let's cut his email access" / "Let's talk to him" / "Let's fire him"
27. Poor security behavior vs. inconvenience (chart: poor security behavior plotted against inconvenience)
28. Poor security behavior vs. cost (chart: poor security behavior plotted against cost of enforcement)
29. Case study 1: Changing behavior (IT Service Provider)
    • What we did?
      – Quarterly "End-User Desktop Audits"
      – Findings were noted and "Signed and Agreed by Auditee"
      – Disputes were noted and "Signed"
      – Audit findings were submitted to the InfoSec team
30. Case study 1: Changing behavior (Electronic Retail Store)
    • Audit finding: Cash boxes are left open when unattended
    • Cost attached: Branch manager will lose 25% of annual bonus for every violation
    • Compliance today is above 98%
31. Stage: Deliver (Define · Strategize · Deliver · Verify)
    • Define tolerable deviation
    • Efficiency
    • Collection of feedback
    • Confirmation of receipt
32. Stage: Verify (Define · Strategize · Deliver · Verify)
    • Audit strategy
      – Selection of ESPs
      – Define sample size
      – Audit methods
        • For awareness: interviews, surveys, quizzes, mind-map sessions
        • For behavior: observation, data mining, log review, review of incident reports, social engineering?
      – Reasonable limitations – behavior may not always be visible
33. (No text on this slide)
34. 1. Objective: Describe a workable model for reducing information security risks due to human error
    2. Talk plan:
       I. Differentiate between "Awareness" & "Behavior"
       II. Case study
       III. Solution model
       IV. Recap & Resources (We are here)
35. Recap
    Goal: Responsible information security behavior
    Stages: Define → Strategize → Deliver → Verify
36. Tip! Get HR buy-in
    Speech bubbles (HR Manager and InfoSec manager): "People are my biggest threat!" / "People are my biggest asset!"
    You must talk the same thing!
37. Conclusion
    If you can influence perception, you can influence the way people choose or react (behavior).
    Perception is influenced if there is a cost for an action.
38. "If I follow the information security rules, will I gain something? If I don't follow, will I lose something?"
    When you get your users to think this way, you are on your way to a better information security culture!
39. Resources
    • Free security awareness videos – www.isqworld.com
    • Bruce Schneier – The Psychology of Security – http://www.schneier.com/essay-155.pdf
    • The Information Security Management Maturity Model (ISM3) – www.ism3.com
40. Anup Narayanan, Founder & Principal Architect
    ISQ World, A First Legion Initiative
    anup@isqworld.com
    www.isqworld.com