The paper shall focus on the following:
1) Introduction to the problem: focus on "security awareness", not "behavior"
2) Real-life case study of why a US$100,000 "security awareness" project failed
   a. Identifying the human component in information security risks
   b. Addressing the human component using "awareness" and "behavior" strategies
4) Sample real-life case studies where quantifiable change has been observed
Original research and Publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information Security), authored by Anup Narayanan and published under a Creative Commons license.
The Difference Between the Reality and Feeling of Security by Thomas Kurian
1. [Cartoon with two thought bubbles: "She looks trustworthy" and "I'm gonna steal your toys"]
The difference between the "Reality" and "Feeling" of Security
Human Perception and its influence on Information Security
2. The 3 pieces that make up information security
Information is protected by three interlocking pieces: Technology (e.g. a firewall), People, and Process.
Technology and processes are only as good as the people that use them.
3. Focus of the talk
• The Human Factor in Information Security
• The difference between “Awareness and Competence”
• The power of perception
• Solution Model + Examples
6. ...even in Information Security!!!!
[Cartoon: an employee whispers "Don't tell anyone, my password is....." while the Security Policy on the wall reads "Never share passwords"]
7. Awareness >> Behaviour >> Culture
| Awareness | Behaviour (Competence) | Culture |
| --- | --- | --- |
| "I know" | "I do" | "We know and do" |
Aim for a responsible security culture.
8. What do organizations need?
A system that periodically shows the current Security Awareness and Competence levels, for example:
Awareness score is 87% (bands: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS)
Competence score is 65% (bands: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE)
A smart attacker will always try to influence the perception of the employee.
9. The power of perception
Why do people make security mistakes?
10. Imagine...
APJ Abdul Kalam walks into this room right now and offers you this glass of water....
11. Now, imagine this...
This man walks into this room right now and offers you this glass of water....
13. Analysis
Were you checking the water or the person serving the water?
People decide what is good and what is bad based on "trust".
Perception is influenced by trust.
14. How do people make security decisions?
Influence of perception
15. Analysis
Of these two, which terrifies you the most?
More people die of heart attacks than by getting eaten by sharks.
You may feel safe when you are actually not.
16. Analysis
Of these two, which terrifies you the most?
Adrenoleukodystrophy
More kids die choking on french fries than of adrenoleukodystrophy.
People exaggerate risks that are uncommon.
17. I hope now it is clear that we must address the human factor....
Let us summarize...
18. Reason 1: Security is both a "Reality" and a "Feeling"
For security practitioners, security is a "Reality" based on the mathematical probability of risks.
For the end user, security is a "feeling".
Success lies in influencing the "feeling" of security.
20. The Incident
In March 2011, RSA, one of the foremost security companies in the world, disclosed that cyber-attacks had penetrated its internal networks and extracted information from its systems.
The consequences were:
• Financial loss
• Reputational loss
21. Attack
An employee opened the attachment of a phishing mail.
The component embedded in the attachment exploited a vulnerability on the employee's machine.
23. You may wonder...
RSA must have had best-in-class firewalls, anti-virus and other security systems. So, how did this attack happen?
It failed to address the Human Factor.
24. Reason 2: Technology...yes, but humans...of course!
Aircraft have become more advanced, but does that mean pilot training requirements have been reduced?
Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
26. The solution is based on HIMIS
• HIMIS: Human Impact Management for Information Security
• Released under a Creative Commons license
• Free for non-commercial use
http://www.isqworld.com/himis
27. HIMIS Implementation Model
Define >> Strategize >> Deliver >> Verify
Goal: Responsible Information Security Behavior
28. Define
• Choose the ESPs
• Review and approval of the ESPs
29. Strategize
For awareness management:
• Coverage
• Format & visibility: verbal, paper and electronic
• Frequency
• Quality of content
• Retention measurement (surveys, quizzes)
For behavior management:
• Motivational strategies
• Enforcement / disciplinary strategies
30. Deliver
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt
31. Verify
• Audit strategy
• Selection of ESPs
• Define sample size
• Audit methods
  For awareness: interviews, surveys, quizzes
  For behavior: observation, review of incident reports, social engineering tests
32. Examples (of behavior audits)
• Deploy false emails seeking information
• Tailgating into the facility
• Placing media labeled "confidential information" in the cafeteria or other places
33. Reporting model
Organization's awareness score was 87% (bands: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS)
Organization's competence score was 65% (bands: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE)
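The reporting model above combines the two Verify tracks: quiz or survey results give the awareness ("I know") score, and the behavior audits (false emails, tailgating, dropped media) give the competence ("I do") score. The script below is an added example, not part of the HIMIS material or this talk, showing one way to compute both scores, place them in the LOW / MEDIUM / HIGH bands and break the competence score down per audit type so the gap between knowing and doing is visible. The band thresholds (50% and 80%) and all sample data are constructed assumptions; the slides show the bands but do not state where they begin.

```python
from __future__ import annotations

# Band thresholds are an assumption for this example; the slides show the
# LOW / MEDIUM / HIGH bands but do not state the cut-off values.
BANDS = ((80.0, "HIGH"), (50.0, "MEDIUM"), (0.0, "LOW"))


def band(score: float) -> str:
    """Map a percentage score onto the LOW / MEDIUM / HIGH band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "LOW"


def awareness_score(quiz_answers: dict[str, list[bool]]) -> float:
    """Awareness ('I know'): share of correct quiz answers over all respondents."""
    answers = [ok for per_person in quiz_answers.values() for ok in per_person]
    return round(100.0 * sum(answers) / len(answers), 1)


def competence_score(observations: list[tuple[str, str, bool]]) -> float:
    """Competence ('I do'): share of behavior audits the observed employee passed.

    Each observation is (audit_type, employee, passed). For a false email,
    'passed' means the employee did not act on it; for tailgating it means the
    intruder was challenged; for dropped media it means it was handed in unread.
    """
    return round(100.0 * sum(ok for _, _, ok in observations) / len(observations), 1)


def breakdown(observations: list[tuple[str, str, bool]]) -> dict[str, float]:
    """Pass rate per audit type: shows which behavior the awareness work missed."""
    totals: dict[str, list[int]] = {}
    for audit_type, _, ok in observations:
        counts = totals.setdefault(audit_type, [0, 0])
        counts[0] += int(ok)
        counts[1] += 1
    return {t: round(100.0 * passed / n, 1) for t, (passed, n) in totals.items()}


def report(round_name: str, quiz_answers, observations) -> dict:
    """One measurement round in the reporting model of slide 33."""
    a = awareness_score(quiz_answers)
    c = competence_score(observations)
    return {
        "round": round_name,
        "awareness": a, "awareness_band": band(a),
        "competence": c, "competence_band": band(c),
        "gap": round(a - c, 1),  # 'I know' minus 'I do'
        "by_audit": breakdown(observations),
    }


# Constructed sample data (not real survey results): 10 employees answer 10
# retention-quiz questions each; 87 of the 100 answers are correct.
QUIZ_ROUND1 = {f"emp{i:02d}": [True] * 9 + [False] for i in range(1, 8)}
QUIZ_ROUND1.update({f"emp{i:02d}": [True] * 8 + [False] * 2 for i in range(8, 11)})

# Constructed behavior audit: 10 false emails (6 ignored), 5 tailgating attempts
# (3 challenged), 5 'confidential' USB sticks left in the cafeteria (4 handed in).
OBS_ROUND1 = (
    [("false_email", f"emp{i:02d}", i > 4) for i in range(1, 11)]
    + [("tailgating", f"emp{i:02d}", i > 2) for i in range(1, 6)]
    + [("dropped_media", f"emp{i:02d}", i > 1) for i in range(1, 6)]
)

if __name__ == "__main__":
    print(report("Q1", QUIZ_ROUND1, OBS_ROUND1))
```

On the constructed data this yields an awareness score of 87.0% (HIGH) against a competence score of 65.0% (MEDIUM): the organization "knows" but does not yet "do", and the per-audit breakdown (60% on false emails and tailgating, 80% on dropped media) points to where the next awareness dose should go. Re-running `report` on each measurement round gives the trend that slide 40 asks for.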
39. 4. Remember drip irrigation
Which is more effective: drip irrigation, or spraying a lot of water once a day?
Small doses, more frequently.
40. 5. Re-measure frequently
Organization's awareness score was 87%; what is it now? (bands: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS)
Organization's competence score was 65%; what is it now? (bands: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE)
41. Summary
"A smart user in front of the computer is a good security control and is not that expensive."
42. Let's switch ON the Human Layer of Information Security Defence
Thank You
http://www.isqworld.com/himis