The Difference Between the Reality and Feeling of Security by Thomas Kurian

The paper shall focus on the following: 1) Introduction to the problem: focus on “security awareness”, not “behavior”; 2) Real-life case study of why a US$100,000 “security awareness” project failed; a. Identifying the human component in information security risks; b. Addressing the human component using “awareness” and “behavior” strategies; 4) Sample real-life case studies where quantifiable change has been observed. Original research and publications: the talk is modeled on the methodology HIMIS (Human Impact Management for Information Security) authored by Anup Narayanan and published under “Creative Commons,


The difference between the “Reality” and “Feeling” of Security

Human Perception and its influence on Information Security

(Cartoon) “She looks trustworthy” / “I’m gonna steal your toys”

The 3 pieces that make up information security

(Diagram) Technology (Firewall), Process and People, surrounding Information

Technology and processes are only as good as the people that use them

Focus of the talk

• The Human Factor in Information Security
• The difference between “Awareness and Competence”
• The power of perception
• Solution Model + Examples

Awareness

I know the traffic rules….

Competence?

Does it guarantee that I am a good driver?

….even in Information Security!!!!

(Cartoon) Security Policy: “Never share passwords” / “Don’t tell anyone, my password is…..”

Awareness >> Behaviour >> Culture

• Awareness: I know
• Behaviour (Competence): I do
• Culture: We know and do

Aim for a responsible security culture

What do organizations need?

A system that periodically shows the current Security Awareness and Competence Levels

(Example dashboard) Awareness score is 87% on a LOW / MEDIUM / HIGH AWARENESS scale; Competence score is 65% on a LOW / MEDIUM / HIGH COMPETENCE scale

A smart attacker will always try to influence the perception of the employee

The power of perception

Why do people make security mistakes?

Imagine… APJ Abdul Kalam walks into this room right now and offers you this glass of water….

Now, imagine this… This man walks into this room right now and offers you this glass of water….

Question

Which water did you accept? Why?

Analysis

People decide what is good and what is bad based on “trust”

Perception is influenced by Trust

Were you checking the water or the person serving the water?

How do people make security decisions?

Influence of perception

Analysis

Of these two, which terrifies you the most?

More people die of heart attacks than by getting eaten by sharks

You may feel safe when you are actually not

Analysis

Of these two, which terrifies you the most?

More kids die choking on french fries than due to Adrenoleukodystrophy

People exaggerate risks that are uncommon

I hope now it is clear that we must address the human factor….

Let us summarize…

Reason 1: Security is both a “Reality” and a “Feeling”

For security practitioners, security is a “Reality” based on the mathematical probability of risks

For the end user, security is a “feeling”

Success lies in influencing the “feeling” of security

RSA Attack

The Incident

In March 2011, RSA, one of the foremost security companies in the world, disclosed that cyber-attacks had penetrated its internal networks and extracted information from its systems.

The consequences were

• Financial Loss
• Reputational Loss

Attack

Employee clicked on the attachment of the mail

The embedded component exploited the vulnerability

Analysis: Why did the attack happen?

RSA must have had best-in-class firewalls, anti-virus and other security systems. So, how did this attack happen? You may wonder…

Failed to address the Human Factor

Reason 2: Technology…yes, but humans…of course!

Aircraft have become more advanced, but does it mean that pilot training requirements have reduced?

Medical technology has become more advanced, but will you choose a hospital for its machines or for the doctors?

The Solution Model

Security Awareness and Competence Management

The solution is based on HIMIS

• HIMIS – Human Impact Management for Information Security
• Released under Creative Commons License
• Free for Non-Commercial Use

http://www.isqworld.com/himis

HIMIS Implementation Model

(Diagram) Define → Strategize → Deliver → Verify, leading to Responsible Information Security Behavior

Define

• Choose the ESPs
• Review and approval of ESPs

Strategize

For awareness management
• Coverage
• Format & visibility: Verbal, Paper and Electronic
• Frequency
• Quality of content
• Retention measurement (surveys, quizzes)

For behavior management
• Motivational strategies
• Enforcement / disciplinary strategies

Deliver

• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt

Verify

• Audit strategy
• Selection of ESPs
• Define sample size
• Audit methods
  For awareness: Interviews, Surveys, Quizzes
  For behavior: Observation, Review of incident reports, Social engineering?

Examples

• Deploy false emails seeking information
• Tailgating into the facility
• Placing media labeled with ‘confidential information’ in cafeteria or other places

Reporting model

(Example report) Organization’s awareness score was 87% on a LOW / MEDIUM / HIGH AWARENESS scale; Organization’s competence score was 65% on a LOW / MEDIUM / HIGH COMPETENCE scale

HIMIS Focus

(Diagram) For each ESP, both Awareness and Behaviour (Competence) go through the cycle Assess, Improve, Re-assess

ESP – Expected Security Practice
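The reporting model and the Assess, Improve, Re-assess cycle above, as an added example that is not part of the talk or of HIMIS: per-ESP awareness scores come from quiz/survey checks, competence scores from observed behaviour checks, both are banded LOW / MEDIUM / HIGH, and the gap between "know" and "do" is compared against a tolerable deviation (the Deliver step). The band cut-offs, the field names and the sample data are assumptions of this example, not values the talk publishes.

```python
from dataclasses import dataclass

# Band cut-offs are an assumption of this example; the talk shows LOW / MEDIUM /
# HIGH bands but does not publish where they start.
LOW_MAX, MEDIUM_MAX = 50, 80

@dataclass
class EspResult:
    """Evidence collected for one Expected Security Practice (ESP)."""
    esp: str
    awareness: list   # one entry per quiz/survey item: answered correctly?
    competence: list  # one entry per observed behaviour check: done correctly?

def pct(checks):
    """Share of passed checks as a percentage, rounded to one decimal."""
    return round(100 * sum(checks) / len(checks), 1) if checks else 0.0

def band(score):
    """Map a score onto the LOW / MEDIUM / HIGH band used in the report."""
    if score < LOW_MAX:
        return "LOW"
    return "MEDIUM" if score < MEDIUM_MAX else "HIGH"

def assess(results, tolerable_deviation):
    """Per-ESP and organization-wide scores. An ESP is flagged when people
    'know' (awareness) more than they 'do' (competence) by more than the
    tolerable deviation: that gap is what behaviour management must close."""
    report = {}
    for r in results:
        a, c = pct(r.awareness), pct(r.competence)
        report[r.esp] = {
            "awareness": a, "awareness_band": band(a),
            "competence": c, "competence_band": band(c),
            "know_do_gap": round(a - c, 1),
            "needs_behaviour_work": (a - c) > tolerable_deviation,
        }
    all_a = [x for r in results for x in r.awareness]   # pool checks across ESPs
    all_c = [x for r in results for x in r.competence]
    report["organization"] = {"awareness": pct(all_a), "competence": pct(all_c)}
    return report

# Constructed sample audit data (not real results): 10 quiz answers and
# 10 behaviour observations per ESP.
SAMPLE = [
    EspResult("Never share passwords", [True] * 9 + [False], [True] * 6 + [False] * 4),
    EspResult("Report suspicious emails", [True] * 8 + [False] * 2, [True] * 7 + [False] * 3),
    EspResult("Challenge tailgaters", [True] * 7 + [False] * 3, [True] * 4 + [False] * 6),
]
```

Calling `assess(SAMPLE, tolerable_deviation=20)` gives the per-ESP rows plus the pooled organization scores; re-running it on the next audit cycle's data is the "Re-measure frequently" step.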

1. Differentiate between Awareness vs. Competence

Consider both “Awareness” and “Competence” independently

2. Visualize ….and influence perception

3. Scenario based training (Make people solve challenges)

Example (video)

4. Remember drip irrigation

Small doses, more frequent

Which is more effective – Drip irrigation or spraying a lot of water once a day?

5. Re-measure frequently

(Example report, repeated) Organization’s awareness score was 87%; Organization’s competence score was 65%; on the LOW / MEDIUM / HIGH scales the next measurement is shown as “?” “?”

Summary

“A smart user in front of the computer is a good security control and is not that expensive.”

Let’s switch ON the Human Layer of Information Security Defence

Thank You

http://www.isqworld.com/himis
