Information Security Human Risk Level Assessment
Noora Alfayez
Cybersecurity Analyst at Saudi Aramco
© Saudi Arabian Oil Company, 2018
Saudi Aramco: Public
Case
Organization A, Organization B
A structured assessment must be conducted to measure the
Human Risk level at the organization
Survey & Analyze
Measure & Communicate

Assessment Background
A total of 7094 users participated in a corporate-wide survey.
The survey consisted of 21 questions, divided into three categories:
• Demographics
• Preferences & opinions
• Risks & Gaps Assessment

Survey Participants by Job Position
[Pie chart. Categories: Chief Position Holders; Cybersecurity Analysts; Contractors / Third Party Consultants; Engineers / Analysts; Others* (trainers, technicians, nurses, etc.). Shares shown: 32%, 3%, 27%, 23%, 15%.]

Survey Highlights & Analysis
Q: Do you understand the importance of your role in protecting the organization’s information from cyber-attacks?
96% said yes
Q: Protecting organization’s business data is the responsibility of …
• Joint effort between IT, management, and end users.
• The Information Security team only.
(Chart label: 415 users)
Observation: 415 users have a false perception of their role in protecting the organization from cyber-attacks

Survey Highlights & Analysis
Q: Which of the following approaches do you prefer for information security awareness?
• EMAIL ANNOUNCEMENTS: 29.68%
• LIVE STREAMING, WORKSHOPS & PRESENTATIONS: 8.91%
• SOCIAL MEDIA ACCOUNTS (EX. TWITTER): 5.21%
• SMS OR TEXT MESSAGE ON YOUR PHONE: 15.12%
• INFORMATIVE WEB PORTALS: 6.19%
• BANNERS AND POSTERS: 8.13%
• ANIMATED VIDEOS: 10.26%
• E-LEARNING COURSES: 16.50%
Observation: There is an appetite for more e-learning courses & SMS awareness tips

Survey Highlights & Analysis
Q: What is your opinion of the frequent Phishing Email Test conducted by Information Technology?
• Don't know what phishing email is: 0.5% (Current Survey); 6% (Previous Survey)
• Tricky but I like them: 58.5%
• Easy to detect: 25.0%
• Tricky and I hate them: 16.1%
Observation: Percentage of users who do not know what phishing is dropped from 6% last year to 0.5% this year

Survey Highlights & Analysis
Q: How do you handle Phishing emails?
[Chart: response counts 6367, 40, 93, 594; callouts: "Neutral Behavior", 70%]
Observation: 70% of neutral behavior users are above the age of 40

Survey Highlights & Analysis
Q: How many times have your personal devices been infected with malware in the last year?
Q: Do you have remote access to organization services such as email on your personal devices?
Observation: 294 users who have been victims of malware have remote access to organization services

Survey Highlights & Analysis
Q: How often do you discuss cyber security topics with your department's cybersecurity analyst?
Q: What do you think about the inclusion of cybersecurity as competency goal in employee's evaluation?
Observation: Those who are not in favor of the cybersecurity competency being part of evaluation lack communication with cybersecurity analysts.

Human Risk Measurement Indicator
Based on 15 questions
Each answer has score value between 1 and 5

$$\text{Indicator} = \frac{\text{Total Scores}}{\text{No. of Participants}}$$

• Low: 15-20
• Moderate: 21-32
• Elevated: 33-51
• Significant: 52-63
• High: 64-75

Previous: 25.54
Now: 24.38

Human Risk Measurement Indicator
Moderate 24.38
How can we reduce the indicator value?
Weighted questions
• remote access to your organization services
• social network accounts
• antivirus on personal devices
• cybersecurity competency in evaluation
• cybersecurity analyst engagement

Conclusion
• Assess Human Risk on a Regular Basis (Annually)
• Make Assessment Questionnaire Focused On Anticipated Risks
• Conduct In-depth Analysis (Correlating questions)

Thank you