Information Security Human Risk Level Assessment Noora Alfayez Cybersecurity Analyst at Saudi Aramco © Saudi Arabian Oil Company, 2018

Page 1: Information Security Human Risk Level Assessment

Noora Alfayez, Cybersecurity Analyst at Saudi Aramco

© Saudi Arabian Oil Company, 2018

Page 2: Case

Saudi Aramco: Public

[Figure: Organization A compared with Organization B]


Page 4: Case

[Figure: Organization A compared with Organization B]

A structured assessment must be conducted to measure the Human Risk level at the organization.

Page 5: Survey & Analyze; Measure & Communicate

A structured assessment must be conducted to measure the Human Risk level at the organization.

Page 6: Assessment Background

A total of 7094 users participated in a corporate-wide survey.

The survey consisted of 21 questions, divided into three categories:

• Demographics

• Preferences & opinions

• Risks & Gaps

Page 7: Survey Participants by Job Position

[Chart: participants by job position. Positions: Chief Position Holders; Cybersecurity Analysts; Contractors / Third Party Consultants; Engineers / Analysts; Others* (trainers, technicians, nurses, etc.). Shares shown on the chart: 32%, 3%, 27%, 23%, 15% (the pairing of each share with its position is not recoverable from the extracted text).]

Page 8: Survey Highlights & Analysis

Q: Do you understand the importance of your role in protecting the organization's information from cyber-attacks?

96% said yes.

Q: Protecting the organization's business data is the responsibility of …

• Joint effort between IT, management, and end users

• The Information Security team only (415 users)

Observation: 415 users have a false perception of their role in protecting the organization from cyber-attacks.

Page 9: Survey Highlights & Analysis

Q: Which of the following approaches do you prefer for information security awareness?

• Email announcements: 29.68%

• Live streaming, workshops & presentations: 8.91%

• Social media accounts (ex. Twitter): 5.21%

• SMS or text message on your phone: 15.12%

• Informative web portals: 6.19%

• Banners and posters: 8.13%

• Animated videos: 10.26%

• E-learning courses: 16.50%

Observation: There is an appetite for more e-learning courses & SMS awareness tips.

Page 10: Survey Highlights & Analysis

Q: What is your opinion of the frequent Phishing Email Test conducted by Information Technology?

• Don't know what a phishing email is: 0.5% (6% in the previous survey)

• Tricky but I like them: 58.5%

• Easy to detect: 25.0%

• Tricky and I hate them: 16.1%

Observation: The percentage of users who do not know what phishing is dropped from 6% last year to 0.5% this year.

Page 11: Survey Highlights & Analysis

Q: How do you handle Phishing emails?

[Chart: responses split into 6367, 40, 93 and 594 users (summing to the 7094 participants). The 594 segment is labelled "Neutral Behavior"; the labels of the other three segments are not in the extracted text.]

Page 12: Survey Highlights & Analysis (same chart)

Observation: 70% of neutral-behavior users are above the age of 40.

Page 13: Survey Highlights & Analysis

Q: How many times have your personal devices been infected with malware in the last year?

Q: Do you have remote access to organization services such as email on your personal devices?

Observation: 294 users who have been victims of malware have remote access to organization services.

Page 14: Survey Highlights & Analysis

Q: How often do you discuss cyber security topics with your department's cybersecurity analyst?

Q: What do you think about the inclusion of cybersecurity as a competency goal in the employee's evaluation?

Page 15: Survey Highlights & Analysis (same questions)

Observation: Those who are not in favor of the cybersecurity competency being part of the evaluation lack communication with cybersecurity analysts.
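The observations on pages 8, 12, 13 and 15 are each a cross-question query: count, or take the share of, the participants whose answers to two questions fall in a particular combination (malware victim and remote access; neutral phishing behavior and age over 40; against the competency goal and no analyst contact). The following is an added example of that analysis run over constructed records; it is not the presenter's tooling, and the field names, answer encodings and sample values are assumptions made for the example.

```python
"""Cross-question analysis of human-risk survey responses (added example).

The records below are constructed for illustration; the real survey had
7094 participants and is not reproduced here. Field names are assumed.
"""
from collections import Counter
from typing import Callable, Iterable

Response = dict  # one participant's answers, keyed by an assumed field name

# Constructed sample data. Assumed fields:
#   malware_infections - times personal devices were infected in the last year
#   remote_access      - has remote access to organization services (e.g. email)
#   phishing_handling  - how the user handles phishing e-mails
#   analyst_contact    - how often they discuss security with their analyst
#   competency_goal    - opinion on cybersecurity as an evaluation competency
SAMPLE_RESPONSES: list[Response] = [
    {"age": 52, "malware_infections": 2, "remote_access": True,  "phishing_handling": "neutral", "analyst_contact": "never",     "competency_goal": "against"},
    {"age": 44, "malware_infections": 1, "remote_access": True,  "phishing_handling": "neutral", "analyst_contact": "never",     "competency_goal": "against"},
    {"age": 31, "malware_infections": 0, "remote_access": True,  "phishing_handling": "report",  "analyst_contact": "monthly",   "competency_goal": "favor"},
    {"age": 27, "malware_infections": 1, "remote_access": False, "phishing_handling": "report",  "analyst_contact": "weekly",    "competency_goal": "favor"},
    {"age": 38, "malware_infections": 0, "remote_access": False, "phishing_handling": "delete",  "analyst_contact": "quarterly", "competency_goal": "favor"},
    {"age": 49, "malware_infections": 3, "remote_access": True,  "phishing_handling": "report",  "analyst_contact": "never",     "competency_goal": "against"},
    {"age": 35, "malware_infections": 0, "remote_access": True,  "phishing_handling": "neutral", "analyst_contact": "monthly",   "competency_goal": "favor"},
    {"age": 60, "malware_infections": 0, "remote_access": False, "phishing_handling": "report",  "analyst_contact": "never",     "competency_goal": "neutral"},
]

Predicate = Callable[[Response], bool]


def count_where(responses: Iterable[Response], *preds: Predicate) -> int:
    """Number of responses satisfying every predicate (intersection of answers)."""
    return sum(1 for r in responses if all(p(r) for p in preds))


def share_where(responses: list[Response], within: Predicate, of: Predicate) -> float:
    """Fraction of the `within` subgroup that also satisfies `of`; 0.0 for an empty subgroup."""
    group = [r for r in responses if within(r)]
    if not group:
        return 0.0
    return count_where(group, of) / len(group)


def cross_tab(responses: Iterable[Response], row: str, col: str) -> Counter:
    """Contingency table of two questions: (row_answer, col_answer) -> count."""
    return Counter((r[row], r[col]) for r in responses)


# The correlations the deck reports, expressed as queries over the records.
def malware_victims_with_remote_access(responses=SAMPLE_RESPONSES) -> int:
    return count_where(responses,
                       lambda r: r["malware_infections"] > 0,
                       lambda r: r["remote_access"])


def neutral_phishing_share_over_40(responses=SAMPLE_RESPONSES) -> float:
    return share_where(responses,
                       within=lambda r: r["phishing_handling"] == "neutral",
                       of=lambda r: r["age"] > 40)


def competency_opponents_never_contacting_analyst(responses=SAMPLE_RESPONSES) -> float:
    return share_where(responses,
                       within=lambda r: r["competency_goal"] == "against",
                       of=lambda r: r["analyst_contact"] == "never")


if __name__ == "__main__":
    print("malware victims with remote access:", malware_victims_with_remote_access())
    print("neutral phishing handlers over 40:", f"{neutral_phishing_share_over_40():.0%}")
    print("competency opponents who never talk to an analyst:",
          f"{competency_opponents_never_contacting_analyst():.0%}")
    table = cross_tab(SAMPLE_RESPONSES, "competency_goal", "analyst_contact")
    for (goal, contact), n in sorted(table.items()):
        print(f"  {goal:8s} x {contact:10s}: {n}")
```

The queries return counts and shares of the subgroup rather than of the whole cohort, which is how the deck states its observations ("70% of neutral-behavior users", not "70% of all users"); `share_where` returns 0.0 for an empty subgroup instead of dividing by zero.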

Page 16: Human Risk Measurement Indicator

Based on 15 questions; each answer has a score value between 1 and 5, so a participant's total lies between 15 and 75.

• Low: 15-20

• Moderate: 21-32

• Elevated: 33-51

• Significant: 52-63

• High: 64-75

$\text{Indicator} = \frac{\text{Total Scores}}{\text{No. of Participants}}$

Previous: 25.54

Now: 24.38

Page 17: Human Risk Measurement Indicator

Moderate: 24.38

How can we reduce the indicator value? Weighted questions:

• remote access to your organization services

• social network accounts

• antivirus on personal devices

• cybersecurity competency in evaluation

• cybersecurity analyst engagement
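The scoring rule on pages 16 and 17, carried through as an added example (not the presenter's own tooling): the 15-question, 1-to-5 scoring, the indicator as total scores divided by the number of participants, and the five bands are taken from the deck. The weighting scheme, its rescaling to the 15-75 range, the choice of which five questions carry extra weight, the handling of fractional indicator values and the sample cohort are assumptions, since the deck names "weighted questions" without defining them.

```python
"""Human Risk Measurement Indicator: per-participant score, banding, indicator.

Added example. Scoring rule and bands follow the deck; the weighting scheme
is an assumption (the deck does not define weights or a weighted formula).
"""
from typing import Sequence

NUM_QUESTIONS = 15
MIN_ANSWER, MAX_ANSWER = 1, 5
MIN_TOTAL = NUM_QUESTIONS * MIN_ANSWER   # 15
MAX_TOTAL = NUM_QUESTIONS * MAX_ANSWER   # 75

# Bands from the deck: inclusive integer ranges of a participant's total.
BANDS = (
    ("Low", 15, 20),
    ("Moderate", 21, 32),
    ("Elevated", 33, 51),
    ("Significant", 52, 63),
    ("High", 64, 75),
)


def validate(answers: Sequence[int]) -> None:
    """Reject malformed submissions instead of silently skewing the indicator."""
    if len(answers) != NUM_QUESTIONS:
        raise ValueError(f"expected {NUM_QUESTIONS} answers, got {len(answers)}")
    bad = [a for a in answers if not (isinstance(a, int) and MIN_ANSWER <= a <= MAX_ANSWER)]
    if bad:
        raise ValueError(f"answers outside {MIN_ANSWER}..{MAX_ANSWER}: {bad}")


def participant_score(answers: Sequence[int]) -> int:
    """Unweighted score as in the deck: plain sum of the 15 answers (15..75)."""
    validate(answers)
    return sum(answers)


def weighted_participant_score(answers: Sequence[int], weights: Sequence[float]) -> float:
    """Assumed weighting scheme: weight each answer's excess over the minimum,
    then rescale so the result still spans 15..75 and the bands stay valid.
    Equal weights reproduce participant_score exactly."""
    validate(answers)
    if len(weights) != NUM_QUESTIONS or any(w <= 0 for w in weights):
        raise ValueError("need one positive weight per question")
    excess = sum(w * (a - MIN_ANSWER) for w, a in zip(weights, answers))
    max_excess = (MAX_ANSWER - MIN_ANSWER) * sum(weights)
    return MIN_TOTAL + (MAX_TOTAL - MIN_TOTAL) * excess / max_excess


def indicator(scores: Sequence[float]) -> float:
    """Indicator = total scores / number of participants."""
    if not scores:
        raise ValueError("no participants")
    return sum(scores) / len(scores)


def band(value: float) -> str:
    """Map an indicator value to its band. The deck gives integer ranges; a
    fractional value goes to the band whose lower bound it has reached
    (20.6 -> Low, 21.0 -> Moderate), which is an assumption."""
    if not MIN_TOTAL <= value <= MAX_TOTAL:
        raise ValueError(f"indicator {value} outside {MIN_TOTAL}..{MAX_TOTAL}")
    for name, _low, high in BANDS:
        if value < high + 1:
            return name
    return BANDS[-1][0]


# Constructed sample cohort (not the 7094 real responses): three participants.
SAMPLE_ANSWERS = [
    [1] * NUM_QUESTIONS,                       # best case: total 15
    [2] * NUM_QUESTIONS,                       # total 30
    [5, 5, 5] + [2] * (NUM_QUESTIONS - 3),     # total 39, risky on the first three questions
]

# Assumed weights: the five weighted topics from the deck are taken to be
# questions 0..4 and count double; the other ten keep weight 1.
SAMPLE_WEIGHTS = [2.0] * 5 + [1.0] * (NUM_QUESTIONS - 5)


def sample_indicator() -> tuple[float, str]:
    value = indicator([participant_score(a) for a in SAMPLE_ANSWERS])
    return value, band(value)


def sample_weighted_indicator() -> tuple[float, str]:
    value = indicator([weighted_participant_score(a, SAMPLE_WEIGHTS) for a in SAMPLE_ANSWERS])
    return value, band(value)


if __name__ == "__main__":
    print("unweighted:", sample_indicator())
    print("weighted:  ", sample_weighted_indicator())
    print("deck values:", band(25.54), band(24.38))
```

With the constructed cohort the unweighted indicator is 28.0 and the weighted one 29.5, both Moderate; the deck's 25.54 and 24.38 also both fall in Moderate, which is why the year-on-year drop did not change the band. The weighting only moves the indicator when risky answers sit on the weighted questions, so which questions are weighted is the real design decision.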

Page 18: Conclusion

• Assess Human Risk on a regular basis (annually)

• Make the assessment questionnaire focused on anticipated risks

• Conduct in-depth analysis (correlating questions)

Page 19: Thank you