Measuring Human Risk What is your security score?

Post on 29-May-2018

SANS Security Awareness Summit Dallas, TX | Mon Sep 8 - Wed Sep 17, 2014

Michigan Tech Facts

• Public University

• Total Enrollment: 6,957

• Graduate Enrollment: 1,484

• 50 Majors

• Carnegie Foundation Doctoral II status

• 400 Faculty, 1000 staff

• Ranked programs in Environmental, Mechanical, and Metallurgical Engineering

Where influences how.

Overall IT, InfoSec and Compliance Structure

“Normal” IT Stuff

• Infrastructure

• Telecommunications

• IT Services

• Operations

• User Services

• Media Technology

• Enterprise Computing

Also

• IT Project Management

• IT Budget Management

CISO – “Technical” Security

CICO – “Information” Security

Constant InfoSec Context

• Compliance needs (FERPA, GLBA, HIPAA, PCI…)

• Risk assessments

• News (especially of peers)

• Case studies

Remember: Don’t bring problems, bring solutions

Easy on the FUD!

True Story.

The Challenge

Technical security (firewalls, VPNs, AV, etc.) is justified, specified and PURCHASED.

Operational security (patching, CM, coding) is proceduralized, centralized and MANDATED.

User security (behavior) is encouraged, coaxed, and “hoped for”.

(Slide diagram; labels: Security; Tech, Ops, Training; Behavior; Awareness)

…hmmmm security…

Training vs. Behavior?

The BIG Deal…

User security depends on user behavior, not on compliance, training, or awareness.

If behavior does not change, the awareness has no real value.

If this change is real, it must be measured.

The Plan

Develop a comprehensive training and assessment system which will:

#1 - Improve Behavior

#2 - Apply training appropriately

#3 - Develop metrics and analytics

#4 - Find and fill gaps (process, not event)

TARR System (Train, Audit, Review, Remediate)

Combine HR, people, and security survey data

Score risk: per person, department, division

Target training where appropriate

Rinse / repeat (2010, 2012, 2014,…)

Survey Construction

• What do you handle?

• Where do you get it?

• Where do you keep it?

• What do you do with it?

Security Score

Each “usage” type has a score and a risk value.

Scoring:

• add 1 for a low-risk answer

• add 100 for a medium-risk answer

• add 10000 for a high-risk answer

Sum by Group (CC/PIFI/HCI), Risk level, or score

Yikes! Not another Survey

Average survey time: 4 Minutes

2014 Participation Rates by Group

Group               Surveyed   Responded   Pct
Custodial                176         102   58%
Faculty                  480         338   70%
Staff                   1140         779   68%
Student Employees       2069        1072   52%
Grand Total             3865        2291   59%

Survey Part 1: What do you handle?

Survey Part 2: Where do you get it?

Survey Part 3: Where do you keep it?

Survey Part 4: What do you do with it?

Example Score Calculation: PIFI

Sally’s PIFI Score

• Gets PIFI from 1 low risk place

• Stores PIFI in 1 low risk place

• Transmits via 3 ways (1 high risk, 2 low risk)

• Score is thus 10004 (1x10000 + 4)

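The scoring rule from the Security Score slide and Sally’s PIFI calculation above, as an added Python example (not the presenters’ code or tool). The weights 1 / 100 / 10000 and the numbers on Sally’s data sheet are taken from the slides; the answer lists, function names and the overflow check are my own additions. The score is a positional encoding, so it can be decoded back into high/medium/low counts, but only while no level has 100 or more answers.

```python
# Added example, not from the slides: the survey score as a positional
# encoding (low = 1, medium = 100, high = 10000) and how to read it back.
from collections import Counter

WEIGHTS = {"low": 1, "medium": 100, "high": 10_000}


def score(answers):
    """Sum the risk weight of each survey answer for one data type."""
    return sum(WEIGHTS[a] for a in answers)


def decode(total):
    """Recover (high, medium, low) answer counts from a score.

    Exact only while every level has fewer than 100 answers; a 100th
    low answer carries into the medium position (see safe_to_decode).
    """
    high, rest = divmod(total, 10_000)
    medium, low = divmod(rest, 100)
    return high, medium, low


def safe_to_decode(answers):
    """True when decode(score(answers)) would round-trip exactly."""
    c = Counter(answers)
    return c["medium"] < 100 and c["low"] < 100


def risk_counts(scores_by_code):
    """Per-person H/M/L tally across data types (the data sheet's 4/1/11 line)."""
    h = m = l = 0
    for total in scores_by_code.values():
        dh, dm, dl = decode(total)
        h, m, l = h + dh, m + dm, l + dl
    return h, m, l


def group_totals(people):
    """'Sum by Group': add every person's score per data type for a unit."""
    totals = Counter()
    for scores_by_code in people.values():
        totals.update(scores_by_code)
    return dict(totals)


# Constructed answers reproducing the slides' PIFI example for Sally:
# 1 low-risk source, 1 low-risk store, transmitted 3 ways (1 high, 2 low).
SALLY_PIFI = ["low", "low", "high", "low", "low"]
# Sally's 2010 data sheet scores, as printed on the slide.
SALLY_2010 = {"SSN": 10_003, "PCI-DSS": 10_102, "PIFI": 10_003, "HCI": 10_003}
```

Because a department total is the sum of its members’ scores, decoding that total is only meaningful when the unit as a whole stays under 100 answers per level; otherwise report the per-person H/M/L tallies instead.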

Code Tracked Information

PIFI PI Financial Information

HCI PI Healthcare Information

SSN Social Security Numbers

DIR Directory Information

Crim Criminal History

GovID Government Issued ID

Photo Photographic or Biometrics

CC Credit Card Information

VclID Vehicle ID

Mnum University ID Number

Scores Calculated for “In Scope” Data

Risk: Measured.

Risk: Counted.

Risk: Summed.

Training Directed by REAL Access

Estimated campus-wide training: $2,000/Minute

Finally!

• Training is directed by access (by department/unit)

• Audits are directed by risk (not reputation)

• Reviews and remediation can be swift

• Risk can be accessed at person, department, division levels

Measured Multi-Year Effect: Change in Overall PCI Risk Distribution

(Chart: Change in Overall PCI Risk Distribution, risk population by level, 2010 / 2012 / 2014)

Risk level    2010    2012    2014
High           15%     20%     18%
Medium         15%     17%     24%
Low            70%     63%     58%

Year-by-Year Risk Path (counts)

Level         2010    2012    2014
High           101      58      43
Medium          22      16      18
Low             21      18      18
No Risk*       117      65      57

Average Score by Area

(Chart: Average Security Score for Human Resources Staff, 2010 / 2012 / 2014; series SSN, PIFI and HCI; y-axis 5,000 to 25,000)

Individualized Trend/Training Data

InfoSec Score/Training Data Sheet

Name: Sally Happyworker

Job Title: IT Analyst/Programmer

Department: IT Business Systems

Division: OIT

Supervisor: Steve Smith

Code     Sensitive Data Type                       2010 Score  Training Completed  2012 Score  Training Completed  2014 Score
SSN      Social Security Data                          10,003  No                      10,003  Yes                          3
PCI-DSS  Credit Card Data                              10,102  Yes                          0  Yes                          0
PIFI     Personally Identifiable Financial Data        10,003  No                      10,003  Yes                          3
HCI      Health Care Information                       10,003  No                      10,003  Yes                          3
Total                                                  40,111                          30,009                               9
Risk (High/Medium/Low)                                 4/1/11                          3/0/9                            0/0/9

Overall Effect of Training

(Two charts, each titled End User Risk Pool)

Questions? Dan deBeaubien – [email protected]

Ashley Sudderth – [email protected]