the difference between the reality and feeling of security
DESCRIPTION
A presentation that I took recently for a top management group that focuses on the human factor in information security. The presentation focuses on why people make security mistakes by analyzing various factors involving perception, how people make security decisions and how people are influenced by their feeling of security. Do drop me a note if you wish to discuss this further at "anup at isqworld dot com"
TRANSCRIPT
The difference between the “Reality” and “Feeling” of Security
Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ)
She looks trustworthy
I’m gonna steal your toys
Focus of the talk
• The Human Factor in Information Security
• From “Security Awareness” to “Security Awareness and
Competence”
• Solution model
• What are others doing?
Awareness
I know the traffic rules….
Competence?
Does it guarantee that I am a good driver?
Awareness >> Behaviour >> Culture
Awareness
• I know
Behaviour (Competence)
• I do
Culture
• We know and do
An organization must aim for a responsible security culture
What do organizations need?
A system that periodically shows the current Security Awareness and Competence Levels
[Gauge: Awareness score is 87% (scale: low / medium / high awareness)]
[Gauge: Competence score is 65% (scale: low / medium / high competence)]
The power of perception
Why do people make security mistakes?
Imagine…
Will you accept it?
Nelson Mandela walks into this room right now and offers you this glass of water….
Now, imagine this…
Will you accept it?
This man walks into this room right now and offers you this glass of water….
Question
Which water did you accept? Why?
Analysis
People decide what is good and what is bad based on “trust”
Perception is influenced by Trust
Were you checking the water or the person serving the water?
Why must we address the human factor?
(or)
Is the human factor worth addressing?
Case Study 1
LinkedIn Password leak
The most popular passwords in LinkedIn
link
1234
work
god
job
12345
angel
the
ilove
sex
jesus
connect
monkey
123456
michael
jordan
dragon
soccer
killer
pepper
Analysis
You may think you are safe when you are actually not
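The list above shows why a password that satisfies a corporate complexity rule can still be one of the first an attacker tries: "M1chael2012!" has upper and lower case, digits and a symbol, but it is "michael" with a date and a leetspeak substitution. The following Python check is an added example, not part of the presentation or of HIMIS. It uses the tokens from the slide as its dictionary, undoes the common character substitutions, and reports which weak tokens a password still contains; the sample passwords are constructed for the demonstration.

```python
import re
from typing import List

# The tokens listed on the slide as most common in the leaked LinkedIn passwords.
COMMON_TOKENS = [
    "link", "1234", "work", "god", "job", "12345", "angel", "the", "ilove",
    "sex", "jesus", "connect", "monkey", "123456", "michael", "jordan",
    "dragon", "soccer", "killer", "pepper",
]

# Substitutions people use to satisfy complexity rules ("1" is handled
# separately below because it stands for both "i" and "l").
LEET_BASE = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                           "7": "t", "@": "a", "$": "s", "!": "i"})


def passes_complexity_rule(password: str) -> bool:
    """A typical corporate rule: 8+ characters with upper, lower, digit and symbol.
    This is the 'feeling' of security: the rule is met, so the user feels safe."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def normalized_variants(password: str) -> set:
    """Lowercase the password and undo leetspeak, trying both readings of '1'."""
    base = password.lower().translate(LEET_BASE)
    return {base.replace("1", "i"), base.replace("1", "l")}


def weak_tokens(password: str, tokens: List[str] = COMMON_TOKENS) -> List[str]:
    """Return the common tokens hidden in the password, in dictionary order.
    Pure-digit tokens such as '1234' are matched against the raw lowercase
    password, since the leet mapping would rewrite their digits."""
    variants = normalized_variants(password)
    raw = password.lower()
    found = []
    for tok in tokens:
        if tok.isdigit():
            hit = tok in raw
        else:
            hit = any(tok in v for v in variants)
        if hit:
            found.append(tok)
    return found


def assess(password: str) -> dict:
    """Compare the rule-based verdict with the dictionary verdict for one password."""
    return {
        "passes_rule": passes_complexity_rule(password),
        "weak_tokens": weak_tokens(password),
    }


if __name__ == "__main__":
    # Constructed samples: three 'rule-compliant' passwords built on leaked tokens,
    # one random one, and one bare token.
    for pw in ["M1chael2012!", "K!11er2013", "Dragon123!", "xK9#vT2@pLq7", "123456"]:
        print(pw, assess(pw))
```

Run as a script, the first three passwords pass the complexity rule yet each reduces to a token from the leaked list, while the random password passes the rule and contains none; that gap between "passes the rule" and "not in the attacker's first guesses" is the difference between feeling safe and being safe.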
People are more terrified of being eaten by a shark than of dying of a heart attack….. but far more people die of heart attacks
Analysis
People exaggerate risks that are abnormal
More kids die choking on french fries than of adrenoleukodystrophy
Reason 1: Security is both a “Reality” and a “Feeling”
For security practitioners security is a “Reality” based on the mathematical probability of risks
For the end user security is a “feeling”
Success lies in influencing the “feeling” of security
Reason 2: Not every attack(er) is that smart
People exaggerate risks that are spectacular or uncommon: “So what? RSA was hacked.”
[Chart: control efficiency plotted against risk severity / attacker smartness / attack efficiency. Controls are grouped into “Technology & Processes” and “Awareness & Competence”:]
1. Automatic security controls – AV, updates
2. Technology + Human – firewall configuration, choosing a secure Wi-Fi
3. Human – recognizing a zero-day attack, phishing mails, not posting business information on social media
4. The very smart attacker
Reason 3: Technology…yes, but humans…of course!
Aircraft have become more advanced, but does that mean pilot training requirements have been reduced?
Medical technology has become more advanced, but would you choose a hospital for its machines or for its doctors?
The Solution Model
Security Awareness and Competence Management
The solution is based on HIMIS
• HIMIS – Human Impact Management for Information Security
• Released under a Creative Commons License
• Free for Non-Commercial Use
http://www.isqworld.com/himis
[Process diagram: Security risk analysis → Identify the human factor → Awareness and Behaviour (Competence) → Assess, improve, re-assess]
ESP – Expected Security Practice
1. Awareness Vs. Competence
Consider both “Awareness” and “Competence” independently
2. Visualize, engage ….and influence perception
3. Remember drip irrigation
Small doses, more frequent
Which is more effective – Drip irrigation or spraying a lot of water once a day?
4. Re-measure frequently
[Gauge: Organization’s awareness score was 87% (scale: low / medium / high awareness); what is it now?]
[Gauge: Organization’s competence score was 65% (scale: low / medium / high competence); what is it now?]
Threat forecast
• Natural disasters
• Diminishing end user security awareness
• Moving to cloud
• Social media proliferation & data leaks
• Corporate frauds
• Attacks using GPS tracking
• Economic espionage
• Introduction of new devices (smart phones etc.)
• Online leaks
• Fast development and release of apps without testing
• Smart outsourcing resulting in less workforce loyalty
Emerging threats 2013 (report by ISF)
Summary
[Diagram: Technology (firewall), Process and People as layers of defence around Information]
Technology and processes are only as good as the people that use them
Let’s switch ON the Human Layer of Information Security Defence
Thank You
Anup Narayanan
www.isqworld.com