Koen Maris – The Human Factor in Information technology – Copyright 2005 – [email protected] The Human Factor in Information Technology

Upload: koen-maris

Post on 10-May-2015


DESCRIPTION

A thought on security awareness back in 2005

TRANSCRIPT

Page 1: The human factor

The Human Factor in Information Technology

Page 2: The human factor

Introduction

• 75% of security incidents caused by human error

• Technology oriented civilization

• General ignorance in all layers of the civilization

Page 3: The human factor

Work environment

• Employees often clueless about security improvements.

• Incidents often caused by:

– Configuration error

– Misinterpretation

– Intentional action

Page 4: The human factor

Design issue

• Techies' needs vs business needs

• Business function vs security

• User-friendly vs security

• The strength of a design is often its downfall: regular users do not think like those who designed it

• Design should identify human and societal needs

Page 5: The human factor

Technology

• Technology changes rapidly, resulting in an inability to manage it

• Technology often ties us to our work; instead of making it easier, it gets worse

• Top-notch technology is expensive and does not guarantee security.

• Implementers are often external and could leave insecure traces, purposely or by error

Page 6: The human factor

Social engineering

• Art of deception or persuasion

– The exploits

– Human-based social engineering

– Technology-based social engineering

Page 7: The human factor

Social engineering: the exploits

• Diffusion of responsibility

• Trust relationships

• Moral duty

• Guilt

• Desire to be helpful

• Cooperation

Page 8: The human factor

Human-based social engineering

• Impersonation

• The VIP approach

• Shoulder surfing

• Dumpster diving

• Piggy backing

• Third party approach

Page 9: The human factor

Technology-based social engineering

• Popup windows

• Mail attachments

• Spam, Spim, chain emails, hoaxes

• Websites

Page 10: The human factor

Countermeasures: building a human firewall

• Convince top management

– Top-down approach

– Prove security is a business enabler, not only a cost.

– According to Gartner, the executive board has 3 major questions when confronted with security issues:

• Is our security policy enforced fairly and consistently?

• Would employees, contractors and partners know if a security violation occurred?

• Would the company know how to handle and react if they recognize a security violation?

Page 11: The human factor

Countermeasures: building a human firewall

• Assign and clarify roles/responsibilities

– Separation of duties: do people have the authority?

– Careful with overlapping duties

– Clear statements from management

Page 12: The human factor

Countermeasures: building a human firewall

• Define an action plan linked to a budget

– Assessment of relative value of information assets

– Use a risk assessment approach

– Prioritize asset values to simplify budgeting

– Involve all units

Page 13: The human factor

Countermeasures: building a human firewall

• Develop/update the policy framework

– Policies evolve, just as the law does in real life

– Written in language everyone can understand

– Align with business goals; constraining or contradictory policies end up on the forgotten list

Page 14: The human factor

Countermeasures: building a human firewall

• Develop incident response program

– Reduce damage

– Recover quickly and efficiently

– Keep a trace of the security event and learn from it

Page 15: The human factor

Countermeasures: building a human firewall

• Develop a security awareness program

– Conduct a survey to find the weak and strong domains

– Repetition is the key to success

– Events happening in the world could be the initiator

– It should not be limited to a one-shot effort. Use any means possible, such as quizzes, posters, intranet, mails, etc.

Page 16: The human factor

Countermeasures: building a human firewall

• Develop a security awareness program

– Senior management

– Mid management

– Staff

– Technical staff

Page 17: The human factor

Countermeasures: target audience

• Develop a security awareness program

– Senior management

• Focus on key elements, risk level, loss

• Numerical or statistical approach

• Real-life examples

Page 18: The human factor

Countermeasures: target audience

• Develop a security awareness program

– Mid management

• Granular approach on policies, procedures, …

• In charge of mapping it to the different departments

• Use business examples

Page 19: The human factor

Countermeasures: target audience

• Develop a security awareness program

– Staff

• Repetition = key to success

• Split into job-related groups

• Stress the importance of his/her job and the security-related issues involved

Page 20: The human factor

Countermeasures: target audience

• Develop a security awareness program

– Technical staff

• Audit trails are often seen as work control

• Security is often integrated only after everything is running

• Convince them that security also protects their own work environment

Page 21: The human factor

Countermeasures: building a human firewall

• Measure your security awareness efforts

– A quiz is an excellent tool to measure

– Security event statistics can indicate weak spots

– Evaluation forms give insight into current issues and where to improve

Page 22: The human factor

The Human Factor

Q & A