TRANSCRIPT
December 09
The AR Conference Calls 2009
Compilation
About ENISA
The European Network and Information Security Agency (ENISA) is an EU agency created
to advance the functioning of the internal market. ENISA is a centre of excellence for the
European Member States and European institutions in network and information security,
giving advice and recommendations and acting as a switchboard of information for good
practices. Moreover, the agency facilitates contacts between the European institutions, the
Member States and private business and industry actors.
Contact details
For contacting ENISA or for general enquiries on information security awareness raising
matters please use the following details:
E-mail: [email protected]
Internet: http://www.enisa.europa.eu
Legal notice
Notice must be taken that this publication represents the views and interpretations of the
authors and editors, unless stated otherwise. This publication should not be construed to
be an action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA
Regulation (EC) No 460/2004. This publication does not necessarily represent state-of
the-art and it might be updated from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content
of the external sources including external websites referenced in this publication.
This publication is intended for educational and information purposes only. Neither ENISA
nor any person acting on its behalf is responsible for the use that might be made of the
information contained in this publication.
Reproduction is authorised provided the source is acknowledged.
© European Network and Information Security Agency (ENISA), 2009
Compilation
The AR Conference Calls 2009
3
PREFACE ............................................................................ 4
About this report ................................................................... 4
About the AR Conference Calls ....................................................... 4
Acknowledgments ..................................................................... 4
PRESENTATIONS ....................................................................... 5
Overview ............................................................................ 5
Claire Vishik ....................................................................... 6
New Security & Privacy Risks: Cost of Innovation .................................... 6
Daniel J. Blander ................................................................... 8
How to promote security awareness in your company ................................... 8
Florence Mottay .................................................................... 10
Good practice in assessing and mitigating risks of software development outsourcing  10
Shirley Atkinson ................................................................... 13
Peer education and Internet Safety ................................................. 13
Lucas Cardholm ..................................................................... 15
New marketing opportunities in Privacy: European Privacy Seal ...................... 15
Andrea Simmons ..................................................................... 16
Tackling the barriers to achieving Best Practice in Information Assurance .......... 16
Sissel Thomassen ................................................................... 18
An Awareness Threat Horizon: Future Threats and Cultural Aspects ................... 18
Ulrich Seldeslachts ................................................................ 20
L-SEC in Belgium – How Leaders in Security help in raising security awareness ...... 20
Daniel J. Blander .................................................................. 22
Emerging Trends in Security Governance: Making Security a Business Success ......... 22
Daniele Vitali ..................................................................... 24
Business Case: How to persuade Business of the importance of security in a media company  24
Johannes Wiele ..................................................................... 26
Human Factor Risk Assessment ....................................................... 26
Joao Moita ......................................................................... 28
The role of security in the new e-World ............................................ 28
Kathrin Prantner ................................................................... 30
E-SEC Virtual Training ............................................................. 30
Preface
About this report
This compilation consists of summaries of the presentations given in the AR Conference
Calls (the Conf Calls) 2009. The purpose of this compilation is to share the content and
outcome of the Conf Calls to the members of the AR Community as well as to General
Public.
About the AR Conference Calls
The Conf Calls were launched in spring 2007, and six Calls were organised during that year.
The 2008 Work Programme included, among other things, the task of building a "cooperation
platform", which was then named the AR Community. In addition, from 2008 the Conf
Calls were formally established as a means to facilitate discussions and the exchange of
good practices.
In 2008, nine Conf Calls were organised; one each month with the exception of July,
August and December. As in the previous year, two speakers presented on each occasion.
The calls covered a wide range of topics from how to raise security awareness through e-
Learning, to briefings of the awareness level among general public gathered through
surveys. The Conf Calls continued in 2009 and they have been appreciated by many
members. By offering the AR Community members a place for the interchange of ideas
and the sharing of knowledge and experiences between members, the Conf Calls have
contributed to the building of the AR Community.
Acknowledgments
The moderator of the 2009 Conf Calls, Mr. Kjell Kalmelid, Expert Awareness Raising,
wishes to acknowledge and warmly thank all members of the AR Community who have
presented in this year's Conf Calls.
Ms. Claire Vishik
Mr. Daniel J. Blander
Ms. Florence Mottay
Mrs. Shirley Atkinson
Mr. Lucas Cardholm
Ms. Andrea Simmons
Ms. Sissel Thomassen
Mr. Ulrich Seldeslachts
Mr. Daniele Vitali
Mr. Johannes Wiele
A special thanks to AR Community member Wendy Goucher for her valuable comments and
feedback, and for her invaluable help in editing a large part of this compilation.
Presentations
Overview
In 2009, the AR Conf Calls were held eight times with 13 speakers.
Month | Speaker | Topic
February | Claire Vishik, Intel | "New Security Risks: Price of Technology Innovation"
March | Daniel J. Blander, InfoSecurityLab, Inc. | "How to promote Security Awareness inside your company"
April | Florence Mottay, Security Innovation | "Good practice in assessing and mitigating risks of software development outsourcing"
April | Shirley Atkinson, Plymouth University | "Peer education and Internet Safety in Plymouth"
May | Lucas Cardholm, Ernst & Young | "New Market Opportunities in Privacy: European Privacy Seal"
May | Andrea Simmons, Simmons Professional Services Ltd. | "Tackling the barriers to achieving Best Practice in Information Assurance"
June | Sissel Thomassen, InfoSecure | "An Awareness Threat Horizon: Future Threats and Cultural Aspects"
June | Ulrich Seldeslachts, L-SEC | "L-SEC in Belgium: How Leaders in Security help in raising security awareness"
September | Daniel J. Blander, InfoSecurityLab, Inc. | "Emerging Trends in Security Governance: Making Security a Business Success"
October | Daniele Vitali, Spike Reply | "Business Case: How to persuade Business of the importance of security in a media company"
October | Johannes Wiele, Defense AG | "Human Factor Risk Assessment"
November | Joao Moita, Deloitte & Associados | "The role of security in the new e-World"
November | Kathrin Prantner, E-SEC Information Security Solutions GmbH | "E-SEC Virtual Training"
Claire Vishik
Dr. Claire Vishik works with Intel Corporation UK. Her work focuses on hardware security,
trusted computing, privacy enhancing technologies, some aspects of encryption and
related policy issues. She is active in standards development and is on the Board of
Directors of TCG, the Trusted Computing Group. She received her PhD from the University
of Texas at Austin. Prior to joining Intel, Claire worked at Schlumberger Laboratory for
Computer Science and AT&T Laboratories studying security and other aspects of Internet
technologies.
New Security & Privacy Risks: Cost of Innovation
Excellent progress was made in the last 10 years in increasing security assurance in ICT
products and services through improving the technology development process,
dissemination of information about vulnerabilities, and techniques to mitigate the risks
from malware and breaches. But we need to admit that new security risks are one of the
prices we have to pay for technology innovation because it is impossible, even with the
best models, to anticipate all the risks associated with broad deployment of new
technologies.
The talk addresses some aspects of the connection between technology innovation and
new security risks. Starting with a brief study of this relationship, the lecture moves on to
the "weaker points" for security in today's dynamic environments, where a good
proportion of technology components undergo significant changes or replacement over
shorter and shorter cycles, currently 18 months to 3 years. Some of the security imbalance
lies in the fact that the various components of the ecosystem are not uniformly protected: this
lack of uniformity concerns endpoints, networks, and software applications (see Figure 1
below).
Figure 1: Different Levels of Security Assurance across the Ecosystem
The risk points are not due only to weaknesses in single domains, but can emerge due to
interaction of multiple domains (e.g. mobile telephone and PCs). But they also appear in
new applications, sometimes not connected to security or communications, such as known
attacks on improved power management tools on newer PCs. The talk studies other
imbalances, such as the disconnection between the distribution of attacks (95% appear to
be against home PC) and focus of the security efforts (organization rather than
consumers).
In order to illustrate the complex composition and nature of the new threats, the talk
analyzes information from more than 50 different studies and forecasts, and concludes with a
summary of the innovative technologies where risks appear to be concentrated and the activities
that can help alleviate these risks.
Daniel J. Blander
Mr. Daniel Blander is President of Information Risk Management consulting business
Techtonica and co-owner of the Security Awareness company InfoSecurityLab. His twenty
years of experience in IT and Information Security includes the development of world-wide
security and risk management organizations and programs for companies in the financial,
technology, healthcare, retail, manufacturing, telecom, airline, and service sectors. In
addition to being a certified CISM and CISSP, Daniel was nominated as 2008 Information
Security Executive of the Year for the West. He also lectures around the world on trends
in risk management and security governance.
How to promote security awareness in your company
Those of us who work with, and are passionate about, security awareness know its value
to business. We understand its potential to positively affect overall operational
effectiveness, as well as its possibility of promoting internal cooperation. Indeed, there are so
many good reasons for making an intelligent investment in awareness that the remarkable
resistance of real-world organizations can be difficult to understand, and then to overcome.
In his first talk of the year, Daniel Blander of InfoSecurityLab tackled the problem of
promoting security awareness head on with the aim to demonstrate that Security
Awareness should be an important part of the Information Security Management System
of an organization. Daniel defines security awareness as “the process of making people
aware of the risks to the things they value, and how they can safeguard against those
risks” and starts from the position of what is understood about security and about the
need for awareness within the organisation. This equates nicely with the educationally
sound theory that good persuasion should be about moving from known concepts and
ideas towards new ones.
Interestingly, Daniel identifies self-inflicted problems, such as the belief by management
that staff are not interested in security and would not pay attention, so that the
investment cannot be justified in ROI terms, alongside more standard inhibitors such as
concerns about the cost of awareness programmes and the amount of time that would need
to be taken out of the operational week for staff to take in the awareness message. It is
this projection of the attitude of staff that is the backbone of the method Daniel uses. He
needs to deal not only with the issues themselves, but with the perception of how the
message will be delivered and received, both by internal and by external customers.
The start of his campaign of persuasion uses quotes from other sources including Kevin
Mitnick, who is famous enough that the name will have some resonance. Mitnick says, in
his book “The Art of Deception”,
“There is only one way to keep your product plans safe and that is by having a trained, aware, and a
conscientious workforce. This involves training on the policies and procedures, but also – and probably even more important – an ongoing awareness program”.
When setting out the appropriate approach, a first step can often be to confront the
standard approach, in this case the 'FUD' approach, which seeks to undermine the customer's
current beliefs and operations in an effort to make the customer look for external help, in the
form of security awareness training. The problem with that approach is that it has the
panicking customer look for a short-term lifeline, rather than for swimming lessons and an
understanding of what sort of waters are safe to swim in. As Daniel argues, fear,
uncertainty and doubt are not about awareness; they are about reaction. The best
approach is a medium- to long-term change to organisational culture, which
means that it has to focus on behavioural change on the part of all staff, and in all
situations.
The 4 steps to this approach are:
Make it relevant - because people must feel that the information is relevant to their home and work life.
Empower staff - because people must feel that security is about working with them in their operations, not just against them.
Make it easy to understand - if the message is not clear then it will be ignored.
Make it fun - because laughter and amusement are the super glue that makes information stick significantly better. Boredom, on the other hand, is information coated in Teflon.
The techniques for putting across the security awareness message should be chosen so that
they work with the organisation's culture and address concerns such as cost, time and
retaining the interest of staff. Some of the techniques discussed included the use of e-mail,
web portals, e-learning and 'Lunch and Learn' sessions, where staff are given insight into data
security issues that affect them personally, such as home shopping.
Florence Mottay
Ms. Florence Mottay is a seasoned Business Manager and an adept Security Expert. As
Managing Director of Security Innovation, she is responsible for the long-term growth,
stability, market leadership, and client satisfaction of the company's EMEA operations.
Leveraging her pervasive technical and operational experience, Ms. Mottay often serves as
a primary point of contact with customers, where she assesses their principal security
concerns and ensures the Product and Services teams devise an operative plan designed
to meet and exceed their stated objectives.
Good practice in assessing and mitigating risks of software development
outsourcing
Over the years, managing software security risks has proven to be an arduous task,
especially when the development process is partially outsourced. Implementing a general
software security initiative is the first step towards effectively mitigating software security
risks associated with outsourcing software. This presentation will focus on the key role of a
security framework within such an initiative, and how it relates to the specific business
drivers for software security.
Operational risk is a very broad concept and includes amongst others physical,
environmental and technical risks. Management of the technical risk can be achieved
through identification of risks and smart implementation of controls. One key aspect of
technical risk management is software security, which is present in one way or the other in
all related security areas; the most obvious being Access Control, System Development
and Maintenance, and Logging and Monitoring.
When development is outsourced the most troublesome areas are the System
Development and Maintenance areas. Although outsourcing is an effective method to
reduce costs, it also entails the loss of control over the outsourced software. Security is
just one of the challenges related to outsourcing and currently does not have a high
priority. Communication issues, delays and quality issues supersede the importance of
security issues for the moment but as processes mature, focus will inevitably shift to
quality in terms of security. In the meantime, the focus should be on selecting the right
outsourcing partner for our needs; however, gauging the security awareness of a potential
partner prior to actual cooperation, and putting the right controls in place to mitigate
critical risks, can be challenging.
The set of controls at our disposal is fairly well-known and includes all controls that span
the Software Development Life Cycle (SDLC), from the requirements to the deployment
phase. They have all proven to be useful: full code reviews and penetration tests on all
software received significantly reduce the risks. However, these services are both time-
consuming and expensive, and therefore cannot be considered a standard solution for
every project. Education is another interesting control commonly used to mitigate software
security risks. However, training all outsourcing partners would again be too expensive
and would offer too little return on investment.
In each case, the appropriateness of each control has to be determined. A security
checklist or framework is a system that aids in evaluating the controls and
helps reach the right balance between costs and security.
In risk management terms, the mitigation costs should not exceed the cost of possible
security breaches. Public security breaches may cost millions of dollars in direct losses.
However, we tend to focus on the immediate costs while the soft costs are often forgotten.
It may be difficult to determine the exact costs of protecting reputation and restoring
customer trust, but they often amount to more than the loss caused by the actual breach.
In addition to limiting financial consequences, resistant software protects your brand
reputation and enables you to comply with standards. It is also less expensive to maintain.
Fixing a security bug during the design phase is 100 times less expensive than fixing it
during the production phase. Reducing the occurrence of software vulnerabilities helps you
minimize costs. However, reducing the number of vulnerabilities is not an easy task, as
attackers have a real advantage. They outnumber developers in any given team and they
have all the time they need to uncover vulnerabilities. In general, outsourcing causes the
loss of control over the confidentiality and integrity of your code. On top of that the
controls of outsourcing partners might be weaker, you have less control over the staff and
therefore you cannot properly evaluate the risk of insider threats.
To mitigate these risks, service level agreements are starting to include specific software
security requirements. These SLAs either contain quality statements such as 'software
needs to be secure' or require the implementation of a specific bug bar, such as a
predefined maximum number of vulnerabilities revealed by a code scanner. These
requirements are a good start, but they are still too vague and sometimes hard or even
impossible to apply. The concept of a bug bar is very interesting, but it should also be highly
dependent on the application. An external application dealing with critical assets deserves
more scrutiny than an internal application used for informational purposes only.
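The following script is an added example and is not code from the presentation or from Security Innovation. It shows how a bug bar of the kind described above can be written down as a measurable acceptance gate rather than as a vague quality statement: the maximum number of open findings per severity depends on the application's profile (exposure and data criticality), so that an external application handling critical assets is held to a stricter bar than an internal informational tool. The bug bar values, the `AppProfile` type, the finding format and the sample scanner report are all constructed assumptions for this example.

```python
"""Bug-bar acceptance gate for an outsourced software delivery.

Added example (not from the presentation). Assumptions, all constructed here:
- The partner delivers a code-scanner report as a list of findings, each with a
  'rule' id and a 'severity' of critical/high/medium/low.
- The SLA bug bar is the maximum number of open findings allowed per severity,
  chosen per application profile (exposure and data criticality).
"""
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class AppProfile:
    exposure: str  # "external" or "internal"
    data: str      # "critical" or "informational"


# Hypothetical bug bars: maximum open findings per severity. Stricter for an
# external application handling critical assets, looser for an internal
# informational tool. None means no limit for that severity.
BUG_BARS = {
    ("external", "critical"):      {"critical": 0, "high": 0, "medium": 2,  "low": 10},
    ("external", "informational"): {"critical": 0, "high": 1, "medium": 5,  "low": 20},
    ("internal", "critical"):      {"critical": 0, "high": 1, "medium": 5,  "low": 20},
    ("internal", "informational"): {"critical": 0, "high": 3, "medium": 10, "low": None},
}


def bug_bar_for(profile):
    """Look up the SLA bug bar that applies to an application profile."""
    key = (profile.exposure, profile.data)
    if key not in BUG_BARS:
        raise ValueError(f"no bug bar defined for profile {key}")
    return BUG_BARS[key]


def count_by_severity(findings):
    """Count scanner findings per severity, rejecting unknown severity labels."""
    counts = Counter()
    for finding in findings:
        sev = str(finding.get("severity", "")).lower()
        if sev not in SEVERITIES:
            raise ValueError(f"unknown severity {sev!r} in finding {finding.get('rule')}")
        counts[sev] += 1
    return counts


def evaluate_bug_bar(findings, profile):
    """Return (accepted, violations).

    violations maps each severity that exceeds the bar to (count, limit), so the
    rejection can be reported back to the partner with concrete numbers.
    """
    bar = bug_bar_for(profile)
    counts = count_by_severity(findings)
    violations = {}
    for sev in SEVERITIES:
        limit = bar[sev]
        if limit is not None and counts[sev] > limit:
            violations[sev] = (counts[sev], limit)
    return (not violations, violations)


# Constructed scanner report for one delivery (rule ids are made up).
SAMPLE_FINDINGS = [
    {"rule": "SQLI-001", "severity": "high",   "file": "orders.py"},
    {"rule": "XSS-002",  "severity": "medium", "file": "views.py"},
    {"rule": "XSS-002",  "severity": "medium", "file": "profile.py"},
    {"rule": "HDR-010",  "severity": "medium", "file": "app.py"},
    {"rule": "LOG-003",  "severity": "low",    "file": "util.py"},
]

if __name__ == "__main__":
    for profile in (AppProfile("external", "critical"),
                    AppProfile("internal", "informational")):
        accepted, violations = evaluate_bug_bar(SAMPLE_FINDINGS, profile)
        verdict = "ACCEPT" if accepted else f"REJECT {violations}"
        print(f"{profile.exposure}/{profile.data}: {verdict}")
```

Run as a script, the same delivery is rejected for the external/critical profile (one high and three medium findings against limits of zero and two) and accepted for the internal/informational profile, which is the point of making the bar depend on the application rather than applying one number to every project.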
The safest approach to mitigate software security risks is to put a security initiative in
place. A security initiative is composed of different controls. Some are specific to a certain
phase of the SDLC; others are at a more global level, such as a security framework, but each
is effective in its particular context. Design requirements bring good value but are usually
more suitable for large systems. Code review and penetration tests are highly effective but
also very costly, and should consequently be used for critical applications only. Education, as
briefly mentioned earlier, can only be used efficiently within internal development teams or
within the context of long-term outsourcing agreements.
Figure 2: Example Framework
Using a security framework is relatively cheap and can be used for all types of applications
and systems. Although it is more complex and will differ depending on the organization, it
effectively combines all controls available to reach the right balance between cost and
security, and can be used as a 'security contract' with an outsourcing partner. Furthermore,
when a security framework is in place, security trends such as new vulnerability types, new
best practices and security lists can easily be integrated into the existing framework. We live
in an information-overloaded world and security frameworks offer a first glimpse of clarity:
they help integrate all the pieces of the complex software security puzzle.
Shirley Atkinson
Dr. Shirley Atkinson is an associate lecturer at the University of Plymouth. She has been
researching the effects of internet technologies on young people for the last five years and
has recently completed a UK Government funded project setting up peer ambassadors
supporting safe online behaviours in schools. In addition to her research work, she is
involved in delivering programming tuition to different levels at the University and leads a
team of volunteers in running a cooperative children's youth group.
Peer education and Internet Safety
This presentation gave an outline of the peer education project recently completed here at
the University of Plymouth.
An assumption made is that a key element to information security is a need to encourage
safe online behaviours. Peer education was considered as a mechanism for encouraging
awareness of risks and being able to distribute the knowledge of individual self-protection.
However, by concentrating on risks there is the potential to create a culture of fear
whereby activity is stifled because of the unbounded nature of the risk - nobody feels safe,
and that state of mind influences perception. Here in the UK the media help to perpetuate
that culture of fear, dwelling heavily on the negatives.
When considering the realm of young people, they see dwelling on risk as irrelevant to
them, somebody else will suffer, and perhaps they need to protect others. They don't see
that their own actions are putting them in danger. To counteract this, Peer Education has
been proposed as a potential solution with the aim that young people influence others
around them. But there are barriers. The effectiveness of peer education has been difficult
to measure. Concerns arise about protecting young people against the effects of cyberbullying,
and one key concern was the disclosure of abuse and how to deal with it. Culture and context
play a key role: not all environments are suited to allowing peer education activities.
The University of Plymouth was awarded one year's funding by BECTA - the British
Educational Communications and Technology Agency - to provide a complement to
existing awareness-raising workshops. The aim was to create and evaluate a peer-led
internet safety programme aimed at 14 to 16 year olds. 8 out of 15 schools in the local area
participated, giving insight through focus groups into the opinions of 202 young people. They
demonstrated a very good understanding of the issues, but their actual practice varied,
revealing that current e-safety messages were not deemed relevant. 30 young people were
invited to become e-Safety Ambassadors and they were key to raising awareness. Websites
were a favoured approach, but one school had a display stand on a key parental involvement
day. One of the schools attended a multi-agency conference on Safer Internet Day, another
wrote a piece for the Children's BBC.
Figure 3: Example of engagement
Peer education was found to have no clear definition, and encompassed a number of
methods of delivery which encouraged a diversity of engagement activities. The delivery
of the awareness was found to be effective, but we were taking small steps. Engaging the
peers to deliver these initiatives has to be realistic, not tokenistic, and it certainly was
not automatically going to engage young people.
Lucas Cardholm
Mr. Lucas Cardholm, LL.M., MBA, Executive Director, Ernst & Young Sweden, is an IT
lawyer specialised in operational risk management. He is an experienced global project
manager working with cost benefit analyses, e-signatures, and privacy and encryption
issues. Lucas is the author of several internationally published articles in this area.
New marketing opportunities in Privacy: European Privacy Seal
Lucas presented in the Conf Call in May. His presentation was an interesting piece on
something which should go some way towards helping organizations across Europe to
achieve a good standard of security compliance, in a way that will be recognized across
the EU. As business grows across Europe, and co-operation between organizations
from widely different countries and cultures develops, it is important that there is an
ongoing development of ways to give a recognized level of security assurance within
the Eurozone.
To this end, EuroPriSe has been devised, which is a transparent certification scheme for
companies and authorities to confirm and communicate compliance with the European Privacy
Directives. All member states are covered by the standard and it has also achieved worldwide
recognition.
“The way the EuroPriSe has been set up is promising. It is designed to be consistent across Europe, and it aims at showing business benefits. The seal should be on the radar of all companies dealing with personal data.” (Gartner, 12 June 2008)
The objectives of the scheme are:
To provide a certification scheme, based on a transparent and revisable procedure supervised by independent authorities or trustees.
To provide uniform criteria based on the European Privacy Directives, valid throughout the European Member States.
To provide a positive incentive to develop and deploy privacy-compliant and privacy-enhancing products and services on the market.
It seems that, although the scheme was only launched at the beginning of 2009, uptake is
encouraging:
There are already 70 experts in 10 countries, with around 100 in the pipeline. These come from a range of specialties, including law, technical (mainly CISSP/CISA or equivalent) and some who span both.
As of May 2009, six seals had been awarded, including to Microsoft SPP (US), and more than 10 were in the process of undergoing certification. It is expected that by this time (the end of 2009) the number will have increased.
Target companies include those where privacy is vital (e.g. healthcare), regulated
industries (e.g. the finance sector) and mature organizations who are familiar with the
idea of internal control.
Andrea Simmons
Ms. Andrea Simmons is the Founder and Director of Simmons Professional Services Ltd.
She is an experienced information assurance evangelist/business consultant and project
manager with expertise in several disciplines. She has over 12 years of wide experience of
the information security industry within both the public and private sector. Andrea is
currently running her own consultancy business and works associatively with several public
and private sector organisations. Andrea is a member of several prominent associations
such as the Management Committee of IAAC and the BCS and is a founder member of the
Institute of Information Security Professionals (IISP).
Tackling the barriers to achieving Best Practice in Information Assurance
Having completed a 50,000 report on "Achieving best practice in Public Sector Information
Security" in November 2008, it seemed appropriate to investigate the possibility of
converting this significant piece of work into a PhD submission. The content is particularly
relevant and up to date, given the spate of data breaches that besmirched 2008.
So far, we have seen our industry mature from IT Security, through Information Security,
to Information Assurance and we are now heading towards the broader view of
Information Governance “in the round”.
As an information governance expert consultant, the lion's share of my work has been
undertaken in support of public sector information compliance related activities and I am
keen to further explore the maturation of issues related to professionalism in the industry
and achieving the culture change required in order to embed information security as a
natural, "business as usual" activity. Doing so would aid the rebuilding of public trust and
confidence that is so desperately required, balancing that in so doing strategies and
solutions need to be implemented in a way that does not infringe the rights and freedoms
of individuals.
Years of ISO27001 training and consultancy delivery lead one to know that if one is
carrying out a thorough review of assets, the list goes something like:
people
processes / services
technology (software, applications)
physical (buildings, equipment, hardware)
data and information (could be electronic and paper)
reputation, brand etc.
Figure 4: the Maturity process of Security
Information surely cannot be perceived to be "intangible"? You can see it, touch it, share it, use it, pass it on - lose it. A dictionary definition suggests that something intangible is hard to value - fair enough, I can accept that. Although at a recent round table discussion, what became clear was actually if you ask the opposite - i.e. what is the perceived "deprival value" - then it gives people a clearer understanding of the implications of the potential value of the information in question. How would you value the information that Bob Quick had in his hand when he so inadvertently held it "unwrapped" as it were and all that thereafter ensued? [1] The Ponemon Institute issued research recently that put a value on the average laptop loss of $50,000 - that's arguably significantly more than the physical cost of the tangible asset. In the UK public sector, under the Security Policy Framework of the UK Cabinet Office, Senior Information Risk Owners should identify Information Asset Owners and I recently read a great piece of work by James F. Stevens of Carnegie Mellon University, which clarified that there is a clear differentiation between an Asset Owner and a Custodian. [2]
Either way, all of these roles should be actively engaged in identifying, classifying, labelling and protecting information assets. There are already Information Governance experts tackling a combination of information law agenda including Data Protection, Freedom of Information, Environmental Information Regulations and the Regulations on the Re-use of Public Sector Information – a number of which in some way or other require the collation of inventories of information assets. If all of this activity is being done, then valuing them should be added to it.
Future research work should look at how best to join up the current professionalism
agendas and apply it to the continual delivery and improvement of information security
within the public sector – in keeping with the Government's post-Poynter review agenda of
embedding Information Assurance for the greater good. Potentially the difficulty is that
there is no differential knowledge in this area, but a lot of confusing mixtures of the
concepts of information security, IT security, information assurance and information
governance. Also, there is a need to review the impact of politics and culture on the
shifting priorities that distract from embedding the “best practice” that should be inherent
in all well performing organisations.
What is required is a determination to illuminate, for those who need to know, the
potential impact on creating the right kind of culture and embedding of security awareness
in terms of day to day living for all concerned in order to combine all these agendas.
However, this needs to be done with a different attitude and approach, including the use of
humour and humility – rather than authoritarian, dictatorial, negative policy edicts. We
must embrace our Web 2.0 users and seek to future proof ourselves better rather than
permanently fighting fires and appearing to always be playing “catch up”. All contributions
to my intended research will be most welcome!
[1] Assistant Commissioner Bob Quick, Britain's most senior counter-terrorism officer, left his post after being photographed with a secret document on show when he arrived for a Downing Street briefing. http://news.bbc.co.uk/2/hi/uk_news/7991590.stm
[2] Stevens, James F. Information Asset Profiling (CMU/SEI-2005-TN-021). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2005. http://www.cert.org/archive/pdf/05tn021.pdf
Sissel Thomassen
Ms. Sissel Thomassen, InfoSecure Group, is an Information Security professional, with
more than 25 years' experience within the Information Security arena. She worked 10
years for the Norwegian Defence, and has more than 8 years of Information Security
knowledge from banking in the UK, where she was responsible for the training programme
for Information Security Coordinators, information security policies, third party evaluations
and security incident management. As a director for InfoSecure Group, she is responsible
for the UK and Scandinavian operations. She has implemented Information Security
awareness and training programmes world-wide for InfoSecure Group over the last 3 years.
An Awareness Threat Horizon: Future Threats and Cultural Aspects
Innovations in information technology have increased rapidly over the past few years and generated significant progress across many business sectors and industries in the way information is generated, stored, managed, distributed and archived. However, this innovation has also created opportunities for those seeking to intercept or corrupt valuable information and disrupt the flow of business, jeopardising all kinds of assets.
These external threats must be taken seriously and technical solutions can go a long way in preventing them. However, are we equally aware of the internal threats from the people who run our businesses? More effective solutions are needed to counter these threats and effective training must be provided to everybody working with valuable business information. As new threats emerge, new training material needs to be deployed.
The newspapers are constantly reporting information security incidents. Our reputation is at risk should we be the next organisation to experience a security incident. Once-bulky IT equipment is shrinking, and we are more mobile, working away from our desks in less secure environments. Some of the future challenges to achieving successful security awareness in enterprises include lack of management commitment, new technology, a new-generation workforce and a remote workforce.
No matter which technical solutions are implemented to reduce security risks, the people working with information will always remain the weakest link. For too long, organisations have relied on technical solutions to protect their infrastructure and data. It never seems too difficult to get a budget for new IT equipment, whilst obtaining resources for awareness programmes has proven somehow more difficult. The importance of the human element must never be underestimated, and with good technical protection, employees are more vulnerable to social engineering than before, as the criminals have begun targeting people instead of systems.
Senior management's approval and commitment are crucial for the success of an effective awareness programme, not only to ensure that the people on the floor follow the programme, but also to ensure that line management understand their importance as the ones who must encourage their staff and set aside time for them to undertake the training. Management's commitment can be made visible in many ways, from including a written statement in training material to delivering a stronger message by using a management commitment film as part of the awareness training programme.
Target the awareness programme to staff's job roles to ensure appropriate training. The training must be sufficiently detailed to prevent key messages getting lost. Make the programme fit the organisation's culture by using language and formats that people understand. Multimedia has proven to be successful in demonstrating live examples of incidents and making the learning material more effective. Interactive elements are also popular to engage with the audience in an e-Learning environment.
The new generation employees are young and quick learning; they are used to the internet, SMS and messages which are short and to the point. This new “techno generation” is not used to concentrating on long-winded programmes and does not want to read policies which are difficult to understand. They are also experts in multi-tasking; they are very often used to doing many things simultaneously and they prefer audio/video instead of information in textual format. Employees' poorly managed access to email and the web can introduce significant risks to any unsuspecting organisation, such as litigation, regulatory investigations as well as a tainted reputation. Awareness training can alert employees to the risks involved and help them to understand why there are rules in place governing the use of these important utilities.
To engage with busy people in the organisation, those responsible for delivering security awareness training must appreciate that straight to the point and targeted training using multimedia is a better way forward. Employees are all different with varying needs and attitudes. To be able to engage with them all and deliver the right message, it is important to deliver the training material in a variety of formats and take the time to ensure that future threats and cultural aspects and differences are all taken into consideration when planning an awareness programme.
Some important factors to take account of when planning awareness programmes:
Obtain management's support and commitment
Ensure continuous attention by providing ongoing training
Enhance entertainment level
Increase interaction
Quick deployment for faster response to threats or incidents
Pay more attention to young employees
Adjust awareness content to meet audience needs (targeted training)
Ulrich Seldeslachts
Mr. Ulrich Seldeslachts joined L-SEC late 2006 to support the organisation in its future
growth strategy. Prior to L-SEC, he started the European branch of Clearwire, the North-
American WiMAX operator, founded by Craig McCaw. Ulrich was responsible for the
development of 7 broadband wireless operations throughout Europe. He has a broad
experience in business and corporate development and company innovation. Between
1998 and 2003, he led the Venture Capital company of the Belgian incumbent telecoms
operator. He aims to use his experiences to solidify the further growth of Information
Security business throughout Europe.
L-SEC in Belgium – How Leaders in Security help in raising security awareness
L-SEC is a Flemish non-profit organization, supported by the IWT, which has offered support to the Belgian information security sector in Belgium and abroad since 2002. An expertise centre, L-SEC ensures that both large companies and SMEs in Belgium have an edge in terms of technological know-how through knowledge exchange and co-operation.
During the course of our work and research in the area of security awareness we can be
inspired and inspiring in our search for new and innovative ways to heighten awareness
within organizations. However, Ulrich Seldeslachts, from L-SEC, took us back to the basic
background scene in June by presenting the findings of research which was gathered in a
series of qualitative interviews held with 1/3 of the companies (152 in total) visiting the
SME inspiration days, over a period of 3 days, in a trade show setting, organized by the
Flemish SME association Unizo, together with KMO-IT. The majority of those who
participated were micro-enterprises, from a diversity of activities including transport,
retail, engineering, services, education and ICT.
The highlights of their research included:
There were indications that in over 75% of the Flemish SMEs, it is not the IT manager, but the managing director, often the owner of the company, who controls the computer security of the company.
Most MDs readily admit that their knowledge and expertise in this domain is largely insufficient.
While four out of five Flemish SMEs questioned would like to improve their level of information security, only four percent know how to go about it.
MDs lack the time to develop the required background knowledge or the expertise necessary to organize the security of their information systems. As they are the ones taking crucial decisions on IT and information management, they require clear, comprehensive, ready-to-use information to start quickly.
The majority indicate that their level of protection is about 60 to 80% sufficient. This is probably optimistic, since most of the SMEs indicate only having a firewall and antivirus software to protect them.
About 77% of the participants indicated that they would like to do something about their level of security in the next 18 to 24 months. Only 4% knew how to manage this.
Of the participants, about 37% acknowledged that they have to comply with regulations such as accounting, privacy, data protection and others. About 40% were convinced that they don't have to comply with any regulations.
Nearly 70% have never done any form of risk analysis on information
management.
At least 40% did not appear to have a proper information security management
process in place.
Few of the findings are surprising, especially amongst the SME sector. However, when many feel that real strides are being made in raising awareness of the need for secure business practice, it is disappointing perhaps to find that there are so many businesses that still don't have even the most basic idea of what might be required or how to source the help they need.
More information about L-SEC and their activities, can be found at their website: www.lsec.be
Daniel J. Blander
Mr. Daniel Blander is President of Information Risk Management consulting business
Techtonica, and co-owner of the Security Awareness company InfoSecurityLab. His twenty
years of experience in IT and Information Security includes the development of world-wide
security and risk management organizations and programs for companies in the financial,
technology, healthcare, retail, manufacturing, telecom, airline, and service sectors. In
addition to being a certified CISM and CISSP, Daniel was nominated as 2008 Information
Security Executive of the Year for the West. He also lectures around the world on trends
in risk management and security governance.
Emerging Trends in Security Governance: Making Security a Business Success
In his second talk of the year Daniel looks at the problem of Security governance and how the profile of security within an organisation can be raised and made more positive.
A key problem with the perception of security in most organisations is that it is driven, often with the “help” of the media, by the fear of vulnerability to security attack and loss. Daniel strongly makes the point that trying to sell the security awareness message using the FUD approach (Fear, Uncertainty and Doubt) is ineffective as this, again, concentrates on vulnerability rather than working to understand and manage risk. A key to this is to develop respect and support from management within the organisation. Without this, any initiatives are likely to be met with an attitude of reluctance or even resistance.
Daniel recalled that he often finds that clients are looking for specific “fixes” to deal with compliance needs or post-incident reviews. To take this piecemeal approach is to treat security as an optional extra, rather than to understand its place in the overall culture of the business.
The solution is found in the creation of a shared governance function – a Security Steering Committee. This means that the stakeholders in security then come from all across the organisation, from departments such as HR and legal as well as finance and even sales and marketing. If the word “governance” has overtones of “compliance” and “audit” and other formal directive based activity, the Security Steering Committee instead provides a forum for discussions. The discussions, however, should not be about IT issues or technical attacks. They should be about risks in each business area, and how Risk Management (and overall Security) can help or hinder the business.
Figure 5: The Security Steering Committee
When setting up the team, here are some pointers to success:
Have clear goals
Aligned with business goals
Make the meeting meaningful with take away info and tasks.
Make subject matter relevant.
Do not let one area grab all the focus
Risk across all business areas.
Risk of all types
IT efficiency is often achieved through techniques such as ITIL and process improvement. What can be missed is that the same consistency also begets a level of security. Is it perfect security? No, but it creates a simple, basic framework to build on. We need to seize this opportunity. Show IT and the business that this consistency is a way to save money. Show that secure systems are not only safer from being broken into (and thereby made unavailable), but that the nature of a standard configuration leads to easier-to-support systems, consistent builds, and better efficiency and availability in support of cost efficiency.
Just reach into your ITIL toolkit and you should be able to find the arguments to win this case. Daniel explained that he had shown several companies that, after they created standard configurations and measured compliance with them, support cases dropped and availability went up. His overall message for the steering group is to think of security as being for the company; not about IT, but about business risks.
In conclusion, he provided some food for thought:
It is not security for IT, it is security for protecting the company
Security is not the end, it is a process contained in larger processes
Reach out to the business, be part of the business
Decentralize Enforcement (means savings + shared responsibility)
How do you lead to achieve this?
Have a New Attitude
NO FUD
Put your business hat on!
Think of good business practices that reflect security
Think of business opportunities
Be a Team Player - Include everyone on the team
Figure 6: Decentralize Enforcement
Daniele Vitali
Mr. Daniele Vitali is a Senior Security Consultant at Spike Reply in Milan, Italy. As an
experienced Security Consultant, he has been working for large multinational and medium
sized companies as well as Public Agencies. His expertise encompasses Enterprise Security
Governance, Enterprise & Consumer Social Networks Security, Mobile Security, Social
Engineering and Web 2.0 Security.
Business Case: How to persuade Business of the importance of security in a media company
Background
Daniele presented a Business Case on an awareness raising activity with Matrix S.p.A., an
Italian company that operates in the area of web 2.0 technologies. In this company, Web
2.0 applications and services - such as Social Networks - are not only actively used but
also designed, developed, provided to customers and maintained. One service stands out
among all other services and that is the Virgilio portal (www.virgilio.it). This is the main
Italian based web information provider and social network.
Business case
Modern thinking on security awareness asserts that awareness needs to be pervasive through the workplace, with responsibility on the desk of every member of staff. This sounds straightforward, but in practice can be a huge task with no clear approach. Massimiliano Iannicelli at Matrix, with the help of Daniele Vitali and Security Reply, has devised such a strategy. Together, they developed an innovative approach, which they call the Total Security Awareness Immersion paradigm. The key aim of the approach is to ensure that “End users must be the promoter of their own security and help improve the global company security status”, which means that responsibility is not just with end users and not just with senior management. All have a role to play. The approach is built on three pillars:
Involvement in core business processes
Role modelling
Bottom-up approaches
Figure 7: Total Security Awareness Immersion
In what, to some, might be a surprising move, they move away from almost all standard security awareness training approaches. Formal class training is felt to be an ineffective investment of time, printed materials are generally felt to be not worth the time and effort required in producing and packaging them, and “fancy e-learning tools” are regarded as unnecessary, as information is cascaded through a few people at a time, so there is no need to try and reach large numbers of staff at the same time.
The approach taken is for security awareness dissemination to become a routine part of regular meetings, taking up just about 10 minutes on a standard agenda. However, the skill is in focusing the information in such a way that it is appropriate to the needs of that meeting. This means that it enhances the overall purpose, rather than just adding to the general information 'noise' of the event. Security staff are involved in every phase of the product development lifecycle, from Brainstorming to Deployment and Maintenance. They take 10 minutes to explain some security issues or solutions during every meeting, covering a security topic strictly related to the meeting objective.
As Daniele expressed it: “being involved systematically in business processes we realised that the Trojan horse for really reaching all people in the company were daily meetings”.
After a year the following results were observed:
The security team had provided security awareness training during daily activities on more than 250 occasions
The security team was spontaneously called in to resolve issues and to study potential security problems in more depth. They observed a growing attention to security and therefore an improved security culture among the company's employees.
The approach appeared to be pervasive in all security activities.
The approach also seemed to generate few overheads (either in time or resources).
It seemed attention on security was always high because of the focus on business
topics.
As a result of the successful pilot the team are further developing the model, working on improving measurement (KPIs) and finding new formats to incorporate the Total Security Awareness Immersion approach into the company's culture.
Johannes Wiele
Johannes Wiele is Senior Executive Consultant with Defense AG in Germany. After having studied philosophy and political science at the University of Münster he stepped into the IT business world and specialized in IT security and data protection.
Human Factor Risk Assessment
“Human Factor Risk Assessment” (HFRA) can be described as an information security risk assessment focused on risks resulting from human behaviour, attitude, lack of knowledge or lack of abilities. HFRA can be used as the first part of a full-scale awareness campaign, and it also has a role in simply checking whether an organization needs to step into human factor security measures. Sometimes, HFRA may also show that technical measures have to be improved; one might expect to find that sort of situation where the business applications of a company foster inadequate information handling rather than good secure practices. It could be said, therefore, that HFRA is a part of a comprehensive modern security approach. This is illustrated by the bar in yellow in figure 8.
A typical HFRA project tries to answer a series of questions exploring man-machine
interaction and communication practices within an organisation:
Who uses what kind of data? In which environment? Using what kind of devices?
Do business processes and policies support security and privacy minded behaviour?
What do employees think about security and privacy? What do they know?
What's the attitude of employees towards security and privacy?
Are they effectively trained?
Analyzing the answers to these questions allows organisations to understand and assess human factors before stepping into a costly awareness and empowerment campaign. The results facilitate internal discussions of human factor topics, and HFRA can be used to measure the effects of an awareness campaign by gathering this information before, during and after the execution of the campaign. HFRA methodology is mainly based on tools of technical risk assessments, social psychology and market research, for example:
Observation
Penetration tests using social engineering methods
Network forensics
On- and offline questionnaires
Focus groups
Critical Incident Technique (Flanagan) to find and define critical situations in information handling
Culture checks to identify risks resulting from social or local cultural frameworks
Figure 8: HFRA as part of a Security Management approach
As this set of methods tends to raise employee privacy problems, HFRA results generally have to be strictly anonymized. HFRA must not be used as a performance measurement tool, as this causes fear and dishonest answers among the staff members questioned during the project. Independent, trusted researchers get better results than internal specialists.
Every human factor risk assessment should be executed with the assumption that it is not
individuals themselves who are a risk to an organization, but their behaviour, lack of
knowledge and capabilities. The key point is that all of these factors can be improved.
Joao Moita
Mr. Joao Moita, Manager, Enterprise Risk Services - Security & Privacy, Deloitte & Associados, Portugal. He started as a software developer and after taking an MSc in Information Security, he moved on to the IT security field. He is particularly interested in mechanisms that effectively protect "information" along its life-cycle and in new security and technological trends that make security work for the business. His specialties comprise biometrics, PKI, ISO 2700x and other security standards.
The role of security in the new e-World
The role of the virtual world is now woven into the way that many in the western world operate both their business and personal lives. Challenges include mobile working, straightforward communication across a range of media, shopping online and even conducting social relationships through social networking sites. The all-pervasive nature of the internet requires well thought through methodologies that allow for the range of flexibility of application that will be required. It was just such a methodology that Joao spoke about in November 2009.
The basic methodology can be illustrated in the following diagram and will be explained
with reference to a project called “Protecting our Client Value” which was run with the
client, a government-owned institute responsible for managing the IT operations for a
Portuguese Ministry.
It is worth noting that the client base was, in effect, the citizenry of Portugal so in excess
of 10 million users with a wide range of knowledge and experience of using the internet
and with a significant geographical spread.
1. Know your Data
In the first instance, information needed to be gathered with regard to the physical location of data, the data owners, the classification of the data and any legal requisites that would need to be addressed in the project.
2. Protecting Client Value
In this instance this focused on the classification of data dependent on the level of confidentiality of the data to all stakeholders.
3. Know your Channels
The business processes were examined in order to determine the flows of data. This stage
also considered where data was at rest and in use.
4. Implement and monitor controls
This stage, as you might expect, concerned the defining, designing and implementation of security policies to deal with issues identified in a risk review. This included training and other awareness raising activities, the implementation of a formal classification process and the identification and implementation of the technologies that could, or should, be implemented in order to increase the level of security.
5. Sustain and create capabilities
This required the creation and implementation of an incident response team as well as the
definition and implementation of a technological risk management process.
Kathrin Prantner
Ms. Kathrin Prantner is co-founder and Executive Director of E-SEC Information Security Solutions GmbH, based in Salzburg, Austria.
E-SEC Virtual Training
The second presentation in November was entirely different in that it enabled forum
members to see the use of software to bring security awareness to the desk of every
member of staff in a way that is more effective than the standard reading and
comprehension format.
Educators and psychologists have known for a long time that reading and non-reactive
listening are the least effective way to transmit knowledge, and yet these are the very
tools that are most commonly found in the toolbox of the person tasked with raising the
security awareness in a business. Kathrin Prantner, Managing Director and Co-Founder of
E-SEC Information Security Solutions allowed us to have an insight into the way that the
virtual world and gaming approach can give staff a more realistic experience of security
issues.
Kathrin was keen to point out that the package does not treat all users as essentially
facing the same, or similar, challenges. At the basic level there are different courses for
those in the public and private sector as well as other differentiators such as the area of
business, such as healthcare. The unusual aspect of this approach is that the staff member
will feel much like a player in an interactive game in that they move around rooms and
carry out the tasks and solve the problems placed before them. In the illustration below
the user, or player in their minds, has to find a way past the reception gateway. Here, at
the Reception Area the user gets access to the Awareness Lessons “Visitors” and “Attack
via Telephone”.
Figure 9: Snapshot 1 from E-SEC Virtual Training
Just a quick experience of this approach gives insight into how this might raise awareness
of security in the environment. However, the same approach can also be used to
demonstrate what important, but basically administrative, tasks are.
Figure 10: Snapshot 2 from E-SEC Virtual Training
In the task depicted above, the player looks at the sort of documents they would be used to dealing with and sorts them into the different levels of care and security they are going to need, in a way that gives the user practical experience.
Experience is a powerful learning tool; the problem is that it takes time and investment to give staff enough experience to raise not only their knowledge and awareness of security issues, but also their experience in dealing with them. This software takes one approach to that problem and tries to bring the information in an experiential way to all staff, not just those who have a good level of literacy and traditional learning skill. Kathrin claims that clients find the package fun, which makes it more likely they will learn the lessons.
Not all forum members will be in the market for this type of package, but it is always helpful to see new, innovative ideas and hear how they work in practice. It can stimulate ideas and new approaches that keep security awareness a process that is constantly evolving.