
Page 1: Compilation - Europa

December 09

The AR Conference Calls 2009

Compilation

About ENISA

The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is a centre of excellence for the European Member States and European institutions in network and information security, giving advice and recommendations and acting as a switchboard of information for good practices. Moreover, the agency facilitates contacts between the European institutions, the Member States and private business and industry actors.

Contact details

For contacting ENISA or for general enquiries on information security awareness raising matters please use the following details:

E-mail: [email protected]

Internet: http://www.enisa.europa.eu

Legal notice

Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be an action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004. This publication does not necessarily represent state-of-the-art and it might be updated from time to time.

Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication.

This publication is intended for educational and information purposes only. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication.

Reproduction is authorised provided the source is acknowledged.

© European Network and Information Security Agency (ENISA), 2009

Contents

Preface
  About this report
  About the AR Conference Calls
  Acknowledgments

Presentations
  Overview
  Claire Vishik: New Security & Privacy Risks: Cost of Innovation
  Daniel J. Blander: How to promote security awareness in your company
  Florence Mottay: Good practice in assessing and mitigating risks of software development outsourcing
  Shirley Atkinson: Peer education and Internet Safety
  Lucas Cardholm: New marketing opportunities in Privacy: European Privacy Seal
  Andrea Simmons: Tackling the barriers to achieving Best Practice in Information Assurance
  Sissel Thomassen: An Awareness Threat Horizon: Future Threats and Cultural Aspects
  Ulrich Seldeslachts: L-SEC in Belgium – How Leaders in Security help in raising security awareness
  Daniel J. Blander: Emerging Trends in Security Governance: Making Security a Business Success
  Daniele Vitali: Business Case: How to persuade Business of the importance of security in a media company
  Johannes Wiele: Human Factor Risk Assessment
  Joao Moita: The role of security in the new e-World
  Kathrin Prantner: E-SEC Virtual Training

Preface

About this report

This compilation consists of summaries of the presentations given in the AR Conference Calls (the Conf Calls) 2009. The purpose of this compilation is to share the content and outcome of the Conf Calls with the members of the AR Community as well as with the general public.

About the AR Conference Calls

The Conf Calls were launched in spring 2007 and during that year six Calls were organised. The 2008 Work Programme included among other things the task to build a "cooperation platform", which was then named the AR Community. In addition, from 2008 the Conf Calls were formally established as a means to facilitate discussions and exchange of good practices.

In 2008, nine Conf Calls were organised; one each month with the exception of July, August and December. As in the previous year, two speakers presented on each occasion. The calls covered a wide range of topics, from how to raise security awareness through e-Learning to briefings on the awareness level among the general public gathered through surveys. The Conf Calls continued in 2009 and have been appreciated by many members. By offering the AR Community members a place for the interchange of ideas and the sharing of knowledge and experiences between members, the Conf Calls have contributed to the building of the AR Community.

Acknowledgments

The moderator of the 2009 Conf Calls, Mr. Kjell Kalmelid, Expert Awareness Raising, wishes to acknowledge and warmly thank all members of the AR Community who have presented in this year's Conf Calls.

Ms. Claire Vishik
Mr. Daniel J. Blander
Ms. Florence Mottay
Mrs. Shirley Atkinson
Mr. Lucas Cardholm
Ms. Andrea Simmons
Ms. Sissel Thomassen
Mr. Ulrich Seldeslachts
Mr. Daniele Vitali
Mr. Johannes Wiele

A special thanks to the AR Community member Wendy Goucher for her valuable comments and feedback and for her invaluable help in editing a large part of this compilation.

Presentations

Overview

In 2009, the AR Conf Calls were held eight times with 13 speakers.

| Month | Speaker | Topic |
|---|---|---|
| February | Claire Vishik, Intel | "New Security Risks: Price of Technology Innovation" |
| March | Daniel J. Blander, InfoSecurityLab, Inc. | "How to promote Security Awareness inside your company" |
| April | Florence Mottay, Security Innovation | "Good practice in assessing and mitigating risks of software development outsourcing" |
| April | Shirley Atkinson, Plymouth University | "Peer education and Internet Safety in Plymouth" |
| May | Lucas Cardholm, Ernst & Young | "New Market Opportunities in Privacy: European Privacy Seal" |
| May | Andrea Simmons, Simmons Professional Services Ltd. | "Tackling the barriers to achieving Best Practice in Information Assurance" |
| June | Sissel Thomassen, InfoSecure | "An Awareness Threat Horizon: Future Threats and Cultural Aspects" |
| June | Ulrich Seldeslachts, L-SEC | "L-SEC in Belgium: How Leaders in Security help in raising security awareness" |
| September | Daniel J. Blander, InfoSecurityLab, Inc. | "Emerging Trends in Security Governance: Making Security a Business Success" |
| October | Daniele Vitali, Spike Reply | "Business Case: How to persuade Business of the importance of security in a media company" |
| October | Johannes Wiele, Defense AG | "Human Factor Risk Assessment" |
| November | Joao Moita, Deloitte & Associados | "The role of security in the new e-World" |
| November | Kathrin Prantner, E-SEC Information Security Solutions GmbH | "E-SEC Virtual Training" |

Claire Vishik

Dr. Claire Vishik works with Intel Corporation UK. Her work focuses on hardware security, trusted computing, privacy enhancing technologies, some aspects of encryption and related policy issues. She is active in standards development and is on the Board of Directors of TCG, the Trusted Computing Group. She received her PhD from the University of Texas at Austin. Prior to joining Intel, Claire worked at Schlumberger Laboratory for Computer Science and AT&T Laboratories studying security and other aspects of Internet technologies.

New Security & Privacy Risks: Cost of Innovation

Excellent progress was made in the last 10 years in increasing security assurance in ICT products and services through improving the technology development process, dissemination of information about vulnerabilities, and techniques to mitigate the risks from malware and breaches. But we need to admit that new security risks are one of the prices we have to pay for technology innovation, because it is impossible, even with the best models, to anticipate all the risks associated with broad deployment of new technologies.

The talk addresses some aspects of the connection between technology innovation and new security risks. Starting with a brief study of this relationship, the lecture moves on to the "weaker points" for security in today's dynamic environments, where a good proportion of technology components undergo significant changes or replacement over shorter and shorter cycles, currently 18 months to 3 years. Some of the security imbalance lies in the fact that various components of the ecosystem are not uniformly protected: this lack of uniformity concerns endpoints, networks, and software applications (see Figure 1 below).

Figure 1: Different Levels of Security Assurance across the Ecosystem

The risk points are not due only to weaknesses in single domains, but can emerge from the interaction of multiple domains (e.g. mobile telephones and PCs). But they also appear in new applications, sometimes not connected to security or communications, such as known attacks on improved power management tools on newer PCs. The talk studies other imbalances, such as the disconnection between the distribution of attacks (95% appear to be against home PCs) and the focus of security efforts (organizations rather than consumers).

In order to illustrate the complex composition and nature of the new threats, the talk analyses information from 50+ different studies and forecasts and concludes with a summary of innovative technologies where risks appear to be focused and activities that can help alleviate these risks.

Daniel J. Blander

Mr. Daniel Blander is President of the Information Risk Management consulting business Techtonica and co-owner of the Security Awareness company InfoSecurityLab. His twenty years of experience in IT and Information Security includes the development of world-wide security and risk management organizations and programs for companies in the financial, technology, healthcare, retail, manufacturing, telecom, airline, and service sectors. In addition to being a certified CISM and CISSP, Daniel was nominated as 2008 Information Security Executive of the Year for the West. He also lectures around the world on trends in risk management and security governance.

How to promote security awareness in your company

Those of us who work with, and are passionate about, security awareness know its value to business. We understand its potential to positively affect overall operational effectiveness as well as the possibility of promoting internal cooperation. Indeed, there are so many good reasons for making intelligent investment in awareness that finding real-world organizations remarkably resistant can be difficult to understand, and then to overcome.

In his first talk of the year, Daniel Blander of InfoSecurityLab tackled the problem of promoting security awareness head on, with the aim of demonstrating that Security Awareness should be an important part of the Information Security Management System of an organization. Daniel defines security awareness as "the process of making people aware of the risks to the things they value, and how they can safeguard against those risks" and starts from the position of what is understood about security and about the need for awareness within the organisation. This equates nicely with the educationally sound theory that good persuasion should be about moving from known concepts and ideas towards new ones.

Interestingly, Daniel identifies self-inflicted problems, such as the belief by management that staff are not interested in security and would not pay attention, so that the investment cannot be justified in ROI terms, alongside more standard inhibitors such as concerns about the cost of awareness programs and the amount of time that would need to be taken out of the operational week for staff to take in the awareness message. It is this projection of the attitude of staff that is the backbone of the method that Daniel uses. He needs not only to deal with the issues, but with the perception of how the message will be delivered and received, both by internal and external customers.

The start of his campaign of persuasion uses quotes from other sources, including Kevin Mitnick, who is famous enough that the name will have some resonance. Mitnick says, in his book "The Art of Deception":

"There is only one way to keep your product plans safe and that is by having a trained, aware, and a conscientious workforce. This involves training on the policies and procedures, but also – and probably even more important – an ongoing awareness program."

When setting out the appropriate approach, a first step can often be to confront the standard approach, in this case the 'FUD' approach, which seeks to undermine the current beliefs and operations in an effort to make the customer look to external help, in the form of security awareness training. The problem with that approach is that it has the panicking customer look for a short-term life-line, rather than swimming lessons and an understanding of what sort of waters are safe to swim in. However, as Daniel argues, fear, uncertainty and doubt are not about awareness, they are about reaction. The best approach is more about a medium- to long-term change to organisational culture, which means that it has to focus on behavioural change on the part of all staff, and in all situations.

The 4 steps to this approach are:

1. Make it relevant - because people must feel that the information is relevant to their home and work life.
2. Empower staff - because people must feel that security is about working with them in their operations, not just against them.
3. Make it easy to understand - if the message is not clear then it will be ignored.
4. Make it fun - because laughter and amusement are the super glue that makes information stick significantly better. Boredom, on the other hand, is information coated in Teflon.

The key is to choose techniques for putting across the security awareness message that work with the organisation's culture and confront concerns such as cost, time and retaining the interest of staff. Some of the techniques discussed included the use of e-mail, web portals, e-learning and 'Lunch and Learn' sessions, where staff are given insight into data security issues that affect them personally, such as home shopping.

Florence Mottay

Ms. Florence Mottay is a seasoned Business Manager and adept Security Expert. As Managing Director of Security Innovation, she is responsible for the long-term growth, stability, market leadership, and client satisfaction of the company's EMEA operations. Leveraging her pervasive technical and operational experience, Ms. Mottay often serves as a primary point of contact with customers, where she assesses their principal security concerns and ensures the Product and Services teams devise an operative plan designed to meet and exceed their stated objectives.

Good practice in assessing and mitigating risks of software development outsourcing

Over the years, managing software security risks has proven to be an arduous task, especially when the development process is partially outsourced. Implementing a general software security initiative is the first step towards effectively mitigating the software security risks associated with outsourcing software. This presentation will focus on the key role of a security framework within such an initiative, and how it relates to the specific business drivers for software security.

Operational risk is a very broad concept and includes, amongst others, physical, environmental and technical risks. Management of the technical risk can be achieved through identification of risks and smart implementation of controls. One key aspect of technical risk management is software security, which is present in one way or another in all related security areas, the most obvious being Access Control, System Development and Maintenance, and Logging and Monitoring.

When development is outsourced, the most troublesome areas are System Development and Maintenance. Although outsourcing is an effective method to reduce costs, it also entails the loss of control over the outsourced software. Security is just one of the challenges related to outsourcing and currently does not have a high priority. Communication issues, delays and quality issues supersede the importance of security issues for the moment, but as processes mature, focus will inevitably shift to quality in terms of security. In the meantime, focus should be on selecting the right outsourcing partner for our needs, but gauging the security awareness of a potential partner prior to actual cooperation and putting the right controls in place to mitigate critical risks can be challenging.

The set of controls at our disposal is fairly well known and includes all controls that span the Software Development Life Cycle (SDLC), from the requirements to the deployment phase. They have all proven to be useful: full code reviews and penetration tests on all software received significantly reduce the risks. However, these services are both time consuming and expensive and therefore cannot be considered as a standard solution for every project. Education is another interesting control commonly used to mitigate software security risks. However, training all outsourcing partners would again be too expensive and offers too little return on investment.

In each case, the appropriateness of each control has to be determined. The security checklist or framework consists of a system that will aid in evaluating the controls and help reach the right balance between costs and security.

In risk management terms, the mitigation costs should not exceed the cost of possible security breaches. Public security breaches may cost millions of dollars in direct losses. However, we tend to focus on the immediate costs while the soft costs are often forgotten. It may be difficult to determine the exact costs of protecting reputation and restoring customer trust, but they often amount to more than the loss caused by the actual breach.

In addition to limiting financial consequences, resistant software protects your brand reputation and enables you to comply with standards. It is also less expensive to maintain. Fixing a security bug during the design phase is 100 times less expensive than fixing it during the production phase. Reducing the occurrence of software vulnerabilities helps you minimize costs. However, reducing the number of vulnerabilities is not an easy task, as attackers have a real advantage: they outnumber the developers in any given team and they have all the time they need to uncover vulnerabilities. In general, outsourcing causes the loss of control over the confidentiality and integrity of your code. On top of that, the controls of outsourcing partners might be weaker and you have less control over the staff, and therefore you cannot properly evaluate the risk of insider threats.

To mitigate these risks, service level agreements are starting to include specific software security requirements. These SLAs either contain quality statements such as 'software needs to be secure' or require the implementation of a specific bug bar, such as a predefined maximum number of vulnerabilities revealed by a code scanner. These requirements are a good start, but they are still too vague and sometimes hard or even impossible to apply. The concept of a bug bar is very interesting, but should also be highly dependent on the application. An external application dealing with critical assets deserves more scrutiny than an internal application used for informational purposes only.
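As an added illustration of an application-dependent bug bar (example code written for this compilation, not part of the presentation or of Security Innovation's material), the following Python applies scanner findings against a threshold table that is stricter for an external application handling critical assets than for an internal informational one. The one-finding-per-line scanner format, the tier names, the thresholds and the sample findings are all constructed assumptions for the example.

```python
"""Criticality-dependent bug bar check over code-scanner findings.

Added illustration; not code from the presentation or from Security
Innovation. The finding format, the tier names and the thresholds
below are constructed assumptions for the example.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low")

# Assumed bug bar per application tier: the maximum number of open
# findings tolerated at each severity before a delivery is rejected.
# None means "no limit at this severity". The external tier handling
# critical assets gets the strictest bar, the internal informational
# application the most lenient, as the presentation argues.
BUG_BARS = {
    "external-critical": {"critical": 0, "high": 0, "medium": 5, "low": 20},
    "internal-business": {"critical": 0, "high": 2, "medium": 15, "low": None},
    "internal-informational": {"critical": 0, "high": 5, "medium": None, "low": None},
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int


def parse_findings(lines):
    """Parse the constructed scanner format: 'severity rule_id path:line'.

    Blank lines and '#' comments are skipped; an unknown severity is an
    error rather than silently treated as low, so a scanner format change
    cannot quietly weaken the bar.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        severity, rule_id, location = raw.split(maxsplit=2)
        severity = severity.lower()
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r} in {raw!r}")
        path, _, line = location.rpartition(":")
        findings.append(Finding(rule_id, severity, path, int(line)))
    return findings


def evaluate_bug_bar(findings, tier):
    """Return (passed, counts, violations) for the given application tier.

    violations maps each severity that exceeds its limit to (count, limit),
    which is what a reviewer needs when rejecting an outsourced delivery.
    """
    bar = BUG_BARS[tier]  # KeyError for a tier the policy does not know
    counts = Counter(f.severity for f in findings)
    violations = {
        sev: (counts[sev], limit)
        for sev, limit in bar.items()
        if limit is not None and counts[sev] > limit
    }
    return (not violations, dict(counts), violations)


# Constructed scanner output for the example (not real findings).
SAMPLE_SCAN = """
# severity  rule      location
high        SQLI-001  src/orders/search.py:42
medium      XSS-003   src/web/templates.py:17
medium      XSS-003   src/web/render.py:88
low         LOG-010   src/util/log.py:5
""".splitlines()


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_SCAN)
    for tier in BUG_BARS:
        passed, counts, violations = evaluate_bug_bar(findings, tier)
        print(f"{tier:24} {'PASS' if passed else 'FAIL'} {counts} {violations}")
```

The same four findings fail the external-critical bar on the single high-severity finding but pass both internal tiers, which is the point of the passage: the number alone does not decide, the application's exposure does. In an SLA the tier assignment and the threshold table would be agreed with the partner up front so that the check is reproducible on both sides.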

The safest approach to mitigate software security risks is to put a security initiative in place. A security initiative is composed of different controls. Some are specific to a certain phase of the SDLC; others are at a more global level, such as a security framework, but each is effective in its particular context. Design requirements bring good value but are usually more suitable for large systems. Code review and penetration tests are highly effective but also very costly and should consequently be used for critical applications only. Education, as briefly mentioned earlier, can only be used efficiently within internal development teams or within the context of long-term outsourcing agreements.

Figure 2: Example Framework

Using a security framework is relatively cheap and it can be used for all types of applications and systems. Although it is more complex and will differ depending on the organization, it effectively combines all controls available to reach the perfect balance between cost and security and can be used as a 'security contract' with an outsourcing partner. Furthermore, when a security framework is in place, security trends such as new vulnerability types, new best practices and security lists can easily be integrated in the existing framework. We live in an information-overloaded world and security frameworks offer a first glimpse of clarity: they help integrate all pieces of the complex software security puzzle.

Shirley Atkinson

Dr. Shirley Atkinson is an associate lecturer at the University of Plymouth. She has been researching the effects of internet technologies on young people for the last five years and has recently completed a UK Government funded project setting up peer ambassadors supporting safe online behaviours in schools. In addition to her research work, she is involved in delivering programming tuition to different levels at the University and leads a team of volunteers in running a cooperative children's youth group.

Peer education and Internet Safety

This presentation gave an outline of the peer education project recently completed here at the University of Plymouth.

An assumption made is that a key element of information security is the need to encourage safe online behaviours. Peer education was considered as a mechanism for encouraging awareness of risks and distributing the knowledge of individual self-protection. However, by concentrating on risks there is the potential to create a culture of fear whereby activity is stifled because of the unbounded nature of the risk - nobody feels safe, and that state of mind influences perception. Here in the UK the media help to perpetuate that culture of fear, dwelling heavily on the negatives.

When considering the realm of young people, they see dwelling on risk as irrelevant to them: somebody else will suffer, and perhaps they need to protect others. They don't see that their own actions are putting them in danger. To counteract this, Peer Education has been proposed as a potential solution, with the aim that young people influence others around them. But there are barriers. The effectiveness of peer education has been difficult to measure. Concerns arise about protecting young people against the effects of cyberbullying, and one key concern was a disclosure of abuse and how to deal with it. Culture and context play a key role; not all environments are suited to allowing peer education activities.

The University of Plymouth was awarded one year's funding by BECTA - the British Educational Communications and Technology Agency - to provide a complement to existing awareness raising workshops. The aim was to create and evaluate a peer-led internet safety programme aimed at 14 to 16 year olds. 8 out of 15 schools in the local area participated, giving insight through focus groups into the opinions of 202 young people. They demonstrated a very good understanding of the issues, but their actual practice varied, revealing that current e-safety messages were not deemed relevant. 30 young people were invited to become e-Safety Ambassadors and they were key to raising awareness. Websites were a favoured approach, but one school had a display stand on a key parental involvement day. One of the schools attended a multi-agency conference on Safer Internet Day; another wrote a piece for the Children's BBC.

Figure 3: Example of engagement

Peer education was found to have no clear definition, and encompassed a number of methods of delivery which encouraged a diversity of engagement activities. The delivery of the awareness was found to be effective, but we were taking small steps. Engaging the peers to deliver these initiatives has to be realistic, not tokenistic, and it was certainly not automatically going to engage young people.

Lucas Cardholm

Mr. Lucas Cardholm, LL.M., MBA, Executive Director, Ernst & Young Sweden, is an IT lawyer specialised in operational risk management. He is an experienced global project manager working with cost benefit analyses, e-signatures, and privacy and encryption issues. Lucas is the author of several internationally published articles in this area.

New marketing opportunities in Privacy: European Privacy Seal

Lucas presented in the Conf Call in May. His presentation was an interesting piece on something which should go some way to helping organizations across Europe to achieve a good standard of security compliance, in a way that will be recognized across the EU. As business grows across Europe, and co-operation between organizations from widely different countries and cultures develops, it is important that there is an ongoing development of ways that can give a level of recognized security assurance within the EuroZone.

To this end, EuroPriSe has been devised, which is a transparent certification scheme for companies and authorities to confirm and communicate compliance with European Privacy Directives. All member states are covered by the standard and it has also achieved worldwide recognition.

"The way the EuroPriSe has been set up is promising. It is designed to be consistent across Europe, and it aims at showing business benefits. The seal should be on the radar of all companies dealing with personal data." (Gartner, 12 June 2008)

The objectives of the scheme are:

- To provide a certification scheme, based on a transparent and revisable procedure supervised by independent authorities or trustees.
- To provide uniform criteria based on the European Privacy Directives valid throughout the European Member States.
- A positive incentive to develop and deploy privacy compliant and privacy enhancing products and services on the market.

It seems that, although the scheme was only launched at the beginning of 2009, uptake is encouraging:

- There are already 70 experts in 10 countries, with around 100 in the pipeline. These come from a range of specialties including the law, technical (mainly CISSP/CISA or equivalent) and some who span both.
- As of May 2009, 6 seals had been awarded, including to Microsoft SPP (US), and more than 10 were in the process of undergoing certification. It is expected that by this time (the end of 2009) the number will have increased.

Target companies include those where privacy is vital (e.g. healthcare), regulated industries (e.g. the finance sector) and mature organizations who are familiar with the idea of internal control.

Andrea Simmons

Ms. Andrea Simmons is the Founder and Director of Simmons Professional Services Ltd. She is an experienced information assurance evangelist/business consultant and project manager with expertise in several disciplines. She has over 12 years of wide experience of the information security industry within both the public and private sector. Andrea is currently running her own consultancy business and works associatively with several public and private sector organisations. Andrea is a member of several prominent associations such as the Management Committee of IAAC and the BCS and is a founder member of the Institute of Information Security Professionals (IISP).

Tackling the barriers to achieving Best Practice in Information Assurance

Having completed a 50,000 report on "Achieving best practice in Public Sector Information Security" in November 2008, it seemed appropriate to investigate the possibility of converting this significant piece of work into a PhD submission. The content is particularly relevant and up to date, given the spate of data breaches that besmirched 2008.

So far, we have seen our industry mature from IT Security, through Information Security, to Information Assurance and we are now heading towards the broader view of Information Governance "in the round".

As an information governance expert consultant, the lion's share of my work has been undertaken in support of public sector information compliance related activities and I am keen to further explore the maturation of issues related to professionalism in the industry and achieving the culture change required in order to embed information security as a natural, "business as usual" activity. Doing so would aid the rebuilding of public trust and confidence that is so desperately required, balancing that in so doing strategies and solutions need to be implemented in a way that does not infringe the rights and freedoms of individuals.

Years of ISO27001 training and consultancy delivery lead one to know that if one is carrying out a thorough review of assets the list goes something like:

- people
- processes / services
- technology (software, applications)
- physical (buildings, equipment, hardware)
- data and information (could be electronic and paper)
- reputation, brand etc.

Figure 4: the Maturity process of Security


Information surely cannot be perceived to be "intangible"? You can see it, touch it, share it, use it, pass it on - lose it. A dictionary definition suggests that something intangible is hard to value - fair enough, I can accept that. Although at a recent round table discussion, what became clear was actually if you ask the opposite - i.e. what is the perceived "deprival value" then it gives people a clearer understanding of the implications of the potential value of the information in question. How would you value the information that Bob Quick had in his hand when he so inadvertently held it "unwrapped" as it were and all that thereafter ensued?[1] The Ponemon Institute issued research recently that put a value on the average laptop loss of $50,000 - that's arguably significantly more than the physical cost of the tangible asset. In the UK public sector, under the Security Policy Framework of the UK Cabinet Office, Senior Information Risk Owners should identify Information Asset Owners and I recently read a great piece of work by James F. Stevens of Carnegie Mellon University, which clarified that there is a clear differentiation between an Asset Owner and a Custodian.[2]

Either way, all of these roles should be actively engaged in identifying, classifying, labelling and protecting information assets. There are already Information Governance experts tackling a combination of information law agendas including Data Protection, Freedom of Information, Environmental Information Regulations and the Regulations on the Re-use of Public Sector Information – a number of which in some way or other require the collation of inventories of information assets. If all of this activity is being done, then valuing them should be added to it.

Future research work should look at how best to join up the current professionalism agendas and apply them to the continual delivery and improvement of information security within the public sector – in keeping with the Government’s post-Poynter review agenda of embedding Information Assurance for the greater good. Potentially the difficulty is that there is no differential knowledge in this area, but a lot of confusing mixtures of the concepts of information security, IT security, information assurance and information governance. Also, there is a need to review the impact of politics and culture on the shifting priorities that distract from embedding the “best practice” that should be inherent in all well performing organisations.

What is required is a determination to illuminate, for those who need to know, the potential impact on creating the right kind of culture and embedding of security awareness in terms of day to day living for all concerned in order to combine all these agendas. However, this needs to be done with a different attitude and approach, including the use of humour and humility – rather than authoritarian, dictatorial, negative policy edicts. We must embrace our Web 2.0 users and seek to future proof ourselves better rather than permanently fighting fires and appearing to always be playing “catch up”. All contributions to my intended research will be most welcome!

[1] Assistant Commissioner Bob Quick, Britain's most senior counter-terrorism officer, left his post after being photographed with a secret document on show when he arrived for a Downing Street briefing. http://news.bbc.co.uk/2/hi/uk_news/7991590.stm

[2] Stevens, James F. Information Asset Profiling (CMU/SEI-2005-TN-021). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2005. http://www.cert.org/archive/pdf/05tn021.pdf


Sissel Thomassen

Ms. Sissel Thomassen, InfoSecure Group, is an Information Security professional with more than 25 years’ experience within the Information Security arena. She worked 10 years for the Norwegian Defence, and has more than 8 years of Information Security knowledge from banking in the UK, where she was responsible for the training programme for Information Security Coordinators, information security policies, third party evaluations and security incident management. As a director for InfoSecure Group, she is responsible for the UK and Scandinavian operations. She has implemented Information Security awareness and training programmes world-wide for InfoSecure Group over the last 3 years.

An Awareness Threat Horizon: Future Threats and Cultural Aspects

Innovations in information technology have increased rapidly over the past few years and generated significant progress across many business sectors and industries in the way information is generated, stored, managed, distributed and archived. However, this innovation has also created opportunities for those seeking to intercept or corrupt valuable information and disrupt the flow of business, jeopardising all kinds of assets.

These external threats must be taken seriously and technical solutions can go a long way in preventing them. However, are we equally aware of the internal threats from the people who run our businesses? More effective solutions are needed to counter these threats and effective training must be provided to everybody working with valuable business information. As new threats emerge, new training material needs to be deployed.

The newspapers are constantly reporting information security incidents. Our reputation is at risk should we be the next organisation to experience a security incident. Once bulky IT equipment is shrinking, and we are more mobile, working away from our desks in less secure environments. Some of the future challenges to achieving successful security awareness in enterprises include lack of management commitment, new technology, a new generation work force and a remote work force.

No matter which technical solutions are implemented to reduce security risks, the people working with information will always remain the weakest link. For too long, organisations have relied on technical solutions to protect their infrastructure and data. It never seems too difficult to get a budget for new IT equipment, whilst obtaining resources for awareness programmes has proven somewhat more difficult. The importance of the human element must never be underestimated; with good technical protection in place, employees are more vulnerable to social engineering than before, as criminals have begun targeting people instead of systems.


Senior management’s approval and commitment is crucial for the success of an effective awareness programme, not only to ensure that the people on the floor follow the programme, but also to ensure that line management understand their importance as the ones who must encourage their staff and set aside time for them to undertake the training. Management’s commitment can be made visible in many ways, from including a written statement in training material to delivering a stronger message by using a management commitment film as part of the awareness training programme.

Target the awareness programme to staff’s job roles to ensure appropriate training. The training must be sufficiently detailed to prevent key messages getting lost. Make the programme fit the organisation’s culture by using language and formats that people understand. Multimedia has proven to be successful in demonstrating live examples of incidents and making the learning material more effective. Interactive elements are also popular for engaging with the audience in an e-Learning environment.

The new generation of employees are young and quick learning; they are used to the internet, SMS and messages which are short and to the point. This new “techno generation” are not used to concentrating on longwinded programmes and do not want to read policies which are difficult to understand. They are also experts in multi-tasking; they are very often used to doing many things simultaneously and they prefer audio/video to information in textual format. Employees’ poorly managed access to email and the web can introduce significant risks to any unsuspecting organisation, such as litigation, regulatory investigations as well as a tainted reputation. Awareness training can alert employees to the risks involved and help them to understand why there are rules in place governing the use of these important utilities.

To engage with busy people in the organisation, those responsible for delivering security awareness training must appreciate that straight to the point and targeted training using multimedia is a better way forward. Employees are all different, with varying needs and attitudes. To be able to engage with them all and deliver the right message, it is important to deliver the training material in a variety of formats and take the time to ensure that future threats and cultural aspects and differences are all taken into consideration when planning an awareness programme.

Some important factors to take account of when planning awareness programmes:

- Obtain management’s support and commitment
- Ensure continuous attention by providing ongoing training
- Enhance entertainment level
- Increase interaction
- Quick deployment for faster response to threats or incidents
- Pay more attention to young employees
- Adjust awareness content to meet audience needs (targeted training)


Ulrich Seldeslachts

Mr. Ulrich Seldeslachts joined L-SEC late 2006 to support the organisation in its future growth strategy. Prior to L-SEC, he started the European branch of Clearwire, the North-American WiMAX operator, founded by Craig McCaw. Ulrich was responsible for the development of 7 broadband wireless operations throughout Europe. He has a broad experience in business and corporate development and company innovation. Between 1998 and 2003, he led the Venture Capital company of the Belgian incumbent telecoms operator. He aims to use his experiences to solidify the further growth of Information Security business throughout Europe.

L-SEC in Belgium – How Leaders in Security help in raising security awareness

L-SEC is a Flemish non-profit organization, supported by the IWT, which has offered support to the Belgian information security sector in Belgium and abroad since 2002. An expertise centre, L-SEC ensures that both large companies and SMEs in Belgium have an edge in terms of technological know-how through knowledge exchange and co-operation.

During the course of our work and research in the area of security awareness we can be inspired and inspiring in our search for new and innovative ways to heighten awareness within organizations. However, Ulrich Seldeslachts, from L-SEC, took us back to the basic background scene in June by presenting the findings of research which was gathered in a series of qualitative interviews held with 1/3 of the companies (152 in total) visiting the SME inspiration days, over a period of 3 days, in a trade show setting, organized by the Flemish SME association Unizo, together with KMO-IT. The majority of those who participated were micro-enterprises, from a diversity of activities including transport, retail, engineering, services, education and ICT.

The highlights of their research included:

- There were indications that in over 75% of the Flemish SMEs, it’s not the IT manager but the managing director, often the owner of the company, who controls the computer security of the company.
- Most MDs readily admit that their knowledge and expertise in this domain is largely insufficient.
- While four out of five Flemish SMEs questioned would like to improve their level of information security, only four percent know how to go about it.
- MDs lack the time to develop the required background knowledge or the expertise necessary to organize the security of their information systems. As they are going over crucial decisions on IT and information management, they require clear, comprehensive, ready-to-eat information to start quickly.
- The majority indicate that their level of protection is about 60 to 80% sufficient. This is probably optimistic, since most of the SMEs indicate only having a firewall and antivirus software to protect them.
- About 77% of the participants indicated that they would like to do something about their level of security in the next 18 to 24 months. Only 4% knew how to manage this.


- Of the participants about 37% acknowledged that they have to comply with regulations such as accounting, privacy, data protection and others. About 40% were convinced that they don’t have to comply with any regulations.
- Nearly 70% have never done any form of risk analysis on information management.
- At least 40% did not appear to have a proper information security management process in place.

Few of the findings are surprising, especially amongst the SME sector. However, when many feel that real strides are being made in raising awareness of the need for secure business practice, it is perhaps disappointing to find that there are so many businesses that still don’t have even the most basic idea of what might be required or how to source the help they need.

More information about L-SEC and their activities can be found at their website: www.lsec.be


Daniel J. Blander

Mr. Daniel Blander is President of Information Risk Management consulting business Techtonica, and co-owner of the Security Awareness company InfoSecurityLab. His twenty years of experience in IT and Information Security includes the development of world-wide security and risk management organizations and programs for companies in the financial, technology, healthcare, retail, manufacturing, telecom, airline, and service sectors. In addition to being a certified CISM and CISSP, Daniel was nominated as 2008 Information Security Executive of the Year for the West. He also lectures around the world on trends in risk management and security governance.

Emerging Trends in Security Governance: Making Security a Business Success

In his second talk of the year Daniel looks at the problem of security governance and how the profile of security within an organisation can be raised and made more positive.

A key problem with the perception of security in most organisations is that it is driven, often with the “help” of the media, by the fear of vulnerability to security attack and loss. Daniel strongly makes the point that trying to sell the security awareness message using the FUD approach (Fear, Uncertainty and Doubt) is ineffective as this, again, concentrates on vulnerability rather than working to understand and manage risk. A key to this is to develop respect and support from management within the organisation. Without this, any initiatives are likely to be met with an attitude of reluctance or even resistance.

Daniel recalled that he often finds that clients are looking for specific “fixes” to deal with compliance needs or post-incident reviews. To take this piecemeal approach is to treat security as an additional extra, rather than to understand its place in the overall culture of the business.

The solution is found in the creation of a shared governance function – a Security Steering Committee. This means that the stakeholders in security then come from all across the organisation, from departments such as HR and legal as well as finance and even sales and marketing. If the word “governance” has overtones of “compliance” and “audit” and other formal directive based activity, the Security Steering Committee instead provides a forum for discussions. The discussions, however, should not be about IT issues or technical attacks. They should be about risks in each business area, and how Risk Management (and overall Security) can help or hinder the business.

Figure 5: The Security Steering Committee


When setting up the team, here are some pointers to success:

- Have clear goals
  - Aligned with business goals
- Make the meeting meaningful with take away info and tasks.
  - Make subject matter relevant.
- Do not let one area grab all the focus
  - Risk across all business areas.
  - Risk of all types

IT efficiency is often achieved through techniques such as ITIL and process improvement. What can be missed is that the same consistency also begets a level of security. Is it perfect security? No, but it creates a simple, basic framework to build on. We need to seize this opportunity. Show IT and the business that this consistency is a way to save money. Show that secure systems are not only safer from being broken into (and thereby made unavailable) but that the nature of a standard configuration leads to easier to support systems, consistent builds, and better efficiency and availability to support cost efficiency.

Just reach into your ITIL toolkit and you should be able to find the arguments to win this case. Daniel explained that he had shown to several companies that, after they created standard configurations and measured compliance to them, support cases dropped and availability went up. His overall message for the steering group is to think of security as being for the company; not about IT, but about business risks.

In conclusion, he provided some food for thought:

- It is not security for IT, it is security for protecting the company
- Security is not the end, it is a process contained in larger processes
- Reach out to the business, be part of the business
- Decentralize Enforcement (means savings + shared responsibility)

How do you lead to achieve this?

- Have a New Attitude
  - NO FUD
  - Put your business hat on!
- Think of good business practices that reflect security
- Think of business opportunities
- Be a Team Player - Include everyone on the team

Figure 6: Decentralize Enforcement


Daniele Vitali

Mr. Daniele Vitali is a Senior Security Consultant at Spike Reply in Milan, Italy. As an experienced Security Consultant, he has been working for large multinational and medium sized companies as well as Public Agencies. His expertise encompasses Enterprise Security Governance, Enterprise & Consumer Social Networks Security, Mobile Security, Social Engineering and Web 2.0 Security.

Business Case: How to persuade Business of the importance of security in a media company

Background

Daniele presented a Business Case on an awareness raising activity with Matrix S.p.A., an Italian company that operates in the area of web 2.0 technologies. In this company, Web 2.0 applications and services - such as Social Networks - are not only actively used but also designed, developed, provided to customers and maintained. One service stands out among all other services and that is the Virgilio portal (www.virgilio.it). This is the main Italian based web information provider and social network.

Business case

Modern thinking on security awareness asserts that awareness needs to be pervasive throughout the workplace, with responsibility on the desk of every member of staff. This sounds straightforward, but in practice can be a huge task with no clear approach. Massimiliano Iannicelli at Matrix, with the help of Daniele Vitali and Security Reply, has devised such a strategy. Together, they developed an innovative approach, which they call the Total Security Awareness Immersion paradigm. The key aim of the approach is to ensure that “End users must be the promoter of their own security and help improve the global company security status”, which means that responsibility is not just with end users and not just with senior management. All have a role to play. The approach is built on three pillars:

- Involvement in core business processes
- Role modelling
- Bottom-up approaches

Figure 7: Total Security Awareness Immersion


In what, to some, might be a surprising move, they move away from almost all standard security awareness training approaches. Formal class training is felt to be an ineffective investment of time, printed materials are generally felt to be not worth the time and effort required in producing and packaging them, and “fancy e-learning tools” are regarded as unnecessary as information is cascaded through a few people at a time, so there is no need to try and reach large numbers of staff at the same time.

The approach taken is for security awareness dissemination to become a routine part of regular meetings, taking up just about 10 minutes on a standard agenda. However, the skill is in focusing the information in such a way that it is appropriate to the needs of that meeting. This means that it enhances the overall purpose, rather than just adding to the general information ‘noise’ of the event. Security staff are involved in every phase of the product development lifecycle, from Brainstorming to Deployment and Maintenance. They take 10 minutes to explain some security issues or solutions during every meeting, covering a security topic strictly related to the meeting objective.

As Daniele expressed it: “being involved systematically in business processes we realised that the Trojan horse for really reaching all people in the company were daily meetings”.

After a year the following results were observed:

- The security team had provided security awareness training during daily activities on more than 250 occasions.
- The security team was spontaneously called in to resolve issues and to study potential security problems in more depth. They observed a growing attention to security and therefore an improved security culture among the company’s employees.
- The approach appeared to be pervasive in all security activities.
- The approach also seemed to generate few overheads (either in time or resources).
- It seemed attention on security was always high because of the focus on business topics.

As a result of the successful pilot the team are further developing the model, working on improving measurement (KPIs) and finding new formats to incorporate the Total Security Awareness Immersion approach into the company’s culture.


Johannes Wiele

Johannes Wiele is Senior Executive Consultant with Defense AG in Germany. After having studied philosophy and political science at the University of Münster he stepped into the IT business world and specialized in IT security and data protection.

Human Factor Risk Assessment

“Human Factor Risk Assessment” (HFRA) can be described as an information security risk assessment focused on risks resulting from human behaviour, attitude, lack of knowledge or lack of abilities. HFRA can be used as the first part of a full-scale awareness campaign, and also has a role in simply checking whether an organization needs to step into human factor security measures. Sometimes, HFRA may also show that technical measures have to be improved, and one might expect to find that sort of situation where the business applications of a company foster inadequate information handling rather than good secure practices. It could be said therefore that HFRA is a part of a comprehensive modern security approach. This is illustrated by the bar in yellow in figure 8.

Figure 8: HFRA as part of a Security Management approach

A typical HFRA project tries to answer a series of questions exploring man-machine interaction and communication practices within an organisation:

- Who uses what kind of data? In which environment? Using what kind of devices?
- Do business processes and policies support security and privacy minded behaviour?
- What do employees think about security and privacy? What do they know?
- What’s the attitude of employees towards security and privacy?
- Are they effectively trained?

Analyzing the answers to these questions allows organisations to understand and assess human factors before stepping into a costly awareness and empowerment campaign. The results facilitate internal discussions of human factor topics, and HFRA can be used to measure the effects of an awareness campaign by gathering this information before, during and after the execution of the campaign. HFRA methodology is mainly based on tools of technical risk assessments, social psychology and market research, for example:

- Observation


- Penetration tests using social engineering methods
- Network forensics
- On- and offline questionnaires
- Focus groups
- Critical Incident Technique (Flanagan) to find and define critical situations in information handling
- Culture checks to identify risks resulting from social or local cultural frameworks

As this set of methods tends to result in employee privacy problems, HFRA results generally have to be strictly anonymized. HFRA must not be used as a performance measurement tool, as this causes fear and dishonest answers among the staff members questioned during the project. Independent, trusted researchers get better results than internal specialists.

Every human factor risk assessment should be executed with the assumption that it is not individuals themselves who are a risk to an organization, but their behaviour, lack of knowledge and capabilities. The key point is that all of these factors can be improved.


Joao Moita

Mr. Joao Moita is Manager, Enterprise Risk Services - Security & Privacy, at Deloitte & Associados, Portugal. He started as a software developer and, after taking an MSc in Information Security, moved on to the IT security field. He is particularly interested in mechanisms that effectively protect "information" along its life-cycle and in new security and technological trends that make security work for the business. His specialties comprise biometrics, PKI, ISO 2700x and other security standards.

The role of security in the new e-World

The virtual world is now woven into the way that many in the western world operate both their business and personal lives. Challenges include mobile working, straightforward communication across a range of media, shopping online and even conducting social relationships through social networking sites. The all-pervasive nature of the internet requires well thought through methodologies that allow for the range of flexibility of application that will be required. It was just such a methodology that Joao spoke about in November 2009.

The basic methodology can be illustrated in the following diagram and will be explained with reference to a project called “Protecting our Client Value” which was run with the client, a government-owned institute responsible for managing the IT operations for a Portuguese Ministry.

It is worth noting that the client base was, in effect, the citizenry of Portugal, so in excess of 10 million users with a wide range of knowledge and experience of using the internet and with a significant geographical spread.

1. Know your Data

In the first instance, information needed to be gathered with regard to the physical location of data, the data owners, the classification of the data and any legal requisites that would need to be addressed in the project.

2. Protecting Client Value

In this instance this focused on the classification of data dependent on the level of confidentiality of the data to all stakeholders.

3. Know your Channels

The business processes were examined in order to determine the flows of data. This stage also considered where data was at rest and in use.


4. Implement and monitor controls

This stage, as you might expect, concerned the defining, designing and implementation of security policies to deal with issues identified in a risk review. This included training and other awareness raising activities, the implementation of a formal classification process and the identification and implementation of the technologies that could, or should, be implemented in order to increase the level of security.

5. Sustain and create capabilities

This required the creation and implementation of an incident response team as well as the definition and implementation of a technological risk management process.


Kathrin Prantner

Ms. Kathrin Prantner is co-founder and Executive Director of E-SEC Information Security Solutions GmbH, based in Salzburg, Austria.

E-SEC Virtual Training

The second presentation in November was entirely different in that it enabled forum members to see the use of software to bring security awareness to the desk of every member of staff in a way that is more effective than the standard reading and comprehension format.

Educators and psychologists have known for a long time that reading and non-reactive listening are the least effective ways to transmit knowledge, and yet these are the very tools that are most commonly found in the toolbox of the person tasked with raising security awareness in a business. Kathrin Prantner, Managing Director and Co-Founder of E-SEC Information Security Solutions, gave us an insight into the way that the virtual world and gaming approach can give staff a more realistic experience of security issues.

Kathrin was keen to point out that the package does not treat all users as essentially facing the same, or similar, challenges. At the basic level there are different courses for those in the public and private sector as well as other differentiators such as the area of business, such as healthcare. The unusual aspect of this approach is that the staff member will feel much like a player in an interactive game in that they move around rooms and carry out the tasks and solve the problems placed before them. In the illustration below the user, or player in their minds, has to find a way past the reception gateway. Here, at the Reception Area, the user gets access to the Awareness Lessons “Visitors” and “Attack via Telephone”.

Figure 9: Snapshot 1 from E-SEC Virtual Training


Just a quick experience of this approach gives insight into how this might raise awareness of security in the environment. However, the same approach can also be used to teach tasks that are important but basically administrative.

Figure 10: Snapshot 2 from E-SEC Virtual Training

In the task depicted above, the player looks at the sort of documents they would be used to dealing with and sorts them into the different levels of care and security they are going to need, in a way that gives the user practical experience.

Experience is a powerful learning tool; the problem is that it takes time and investment to give staff enough experience to raise not only their knowledge and awareness of security issues, but their experience to deal with them. This software takes one approach to that problem and tries to bring the information in an experiential way to all staff, not just those who have a good level of literacy and traditional learning skill. Kathrin claims that clients find the package fun, which makes it more likely they will learn the lessons.

Not all forum members will be in the market for this type of package, but it is always helpful to see new, innovative ideas and hear how they work in practice. It can stimulate ideas and new approaches that keep security awareness a process that is constantly evolving.
