Upload: anup-narayanan

Post on 22-Nov-2014

DESCRIPTION

A brief overview regarding risks to information security due to poor awareness and irresponsible behavior. Based on my methodology HIMIS (Human Impact Management for Information Security). To know more about HIMIS, visit http://www.isqworld.com/himis

TRANSCRIPT

Page 1: Human Impact on Information Security - Computer Society of India Conference, Coimbatore, India

Creating a RESPONSIBLE Information Security Culture

Presented by Anup Narayanan, First Legion Consulting

[Graphic: Information, Employees]

Page 2: What is the problem?

Page 3: What is the problem?

[Graphic: types of information - Client/Customer data, Regulatory data, Financial data, Employee data, Business information]

Most problems are a cultural issue:

• The new generation of employees talk about business on Facebook and Orkut, or store information on mobile devices
• Many make mistakes while sharing information through email, phone, printing, or even while traveling

Poor information security awareness and behavior impacts the business.

Page 4: If you are interested in financial data!

* Average annual loss due to computer crimes shot up to $350,424 per company in 2007 from $168,000 in 2006
* Insider abuse of network access or e-mail is the No. 1 threat

Note - The numbers are debatable, but what matters is that "money" is involved, and hence it matters.

* Source: Computer Security Institute Survey

Page 5: Principal focus: "Awareness" is not "Behavior"

Awareness: Everyone knows traffic rules
Behavior: Few follow them

Reason: Culture; Quality of enforcement

12/29/2008

(C) First Legion Consulting. All Rights Reserved

Page 6: Definitions: Awareness, Behavior & Culture

Awareness
• Knowledge or understanding of an object, idea or thought

Behavior
• The action or reaction of a person under specific circumstances

Culture
• The attitudes and "BEHAVIOR" that are characteristic of a particular social group or organization

Page 7: To change behavior???

"All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated."

Page 8: What is the challenge?

Page 9: The Challenge

Stage 1: I don't know
• I don't know about password security (No awareness)

Stage 2: I know but I don't do
• I know about password security (Awareness)

Stage 3: I know and I do
• I practice password security (Awareness and Behavior)

Page 10: Focus on the "3rd" angle of Information Security - PEOPLE

Technology and processes are only as good as the people who use them.

[Graphic: Technology (Firewall), Process (ISO 27001), People??]

Page 11: Case Study - Why does focusing only on "awareness" not produce results?

Page 12: Analysis of an Information Security "Awareness" Project

Client name: withheld
Type of industry: Retail
No. of employees: 5000+
Position: Market leader
Type of information handled: Customer data, intellectual property
Spending on information security awareness: USD 100,000

Page 13: Spending Vs. Returns

Awareness that was spread:
• Sharing of company/customer information is wrong
• Sensitive information must be protected
• Access control cards must be protected
• More...

Behavior created (what we found):
• Customer records were leaked to a competitor
• Salary information of a top executive was given to a head hunter (job recruiting firm)
• Printouts lying unattended
• Visitors can enter the facility without informing the security guard
• More...

Page 14: What was the problem?

Problem 1: Poor "Visibility" & "Clarity"
Problem 2: Poor "Enforcement"

Page 15: Problem 1: Poor Visibility & Clarity

An organization has many "rules" and "regulations". Where is the "information security rule"? The workforce is confused!!

Page 16: Example: What are the employees saying?

Message in the campaign
• Don't share passwords

Employee reaction (3 employees)
• Which password? Desktop, Sales ERP, document passwords?
• I am stuck in a traffic jam and have to update my sales calls by 6 p.m. Tell me what I should do?
• I am sorry, but I didn't know that there was a policy like this

Message in the campaign
• Protect sensitive information

Employee reaction
• To me all information is sensitive
• Does this mean that I cannot share it even with my colleagues?
• How do I protect it?

Page 17: More reactions!

"It takes 48-96 hours to get a password reset. What should I do, not do my work?"

"I get these annoying 'Security Screen Savers' every 90 seconds. Why so much overkill!!"

"We have 100 new employees every month, whereas the security training is once in 6 months. How will you handle these 'unaware' employees?"

Page 18: Root cause analysis

Poor visibility - 50% of the workforce are off-role employees; they don't have an email ID and so were not covered in the campaign

Poor clarity - examples:
"See something suspicious - Report it"
"Don't share passwords"
"You have zero privacy anyways - Get over it"

Poor business relevance - generic, not business specific

Poor enforcement

Page 19: Problem 2: Poor Enforcement

Awareness: "I know, but I don't do"
Behavior: "I know and I do"

Migration is determined by ENFORCEMENT

Page 20: Remember!!

The poster near the water cooler is great for the first 2 weeks. Then it BLENDS into the environment.

Page 21: Solution model

[Graphic: Methodology, Content (Awareness), Enforcement]

Page 22: First, Methodology

[Graphic: Methodology, Content, Enforcement]

Page 23: Methodology: HIMIS™ - Human Impact Management for Information Security

Creative Commons License, free for non-commercial use. Download from www.himis.org; created and owned by First Legion.

Page 24: What can you do with HIMIS?

1. Assess the current level of information security awareness and behavior
2. Understand the business impact
3. Define "Desirable Information Security Behavior" for each function group (HR, R&D, Finance etc.)
4. Define "Enforcement Strategies"
5. Create a roadmap, measure and monitor

Page 25: HIMIS: Notes

DNV (Det Norske Veritas), a leading "Safety Risk Management Company", has created an "Independent Assessment Model" for HIMIS.

HIMIS is the first "Information Security Behavior" methodology to achieve this.

Vodafone India is the first organization to undergo the verification assessment through DNV.

Page 26: Next, Content

[Graphic: Tool, Content, Methodology]

Page 27: Importance of Content

Content is a key propellant for creating good information security awareness.

Page 28: Qualities of a good Information Security Awareness Campaign (defined by HIMIS)

The campaign must have
• Reach
• Visibility

Content must have the following qualities
1. Business relevance: not generic but specific
2. Impact visualization: show what can go wrong
3. Consider cultural factors: consider the characteristics of the population
4. Clarity & ease of understanding: keep it simple; less jargon

Page 29: "I can't attend the information security training"

• I have to prepare a report
• I will be on vacation
• I am traveling on business
• I have a meeting

People are busy!

Page 30: Fact: Inputs to designing a good security awareness campaign

[Graphic: questions around the Security Awareness Campaign]
• How clear is my language?
• Is the impact visualized clearly?
• What's my workforce?
• Who am I talking to?
• What information do they access?

Page 31: Next, Enforcement

[Graphic: Enforcement, Content, Methodology]

Page 32: Remember!

Awareness: "I know, but I don't do"
Behavior: "I know and I do"

Migration is determined by ENFORCEMENT

Page 33: Solution Model

Create two teams:
• The Core Information Security Management Team
• A team of Information Security Champions

Tasks
• The Core Information Security Management Team will create the "Enforcement Strategies"
• The Information Security Champions will assess the awareness and behavior levels, create awareness and provide feedback
• The Core Information Security Management Team will enforce awareness strategies based on the feedback

Page 34: The Solution: Steps of Execution

Step 1 - The core team defines the Enforcement Strategies

Step 2 - Create a team of "Information Security Champions"
• The champions will be trained on information security awareness and behavior management
• The champions will be given tools to analyze and record awareness and behavior levels

Step 3 - Support the champions with "Information Security Awareness Content"
• The champions will be given a set of content to be distributed to their target group
• The content will be created after taking inputs from the champions

Step 4 - The champions provide feedback to the core team for enacting enforcement strategies

Page 35: What is the benefit of this model?

1. Information security enters a micro level (functional level) rather than being at a superficial top level
2. Information security awareness is tailor-made for each functional level
   Eg: A champion from the Finance team will focus on protecting financial data
   Eg: A champion from the HR team will focus on protecting the privacy of employee records
3. Business relevance - the champions will give inputs for creating information security awareness content

Page 36: What is the benefit of this model? (Contd....)

4. The champions will be assigned targets that will be monitored and measured
5. You gain an internal capability to manage information security awareness rather than depending on an external consultant

Page 37: Case Study - The importance of Enforcement & how it produces results

Page 38: Case Study 1: IT Business

Company
• Offshore development, 3 centers in India
• Young workforce: majority between 22-27

Security rules
• Don't forward emails with unofficial attachments
• No downloads of videos, music, freeware
• No storage of personal content in official systems

Page 39: Case Study 1: IT Business

What we did:
• Quarterly "End-User Desktop Audits"
• Findings were immediately "Signed and Agreed by Auditee"
• Disputes were noted and "Signed"
• Audit findings were submitted to the InfoSec Team

Page 40: The key: Repetition and Consistency

Page 41: Remember!!

Whatever "Enforcement Strategy" you may decide, the key is "Repetition and Consistency".

Page 42: Time and resource requirements

• A roadmap of 3 years
• A team of InfoSec Champions for year 1 targeting approximately 5% - 10% of the total workforce (one champion per 50-100 users)
• Average effort of 18 man-hours per champion per year: 6 hours in quarter 1, 4 hours each in the remaining 3 quarters

Page 43: Additional notes

The solution model is ISO 27001 aligned.

The targets that this solution will achieve will help in complying with "Human Resources Security" (Domain A.8 of ISO 27001:2005).

Page 44: Closing notes: To change behavior

"All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated."

Page 45: Presented by

Anup Narayanan, CISA, CISSP
Founder & Sr. [email protected]
www.firstlegion.net