TRANSCRIPT
Modelling Conflicts Between Security Compliance and Behaviour
Leron Zinatullin
http://www.zinatullin.com
Overview
• Motivation and Goal
• Method
• Contribution
• Conclusion
• Limitations and Future Work
Motivation and Goal
• Effectiveness of the security programme
• Security behaviour issues
• Develop a model to support security managers’ decision-making process
Literature review
• Security policy and ISO 27001 Standard
• Human behaviour
• Business processes
Example scenario
• Visualise security tasks
• Visualise business process of a particular role
• Merge two diagrams together
• Look for clashes
• Distinguish cases of non-compliance due to obstruction of core business process
• Adjust security controls
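The clash-finding step above, worked through in code. This is an added illustration, not the author's model: the representation (a role's business tasks tagged with the resources they need, security controls tagged with the resources they block or add friction to), the sample tasks and controls, and the 30-minutes-per-week budget are all assumptions chosen for the example.

```python
"""Overlay a role's security tasks on its business process and look for clashes.

Added example with assumed data structures; not the model from the talk.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessTask:
    name: str
    role: str
    per_week: int                    # how often the role performs the task
    core: bool                       # part of the role's core business process?
    needs: frozenset = frozenset()   # resources the task relies on


@dataclass(frozen=True)
class SecurityControl:
    name: str
    blocks: frozenset = frozenset()  # resources the control removes outright
    taxes: frozenset = frozenset()   # resources the control adds friction to
    minutes: int = 0                 # extra minutes per affected task instance


@dataclass(frozen=True)
class Clash:
    task: BusinessTask
    control: SecurityControl
    kind: str                        # "blocked" or "friction"
    minutes_per_week: int


def merge(tasks, controls):
    """Merge the two 'diagrams': one Clash per (task, control) pair that interacts."""
    clashes = []
    for t in tasks:
        for c in controls:
            if t.needs & c.blocks:
                clashes.append(Clash(t, c, "blocked", 0))
            elif t.needs & c.taxes:
                clashes.append(Clash(t, c, "friction", c.minutes * t.per_week))
    return clashes


def obstructions(clashes):
    """Non-compliance candidates: a control that blocks a *core* task obstructs the business process.

    A blocked non-core task is still a clash, but not an obstruction."""
    return [x for x in clashes if x.kind == "blocked" and x.task.core]


def weekly_overhead(clashes):
    """Minutes per week the role spends on security friction (comparable to the survey measure)."""
    return sum(x.minutes_per_week for x in clashes)


def over_budget(clashes, limit_minutes=30):
    """Assumed threshold: more than 30 minutes per week flags a control set worth revisiting."""
    return weekly_overhead(clashes) > limit_minutes


def example_scenario():
    """Constructed sample for one role; the data is invented for illustration."""
    tasks = [
        BusinessTask("Send client report", "analyst", 5, True, frozenset({"email-attachment"})),
        BusinessTask("Copy data to field laptop", "analyst", 2, True, frozenset({"usb"})),
        BusinessTask("Open trading system", "analyst", 10, True, frozenset({"login"})),
        BusinessTask("Archive old files to USB", "analyst", 1, False, frozenset({"usb"})),
    ]
    controls = [
        SecurityControl("USB mass storage disabled", blocks=frozenset({"usb"})),
        SecurityControl("Encrypt outbound attachments", taxes=frozenset({"email-attachment"}), minutes=4),
        SecurityControl("MFA on every login", taxes=frozenset({"login"}), minutes=2),
    ]
    return merge(tasks, controls)


if __name__ == "__main__":
    clashes = example_scenario()
    for x in clashes:
        print(f"{x.kind:8} {x.task.name!r} <- {x.control.name!r} ({x.minutes_per_week} min/week)")
    print("obstructions:", [x.task.name for x in obstructions(clashes)])
    print("weekly overhead:", weekly_overhead(clashes), "min; over budget:", over_budget(clashes))
```

Only the blocked core task ("Copy data to field laptop") is reported as an obstruction, which is the case the talk singles out for adjusting the control rather than treating the user as non-compliant; the USB archive task is blocked too but is not core, so it stays a plain clash. The friction total gives the per-role equivalent of the survey's "minutes per week on security tasks" figure.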
To compare views on security compliance behaviour in an organisation
[Bar chart: how often participants experience problems with security policy; categories: Never, that I can recall; Once or twice a year; Once every 3 months; Once a month; Weekly; Daily; x-axis 0–30]
53% of participants experience problems with security policy
[Chart: time spent per week on various security tasks; categories: less than 30 minutes per week; 30–60 minutes per week; more than 1 hour per week]
20% of participants spend more than 30 minutes per week on various security tasks
“We work through the user’s role … so we become familiar with particular department’s user activities.”
Security Manager, Energy
“At a high level we are aware. At the detailed process level really only when we are doing a project in that department. When we need to understand the process within the project.”
Security Manager, Investment Bank
To validate the model
“This model will be relevant to any business. I don’t think many have considered practically addressing this dimension of security in their organisations.”
Security Manager, Professional Services
“As a result you can make a decision to implement a technology solution … The cost of such implementation would be justified by your model. It will save users’ time and you can get security benefit as well.”
Security Manager, Investment Bank
Conclusion
• The ISO 27001 Standard is not enough
• Better understanding of the users
• Support decision-making process
Limitations and Future Work
• Other frameworks and regulations
• Drawbacks of the sample
• Information comes from different contexts