The Difference Between the Reality and Feeling of Security by Thomas Kurian
DESCRIPTION
The paper shall focus on the following:

1) Introduction to the problem: focus on "security awareness", not "behavior"
2) Real-life case study of why a US$100,000 "security awareness" project failed
   a. Identifying the human component in information security risks
   b. Addressing the human component using "awareness" and "behavior" strategies
4) Sample real-life case studies where quantifiable change has been observed

Original research and publications: the talk is modeled on the methodology HIMIS (Human Impact Management for Information Security), authored by Anup Narayanan and published under "Creative Commons".

TRANSCRIPT
![Page 1: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/1.jpg)
The difference between the "Reality" and "Feeling" of Security
Human Perception and its influence on Information Security
[Cartoon: one character thinks "She looks trustworthy"; the other thinks "I'm gonna steal your toys"]
![Page 2: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/2.jpg)
The 3 pieces that make up information security
[Diagram: Technology (Firewall), Process and People surrounding Information]
Technology and processes are only as good as the people that use them
![Page 3: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/3.jpg)
Focus of the talk
• The Human Factor in Information Security
• The difference between “Awareness and Competence”
• The power of perception
• Solution Model + Examples
![Page 4: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/4.jpg)
Awareness
I know the traffic rules….
![Page 5: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/5.jpg)
Competence?
Does it guarantee that I am a good driver?
![Page 6: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/6.jpg)
….even in Information Security!!!!
[Cartoon: a "Security Policy" poster reads "Never share passwords"; the employee says "Don't tell anyone, my password is….."]
![Page 7: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/7.jpg)
Awareness >> Behaviour >> Culture
Awareness: "I know"
Behaviour (Competence): "I do"
Culture: "We know and do"
Aim for a responsible security culture
![Page 8: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/8.jpg)
What do organizations need?
A system that periodically shows the current Security Awareness and Competence Levels
[Two gauges, each with LOW / MEDIUM / HIGH bands, one for awareness and one for competence]
Awareness score is 87%
Competence score is 65%
A smart attacker will always try to influence the perception of the employee
![Page 9: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/9.jpg)
The power of perception
Why do people make security mistakes?
![Page 10: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/10.jpg)
Imagine…
APJ Abdul Kalam walks into this room right
now and offers you this glass of water….
![Page 11: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/11.jpg)
Now, imagine this…
This man walks into this room right now
and offers you this glass of water….
![Page 12: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/12.jpg)
Question
Which water did
you accept?
Why?
![Page 13: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/13.jpg)
Analysis
People decide what is good and what is bad based on “trust”
Perception is influenced by Trust
Were you checking the water or the person serving the water?
![Page 14: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/14.jpg)
How do people make security decisions?
Influence of perception
![Page 15: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/15.jpg)
Analysis
Of these two, which terrifies you more?
More people die of heart attacks than by getting eaten by sharks
You may feel safe when you are actually not
![Page 16: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/16.jpg)
Analysis
Of these two, which terrifies you more?
More kids die choking on french fries than of adrenoleukodystrophy
People exaggerate risks that are uncommon
![Page 17: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/17.jpg)
I hope now it is clear that we must address the human factor….
Let us summarize…
![Page 18: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/18.jpg)
Reason 1: Security is both a "Reality" and a "Feeling"
For security practitioners, security is a "Reality" based on the mathematical probability of risks
For the end user, security is a "feeling"
Success lies in influencing the "feeling" of security
![Page 19: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/19.jpg)
RSA Attack
![Page 20: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/20.jpg)
The Incident
In March 2011, RSA, one of the foremost security companies in the world, disclosed that cyber-attacks had penetrated its internal networks and extracted information from its systems.
The consequences were
• Financial Loss
• Reputational Loss
![Page 21: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/21.jpg)
Attack
An employee opened the attachment of a phishing e-mail
The component embedded in the attachment exploited a vulnerability
![Page 22: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/22.jpg)
Analysis: Why did the attack happen?
![Page 23: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/23.jpg)
You may wonder…
RSA must have had best-in-class firewalls, anti-virus and other security systems. So how did this attack happen?
It failed to address the Human Factor
![Page 24: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/24.jpg)
Reason 2: Technology…yes, but humans…of course!
Aircraft have become more advanced, but does it mean that pilot training requirements have reduced?
Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
![Page 25: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/25.jpg)
The Solution Model
Security Awareness and Competence Management
![Page 26: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/26.jpg)
The solution is based on HIMIS
• HIMIS – Human Impact
Management for
Information Security
• Released under Creative
Commons License
• Free for Non-Commercial
Use
http://www.isqworld.com/himis
![Page 27: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/27.jpg)
HIMIS Implementation Model
Define Strategize Deliver Verify
Responsible Information Security Behavior
![Page 28: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/28.jpg)
Define
• Choose the ESPs (Expected Security Practices)
• Review and approval of ESPs
![Page 29: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/29.jpg)
Strategize
For awareness management
• Coverage
• Format & visibility: verbal, paper and electronic
• Frequency
• Quality of content
• Retention measurement (surveys, quizzes)
For behavior management
• Motivational strategies
• Enforcement / disciplinary strategies
![Page 30: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/30.jpg)
Deliver
• Define tolerable deviation
• Efficiency
• Collection of feedback
• Confirmation of receipt
![Page 31: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/31.jpg)
Verify
• Audit strategy
• Selection of ESPs
• Define sample size
• Audit methods
For awareness: interviews, surveys, quizzes
For behavior: observation, review of incident reports, social engineering tests
![Page 32: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/32.jpg)
Examples
• Deploy false e-mails seeking information
• Tailgating into the facility
• Placing media labeled "confidential information" in the cafeteria or other places
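The Verify step asks for an audit strategy, a sample size and an audit method per ESP, and the Deliver step asks for a tolerable deviation. The Python script below is an added example (mine, not part of HIMIS or of the talk) that ties those together: it reads the tolerable deviation as the margin of error on the compliance rate the audit is meant to estimate, computes the sample size with the standard formula for estimating a proportion (Cochran's formula with finite-population correction; the page does not say which method HIMIS intends, so this is an assumption) and draws a reproducible random sample of employees to quiz, observe or phish for each ESP. The roster, the ESP names and the audit methods are constructed.

```python
"""HIMIS 'Verify' audit plan: sample size and sample per ESP.

Added example, not part of HIMIS or the talk.  Assumptions: the Deliver step's
'tolerable deviation' is read as the margin of error on the measured compliance
rate, and the sample size comes from Cochran's formula for a proportion with
finite-population correction.  Roster, ESPs and methods are constructed."""
import math
import random

# Two-sided standard-normal quantiles for the supported confidence levels
Z_SCORES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def audit_sample_size(population, tolerable_deviation, confidence=0.95,
                      expected_rate=0.5):
    """How many people to audit so the measured compliance rate for one ESP
    lies within +/- tolerable_deviation of the true rate at `confidence`.
    expected_rate=0.5 is the worst case and gives the largest sample."""
    if population <= 0:
        return 0
    if not 0 < tolerable_deviation < 1:
        raise ValueError("tolerable deviation must be a fraction in (0, 1)")
    z = Z_SCORES[confidence]
    # Cochran's n0 for an effectively infinite population ...
    n0 = z ** 2 * expected_rate * (1 - expected_rate) / tolerable_deviation ** 2
    # ... shrunk by the finite-population correction, then rounded up
    n = n0 / (1 + (n0 - 1) / population)
    return min(population, math.ceil(n))


def draw_sample(roster, size, seed):
    """Reproducible random selection: record `seed` in the audit plan so the
    same people can be re-identified when the audit itself is reviewed."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(roster), min(size, len(roster))))


def plan_audit(roster, esp_methods, tolerable_deviation, confidence=0.95, seed=2011):
    """One plan entry per ESP.  Awareness ESPs are measured with quizzes or
    interviews, behaviour ESPs with observation or social-engineering tests;
    each ESP gets its own sample so one group is not tested for everything."""
    size = audit_sample_size(len(roster), tolerable_deviation, confidence)
    plan = {}
    for index, (esp, method) in enumerate(sorted(esp_methods.items())):
        plan[esp] = {
            "method": method,
            "sample_size": size,
            "sample": draw_sample(roster, size, seed + index),
        }
    return plan


# Constructed roster and ESPs for a stand-alone run
ROSTER = [f"emp{n:03d}" for n in range(1, 121)]          # 120 employees
ESP_METHODS = {
    "never_share_passwords": "quiz",                      # awareness
    "report_suspicious_email": "phishing_simulation",     # behaviour
    "challenge_tailgaters": "tailgating_test",            # behaviour
    "no_confidential_media_left_around": "media_drop",    # behaviour
}

if __name__ == "__main__":
    for esp, entry in plan_audit(ROSTER, ESP_METHODS, tolerable_deviation=0.10).items():
        print(f"{esp}: {entry['method']}, n={entry['sample_size']}, "
              f"first picks {entry['sample'][:3]}")
```

With 120 employees and a tolerable deviation of 10 percentage points at 95% confidence the plan audits 54 people per ESP; tightening the deviation to 5 points would need 92, which is why the tolerable deviation has to be defined before the audit is sized rather than after.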
![Page 33: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/33.jpg)
Reporting model
[Two gauges, each with LOW / MEDIUM / HIGH bands, one for awareness and one for competence]
Organization's awareness score was 87%
Organization's competence score was 65%
![Page 34: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/34.jpg)
HIMIS Focus
![Page 35: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/35.jpg)
[Cycle diagram: ESP → Awareness → Behaviour (Competence) → Assess, Improve, Re-assess]
ESP – Expected Security Practice
1. Differentiate between Awareness vs. Competence
Consider both "Awareness" and "Competence" independently
![Page 36: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/36.jpg)
2. Visualize ….and influence perception
![Page 37: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/37.jpg)
3. Scenario based training (Make people solve challenges)
![Page 38: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/38.jpg)
Example
Video (PLAY)
![Page 39: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/39.jpg)
4. Remember drip irrigation
Small doses, more frequent
Which is more effective – Drip irrigation or spraying a lot of water once a day?
![Page 40: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/40.jpg)
5. Re-measure frequently
[The same two gauges, LOW / MEDIUM / HIGH awareness and competence, with the new readings left as "?"]
Organization's awareness score was 87%
Organization's competence score was 65%
Now? Now?
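The gauges on this slide and on slides 8 and 33 report two independent scores, awareness and competence, and this slide asks for them to be re-measured. The Python script below is an added example (mine, not HIMIS's or the speaker's) of how such a reporting model can be computed from quiz results and behaviour-audit observations so that the two are never mixed, and of how two measurement periods are compared. The ESP names, the records and the LOW / MEDIUM / HIGH cut-offs are constructed; the slides show the bands but give no thresholds. The records are shaped to reproduce the 87% / 65% figures on the slide.

```python
"""HIMIS reporting model: awareness and competence scored independently.

Added example, not part of HIMIS or the talk.  Band cut-offs, ESP names and
all records are constructed; the slides give the bands but no thresholds."""

# Assumed cut-offs for the LOW / MEDIUM / HIGH gauge, checked top-down
BANDS = [(80, "HIGH"), (50, "MEDIUM"), (0, "LOW")]


def band(score):
    """Map a 0-100 score onto the gauge band."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "LOW"


def pct(outcomes):
    """Percentage of True outcomes, rounded to a whole number."""
    return round(100 * sum(outcomes) / len(outcomes))


def pooled(outcome_lists):
    """Organisation-wide score: every observation counts once, so an ESP
    audited with more samples weighs more."""
    return pct([x for outcomes in outcome_lists for x in outcomes])


def report(quiz, audit):
    """quiz:  {esp: [True if answered correctly, ...]}          -> awareness
    audit: {esp: (method, [True if behaved as expected, ...])} -> competence
    Returns per-ESP and organisation-wide scores plus the ESP with the widest
    'know but don't do' gap, which is where behaviour work should start."""
    awareness = {esp: pct(outcomes) for esp, outcomes in quiz.items()}
    competence = {esp: pct(outcomes) for esp, (_method, outcomes) in audit.items()}
    per_esp = {}
    for esp in awareness:
        if esp in competence:
            per_esp[esp] = {
                "awareness": awareness[esp],
                "competence": competence[esp],
                "gap": awareness[esp] - competence[esp],
                "audit_method": audit[esp][0],
            }
    org_awareness = pooled(quiz.values())
    org_competence = pooled(outcomes for _method, outcomes in audit.values())
    return {
        "awareness": org_awareness,
        "awareness_band": band(org_awareness),
        "competence": org_competence,
        "competence_band": band(org_competence),
        "per_esp": per_esp,
        "priority_esp": max(per_esp, key=lambda e: per_esp[e]["gap"]),
    }


def compare(previous, current):
    """Re-measure: deltas between two report() results, overall and per ESP."""
    return {
        "awareness_delta": current["awareness"] - previous["awareness"],
        "competence_delta": current["competence"] - previous["competence"],
        "per_esp": {
            esp: current["per_esp"][esp]["competence"] - previous["per_esp"][esp]["competence"]
            for esp in current["per_esp"] if esp in previous["per_esp"]
        },
    }


# Constructed quarter-1 records for five employees (one entry per employee,
# except the phishing simulation, which sent two mails to each)
QUIZ_Q1 = {
    "never_share_passwords":   [True, True, True, True, True],
    "report_suspicious_email": [True, False, True, True, True],
    "challenge_tailgaters":    [True, True, True, False, True],
}
AUDIT_Q1 = {
    "never_share_passwords":   ("observation", [True, False, True, True, True]),
    "report_suspicious_email": ("phishing_simulation",
                                [True, False, False, True, False,
                                 True, False, True, True, False]),
    "challenge_tailgaters":    ("tailgating_test", [True, True, False, True, True]),
}

if __name__ == "__main__":
    r = report(QUIZ_Q1, AUDIT_Q1)
    print(f"awareness {r['awareness']}% ({r['awareness_band']}), "
          f"competence {r['competence']}% ({r['competence_band']}); "
          f"start with: {r['priority_esp']}")
```

On the constructed records the organisation scores 87% awareness (HIGH) but 65% competence (MEDIUM), and the per-ESP view shows where that gap comes from: 80% of people know they should report a suspicious e-mail, yet only 50% did so when the simulated phishing mail arrived. Keeping the two scores apart is what makes that "know but don't do" gap visible at all; a single blended score would hide it.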
![Page 41: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/41.jpg)
Summary
"A smart user in front of the computer is a good security control and is not that expensive."
![Page 42: The Difference Between the Reality and Feeling of Security by Thomas Kurian](https://reader033.vdocument.in/reader033/viewer/2022051514/5492618bac7959412e8b45ce/html5/thumbnails/42.jpg)
Let’s switch ON the Human Layer of Information Security Defence
Thank You
http://www.isqworld.com/himis