
The difference between the Reality and Feeling of Security

Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ)


(Cartoon on the title slide: "She looks trustworthy" / "I'm gonna steal your toys")
Focus of the talk
The Human Factor in Information Security
From Security Awareness to Security Awareness and Competence
Solution model
What are others doing?

Awareness
I know the traffic rules.
Competence?
Does it guarantee that I am a good driver?
Awareness >> Behaviour >> Culture
Awareness: I know
Behaviour (Competence): I do
Culture: We know and do
An organization must aim for a responsible security culture.
What do organizations need?
A system that periodically shows the current security awareness and competence levels.
(Gauges on the slide, each banded Low / Medium / High: Awareness score is 87%; Competence score is 65%)
The power of perception
Why do people make security mistakes?
Imagine
Nelson Mandela walks into this room right now and offers you this glass of water. Will you accept it?
Now, imagine this
This man (pictured on the slide) walks into this room right now and offers you this glass of water. Will you accept it?
Question
Which water did you accept? Why?
Analysis
People decide what is good and what is bad based on trust: perception is influenced by trust.
Were you checking the water, or the person serving the water?
Why must we address the human factor? (or) Is the human factor worth addressing?
Case Study 1: LinkedIn password leak
The most popular passwords in the LinkedIn leak:
link, 1234, work, god, job, 12345, angel, the, ilove, sex, jesus, connect, monkey, 123456, michael, jordan, dragon, soccer, killer, pepper
Analysis
You may think you are safe when you are actually not.
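An added example, not from the talk, of what "thinking you are safe" looks like in code: a composition rule (length, digits, mixed case) stands in for the feeling of security, and a comparison against the leaked list, after undoing the usual disguises, stands in for the reality. The leaked entries are the top-20 list from the slide; the candidate passwords, the leet-speak table and the suffix-stripping rule are constructed assumptions, not part of the case study.

```python
"""Added example (not from the talk): a 'feeling' check versus a 'reality' check.

A composition rule (length, digits, mixed case) is the feeling of security: it
accepts passwords that are trivial variants of the most common leaked ones.
Comparing the password against a leaked list, after undoing the usual
disguises, is closer to the reality. LINKEDIN_TOP20 is the list from the slide;
the candidates, the LEET table and the stripping rules are constructed assumptions.
"""
import re

LINKEDIN_TOP20 = [
    "link", "1234", "work", "god", "job", "12345", "angel", "the", "ilove", "sex",
    "jesus", "connect", "monkey", "123456", "michael", "jordan", "dragon", "soccer",
    "killer", "pepper",
]

# Common substitutions people use to dress up a dictionary word (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

# Entries this short ('the', 'god') are substrings of almost anything,
# so they are only ever matched exactly.
MIN_SUBSTRING = 5

# Constructed candidates: a mix of obvious and "dressed up" choices.
CANDIDATES = ["J3sus2012!", "Tr0ub4dor&3", "Dragon123", "12345678",
              "monkey", "M1chael1!", "Ilovemonkey1"]


def feels_secure(pw: str) -> bool:
    """The typical composition rule: at least 8 characters, a digit, lower and upper case."""
    return (len(pw) >= 8
            and re.search(r"\d", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None)


def normalise(pw: str) -> str:
    """Strip the disguises: case, leading/trailing digits and symbols, then leet-speak.

    Suffix stripping runs before the leet translation so that 'jesus2012' loses
    its year instead of having the digits turned into letters.
    """
    s = pw.lower()
    s = re.sub(r"[\W_\d]+$", "", s)   # 'j3sus2012!' -> 'j3sus'
    s = re.sub(r"^[\W_\d]+", "", s)
    return s.translate(LEET)          # 'j3sus' -> 'jesus'


def matches_leak(pw: str, leaked=LINKEDIN_TOP20):
    """Return the leaked entry the password is built from, or None.

    Both the raw lower-cased password and its normalised form are tried, so an
    all-digit password such as '12345678' (whose normalised form is empty) is
    still caught by the substring rule.
    """
    forms = {pw.lower(), normalise(pw)} - {""}
    for entry in leaked:
        for form in forms:
            if form == entry or (len(entry) >= MIN_SUBSTRING and entry in form):
                return entry
    return None


def false_sense_of_security(candidates):
    """Passwords that pass the composition rule but are variants of a leaked one."""
    return [pw for pw in candidates if feels_secure(pw) and matches_leak(pw)]


if __name__ == "__main__":
    for pw in CANDIDATES:
        print(f"{pw:14} feels secure: {str(feels_secure(pw)):5}  leaked variant of: {matches_leak(pw)}")
    print("false sense of security:", false_sense_of_security(CANDIDATES))
```

Four of the seven constructed candidates pass the composition rule and are still one suffix or one character swap away from the leaked list; the one that passes both checks ("Tr0ub4dor&3") is only shown not to be a variant of these twenty entries, which is the limit of what a list check can say. In practice the same comparison is run against the full breached-password corpus rather than a top-20, and the normalisation is what keeps it from being bypassed by a trailing year or a capital letter.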
People are more terrified of being eaten by a shark than of dying of a heart attack, but far more people die of heart attacks.
Analysis
People exaggerate risks that are abnormal.
More kids die choking on french fries than of adrenoleukodystrophy.
Reason 1: Security is both a Reality and a Feeling
For security practitioners, security is a reality based on the mathematical probability of risks.
For the end user, security is a feeling.
Success lies in influencing the feeling of security.
Reason 2: Not every attack(er) is that smart
People exaggerate risks that are spectacular or uncommon: "So what? RSA was hacked."
(Chart on the slide: control efficiency plotted against risk severity / attacker smartness / attack efficiency. As the attacker gets smarter, the effective control shifts from technology and processes towards awareness and competence.)
1. Automatic security controls (technology & processes): AV, updates
2. Technology + human: firewall configuration, choosing a secure Wi-Fi network
3. Human (awareness & competence): recognizing a zero-day attack, phishing mails, not posting business information on social media
4. The very smart attacker
Most attacks fall in bands 1 to 3, where technology plus a competent user stops them; band 4 is the spectacular case that gets all the attention.
Reason 3: Technology? Yes. But humans? Of course!
Aircraft have become more advanced, but does that mean pilot training requirements have been reduced?
Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
The Solution Model
Security Awareness and Competence Management
The solution is based on HIMIS (Human Impact Management for Information Security), released under a Creative Commons license and free for non-commercial use: http://www.isqworld.com/himis
(HIMIS cycle on the slide)
Security risk analysis >> Identify the human factor >> Awareness and Behaviour (Competence) >> Assess, Improve, Re-assess
ESP: Expected Security Practice
1. Awareness vs. Competence
Consider both awareness and competence independently; a single combined score hides the people who know the rule but do not follow it.
2. Visualize, engage... and influence perception
3. Remember drip irrigation
Small doses, more frequently.
Which is more effective: drip irrigation, or spraying a lot of water once a day?
4. Re-measure frequently
(Gauges on the slide, each banded Low / Medium / High: the organization's awareness score was 87% and its competence score was 65%; the values at the next measurement are shown as "?")
Threat forecast
Emerging threats 2013 (report by ISF):
Natural disasters
Diminishing end-user security awareness
Moving to the cloud
Social media proliferation & data leaks
Corporate frauds
Attacks using GPS tracking
Economic espionage
Introduction of new devices (smartphones etc.)
Online leaks
Fast development and release of apps without testing
Smart outsourcing resulting in less workforce loyalty
Summary
(Diagram on the slide: Information at the centre, surrounded by the Technology (firewall), Process and People layers)
Technology and processes are only as good as the people that use them.
Let's switch ON the Human Layer of Information Security Defence.
Thank You
Anup Narayanan
www.isqworld.com
