The difference between the Reality and Feeling of Security
Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ)
[Cartoon on the title slide: "She looks trustworthy" / "I'm gonna steal your toys"]

Focus of the talk
- The human factor in information security
- From security awareness to security awareness and competence
- Solution model
- What are others doing?
Awareness
I know the traffic rules.

Competence?
Does that guarantee that I am a good driver?

Awareness >> Behaviour >> Culture
- Awareness: I know
- Behaviour (competence): I do
- Culture: we know and do
An organization must aim for a responsible security culture.

What do organizations need?
A system that periodically shows the current security awareness and competence levels.
[Figure: awareness and competence matrix. Awareness axis: LOW / MEDIUM / HIGH. Competence axis: LOW / MEDIUM / HIGH. Plotted reading: awareness score 87%, competence score 65%.]

The power of perception
Why do people make security mistakes?

Imagine: will you accept it?
Nelson Mandela walks into this room right now and offers you this glass of water.

Now, imagine this: will you accept it?
This man (pictured) walks into this room right now and offers you this glass of water.

Question
Which water did you accept?
Why?

Analysis
People decide what is good and what is bad based on trust. Perception is influenced by trust. Were you checking the water, or the person serving the water?

Why must we address the human factor? (or: is the human factor worth addressing?)

Case study 1: LinkedIn password leak
The most popular passwords in the LinkedIn leak:
link, 1234, work, god, job, 12345, angel, the, ilove, sex, jesus, connect, monkey, 123456, michael, jordan, dragon, soccer, killer, pepper
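A list like the one above is the raw material for a password blocklist check. The Python below is an added example, not code from the talk, from ISQ or from HIMIS. It works from a constructed sample that stands in for cleartext recovered from a leaked hash dump (the 2012 LinkedIn dump was unsalted SHA-1; the sample here is made up, not real data), ranks the most frequent values the way the slide does, and then screens new passwords against that list. The normalisation rules (case folding, trailing digits and punctuation, a few leet spellings), the eight-character minimum and the digits-only rule are this example's own policy choices; the underlying requirement to compare memorized secrets against commonly used or compromised values is the one in NIST SP 800-63B.

```python
import re
from collections import Counter

# Constructed sample standing in for the cleartext recovered from a leaked
# hash dump. Not real LinkedIn data; the repeats are chosen for the example.
SAMPLE_LEAK = [
    "link", "link", "link", "1234", "work", "god", "job", "12345",
    "angel", "the", "ilove", "sex", "jesus", "connect", "monkey",
    "123456", "123456", "michael", "jordan", "dragon", "soccer",
    "killer", "pepper", "Link2012", "linkedin1", "MONKEY", "Soccer99",
]

# Leet substitutions undone by normalize(); an assumption of this example.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "@": "a", "$": "s"})


def top_passwords(passwords, n=10):
    """Rank the most frequent cleartext values, as the slide does for the dump."""
    return Counter(passwords).most_common(n)


def normalize(password):
    """Collapse the variants people reach for when a bare word is rejected.

    Lower-cases, strips trailing digits and punctuation, then undoes common
    leet spellings. Returns '' for a value that was only digits/punctuation.
    """
    p = password.lower()
    p = re.sub(r"[\d!@#$%^&*._-]+$", "", p)
    return p.translate(_LEET)


class PasswordBlocklist:
    """Screen candidate passwords against a leaked/common-password list.

    The comparison against commonly used or compromised values is what
    NIST SP 800-63B asks for; the normalisation step and the two extra
    rules (minimum length, digits-only) are this example's own policy.
    """

    def __init__(self, leaked_passwords, min_length=8):
        self.min_length = min_length
        self._blocked = set()
        for pw in leaked_passwords:
            self._blocked.add(pw.lower())
            norm = normalize(pw)
            if norm:
                self._blocked.add(norm)

    def check(self, candidate):
        """Return (accepted, reason) for a candidate password."""
        if len(candidate) < self.min_length:
            return False, "too short"
        if candidate.lower() in self._blocked:
            return False, "appears verbatim in leaked-password list"
        norm = normalize(candidate)
        if not norm:
            return False, "only digits and punctuation"
        if norm in self._blocked:
            return False, f"trivial variant of leaked password '{norm}'"
        return True, "ok"


if __name__ == "__main__":
    for pw, count in top_passwords(SAMPLE_LEAK, 5):
        print(f"{count:3d}  {pw}")
    blocklist = PasswordBlocklist(SAMPLE_LEAK)
    for candidate in ("God2024!!", "MONKEY123", "LinkedIn1",
                      "12345678", "correct horse battery staple"):
        print(candidate, blocklist.check(candidate))
```

The point of the normalisation step is the one the next slide makes: "God2024!!" passes a length-and-complexity rule and feels safe to the person who chose it, but it is a two-second variant of an entry on the list and is rejected as such.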
Analysis
You may think you are safe when you are actually not.

People are more terrified of being eaten by a shark than of dying of a heart attack, but far more people die of heart attacks.

Analysis
People exaggerate risks that are abnormal.

More kids die choking on french fries than of adrenoleukodystrophy.

Reason 1: Security is both a reality and a feeling
For security practitioners, security is a reality based on the mathematical probability of risks.
For the end user, security is a feeling.
Success lies in influencing the feeling of security.
Reason 2: Not every attack(er) is that smart
People exaggerate risks that are spectacular or uncommon: "So what? RSA was hacked."

[Chart: control efficiency, running from "Technology & Processes" to "Awareness & Competence", plotted against risk severity / attacker smartness / attack efficiency, with four tiers:
1. Technology and processes: automatic security controls (AV, updates)
2. Technology + human: firewall configuration, choosing a secure Wi-Fi network
3. Human: recognizing a zero-day attack, phishing mails, not posting business information on social media
4. The very smart attacker]

Reason 3: Technology, yes; but humans, of course!
Aircraft have become more advanced, but does that mean pilot training requirements have been reduced?
Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?

The solution model: Security Awareness and Competence Management
The solution is based on HIMIS (Human Impact Management for Information Security), released under a Creative Commons licence and free for non-commercial use: http://www.isqworld.com/himis

[Diagram of the HIMIS cycle: security risk analysis; identify the human factor (awareness, behaviour/competence); assess, improve, re-assess against the ESP (Expected Security Practice).]

1. Awareness vs. competence
Consider both awareness and competence independently.

2. Visualize, engage ... and influence perception

3. Remember drip irrigation
Small doses, more frequently.
Which is more effective: drip irrigation, or spraying a lot of water once a day?

4. Re-measure frequently
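Steps 1, 3 and 4 of the model, as an added example in code (not the talk's own tooling and not part of HIMIS): awareness is measured with a quiz ("I know"), competence with how people actually handled simulated phishing mails sent to them ("I do"), the two are scored independently rather than blended into one "awareness %", and every measurement round is kept so the trend between small, frequent doses can be read. The Observation fields, the 80 / 50 banding thresholds and the employee data are all constructed for this example; the first round is built to reproduce the 87% / 65% split from the slides.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# Banding thresholds are an assumption of this example; HIMIS does not fix them.
BANDS = ((80.0, "HIGH"), (50.0, "MEDIUM"), (0.0, "LOW"))


@dataclass(frozen=True)
class Observation:
    """One employee's results for one measurement round (constructed data).

    quiz_* is the awareness measure ("I know"); phish_* is the competence
    measure ("I do"): how the person actually handled the simulated
    phishing mails sent to them during the round.
    """
    employee: str
    quiz_correct: int
    quiz_total: int
    phish_sent: int
    phish_clicked: int


def band(score: float) -> str:
    """Map a 0-100 score onto the LOW / MEDIUM / HIGH axis of the matrix."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def org_scores(obs: Iterable[Observation]) -> Tuple[float, float]:
    """Awareness and competence for the organization, scored independently.

    Each is a pooled ratio over all employees rather than a mean of
    per-person percentages, so one person who saw few items does not
    weigh the same as one who saw many.
    """
    rows = list(obs)
    asked = sum(o.quiz_total for o in rows)
    sent = sum(o.phish_sent for o in rows)
    if asked == 0 or sent == 0:
        raise ValueError("need at least one quiz item and one simulated mail")
    correct = sum(o.quiz_correct for o in rows)
    handled = sum(o.phish_sent - o.phish_clicked for o in rows)
    return 100.0 * correct / asked, 100.0 * handled / sent


def matrix_cell(obs: Iterable[Observation]) -> Tuple[str, str]:
    """Where the organization sits on the awareness x competence matrix."""
    aw, comp = org_scores(obs)
    return band(aw), band(comp)


def blended_score(obs: Iterable[Observation]) -> float:
    """A single 'security awareness %' (the mean of the two axes), computed
    only to make visible what such a blend hides."""
    aw, comp = org_scores(obs)
    return (aw + comp) / 2


def trend(rounds: Sequence[Tuple[str, Sequence[Observation]]]) -> List[tuple]:
    """Re-measure frequently: one row per round so the drip effect is visible."""
    out = []
    for label, obs in rounds:
        aw, comp = org_scores(obs)
        out.append((label, round(aw, 1), round(comp, 1), band(aw), band(comp)))
    return out


# Constructed rounds: a 25-question quiz and five simulated mails per person.
ROUND_1 = [
    Observation("alice", 22, 25, 5, 2),
    Observation("bob", 21, 25, 5, 1),
    Observation("carol", 23, 25, 5, 3),
    Observation("dave", 21, 25, 5, 1),
]
# Same people after a few short refreshers (drip irrigation, not a yearly flood).
ROUND_2 = [
    Observation("alice", 22, 25, 5, 1),
    Observation("bob", 22, 25, 5, 0),
    Observation("carol", 23, 25, 5, 2),
    Observation("dave", 22, 25, 5, 0),
]

if __name__ == "__main__":
    aw, comp = org_scores(ROUND_1)
    print(f"round 1: awareness {aw:.0f}% ({band(aw)}), "
          f"competence {comp:.0f}% ({band(comp)})")
    blended = blended_score(ROUND_1)
    print(f"blended into one number it would read {blended:.0f}% ({band(blended)})")
    for row in trend([("Q1", ROUND_1), ("Q2", ROUND_2)]):
        print(row)
```

In the first round the organization lands in the HIGH-awareness, MEDIUM-competence cell: people know the rules and still click. The blended 76% would have reported a single "medium" and said nothing about which of the two levers to pull; the second round shows competence moving once the training is delivered in small, repeated doses and measured again.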
[Figure: the awareness and competence matrix after re-measurement. Awareness axis: LOW / MEDIUM / HIGH. Competence axis: LOW / MEDIUM / HIGH. The organization's awareness score was 87%; its competence score was 65%.]

Threat forecast
Emerging threats 2013 (report by ISF):
- Natural disasters
- Diminishing end-user security awareness
- Moving to the cloud
- Social media proliferation and data leaks
- Corporate frauds
- Attacks using GPS tracking
- Economic espionage
- Introduction of new devices (smartphones etc.)
- Online leaks
- Fast development and release of apps without testing
- Smart outsourcing resulting in less workforce loyalty

Summary
[Diagram of layers: technology (firewall), process, people, information.]
Technology and processes are only as good as the people that use them.
Let's switch ON the human layer of information security defence.

Thank You
Anup Narayanan
www.isqworld.com