
The Human Factor:
your Prime Weakness into your Prime Defence

Dave Whitelegg CISSP CCSP

Session ID: STAR-302

Session Classification: Intermediate


The People Problem

The Human Security Strategy

Tapping into Psychology


The People Problem

The People Problem

• All Information Breaches are caused by People

The People Problem

• The role of Technology in Information Security

• Plug and Play Security
• Tech is just one side of the Equation

People + Technology

• Technology plays a critical part, but

never forget who is behind the wheel

The People Problem

The Real End Point Security

• Example: Social Networking Threat
• Example: The Laptop (bag)
• Example: Audit Logs
– 86% of victims had evidence of the breach in their log files
(Verizon 2010 Data Breach Investigations Report)

The People Problem

• Mistakes cause Data Breaches

– Awareness: Not knowing the correct action to take
– Conviction: Not acting to take the correct action

• Tough Economic Times are increasing the Malicious ‘People’ Threat
• Verizon 2010 Data Breach Investigations Report
• 48% involved privilege misuse (+26%)
• 28% employed social tactics (+16%)
– The Human Security weakness is being targeted

The People Problem

• Individual Risk Appetite doesn’t equal the Business Risk Appetite
– Non technological-savvy Generation
– Information Age Generation
– Executives (Security doesn’t apply to us)
– Middle ground complacency
- ‘Not our Responsibility’
– And don’t forget those Contractors

The People Problem

The Challenge

• Reduce the People Risk

• Make staff feel responsible and accountable
• Have staff become part of the defence

A People problem is solved with a People solution

The Human Security Strategy

The Human Security Strategy

• People + Technology
• IT Security Strategy + Human Security Strategy

• Good on their own, but better when done together

The Human Security Strategy

The Carrot and The Stick

• Traditionally InfoSec has a ‘Big Stick’ approach

• We are generally very good at applying the Stick

The Human Security Strategy

Where’s the Carrot? Where’s the Balance?

• Stick
– Deterrent against the behaviour we don’t desire
– Highly Reactionary
– Creates an “Us Vs Them” Negative Culture
– Often used in Security Strategies
• Carrot
– Encourages the behaviour we do desire
– Proactive and Preventative
– Creates an “All in this together” Positive Culture
– Often neglected in Security Strategies

The Human Security Strategy

• Why Build a Positive Security Culture?

– Employees become more part of your defence
– Increases Employee General Security Awareness
– Encourages Employees to Question and to Act
– Tends not to be expensive to deliver

– People aren’t robots, so can’t be programmed to do exactly what we want all the time...
...or can they?

The Human Security Strategy

• How to Build a Positive Security Culture

– Employee Engagement
• Communication and Messaging
– Embedding Information Security Responsibility into Roles
• Making Security Relevant to Employees
– Making Employees feel part of Information Security Programme
• Employee participation and feedback
– Rewarding the desired Behaviour

The Human Security Strategy

• Measure the existing situation before Starting

– Horses for Courses: Need to understand what works and what doesn’t
– Look at the number of reported incidents
– Assess staff Information Security know-how
– Speak with staff at the ground level

• Start with the Information Security Policies

– Make sure you have full ownership of these policies

• Policy Framework
– Organise a Policy Framework which is easy to navigate
– Example: Place IT Policies meant for IT Staff into their own section
– Example: Place General Employee Policies into a separate section

The Human Security Strategy

• Purpose of an Information Security Policy

– Simple Rules
– Direct employees to follow the business perception of risk
– When employees act on their own perception of risk we have issues
• Remember the HMRC Breach

• Policies must be written for their intended audience

• Policy Writing Tips
– Drop the document padding & excessive formatting
– Drop the Legalese, must be written in ‘Plain English’
– Keep policies less than 3 or 4 pages maximum
– Do a ‘Find & Replace’ on “should” to “must”

The Human Security Strategy

Information Security Policy Writing

Should be:
• Written to provide employees with the simple rules to follow to minimise risks within their role
• Designed to help employees become participants with information security defence
• Living documentation, constantly reviewed and updated
• Easy to find, easy to read and easy to understand by all staff

Shouldn’t be:
• Technology documentation
• Non-flexible to real business
• Closed to business and individual feedback
• Written in ‘legalese’

The Human Security Strategy

• Information Security Policy Example Format

1. Policy Name, Version Number, Date etc
2. Policy Purpose
Providing a real reason is important
3. Policy Rules
Simple, plain English and short
4. How to report violations of the policy
5. What happens in the event of not following the policy

That’s all. Reference anything else which goes with it.

– Need to be more descriptive, as per most technical policies? Create a standard or supplementary documentation

The Human Security Strategy

• Summarise Key Policies with Do’s & Don’ts

The Human Security Strategy

Security Awareness
• Come down from the Ivory Tower
• Every site, every department is different
– A centralised approach isn’t always effective
– Security Awareness needs to be tailored
• Make Security Awareness Relevant
– Engages People
– Instils responsibility
• Auditing doesn’t always give the Real Picture on the Ground

The Human Security Strategy

• The ‘Security Council’ Approach

– Representative (Security Czar) from each department
– Not Managers, but ask Managers to recommend an individual
• Members don’t have to be Security Experts
• Members do have to care about their job and the business
• Members are respected by their peers
– Keep meetings short, no more than 1.5 hours
– Meeting Every 2 Months
– Meeting Agenda
1. Security Incident Review
2. Security Improvements (actions)
3. General Security Discussion
4. Security Awareness
– Members feedback to their teams

The Human Security Strategy

Security Council Benefits

• Creates a Two Way Street
– Deliver the messages and awareness to the ground level
– You receive feedback on the issues from the ground level
• Creates an independent watchdog in each dept
• Builds a Positive Security Culture
– Employee Engagement
– Embedding Information Security into Roles
– Makes Employees part of the Programme
• Low Cost

The Human Security Strategy

• Security Council Tips

– Encourage the freedom to express by keeping it ‘friendly’
– Make meetings the most interesting and exciting meetings of all
• Provide food as the norm: pizza, Subway, donuts etc.
• Perform hacking demonstrations
– Have the team create Awareness Campaign for their environment
– Provide Home PC Security Advice
– Obtain feedback on new or changes to policies
– Always assign actions

The Human Security Strategy

• Securing the Gatekeepers

– Reception staff set the tone for the premises
– Enforcement of People Specific Policies
• Visitors Policy
• Badge wearing
• Tail-gating
– Empower Reception Staff to React
• Give them the means to report violations
– Facilities & Office Managers
• General Physical Security
• Clear Desk Policy

The Human Security Strategy

Clear Desk Policy

• Often overlooked but a key culture changing policy
• A Clear Desk does not mean a Tidy Desk
• Personal Possessions on desks are good!
• Policy Enforcement

How to stop the forgetting of Name Badges

The Human Security Strategy

• Security Awareness Training Pitfalls

• Computer Based Training (CBT)
– Most off the peg awareness courses are too generic
– Training which doesn’t match reality is counter-productive

• Awareness Posters
– Create relevant posters
– Use your Marketing Department (free resource!)
– Change at least Quarterly and Rotate Posters

The Human Security Strategy

Winning Hearts and Minds

Awareness must be continuous, not once a year
• Intranet Site / SharePoint site
• Security focused Magazine
• Competitions
• Provide Home PC Security Advice
• Provide Free Home Anti-Virus
• Great Artists Steal: look at Health & Safety and Marketing

Tapping into Psychology

Tapping into Psychology

• Harnessing the Power of Psychology

• A tool to Influence and change Behaviour
– Clear Desk Policy example
– How Bad Guys use it (Social Engineering)
– Helps you to become more engaged with staff
– Helps you write Effective Messaging

Tapping into Psychology

• Written Messaging
– Know the objectives of the message
– Understand the target audience & message perception
– Make the message personal to the reader
– Include the reasons
– Plain English but professional
– Keep messages short
– Board backed

• When a security message is not effective, it is always the fault of the message writer, never the

Tapping into Psychology

• Visual Messaging
– Most humans think visually
– Face to Face always works best

• Story Telling

• The Power of Play

• Technology is only part of the answer

• A People Problem is solved with a People Solution
• Using the Carrot more
• Winning over Hearts and Minds
• Practical methods to change Culture
• Using Psychology