
The Human Factor:
Turning your Prime Weakness into your Prime Defence

Dave Whitelegg CISSP CCSP
Capita

Session ID: STAR-302


Session Classification: Intermediate

Agenda

The People Problem

The Human Security Strategy

Tapping into Psychology

Questions

The People Problem

The People Problem

• All Information Breaches are caused by People

The People Problem

• The role of Technology in Information Security
• Plug and Play Security
• Tech is just one side of the Equation

People + Technology

• Technology plays a critical part, but never forget who is behind the wheel

The People Problem

The Real End Point Security

• Example: Social Networking Threat
• Example: The Laptop (bag)
• Example: Audit Logs
– 86% of victims had evidence of the breach in their log file
– Verizon 2010 Data Breach Investigations Report

The People Problem

• Mistakes cause Data Breaches
– Awareness: Not knowing the correct action to take
– Conviction: Not acting to take the correct action

• Tough Economic Times are increasing the Malicious ‘People’ Threat
• Verizon 2010 Data Breach Investigations Report
• 48% involved privilege misuse (+26%)
• 28% employed social tactics (+16%)
– The Human Security weakness is being targeted
The People Problem

• Individual Risk Appetite doesn’t equal the Business Risk Appetite
– Non technology-savvy Generation
– Information Age Generation
– Executives (Security doesn’t apply to us)
– Middle ground complacency
– ‘Not our Responsibility’
– And don’t forget those Contractors

The People Problem

The Challenge

• Reduce the People Risk
• Make staff feel responsible and accountable
• Have staff become part of the defence

A People problem is solved with a People solution


The Human Security Strategy

The Human Security Strategy

• People + Technology
• IT Security Strategy + Human Security Strategy
• Good on their own, but better when done together


The Human Security Strategy

The Carrot and The Stick

• Traditionally InfoSec has a ‘Big Stick’ approach
• We are generally very good at applying the Stick
The Human Security Strategy

Where’s the Carrot? Where’s the Balance?

• Stick
– Deterrent against the behaviour we don’t desire
– Highly Reactionary
– Creates an “Us Vs Them” Negative Culture
– Often used in Security Strategies
• Carrot
– Encourages the behaviour we do desire
– Proactive and Preventative
– Creates an “All in this together” Positive Culture
– Often neglected in Security Strategies
The Human Security Strategy

• Why Build a Positive Security Culture?
– Employees become more part of your defence
– Increases Employee General Security Awareness
– Encourages Employees to Question and to Act
– Tends not to be expensive to deliver

– People aren’t robots, so can’t be programmed to do exactly what we want all the time...
...or can they?

The Human Security Strategy

• How to Build a Positive Security Culture
– Employee Engagement
• Communication and Messaging
– Embedding Information Security Responsibility into Roles
• Making Security Relevant to Employees
– Making Employees feel part of the Information Security Programme
• Employee participation and feedback
– Rewarding the desired Behaviour

The Human Security Strategy

• Measure the existing situation before Starting
– Horses for Courses: Need to understand what works and what doesn’t
– Look at the number of reported incidents
– Assess staff Information Security know-how
– Speak with staff at the ground level

• Start with the Information Security Policies
– Make sure you have full ownership of these policies

• Policy Framework
– Organise a Policy Framework which is easy to navigate
– Example: Place IT Policies meant for IT Staff into their own section
– Example: Place General Employee Policies into a separate section
The Human Security Strategy

• Purpose of an Information Security Policy
– Simple Rules
– Direct employees to follow the business perception of risk
– When employees act on their own perception of risk we have issues
• Remember the HMRC Breach

• Policies must be written for their intended audience

• Policy Writing Tips
– Drop the document padding & excessive formatting
– Drop the Legalese; policies must be written in ‘Plain English’
– Keep policies to 3 or 4 pages maximum
– Do a ‘Find & Replace’ on “should” to “must”
The Human Security Strategy

Information Security Policy Writing

Should be:
• Written to provide employees with the simple rules to follow to minimise risks within their role
• Designed to help employees become participants with information security defence
• Living documentation, constantly reviewed and updated
• Easy to find, easy to read and easy to understand by all staff

Shouldn’t be:
• Technology documentation
• Non-flexible to real business requirements
• Closed to business and individual feedback
• Written in ‘legalese’

The Human Security Strategy

• Information Security Policy Example Format
1. Policy Name, Version Number, Date etc
2. Policy Purpose
   Providing a real reason is important
3. Policy Rules
   Simple, plain English and short
4. How to report violations of the policy
5. What happens in the event of not following the policy

That’s all. Reference anything else which goes with it

– Need to be more descriptive, as per most technical policies? Create a standard or supplementary documentation
The Human Security Strategy

• Summarise Key Policies with Do’s & Don’ts

The Human Security Strategy

Security Awareness
• Come down from the Ivory Tower
• Every site, every department is different
– A centralised approach isn’t always effective
– Security Awareness needs to be Tailored
• Make Security Awareness Relevant
– Engages People
– Instils responsibility
• Auditing doesn’t always give the Real Picture on the Ground

The Human Security Strategy

• The ‘Security Council’ Approach
– Representative (Security Czar) from each department
– Not Managers, but ask Managers to recommend an individual
• Members don’t have to be Security Experts
• Members do have to care about their job and the business
• Members are respected by their peers
– Keep meetings short, no more than 1.5 hours
– Meet Every 2 Months
– Meeting Agenda
1. Security Incident Review
2. Security Improvements (actions)
3. General Security Discussion
4. Security Awareness
– Members feed back to their teams

The Human Security Strategy

Security Council Benefits

• Creates a Two Way Street
– Deliver the messages and awareness to the ground level
– You receive feedback on the issues from the ground level
• Creates an independent watchdog in each dept
• Builds a Positive Security Culture
– Employee Engagement
– Embedding Information Security into Roles
– Makes Employees part of the Programme
• Low Cost

The Human Security Strategy

• Security Council Tips
– Encourage the freedom to express by keeping it ‘friendly’
– Make meetings the most interesting and exciting meetings of all
• Provide food as the norm: Pizza, Subway, donuts etc.
• Perform hacking demonstrations
– Have the team create an Awareness Campaign for their environment
– Provide Home PC Security Advice
– Obtain feedback on new policies or changes to policies
– Always assign actions

The Human Security Strategy

• Securing the Gatekeepers
– Reception staff set the tone for the premises
– Enforcement of People Specific Policies
• Visitors Policy
• Badge wearing
• Tail-gating
– Empower Reception Staff to React
• Give them the means to report violations
– Facilities & Office Managers
• General Physical Security
• Clear Desk Policy

The Human Security Strategy

Clear Desk Policy

• Often overlooked but a key culture changing policy
• A Clear Desk does not mean a Tidy Desk
• Personal Possessions on desks are good!
• Policy Enforcement
– How to stop the forgetting of Name Badges
The Human Security Strategy

• Security Awareness Training Pitfalls

• Computer Based Training (CBT)
– Most off the peg awareness courses are too generic
– Training which doesn’t match reality is counterproductive

• Awareness Posters
– Create relevant posters
– Use your Marketing Department (free resource!)
– Change at least Quarterly and Rotate Posters
The Human Security Strategy

Winning Hearts and Minds

Awareness must be continuous, not once a year
• Intranet Site / SharePoint site
• Security focused Magazine
• Competitions
• Provide Home PC Security Advice
• Provide Free Home Anti-Virus
• Great Artists Steal: Look at Health & Safety and Marketing
Tapping into Psychology

Tapping into Psychology

• Harnessing the Power of Psychology
• A tool to Influence and change Behaviour
– Clear Desk Policy example
– How Bad Guys use it (Social Engineering)
– Helps you to become more engaged with staff
– Helps you write Effective Messaging
Tapping into Psychology

• Written Messaging
– Know the objectives of the message
– Understand the target audience & message perception
– Make the message personal to the reader
– Include the reasons
– Plain English but professional
– Keep messages short
– Board backed

• When a security message is not effective, it is always the fault of the message writer, never the recipient
Tapping into Psychology

• Visual Messaging
– Most humans think visually
– Face to Face always works best

• Story Telling

• The Power of Play

SUMMARY

• Technology is only part of the answer
• A People Problem is solved with a People Solution
• Using the Carrot more
• Winning over Hearts and Minds
• Practical methods to change Culture
• Using Psychology

Questions?
