13
A new tool for Information Security Professionals: the Information Security Force Field Model This thesis offers a detailed plan for how to get users onboard with information security. BY MONIQUE HOGERVORST Produced by the Information Security Group at Royal Holloway, University of London in conjunction with TechTarget. Copyright © 2008 TechTarget. All rights reserved.

A new tool for Information Security Professionals: the ...cdn.ttgtmedia.com/searchSecurityUK/downloads/RH1_Hogervorst.pdf · A new tool for Information Security Professionals: the

Embed Size (px)

Citation preview

A new tool for InformationSecurity Professionals:the Information SecurityForce Field Model

This thesis offers a detailed plan for how to get users onboard with information security.

BY MONIQUE HOGERVORST

Produced by the Information Security Group at Royal Holloway, University of London in conjunction with TechTarget. Copyright © 2008 TechTarget. All rights reserved.

A NEW TOOL FOR INFORMATION SECURITY PROFESSIONALS:THE INFORMATION SECURITY FORCE FIELD MODEL.

Changing the attitude of employees and senior management towards information securitycan solve many of the problems information security professionals face every day. If youwant buy-in from senior management in your Information Security Programme in general,and Information Security Training and Awareness in particular, you need to be able to meas-ure in such a way that you can prove the additional value security brings to the business.

The Information Security Force Field model is a useful new tool for Information Securityprofessionals that helps to: • visualise the link between business processes on one hand and information security

and information security training and awareness on the other; and • measure security and quantify the impact of information security training and awareness.

Information Security Training & Awareness, the way to overcome aversion against information security.

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 2

OVERVIEWWe all know that information security is like-ly to be better in organisations where boththe employees and the management are:

• aware of information security issues;• appreciate the potential impacts of

information security incidents; and • understand the need for information

security controls.

We all know that the best (perhaps theonly) way of providing such organisationaleducation is via a programme that providessome level of Information Security Trainingand Awareness (ISTA). Anyone who hasworked on the “security side” of an organi-sation will know very well that this is far fromthe case: ISTA programmes often sufferfrom several problems! First and foremost,

MoniqueHogervorstSenior Information Security ConsultantAPACS (Administration) [email protected]

Keith M. MartinInformation Security GroupRoyal Holloway, University of [email protected]

This article was prepared by students and staff involved with the award-winningM.Sc. in Information Security offered by theInformation Security Group at Royal Holloway,University of London. The student was judgedto have produced an outstanding M.Sc. thesison a business-related topic. The full thesis is available as a technical report on the Royal Holloway websitehttp://www.ma.rhul.ac.uk/tech.

For more information about the InformationSecurity Group at Royal Holloway or on theM.Sc. in Information Security, please visithttp://www.isg.rhul.ac.uk.

it is often hard for senior management to see a direct return of investment. To a lesserextent, this attitude can also prevail amongstthe employees who will be receiving thetraining. Secondly, it is often far from clearprecisely what an ISTA programme shouldprioritise and where it should most effectivelybe deployed.

To this end, we propose a new tool forhelping organisations to identify both thebenefits of an ISTA programme and wherebest to target its energies. The approachdoes not employ radically new ideas. Itsstrength is its simplicity and its ability tohelp senior management visualise the problem, and clearly see the merits of thepursuit of relevant ISTA. The tool has onlypartially been road tested, but its ease ofuse is compelling. It is a very flexible modeland adaptable to local conditions.

Perhaps this is just the tool you have been waiting for to help you to obtain buy-infrom senior management in your InformationSecurity Programme in general, and ISTA inparticular.

THE NEED FOR ISTAInformation security standards, bestpractices and literature all identify the needfor ISTA. The theory is clear. Surveys1 carriedout in 2006 show that in the real world thesituation is different: the focus of businessesis still on technical information security con-trols aimed at an external attacker, while theinsider attacker remains a serious threat thatis often relatively poorly defended against. A natural defence against insider (and exter-nal) attackers is ISTA and yet it seems thatISTA is not always recognised as a majorcontributor to security of an organisation. As a result, senior management is oftenreluctant to invest time and money in appro-priate ISTA. This situation needs changing,which means changing both the behaviourand attitude of the decision makers in organisations.

In modern organisations, information systems are intrinsically linked to their abilityto perform their primary business processes.Risks to information systems have the poten-tial to cause damage or loss, and significantlyaffect operational performance and reputa-

1 Surveys studied during the research phase of this project were carried out in 2006 by Deloitte (Global Security Survey for the GlobalFinancial Services Industry) and Price Waterhouse Coopers (DTI Information Security Breaches Survey).

A natural defenceagainst insider(and external)attackers is ISTAand yet it seemsthat ISTA is notalways recog-nised as a majorcontributor tosecurity of anorganisation.

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 3

tion of an organisation. To survive in themodern world of information technology (IT) and all the advantages this has brought,organisations have to protect themselvesagainst the threats and vulnerabilities that IT developments bring with them. Seniormanagement needs to embrace informationsecurity in order to sufficiently protect one of their most critical and valuable assets:information.

Changing the attitude of employees andsenior management can help to solve manyof the problems information security profes-sionals face every day. In the world of dis-tributed corporate environments, globalisa-tion and fast developing technology, therisks to information assets are increasing.Information security professionals have toconvince management that they have toinvest time and money in information securityin order to secure their information. If youwant buy-in from senior management in yourInformation Security Programme in general,and ISTA in particular, you need to be ableto prove the additional value information security brings to the business.

JUSTIFYING THE NEED FOR ISTAUnfortunately for information security

professionals there is no straightforwardsolution to the problem of providing astrong measurable case for an InformationSecurity Program. Most published method-ologies for measuring information securitydo not appropriately incorporate businessprocesses and business managers into thetechniques used for measuring informationsecurity.

ISTA is all about giving people the infor-mation security knowledge and awarenessthat they need for their day-to-day jobs. Thishas little to do with technical controls andeverything to do with human resource secu-rity and psychology. It is this observation thatprovides a vital clue as to where to look forhelp in addressing this significant problem.

Changing behaviour and attitude is proba-bly the most challenging task in organisa-tions. The field of psychology has identifieda number of models to achieve behaviouralchange. Having reviewed these extensively,one model of significant appeal is KurtLewin’s model of the Force Fields. In thismodel two sets of forces work against oneanother: restraining forces and drivingforces. Changing the strength of one of the contributing forces can result in changesto the situation being modelled. This simple

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 4

Senior manage-ment needs toembrace informa-tion security inorder to sufficientlyprotect one oftheir most criticaland valuableassets: information.

concept is very appealing and so the ForceField model (as presented by Steve Wells in a Mini-Tutorial2) was chosen in this projectfor adaptation to an information security setting in order to create a tool to assistinformation security professionals in theircommunication with business managers and the development of effective ISTA programmes. The result is the InformationSecurity Force Field Model (ISFFM), whichwe explain in this article3.

THE INFORMATION SECURITY FORCE FIELD MODEL (ISFFM)Conceptually, the idea of ISFFM is to identify the important driving (enabling)forces and restraining (disabling) forcesbehind information security in an organisa-tion. These forces then require some degree of quantification.

The results of the process can then beused to show in which way information security is linked with business processesand identify where ISTA can be deployed inorder to achieve a more favourable balancein the ISFFM between driving forces andrestraining forces. The beauty is that each

resulting ISFFM can be depicted by meansof a diagram. This diagram visualises thebusiness case for information security and ISTA.

The ISFFM is a useful tool for providingevidence that ISTA is a cost-effective countermeasure because it can be used to graphically indicate that:

• on the one hand it increases the overalllevel of security of an organisation, as usersbecome more aware of the risks;

• on the other hand it decreases therestraining forces, thus making the drivingforces more effective.

The ISFFM can also be used by informa-tion security professionals to:

• communicate effectively to line and senior managers about the link betweenbusiness processes and information security;

• explain how ISTA can impact on infor-mation security and improve security of anorganisation;

• quantify the level of security of anorganisation in comparison with other organ-isations, or in comparison with previouslyused metrics;

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 5

Changing thestrength of one ofthe contributingforces can resultin changes to thesituation beingmodelled.

2 Stephen Wells; Force Field Analysis – Mini Tutorial Quality Management (attached to project report as appendix A; 15-03-2006).3 The full MSc Project report provides more details on how the Information Security Force Field model was developed.

• quantify the impact of ISTA.

The devil is of course in the detail, whichin this case is in the development of themodel itself. We must identify the rightforces and the right metrics by which toassess them. When using the ISFFM in an organisation, the information security professional must ensure that the model hasits roots in the business processes. Theanalysis of the forces and the assessmentsof these forces should indicate in businessterms how the level of security has changedover time and how security contributes tothe business objectives.

The list of forces employed in the modelshould be configured by a particular organi-sation and selected forces will clearly differbetween organisations.

The sample ISFFM depicted in Figure 1(which shows only a list of forces and notthe measures used to assess them) coversall areas of information security: technical,physical, procedural and personnel security.A large number of the forces in Figure 1are closely related to people, the majorityof which are restraining forces. This iswhere the implementation of structuredISTA could make a difference: decreasing

the strength of the restraining forces andtherefore making the driving forces moreeffective and efficient.

The following list contains examples of

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 6

Figure 1: Information Security Force Field diagram

Cost reduction through Change and Project Management

Prevent downtime

Dependence on information and information technology

Protecting company’s information and reputation

Legal & regulatory compliance

Support from senior management

Security governance and organisational security structure

Lack of awareness of the (current) risks to information

Culture

Lack of support from senior management

Limited budget

Lack of understanding

Lack of awareness of the (current) risks to information

Lack of security governance and organisational security structure

potential driving forces that could be includ-ed in an ISFFM:

• Change & Project Management (costreduction).

When information security is consideredfrom the start (and not as an add-on at theend) this will lead to reduction of cost inchanges and projects in Information Technology.

• Business opportunities. Having an established Information Securi-

ty Management System can result in poten-tial customers and partners having confi-dence in your organisation.

• Prevention of downtime.

• Dependence on information and Infor-mation Technology.

• Protection of an organisation’s informa-tion and reputation.

• Legal & Regulatory compliance.• Support from senior management. Often the direct line of managers is very

supportive of the Security Team, probablybecause they have a better understanding of

information security than senior manage-ment in other areas of the organisation. (This is also, however, identified as a potential restraining force).

• Duty of care. Both from organisation to employees and

vice versa.

• Data Protection.Depending on the type of organisation

and the function of some of the employees,the Data Protection Act can be a very strongdriving force; therefore this force needs tobe treated separately (from Legal & Regula-tory compliance) for some organisations.

• Security governance and organisationalsecurity structure.

This force includes a number of drivers thatmay need to be defined separately, but theyare collated together: security governanceencouraging risk-based approach, distrib-uted security organisation, respect and trustin security personnel and company policies.

• Reduction of commercial risk.

• Audits.

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 7

• Security minded culture. Some organisations are part of an industry

that embraces information security naturally;an example is the defence industry.

The following examples of restrainingforces could be included in an ISFFM:

• CultureIn contrast to a security minded culture

(identified as a driving force) culture canalso be against information security. Oftenheard remarks include “I have been doingthis job for 20 years in this way, why do Inow need to do it differently?” or “why arelimitations (by introducing information secu-rity controls) being enforced on me?” Whatsome people do not realise is that the intro-duction of IT and the Internet have changedthe risks to information.

• Lack of understanding. Mainly the understanding of the need to

protect information.

• Budget limitations.• Lack of awareness of the (current)

risks to information.

• Lack of support from senior management.

As a restraining force, this is mainly afinancial matter. Managers in, for example,the Account Management Team may seeinformation security as costly and a constraint on the business achieving its financial goals.

• Non-availability of instructors.

• Drive to adopt Commercial off theShelf (COTS) products.

COTS products can save an IT depart-ment a lot of money. However their use canalso result in an insecure IT solutionbecause the COTS product does not havethe precise security features that an organi-sation needs. This often leads to the needfor additional investment in order to estab-lish the right information security controls.

• Lack of support from the IT department.

• Project pressures. This mainly relates to high-level projects

with a high visibility to senior managers andexternal parties. Project managers are oftenput under pressure to progress projectsleading to the acceptance of (informationsecurity) risks that are not properly

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 8

assessed. Later, controls need to be put inplace or the security team is required to“clean up” the problems. These activities arebound to be much more expensive thaninvolving security from the start of a project.

• Lack of security governance andorganisational security structure.

This includes a number of forces thatcould otherwise be described by phrasessuch as “lack of clear security structure orsecurity responsibilities”, “no respect or trustin security personnel” or “management riskappetite”.

DEVELOPMENT OF AN ISFFMAn ISFFM shows how ISTA can contributeto the security of an organisation. By makingthe forces measurable, it provides a tool tomeasure the impact of ISTA. So how do wego about building an ISFFM?

From the first step it is necessary toinvolve business managers from a wide variety of disciplines within the organisation.There is no standard list of indicators thatcan be introduced and used in every organi-sation. These are specific to each organisa-tion and should be allied to the businessprocesses and objectives. Although some

preparatory work must be done by informa-tion security professionals, the actual appli-cation of this method mandates the presenceof “the business”.

The development of an ISFFM involves anumber of steps, which we now outline.

Step 0: Preparatory workThe information security manager and teamneed to explore the objectives of the exer-cise and develop an initial ISFFM that isused as the starting point for discussions. It is easier to discuss and develop an organi-sation specific ISFFM diagram if there issomething visible to initiate the discussion.This Initial ISFFM diagram could, for exam-ple, be a localised version of Figure 1 withsome connections to business processes.

The next task to be performed beforestarting the development is to define a scaleof values to use to measure the strengths ofthe forces that are defined in steps 3 and 4of the development process. Initial values ofstrength will be given at step 5. It is alsoimportant that the information security man-ager familiarises him/herself with the busi-ness process, how information plays a partin these business processes and what thelatest business objectives are. It might be

From the first stepit is necessary toinvolve businessmanagers from awide variety ofdisciplines withinthe organisation.

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 9

necessary to have a number of versions ofthe ISFFM, each relating to a specific busi-ness process or a specific information asset.

Step 1: Identify the connections betweenbusiness processes and security Intro-duce the (different versions of the) initialISFFM. The information security manager facilitatesdiscussions identifying the connectionsbetween business processes and informa-tion security. This needs to be carefully documented as it will form the basis of rest of the development process.

Step 2: Identify the objectives of developing a valuation method The aim of the whole exercise is to developways to measure security and impact oftraining and awareness. This is work that ispartially prepared in advance, but needs tobe addressed with the results of step 1 inmind.

Step 3: Determine the driving forcesThe list of driving forces are now deter-mined, including any new driving forces thatwere identified during discussions with thebusiness managers. At this stage it is impor-tant to try to define the forces in such a way

that they can be valued both now and in thefuture. (to allow long term comparison andanalysis of changes over time).

Step 4: Determine the restraining forcesUse the same approach as in step 3 todetermine the list of restraining forces.

Step 5: Assign initial impact values to the forcesDuring Step 0 the information security teamshould have designed a scale of values (forexample 1 = very weak, 2 = weak, 3 =strong, 4 = very strong). If risk managementis established in the organisation, it might be helpful to use the business impactassessment matrix as the basis for this initialassignment. Using the risk managementmatrix makes the values recognisable tobusiness managers. In Step 5 the strengthof the identified forces will be given an initialvalue. This is a “first impression” of theimpact of each force on the businessprocesses it is linked to. Later, in steps 7and 8, the values will undergo a moredetailed analysis.

Step 6: Chart the forces in a new diagramThe connection between security and thebusiness, based on the contributions from

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 10

a multi-disciplinary group involved in thisdevelopment, are now visualised. The result-ing diagram of the ISFFM will provide acompact overview of where and how ISTAcan impact on the forces identified. Theresult is the organisation specific ISFFM diagram that was mentioned in Step 0. Figure 2 provides an example that resultedfrom a case study.

Step 7: Analyse forces and possible metrics contributing to the strengthThe forces identified in the ISFFM have aninitial impact value given in Step 5. The nextstep is to identify the contributing factors thatdetermine the strength of a force. Each forcethus needs to be analysed, and the indica-tors and parameters that contribute to thestrength of the force need to be document-ed. This is necessary for the development of a measuring method that can be usedrepeatedly without changing the baseline.

Step 7 is very important as it forms thebasis of all future measurements related toISTA. In order to use the method over a peri-od of time it is paramount that the reasoningbehind the assignment of a strength value isrepeatable. Using metrics for analysis andreasoning creates a basic tool to assess

strength of forces in a reasonably objectiveway. The output of this step is a set of valuesthat may well differ from those used in Step5 to assign an initial impact value (but theycould also be the same). The result is a setof impact values that are based on indica-

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 11

Figure 2: Organisation specific ISFFM diagram

3 Business opportunities

3 Prevent downtime

4 Data Protection Act

4 Dependence on Info. and IT

4 Protect Cy’s Info and reputation

4 Legal & regulatory compliance

Project Pressures 4

Culture 1

Lack of understanding 1*, 2*

Lack of awareness of risks to info. 1*, 3*

Non-availability of instructors 2

Lack of dupport from Senior Mgt. 1**, 3**

* Note 1: The low value of the restraining force is related to those EDS employees who havereceived a number of the sessions described in Section 2 (Q1). The higher value is for new-comers.

** Note 2: When discussed in concept senior managers do support Infosec initiatives (value = 1),but when they realise what the consequences are (in reality) the value of this force becomes 3.

tors and parameters that can be measuredin practice.

Step 8: Carry out a baseline assessmentUsing the strength values identified in Step7, each force is re-assessed and a new valueis assigned. This new value will be under-pinned by measurable indicators and param-eters, as a result of Step 7. The reasoningand assessment process needs to be docu-mented and the first version of this assess-ment functions as a baseline for futuremeasurements.

The difference between the total strengthof driving and restraining forces can beused as an indicator of the level of security.If the balance is in favour of the drivingforces, the level of security is acceptable(although there is always room for improve-ment and new forces may appear in thefuture). If the balance is in favour of therestraining forces, there should be concernabout the level of security and effort shouldbe directed to improving the security of theorganisation.

Analysis of the forces can indicate pre-cisely where improvements can be madeand will often also indicate where the bestreturn of investment is achievable.

Step 9: Repeat this assessment periodicallyPeriodically this assessment will have to berepeated.

Step 10: Analysis of the assessmentsChanges in the strength of the forces indi-cate changes in the level of security. Analy-sis of the changes is necessary to find outexactly which improvement action has hadwhich impact on security. This analysis willindicate the impact of training and aware-ness. Further, a repeated assessment of thestrength of certain forces makes it possibleto put precise figures to the benefits (forexample cost reduction or a positive returnof investment) of structured ISTA.

PARTIAL TESTING OF THE ISFFMAt this stage the ISFFM has not been fully tested in the real world. Although there is clearly a potential for this model to become a widely used tool, it needs further development and more guidelinesfor its use.

Part of this project included a case study,full details of which appear in the full report.During this case study the ISFFM was testedwithin an organisation. Figure 2 shows an

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 12

example of an organisation specific ISFFMdiagram that resulted from this exercise. Allthe interviewees involved in the case studycommented that the ISFFM, and theprocess required to establish it, has thepotential to become a helpful tool for infor-mation security professionals like them-selves4. More specifically, the fact that theISFFM diagram visualises where ISTA canbe effective was mentioned as one of themain benefits of the model.

The interviews that were carried out aspart of the case study included questions

about the impact ISTA has made (or couldmake) on organisations. The outcomestrongly indicated that ISTA has a positiveimpact on the overall security of an organisa-tion. This impact can take the form of areduction in information security incidents(and the time information security profes-sionals invest in investigating these), savingsin project turnaround times and projectcosts, and increasing (timely) involvement inbusiness projects. More examples of identi-fied benefits of ISTA are listed in Chapter 7of the full report.m

Royal Holloway series Information security force field model

• STANDARDS • ISFFM • ORGANISATION • TESTING 13

4 All interviewees were Information Security Professionals or managers with a strong security responsibility as part of their jobs.

Ron CondonUK bureau chiefsearchsecurity.co.UK

Ron Condon has been writingabout develop-ments in the ITindustry formore than 30years. In thattime, he hascharted the evolution from big main-frames, to minicomputers and PCs inthe 1980s, and the rise of the Internetover the last decade or so. In recentyears he has specialized in informationsecurity. He has edited daily, weeklyand monthly publications, and haswritten for national and regionalnewspapers, in Europe and the U.S.