The Difference Between the Reality and Feeling of Security ISO 27001:2013


  • 8/12/2019 The Difference Between the Reality and Feeling of Security ISO 27001:2013

    1/30

    The difference between the Reality and Feeling of Security

    Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ)

    "She looks trustworthy" / "I'm gonna steal your toys"

    http://www.isqworld.com/

  • 2/30

    Focus of the talk

    The Human Factor in Information Security

    From Security Awareness to Security Awareness and Competence

    Solution model

    What are others doing?

  • 3/30

    Awareness

    I know the traffic rules.

  • 4/30

    Competence?

    Does it guarantee that I am a good driver?

  • 5/30

    Awareness >> Behaviour >> Culture

    Awareness: I know

    Behaviour (Competence): I do

    Culture: We know and do

    An organization must aim for a responsible security culture

  • 6/30

    What do organizations need?

    A system that periodically shows the current Security Awareness and Competence Levels

    Awareness gauge (LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS): awareness score is 87%

    Competence gauge (LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE): competence score is 65%

  • 7/30

    The power of perception

    Why do people make security mistakes?

  • 8/30

    Imagine

    Nelson Mandela walks into this room right now and offers you this glass of water.

    Will you accept it?

  • 9/30

    Now, imagine this

    This man walks into this room right now and offers you this glass of water.

    Will you accept it?

  • 10/30

    Question

    Which water did you accept? Why?

  • 11/30

    Analysis

    People decide what is good and what is bad based on trust

    Perception is influenced by Trust

    Were you checking the water or the person serving the water?

  • 12/30

    Why must we address the human factor?

    (or)

    Is the human factor worth addressing?

  • 13/30

    Case Study 1

    LinkedIn Password leak

  • 14/30

    The most popular passwords in LinkedIn

    link, 1234, work, god, job, 12345, angel, the, ilove, sex, jesus, connect, monkey, 123456, michael, jordan, dragon, soccer, killer, pepper

  • 15/30

    Analysis

    You may think you are safe when you are actually not

    People are more terrified of being eaten by a shark than of dying of a heart attack, but more people die of heart attacks.

  • 16/30

    Analysis

    People exaggerate risks that are abnormal

    More kids die choking on french fries than of adrenoleukodystrophy

  • 17/30

    Reason 1: Security is both a Reality and a Feeling

    For security practitioners, security is a Reality based on the mathematical probability of risks

    For the end user, security is a feeling

    Success lies in influencing the feeling of security

  • 18/30

    Reason 2: Not every attack(er) is that smart

    People exaggerate risks that are spectacular or uncommon: "So what? RSA was hacked."

    Diagram: control efficiency (Technology & Processes vs. Awareness & Competence) plotted against risk severity / attacker smartness / attack efficiency, in four tiers:

    1. Automatic security controls: AV, updates
    2. Technology + Human: firewall configuration, choosing a secure Wifi
    3. Human: recognizing a zero day attack, phishing mails, not posting business information in social media
    4. The very smart attacker

  • 19/30

    Reason 3: Technology, yes, but humans, of course!

    Aircraft have become more advanced, but does that mean pilot training requirements have reduced?

    Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?

  • 20/30

    The Solution Model

    Security Awareness and Competence Management

  • 21/30

    The solution is based on HIMIS

    HIMIS: Human Impact Management for Information Security

    Released under Creative Commons License, free for non-commercial use

    http://www.isqworld.com/himis

  • 22/30

    Diagram: Security Risk analysis -> Identify the human factor -> Awareness and Behaviour (Competence) -> Assess, Improve, Re-assess

    ESP: Expected Security Practice

    1. Awareness Vs. Competence

    Consider both Awareness and Competence independently

  • 23/30

    2. Visualize, engage and influence perception

  • 25/30

    3. Remember drip irrigation

    Small doses, more frequent

    Which is more effective: drip irrigation or spraying a lot of water once a day?

  • 26/30

    4. Re-measure frequently

    Awareness gauge (LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS): the organization's awareness score was 87%; now?

    Competence gauge (LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE): the organization's competence score was 65%; now?

  • 27/30

    Threat forecast

  • 28/30

    Emerging threats 2013 (report by ISF)

    Natural disasters

    Diminishing end user security awareness

    Moving to cloud

    Social media proliferation & data leaks

    Corporate frauds

    Attacks using GPS tracking

    Economic espionage

    Introduction of new devices (smart phones etc.)

    Online leaks

    Fast development and release of apps without testing

    Smart outsourcing resulting in less workforce loyalty

  • 29/30

    Summary

    Diagram: Technology (Firewall), Process and People surrounding Information

    Technology and processes are only as good as the people that use them

    http://www.isqworld.com/

  • 30/30

    Let's switch ON the Human Layer of Information Security Defence

    Thank You

    Anup Narayanan

    www.isqworld.com