8/12/2019 The Difference Between the Reality and Feeling of Security ISO 27001:2013
1/30
The difference between the Reality and Feeling of Security
Anup Narayanan, Founder & CEO, Information Security Quotient (ISQ)
"She looks trustworthy."
"I'm gonna steal your toys."
http://www.isqworld.com/

Focus of the talk
The Human Factor in Information Security
From Security Awareness to Security Awareness and Competence
Solution model
What are others doing?

Awareness
I know the traffic rules.

Competence?
Does it guarantee that I am a good driver?

Awareness >> Behaviour >> Culture
Awareness: I know
Behaviour (Competence): I do
Culture: We know and do
An organization must aim for a responsible security culture.

What do organizations need?
A system that periodically shows the current Security Awareness and Competence Levels.
LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS
Awareness score is 87%
LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE
Competence score is 65%

The power of perception
Why do people make security mistakes?

Imagine
Nelson Mandela walks into this room right now and offers you this glass of water.
Will you accept it?

Now, imagine this
This man walks into this room right now and offers you this glass of water.
Will you accept it?

Question
Which water did you accept?
Why?

Analysis
People decide what is good and what is bad based on trust.
Perception is influenced by Trust.
Were you checking the water or the person serving the water?

Why must we address the human factor?
(or)
Is the human factor worth addressing?

Case Study 1
LinkedIn Password leak

The most popular passwords in LinkedIn
link, 1234, work, god, job, 12345, angel, the, ilove, sex, jesus, connect, monkey, 123456, michael, jordan, dragon, soccer, killer, pepper

Analysis
You may think you are safe when you are actually not.
People get more terrified thinking of getting eaten by a shark than of dying of a heart attack, but more people die of heart attacks.

Analysis
People exaggerate risks that are abnormal.
More kids die choking on french fries than due to Adrenoleukodystrophy.

Reason 1: Security is both a Reality and a Feeling
For security practitioners, security is a Reality based on the mathematical probability of risks.
For the end user, security is a feeling.
Success lies in influencing the feeling of security.

Reason 2: Not every attack(er) is that smart
People exaggerate risks that are spectacular or uncommon: "So what? RSA was hacked."
(Chart: Control efficiency, ranging from Technology & Processes to Awareness & Competence, plotted against Risk severity / Attacker smartness / Attack efficiency)
1. Automatic security controls: AV, Updates
2. Technology + Human: Firewall configuration, Choosing a secure Wifi
3. Human: Recognizing a zero day attack, Phishing mails, Not posting business information in social media
4. The very smart attacker

Reason 3: Technology, yes; but humans, of course!
Aircraft have become more advanced, but does it mean that pilot training requirements have reduced?
Medical technology has become more advanced, but will you choose a hospital for its machines or for the doctors?

The Solution Model
Security Awareness and Competence Management

The solution is based on HIMIS
HIMIS: Human Impact Management for Information Security
Released under Creative Commons License
Free for Non-Commercial Use
http://www.isqworld.com/himis

1. Awareness Vs. Competence
(Process diagram) Security Risk analysis >> Identify the human factor >> Awareness, Behaviour (Competence) >> Assess, Improve, Re-assess
ESP: Expected Security Practice
Consider both Awareness and Competence independently.

2. Visualize, engage and influence perception

3. Remember drip irrigation
Small doses, more frequent.
Which is more effective: drip irrigation or spraying a lot of water once a day?

4. Re-measure frequently
LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS
Organization's awareness score was 87%. Now: ?
LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE
Organization's competence score was 65%. Now: ?

Threat forecast

Emerging threats 2013 (report by ISF)
Natural disasters
Diminishing end user security awareness
Moving to cloud
Social media proliferation & data leaks
Corporate frauds
Attacks using GPS tracking
Economic espionage
Introduction of new devices (smart phones etc.)
Online leaks
Fast development and release of apps without testing
Smart outsourcing resulting in less workforce loyalty

Summary
(Diagram: Information at the centre, surrounded by Technology (Firewall), Process and People)
Technology and processes are only as good as the people that use them.
http://www.isqworld.com/

Let's switch ON the Human Layer of Information Security Defence
Thank You
Anup Narayanan
www.isqworld.com