Hello Readers,
Organizations are often confused about how to make employees follow information security rules and procedures. They take the step of launching awareness campaigns that spread the security rules and procedures in visual, text and verbal formats. This creates “Awareness”. Organizations often stop here, and the reason is that the organization thinks that if the employee “knows”, then it is enough.
But “knowing” and “doing” are completely different. If a person “knows”, it is a good beginning, but for a person to “Do”, there has to be an application of what they “Know”. This must come through a behavioral change. Let us look at a simple fact concerning “Behavior”:
What motivates behavior change or adoption of new behavior?
“All behavior is based on the consequence that follows. If the person likes the consequence, the behavior will be repeated. If the person does not like the consequence, then the behavior will not be repeated”.
The first thing that comes to mind while reading the above sentence is the traffic in Bangalore, India. People behave irresponsibly on the road because they know that they can get away with poor behavior. So, what motivates poor behavior? The answer is simple – “poor ENFORCEMENT of rules by the police”. “Enforcement” is the key.
While designing an information security awareness campaign, the responsible people behind it have the challenge of migrating the end-user through 3 stages of change.
1) Stage 1 – I don’t know (… I don’t know anything about information security)
2) Stage 2 – I know, but I don’t do (….Ok I am aware about information security but I don’t apply my learning…)
3) Stage 3 – I know and I do (…I know about the importance of protecting information and I apply my learning on protecting information)
Please use the following diagram – http://www.himis.org/wp-content/uploads/evolution.pdf – for clarity on the migration between the above 3 stages.
Moving further, the challenge is the migration from stage 2 to stage 3. Stage 2 is the situation where the end-user is “Aware”, but is not “behaving”. So, how do you migrate from “Awareness” to “Behavior”? This is precisely where the power of “Enforcement” comes in.
Let us go back to the case of traffic in Bangalore and the recently implemented law in Mumbai against drunken driving. This is a typical example of poor enforcement vs. good enforcement. Though I am not a Mumbaikar, from what I have read, if you are caught driving drunk, then you spend one day in the cooler. Based on reports, this has resulted in fewer road accidents in Mumbai and higher revenue collections for the traffic police. So, enforcement does work.
But often the problem is “Consistency” and “Repetition” of enforcement strategies. This applies to the police as well as to many information security managers. In the immediate aftermath of an incident there is strong enforcement for a few days, and then it becomes lax. But constant and repetitive enforcement produces excellent results.
In my next post, I shall explore simple but effective enforcement strategies used by 2 organizations which have produced excellent results in the long run. There is no magic formula, but simple and effective application of rules.
Warm regards,
Anup Narayanan
www.himis.org (HIMIS – Human Impact Management for Information Security)
Dear readers,
This post is a follow-up to my earlier post ( http://isqworld.com/?page=1 ) where I examined behavioral factors that contribute towards people making mistakes that compromise information. In this post I am presenting an analysis of an information security awareness management system.
During one of my company’s engagements with a large electronic retail chain, we were presented with the following challenge.
1 – The company had spent a few million rupees on information security awareness (on “awareness” alone, not on information security as a whole).
2 – They wanted a reality check on how effective the awareness campaign had been.
The strategy we adopted for this exercise was very simple – “Talk to employees and listen to how much they have understood from the awareness campaign.”
So, this is what we did. We analyzed the messages that were conveyed by the company as part of the information security campaign and made a list of them. The company had used emails, posters, quizzes, screen savers etc. to spread information security awareness. Presented below is the analysis of just one of the messages and the response of the employees.
Message 1 – Don’t share passwords
Response of the employee(s):
Response 1 – “Which password are you talking about? I have approximately 6 to 8 passwords to remember as part of my work. For example, I am an HR manager and one of my responsibilities is to process salaries. I store salary information in a spreadsheet that is password protected. I have to share this sheet with my assistant managers and executives so that they can compute the salaries at the end of the month. How do you propose that I get my work done if I don’t share the password of this spreadsheet?”
Response 2 – “I am a sales officer and I have to update the sales calls that I made by 1800 hours every day. Sometimes I am stuck in the traffic; I have neither a laptop computer nor a PDA. So, what do I do? My superior officer wants these reports sharp at 1800 hours. The best chance for me is to share my password with my colleague in the office and ask him to update the system on my behalf. I do understand that I am breaking the information security rule, but I am getting the job done. If you were to ask my superior manager, he would agree that I had better break the information security rule if it is to get the job done.”
Here are some more responses….
Response 3 – “When I return from vacation my password has expired. The Helpdesk takes anywhere between 24 to 72 hours to reset a password. How can I not work during this period? So, I have to take my colleague’s password.”
So, where is the problem? I believe the problem is that the people who make security rules have not studied the specific characteristics of their business before creating these security rules. Every business is unique like every individual is unique. The information security rules for each business must be made after considering business realities. In the above case, the following facts are evident.
1 – Asking employees not to share passwords is not relevant without sufficient compensatory mechanisms. Now, what is the cost of the compensatory mechanism? Is it very costly, or do we use “Trust” as a control?
2 – The information security team must talk to employees and understand the genuine problems they will face if they follow the security rules to a “T”, and how that will affect business productivity.
3 – The employees feel that the information security team is creating these campaigns and rules without really understanding the business. This creates the effect of “these security guys are on the other side of the table and don’t understand my genuine problems”.
Hence, from my learning, I have developed a concept that I prefer to call “Qualities of an Information Security Awareness System”. These qualities are:
1. Reach: Cover the workforce, not only employees. I will talk more about this in the next post.
2. Visibility: Where are the messages available and viewable?
3. Business relevance: Be specific about the information security awareness message, not generic. For example, when you say “Don’t share passwords”, which passwords are you talking about?
4. Impact visualization: Show what can go wrong if security rules are not followed. Often end-users cannot visualize the impact the way security professionals can.
5. Consider cultural factors: Consider the characteristics of the population, such as the culture of the country.
6. Clarity & Ease of understanding: Keep it simple, with less jargon.
Warm regards,
Anup
www.himis.org ( HIMIS – Human Impact Management for Information Security )
The Man and his Beautiful wife
Once there lived a man who had a beautiful wife. The man was so concerned about her that he did not dare take her to parties or public gatherings. He was afraid that someone would take his beautiful wife away. He got the best security system in place to protect the house from intruders. He had round-the-clock security for his house against trespassers. He planted several traps for intruders around the place. But in spite of all this, one fine morning he found his wife missing from his house and finally came to know that she had been taken away by his servant. How did this happen? He had everything in place to protect his wife, but still he lost her.
The cross section of the story
Let’s look at that in detail. We are not concerned about the man or his wife; our only concern is the reason for this. As I said, he had the best security system in place, but he never verified that it actually worked. He had security guards against the intruders, but he never checked their credentials or integrity. He had several traps and controls as well, but he was not able to preserve the confidentiality of them. This is the case with information security in many organizations. They have the world’s best access control in place, the best firewalls, IDS, or let us say the best technical and process controls in place. So obviously they feel that “we are 100% secure and our information has no chance of leaking”. In fact the truth is that they are most vulnerable to attacks. Now the question is: if it is not technical controls or processes, what is the factor that influences information security to the greatest extent? It is the HUMAN FACTOR, nothing else. As you all know, in early times war was fought with weapons like stone, sword and knife; later it moved to guns and missiles; as technology advanced, nuclear warfare came; and now it is the time of information warfare.
Firewalls, Antivirus, IDS & Myths
In today’s business, for any organization, information is the primary and critical asset. It is this information that keeps the company alive in its competitive world. So if the company cannot preserve the Confidentiality, Integrity or Availability (we information security professionals call it the CIA) of that information, the organization cannot exist in its domain. If the company needs to preserve the CIA of its information, it should understand the influence of the human factor. If it can understand this, we can say that it has started to know information security. Many organizations feel that if they have a firewall, antivirus and an IDS in place, they are safe from attacks and have achieved 100% security. This is completely wrong. Technical controls can contribute a mere 10% to information security. Deploying technical controls is the easiest part of information security; the most complicated part is, of course, the human intervention. Whatever processes you implement and defenses you build, if the users have zero awareness of the CIA of the information they handle, all you do is a waste. That is why organizations are spending more money and resources on user awareness, training etc.
Information Security – Where should it start from?
Information security in any organization should start from the employees. The employees should know the seriousness of the data they handle and, of course, its value too. Many organizations have the false belief that an ISO (Information Security Officer) and a security team will make the organization secure; you can’t expect the Information Security Officer to make your organization 100% secure. The ISO is like all other employees; he has limitations. So if you need the organization to be secure, the employees should work together for the common objective of achieving 100% security (although 100% security is a myth, at least the organization will be at its best in preserving the CIA of the information it handles).
Employee background check
A proper background check should be done for every employee prior to the appointment. Performing verification for the sake of doing it won’t be of any use (this is what most organizations do). The verification should track past employment, the reason for leaving the past employer, criminal track records and family background.
Employee Training
The employees should undergo awareness programs and training for information security, and the most important thing is that this should be interactive. Nobody likes long trainings packed with solid technical and process stuff; instead it should be made interesting with case studies and role-play. There should be methods to measure the current awareness level of the employees on information security. This can be done by tests or interviews. The training calendar should be prepared for the year, and of course information security should be a part of the induction process.
Security needs innovative thinking and creativity
The security team should think from the basic level and perspective, or I would rather say that the InfoSec team should come down to the employee level. This is where the real expertise of an information security professional lies. He should be able to communicate on their wavelength. You can’t expect an employee on the assembly line to have knowledge of social engineering. But it is possible to educate them on social engineering; for this the team should find its own strategy. The training should be a continuous process. The training program should be modified according to time and needs.
To conclude, an organization that treats information security as a reality and not as a showpiece will have its policies and processes lined up to meet these challenges.
Thomas Kurian Ambattu
Hello,
Observing the traffic in Bangalore, you realize something important that you can apply to information security awareness management. Almost all drivers in Bangalore are “AWARE” of the traffic rules, and that is the reason why they have passed the driving license exam and received their licenses.
But “AWARENESS” does not necessarily translate into BEHAVIOR (see the image above).
This is the situation with corporate information security awareness programs too. They focus very much on creating awareness through training sessions, posters, emails etc. But how often do they go beyond awareness to check whether the awareness translates into “Behavior”?
Anup