<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>First Legion</title>
	<atom:link href="http://firstlegion.net/feed/" rel="self" type="application/rss+xml" />
	<link>http://firstlegion.net</link>
	<description>ISO 27001, ISM3, Information Security Awareness &#38; Behavior Management</description>
	<lastBuildDate>Fri, 26 Sep 2008 06:20:14 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Part 2 &#8211; The power of Enforcement for creating good security behavior</title>
		<link>http://firstlegion.net/2008/09/part-2-the-power-of-enforcement-for-creating-good-security-behavior/</link>
		<comments>http://firstlegion.net/2008/09/part-2-the-power-of-enforcement-for-creating-good-security-behavior/#comments</comments>
		<pubDate>Fri, 26 Sep 2008 06:20:14 +0000</pubDate>
		<dc:creator>Anup</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://isqworld.com/2008/09/26/part-2-the-power-of-enforcement-for-creating-good-security-behavior/</guid>
		<description><![CDATA[Dear readers,
During the last post (http://isqworld.com/2008/09/17/part-1-security-awareness-is-not-good-security-behavior/) I mentioned the difference between &#8220;Awareness&#8221; and &#8220;Behavior&#8221;. &#8220;Awareness&#8221; means &#8220;I know&#8221;; &#8220;Behavior&#8221; means &#8220;I know and I do&#8221;. The gap between &#8220;Awareness&#8221; and &#8220;Behavior&#8221; can be reduced by &#8220;Enforcement&#8221;. 
Let me explain with two case studies, where we used simple but powerful enforcement strategies that changed user [...]]]></description>
			<content:encoded><![CDATA[<p>Dear readers,</p>
<p>During the last post (<a target="_blank" href="http://isqworld.com/2008/09/17/part-1-security-awareness-is-not-good-security-behavior/">http://isqworld.com/2008/09/17/part-1-security-awareness-is-not-good-security-behavior/</a>) I mentioned the difference between &#8220;Awareness&#8221; and &#8220;Behavior&#8221;. &#8220;Awareness&#8221; means &#8220;I know&#8221;; &#8220;Behavior&#8221; means &#8220;I know and I do&#8221;. The gap between &#8220;Awareness&#8221; and &#8220;Behavior&#8221; can be reduced by &#8220;Enforcement&#8221;.</p>
<p>Let me explain with two case studies, where we used simple but powerful enforcement strategies that changed user behavior regarding information security.</p>
<p>Case study 1 &#8211; In this case the customer was an Offshore Development Company based in India with a primarily young workforce. The challenges the company faced were as follows:</p>
<p>1) The workforce was downloading songs and videos and storing them on office systems<br />2) The company had a strict policy that employees should not forward the jokes, porn content etc. that they receive. The justification was that &#8220;what comes into the Inbox&#8221; is not in one&#8217;s hands, but what goes out definitely is<br />3) Connecting external devices to the systems was disallowed</p>
<p>We devised a simple audit strategy whereby we would do surprise audits of randomly chosen systems. But there was also a psychological strategy we employed: we would audit the system and corroborate the findings with the employee in his presence. We used a hard copy audit sheet and noted down the following:</p>
<p>1) Name of the employee<br />2) Employee ID<br />3) Time and date of the audit<br />4) Serial number of the computer or the laptop<br />5) Violations if any or if there were no violations that too was noted</p>
<p>Once this was done, the auditee was asked to corroborate the findings and SIGN on the document. Subsequently the auditor too would sign it.</p>
<p>Now, there were some instances when the auditee refused to sign the document. The auditor in this case would note that the &#8220;AUDITEE Refused to sign&#8221; and inform the information security officer about the same. The information security officer would then give a call to the employee or ask for a meeting to explore the reasons why.</p>
<p>Now, many readers may be thinking, &#8220;what&#8217;s so great about this strategy?&#8221;. The answer is, the greatness is not in the strategy, but in CONSISTENT REPETITION. To understand this, please view this graph before proceeding &#8211; <a target="_blank" href="http://www.isqworld.com/wp-content/uploads/enforcement.pdf">http://www.isqworld.com/wp-content/uploads/enforcement.pdf</a></p>
<p>In the graph you will see that there was no major change in the &#8220;non-compliance&#8221; stats for the first 9 months. But between the 9th and 12th month there was a sudden dip in non-compliance (almost 35%). What was the reason? The answer is:</p>
<p>1) Employees understood that this audit was serious business and not a once-in-a-blue-moon activity<br />2) Employees realized that an audit could happen at any time and there were no exceptions<br />3) When a few employees were called for a meeting with the information security officer, the news spread like wildfire (thanks to corporate gossip culture :) )</p>
<p>So, there is no magic formula, but good old repetition of enforcement strategies.</p>
<p>Case study 2 &#8211; This is an interesting case study. The client is an electronic retail chain and pretty old fashioned. In fact the CEO of the company started using a computer only in 2007. The client has 22 branches that sell electronic goods, and the sales system is powered by an ERP application. Each branch manager has a login and password with which he authorizes a sale and notifies the warehouse to ship the item. As often happens, the managers started sharing their passwords with cashiers because they wanted to avoid the hassle of entering the password numerous times during the day. Soon an instance of fraud happened.</p>
<p>The solution the company found was simple. The company conducts financial audits every week for each branch office. They incorporated a simple information security audit with 4 check-points into the financial audit procedure.</p>
<p>1) Is the ERP system &#8220;logged-in and unattended&#8221;?<br />2) Are food items or drinks kept near the computer?<br />3) Has the manager changed the password as required?<br />4) Has the anti-virus been updated?</p>
<p>Any violation has a simple penalty. For the first violation the manager received a &#8220;memo&#8221;. The second one meant that the manager lost 5% of his annual bonus. The annual bonus was an assured component equal to 2 months&#8217; gross pay.</p>
<p>The system worked like a charm and there is hardly any non-compliance.</p>
<p>Now, I request you to go back to my document &#8211; <a target="_blank" href="http://www.isqworld.com/wp-content/uploads/enforcement.pdf">http://www.isqworld.com/wp-content/uploads/enforcement.pdf</a> &#8211; and see pages 2 and 3. I have explained the simple concept behind enforcement as a graph.</p>
<p>1) Graph 1 shows that people make security trade-offs (i.e. don&#8217;t give importance to security) if there is personal inconvenience. It is like jumping traffic signals if you are in a hurry.</p>
<p>2) Graph 2 shows that if there is a &#8220;COST&#8221; attached to a trade-off, then the trade-off will reduce. The COST can be TIME, MONEY, QUALITY OF LIFE etc. For example, in case study 2, the electronic retail chain linked every security trade-off with loss of money for the manager. So, for every jumped traffic signal, if there is a system of automatic fining of Rs. 5000/-, then soon no one will jump traffic signals.</p>
<p>So, what is your enforcement strategy? What is the cost you plan to impose on employees for every security trade-off? And are you prepared to be consistent and repetitive with the enforcement?</p>
<p>Good luck</p>
<p>Anup</p>
<p><a target="_blank" href="http://www.himis.org">www.himis.org</a> (HIMIS &#8211; Human Impact Management for Information Security)</p>
]]></content:encoded>
			<wfw:commentRss>http://firstlegion.net/2008/09/part-2-the-power-of-enforcement-for-creating-good-security-behavior/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Part 1 &#8211; Security Awareness is not Good Security Behavior</title>
		<link>http://firstlegion.net/2008/09/part-1-security-awareness-is-not-good-security-behavior/</link>
		<comments>http://firstlegion.net/2008/09/part-1-security-awareness-is-not-good-security-behavior/#comments</comments>
		<pubDate>Wed, 17 Sep 2008 15:18:38 +0000</pubDate>
		<dc:creator>Anup</dc:creator>
				<category><![CDATA[case study]]></category>
		<category><![CDATA[information security awareness]]></category>
		<category><![CDATA[information security behavior]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[strategies and tactics]]></category>

		<guid isPermaLink="false">http://isqworld.com/2008/09/17/part-1-security-awareness-is-not-good-security-behavior/</guid>
		<description><![CDATA[Hello Readers,
Often organizations are confused about how to make employees follow information security rules and procedures. They take the step of launching awareness campaigns that spread the security rules and procedures in visual, text and verbal formats. This creates &#8220;Awareness&#8221;. Organizations often stop here, and the reason is that the organization thinks that if the [...]]]></description>
			<content:encoded><![CDATA[<p>Hello Readers,</p>
<p>Often organizations are confused about how to make employees follow information security rules and procedures. They take the step of launching awareness campaigns that spread the security rules and procedures in visual, text and verbal formats. This creates &#8220;Awareness&#8221;. Organizations often stop here, and the reason is that the organization thinks that if the employee &#8220;knows&#8221;, then it is enough.</p>
<p>But &#8220;knowing&#8221; and &#8220;doing&#8221; are completely different. If a person &#8220;knows&#8221;, it is a good beginning, but for a person to &#8220;Do&#8221; there has to be an application of what they &#8220;Know&#8221;. This must come through a behavioral change. Let us look at a simple fact concerning &#8220;Behavior&#8221;.</p>
<p>What motivates behavior change or adoption of new behavior?</p>
<p>&#8220;All behavior is based on the consequence that follows. If the person likes the consequence, the behavior will be repeated. If the person does not like the consequence, then the behavior will not be repeated&#8221;.</p>
<p>The first thing that comes to mind while reading the above sentence is the traffic in Bangalore, India. People behave irresponsibly on the road because they know that they can get away with poor behavior. So, what motivates poor behavior? The answer is simple &#8211; &#8220;poor ENFORCEMENT of rules by the police&#8221;. &#8220;Enforcement&#8221; is the key.</p>
<p>While designing an information security awareness campaign, the responsible people behind it have the challenge of migrating the end-user through 3 stages of change. </p>
<p>1) Stage 1 &#8211; I don&#8217;t know (&#8230; I don&#8217;t know anything about information security)<br />2) Stage 2 &#8211; I know, but I don&#8217;t do (&#8230;.Ok I am aware about information security but I don&#8217;t apply my learning&#8230;)<br />3) Stage 3 &#8211; I know and I do (&#8230;I know about the importance of protecting information and I apply my learning on protecting information)</p>
<p>Please use the following diagram &#8211; <a target="_blank" href="http://www.himis.org/wp-content/uploads/evolution.pdf">http://www.himis.org/wp-content/uploads/evolution.pdf</a> &#8211; for clarity on the migration between the above 3 stages.</p>
<p>Moving further, the challenge is the migration from stage 2 to stage 3. Stage 2 is the situation where the end-user is &#8220;Aware&#8221; but is not &#8220;behaving&#8221;. So, how do you migrate from &#8220;Awareness&#8221; to &#8220;Behavior&#8221;? This is precisely where the power of &#8220;Enforcement&#8221; comes in.</p>
<p>Let us go back to the case of traffic in Bangalore and the recently implemented law in Mumbai against drunken driving. This is a typical example of poor enforcement vs. good enforcement. Though I am not a Mumbaikar, from what I have read, if you are caught driving drunk, then you spend one day in the cooler. Based on reports, this has resulted in fewer road accidents in Mumbai and higher revenue collections for the traffic police. So, enforcement does work.</p>
<p>But often the problem is &#8220;Consistency&#8221; and &#8220;Repetition&#8221; of enforcement strategies. This applies to the police as well as to many information security managers. In the immediate aftermath of an incident there is strong enforcement for a few days; then it becomes lax. But constant and repetitive enforcement produces excellent results.</p>
<p>In my next post, I shall explore simple but effective enforcement strategies used by 2 organizations that have produced excellent results in the long run. There is no magic formula, but simple and effective application of rules.</p>
<p>Warm regards,</p>
<p>Anup Narayanan<br /><a target="_blank" href="http://www.himis.org">www.himis.org</a> (HIMIS &#8211; Human Impact Management for Information Security)</p>
]]></content:encoded>
			<wfw:commentRss>http://firstlegion.net/2008/09/part-1-security-awareness-is-not-good-security-behavior/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Part 3 &#8211; Case Study &#8211; How effective is your information security awareness campaign?</title>
		<link>http://firstlegion.net/2008/09/part-3-case-study-how-effective-is-your-information-security-awareness-campaign/</link>
		<comments>http://firstlegion.net/2008/09/part-3-case-study-how-effective-is-your-information-security-awareness-campaign/#comments</comments>
		<pubDate>Fri, 12 Sep 2008 14:54:31 +0000</pubDate>
		<dc:creator>Anup</dc:creator>
				<category><![CDATA[security awareness]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[effectiveness]]></category>
		<category><![CDATA[employees]]></category>
		<category><![CDATA[importance]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://isqworld.com/2008/09/12/part-3-case-study-how-effective-is-your-information-security-awareness-campaign/</guid>
		<description><![CDATA[Dear readers,
This post is in succession to my earlier post ( http://isqworld.com/?page=1 ) where I examined behavioral factors that contribute towards people making mistakes that compromise information. In this post I am presenting an analysis of an information security awareness management system.
During one of my company&#8217;s engagement with a large electronic retail chain, we were presented [...]]]></description>
			<content:encoded><![CDATA[<p>Dear readers,</p>
<p>This post is in succession to my earlier post ( http://isqworld.com/?page=1 ) where I examined behavioral factors that contribute towards people making mistakes that compromise information. In this post I am presenting an analysis of an information security awareness management system.</p>
<p>During one of my company&#8217;s engagements with a large electronic retail chain, we were presented with the following challenge.</p>
<p>1 &#8211; The company had spent a few million rupees on information security awareness (on &#8220;awareness&#8221; alone, not on information security in general)</p>
<p>2 &#8211; They wanted a reality check on how effective the awareness campaign had been.</p>
<p>The strategy we adopted for this exercise was very simple &#8211; &#8220;Talk to employees and listen to how much they have understood from the &#8220;awareness campaign&#8221;.&#8221;</p>
<p>So, this is what we did. We analyzed the messages that were conveyed by the company as part of the information security campaign and made a list of the same. The company had used emails, posters, quizzes, screen savers etc. to spread information security awareness. Presented below is the analysis of just one of the messages and the response of the employees.</p>
<p>Message 1 &#8211; Don&#8217;t share passwords</p>
<p>Response of the employee(s):</p>
<p>Response 1 &#8211; &#8220;Which password are you talking about? I have approximately 6 to 8 passwords to remember as part of my work. For example, I am an HR manager and one of my responsibilities is to process salaries. I store salary information in a spreadsheet that is password protected. I have to share this sheet with my assistant managers and executives so that they can compute the salaries at the end of the month. How do you propose that I get my work done if I don&#8217;t share the password of this spreadsheet?&#8221;</p>
<p>Response 2 &#8211; &#8220;I am a sales officer and I have to update the sales calls that I made by 1800 hours every day. Sometimes I am stuck in the traffic; I don&#8217;t have a laptop computer nor a PDA. So, what do I do? My superior officer wants these reports sharp at 1800 hours. The best chance for me is to share my password with my colleague in the office and ask him to update the system on my behalf. I do understand that I am breaking the information security rule, but I am getting the job done. If you were to ask my superior manager, he would agree that I would rather break the information security rule if it is to get the job done.&#8221;</p>
<p>Here are some more responses&#8230;.</p>
<p>Response 3 &#8211; &#8220;When I return from vacation my password has expired. The Helpdesk takes anywhere between 24 to 72 hours to reset a password. How can I not work during this period? So, I have to take my colleague&#8217;s password.&#8221;</p>
<p>So, where is the problem? I believe the problem is that the people who make security rules have not studied the specific characteristics of their business before creating these security rules. Every business is unique like every individual is unique. The information security rules for each business must be made after considering business realities. In the above case, the following facts are evident.</p>
<p>1 &#8211; Asking employees not to share passwords is not relevant without having sufficient compensatory mechanisms. Now, what is the cost of the compensatory mechanism? Is it very costly, or do we use &#8220;Trust&#8221; as a control?</p>
<p>2 &#8211; The information security team must talk to employees and understand the genuine problems they will face if they follow the security rules to a &#8220;T&#8221;, and how it will affect business productivity</p>
<p>3 &#8211; The employees are having a feeling that the information security team is creating these campaigns and rules, without really understanding the business. This creates the effect of &#8220;these security guys are on the other side of the table and don’t understand my genuine problems”</p>
<p>Hence, from my learning, I have developed a concept that I prefer to call &#8211; &#8220;Qualities of an Information Security Awareness System&#8221;. These qualities are,</p>
<p>1. Reach: Cover the whole workforce, not only employees. I will talk more about this in the next post.</p>
<p>2. Visibility: Where are the messages available and viewable?</p>
<p>3. Business relevance: Be specific about the information security awareness message and not generic. Example, when you say, &#8220;Don&#8217;t share passwords&#8221;, which passwords are you talking about?</p>
<p>4. Impact visualization: Show what can go wrong if security rules are not followed. Often end-users cannot visualize the impact like the security professionals can.</p>
<p>5. Consider cultural factors: Consider the characteristics of the population such as culture of the country etc.</p>
<p>6. Clarity &amp; Ease of understanding: Keep it simple; less jargon</p>
<p>Warm regards,</p>
<p>Anup</p>
<p>www.himis.org ( HIMIS &#8211; Human Impact Management for Information Security )</p>
]]></content:encoded>
			<wfw:commentRss>http://firstlegion.net/2008/09/part-3-case-study-how-effective-is-your-information-security-awareness-campaign/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Part 2 &#8211; The &#8220;Human Gap&#8221; in Information Security &#8211; Why is your employee vulnerable to information compromise attempts?</title>
		<link>http://firstlegion.net/2008/09/part-2-the-human-gap-in-information-security-why-is-your-employee-vulnerable-to-information-compromise-attempts/</link>
		<comments>http://firstlegion.net/2008/09/part-2-the-human-gap-in-information-security-why-is-your-employee-vulnerable-to-information-compromise-attempts/#comments</comments>
		<pubDate>Wed, 10 Sep 2008 10:18:38 +0000</pubDate>
		<dc:creator>Anup</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://isqworld.com/2008/09/10/part-2-the-human-gap-in-information-security-why-is-your-employee-vulnerable-to-information-compromise-attempts/</guid>
		<description><![CDATA[Hello Readers,
In continuation of my previous post (http://isqworld.com/2008/09/08/part-1-the-human-gap-in-information-security/), in this post I am exploring human behavior and its links to information compromise. 
I have created a short PDF titled &#8220;Human Behavior Characteristics&#8221; (please download here &#8211; http://isqworld.com/wp-content/uploads/humanbehaviorcharacteristics.pdf). Based on my experience, I have made a simple list of human behavior characteristics and they are,
1 &#8211; [...]]]></description>
			<content:encoded><![CDATA[<p>Hello Readers,</p>
<p>In continuation of my previous post (<a target="_blank" href="http://isqworld.com/2008/09/08/part-1-the-human-gap-in-information-security/">http://isqworld.com/2008/09/08/part-1-the-human-gap-in-information-security/</a>), in this post I am exploring human behavior and its links to information compromise.</p>
<p>I have created a short PDF titled &#8220;Human Behavior Characteristics&#8221; (please download here &#8211; <a target="_blank" href="http://isqworld.com/wp-content/uploads/humanbehaviorcharacteristics.pdf">http://isqworld.com/wp-content/uploads/humanbehaviorcharacteristics.pdf</a>). Based on my experience, I have made a simple list of human behavior characteristics and they are,</p>
<p>1 &#8211; Desire for recognition<br />2 &#8211; Obedience/ Fear<br />3 &#8211; Reluctance to change<br />4 &#8211; Curiosity<br />5 &#8211; Self preservation<br />6 &#8211; Desire to help<br />7 &#8211; Opposition to authority<br />8 &#8211; Low motivation</p>
<p>Please note that I am not a psychologist by profession and the above list is a simple listing of behavioral traits, the way I understand it.</p>
<p>Now, let us look at 2 simple Social engineering tests and answer a few questions.</p>
<p>Instance 1: This test was conducted 4 years back in an organization that had just begun its ISMS implementation. Until then, information security was not on the management&#8217;s or the employees&#8217; radar. The test was conducted as follows.</p>
<p>The tester, with the permission of the CFO, initiated a call from the CFO&#8217;s office deskphone. This organization had deskphones for all employees with a display unit that identified the source of the phone call. The tester called 5 employees at random and repeated the following dialogue.</p>
<p>“I am calling from the CFO’s room and I am your ERP consultant. We are implementing a new system to process your salaries next month onwards. We need your user name and password to integrate this to your User Directory Entry”</p>
<p>5 out of 5 employees revealed their passwords. One employee even had the courtesy to call back and confirm that we had noted the password down carefully! </p>
<p>So, what are the behavioral characteristics that were exploited by the tester? From my perspective it could be,</p>
<p>1 &#8211; Obedience/ Fear<br />2 &#8211; Self preservation</p>
<p>There could be other characteristics too&#8230;as there are no hard and fast rules. The reader may want to ask, &#8220;What is Self Preservation?&#8221;. The answer to this is in the form of a question &#8211; &#8220;Why do you look both ways when you cross the road?&#8221;. It is because, in spite of what you may be doing (speaking on the phone, listening to your iPod, lost in thought&#8230;.), when you come to the road your subconscious mind makes you look both ways. This is because your body and mind are trained to protect you.</p>
<p>Instance 2: An organization hired us to test the resilience of the perimeter security team (security guards) to penetration attempts. The test was done as follows.</p>
<p>We asked the organization to create for us a fake employee ID card without access credentials enabled, whereas the regular employee card works as an access card as well. On a rather busy Thursday morning, at 11 am, the tester wore the card around his neck and approached the door. He pretended to swipe the card and expressed his disappointment that it was not working. He shouted out across the floor for the security guard, who came running. The tester questioned him rather curtly as to why the card was not working. The security guard apologized and requested the tester to approach the guard station. There the tester was asked to write his name and phone number in a register. Following this, the tester was asked to follow the security guard back to the door, where the security guard politely opened the doors by swiping his own card and let the tester in. Further, the tester was able to tailgate and approach the production area on the 4th floor, take some photographs and exit the building through the route he came in.</p>
<p>Again, what were the behavioral characteristics that were exploited? From my perspective they are,</p>
<p>1) Obedience/ Fear<br />2) Self preservation</p>
<p>So, the learning for me here is that you can have the best technology and the best information security policies, but there is a gap in information security. This gap is the &#8220;human gap&#8221;.</p>
<p>In the next post I will talk more about dealing with end-users (read&#8230;the non-security guys) and how wonderful an experience it was. In fact, how often have you listened to your employees before drafting your security policies?</p>
<p>More about this in the next post.</p>
<p>Warm regards,</p>
<p>Anup</p>
<p>HIMIS (Human Impact Management for Information Security &#8211; <a target="_blank" href="http://www.himis.org">www.himis.org</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://firstlegion.net/2008/09/part-2-the-human-gap-in-information-security-why-is-your-employee-vulnerable-to-information-compromise-attempts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Part 1 &#8211; The &#8220;Human Gap&#8221; in Information Security</title>
		<link>http://firstlegion.net/2008/09/part-1-the-human-gap-in-information-security/</link>
		<comments>http://firstlegion.net/2008/09/part-1-the-human-gap-in-information-security/#comments</comments>
		<pubDate>Mon, 08 Sep 2008 10:43:27 +0000</pubDate>
		<dc:creator>Anup</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://isqworld.com/2008/09/08/part-1-the-human-gap-in-information-security/</guid>
		<description><![CDATA[Hello Readers,
I would like to start this post by narrating a social engineering test that my organization was hired to do once for a large IT company. The test was designed to test the &#8220;human resilience&#8221; towards information disclosure attempts. 
The test began by initiating a telephone call to the front office executive. We [...]]]></description>
			<content:encoded><![CDATA[<p>Hello Readers,</p>
<p>I would like to start this post by narrating a social engineering test that my organization was hired to do once for a large IT company. The test was designed to test the &#8220;human resilience&#8221; towards information disclosure attempts.</p>
<p>The test began by initiating a telephone call to the front office executive. We politely informed the executive that we were calling from a large network equipment manufacturing company. Our research had shown that this client of ours was a major buyer of this manufacturer&#8217;s equipment. We informed the executive that the network equipment manufacturer publishes a monthly magazine which profiles their best customers, and that this month the company chosen was hers. We congratulated her and requested her to connect us to the network monitoring team. She eagerly did so.</p>
<p>We repeated the same story with the engineer from the network monitoring team and requested him to answer a few questions so that we could publish them. We also asked the engineer whether we could &#8220;quote&#8221; him and use his name. He was eager and agreed. Next we started asking questions, some of which are listed below in the form of the actual questions asked during the dialogue.</p>
<p>Question &#8211; Can you tell us some of the higher end range of the equipment that you have purchased from us?</p>
<p>Question &#8211; I am sure you must be using our high end VPN facility. Can you tell us to how many client locations you have VPN connectivity?</p>
<p>Question &#8211; &#8230;and what would some of these clients be ??</p>
<p>Question &#8211; &#8230;.and are you happy with the speed at which we solve bugs in the RTOS (Real Time Operating System)?</p>
<p>Question &#8211; &#8230;and did you install the last updated RTOS version that we released on&#8230;?</p>
<p>Question &#8211; &#8230;and what would the version No: of the RTOS be ?</p>
<p>At the end of this conversation, we had collected the following information.</p>
<p>1 &#8211; The version no: of the RTOS running on the equipment<br />2 &#8211; The last date of update<br />3 &#8211; The clients the organization has<br />4 &#8211; The list of clients to whom VPN connectivity was established<br />5 &#8211; The model no: and list of equipment used by the organization</p>
<p>Based on the above information, we could draw out a fairly detailed network architecture of the organization. We also knew the VPN tunnels running out of the company. We queried existing information security vulnerability databases to identify the current security issues with the RTOS used in the equipments.</p>
<p>We submitted the reports to the client. The client was obviously not pleased with the way information was disclosed. What displeased the client most was that the employee disclosed the names of their customers, which was considered sacrosanct. As per the official policy of the company, such information should be disclosed only through the PR (public relations) department of the organization.</p>
<p>So, what is the learning? From my perspective, the fact is that in spite of the best technology available to protect information, people will still disclose information.</p>
<p>In the next part of this post, I shall be exploring behavioral factors that are the root cause for people committing information security errors.</p>
<p>Warm regards,</p>
<p>Anup</p>
<p>http://www.firstlegion.net </p>
]]></content:encoded>
			<wfw:commentRss>http://firstlegion.net/2008/09/part-1-the-human-gap-in-information-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Know Your Employee (KYE) – The Human Factor in Information Security</title>
		<link>http://firstlegion.net/2008/07/know-your-employee-kye-%e2%80%93-the-human-factor-in-information-security/</link>
		<comments>http://firstlegion.net/2008/07/know-your-employee-kye-%e2%80%93-the-human-factor-in-information-security/#comments</comments>
		<pubDate>Wed, 16 Jul 2008 08:57:20 +0000</pubDate>
		<dc:creator>thomas</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://isqworld.com/?p=15</guid>
		<description><![CDATA[The Man and his Beautiful wife 
Once there lived a man who had a beautiful wife. The man was so concerned about the lady and dared to take her for parties or in public gatherings. He was afraid that someone will take his beautiful wife away .He got the best Security System in place to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The Man and his Beautiful Wife<br />
</strong>Once there lived a man who had a beautiful wife. The man was so concerned about her that he never dared to take her to parties or public gatherings. He was afraid that someone would take his beautiful wife away. He put the best security system in place to protect the house from intruders, had round-the-clock guards against trespassers and planted several traps for intruders around the place. But in spite of all this, one fine morning he found his wife missing from his house, and finally came to know that she had been taken away by his servant. How did this happen? He had everything in place to protect his wife, but still he lost her.</p>
<p><strong>The cross section of the story<br />
</strong>Let’s look at this in detail. We are not concerned about the man or his wife; our only concern is the reason for what happened. As I said, he had the best security system in place, but he never verified that it actually worked. He had security guards against intruders, but he never checked their credentials or integrity. He had several traps and controls too, but he could not keep them confidential. This is the state of information security in many organizations. They have the world’s best access control, the best firewalls and IDS, or let us say the best technical &#038; process controls in place. So they naturally feel that they are 100% secure and that their information has no chance of leaking. In truth, they are the ones most vulnerable to attack. So the question is: if it is not technical controls or processes, what is the factor that influences information security to the greatest extent? It is the <strong>HUMAN FACTOR</strong>, nothing else. As you all know, in early times war was fought with weapons like stones, swords and knives; later it moved to guns and missiles; as technology advanced came nuclear warfare; and now it is the time of information warfare.</p>
<p><strong>Firewalls, Antivirus, IDS &#038; Myths<br />
</strong>In today’s business, information is the primary and critical asset of any organization. It is this information that keeps the company alive in a competitive world. So if the company cannot preserve the Confidentiality, Integrity and Availability of its information (we information security professionals call it the CIA triad), the organization cannot survive in its domain. If the company needs to preserve the CIA of its information, it must understand the influence of the human factor. Once it understands this, we can say that it has started to understand information security. Many organizations have a feeling that if they have a firewall, antivirus and an IDS in place, they are safe from attacks and have achieved 100% security. This is completely wrong. Technical controls can contribute a mere 10% to information security. Deploying technical controls is the easiest part of information security; the most complicated part is, of course, the human element. Whatever processes you implement and defenses you build, if the users have zero awareness of the CIA of the information they handle, all you do is wasted. That is why organizations are spending more money &#038; resources on user awareness, training etc.</p>
<p><strong>Information Security – Where should it start from?<br />
</strong>Information security in any organization should start from the employees. The employees should know the sensitivity of the data they handle and, of course, its value too. Many organizations have the false belief that an ISO (Information Security Officer) and a security team will make the organization secure. You cannot expect the Information Security Officer alone to make your organization 100% secure; the ISO is an employee like any other and has limitations. So if you need the organization to be secure, the employees should work together towards the common objective of achieving 100% security (although 100% security is a myth, the organization will at least be doing its best to preserve the CIA of the information it handles).</p>
<p><strong>Employee background check<br />
</strong>A proper background check should be done for each employee prior to appointment. Performing the verification merely for the sake of doing it is of no use (which is what most organizations do). The verification should cover past employment, the reason for leaving the previous employer, criminal records and family background.</p>
<p><strong>Employee Training<br />
</strong>Employees should undergo awareness programs &#038; training in information security, and most importantly these should be interactive: nobody likes long trainings packed with solid technical &#038; process material, so they should be made interesting with case studies and role-play. There should be methods to measure the employees’ current level of information security awareness, for example tests or interviews. A training calendar should be prepared for the year, and of course information security should be part of the induction process.</p>
<p><strong>Security needs innovative thinking and creativity<br />
</strong>The security team should think from the basic level and perspective of the employees, or I would rather say that the InfoSec team should come down to the employee level. This is where the real expertise of an information security professional lies: he should be able to communicate on their wavelength. You cannot expect an employee on the assembly line to have knowledge of social engineering, but it is possible to educate them about it, and for this the team should work out its own strategy. Training should be a continuous process, and the training program should be modified according to time and needs.<br />
To conclude, an organization that treats information security as real and not as a showpiece will have its policies and processes lined up to meet these challenges.</p>
<p>Thomas Kurian Ambattu</p>
]]></content:encoded>
			<wfw:commentRss>http://firstlegion.net/2008/07/know-your-employee-kye-%e2%80%93-the-human-factor-in-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The difference between security &#8220;awareness&#8221; and good security &#8220;behavior&#8221;</title>
		<link>http://firstlegion.net/2008/07/the-difference-between-security-awareness-and-good-security-behavior/</link>
		<comments>http://firstlegion.net/2008/07/the-difference-between-security-awareness-and-good-security-behavior/#comments</comments>
		<pubDate>Wed, 16 Jul 2008 08:50:46 +0000</pubDate>
		<dc:creator>Anup</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[isq]]></category>
		<category><![CDATA[quotient]]></category>
		<category><![CDATA[rules]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[traffic]]></category>

		<guid isPermaLink="false">http://isqworld.com/?p=13</guid>
		<description><![CDATA[Hello,
Observing the traffic in Bangalore, you realize something important that you can apply for information security awareness management. Almost all drivers in Bangalore are &#8220;AWARE&#8221; of the traffic rules and that is the reason why they have passed the driving license exam and received their licenses. 

But &#8220;AWARENESS&#8221; does not necessarily translate into BEHAVIOR (see [...]]]></description>
			<content:encoded><![CDATA[<p>Hello,</p>
<p>Observing the traffic in Bangalore, you realize something important that you can apply to information security awareness management. Almost all drivers in Bangalore are &#8220;AWARE&#8221; of the traffic rules, which is the reason they passed the driving license exam and received their licenses.</p>
<p><a href="http://firstlegion.net/wp-content/uploads/2008/07/securityawareness.jpg"><img src="http://isqworld.com/wp-content/uploads/2008/07/securityawareness-300x225.jpg" alt="Traffic Rules and Security Awareness" title="Traffic Rules and Security Awareness" width="300" height="225" class="alignnone size-medium wp-image-14" /></a></p>
<p>But &#8220;AWARENESS&#8221; does not necessarily translate into BEHAVIOR (see the image above).</p>
<p>This is the situation with corporate information security awareness programs too. They focus very much on creating awareness through training sessions, posters, emails etc. But how often do they go beyond awareness to check whether the awareness translates into &#8220;Behavior&#8221;?</p>
<p>Anup</p>
]]></content:encoded>
			<wfw:commentRss>http://firstlegion.net/2008/07/the-difference-between-security-awareness-and-good-security-behavior/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security Acceptance &amp; the new Bangalore Airport</title>
		<link>http://firstlegion.net/2008/07/information-security-acceptance-the-new-bangalore-airport/</link>
		<comments>http://firstlegion.net/2008/07/information-security-acceptance-the-new-bangalore-airport/#comments</comments>
		<pubDate>Wed, 16 Jul 2008 08:36:09 +0000</pubDate>
		<dc:creator>Anup</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[acceptance]]></category>
		<category><![CDATA[Add new tag]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[isq]]></category>
		<category><![CDATA[quotient]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://isqworld.com/?p=12</guid>
		<description><![CDATA[Hello All,
Sitting at the new international airport in Bangalore, I was thinking about the hue and cry the new airport raised. Of course, the fundamental problem was not the airport in itself, but the connectivity from the Bangalore City to the airport. But, unfortunately, the airport ended up as the villain of the piece. Readers [...]]]></description>
			<content:encoded><![CDATA[<p>Hello All,</p>
<p>Sitting at the new international airport in Bangalore, I was thinking about the hue and cry the new airport raised. Of course, the fundamental problem was not the airport in itself, but the connectivity from Bangalore City to the airport. Unfortunately, the airport ended up as the villain of the piece. Readers from India may be familiar with the whole story.</p>
<p>In spite of all the issues that have been raised, I am sure that it is only a matter of time before the airport proves its worth. The simple reason being that for every &#8220;1&#8221; negative aspect, there are a &#8220;100&#8221; other positive aspects to the new airport.</p>
<p>Sometimes, information security works in the same manner. For the end-user, information security means &#8220;restriction&#8221;: restriction of internet access, of email, of where you can go within the company and where you cannot, etc. Hence, initially, just as with the Bangalore airport, acceptance is low. But over a period of time, people start seeing the positives. Some of the positives of good information security are:</p>
<ul>
<li>More business, because customers are more confident</li>
<li>More business means employees get more rewards (pay, promotions etc.)</li>
<li>More business also means the company earns more respect, which in turn makes employees proud and gives them more self-esteem</li>
</ul>
<p>Good information security has many intangible benefits that people should learn to see. Of course, a good information security manager will see this and slowly guide his workforce through the period of change, just like the new Bangalore airport.</p>
<p>Anup</p>
]]></content:encoded>
			<wfw:commentRss>http://firstlegion.net/2008/07/information-security-acceptance-the-new-bangalore-airport/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
