The Human Factor in Information Security

David Lacey

DL

Security emphasis has changed

Secure buildings 1980s Glasshouse data centres

Managed networks

1990s Network firewalls

?
Streetwise users

? 21st Century
cyberspace road warriors

DL

Organisations are changing

Strong Organism

External relationships

Trend

Machine

Weak Soft
Internal relationships

Hard

DL

People will dominate your future

The future of Information Security is pink and fluffy

Debi Ashenden UK Defence Academy

DL

Power to the people

DL

The death of institutional authority

Individual productivity is down

Group productivity is up
DL

Teamwork has always been the key

The fact is that the system that people work in and the interaction with people may account for 90 or 95 percent of performance
W Edwards Deming

DL

A new world of partnerships

DL

Who controls them?

Networks smash security perimeters

DL

They can also leverage security

How big is your security function?

DL

As big as you want

Proxies are the new foot soldiers

DL

Who is the real enemy?

Network versus network

DL

Massively scalable power for good or bad

Whos watching you?

DL

Friends, voyeurs, fraudsters or spies?

The sneaky side of networks

Damn with faint praise, assent with civil leer, and, without sneering, teach the rest to sneer
Alexander Pope

DL

What is organisation culture?

The emergent result of conversations and negotiations between members

The attitudes, values, beliefs, norms, customs of the organisation

A pattern of basic assumptions thats worked well enough to be considered valid

If it was an animal which one might it be? The insanity you can't see around you

What people do when you're not watching them

DL

What characterises a healthy security culture?

DL

Fear Paranoia Suspicion Streetwise Ownership Responsibility Trust Empowerment Openness

Aim to build a no-blame culture

Blame cultures Ask who screwed up Assume that somebodys carelessness is the cause No-blame cultures Ask what went wrong Expect the fault to lie with training, supervision or design

Believe that someone must be to blame

Sack the most likely candidate Expect incidents not to be repeated

Recognise that the most incidents are blameless

Identify the root causes of the incident Understand that even the best staff make mistakes

Discourage cooperation, honesty and risk-taking

Encourage teamwork and quality improvements

DL

Theres no such thing as an isolated incident

Behind every major safety incident, there are 29 minor incidents, 300 near misses and thousands of bad practices

DL

See and manage the whole incident space, not just the exceptions

Everyone makes a difference

Security staff must know their job

Top management must oversee security

Operations staff must maintain secure infrastructure

Users, staff and customers must adopt secure practices

Programmers must cut secure code

Managers must manage risks

Project staff must specify security

DL

Their needs are not the same

People cant always be trusted

DL

But can you spot a criminal?

10

Emotion, not logic, drives crises

The engine of risk response is outrage

Dr Peter Sandman Risk communications consultant

DL

Factors that affect risk perception

Media influence
Religion Culture Knowledge

Familiarity

Personality

?
Age Maths ability Role

Experience

Gender

Incentives

DL

11

Awareness, attitude & behaviour

Awareness requires creative communications Behaviour is influenced by perception, experiences and external cues

Attitudes can only be changed through self-discovery

DL

Analogies help understanding

DL

Motoring is the most popular

12

Other aids to understanding, learning & recall

Associations help people remember

People Stories are powerful learning vehicles

Places

Things Symbols convey information efficiently

DL

People remember things that are visual, vivid, colourful, 3Dimensional, sense-laden, funny, positive, pleasant

Long words can also be sticky

DL

13

Personal discovery shapes attitudes

Imaginary situations, such as stories and games, help by encouraging people to suspend disbelief

Workshops, discussions, videos and case studies are more effective than simple communications

Long, participative sessions, such as scenario planning or crisis exercises, are powerful learning vehicles

DL

Influential people

Connectors

Chief Executive

Super salesman

Thought leader

Maven

Peer group

DL

14

Influences on personal behaviour

Stories heard Games played Consequences of actions Management authority Perceived role

Media coverage
Recent experiences Physical environment DL

Actions of colleagues
Rules & procedures

Cues & controls in systems

Cyberspace environment

What has most impact on behaviour?

Cues
Instructions Standards Policies Rules

Consequences
Rewards Punishments Pleasure Satisfaction

DL

Capabilities

Answer: Consequences that are personal, immediate & certain

15

Rewards and punishments

Punishments leave a negative, de-motivating impression

People justify their behaviour to themselves and will rarely accept criticism

Rewards leave a positive, motivating impression

But its easier to punish people than reward them

DL

Environments shape behaviour

DL

16

Cyberspace is different
In cyberspace, we feel anonymous and concealed Many actions have no immediate impact We relax more, open up, feel less inhibition

We mix fantasy with reality We can explore unacceptable subjects such as pornography We can commit acts, or reveal information, that wed never contemplate in the physical world We can be unusually hostile, rude and angry

DL

See John Sulers The Psychology of Cyberspace

People design technology

DL

But technology is not designed for people

17

The art of user centric design

Talk to users

Watch them at work

Find out what they like

Walk through new designs

Observe eye movements

Test prototypes

DL

Thank you all for listening

David Lacey

DL

18