New York State Higher Education CIO Conference
West Point - July 2005
Building an Information Security Culture in a Global Enterprise
Jane Scott Norris, CISSP CISM
Chief Information Security Officer
U.S. Department of State
Information Security Program
Designed to Protect INFORMATION
o Policy and Procedures
  • To support business objectives while considering security requirements
o Informing users of their responsibilities
  • Employees must know policies, understand their obligations, and actively comply
o Monitoring and review of program
Information Security Drivers
o Constantly changing IT
o Increasing connectivity
o Rush to market
o Readily available hacking tools
o Increasing Risk
o Only as strong as the weakest link
o Insider threat is always greatest: deliberate, careless, irrational or uninformed
3 Waves of Information Security
o Technical Wave
  • Authentication and access control
o Management Wave
  • Policies, procedures
  • CISO and separate security staff
o Institutionalization Wave
  • Information Security Awareness
  • Information Security Culture
o Standardization, certification and measurement
o Human Aspects
Von Solms (2000)
It’s A People Problem
Information and Information Systems Security:
o Products: H/W and S/W
o Processes: Management, Operational
o People: Users, Administrators
Ensuring that employees receive tailored and timely awareness, training, and education is paramount to maintaining effective security
The Security Gap
o Security technology is essential
  • Firewalls, anti-virus, intrusion detection, encryption etc.
o Technology is not enough
  • Gartner: 80% of downtime is due to people and processes
o The tighter the security controls, the harder they are to break, and the user becomes the target
  • Technology can make it difficult to forge IDs but can’t stop people getting real IDs under fake names
o Technology can never stop social engineering
  • People are still tricked into disclosing their passwords
Creating and maintaining a security culture is critical for closing the security gap
People and Machines
o Security controls deal with known risk
o People spot irregularities
o Employees that are security conscious and correctly trained
  • Develop a “feeling” for what is “normal” behavior
  • Recognize unusual, unexpected behavior
o Employees need to
  • Adapt to new scenarios
  • Report and act on incidents
A well informed workforce helps to promulgate good security habits, and to identify and mitigate problems quickly
Awareness, Training & Education
Comparative Framework

Attribute            | Awareness                 | Training                      | Education
---------------------+---------------------------+-------------------------------+---------------------------
                     | “What”                    | “How”                         | “Why”
Level                | Information               | Knowledge                     | Insight
Learning Objective   | Recognition & Retention   | Skill                         | Understanding
Example Teaching     | Media                     | Practical Instruction         | Theoretical Instruction
Method               |  - Videos                 |  - Lecture and/or demo        |  - Seminar and discussion
                     |  - Newsletters            |  - Case study                 |  - Reading and study
                     |  - Posters                |  - Hands-on practice          |  - Research
Test Measure         | True/False,               | Problem Solving               | Essay
                     | Multiple Choice           | (Recognition & Resolution)    | (interpret learning)
                     | (identify learning)       | (apply learning)              |
Impact Timeframe     | Short-Term                | Intermediate                  | Long-Term

“The Human Factor in Training Strategies” by Dorothea de Zafra, Nov. 1991 as quoted in NIST SP 800-16
Security Awareness Program
o Communicate security requirements
  • Policy, rules of behavior
o Communicate Roles and Responsibilities
o Improve understanding of proper security procedures
  • At work and at home
o Serve as basis for monitoring and sanctions program
Majority of organizations view security awareness as important, although they do not believe they invest enough in this area.
2004 CSI/FBI Computer Crime and Security Survey
NIST Guidance
NIST SP 800-53
  “An effective information security program should include … security awareness training to inform personnel of the information security risks associated with their activities and responsibilities in complying with organizational policies and procedures designed to reduce these risks”
NIST SP 800-50
  “Awareness involves guiding and motivating people on appropriate behaviors”
NIST SP 800-16
  The fundamental value of security awareness is to create “a change in attitudes which change the organizational culture”
Information Security Culture
o Information Security culture must complement the Organizational culture
  • Congruent with the mission
  • Commensurate with risk appetite
o Common elements of a security culture across organizations
  • Privacy, internal controls
  • Protection of proprietary information
  • Laws
Employee Vigilance and Appropriate Response are natural activities in the daily activities of every employee
Attitude Adjustment
o Attitude is important
  • Predictor of Behavior
  • Motivator of Behavior
  • Source of Risk
  • Irrational behavior based on passion (love, anger)
o Attitude can be changed
  • Social Psychology
  • Fish!
PERSUASION: Changing attitudes and behavior
Social Psychology
ATTITUDE: Affect, Behavior, Cognition
Influencing Behavior and Decision-Making
Sam Chun, CISSP: Change that Attitude: The ABCs of a Persuasive Awareness Program
ABC Model
o Affect
  • Emotional response
  • More likely to do activities that
    - Are fun or make us feel good
    - Avoid negative feelings (guilt, fear, pain)
o Behavior
  • Feedback for attitudes
  • Doing leads to liking
o Cognition
  • Opinions formed by reasoning
Influence Techniques
o Reciprocity
o Cognitive Dissonance
o Diffusion of Responsibility
o Individualization
o Group Dynamics
o Social Proof
o Authority
o Repetition
CONSISTENCY OF MESSAGE
Reciprocity
o Indebtedness
  • Obligation to reciprocate on debt
o Trinkets
  • Lanyards, pens, mousepads, lunch bags
  • Simple slogan
o Large ROI
Cognitive Dissonance
o Performing an action that is contrary to beliefs or attitude
o Natural response is to reduce the tension/discord
o Requirement to repeat unpopular procedure makes it more palatable
o Examples:
  • Mandatory, periodic change of password
  • Requirement for Strong passwords
Diffusion of Responsibility
o Members of a group take less personal responsibility when group output, not individual contribution, is measured
o Avoid anonymity
o Remind employees that they are responsible for all system activity conducted under their logon
Cyber Security: It’s Everyone’s Job!
Individualization
o Opposite of Diffusion of Responsibility
o Individual Accountability
  • ID badges
  • Personalized messages
  • In-person delivery
  • Individual rewards
Information Assurance – It’s MY job too!
Group Dynamics
o In a group, individuals tend to adopt more extreme attitudes to a topic over time
  • Diffusion of Responsibility
  • Leaders tend to be those with stronger views, more extreme attitudes
o Group interaction will enhance security in a group that has a propensity for security
o Peer Pressure
Social Proof
o People mimic others’ behavior
o Be aware of informal communications
  • Most frequent
  • Must be on message
o Ensure good examples; discourage bad behavior
One ill-chosen comment from an influential person can undo months of awareness efforts
Obedience to Authority
o Natural tendency to obey authority
o Ensure executive commitment
o Ensure line manager buy-in
Message Multipliers: Senior Management Participation and Senior Leadership by Example
Repetition
o Repeated exposure to a consistent message can change attitudes
o The more familiar people are with policies and procedures, the more correct behavior is induced
o Use all channels of communication
  • Formal and Informal
  • Push and Pull
“If a stimulus, originally an attention-getter, is used repeatedly, the learner will selectively ignore the stimulus.” NIST SP 800-16
Fish! Approach to Work
o Choose Your Attitude
o Play
o Make Their Day
o Be Present
“Boost Morale and Improve Results”
Fish!, Lundin, Stephen C., Paul, Harry and Christensen, John, Hyperion Books, 2000
Consistency
o Familiarity breeds contempt?
o Repetition induces liking
  • Chun: Change that Attitude
o Even a boring job can be fun
  • Fish!
Variety is the spice; Consistency the Staple
Target Audience
o Every system user
o NIST defines 5 roles
  • Executives
  • Security Personnel
  • Systems Owners
  • Systems Admin and IT Support
  • Operational Managers and System Users
The Awareness Team
o Senior Management
o CIO and CISO
o Functional Elements
o Security Professionals
o System Administrators
o Every individual employee!
The more YOU know, the stronger WE are!
Tailored Approach
o Mandatory annual awareness presentation for all
  • General
  • Real world examples
  • Lots in the Press about Identity Theft
o Home PC Security
  • Bring the message home
o Other sessions tailored for particular groups
  • Targeted messages and examples
o Involve people in awareness to overcome their resistance to change
Individuals have different learning styles
Delivery
o Prior to being granted privileges
  • No access without awareness
o Periodically
  • Mandatory Annual Awareness
  • Classes or On-line
o Interim, short communiqués
  • E-mails, broadcasts, “Tip of the Day”
  • In response to new threats, vulnerabilities and policies
o Small group sessions
o Less formal events
  • Fairs, Awareness Days
  • Games – Security Jeopardy
o Push – Pull techniques
On-going Program
o Cultural Change takes time
o Continuous Program
o Maintain employee awareness and organizational commitment
“Awareness presentations must be on-going, creative, and motivational, with the objective of focusing the learner’s attention so that learning will be incorporated into conscious decision-making.” NIST SP 800-16
ROI from Security Awareness
o Cost Avoidance
o Support of Mission Objectives
o Protection of Image
o Prevention of Down Time, Damage and Destruction
Security conscious employees make better cyber citizens
Measurement of Program
o Externally in response to FISMA:
  • Congress and OMB
  • Quarterly and Annually
  • President’s Management Agenda
  • Congress FISMA Grade
o Internally:
  • Quarterly Bureau Scorecards
  • Feedback
What gets measured gets done!
Output vs. Outcome
o Outputs
  • Number of employees trained
o Outcomes
  • Fewer Audit Findings
  • Fewer material weaknesses
  • Fewer violations
  • Less severe incidents
  • Less repetition of errors
  • Less damage
  • Reduced cost of compliance
Measurement of People
o Measurement by organizational element
  • Peer pressure
o Measurement by individual
  • Awards/Rewards
  • Include in employee evaluation
o Sanction by individual
Security Minded Culture
When Employees …
  • Are aware of the threats, vulnerabilities and consequences of exploits
  • Recognize and report suspicious activity
  • Can discuss why controls are necessary
  • Take an active role in protecting information
A risk managed approach balances security requirements and mission need
A Habit not a Mandate
o If we understand why observing good information assurance practice is the right thing to do
o Then we will do things because we believe it’s the right thing to do, rather than because we’re told to do them
Assimilation: An individual incorporates new experiences into an existing behavior pattern
Challenge for Security Professionals
o Keep current on new threats, vulnerabilities and solutions
o Educate general users and senior management of threats and exploits. Show them why cyber security is needed and what they can do to protect information
o Instill in all employees a feeling of shared responsibility
o Sell information security
It’s a Dialogue
Security Awareness personnel need to …
o Understand
  • Security climate
  • Business objectives
  • Line managers’ concerns, problems
  • Individual and group issues
o Possess
  • IT Background and security knowledge
  • Communication Skills
  • Marketing Skills
  • Business Savvy
The Business Case for Security
o Use the language of business
o Show how security supports mission objectives
o Demonstrate the return on investment associated with good security
o Talk with management (and users) in terms they can understand – avoid the language barrier
Drop the “Geek Speak”
Summary
Attitudes → Behavior → Culture
Whether it’s a homogeneous group in a campus setting or a diverse, global workforce, a variety of techniques and consistency of message are needed
10 Cs of Information Security Culture
1. Comedy
2. Complete
3. Consistent Message
4. Customized Sessions
5. Current, relevant content
6. Communication Channels
7. Common (plain) Language
8. Commitment from Executives
9. Continuing Awareness Program
10. Compulsory Annual Awareness Offering
References
o Chun, Sam: “Change that Attitude: The ABCs of a Persuasive Awareness Program”, Information Security Management Handbook, 5th Edition, Volume 2, Auerbach, 2005
o NIST Special Publication 800-53: “Recommended Security Controls for Federal Information Systems”, Feb 2005
o NIST Special Publication 800-50: “Building an Information Technology Security Awareness and Training Program”, Oct 2003
o de Zafra, Dorothea: “The Human Factor in Training Strategies”, presentation to the Federal Computer Security Program Managers’ Forum, Nov. 1991, as quoted in NIST SP 800-16
o NIST Special Publication 800-16: “Information Technology Security Training Requirements: A Role- and Performance-Based Model”, April 1998
o Lundin, Stephen C., Paul, Harry and Christensen, John: “FISH!”, Hyperion Books, 2000
Contact Information
For further information or comments, please e-mail:
[email protected]
Subject: NY State CIOs