I’ve been interviewed by Javvad Malik about my career in InfoSec

I’ve been interviewed by Javvad Malik about my career in Information Security. He published the interview on his website

The difference between Leron and anyone else that has ever asked for advice is his willingness to learn and take on board as much knowledge as possible and then apply it. In a few short years, not only was Leron able to complete his MSc, but he landed a job (while turning down other offers), spoke at events, and wrote a book. Achieving more in 3 years than most people do in 10.

So, the roles are now reversed. I needed to catch up with Leron and pick his brains about his journey and see what I could learn from him.
Read the full story


Pokemon Go and Security Awareness

I wrote about the games you can play to enhance your privacy and cyber security knowledge. We also talked about gamification in the security context. But how do we apply this knowledge to “gamify” security awareness efforts in you organisation?

A recent company I’ve been working with has been experimenting with their security awareness programme; in particular, they’ve designed posters to remind employees of potentially risky behaviours. They placed these posters in the areas where violations could occur: near the confidential bins or printers. They’ve invested in a memorable design and created funny-looking creatures people can relate to. For example, they’ve had something resembling an angry Twitter bird to emphasise the fact that employees should be mindful of what they share on social media. Other examples included monsters on the lookout for confidential data.

IMG_20150611_182528

I liked the idea and I saw employees discussing the posters shortly after they were released. But what if we wanted to take this a step further? What if people could not only look at the posters but also engage with them?

The recently released and hugely popular Pokemon Go app gives us an example of how this could be done. In the game, players are encouraged to explore the real world around them and catch creatures that appear on the map. The game uses augmented reality to make the experience of catching Pokemon a lot more fun.

IMG_2126

The app developers used classic game design elements in this game:

  • There’s a ton of items to be collected, like stardust, pokeballs, various potions and eggs.
  • You get frequent rewards and feedback on your progress.
  • The game is very social in nature and players are encouraged to engage with each other.
  • There are leadership boards and there is a chance to get your name displayed in a gym – a place where Pokemon battles take place.

How can some of the ideas from this game be applied to a security awareness programme?

What if we take the monsters from the company’s posters above and make them more engaging? It only takes a small financial investment to attach a QR code to a monster, so an employee could get immediate access to the relevant section in the security policy. Or how about giving employees a quick quiz and, if answered correctly, reward them with bonus points?

These points could be also collected for accomplishing other tasks. Your employee volunteered to participate in a security awareness presentation with her story? 100 points! Attended a lunch and learn session? How about 20 points? Reported a phishing email? Stopped a tailgater? There are many ways people can demonstrate their involvement in a security awareness programme.

As long as participation is voluntary, there are clear objectives and rules, feedback is readily available and rewards are desirable, we’ve got a chance to change security culture for the better!


The Psychology of Information Security book reviews

51enjkmw1ll-_sx322_bo1204203200_

I wrote about my book  in the previous post. Here I would like to share what others have to say about it.

So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.

Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.

No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
KPMG UK

This is an easy-to-read, accessible and simple introduction to information security.  The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject.  Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.
Dr David King
Visiting Fellow of Kellogg College
University of Oxford

Read the rest of this entry »


Presenting at the IT & Security Forum

ITSF

I was invited to speak at the IT & Security Forum in Kazan, Russia. The conference spanned over three days and combined technical and non-technical talks, round table discussions and vendor presentations.

I spoke about the friction between security and productivity in the Oil & Gas sector. The participants shared their issues, after which we discussed potential solutions.

It was great to see that security managers in the audience recognised the potential negative impact to the business of poorly implemented security policies and controls and that they are willing to tackle such challenges.

 


Digital decisions: Understanding behaviours for safer cyber environments

DART

I was invited to participate in a panel discussion at a workshop on digital decision-making and risk-taking hosted by the Decision, Attitude, Risk & Thinking (DART) research group at Kingston Business School.

During the workshop, we addressed the human dimension in issues arising from increasing digital interconnectedness with a particular focus on cyber security risks and cyber safety in web-connected organisations.

We identified behavioural challenges in cyber security such as insider threats, phishing emails, security culture and achieving stakeholder buy-in. We also outlined a potential further research opportunity which could tackle behavioural security risks inherent in the management of organisational information assets.

2016-04-25 14.50


Talking to PhD students about cyber security

presentI recently had the pleasure to help organise and host PhD students from Royal Holloway, University of London (RHUL), who spent a day at my company interacting with the team in order to gain industry insights.

This day-long event included presentations by the students, their lecturers, our partners and consultants.

During one of these presentations, I shared some of my own experiences as an information security consultant, in which I talked about my role and area of expertise. I also discussed current security challenges and provided some career advice.

Several round table discussions provided everybody with much needed food for thought. We covered topics like security monitoring, threat intelligence, information protection in digital health and the role of the C-suite.

We received positive responses from the professors – the students enjoyed the presentations and learned a lot from the interactions during the day.


Correlation vs Causation

chart

Scientists in various fields adopt statistical methods to determine relationships between events and assess the strength of such links. Security professionals performing risk assessments are also interested in determining what events are causing the most impact.

When analysing historical data, however, they should remember that correlation doesn’t always imply causation. When patterns of events look similar, it may lead you to believe that one event causes the other. But as demonstrated by the chart above, it is highly unlikely that seeing Nicolas Cage on TV causes people to jump into the pool (although it may in some cases).

This and other spurious correlations can be found on this website, with an option to create your own.