I wrote about the games you can play to enhance your privacy and cyber security knowledge. We also talked about gamification in the security context. But how do we apply this knowledge to “gamify” security awareness efforts in you organisation?
A recent company I’ve been working with has been experimenting with their security awareness programme; in particular, they’ve designed posters to remind employees of potentially risky behaviours. They placed these posters in the areas where violations could occur: near the confidential bins or printers. They’ve invested in a memorable design and created funny-looking creatures people can relate to. For example, they’ve had something resembling an angry Twitter bird to emphasise the fact that employees should be mindful of what they share on social media. Other examples included monsters on the lookout for confidential data.
I liked the idea and I saw employees discussing the posters shortly after they were released. But what if we wanted to take this a step further? What if people could not only look at the posters but also engage with them?
The recently released and hugely popular Pokemon Go app gives us an example of how this could be done. In the game, players are encouraged to explore the real world around them and catch creatures that appear on the map. The game uses augmented reality to make the experience of catching Pokemon a lot more fun.
The app developers used classic game design elements in this game:
- There’s a ton of items to be collected, like stardust, pokeballs, various potions and eggs.
- You get frequent rewards and feedback on your progress.
- The game is very social in nature and players are encouraged to engage with each other.
- There are leadership boards and there is a chance to get your name displayed in a gym – a place where Pokemon battles take place.
How can some of the ideas from this game be applied to a security awareness programme?
What if we take the monsters from the company’s posters above and make them more engaging? It only takes a small financial investment to attach a QR code to a monster, so an employee could get immediate access to the relevant section in the security policy. Or how about giving employees a quick quiz and, if answered correctly, reward them with bonus points?
These points could be also collected for accomplishing other tasks. Your employee volunteered to participate in a security awareness presentation with her story? 100 points! Attended a lunch and learn session? How about 20 points? Reported a phishing email? Stopped a tailgater? There are many ways people can demonstrate their involvement in a security awareness programme.
As long as participation is voluntary, there are clear objectives and rules, feedback is readily available and rewards are desirable, we’ve got a chance to change security culture for the better!
“So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.
Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.
No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.”
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
“This is an easy-to-read, accessible and simple introduction to information security. The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject. Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.”
Dr David King
Visiting Fellow of Kellogg College
University of Oxford
I recently had the pleasure to help organise and host PhD students from Royal Holloway, University of London (RHUL), who spent a day at my company interacting with the team in order to gain industry insights.
This day-long event included presentations by the students, their lecturers, our partners and consultants.
During one of these presentations, I shared some of my own experiences as an information security consultant, in which I talked about my role and area of expertise. I also discussed current security challenges and provided some career advice.
Several round table discussions provided everybody with much needed food for thought. We covered topics like security monitoring, threat intelligence, information protection in digital health and the role of the C-suite.
We received positive responses from the professors – the students enjoyed the presentations and learned a lot from the interactions during the day.
The UCLU Technology Society invited me to deliver a talk on information security to UCL students. Together with my colleague, I discussed various aspects of information security focusing on both technical and non-technical topics.
We talked about Advanced Persistent Threats and common misconceptions people have about them. When referring to protection measures, I emphasised the importance of considering human aspects of security. I described typical causes of a poor security culture in companies, along with providing some recommendations on improving it.
I concluded the evening with a discussion on managing and communicating the necessary changes within the organisation and the skills required to successfully do that.
The Psychology of Information Security – Resolving conflicts between security compliance and human behaviourPosted: November 26, 2015
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:
- Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
- Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
- Give advice on aligning a security programme with wider organisational objectives.
- Manage and communicate these changes within an organisation.
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.
We live in the developed world where it is now finally safe to walk on the city streets. Police and security guards are there to protect us in the physical world. But who is watching out for us when we are online?
- Cyber crime and state-sponsored attacks are becoming more and more common. Hackers are now shifting their focus form companies to the individuals. Cars, airplanes, smart homes and other connected devices along with personal phones can be exploited by malicious attackers.
- Online reputation is becoming increasingly more important. Potential business partners conduct thorough research prior to signing deals. Bad reputation online dramatically decreases chances to succeed in business and other areas of your life.
- Children’s safety online is at risk. Cyber-bullying, identity theft; with a rapid development of mobile technology and geolocation, tracking the whereabouts of your children is as easy as ever, opening opportunities for kidnappers or worse.
A one-stop-shop for end-to-end protection of online identity and reputation for you and your children.
A platform of personalised and continuous online threat monitoring secures you, your connections, applications and devices and ensures safety and security online.
Image courtesy ofwinnond / FreeDigitalPhotos.net
I was recently asked to develop a two-day tabletop cyber wargaming exercise. Here’s the agenda.
Please get in touch if you would like to know more.
Module 1: What is Business Wargaming?
How Does Business Wargaming Work?
Module 2 Cyber Fundamentals
- Practical Risk Management
- Problems with risk management
- Human aspects of security
- Conversion of physical and information security
- Attacker types and motivations
- Security Incident management
- Security incident handling and response
- Crisis management and business continuity
- Cyber security trends to consider
Module 3: Introducing a Case Study
- Company and organisational structure
- Processes and architecture
Module 4 Case study exercises
- Case study exercise 1: Risk Management
- Case study exercise 2: Infrastructure and Application Security
Introducing a wagaming scenario
Roles and responsibilities
Simulated exercise to stress response capabilities
The scenario will be testing:
- How organisations responded from a business perspective
- How organisations responded to the attacks technically
- How affected organisations were by the scenario
- How they shared information amongst relevant parties
Feedback to the participants
Course wrap up
Image courtesy zirconicusso / FreeDigitalPhotos.net
Implementing cutting-edge technology solutions is not the only way to combat cyber threats. Seemingly mundane administrative tasks such as network infrastructure hardening could yield greater results in terms of risk reduction.
I ran a remediation project for a major blue chip company, which successfully removed over 8,000 unused firewall rules.
Such projects can be complex and require a rigorous process to be designed to ensure that no active rules are removed. For example, a period of monitoring and subsequent hypercare ensured that only a few rules were reverted back to production after being indicated as “unused”. Proactive stakeholder engagement was key in completing the work ahead of schedule and under budget.
As a result, the project improved network security by eliminating the chance an attacker can exploit a weak unused firewall rule. Moreover, the number of rules on the firewalls was cut by half, which made it easier and cheaper to monitor and manage.
Image courtesy renjith krishnan / FreeDigitalPhotos.net
There are a number of global information exchanges related to industrial control systems security. They offer useful guidelines and standards to help protect the environment.
The UK Centre for the Protection of National Infrastructure (CPNI) provides good practice and technical guidance as well as advice on securing industrial control systems.
Secure move to IP-based Networks (SCADA):
They also highlight the risks of wireless connectivity of physical security systems
It was a busy week for security professionals in London; InfoSecurity Europe, BSides London and SC Magazine Awards were happening almost simultaneously.
We were provided with a booth at the InfoSecurity Europe conference & exhibition to host another NextSec event entitled “Finance and Cyber Security: How Banks Are Evolving To Combat The External Cyber Landscape”. Two global financial institutions discussed how they are reacting to the cyber threats that affect them, and how they are looking to combat that threat.
Attendees had an opportunity to gain insight into how financial institutions are dealing with cyber threats on both strategic and operational levels as well as to understand challenges and approaches to managing information security risk in large financial organisations
I was also invited to attend the SC Magazine Awards as part of KPMG’s Cyber Academy team. I helped to develop KPMGs IT Security Concepts course and also delivered it internally. It was a great honour to know that the course’s quality was recognised beyond the firm.
Finally, BSides London 2015 was great as always. KPMG were running a lockpicking competition, where I managed to make it to the Top 30. It was also nice to catch up with Thom, Javvad, Lawrence, Iggi and other great professionals in the field.