Research – Page 4 – Cyber Security Leadership

The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour

In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.

Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.

This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.

I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:

Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
Give advice on aligning a security programme with wider organisational objectives.
Manage and communicate these changes within an organisation.

Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.

The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.

It’s now available for pre-order on the UK, EU or US websites.

Online Safety and Security

We live in the developed world where it is now finally safe to walk on the city streets. Police and security guards are there to protect us in the physical world. But who is watching out for us when we are online?

Issues:

Cyber crime and state-sponsored attacks are becoming more and more common. Hackers are now shifting their focus form companies to the individuals. Cars, airplanes, smart homes and other connected devices along with personal phones can be exploited by malicious attackers.
Online reputation is becoming increasingly more important. Potential business partners conduct thorough research prior to signing deals. Bad reputation online dramatically decreases chances to succeed in business and other areas of your life.
Children’s safety online is at risk. Cyber-bullying, identity theft; with a rapid development of mobile technology and geolocation, tracking the whereabouts of your children is as easy as ever, opening opportunities for kidnappers or worse.

Solution:

A one-stop-shop for end-to-end protection of online identity and reputation for you and your children.

A platform of personalised and continuous online threat monitoring secures you, your connections, applications and devices and ensures safety and security online.

Image courtesy ofwinnond / FreeDigitalPhotos.net

Cyber Wargaming Workshop

I was recently asked to develop a two-day tabletop cyber wargaming exercise. Here’s the agenda.
Please get in touch if you would like to know more.

Day 1
Introduction
Course Objectives
Module 1: What is Business Wargaming?
How Does Business Wargaming Work?

Teams
Interaction
Moves

Module 2 Cyber Fundamentals

Practical Risk Management
Problems with risk management
Human aspects of security
Conversion of physical and information security
Attacker types and motivations
Security Incident management
Security incident handling and response
Crisis management and business continuity
Cyber security trends to consider

Module 3: Introducing a Case Study

Company and organisational structure
Processes and architecture
Issues

Module 4 Case study exercises

Case study exercise 1: Risk Management
Case study exercise 2: Infrastructure and Application Security

Day 2
Introducing a wagaming scenario
Roles and responsibilities
Simulated exercise to stress response capabilities
The scenario will be testing:

How organisations responded from a business perspective
How organisations responded to the attacks technically
How affected organisations were by the scenario
How they shared information amongst relevant parties

Feedback to the participants
Course wrap up

Image courtesy zirconicusso / FreeDigitalPhotos.net

Giving a talk on information security

I delivered a talk at the London Metropolitan University today where I was invited to share my story and participate in the university’s mentoring scheme. Although there were many students from different fields present, I focused on the computer science and information security area.

I elaborated on the possible and the transferable skills that young students can develop and apply during their undergraduate and postgraduate programmes. We also talked about job search, the general application process and the various career paths available to students in the information security and computer science areas.

Giving a lecture at the Royal Holloway University of London

I was invited by the RHUL Computing Society to give a lecture on human aspects of security.

After my presentation, I gave the students an exercise to help them understand the different perspectives on information security policies. As a result, they learned the importance of the role of information security in an organisation and it’s important enabling function.

It was really nice to get such an active participation on their behalf. After the talk we had an interesting conversations on current security research trends and opportunities.

Presenting at the ISACA London Chapter event

I shared some research findings with the ISACA London Chapter members at the November event. We discussed resolving conflicts between security compliance and human behaviour. The talk was followed by a panel discussion with other presenters, where I answered questions regarding human aspects of information security.

During the networking session after the presentation I’ve had many other interesting conversations with the participants. People were sharing their stories and experiences implementing and auditing security controls.

The video of the talk is available on the ISACA London Chapter website.

The Analogies Project

I’m passionate about helping people understand security better. In my experience, using analogies has proved to be one of the best tools to help them learn. People have a far better and long-lasting understanding when they can relate to an experience that illustrates the concept they are to comprehend. Describing situations and possible outcomes can be just as easily done by telling stories: They are not only pleasant to read, hear or imagine, but they also transfer knowledge in the most effective way.

That’s why I decided to contribute to The Analogies Project.

Here’s what their website say about about the project:

Mission
The aim of the Analogies Project is to help spread the message of information security, and its importance in the modern world.
By drawing parallels between what people already know, or find interesting (such as politics, art, history, theatre, sport, science, music and every day life experiences) and how these relates to information security, we can increase understanding and support across the whole of society.

Why use analogies?
Many aspects of information security are highly technical and require a deep specialist knowledge. However, we know that all security depends ultimately on the awareness and preparedness of non-specialists.
Information security professionals cannot rely solely on technology to protect their organisations. They must engage with senior management and users in a way that their message is understood, fully appreciated and implemented. In this way they can drive changes in attitude and behaviour that will make the organisation more secure.
To do that, they must find a new language to get their points across to the non-specialist. And this is where the Analogies Project comes in….
Our past is littered with examples of how the prosperity or decline of individuals, enterprises, governments and nation states has depended to a greater or lesser extent, on the confidentiality, integrity and availability of information. By using storytelling, analogies and metaphor we can transform these real life events into powerful tools for engagement.

Please feel free to check out my profile and read my analogies.

Find out how security controls affect productivity in your company

To expand on my research on the human aspect of security, I created a simplified model to highlight the relationship between productivity and security. The main hypothesis, is that there is a productivity cost associated with the security controls.

The interactive simulation was created to allow users to implement their own security policies and observe the relationship between risk reduction and impact on productivity cost. Easy to understand visual feedback is available immediately for the users. This helps to understand security managers’ perspective when implementing security controls in a company.

The creation of the model was inspired by research conducted by Angela Sasse and her colleagues at the University College London.

Please get in touch if you have any feedback or would like to discuss the underlying research findings.

Discussing Human Aspects of Information Security

I delivered a seminar on the human aspects of information security at the University of West London. We discussed conflicts between security and productivity in companies and possible solutions. Research students with different backgrounds helped to drive the debates around usability, awareness and policy design.

We also talked about the practical applications of behavioural theories, where I shared my views on user monitoring and trust in organisations within the context of security culture.

Daniel, one of the participants, summarised his experience in his blog.

Image courtesy of Vlado / FreeDigitalPhotos.net

Delivering a Seminar at the IT Security & Computer Forensics Pedagogy Workshop

I presented at the HEA STEM Workshop on human aspects of information security.

The aim of the workshop is to share, disseminate and stimulate discussions on: the pedagogy of teaching subjects related to IT security and computer forensics, and issues relating to employability and research in these areas.

During the workshop the speakers presented topics that focus on: delivery of innovative practical tutorials, workshops and case studies; course design issues; demand for skills and employment opportunities; countering the “point & click” approach linked to vendor supplied training in industry; and current research exploring antivirus deployment strategies.