Category Archives: Research

Giving a talk on information security

Met

I delivered a talk at the London Metropolitan University today where I was invited to share my story and participate in the university’s mentoring scheme. Although there were many students from different fields present, I focused on the computer science and information security area.

I elaborated on the possible and the transferable skills that young students can develop and apply during their undergraduate and postgraduate programmes. We also talked about job search, the general application process and the various career paths available to students in the information security and computer science areas.

Giving a lecture at the Royal Holloway University of London

IMG_20141202_205219

I was invited by the RHUL Computing Society to give a lecture on human aspects of security.

After my presentation, I gave the students an exercise to help them understand the different perspectives on information security policies. As a result, they learned the importance of the role of information security in an organisation and it’s important enabling function.

It was really nice to get such an active participation on their behalf. After the talk we had an interesting conversations on current security research trends and opportunities.

IMG_20141202_205259

Presenting at the ISACA London Chapter event

Goal

I shared some research findings with the ISACA London Chapter members at the November event. We discussed resolving conflicts between security compliance and human behaviour. The talk was followed by a panel discussion with other presenters, where I answered questions regarding human aspects of information security.

During the networking session after the presentation I’ve had many other interesting conversations with the participants. People were sharing their stories and experiences implementing and auditing security controls.

The video of the talk is available on the ISACA London Chapter website.

The Analogies Project

The-Analogies-Project-Presnetation-Logo

I’m passionate about helping people understand security better. In my experience, using analogies has proved to be one of the best tools to help them learn. People have a far better and long-lasting understanding when they can relate to an experience that illustrates the concept they are to comprehend. Describing situations and possible outcomes can be just as easily done by telling stories: They are not only pleasant to read, hear or imagine, but they also transfer knowledge in the most effective way.

That’s why I decided to contribute to The Analogies Project.

Here’s what their website say about about the project:

Mission
The aim of the Analogies Project is to help spread the message of information security, and its importance in the modern world.
By drawing parallels between what people already know, or find interesting (such as politics, art, history, theatre, sport, science, music and every day life experiences) and how these relates to information security, we can increase understanding and support across the whole of society.

Why use analogies?
Many aspects of information security are highly technical and require a deep specialist knowledge. However, we know that all security depends ultimately on the awareness and preparedness of non-specialists.
Information security professionals cannot rely solely on technology to protect their organisations. They must engage with senior management and users in a way that their message is understood, fully appreciated and implemented. In this way they can drive changes in attitude and behaviour that will make the organisation more secure.
To do that, they must find a new language to get their points across to the non-specialist. And this is where the Analogies Project comes in….
Our past is littered with examples of how the prosperity or decline of individuals, enterprises, governments and nation states has depended to a greater or lesser extent, on the confidentiality, integrity and availability of information. By using storytelling, analogies and metaphor we can transform these real life events into powerful tools for engagement.

Please feel free to check out my profile and read my analogies.

Find out how security controls affect productivity in your company

 

speedometer

To expand on my research on the human aspect of security, I created a simplified model to highlight the relationship between productivity and security. The main hypothesis, is that there is a productivity cost associated with the security controls.

The interactive simulation was created to allow users to implement their own security policies and observe the relationship between risk reduction and impact on productivity cost. Easy to understand visual feedback is available immediately for the users. This helps to understand security managers’ perspective when implementing security controls in a company.

The creation of the model was inspired by research conducted by Angela Sasse and her colleagues at the University College London.

Please get in touch if you have any feedback or would like to discuss the underlying research findings.

Discussing Human Aspects of Information Security

June 11 (1)

I delivered a seminar on the human aspects of information security at the University of West London. We discussed conflicts between security and productivity in companies and possible solutions. Research students with different backgrounds helped to drive the debates around usability, awareness and policy design.

We also talked about the practical applications of behavioural theories, where I shared my views on user monitoring and trust in organisations within the context of security culture.

Daniel, one of the participants, summarised his experience in his blog.

Image courtesy of Vlado / FreeDigitalPhotos.net

Delivering a Seminar at the IT Security & Computer Forensics Pedagogy Workshop

HIGHER EDU

I presented at the HEA STEM Workshop on human aspects of information security.

The aim of the workshop is to share, disseminate and stimulate discussions on: the pedagogy of teaching subjects related to IT security and computer forensics, and issues relating to employability and research in these areas.

During the workshop the speakers presented topics that focus on: delivery of innovative practical tutorials, workshops and case studies; course design issues; demand for skills and employment opportunities; countering the “point & click” approach linked to vendor supplied training in industry; and current research exploring antivirus deployment strategies.

Risks to Risk Management

Nasim Taleb in his book The Black Swan provides the following examples of Mirage Casino’s four largest losses:

  • $100 million from a tiger mauling
  • Unsuccessful attempt to dynamite casino
  • Neglect in completing tax returns
  • Ransom demand for owner’s kidnapped daughter

How many of these losses could’ve been identified and managed appropriately?

John Adams in his research Risk, Freedom and Responsibility suggests that “Risk management is not rocket science – it’s much more complicated.” He further elaborates on this point in his research: “The risk manager must […] deal not only with risk perceived through science, but also with virtual risk – risks where the science is inconclusive and people are thus liberated to argue from, and act upon, pre-established beliefs, convictions, prejudices and superstitions.”

According to Adams, there are three types of risk:

three_kinds_or_risk

  • Directly perceptible risks are dealt with using a proper judgment. “One does not undertake a formal, probabilistic, risk assessment before crossing the road.”
  • Risks perceived through science are subject to formal risk managementprocess.  “Here one finds not only biological scientists in lab coats peering through microscopes, but physicists, chemists, engineers, doctors, statisticians, actuaries, epidemiologists and numerous other categories of scientist who have helped us to see risks that are invisible to the naked eye. Collectively they have improved enormously our ability to manage risk – as evidenced by the huge increase in average life spans that has coincided with the rise of science and technology.”
  • Virtual risk is not perceived through science, hence people are forced to act based on their convictions and beliefs.Such risks may or may not be real, but they have real consequences. In the presence of virtual risk what we believe depends on whom we believe, and whom we believe depends on whom we trust.”

Klein in his Streetlights and shadows: searching for the keys to adaptive decision making suggests the following issues with risk management:

  • It works best in well-ordered situations
  • Fear of speaking out may result in poor risk identification
  • Organisations should understand that plans do not guarantee success and may result in a false sense of safety
  • Risk Management plans may actually increase risk.

Klein also identifies three risk decision making approaches:

  • Prioritise and reduce
  • Calculate and decide
  • Anticipate and adapt

To illustrate individual’s decision-making process while dealing with risk, Adams introduces another concept called “Risk thermostat”

risk_thermostat

The main idea behind it is that people vary in their propensity to take risks which is influenced by the perception of risk, experience of losses, and potential rewards.

People tend to overestimate spectacular but rare risks, but downplay common risks. Also, personified risks are perceived to be greater than anonymous risks.

The protection measures also can be introduced to only increase perceived security, rather than implement actual mechanisms. A possible example might be using National Guard in airports after 9/11 to provide re-assurance. However, such a security theatre has other applications in relation to motivation, deception and economics.

Finally, Adams discusses the phenomenon of risk compensation and appropriate adjustments which take place in the risk thermostat. He argues that introducing safety measures changes behavior: for example, seat belts can save a life in a crash, so people buckle up and take more risks when driving, leading to an increased number of accidents. As a result, the overall number of deaths remains unchanged.

Giving a talk at the University of Greenwich

presentation

I was invited to the University of Greenwich to discuss career opportunities in the information security field. We had a productive discussion with the young people who are finishing their degree in Computer Security and Forensics. After the presentation I was introduced to several PhD students who are currently researching various issues around privacy and social media. I’m very happy that people are becoming more interested in solving information security and privacy issues.

Research Proposal: People and Security

UCL - research proposal
Purpose: The study aims to develop a model to support security managers’ decision-making process when implementing security policies in their organisations and incorporates users into the system in a way that mitigates the negative impact of users’ behaviour on security controls

Background: Security managers in companies lack a clear process to implement security controls in order to ensure compliance with various regulations and standards. The company can be formally compliant but still inefficient in performing its revenue-generating activities.
Security managers may take ISO 27001 standard as a framework and then make a decision on any particular implementation based on their experience. Such implementations run the risk of creating collisions with users’ business activities and result in violation of security policies in the company, because they introduce friction with the business process. Users try to avoid such friction. It is important, however, to differentiate between malicious non-compliance and cases when security policy obstructs business processes leading to workarounds. There is a mismatch between users’ and security managers’ perception of workload, introduced by security tasks

Method: To achieve the goal of the study, a combination of quantitative and qualitative methods is applied to research the perception of information security by both users and security managers.

Research benefits. The model points a security manager in the direction of a better understanding of the users in his company.  It provides the means to gain an insight into users’ core business activities and reflect on how they relate to the security tasks. This can help security managers to come up with more usable security policies and reduce the number of potential complaints, and instances of violation of security policy.
Moreover, this model can help the security manager to understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions, and help in security policy optimisation. Additionally understanding that the security manager’s decisions affect the whole organisation may result in cost savings from pre-implementation security analysis and its relation to main business processes of the company