The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour

In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.

Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.

This can be addressed by factoring in the individual’s perspective, knowledge and awareness, and by adopting a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.

I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:

  • Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
  • Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
  • Give advice on aligning a security programme with wider organisational objectives.
  • Manage and communicate these changes within an organisation.

Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.

The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour, helping security professionals understand how a security culture that puts risk into context promotes compliance.

It’s now available for pre-order on the UK, EU or US websites.

Project Manager’s Toolkit

There are many factors that make an effective project manager. From my experience, project managers face the biggest challenges managing and communicating project inter-dependencies, open actions, risks and issues.

To help myself and others, I’ve developed a simple spreadsheet, which includes templates for the above items.

For example, open actions can be tracked in the table below, making it easier to keep all the stakeholders aligned on what needs to be done and by when.

Date Raised | Raised By | Original Action | Progress Update / Revised Actions | Category | Owner | Priority | Target Completion Date | Status

Additionally, dependencies can be captured in the table below. Placing the provider’s delivery date next to the receiver’s required date makes any potential conflict between the two parties visible, and enables a constructive dialogue to clarify inter-dependencies and agree on the critical path.

Deliverable Title | Provider | Delivery Date | Receiver | Required Date | Handshake? | RAG | Comments / Actions

Feel free to download the PM Toolkit template (in Excel format), which also includes tabs for risk and issue management, and adjust it to your needs.

Image courtesy phasinphoto / FreeDigitalPhotos.net

Security in an Agile World – NextSec event

Santander have kindly agreed to host our next workshop event in their London offices on the 14th October. View the event flyer here.

Hear from leaders in Digital Innovation and Information Security on:
– The balance of Security and Innovation: The Cyber Threat and Opportunity
– Phishing and Social Media
– The Importance of Communication in Security

Speakers
– Edward Metzger, Head of Innovation, Santander
– Matt Bottomley, Senior Manager, Cyber Risk, Lloyds Banking Group
– Christine Maxwell, Head of Digital Security, Governance and Operational Excellence, BP

Networking and Careers Session
– Opportunity to network with junior professionals and students in Information Security and Technology
– Post event drinks and canapés reception
– Information Security careers stands from Santander, EY and KPMG will be at the event

Date: Wednesday 14th October 2015

Register now

Online Safety and Security

We live in the developed world where it is now finally safe to walk on the city streets. Police and security guards are there to protect us in the physical world. But who is watching out for us when we are online?

Issues:

  1. Cyber crime and state-sponsored attacks are becoming more and more common. Hackers are now shifting their focus from companies to individuals. Cars, airplanes, smart homes and other connected devices, along with personal phones, can be exploited by malicious attackers.
  2. Online reputation is becoming increasingly important. Potential business partners conduct thorough research prior to signing deals. A bad online reputation dramatically decreases your chances of succeeding in business and other areas of life.
  3. Children’s safety online is at risk from cyber-bullying and identity theft; with the rapid development of mobile technology and geolocation, tracking the whereabouts of your children is easier than ever, opening opportunities for kidnappers or worse.

Solution:

A one-stop-shop for end-to-end protection of online identity and reputation for you and your children.

A platform of personalised and continuous online threat monitoring secures you, your connections, applications and devices and ensures safety and security online.

Image courtesy of winnond / FreeDigitalPhotos.net

Cyber Wargaming Workshop

I was recently asked to develop a two-day tabletop cyber wargaming exercise. Here’s the agenda.
Please get in touch if you would like to know more.

Day 1
Introduction
Course Objectives
Module 1: What is Business Wargaming?
How Does Business Wargaming Work?

  • Teams
  • Interaction
  • Moves

Module 2: Cyber Fundamentals

  • Practical risk management
  • Problems with risk management
  • Human aspects of security
  • Convergence of physical and information security
  • Attacker types and motivations
  • Security incident management
  • Security incident handling and response
  • Crisis management and business continuity
  • Cyber security trends to consider

Module 3: Introducing a Case Study

  • Company and organisational structure
  • Processes and architecture
  • Issues

Module 4: Case Study Exercises

  • Case study exercise 1: Risk Management
  • Case study exercise 2: Infrastructure and Application Security

Day 2
Introducing a wargaming scenario
Roles and responsibilities
Simulated exercise to stress response capabilities
The scenario will test:

  • How organisations respond from a business perspective
  • How organisations respond to the attacks technically
  • How severely organisations are affected by the scenario
  • How they share information amongst relevant parties

Feedback to the participants
Course wrap-up

Image courtesy zirconicusso / FreeDigitalPhotos.net

Removing Unused Firewall Rules

Implementing cutting-edge technology solutions is not the only way to combat cyber threats. Seemingly mundane administrative tasks such as network infrastructure hardening could yield greater results in terms of risk reduction.

I ran a remediation project for a major blue chip company, which successfully removed over 8,000 unused firewall rules.

Such projects can be complex and require a rigorous process to ensure that no active rules are removed. For example, a period of monitoring and subsequent hypercare ensured that only a few rules that had been flagged as “unused” had to be reverted to production. Proactive stakeholder engagement was key in completing the work ahead of schedule and under budget.

As a result, the project improved network security by removing the opportunity for an attacker to exploit a weak, unused firewall rule that no legitimate traffic depended on. Moreover, the number of rules on the firewalls was cut by half, which made them easier and cheaper to monitor and manage.
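The two checks that make such a clean-up safe, a monitoring window before removal and a hypercare review of what the default deny starts dropping afterwards, can be scripted. The following is an added example, not the project’s own tooling: the rule-export and deny-log formats, the IP ranges, the rule IDs and the 90-day minimum window are all constructed for illustration and do not correspond to any vendor’s format.

```python
"""Flag firewall rules that matched no traffic during a monitoring window, then
check the post-removal (hypercare) deny log for flows those rules used to permit.

Added example with constructed data; the export and log formats are assumptions,
not any vendor's format."""
import csv
import io
import ipaddress
from datetime import datetime

MIN_WINDOW_DAYS = 90  # assumption: long enough to observe quarterly batch jobs

# Constructed rule export. 'hits' counts matches since the counters were cleared
# at the start of the monitoring window; 'last_hit' is the lifetime last match.
RULE_EXPORT = """\
rule_id,action,src,dst,service,hits,last_hit
100,permit,10.1.0.0/24,10.2.0.10,tcp/443,48213,2015-06-29T10:14:00
101,permit,10.1.0.0/24,10.2.0.11,tcp/22,0,
102,permit,10.3.0.0/16,10.2.0.0/24,tcp/1433,0,2014-11-02T03:20:00
103,deny,0.0.0.0/0,10.2.0.0/24,any,17,2015-06-28T23:59:00
104,permit,10.4.0.5,10.2.0.12,tcp/8443,0,
"""

# Constructed hypercare log: flows dropped by the default deny after clean-up.
HYPERCARE_DENIES = """\
2015-07-06T02:00:03 deny src=10.4.0.5 dst=10.2.0.12 proto=tcp dport=8443
2015-07-06T09:12:44 deny src=192.0.2.9 dst=10.2.0.10 proto=tcp dport=3389
"""

WINDOW_START = datetime(2015, 1, 1)
WINDOW_END = datetime(2015, 7, 1)


def load_rules(export_text):
    rules = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["hits"] = int(row["hits"])
        row["last_hit"] = datetime.fromisoformat(row["last_hit"]) if row["last_hit"] else None
        rules.append(row)
    return rules


def unused_candidates(rules, start, end):
    """Permit rules with zero hits in the window. Deny rules are never
    candidates: removing one can widen access rather than tighten it."""
    if (end - start).days < MIN_WINDOW_DAYS:
        raise ValueError("monitoring window too short to trust zero-hit counters")
    return [r for r in rules if r["action"] == "permit" and r["hits"] == 0]


def flow_matches(rule, src, dst, proto, dport):
    """True if the rule's source/destination/service would have permitted this flow."""
    if rule["service"] != "any":
        rproto, rport = rule["service"].split("/")
        if rproto != proto or int(rport) != dport:
            return False
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"], strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"], strict=False))


def parse_deny(line):
    _ts, _verdict, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return fields["src"], fields["dst"], fields["proto"], int(fields["dport"])


def rules_to_reinstate(removed, deny_log):
    """Removed rules that would have permitted a flow seen during hypercare,
    keyed by rule_id, with the offending log lines kept as evidence."""
    evidence = {}
    for line in deny_log.splitlines():
        src, dst, proto, dport = parse_deny(line)
        for r in removed:
            if flow_matches(r, src, dst, proto, dport):
                evidence.setdefault(r["rule_id"], []).append(line)
    return evidence


def run(export=RULE_EXPORT, deny_log=HYPERCARE_DENIES, start=WINDOW_START, end=WINDOW_END):
    candidates = unused_candidates(load_rules(export), start, end)
    return [r["rule_id"] for r in candidates], rules_to_reinstate(candidates, deny_log)


if __name__ == "__main__":
    ids, reinstate = run()
    print("candidates for removal:", ids)
    print("reinstate after hypercare:", reinstate)
```

On the sample data, rules 101, 102 and 104 are flagged, the explicit deny (103) is left alone, and hypercare shows that rule 104 was in fact needed by an infrequent flow and should go back; the dropped RDP attempt from 192.0.2.9 matches no removed rule, which is exactly the traffic the default deny should keep blocking.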

Image courtesy renjith krishnan / FreeDigitalPhotos.net

Agile development: Scrum

Agile frameworks are gaining momentum in software development and beyond. One of them, called Scrum, caught my attention recently.

I’ve had the privilege to work in one of the biggest dot-coms in Europe and immerse myself in an agile environment. I’ve had the opportunity to witness first-hand that the efficiencies gained through adopting an agile method cannot be underestimated.

To structure my knowledge and practical experience, I’ve decided to study for the Certified Scrum Master (CSM) exam offered by the Scrum Alliance.

I can highly recommend the two-day course which is a pre-requisite for the certification. This short module helps put everything into perspective and allows you to practice some of the key concepts in a safe environment during a number of workshops. For example, I’ve had an opportunity to work with the product backlog, facilitate sprint planning and retrospective sessions and write user stories.

It also clarifies the role of the Scrum Master in the team as a servant-leader and their relationship with Product Owner and the development team.

Find out more on the Scrum Alliance website.

Industrial Control Systems Security: Information Exchange

There are a number of global information exchanges related to industrial control systems security. They offer useful guidelines and standards to help protect these environments.

The UK Centre for the Protection of National Infrastructure (CPNI) provides good practice and technical guidance as well as advice on securing industrial control systems, including guidance on a secure move to IP-based networks (SCADA).

They also highlight the risks of wireless connectivity of physical security systems.

Similar information exchange centres have been established in Japan and Spain.

For an introduction to Industrial Control Systems Security see my previous blogs (Part I, Part II, Part III) or the ICS Security Library.

Third-party security assessments: applying SABSA

Organisations around the world are increasingly relying on third-party vendors to give them a competitive advantage. Many companies, in a race to optimise processes and reduce costs, begin to outsource core functions. This leads to an increased risk profile and new challenges of supplier oversight.

Dealing with third parties has grown into more than a procurement issue. The suppliers that companies increasingly rely on pose not only legal but also reputational risks that cannot be fully transferred. Security and privacy incidents involving third-party providers present new management challenges. Moreover, regulators increasingly demand that third-party risk be managed.

Suppliers, however, have their own challenges. The constant squeeze on costs from their clients reduces profit margins, making it increasingly difficult for vendors to prioritise the implementation of security requirements.

How do we make sure the suppliers we work with are trustworthy? How do we minimise the risk exposure from a potential incident? What level of assurance is required for a supplier?

These are the questions I’m going to answer in this blog.

Understanding business drivers and goals is essential for developing a third-party risk management approach. By analysing the company’s corporate strategy I was able to derive multiple business attributes relevant to the shareholders. One of them stands out: Trusted. I’m going to disregard the other attributes and focus on this one for the purposes of this case study. Not only is it important for the company to be trusted by its customers, but trustworthiness is also something I’m going to explore in this blog from the third-party relationship standpoint.

After a workshop with the CIO and IT managers in various business units, I’ve defined the following IT attributes supporting the main business attribute (Trusted): Transparent, Assured and Managed.

How does the security function support the wider IT objectives and corresponding attributes? After a number of workshops and analysing the security strategy document I’ve managed to create a number of security attributes. Below is a simplified example correlating to the business and IT attributes in scope:

Dealing with customers and managing relationships with them is one of the core activities of the company. As discussed above, being trusted by the customers is one of the main values of the organisation. The IT department, through the implementation of its technology strategy, supported the business stakeholders in Sales and Marketing in outsourcing the customer relationship management platform to a third-party provider. A cloud-based solution has been chosen to fulfil this requirement.

A combination of attribute profiling, trust modelling and risk analysis is used to assess the degree of assurance required and compare third-party providers. Below is a recommended approach based on the attributes defined.

Security attributes mapping

Based on the internal security policy the following questionnaire has been developed to assess the supplier. Responses from the supplier have been omitted to preserve confidentiality. Below is a short excerpt from one of the sections of the questionnaire related to cloud services.

Question | Attribute
Are terms of services and liabilities clearly defined in service agreements? | Governed
Are escrow arrangements in the supplier contract agreement and cloud service agreements registered with procurement and documented in the cloud service register? | Identified
Are physical security and environmental controls present in the data centre that contains company data? | Integrated
Are procedures for user authentication, authorisation and access termination documented? | Access-Controlled
Has the Business Continuity Plan been reviewed and approved by the executive management? | Governed
How often are the Business Continuity and Disaster Recovery Plans tested? | Available
Are there specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)? If yes, specify the RTO and RPO for the company services. | Available
Are default settings customised to implement strong encryption for authentication and transmission? | Access-Controlled

Attribute compliance is assessed from the questionnaire answers, as every question is mapped to a specific attribute. Where an attribute corresponds to multiple questions, each answer is rated separately and an average rating for that attribute is calculated. Exceptions apply where specific questions are identified as having priority (a higher impact on attribute compliance) over the other questions mapped to the same attribute; expert judgement is applied in such cases.

Attributes are evaluated with three main levels:

  • High level of compliance with policy (Green),
  • Medium level of compliance with policy (Amber),
  • Low level of compliance with policy (Red)
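The scoring rule above (rate each answer, average per attribute, let a priority question override the average, then band into RAG) can be made repeatable so that two assessors reach the same colour for the same answers. The following is an added example and not the assessment’s own scoring sheet: the question-to-attribute mapping is the one in the excerpt above, but the 0..1 rating scale, the choice of the encryption question as the priority question, the rule that a priority question caps the attribute score, and the Green/Amber thresholds of 0.8 and 0.5 are all assumptions.

```python
"""Turn rated third-party questionnaire answers into per-attribute RAG ratings.

Added example: the question-to-attribute mapping follows the questionnaire
excerpt; the rating scale, the priority rule and the RAG thresholds are
assumptions, not the original assessment's own numbers."""
from statistics import mean

# Question -> security attribute, taken from the cloud-services excerpt.
QUESTION_ATTRIBUTE = {
    "Q1": "Governed",           # terms of service and liabilities defined
    "Q2": "Identified",         # escrow arrangements registered and documented
    "Q3": "Integrated",         # physical and environmental controls in the DC
    "Q4": "Access-Controlled",  # authn/authz/termination procedures documented
    "Q5": "Governed",           # BCP reviewed and approved by executives
    "Q6": "Available",          # BCP/DRP test frequency
    "Q7": "Available",          # RTO/RPO defined
    "Q8": "Access-Controlled",  # strong encryption for auth and transport
}

# Assumption: questions whose answer caps the attribute's score instead of
# merely contributing to the average (the "expert judgement" exception).
PRIORITY_QUESTIONS = {"Q8"}

# Assumption: RAG bands on the 0..1 attribute score.
GREEN_MIN = 0.8
AMBER_MIN = 0.5


def rag(score):
    if score >= GREEN_MIN:
        return "Green"
    if score >= AMBER_MIN:
        return "Amber"
    return "Red"


def score_attributes(ratings, mapping=QUESTION_ATTRIBUTE, priority=PRIORITY_QUESTIONS):
    """ratings: {question_id: rating in [0, 1]} -> {attribute: (score, RAG)}.

    Every answered question must be mapped, and an attribute with no answers is
    reported as Red rather than silently omitted, so a supplier cannot improve
    its profile by skipping questions."""
    per_attribute = {}
    caps = {}
    for qid, rating in ratings.items():
        if qid not in mapping:
            raise KeyError(f"{qid} is not mapped to an attribute")
        if not 0.0 <= rating <= 1.0:
            raise ValueError(f"{qid}: rating {rating} outside 0..1")
        attr = mapping[qid]
        per_attribute.setdefault(attr, []).append(rating)
        if qid in priority:
            caps[attr] = min(caps.get(attr, 1.0), rating)

    result = {}
    for attr in sorted(set(mapping.values())):
        if attr not in per_attribute:
            result[attr] = (0.0, "Red")  # no evidence is treated as non-compliant
            continue
        score = min(mean(per_attribute[attr]), caps.get(attr, 1.0))
        result[attr] = (round(score, 2), rag(score))
    return result


# Constructed supplier responses, already rated by the assessor:
# 1.0 fully meets policy, 0.5 partially meets it, 0.0 does not meet it.
SAMPLE_RATINGS = {
    "Q1": 1.0, "Q2": 0.0, "Q3": 1.0, "Q4": 1.0,
    "Q5": 0.5, "Q6": 1.0, "Q7": 1.0, "Q8": 0.0,
}

if __name__ == "__main__":
    for attr, (score, colour) in score_attributes(SAMPLE_RATINGS).items():
        print(f"{attr:18} {score:.2f} {colour}")
```

The sample shows the override at work: Access-Controlled would average to 0.5 (Amber) on the two answers, but the priority question on encryption scored 0.0 and caps the attribute at Red, which is the outcome an assessor would reach by judgement anyway.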


SC Awards, BSides London and Infosecurity Europe

It was a busy week for security professionals in London; InfoSecurity Europe, BSides London and SC Magazine Awards were happening almost simultaneously.

We were provided with a booth at the InfoSecurity Europe conference & exhibition to host another NextSec event entitled “Finance and Cyber Security: How Banks Are Evolving To Combat The External Cyber Landscape”. Two global financial institutions discussed how they are reacting to the cyber threats that affect them, and how they are looking to combat that threat.

Attendees had an opportunity to gain insight into how financial institutions are dealing with cyber threats on both strategic and operational levels, as well as to understand the challenges and approaches to managing information security risk in large financial organisations.

I was also invited to attend the SC Magazine Awards as part of KPMG’s Cyber Academy team. I helped to develop KPMG’s IT Security Concepts course and also delivered it internally. It was a great honour to know that the course’s quality was recognised beyond the firm.

Finally, BSides London 2015 was great as always. KPMG were running a lockpicking competition, where I managed to make it to the Top 30. It was also nice to catch up with Thom, Javvad, Lawrence, Iggi and other great professionals in the field.