The Psychology of Information Security – Resolving conflicts between security compliance and human behaviourPosted: November 26, 2015
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:
- Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
- Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
- Give advice on aligning a security programme with wider organisational objectives.
- Manage and communicate these changes within an organisation.
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.
To keep up to date with the recent data breaches, one can use DataLossDB. It is a research project aimed at documenting known and reported data loss incidents world-wide.
For something more visual, Information is Beautiful presented world’s biggest data breaches as bubbles of various size depending on the amount of records lost. Short stories and explanations are also available for some of the incidents.
For real-time information, Google developed the Digital Attack Map. It is a live data visualization of DDoS attacks around the globe, built through a collaboration between Google Ideas and Arbor Networks. The tool surfaces anonymous attack traffic data to let users explore historic trends and find reports of outages happening on a given day.
In my previous post I discussed free online courses in information security. Here I would like to share a few more resources.
“In this course, we will study security and trust from the hardware perspective. Upon completing the course, students will understand the vulnerabilities in current digital system design flow and the physical attacks to these systems. They will learn that security starts from hardware design and be familiar with the tools and skills to build secure and trusted hardware.”
“This course we will explore the foundations of software security. We will consider important software vulnerabilities and attacks that exploit them — such as buffer overflows, SQL injection, and session hijacking — and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, we take a “build security in” mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems.”
“This course focuses on how to design and build secure systems with a human-centric focus. We will look at basic principles of human-computer interaction, and apply these insights to the design of secure systems with the goal of developing security measures that respect human performance and their goals within a system.”
“The impact of technology and networks on our lives, culture, and society continues to increase. The very fact that you can take this course from anywhere in the world requires a technological infrastructure that was designed, engineered, and built over the past sixty years. To function in an information-centric world, we need to understand the workings of network technology. This course will open up the Internet and show you how it was created, who created it and how it works. Along the way we will meet many of the innovators who developed the Internet and Web technologies that we use today.”
“Cybercrime has become both more widespread and harder to battle. Researchers and anecdotal experience show that the cybercrime scene is becoming increasingly organized and consolidated, with strong links also to traditional criminal networks. Modern attacks are indeed stealthy and often profit oriented.
Malicious software (malware) is the traditional way in which cybercriminals infect user and enterprise hosts to gain access to their private, financial, and intellectual property data. Once stolen, such information can enable more sophisticated attacks, generate illegal revenue, and allow for cyber-espionage.
By mixing a practical, hands-on approach with the theory and techniques behind the scene, the course discusses the current academic and underground research in the field, trying to answer the foremost question about malware and underground economy, namely, “Should we care?”.
Students will learn how traditional and mobile malware work, how they are analyzed and detected, peering through the underground ecosystem that drives this profitable but illegal business. Understanding how malware operates is of paramount importance to form knowledgeable experts, teachers, researchers, and practitioners able to fight back. Besides, it allows us to gather intimate knowledge of the systems and the threats, which is a necessary step to successfully devise novel, effective, and practical mitigation techniques.”
“In this course, you will explore several structured, risk management approaches that guide information security decision-making. Course topics include: developing and maintaining risk assessments (RA); developing and maintaining risk management plans (RM); regulatory and legal compliance issues affecting risk plans; developing a control framework for mitigating risks; risk transfer; business continuity and disaster recovery planning from the information security perspective.”
Image courtesy of cooldesign/ FreeDigitalPhotos.net
The 2014 Cyber Careers Fair event registration is now open.
If you are thinking about a Career in Cyber Security or Technology then why not come along and meet prospective employers and training providers. This is a great opportunity for you to find out what employers are looking for in the graduate market, ask questions in a relaxed environment to HR and junior professionals recently hired by these employers, and to grow your network!
Exhibitors confirmed: KPMG, PWC, Citi Group, Morgan Stanley, Lloyds Banking Group, BP, Microsoft, HP, BAE Systems, Royal Signals – British Army, Cyber Security Challenge and (ISC)2.
Exhibitors invited and to be confirmed soon: EY, Goldman Sachs, AXA, Shell, Royal Bank of Scotland, BT, Lockheed Martin UK, HMGCC, and GCHQ.
Date: 30 October 2014 from 10:30 to 16:30 (GMT)
Location: University of Westminster, 115 New Cavendish St, London W1W 6UW
Visit our website www.nextsec.org and watch a short video of last year’s event.
Please use the link below to register for a free ticket to attend and meet employers and HR teams from the participating organisations.
Another successful event organised by NextSec and hosted by KPMG.
Great speakers and fantastic networking opportunities for junior security professionals.
I feel very proud to be a NextSec committee member.
I participated in UK Cyber Security Challenge.
Our university team won the competition.
It was an interesting experience and through teamwork we solved all the challenging puzzles other universities had submitted.
Try to crack Christmas Cipher 2012 to practice for upcoming UK Cyber Security challenges.
A major UK-based telecommunications company proposed to conduct a joint research with MSc Information Security students at UCL.
The use of cloud computing as a way of providing and consuming on-demand, pay-as-you-consume ICT service has revolutionised the industry. Services like Amazon EC2 have seen a huge increase in its revenue. However, currently it is the Small and Medium Enterprises (SMEs) that are leading the way in the use of these public Infrastructure as a Service (IaaS) offerings.
The company envisages that as these services become more mature and secure, they will be adopted and used by more “traditional” enterprises like the finance, health and government sector.
Governance, Risk and Compliance (GRC) plays a very important role in the IT policies of these institutions and as such, for any solution to be adopted by them, these aspects of the IT policies will have to be considered. Several initiatives have been started to address this issue. The Cloud Security Alliance’s GRC Stack is one of the most mature and accepted initiative in this area. It consists of four main stacks – Cloud Controls Matrix, Consensus Assessments Initiative, Cloud Audit and Cloud Trust Protocol.
It was very interesting to participate in the series of workshops to investigate how this framework would impact and be used by the company. This helped me to learn a lot about the telecoms industry and the way they are adopting cloud technologies in a secure way.