Security compliance behaviour conflicts resolution model

This article presents a model for analysing and visualising a company’s security policy in relation to productive business activities, building on the example scenario.

The model aims to provide a means of comparing how users and security managers perceive security tasks, and of optimising security activities in the company.

A guide for the security manager

On the one hand, violation of compliance requirements may result in significant losses for an organisation. On the other hand, poorly implemented security policies may obstruct users’ goal-driven behaviour and may result in non-compliance.

The scenario suggests that the CISO takes ISO 27001 as a framework and then makes a decision on a particular implementation based on his knowledge and past experience. As illustrated by the scenario, a lack of clear guidance in this decision-making process may result in a situation in which a company is formally compliant with the standard but users perform their core business activities inefficiently and/or are forced to violate poorly implemented security policies.

By directly comparing security requirements and business processes, the security manager can analyse ISO 27001 policy compliance controls and their consequences for user behaviour.

In order to ensure that users in the organisation will comply with security policies, the security manager should broaden his perspective and make users a part of the system. It is important to differentiate between malicious non-compliance and cases in which the security policy obstructs a core business process.

                                   Policy compliance
                                   Yes        No
Primary task optimised   Yes       V          (X)
                         No        (V)        X

Relation between policy compliance and optimisation of the primary task

“V” – CISO is satisfied with users’ compliance efforts.

“X” – CISO is not satisfied with users’ compliance efforts.

“(X)” – the case when users perform their tasks efficiently, but are not compliant with security policy.

“(V)” – the case when users are formally compliant with security policy, but it prevents them from carrying out their tasks efficiently.

The table emphasises that, regardless of formal compliance, users perform their core business activities inefficiently when security controls are poorly implemented. The security manager should also pay attention to the cognitive burden and availability aspects of the recommended solutions.

In order to mitigate the risk of poor implementation of security controls, the security manager should follow clear processes when implementing ISO 27001 controls.

[Figure: process]

Such guidance supports the security manager’s decision-making process. This method also gives the security manager an opportunity to reflect on his policy implementation in the context of the particular scenario.

Going beyond formally ensuring compliance, this method involves two rounds of compliance checks:

– Check whether the organisation is compliant (formal box-ticking exercise)

– Check for collisions with users’ core tasks.

Visualisation technique

In order to minimise the probability of repeating the scenario, the security manager should pay more attention to users’ day-to-day business activities.

As a first step of the process, the security manager should gain an insight into users’ typical business activities. After understanding them, the security manager could visualise them, for example in the form of a workweek schedule.

[Figure: User’s main business process]

For instance, the security manager finds out that the analyst runs data analysis software to model risks on Thursday, in order to include this data in the report he usually presents to the client at the end of each week.

Furthermore, by gathering information on users’ manual security tasks, the information security manager estimates users’ current workload.

[Figure: User’s manual security tasks]

The information security manager identifies the unique security tasks that users undertake during the week and uses this information to make those tasks invisible to users. Users would then feel less obstructed in completing their business tasks, even though those activities still take place in the background. Only by identifying, mapping and prioritising them can the security manager do something about them.

Next, as part of the pre-implementation analysis of security controls, the security manager looks at scheduled security activities, such as periodic security awareness workshops, reviews of software and data on users’ workstations, or full machine antivirus scans.

[Figure: Scheduled security activities]

Merging all these diagrams helps the security manager to understand users’ total workload and come up with a more effective implementation of security controls, one that does not introduce collisions with core business tasks.

[Figure: Total user’s workload]

In order to make a decision on a particular implementation of security controls, the security manager should identify how users in his company perceive their security workload and which security tasks they already carry out.

At present, security managers’ and users’ perceptions of security tasks may diverge. The developed model addresses this issue and helps CISOs to manage their decision-making process more effectively. Moreover, comparing the security manager’s and users’ perceptions helps to uncover a number of unique security activities and the amount of time users spend on them.
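As an added illustration (not code from the original article), the following Python sketch encodes the three diagrams described above for the analyst, merges them into a total workload, and flags collisions between scheduled security activities and core business tasks; the days, times and durations are constructed assumptions, and the 2x2 compliance table from earlier in the article is included as a small lookup helper.

```python
from collections import defaultdict
from dataclasses import dataclass

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]


@dataclass(frozen=True)
class Task:
    """One slot in a workweek diagram (hours as decimal clock time, 13.5 == 13:30)."""
    name: str
    kind: str                 # "business", "manual_security" or "scheduled_security"
    day: str
    start: float
    hours: float
    cpu_heavy: bool = False   # competes for CPU/memory with other heavy jobs

    @property
    def end(self) -> float:
        return self.start + self.hours

    def overlaps(self, other: "Task") -> bool:
        return self.day == other.day and self.start < other.end and other.start < self.end


# Constructed sample diagrams; days and times are assumptions built from the text.
BUSINESS = [                                   # user's main business process
    Task("Receive client data (USB / e-mail)", "business", "Mon", 9, 1),
    Task("Extract data with special software", "business", "Tue", 10, 2),
    Task("Internet research for report", "business", "Wed", 9, 3),
    Task("Run risk analysis software", "business", "Thu", 9, 3, cpu_heavy=True),
    Task("Client meeting / presentation", "business", "Fri", 14, 2),
]
MANUAL_SECURITY = [                            # user's manual security tasks
    Task("Manual antivirus scan of client USB", "manual_security", "Mon", 10, 0.25),
    Task("Manual scan of e-mail attachments", "manual_security", "Tue", 9, 0.25),
    Task("Anti-phishing check of downloads", "manual_security", "Wed", 12, 0.25),
    Task("Manual scan of export USB stick", "manual_security", "Fri", 13.5, 0.25),
]
SCHEDULED_SECURITY = [                         # activities the CISO schedules
    Task("Full machine antivirus scan", "scheduled_security", d, 12, 1, cpu_heavy=True)
    for d in DAYS
] + [Task("Security awareness workshop", "scheduled_security", "Fri", 14, 1)]


def total_workload(*diagrams):
    """Merge the diagrams: hours per day, broken down by task kind."""
    load = defaultdict(lambda: defaultdict(float))
    for diagram in diagrams:
        for t in diagram:
            load[t.day][t.kind] += t.hours
    return load


def security_hours_per_week(*diagrams):
    """Time the user spends on security (manual + scheduled): the figure the
    text suggests using for workload estimates and investment decisions."""
    return round(sum(t.hours for d in diagrams for t in d if t.kind != "business"), 2)


def find_collisions(business, *security_diagrams):
    """A collision is a security activity that overlaps a business task in time,
    or a CPU-heavy security job on the same day as a CPU-heavy business task
    (the full-scan-versus-risk-analysis case from the text)."""
    hits = []
    for b in business:
        for s in (t for diagram in security_diagrams for t in diagram):
            if b.overlaps(s):
                hits.append(("time", b.name, s.name, b.day))
            elif b.cpu_heavy and s.cpu_heavy and b.day == s.day:
                hits.append(("resource", b.name, s.name, b.day))
    return hits


def render_week(*diagrams) -> str:
    """Plain-text workweek schedule, the visualisation the text describes."""
    by_day = defaultdict(list)
    for diagram in diagrams:
        for t in diagram:
            by_day[t.day].append(t)
    lines = []
    for day in DAYS:
        lines.append(day)
        for t in sorted(by_day[day], key=lambda t: t.start):
            lines.append(f"  {t.start:05.2f}-{t.end:05.2f}  [{t.kind:18}] {t.name}")
    return "\n".join(lines)


def compliance_quadrant(compliant: bool, task_optimised: bool) -> str:
    """Cell of the 2x2 table: V, (X), (V) or X."""
    if compliant:
        return "V" if task_optimised else "(V)"
    return "(X)" if task_optimised else "X"


if __name__ == "__main__":
    print(render_week(BUSINESS, MANUAL_SECURITY, SCHEDULED_SECURITY))
    print("security hours/week:", security_hours_per_week(MANUAL_SECURITY, SCHEDULED_SECURITY))
    for kind, b, s, day in find_collisions(BUSINESS, SCHEDULED_SECURITY):
        print(f"{day}: {kind} collision between '{b}' and '{s}'")
```

With these constructed inputs the merge reports the two collisions the text describes for the analyst: the Thursday full scan competing with the risk analysis run, and the Friday workshop clashing with the client meeting.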

Validation of the model

The purpose of this section is to validate the model and gather relevant feedback from information security experts.

Method

An interview questionnaire was developed to collect information security experts’ opinions on the developed model.

Written consent was collected prior to each interview, after explaining the ethical and privacy points. Additionally, permission to use a voice-recording device was obtained for later analysis.

Information regarding the interview procedure, the intended questions and a brief overview of the study was sent to all participants in advance via e-mail. Participants were allowed at least 2 days to examine the materials and prepare for the interview.

Five interviews were conducted with information security experts. Every interview took place at the participant’s office at a convenient time.

Feedback provided by the information security experts was documented and analysed according to the grounded theory method. The following codes were identified:

– Degree of realistic implementation

– Potential benefits

– Business advantages

– Practical implementation

– Impact on security manager’s decision-making process

– Other ways of dealing with similar issues

– Drawbacks of the model.

Results

Information in this section is presented according to the codes discovered during the interview process and subsequent data analysis.

  1. Degree of realistic implementation: all security managers agree that the developed model is realistic and can be implemented in a real-world company.
  2. Potential benefits: all interviewed experts believe that the model would be beneficial to their organisations.
  3. Business advantages: 3 out of 5 security experts were able to name possible economic advantages of implementing the model.
  4. Practical implementation: 2 out of 5 interviewed security managers agreed to run pilot testing of the model in their organisation.
  5. Impact on security manager’s decision-making process: 4 out of 5 interviewed experts stated that the presented model changed their attitude towards compliance behaviour issues. One security manager commented that this model doesn’t affect his decision-making process.
  6. Other ways of dealing with similar issues: no other ways of proactively dealing with the impact of users’ behaviour were presented.
  7. Drawbacks of the model: all interviewees agree that implementation of the model might be time- and resource-consuming.

Discussion

This section presents a discussion of interview findings.

Degree of realistic implementation

All the interviewed experts agree that the model could be implemented in a real-world scenario, but commented that it should be refined and validated with real data. For example, one security manager said:

“I think the approach is sound and it’s realistic, but needs validation with the real data. And in the absence of the real data it’s got rather limited value.”

Another expert commented:

“I think that all sounds very interesting. You are definitely on the right track, but you need to collect more data to validate this model.”

Another security manager said:

“I believe it is realistic if it works, it will be relevant to any business. I don’t think many have considered practically addressing this dimension of security in their organisations.”

Potential benefits

Security experts can see the potential benefits of implementing the developed model in their companies. For instance, one expert said:

“I think that the issue of usability and security is really important. Understanding where those tensions are and then representing those tensions might in some way help us to understand the cost associated with mitigating the risk.”

Another security manager commented:

“This model might help us to highlight where we can be creative and do something slightly different to make it easier for users to do what they want to do and do it in the default secure way. So yes, anything that can help us shed light on that is going to be beneficial.”

One expert said:

“I think it’s beneficial, because it allows you to channel these thoughts about users’ workflow versus your workflow. How we squeeze security tasks all together with business activities.”

Business advantages

According to the experts, the developed model yields some direct economic benefits for the company. For example, one security manager suggested:

“It is a very relevant model also from a resource management perspective. How is my staff’s time being utilised? Am I utilising my staff for the best?”

One security expert suggested that the presented model can help him make better decisions regarding risk assessment and investments in information security controls:

“It can be very valuable input into our risk assessment process and into our security investment decision-making process. Do we want to invest in one security tool or the other? Your model can provide means to compare security investment opportunities.”

Another expert agrees:

“You can understand what the business process is and what security solution would fit the best in order to maximise value.”

Another security manager’s quote supports the same point:

“Security really struggles to justify return on investment. What you could do is, if you actually break it down, say that during the day a typical user spends thirty minutes doing security activities. That costs, say, 2 million pounds for a user. Does this security control bring 2 million worth of saving in a year? If yes, or more, then it is worth it. If no, then maybe you are doing the wrong controls. When maybe you should accept the risk. For example, yes, maybe a USB stick may introduce a virus to the system. Fine, but don’t spend five minutes every time scanning it.”

Practical implementation

Some security managers agreed to run a pilot test in their companies. One expert commented:

“It provided a different perspective on security – we have not considered how specific security controls may affect user behaviour and productivity. I would be happy enough to run it as a small pilot to see if it yields the promised results.”

Another said:

“If it could be used as a means to ensure greater user efficiency/reduced non-compliance, we could consider including it in our security review.”

This indicates that the model could be implemented in real-world companies for future analysis.

Impact on security manager’s decision-making process

The majority of security managers mentioned that the presented model made them realise the impact of their actions on users, and how users might struggle with particular security controls implemented in the company.

Some security managers came up with particular scenarios of how they would now make decisions on the implementation of security controls. One expert said:

“As a result you can make a decision to implement a technology solution that is going to scan all the USB sticks in the background, rather than making each and every user do it manually. The cost of such implementation would be justified by your model. It will save users’ time and you can get the security benefit as well.”

However, one security manager confessed that this model would not change the way he makes decisions on security policy implementation:

“If it ain’t broken – don’t fix it! If the process we have in place is already compliant, I will not risk changing it just to satisfy the users who are not complaining anyway.”

The results imply that the developed model helped most of the security managers to change their attitude towards compliance behaviour in their companies.

Other ways of dealing with similar issues

All of the interviewed security managers agree that they are not actively dealing with the negative impact of security controls on users’ performance. One expert said:

“It’s very passive. The impact on users is important but it’s not the issue I spend a lot of time thinking about. Our approach is more reactive. The model presented, on the other hand, is a more proactive technique.”

Another commented:

“Very informally. We don’t really draw on real data. I think having a framework of some description would be very useful. Something that focuses that kind of thinking.”

One security manager said that he had never considered users as part of the system, and hence had never used any such techniques, as the following quote shows:

“We never considered user compliance from this perspective before – so have not considered / applied alternative principles.”

Drawbacks of the model

All interviewees agree that implementation of the model might be time- and resource-consuming. One expert commented:

“You need an easier way to implement it – that’s the biggest challenge. Because you need to come up with all users’ business tasks, then all security tasks, and then map them all together. All these things have to also be categorised and measured. And humans are very difficult to measure.”

Another manager mentioned:

“Getting it implemented I see as a big challenge. But once it’s implemented you can get a really good value.”

Another commented:

“The method is very good, but it takes a lot of effort to compile this.”

Despite the identified possible benefits, the model is considered difficult to implement. A cost-benefit analysis could be performed to support the decision on implementing the model.

Conclusion

According to the security experts, the model can yield additional benefits to the company, such as optimisation of security activities, cost reduction, and justification of investment in information security projects.

The interview results reveal the main benefit of the model: it points a security manager towards a better understanding of the users in his company. It provides the means to gain an insight into users’ core business activities and to reflect on how they relate to security tasks. This can help security managers to come up with more usable security policies and reduce the number of potential complaints and instances of security policy violation.

As some of the interviewees suggested, the security manager can implement this model in any company: all he has to do is pick a process, pick a regulation and then apply the model. Moreover, this model can help the security manager to understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions and to help with security policy optimisation. Additionally, understanding that the security manager’s compliance decisions affect the whole organisation may result in cost savings from pre-implementation security analysis and its relation to the main business processes of the company.

Despite the potential benefits, the model has drawbacks. Interview results suggest that implementation of the model might be cost- and resource-consuming. To assess the extent of this problem, real-world data should be collected. Moreover, as one expert mentioned, the model has limited value in the absence of real data. The limited time scope of the current project did not allow validation of the model with such data. Furthermore, access to real data was restricted due to the protective attitude of companies that do not want to be seen in a bad light.

Attitudes towards information security policy and its effect on users’ business activities should be measured before and after implementing the model in the company in order to assess the effectiveness of the model.

Security policy compliance behaviour case study

The ISO 27001 Standard is high-level and provides only basic recommendations on the implementation of security controls. This gives a security manager in a company a lot of flexibility in choosing particular information security policies.

When making a decision on how to introduce new security controls to achieve compliance with the ISO 27001 standard, security managers lack a clear process and rely mostly on their past experience.

Such lack of a clear process and guidance from ISO 27001 may result in an arbitrary implementation of information security controls, which will collide with the core business activities of users in the company.

This article presents a scenario of such implementation and provides specific examples of how those controls may affect users’ behaviour.

The company

Scrooge Bank is a global financial services firm, offering a range of solutions, including asset management, strategic advice, money lending, and risk management to clients in more than 100 countries.

From the organisational structure standpoint, Scrooge Bank consists of three departments in the business unit and three departments in the support unit.

[Figure: Orgchart]

The Chief Information Security Officer (CISO) reports directly to the Compliance and Risk Manager, and is responsible for ensuring legal and regulatory compliance, data loss prevention activities, and security incident management.

A decision taken by the CISO affects the whole organisation, including the analyst in the Investment Banking Department.

The business process

An analyst is a typical role in Scrooge Bank. He is involved in various business activities during the week.

[Figure: business process (BP)]

On a weekly basis the analyst receives information from the client. There are several ways he can obtain this data: it might be copied onto a USB stick during a face-to-face meeting, or sent via e-mail as an attachment.

There are instances when the information received was exported from the client’s proprietary software products, which are not directly compatible with the widely used packages, such as Microsoft Excel, used by the analyst. Hence, the analyst is forced to use special data-extraction software to access the data.

On a regular basis, the analyst needs to search for additional information on the Internet to prepare a report for the client.

Once a week he runs data analysis software to analyse the potential risk for the client. This software is very powerful and commonly used in Scrooge Bank. However, it analyses vast amounts of data and consumes a lot of CPU time and memory.

When a report is finalised, the analyst exports it onto a USB stick in order to present it to the client.

Compliance requirements, controls implementation and impact on users’ behaviour

In order to more effectively protect against malicious code, Scrooge Bank decided to implement the ISO 27001 Standard. According to chapter 10.4.1 of the standard, “Controls against malicious code”, “detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented.”

The ISO 27001 Standard suggests that “Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code. Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs. Users should be made aware of the dangers of malicious code. Managers should, where appropriate, introduce controls to prevent, detect, and remove malicious code and control mobile code.”

The Standard also recommends particular security controls to be implemented in order to protect against malicious code. In order to address the described issues and ensure formal compliance with the Standard, the security manager decides on the following implementation of the security controls. The following table also shows examples of how users in various departments of the company could potentially violate security policy because it prevented them from performing their main business tasks.

Columns: ISO 27001 control implementation guidance / Context / Behavioral impact

Row 1
Guidance: Establishing a formal policy prohibiting the use of unauthorized software.
Context: Scrooge Bank’s CISO came up with a policy document outlining a list of authorized software which can be installed on users’ workstations according to the principle of least privilege: users should only have the access they require to perform their day-to-day activities and no more. Each department contributed to the policy, submitting a list of software which is essential to carrying out tasks by employees in this department. After finalizing this list, all users were denied access to install any new software without written permission from the CISO.
Behavioral impact: John is performing an analysis of the company for the client. The deadline is fast approaching but there is still a lot of work to be done. The night before the deadline, John realizes that in order to finalize his analysis he requires a special data analysis tool, which was not included in the list of authorised software. He is also unable to install it on his workstation, because he does not have the required privileges to install new software. Getting the formal written approval from the CISO is not feasible, because it is going to take too long. John decides to copy the sensitive information required for the analysis to his personal laptop using a USB flash drive, to finish the analysis at home, where he can install any software he wants. John understands the risk but he also wants to get the job done in order to avoid missing the deadline and to get a good performance review at the end of the year. Unfortunately he leaves his bag with the USB stick in the taxi on the way home. He never tells anyone about this incident, to avoid embarrassment.

Row 2
Guidance: Establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken.
Context: In order to prevent obtaining files and software either from or via external networks, or on any other medium, the CISO established a policy restricting the use of file sharing websites and limiting access to CD/DVD and USB flash drives. According to the policy, if a user wants to obtain a specific file from the internet or from an external device, he has to file a written request to his manager, who will decide if this file is essential to perform his duty. After management’s approval, an Information Security Department employee will process this request, downloading the file or copying it from the external medium using a special isolated PC with thorough antivirus checks.
Behavioral impact: Mary works closely with a client to finalise her report on risk analysis for an international energy company. She works directly with the CFO of this company, who is very impatient and busy with other tasks. Mary does not want to annoy him, because he may complain directly to her line manager and she could be disciplined, as this is a very important client which brings millions to the company. The client is not aware of the new policy recently implemented by the CISO of Scrooge Bank and uploads important pieces of information to a file sharing website in the form of an encrypted archive, because it is too big to transfer over corporate e-mail. He communicates the password to Mary over the phone and sends her the link. Mary was scared to explain the new policy to the client and right now she is unable to access this file to finalise her report. She decides to go to an internet café during her lunch break and download the important file from there, understanding the risk, but realising that getting all the necessary approvals may take far too long. At the internet café she not only downloads the encrypted file but also opens it on the local machine to check its integrity, to avoid having to come back, because she will not have any breaks later in the day. Because the internet café is far from the office and she has not had her lunch yet, she hurries and forgets to delete the decrypted file from the machine in the internet café. She realises her mistake when she is back in the office but thinks that it is not a big deal and nothing bad can happen.

Row 3
Guidance: Conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated.
Context: The CISO established a procedure of monthly checks of users’ workstations for the presence of unauthorized data and software. If such data or software were found, the employee would be given a warning. After three warnings he would be fired for non-compliance with the security policies of the company.
Behavioral impact: Juliet uses data and files in her analysis which she obtained from various sources, and she is not sure whether they are approved or not. She is afraid to clarify this situation with the CISO, because she is afraid of being fired. In order to avoid being caught using such files, she decided to store this information on her personal laptop. But after a while she realised that it takes too long to copy and delete data between her corporate PC and her personal laptop, hence she decided to process all the information, including sensitive information, on her personal computer. As always, she took her laptop with her on holiday, but it was stolen in a public place.

Row 4
Guidance: Installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the checks carried out should include: 1) checking any files on electronic or optical media, and files received over networks, for malicious code before use; 2) checking electronic mail attachments and downloads for malicious code before use; this check should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization; 3) checking web pages for malicious code.
Context: The CISO implemented antivirus software on each workstation and configured automatic daily full machine scans to ensure that no malicious code was present on workstations. The CISO also established a formal policy which requires every employee to run manual antivirus checks before opening e-mail attachments and using electronic or optical media.
Behavioral impact: Robin is a derivatives trader. Time and efficiency are critical success factors for him. Robin carries out thousands of deals per day using the electronic terminal on his PC. Introducing the new antivirus software slowed down his workstation’s performance, especially during full machine scans. This directly affects his job performance: he is unable to act as fast as before and misses many valuable opportunities. Robin understands the risk of malicious software but he is also frustrated by his inability to work as efficiently as before. He finds a way to manually disable the antivirus agent on his PC. While searching for information on the internet he accidentally accesses a spoofed website and introduces a Trojan onto his workstation. With no antivirus software to prevent malware from stealing sensitive information from his PC, it becomes a victim.

Row 5
Guidance: Defining management procedures and responsibilities to deal with malicious code protection on systems, training in their use, reporting and recovering from malicious code attacks.
Context: The CISO developed a set of procedures to prevent malicious code. According to these procedures, each head of department is responsible for preventing malicious code attacks in his/her department. The CISO wants to raise awareness, and to train and educate users in how to record, prevent and recover from malicious code attacks. He decided to run regular monthly workshops to achieve these goals.
Behavioral impact: Employees of the organization do not show up for the workshops and do not pay attention, because the CISO’s efforts are driven mainly by corporate directives rather than by security needs. Moreover, the programme is the same for everyone, regardless of roles and responsibilities, and it does not change year after year.

Row 6
Guidance: Preparing appropriate business continuity plans for recovering from malicious code attacks, including all necessary data and software back-up and recovery arrangements.
Context: The CISO developed appropriate plans identifying critical information assets and gathering input from asset owners. The CISO also performs data back-ups on a regular basis and maintains recovery arrangements.
Behavioral impact: Scrooge Bank recently acquired a small company and all its IT infrastructure. Because the CISO failed to update the business continuity plan in a timely manner to include the recent changes, the company was very inefficient in recovering from a malicious code attack. Furthermore, employees were not familiar with what they should do in this situation, due to a lack of education and involvement during plan testing.

Row 7
Guidance: Implementing procedures to regularly collect information, such as subscribing to mailing lists and/or checking web sites giving information about new malicious code.
Context: The CISO assigned the regular collection of information about new malicious code to a member of the Information Security Department, in addition to the other tasks he performs.
Behavioral impact: An employee of the Information Security Department receives too much information daily from antivirus vendors’ websites and mailing lists, so he started to ignore it and focus more on his main tasks (i.e. handling information security incidents).

Row 8
Guidance: Implementing procedures to verify information relating to malicious code, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malicious code, are used to differentiate between hoaxes and real malicious code; all users should be made aware of the problem of hoaxes and what to do on receipt of them.
Context: The CISO wants to raise employees’ awareness of the issue of hoaxes. He decided to run regular monthly workshops to achieve this goal.
Behavioral impact: People do not attend the information security awareness training workshops, because they are scheduled on the same day as an important meeting with the client.

The table shows that, regardless of the fact that the CISO developed a set of information security policies and implemented controls to ensure compliance with the ISO 27001 Standard, users managed to find workarounds which negatively affected the company as a whole. In each and every case users violated security policy in order to accomplish their main business tasks.

Additional security controls, which were added by the CISO, not only introduced additional cognitive burdens on the analyst, but also placed obstacles preventing him from performing his core business tasks.

BP_total

For example, the information security awareness training workshop was scheduled at the same day that the analyst has an important meeting with the client and he have to skip it in order to meet his deadline. Additionally, he managed to shut down the antivirus agent on his workstation because scheduled manual antivirus checks consume too many resources, which are needed to run his risk simulation and analysis software. The analyst also skips manual antivirus and anti-phishing checks either because they are too time consuming or because he is worried about the integrity of the data.

This chapter presented a scenario of a particular realistic implementation of security controls, which can lead to in huge numbers of collisions between security and business tasks.

This scenario emphasises the importance of making users part of the system when implementing security controls.

MSc Information Security research project: Overview of the methods and materials

It is difficult to ensure the effectiveness of an information security programme in a company without paying attention to users' behaviour. One of the challenges for the security manager, when implementing information security policy, is to differentiate between malicious non-compliance and non-compliance caused by the obstruction of business activities.

The main goal of this project is to gain an insight into information security behaviour issues from both the end-users' and the security managers' perspectives. The study aims to develop a model to support security managers' decision-making process when implementing security policy in an organisation. It is important to help security managers make the user a part of the system and to go beyond formal box-ticking when ensuring compliance with legal and regulatory requirements.

In order to achieve the objectives of the study, a three-part method was followed: an example scenario and the development of the model to address the research question (part one), a survey and interviews (part two), and interviews (part three).

Stage one: Develop a model

The objective of the first stage is to motivate the research problem by presenting an example scenario of poorly implemented security policy in a fictitious company, and to develop a model to support the security manager's decision-making process when implementing security controls in a company.

The example scenario presents the hypothesis that users' experience and the role of the manager are mismatched: the manager may assume that users' effort is unlimited. At present there is no way of directly comparing users' and security managers' perceptions of the behavioural impact of security policy in organisations.

The model is developed to support security managers' decision-making process when implementing security policy in a company and to provide a tool for assessing the workload that security tasks place on users.

The following stages show that the described mismatch exists and that the developed model addresses the outlined problem.

Stage two: Comparing views on security compliance behaviour in an organisation

The aim of the second part is to gather real-world data to highlight the importance of security compliance behaviour and to identify problems which can arise when a security manager chooses a particular way of implementing information security controls in an organisation. Moreover, this part aims to compare the views of security managers and users on the problem of compliance behaviour.

For the purpose of this stage a combination of qualitative and quantitative methods was used.

As the qualitative part, semi-structured interviews with five information security experts were conducted. In parallel, as the quantitative part, 64 users were surveyed using an online survey platform. For the purpose of the survey, eleven multiple-choice questions were developed in collaboration with an academic with experience in this field.

Stage three: Validation of the developed model

The goal of the third stage of the study was to validate the model and gather relevant feedback from information security experts.

Five semi-structured interviews were conducted with information security experts.

Interview invitations were distributed in advance, outlining the approximate duration of the interview and the intended questions, giving insight into the procedure and providing high-level information on the study.

Written consents were collected from the interviewees prior to the interview.

Interviews with security experts consisted of two parts:

  1. General questions on the security manager’s decision-making process regarding the implementation of security controls when ensuring compliance within the company (Stage two).
  2. Validating the model to support the security manager’s decision-making process (Stage three).

Pilot interviews were first carried out. Feedback gathered from the pilot interviews was used to improve model presentation technique, modify existing questions, and add new questions. Materials from the pilot interviews were not included in the thesis.

Each interview took approximately 50 minutes. All interviews were conducted face-to-face and at participants’ offices at a time convenient for them.

In the second part of the interview the same experts were presented with the model, after they had answered the questions on the importance of compliance behaviour. The study aims to assess how the presented model changed their decision-making process when thinking in terms of making users an essential part of the system.

Audio recordings were subsequently used by the researcher to develop interview transcripts, parts of which are presented in this work to support various points and provide insight on relevant issues.

MSc Information Security thesis abstract

Security managers in companies lack a clear process for implementing security controls to ensure compliance with various regulations and standards.

Interviews with experts show that security managers may take the ISO 27001 standard as a framework and then make a decision on any particular implementation based on their experience.

Such implementations run the risk of creating collisions with users' business activities and result in violations of security policies in the company, because they introduce friction with the business process. Users try to avoid such friction. It is important, however, to differentiate between malicious non-compliance and cases when security policy obstructs business processes, leading to workarounds.

This piece of research presents example scenarios of such clashes and explores the root causes of non-compliance events.

A model is developed that supports security managers' decision-making process and incorporates users into the system in a way that mitigates the negative impact of security policy on users' behaviour.

A combination of quantitative and qualitative methods is applied to research the perception of information security by both users and security managers: a survey was created and 64 participants were surveyed to gain an insight into users' perspective on implemented information security controls, and semi-structured interviews were conducted with five experts who have seven or more years of experience in the information security field and currently hold managerial positions.

The study illustrates that a company can be formally compliant but still inefficient in performing its revenue-generating activities. Moreover, there is a mismatch between users' and security managers' perceptions: security managers think that they are already paying attention to the users, but 23% of users complain that security activities negatively affect their performance.

The presented model is validated by information security experts and provides clear guidance to security managers in organisations on the implementation of security controls. The majority of experts liked the approach, but said that it needs to be tried with real-world processes.

Modelling conflicts between information security compliance and behaviour

With this post I’m starting a series of articles on information security compliance and behaviour issues.

It is important for security managers to understand that their decisions affect the company as a whole. However, there are instances when business activities and security tasks are not synchronised. For example, the New York Times website was unavailable for several hours on the 14th of August 2013. While a malicious attack was initially suspected, the problem was caused simply by a scheduled system maintenance procedure.

On the one hand, violation of compliance requirements may result in significant losses for an organisation. On the other hand, poorly implemented security policies may obstruct users' goal-driven behaviour and may result in non-compliance.

Security managers and users may hold different views on security activities. In order to ensure that users in the organisation will comply with security policies, the security manager should broaden his perspective and make users a part of the system.

Lack of clear guidance in this decision-making process may result in the situation in which a company is formally compliant with the standard but users perform their core business activities inefficiently and/or are forced to violate poorly implemented security policies.

Cloud Computing Security – A brief overview of Threats, Vulnerabilities, and Countermeasures

Threats

In 2013 the Cloud Security Alliance released a report identifying and describing nine significant threats to cloud computing [3]. The report is based on a survey of experts and is intended to help companies with their risk assessment. The Cloud Security Alliance (CSA) is one of the first nonprofit organisations to have tried to set standards and best practices for secure cloud computing; it also offers guidance and security education.

The identified threats are listed in order of severity:

1. Data Breaches: A data breach occurs when a company's sensitive information falls into the hands of unauthorised parties such as its competitors; cloud computing introduces new avenues of attack [1, 3].

2. Data Loss: Data loss can happen in several ways and is a frightening prospect for businesses. Accidental deletion by the CSP or a physical catastrophe are examples of how data can be lost in the cloud. Another example is a consumer who encrypts data before uploading it to the cloud and then loses the encryption key [1, 3].

3. Account or Service Traffic Hijacking: There are several ways an account can be hijacked, social engineering among them. An attacker who gains access to an account can, for example, read sensitive data, manipulate it and redirect transactions [3, 9].

4. Insecure APIs: Services provided by CSPs are accessed through APIs, so the security of the cloud depends heavily on the security of these APIs. Weak credentials, insufficient authorization checks and insufficient input-data validation are some of the problems that arise with APIs [3, 9].

5. Denial of Service (DoS): An attacker consumes cloud system resources so that legitimate users cannot access their data or applications [1, 3].

6. Malicious Insiders: This threat refers to fraud, damage or theft of information and misuse of IT resources by people inside the CSP [3, 9].

7. Abuse and Nefarious Use of Cloud Services: Some CSPs have weak registration processes and therefore give attackers easy access to resources. Possible impacts include password cracking and the execution of malicious commands [1, 3].

8. Insufficient Due Diligence: Some companies lack the resources and understanding of the cloud environment needed to correctly evaluate the risks and responsibilities involved. The implications can be contractual, operational and architectural [3].

9. Shared Technology Vulnerabilities: This threat can occur in all service models and refers to the fact that a single vulnerability in a shared component could compromise the provider's entire cloud [3].
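The following Python sketch is an added example, not code from the CSA report or from any provider's API. It shows two of the API weaknesses named in item 4, insufficient authorization checks and insufficient input-data validation, in a hypothetical bucket-deletion handler, beside a hardened version of the same handler. The handler names, the bucket-naming rule and the sample tenant data are constructed for the illustration.

```python
"""Added example: object-level authorization and input validation in a
hypothetical cloud storage API handler. Names and sample data are constructed."""
import json
import re

# Constructed naming rule: lowercase letters, digits and hyphens, 3 to 63 chars.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]{2,62}$")


class ApiError(Exception):
    """Carries the HTTP status the handler would return."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def sample_owners():
    """Constructed tenancy state: bucket name -> owning tenant."""
    return {"acme-logs": "tenant-acme", "globex-backups": "tenant-globex"}


def delete_bucket_insecure(owners, caller_tenant, body):
    """Vulnerable handler. The caller has authenticated, but nothing checks
    that the bucket belongs to caller_tenant (insufficient authorization),
    and the request body is used as-is (insufficient input validation)."""
    req = json.loads(body)      # malformed JSON raises an unhandled exception
    bucket = req["bucket"]      # missing key crashes; no format check at all
    if bucket not in owners:
        raise ApiError(404, "no such bucket")
    del owners[bucket]          # any tenant can delete any other tenant's bucket
    return {"deleted": bucket}


def delete_bucket_hardened(owners, caller_tenant, body):
    """Hardened handler: validate shape and format first, then enforce
    object-level authorization against the caller's identity."""
    try:
        req = json.loads(body)
    except ValueError:
        raise ApiError(400, "malformed JSON")
    bucket = req.get("bucket") if isinstance(req, dict) else None
    if not isinstance(bucket, str) or not BUCKET_RE.match(bucket):
        raise ApiError(400, "invalid bucket name")
    # Same response for "does not exist" and "exists but is not yours", so a
    # tenant cannot use the API to enumerate other tenants' bucket names.
    if owners.get(bucket) != caller_tenant:
        raise ApiError(404, "no such bucket")
    del owners[bucket]
    return {"deleted": bucket}


def call(handler, owners, caller_tenant, body):
    """Dispatch helper: returns (status, payload) instead of raising."""
    try:
        return 200, handler(owners, caller_tenant, body)
    except ApiError as err:
        return err.status, {"error": str(err)}


if __name__ == "__main__":
    cross_tenant = json.dumps({"bucket": "globex-backups"})
    # tenant-acme deletes globex's bucket through the insecure handler (200) ...
    print(call(delete_bucket_insecure, sample_owners(), "tenant-acme", cross_tenant))
    # ... and is refused by the hardened one (404, bucket untouched).
    print(call(delete_bucket_hardened, sample_owners(), "tenant-acme", cross_tenant))
```

Note that the hardened handler does the cheap checks (syntax, format) before touching tenancy state, and that the authorization decision is made per object rather than per endpoint: "authenticated" is not "authorized for this bucket".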

Vulnerabilities in the Cloud

Vulnerabilities are the second factor companies have to consider when assessing the risk of migrating data to the cloud. Many types of vulnerability exist, so when identifying them it is important to make sure they are cloud specific.

What makes a vulnerability cloud specific?

According to the research conducted in [5], a vulnerability is cloud specific if it meets one of several criteria:

  • Virtualisation, service-oriented architecture and cryptography are examples of the core technologies of cloud computing. A vulnerability is cloud specific if it is frequent in and fundamental to these core technologies.
  • Elasticity, resource pooling and the pay-as-you-go model, on the other hand, are examples of cloud characteristics [4]. A vulnerability is cloud specific if its root cause lies in one of those characteristics.
  • Another criterion is that it is hard to apply existing security controls to cloud innovations.
  • The last criterion they mention is that the vulnerability is prevalent in established state-of-the-art cloud services.

Knowing what makes a vulnerability cloud specific, one can then identify vulnerabilities in the cloud. The paper [1] identifies seven major vulnerabilities of cloud computing:

1. Session Riding and Hijacking: This vulnerability is related to weaknesses in web applications. In session hijacking, unauthorised access is gained through a valid session key [8]. Session riding, on the other hand, is when the attacker sends commands to a web application on behalf of an authenticated user by tricking the user into opening an email or visiting a malicious website [1].

2. Reliability and Availability of Service: This vulnerability takes into consideration that cloud computing is not perfect. More and more services are built on top of cloud computing infrastructures, so in case of a failure a large number of Internet-based services and applications may stop working. The paper [1] gives the example of an event in 2008 when Amazon Web Services' cloud storage infrastructure went down for several hours, causing data loss and access issues.

3. Insecure Cryptography: One of the fundamental problems in cryptography is the generation of random numbers. If the numbers used in a cryptographic algorithm are not truly random, the resulting flaws can be exploited. Virtual machines in the cloud may lack sufficient sources of entropy and are therefore susceptible to such attacks [1].

4. Data Protection and Portability: This vulnerability addresses the question of what happens to sensitive data in case of contract termination or if the CSP goes out of business [1].

5. Virtual Machine Escape: This vulnerability refers to the possibility of breaking out of a virtual machine and interacting with the host operating system. The fact that many virtual machines share the same physical host increases the attack surface [1].

6. Vendor Lock-in: The vulnerability lies in companies becoming dependent on the CSP they initially chose. Inconsistencies between CSPs and a lack of standards make it hard for companies to switch providers [1].

7. Internet Dependency: Cloud computing is very much dependent on the Internet, and users usually access services through web browsers. Some critical operations, such as healthcare systems, need to be up and running 24 hours a day, which raises the question of what happens where the Internet connection is not reliable [1].
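The following added example (not code from [1] or [8]) ties items 1 and 3 together. A session key produced by a pseudo-random generator seeded with a coarse timestamp, the kind of shortcut that an entropy-starved VM invites, can be regenerated by an attacker who knows roughly when the session was created; that is all session hijacking requires. The token format, the timestamp and the attacker's search window are constructed for the illustration, and Python's `secrets` module is shown as the correct alternative.

```python
"""Added example: predictable session tokens from a poorly seeded PRNG
versus tokens from a CSPRNG. Scenario and values are constructed."""
import random
import secrets

ISSUE_TIME = 1_376_467_200   # constructed: epoch seconds when the victim logged in
SEARCH_WINDOW = 300          # attacker's uncertainty about that moment, in seconds


def weak_token(seed):
    """Vulnerable: 128 bits drawn from Mersenne Twister seeded with a clock
    value. The output is fully determined by the seed, so its effective
    entropy is the attacker's uncertainty about the seed, not 128 bits."""
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)


def strong_token():
    """Hardened: 128 bits from the OS CSPRNG. On a cloud VM, give the guest
    a hardware-backed entropy source (e.g. virtio-rng) so the kernel pool is
    seeded early and os.urandom(), which secrets uses, is trustworthy."""
    return secrets.token_hex(16)


def recover_seed(observed_token, approx_time, window):
    """Attacker's step: regenerate the candidate token for every second in
    [approx_time - window, approx_time + window] and look for a match.
    Returns the matching seed, or None if the token is not reproducible."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_token(seed) == observed_token:
            return seed
    return None


def hijack_weak_session():
    """Victim receives a weak token; the attacker knows the login time to
    within a few minutes and recovers the exact seed, hence the session key."""
    victim_token = weak_token(ISSUE_TIME)
    recovered = recover_seed(victim_token, ISSUE_TIME + 37, SEARCH_WINDOW)
    return recovered == ISSUE_TIME


def hijack_strong_session():
    """Same attack against a CSPRNG token: no seed in the window reproduces it."""
    victim_token = strong_token()
    return recover_seed(victim_token, ISSUE_TIME + 37, SEARCH_WINDOW) is not None


if __name__ == "__main__":
    print("weak token recovered:", hijack_weak_session())      # True
    print("strong token recovered:", hijack_strong_session())  # False
```

The attack costs 601 PRNG instantiations, a few milliseconds; widening the attacker's uncertainty to a whole day only raises that to 86,400. The fix is not a longer token but a generator whose output does not follow from anything the attacker can guess.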

Countermeasures

Having identified the risks of cloud computing, it is then possible to assess which data or applications should be migrated and how much security is needed, and to come up with countermeasures or safeguards to mitigate these risks. Countermeasures may take various forms, such as policies, procedures, software configurations and hardware devices [4].

For the threats and vulnerabilities mentioned in this report there exist countermeasures that can help mitigate the risk. Papers such as [3], [6] and [9] give possible solutions. Examples include identity and access management guidance for the threat of account or service hijacking [6]. The CSA has issued a report providing a list of best practices such as separation of duties and identity management [2]. For the threat of data leakage, the main countermeasure is encryption [6, 8].

Even though many countermeasures have been identified, a good practice for companies is to have a sound Service Level Agreement (SLA) with the CSP. SLAs are the only legal agreement between client and service provider; they should cover aspects such as security policies and their implementation and should also address legal issues in case of misuse of services [7]. The CSA has further come up with a framework that helps examine the Governance, Risk and Compliance (GRC) aspects of a company's IT policy when adopting a new solution. The framework assists in assessing the clouds provided by CSPs against established best practices and standards.

Having looked at threats and vulnerabilities, we conclude that there are still several issues in cloud computing that need to be solved. It is therefore understandable that companies still view cloud computing sceptically and do not adopt it without consideration. Companies should ensure, through service level agreements, that they get the security they need. Organisations such as the Cloud Security Alliance show that there are efforts under way to create standards and to help companies choose the right provider.

References

[1] Bamiah, Mervat Adib, and Sarfraz Nawaz Brohi. "Seven Deadly Threats and Vulnerabilities in Cloud Computing." International Journal of Advanced Engineering Sciences and Technologies (IJAEST) (2011).

[2] Brunette, Glenn, and Rich Mogull. "Security Guidance for Critical Areas of Focus in Cloud Computing v2.1." Cloud Security Alliance (2009): 1-76.

[3] Cloud Security Alliance. "The Notorious Nine: Cloud Computing Top Threats in 2013." Cloud Security Alliance, 2013. [Online]

[4] Dahbur, Kamal, Bassil Mohammad, and Ahmad Bisher Tarakji. "A Survey of Risks, Threats and Vulnerabilities in Cloud Computing." In Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications, p. 12. ACM, 2011.

[5] Grobauer, Bernd, Tobias Walloschek, and Elmar Stöcker. "Understanding Cloud Computing Vulnerabilities." IEEE Security & Privacy 9, no. 2 (2011): 50-57.

[6] Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. "An Analysis of Security Issues for Cloud Computing." Journal of Internet Services and Applications 4, no. 1 (2013): 5.

[7] Kandukuri, Balachandra Reddy, V. Ramakrishna Paturi, and Atanu Rakshit. "Cloud Security Issues." In Services Computing, 2009. SCC '09. IEEE International Conference on, pp. 517-520. IEEE, 2009.

[8] Munir, Kashif, and Sellapan Palaniappan. "Secure Cloud Architecture." Advanced Computing: An International Journal (ACIJ) 4, no. 1 (2013): 9-22.

[9] Yu, Ting-ting, and Ying-Guo Zhu. "Research on Cloud Computing and Security." In Distributed Computing and Applications to Business, Engineering & Science (DCABES), 2012 11th International Symposium on, pp. 314-316. IEEE, 2012.

Risk management and compliance tools

Citicus

Citicus MOCA – iPhone/iPad tool that enables you to complete a criticality assessment in minutes, anywhere, anytime, using a highly-respected technique that has been successfully applied to many thousands of assessments over the last decade.  In essence, this highlights the maximum credible loss to your organisation if the worst happens to an asset (e.g. theft, fire, flood, malfunction).

Control Systems Security Program (CSSP) – a free tool that provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to industrial control and IT systems.

If you struggle to comply with HIPAA, the NIST HIPAA Security Toolkit Application can help you better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess implementations in an operational environment.

Information security e-learning

The Internet gives us unlimited opportunities to educate ourselves. Here I want to share with you some free resources, which can help you understand information security concepts better.

1. For those of you who want to familiarise yourselves with the ISO 27001 standard, I recommend a free e-learning course:

“The purpose of this course is to enable information security practitioners to successfully implement an ISO 27001 compatible information security management system in their respective organizations. This course is made freely available to interested candidates and is modeled on ISO 27001 Lead Implementer courses.” (c) ISQ

2. The Designing and Executing Information Security Strategies course provides you with opportunities to integrate and apply your information security knowledge. Following a case-study approach, you will be introduced to current, real-world cases developed and presented by the practitioner community, and you will design and execute information assurance strategies to solve them. A term-long capstone project leads you through an actual consulting engagement with a local organisation, adding experience to your resume before you even complete the program.

3. Stanford University provides free online cryptography courses.

Basic

“This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field.” (c) Dan Boneh

Advanced

“The course begins with constructions for digital signatures and their applications.   We will then discuss protocols for user authentication and zero-knowledge protocols.    Next we will turn to privacy applications of cryptography supporting anonymous credentials and private database lookup.  We will conclude with more advanced topics including multi-party computation and elliptic curve cryptography” (c) Dan Boneh

4. A one-hour seminar by Xeno Kovah (MITRE) on rootkits highlights the few weaknesses in detection methodologies and the many weaknesses in tools.

5. Using buffer overflows

– Understanding the Stack – the beginning of this video explains the Intel x86 function-call conventions used when C code is compiled

– Buffer Overflow Exploitation Megaprimer for Linux video series

6. Series of videos introducing wireless networking and the application of penetration testing tools to WLANs