
Security Awareness 101 ……and Beyond

Security Awareness 101 ……and Beyond. “Vision without action is only a dream. Action without vision is merely passing the time. Vision with action will change the world.” - Joel Barker. 20th Annual Computer Security Applications Conference, December 6, 2004, Tucson, Arizona. Kelley Bogart


Presentation Transcript


  1. Security Awareness 101 ……and Beyond “Vision without action is only a dream. Action without vision is merely passing the time. Vision with action will change the world.” - Joel Barker. 20th Annual Computer Security Applications Conference, December 6, 2004, Tucson, Arizona. Kelley Bogart, Melissa Guenther

  2. 'The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.' Kevin Mitnick

  3. 'The Coming Third Wave of Internet Attacks: The first wave of attacks targeted the physical electronics. The second wave - syntactic attacks - targets the network's operating logic. The coming third wave of attacks - semantic attacks - will target data and its meaning. This includes fake press releases, false rumors, manipulated databases. The most severe semantic attacks will be against automatic systems, such as intelligent agents, remote-control devices, etc., that rigidly accept input and have limited ability to evaluate. Semantic attacks are much harder to defend against because they target meaning rather than software flaws. They play on security flaws in people, not in systems. Always remember: Amateurs hack systems, professionals hack people.' Bruce Schneier

  4. Introductions: A complementary team approach • Ms. Kelley Bogart – University of Arizona for the University's Business Continuity and Information Security Office as the Information Security Coordinator. • Initial work was dedicated to policy and best practices related to Business Continuity and Information Security topics. • Last two years have been dedicated to developing and implementing a Campus Security Awareness Campaign. • Received international recognition. • Appointed Co-Chair of the EDUCAUSE Security Awareness Task Force, which is an international group that focuses on IT issues and solutions specific to academia and works directly with the National Cyber Security Alliance with regard to Security Awareness. • Recently she has been working on a partnership agreement with Arizona Homeland Security to use UA's Awareness Campaign for a Statewide Awareness Campaign Initiative. • Ms. Melissa Guenther – Advisor to Phoenix InfraGard and Security Awareness Consultant • Assists teams in creating blueprints and designing interventions for change, primarily in the Security Awareness area. • Clients include Texaco, U of A, Manitoba Information Protection Centre and Public Service of New Mexico. • Over 20 years of culture Change Management and Training experience, providing a strong base for proven results. • Requested presenter at various security conferences, such as SANS, CSI, and the Arizona Chapter of High Technology Crime Investigation Association (ACHICIA), both nationally and internationally. • Created the plan and blueprint for the University of Arizona's Security Awareness campaign, and assisted in the implementation.

  5. Introduction to Our Work • If the result of this workshop gives voice to some of your own experiences, or provides new ideas that contribute to your success, then we have succeeded. • At times, you will hear strong recommendations around proprietary products and processes. We make no apologies, for we would do all a disservice if we failed to disclose with great passion those interventions that can change your company. At the same time, we provide guidelines and suggestions on how to create your own versions of these solutions. • As you take your own journey, we would like to hear from you and invite you to email us with your questions and stories of your victories as you chart your own change path.

  6. A common thread of those that had success with security awareness efforts: giving people clear direction and immediately enlisting their energies in creating that future. • Involvement in security awareness efforts in academia, Fortune 100 and small businesses – variety of situations with one constant. People. • Regardless of presenting issues, success ultimately boils down to meeting a challenge, solving a problem, or forging a better future. And it takes people to accomplish these feats. Even if you define change as implementing technical solutions, such as a Firewall or automatic update installations, technology doesn’t work unless people decide to make it work. • Getting people involved in the process - because people are the ones who make changes work - is key. “Organizations don’t change – people change. And then people change organizations.”

  7. Awareness...to focus attention on security National Institute for Standards and Technology

  8. Framework 1: NIST (1995, 1998) • Identify program scope • Goals and objectives • Identify training staff and identify target audiences • Motivate management and employees • Administer the program • Maintain the program • Evaluate the program

  9. Framework 2 • Plan • Design • Implement • Evaluate • Continuous Improvement • M. Guenther, LLC.

  10. Awareness Program Overview: Aims of the Program Start Up Environmental scan Policies and procedures Technical review Culture Survey Stakeholder analysis Regulatory compliance Overall structure Project Phases Resources and Skills Budget and Costs Project communication Project documentation Target Audience Groups Management and Monitoring Maintenance and transition Program Content Topics Messages Sources of Material Program methods and tools Intranet website Communication methods “Branding” Program Management Governance Management Plan and major activities Measuring the program Cost benefit analysis Program costs Business benefits Conclusion References Appendix A – Target audience segments Appendix B – Potential information, physical and personal security topics Appendix C – Outline and timeline of program plan Appendix D – Communication methods

  11. Content • Topics of awareness include but are not limited to: • The responsibility of users to report issues • The fact that a user's activities can be audited • The legal requirement for data (citing legislation, as appropriate) • Privacy expectations of internal and external users • The ownership of data • Password requirements • The acceptable use policy for E-mail and Internet access • The intellectual property requirements • The sensitivity of department systems to threats, risks and vulnerabilities • Physical, personal and information vulnerabilities

  12. Objectives and Background • Provide direction and guidance in the areas of program development and changes to culture • Address the following questions • What are the premises, nature and point of departure of awareness? • What is the role of attitude, and particularly motivation: the possibilities and requirements for achieving motivation/user acceptance with respect to information security tasks? • What approaches can be used as a framework to reach the stage of internalization and end-user commitment? • Commitment to something means that one wants it and will make it happen (Peter Senge, 1990)

  13. Culture Washington State anthropologist John Bodley defines culture as "shared, learned values, ideals, and behavior — a way of life."

  14. Changing Behaviors • The goal of awareness is to change behavior • People only adopt new patterns of behavior when... the old are no longer effective • People change when the pain of changing is less than the pain of staying the same. • Three concepts about human behavior to note:

  15. Changing Behaviors 1. People’s behavior is based upon their principles and their values 2. An effective awareness program helps the workforce adopt the organization’s principles and values 3. A message is persuasive when the addresser selects information that the addressee perceives as relevant in terms of his or her values

  16. Changing Behaviors: Knowledge does not guarantee a change in behavior. • “We’ll just create some new policies.” What are the fallacies of policy? • “We just send everyone to training.”

  17. Involvement • To change culture and behaviors we need involvement from those who will be most impacted by the change • WII-FM: What’s In It For Me? • People like to be included • Your ideas for involvement?

  18. Model 1 - The Security Awareness Program Flow [Diagram; labels: Company Policies, Security Awareness Program, Purposes, Integrate, Define, Feedback, Activities, Implement, Elicit, Employees.] Important note: Don’t wait until P&P’s are done to start awareness!!

  19. Another Step … Security Advisory Group or Council • Group of upper management level people • Represent all areas of the business • Promote security awareness • Promote consistent approach to security • Drivers of corporate wide security policy

  20. Involvement • Host special events • Look for “teachable moments” • Develop security “champions” • Leverage a “negative event” • Use the “Grapevine”

  21. PLANNING “The beginning is the most important part of the work.” - Plato

  22. Strategic Planning • Step 1: Where are we now? (Situation Assessment) • Step 2: Where do we want to be? (Strategic Direction) • Step 3: How do we plan to get there? (Implementation Planning) • Step 4: How will we monitor progress? (Monitoring)

  23. Compelling Issues • Vast amounts of information. • Open environment. • Decentralized functions. • Customer expectations. • Institutional responsibility. • Financial, operational & reputational risks. • Increasing threat profile.

  24. Security Awareness Culture Survey

  25. It’s the Culture • Culture drives the behavior of the organization and its people. • Implementing a behavioral security process without a solid cultural foundation is the cause of most incidents.

  26. Danger Signs • Unclear who is responsible for what. • Belief that everything is ok, “we are in good shape” • Belief that rule compliance is enough for security (If we’re in compliance – we’re ok) • No tolerance for whistle-blowers • “Culture of silence” • Problems experienced from other locations not applied as “lessons learned” • Lessons that are learned are not built into the system • Defects / errors became acceptable • Security is subordinate to production • Emergency procedures for severe events are lacking

  27. Danger Signs • Policies and Procedures are confusing, complex and “hard to find”. • Security resources and techniques are available but not used. • Organizational barriers prevent effective communication. • There is undefined responsibility, authority, and accountability for security. • Security belonged to “IT” • The acceptance of defects / errors becomes institutionalized. • Because nothing has happened (or we are unaware of what has happened), we’re ok. • Culture is resilient, hard to change, and will revert to old habits if not steered by leadership.

  28. What is Culture? • Social Culture - Our beliefs, philosophies, attitudes, practices that govern how we live. • Organizational Culture - What employees believe (perceptions), attitudes, practices, rules, regulations, philosophies, values, etc.

  29. What is Culture? • It is the atmosphere which shapes our behavior. • Invisible force that largely dictates the behavior of employees & management.

  30. Company Culture: Production Culture vs. Security Culture. Due to high costs of incidents there is no way a pure production culture can be profitable to its fullest potential.

  31. What is a Production Culture? • Belief that only production matters. • Whatever it takes to get the job done. • Security performance is not measured. • Security performance is not part of supervisor’s job.

  32. Security Culture • Security is not a priority - it is a corporate Value. • All levels of management accountable. • Security performance measured & tied to compensation. • Security integrated into all operations.

  33. The Purpose Of The Program • Security is everyone’s responsibility • Provide all opportunities to determine how in their daily roles • Knowledge (what) • Skill (how) • Attitude (want) Education Awareness

  34. Motivation vs. Attitude • Motivation tends to be dynamic in nature • Lasts minutes or weeks • Intrinsic motivation plays a role • People feel free to make their own choices • Need to justify actions in terms of internal reasons • Attitude is a more static, internalized factor • Lasts months to years • Staged as readjustment, cooperation, acceptance and internalization • User acceptance and internalization must be considered gradual processes and long-term goals

  35. A Collection of Approaches

  36. Analysis and Problem-solving: What We Looked at • People • Business • Measuring, evaluating

  37. Break

  38. People • Identify key relationships. • Establish rapport with students, faculty and staff. • Become visible and available. • Develop security awareness program. • Be the person who is there to help. • Emotional/psychological management

  39. Business • Understand… • Business and customer expectations • Relationships between business and customer • Key information and other assets, owners and custodians

  40. Strategy Metrics/ Benchmark Communication Culture Regulatory Education Marketing Strategic Planning

  41. Design National Institute for Standards and Technology

  42. The Awareness Program • The security process is more than the implementation of technologies • Redefinition of the corporate culture • Communication of management's message • Employee understanding of value of information • Employee understanding of importance of their actions to protect information

  43. Scope The scope of any Security Awareness campaign will reach all network users, beginning with senior department executives working towards each and every member of the community. Who are the members of your community?

  44. Customizing the Message Plan to address segmented groups with messages specifically designed for those areas. • Leadership • Staff • Students • Faculty • Senior Management • Line Supervisors • End Users • Contractor and Temp

  45. Needs Assessment • Senior Management - will be expecting a sound, rational approach to information security. • Line supervisors - These individuals are focused on getting their job done. • Employees - are going to be skeptical. They have been through so many company initiatives that they have learned to wait. If they wait long enough and do nothing new, the initiative will generally die on its own. It will be necessary to build employees' awareness of the information security policies and procedures. Identify what is expected of them and how it will assist them in gaining access to the information and systems they need to complete their tasks.

  46. The Information Security Message • The employees need to know that information is an important enterprise asset and is the property of the organization. • All employees have a responsibility to ensure that this asset, like all others, is protected and used to support management-approved business activities. • To assist them in this process, employees must be made aware of the possible threats and what can be done to combat those threats. • Is the program dealing only with computer-held data or does it reach to all information wherever it is resident? • Make sure the employees know the total scope of the program. Enlist their support in protecting this asset. • The mission and business of the enterprise may depend on it.

  47. Delivering the Message [Chart: delivery methods plotted by COST against EFFECTIVENESS and rated Not recommended / Recommended / Highly recommended. Methods shown: Special events, Security classes, CBT, Video, Security newsletter, Screen saver, Giveaways, Posters, Recognition awards, Brochure, Web site, E-mail broadcast, Sign-on banner.]

  48. Formats for Communication • Individual meetings • Staff meetings • Conference calls • E-mails • Videoconferences • Messages • Faxes • Graphics and logo

  49. U of A Intranet: UA Security Awareness Campaign. Being Security Aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within our computer systems and throughout our organization. Therefore, it would be prudent to support the assets of our institution (information, physical, and personal) by trying to stop that from happening. • 2004 Information Security Awareness Day • Current Security Events • UA Information Security Awareness Day • Computer Security: What you need to know • 2004 Information Security Brown Bag Series (.pdf) • Calendar of Campus Security Awareness Events • Presentations • Security Awareness Presentations • Security Plan • Information Security Awareness Campaign Initiatives (.pdf) • Security Awareness Campaign Feedback Questionnaire • Evaluation Model (.pdf) • Send comments and suggestions to: Kelley Bogart, bogartk@u.arizona.edu, or call 626-8232 • UA Privacy Statement • Please send comments, suggestions or questions to: Business Continuity & Information Security, (520) 626-0100, bcis@u.arizona.edu • Website created and maintained by: CCIT Information Delivery Team
