Infosecurity Professional - Issue 9 - ISC

More documents

Recommendations

Info

I LLUSTRATION BY E UG E N P/SH UTTE RSTOCK Sherri Davidoff used to rob banks. She’d get up in the morning, put on a nice business suit, walk into the heavily secured offices of large financial institutions and walk out—through the front door—with their computers. Davidoff isn’t a felon, however; she’s a principal in the Montana office of Lake Missoula Group LLC, a security consulting firm specializing in penetration testing, forensics, network assessment and security awareness training. Her “thefts” were tests of the strength of banks’ security systems, and they serve as a reminder of just how weak those systems can be. One day, technology may make it impossible for a thief to pick up and walk off with a computer. That fact doesn’t necessarily mean future computers will be any more secure than today’s are. That’s because there’s something technology can’t control: the human element. “Technology for the most part doesn’t fail,” says Dow Williamson, CISSP, CSSLP and executive director of SCIPP International, which develops, delivers and manages security awareness credential and certification programs. “It’s the human being that causes the problem,” he says. The human concept of acceptable behavior, for example, played a big role in the success of Davidoff ’s bank larcenies. “We’ve been trained since we were young to hold the door for people,” she says. “We feel bad letting [it] slam on them.” Likewise, it can feel awkward to confront a young, well-dressed female who looks like she 8 INFOSECURITY PROFESSIONAL ISSUE NUMBER 9
illustration by SASHIMI/theispot belongs—even if she is walking out the door with an office computer. “The human being is the most precious asset a company has, and the most dangerous thing,” says Martin Smith, founder of The Security Company (International) Ltd., a U.K.-based firm that helps implement security awareness campaigns to achieve long-term, sustainable changes in employee behavior. There isn’t a computer program in existence that can counter human nature, but there are ways to address the effect of human nature on the security of your organization’s information. What follows is a look at what works and what doesn’t when it comes to the human side of technology. Where We Go Wrong Geordie Stewart, an IT security consultant with London-based Risk Intelligence, which specializes in information security management, took a close look at the human factor in his thesis for the Master of Science degree at Royal Holloway college, Maximising the Effectiveness of Information Security Awareness Using Marketing and Psychology Principles. “There are three main problems with how information security awareness techniques are commonly implemented,” he says. The first problem revolves around awareness versus culture. “Information security awareness is based on a narrow assumption that if only someone was aware of the risk or threat, then their behavior would change,” Stewart says. “The reality is that people may well be aware of the risk but feel constrained by other factors, such as entrenched business culture.” The second problem is that information security professionals don’t realize information security awareness is all about marketing—targeted marketing: Mouse mats and motivational posters don’t cut it. “Unfortunately, it’s much easier to roll out screen savers with messages cut and pasted from the organization’s security policy,” Stewart says. What does work are campaigns involving “audience research, careful targeting of communications, and measuring the outcome,” he adds. It’s in measuring outcomes that the third problem lies. “The benefit of awareness campaigns isn’t actually awareness,” Stewart says. “The benefit is in someone behaving differently in a way that benefits the organization’s overall risk profile.” In other words, knowing an employee is aware of a company’s password policy isn’t the same thing as knowing whether he or she follows it. Smith thinks the problem with implementing information security isn’t so much in the method used as in the fact that it’s information security professionals doing the implementing. “You’re asking computer people to solve a people problem, which doesn’t make sense,” he says. “I am tired of dealing with CISOs who don’t understand the need of addressing the people part of it.” In addition, as the techniques of criminals get simpler, the ways in which organizations respond get more complex: “The patient is dying of the common cold due to poor nursing, and yet the doctors are concen- Experts say that information security professionals must consider human behavior when it comes to security awareness, Maggie Starvish writes. ISSUE NUMBER 9 InfoSecurity <strong>Professional</strong> 9
Page 1 and 2: issue number 9 An (ISC) 2 Digital P
Page 3 and 4: issue 9 2010 VOLUME 1 14 To view th
Page 5 and 6: executive letter From the desk of t
Page 7 and 8: (ISC) 2 MEMBER NEWS (ISC)² Hires F
Page 9: The password to your future is NSU.
Page 14 and 15: son’s social position. “Breache
Page 16 and 17: You’ve probably developed, or are
Page 18 and 19: frankly, your enemy.” The more ti
Page 20 and 21: Each year, (ISC) 2 participates in
Page 22 and 23: global insight international inform
Page 24: The one security blanket you won’

Infosecurity Professional - Issue 9 - ISC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?