New York State Higher Education CIO Conference West Point - July 2005



Presentation Transcript


  1. New York State Higher Education CIO Conference, West Point - July 2005
   Building an Information Security Culture in a Global Enterprise
   • Jane Scott Norris, CISSP CISM
   • Chief Information Security Officer
   • U.S. Department of State

  2. Information Security Program
   Designed to Protect INFORMATION
   • Policy and Procedures
     • To support business objectives while considering security requirements
   • Informing users of their responsibilities
     • Employees must know policies, understand their obligations, and actively comply
   • Monitoring and review of program

  3. Information Security Drivers
   • Constantly changing IT
   • Increasing connectivity
   • Rush to market
   • Readily available hacking tools
   • Increasing Risk
   • Only as strong as the weakest link
   Insider threat is always greatest: deliberate, careless, irrational or uninformed

  4. 3 Waves of Information Security
   • Technical Wave
     • Authentication and access control
   • Management Wave
     • Policies, procedures
     • CISO and separate security staff
   • Institutionalization Wave
     • Information Security Awareness
     • Information Security Culture
     • Standardization, certification and measurement
     • Human Aspects
   Von Solms (2000)

  5. It’s A People Problem
   Information and Information Systems Security:
   • Products: H/W and S/W
   • Processes: Management, Operational
   • People: Users, Administrators
   Ensuring that employees receive tailored and timely awareness, training, and education is paramount to maintaining effective security

  6. The Security Gap
   • Security technology is essential
     • Firewalls, anti-virus, intrusion detection, encryption etc.
   • Technology is not enough
     • Gartner: 80% of downtime is due to people and processes
     • The tighter the security controls, the harder they are to break, and the target becomes the user
     • Technology can make it difficult to forge IDs but can’t stop people getting real IDs under fake names
     • Technology can never stop social engineering
     • People are still tricked into disclosing their passwords
   • Creating and maintaining a security culture is critical for closing the security gap

  7. People and Machines
   • Security controls deal with known risk
   • People spot irregularities
   • Employees that are security conscious and correctly trained
     • Develop a “feeling” for what is “normal” behavior
     • Recognize unusual, unexpected behavior
   • Employees need to
     • Adapt to new scenarios
     • Report and act on incidents
   A well informed workforce helps to promulgate good security habits, and to identify and mitigate problems quickly

  8. Awareness, Training & Education
   “The Human Factor in Training Strategies” by Dorothea de Zafra, Nov. 1991, as quoted in NIST SP 800-16

  9. Security Awareness Program
   • Communicate security requirements
     • Policy, rules of behavior
   • Communicate Roles and Responsibilities
   • Improve understanding of proper security procedures
     • At work and at home
   • Serve as basis for monitoring and sanctions program
   Majority of organizations view security awareness as important, although they do not believe they invest enough in this area. 2004 CSI/FBI Computer Crime and Security Survey

  10. NIST Guidance
   NIST SP 800-53
   • “An effective information security program should include … security awareness training to inform personnel of the information security risks associated with their activities and responsibilities in complying with organizational policies and procedures designed to reduce these risks”
   NIST SP 800-50
   • “Awareness involves guiding and motivating people on appropriate behaviors”
   NIST SP 800-16
   • The fundamental value of security awareness is to create “a change in attitudes which change the organizational culture”

  11. Information Security Culture
   • Information Security culture must complement the Organizational culture
     • Congruent with the mission
     • Commensurate with risk appetite
   • Common elements of a security culture across organizations
     • Privacy, internal controls
     • Protection of proprietary information
     • Laws
   Employee Vigilance and Appropriate Response are natural activities in the daily activities of every employee

  12. Attitude Adjustment
   • Attitude is important
     • Predictor of Behavior
     • Motivator of Behavior
     • Source of Risk
       • Irrational behavior based on passion (love, anger)
   • Attitude can be changed
     • Social Psychology
     • Fish!
   PERSUASION: Changing attitudes and behavior

  13. Social Psychology
   ATTITUDE: Affect, Behavior, Cognition
   Influencing Behavior and Decision-Making
   Sam Chun, CISSP: Change that Attitude: The ABCs of a Persuasive Awareness Program

  14. ABC Model
   • Affect
     • Emotional response
     • More likely to do activities that
       • Are fun or make us feel good
       • Avoid negative feelings (guilt, fear, pain)
   • Behavior
     • Feedback for attitudes
     • Doing leads to liking
   • Cognition
     • Opinions formed by reasoning

  15. Influence Techniques
   • Reciprocity
   • Cognitive Dissonance
   • Diffusion of Responsibility
   • Individualization
   • Group Dynamics
   • Social Proof
   • Authority
   • Repetition
   CONSISTENCY OF MESSAGE

  16. Reciprocity
   • Indebtedness
     • Obligation to reciprocate on debt
   • Trinkets
     • Lanyards, pens, mousepads, lunch bags
     • Simple slogan
     • Large ROI

  17. Cognitive Dissonance
   • Performing an action that is contrary to beliefs or attitude
   • Natural response is to reduce the tension/discord
   • Requirement to repeat unpopular procedure makes it more palatable
   • Examples:
     • Mandatory, periodic change of password
     • Requirement for Strong passwords

  18. Diffusion of Responsibility
   • Members of a group take less personal responsibility when group output, not individual contribution, is measured
   • Avoid anonymity
   • Remind employees that they are responsible for all system activity conducted under their logon
   ELSE Cyber Security: It’s Everyone’s Job!

  19. Individualization
   • Opposite of Diffusion of Responsibility
   • Individual Accountability
     • ID badges
     • Personalized messages
     • In-person delivery
     • Individual rewards
   Information Assurance – It’s MY job too!

  20. Group Dynamics
   • In a group, individuals tend to adopt more extreme attitudes to a topic over time
     • Diffusion of Responsibility
     • Leaders tend to be those with stronger views, more extreme attitudes
   • Group interaction will enhance security in a group that has a propensity for security
     • Peer Pressure

  21. Social Proof
   • People mimic others’ behavior
   • Be aware of informal communications
     • Most frequent
     • Must be on message
   • Ensure good examples; discourage bad behavior
   One ill-chosen comment from an influential person can undo months of awareness efforts

  22. Obedience to Authority
   • Natural tendency to obey authority
   • Ensure executive commitment
   • Ensure line manager buy-in
   Message Multipliers: Senior Management Participation and Senior Leadership by Example

  23. Repetition
   • Repeated exposure to a consistent message can change attitudes
   • The more familiar people are with policies and procedures, the more correct behavior is induced
   • Use all channels of communication
     • Formal and Informal
     • Push and Pull
   If a stimulus, originally an attention-getter, is used repeatedly, the learner will selectively ignore the stimulus. NIST SP 800-16

  24. Fish! Approach to Work
   • Choose Your Attitude
   • Play
   • Make Their Day
   • Be Present
   “Boost Morale and Improve Results”
   Fish! Lundin, Stephen C., Paul, Harry and Christensen, John, Hyperion Books, 2000

  25. Consistency
   • Familiarity breeds contempt?
   • Repetition induces liking
     • Chun: Change that Attitude
   • Even a boring job can be fun
     • Fish!
   Variety is the spice; Consistency the Staple

  26. Target Audience
   • Every system user
   • NIST defines 5 roles
     • Executives
     • Security Personnel
     • Systems Owners
     • Systems Admin and IT Support
     • Operational Managers and System Users

  27. The Awareness Team
   • Senior Management
   • CIO and CISO
   • Functional Elements
   • Security Professionals
   • System Administrators
   • Every individual employee!
   The more YOU know, the stronger WE are!

  28. Tailored Approach
   • Mandatory annual awareness presentation for all
     • General
     • Real world examples
       • Lots in the Press about Identity Theft
     • Home PC Security
       • Bring the message home
   • Other sessions tailored for particular groups
     • Targeted messages and examples
   • Involve people in awareness to overcome their resistance to change
   Individuals have different learning styles

  29. Delivery
   • Prior to being granted privileges
     • No access without awareness
   • Periodically
     • Mandatory Annual Awareness
       • Classes or On-line
     • Interim, short communiqués
       • E-mails, broadcasts, “Tip of the Day”
       • In response to new threats, vulnerabilities and policies
   • Small group sessions
   • Less formal events
     • Fairs, Awareness Days
     • Games – Security Jeopardy
   • Push – Pull techniques

  30. On-going Program
   • Cultural Change takes time
   • Continuous Program
     • Maintain employee awareness and organizational commitment
   Awareness presentations must be on-going, creative, and motivational, with the objective of focusing the learner’s attention so that learning will be incorporated into conscious decision-making. NIST SP 800-16

  31. ROI from Security Awareness
   • Cost Avoidance
   • Support of Mission Objectives
   • Protection of Image
   • Prevention of Down Time, Damage and Destruction
   Security conscious employees make better cyber citizens

  32. Measurement of Program
   Externally, in response to FISMA:
   • Congress and OMB
     • Quarterly and Annually
   • President’s Management Agenda
   • Congress FISMA Grade
   Internally:
   • Quarterly Bureau Scorecards
   • Feedback
   What gets measured gets done!

  33. Output vs. Outcome
   • Outputs
     • Number of employees trained
   • Outcomes
     • Fewer Audit Findings
     • Fewer material weaknesses
     • Fewer violations
     • Less severe incidents
     • Less repetition of errors
     • Less damage
     • Reduced cost of compliance

  34. Measurement of People
   • Measurement by organizational element
     • Peer pressure
   • Measurement by individual
     • Awards/Rewards
     • Include in employee evaluation
   • Sanction by individual

  35. Security Minded Culture
   • When Employees …
     • Are aware of the threats, vulnerabilities and consequences of exploits
     • Recognize and report suspicious activity
     • Can discuss why controls are necessary
     • Take an active role in protecting information
   A risk managed approach balances security requirements and mission need

  36. A Habit not a Mandate
   • If we understand why observing good information assurance practice is the right thing to do
   • Then we will do things because we believe it’s the right thing to do, rather than because we’re told to do them
   Assimilation: An individual incorporates new experiences into an existing behavior pattern

  37. Challenge for Security Professionals
   • Keep current on new threats, vulnerabilities and solutions
   • Educate general users and senior management about threats and exploits. Show them why cyber security is needed and what they can do to protect information
   • Instill in all employees a feeling of shared responsibility
   • Sell information security

  38. It’s a Dialogue
   Security Awareness personnel need to …
   Understand
   • Security climate
   • Business objectives
   • Line managers’ concerns, problems
   • Individual and group issues
   Possess
   • IT Background and security knowledge
   • Communication Skills
   • Marketing Skills
   • Business Savvy

  39. The Business Case for Security
   • Use the language of business
   • Show how security supports mission objectives
   • Demonstrate the return on investment associated with good security
   • Talk with management (and users) in terms they can understand – avoid the language barrier
   Drop the “Geek Speak”

  40. Summary
   • Attitudes
   • Behavior
   • Culture
   Whether it’s a homogeneous group in a campus setting or a diverse, global workforce, a variety of techniques and consistency of message are needed

  41. 10 Cs of Information Security Culture
   • Comedy
   • Complete
   • Consistent Message
   • Customized Sessions
   • Current, relevant content
   • Communication Channels
   • Common (plain) Language
   • Commitment from Executives
   • Continuing Awareness Program
   • Compulsory Annual Awareness Offering

  42. References
   • Chun, Sam: “Change that Attitude: The ABCs of a Persuasive Awareness Program”, Information Security Management Handbook, 5th Edition, Volume 2, Auerbach, 2005
   • NIST Special Publication 800-53: “Recommended Security Controls for Federal Information Systems”, Feb 2005
   • NIST Special Publication 800-50: “Building an Information Technology Security Awareness and Training Program”, Oct 2003
   • de Zafra, Dorothea: “The Human Factor in Training Strategies”, presentation to the Federal Computer Security Program Managers’ Forum, Nov. 1991, as quoted in NIST SP 800-16
   • NIST Special Publication 800-16: “Information Technology Security Training Requirements: A Role- and Performance-Based Model”, April 1998
   • Lundin, Stephen C., Paul, Harry and Christensen, John: “FISH!”, Hyperion Books, 2000

  43. Contact Information
   For further information or comments, please e-mail: CISO@State.gov
   Subject: NY State CIOs
