
The Human Factor in Information Technology


dbrian




Presentation Transcript


  1. The Human Factor in Information Technology

  2. Introduction
  • 75% of security incidents are caused by human error
  • Technology-oriented civilization
  • General ignorance in all layers of the civilization

  3. Work environment
  • Employees are often clueless about security improvements
  • Incidents are often caused by:
    • Configuration error
    • Misinterpretation
    • Intentional action

  4. Design issue
  • Techies' needs vs. business needs
  • Business function vs. security
  • User-friendliness vs. security
  • The strength of a design is often its downfall: regular users do not think like those who designed it
  • Design should identify human and societal needs

  5. Technology
  • Technology changes so rapidly that it becomes impossible to manage
  • Technology often ties us to our work; instead of making it easier, it makes it worse
  • Top-notch technology is expensive and does not guarantee security
  • Implementers are often external and can leave insecure traces, purposely or by error

  6. Social engineering
  • Art of deception or persuasion
  • The exploits
  • Human-based social engineering
  • Technology-based social engineering

  7. Social engineering: The exploits
  • Diffusion of responsibility
  • Trust relationships
  • Moral duty
  • Guilt
  • Desire to be helpful
  • Cooperation

  8. Human-based social engineering
  • Impersonation
  • The VIP approach
  • Shoulder surfing
  • Dumpster diving
  • Piggybacking
  • Third-party approach

  9. Technology-based social engineering
  • Popup windows
  • Mail attachments
  • Spam, spim, chain emails, hoaxes
  • Websites

  10. Countermeasures: Building a human firewall
  • Convince top management
  • Top-down approach
  • Prove that security is a business enabler, not only a cost
  • According to Gartner, the executive board has 3 major questions when confronted with security issues:
    • Is our security policy enforced fairly and consistently?
    • Would employees, contractors and partners know if a security violation occurred?
    • Would the company know how to handle and react if it recognized a security violation?

  11. Countermeasures: Building a human firewall
  • Assign and clarify roles/responsibilities
  • Separation of duties: do people have the authority?
  • Be careful with overlapping duties
  • Clear statements from management

  12. Countermeasures: Building a human firewall
  • Define an action plan linked to a budget
  • Assess the relative value of information assets
  • Use a risk assessment approach
  • Prioritize asset values to simplify budgeting
  • Involve all units
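The slide above describes the approach in words only. The following is an added example, not part of the presentation, of how a risk assessment can rank information assets by relative value and turn that ranking into a budget split. It assumes (these are the example's own conventions, not the slides') a 1-5 rating for asset value, likelihood of compromise and business impact, a risk score equal to their product, and a budget allocated in proportion to that score; the asset list is constructed.

```python
"""Risk-based prioritisation of information assets (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner_unit: str   # business unit that must be involved in the assessment
    value: int        # relative value of the information asset, 1 (low) .. 5 (critical)
    likelihood: int   # estimated likelihood of compromise, 1 .. 5
    impact: int       # business impact if compromised, 1 .. 5


def risk_score(asset: Asset) -> int:
    """Assumed scoring convention: value * likelihood * impact (range 1..125)."""
    for rating in (asset.value, asset.likelihood, asset.impact):
        if not 1 <= rating <= 5:
            raise ValueError(f"{asset.name}: ratings must be between 1 and 5")
    return asset.value * asset.likelihood * asset.impact


def prioritize(assets):
    """Highest risk first; ties broken by name so the order is stable."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def allocate_budget(assets, total_budget):
    """Split the budget in proportion to each asset's share of the total risk."""
    ranked = prioritize(assets)
    total_risk = sum(risk_score(a) for a in ranked)
    if total_risk == 0:
        raise ValueError("no assets to allocate budget to")
    return {a.name: round(total_budget * risk_score(a) / total_risk, 2) for a in ranked}


def units_involved(assets):
    """Every unit that owns an asset has to take part in the assessment."""
    return sorted({a.owner_unit for a in assets})


# Constructed sample register; the ratings are illustrative, not from the slides.
SAMPLE_ASSETS = [
    Asset("customer database", "sales", value=5, likelihood=3, impact=5),
    Asset("HR records", "hr", value=4, likelihood=2, impact=4),
    Asset("public website", "marketing", value=2, likelihood=4, impact=2),
    Asset("build server", "engineering", value=3, likelihood=3, impact=4),
]


if __name__ == "__main__":
    for asset in prioritize(SAMPLE_ASSETS):
        print(f"{risk_score(asset):4d}  {asset.name} ({asset.owner_unit})")
    print(allocate_budget(SAMPLE_ASSETS, 100_000))
    print("units to involve:", units_involved(SAMPLE_ASSETS))
```

The ranking, not the absolute numbers, is what feeds the action plan: the board sees which assets come first and how much of the budget each one draws, and every owning unit appears in the list of participants.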

  13. Countermeasures: Building a human firewall
  • Develop/update the policy framework
  • Policies evolve, just as the law does in real life
  • Written in language everyone can understand
  • Align with business goals: constraining or contradictory policies end up on the forgotten list

  14. Countermeasures: Building a human firewall
  • Develop an incident response program
  • Reduce damage
  • Recover quickly and efficiently
  • Keep a trace of the security event and learn from it

  15. Countermeasures: Building a human firewall
  • Develop a security awareness program
  • Conduct a survey to find the weak and strong domains
  • Repetition is the key to success
  • Events happening in the world can be the initiator
  • It should not be a one-shot effort: use any means possible, such as quizzes, posters, intranet, mails, etc.

  16. Countermeasures: Building a human firewall
  • Develop a security awareness program
    • Senior management
    • Mid management
    • Staff
    • Technical staff

  17. Countermeasures: Target audience
  • Develop a security awareness program
  • Senior management
    • Focus on key elements: risk level, loss
    • Numerical or statistical approach
    • Real-life examples

  18. Countermeasures: Target audience
  • Develop a security awareness program
  • Mid management
    • Granular approach on policies, procedures, …
    • In charge of mapping them to the different departments
    • Use business examples

  19. Countermeasures: Target audience
  • Develop a security awareness program
  • Staff
    • Repetition = key to success
    • Split into job-related groups
    • Stress the importance of his/her job and the security-related issues involved

  20. Countermeasures: Target audience
  • Develop a security awareness program
  • Technical staff
    • Audit trails are often seen as work control
    • Security is often integrated only after everything is running
    • Convince them that security also protects their work environment

  21. Countermeasures: Building a human firewall
  • Measure your security awareness efforts
  • A quiz is an excellent tool to measure
  • Security event statistics can indicate weak spots
  • Evaluation forms to learn about current issues and where to improve
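The slide above names the two measurements, quiz results and security event statistics, without showing how they are combined. The following is an added example, not from the presentation, that normalises a quarter of security events per department by headcount, averages quiz scores per department, and flags the departments that fall outside chosen thresholds together with their most frequent event type, which points at the topic the next awareness round should repeat. The departments, headcounts, event records, quiz scores and thresholds are all constructed for the example.

```python
"""Spotting weak departments from quiz scores and security event statistics (added example)."""
from collections import Counter

# Constructed sample data for one quarter; none of it comes from the slides.
HEADCOUNT = {"sales": 40, "hr": 10, "engineering": 30, "marketing": 20}

SECURITY_EVENTS = [  # (department, event type) as an incident tracker would record it
    ("sales", "phishing_click"), ("sales", "phishing_click"), ("sales", "lost_device"),
    ("sales", "phishing_click"), ("sales", "phishing_click"),
    ("hr", "tailgating"),
    ("engineering", "phishing_click"),
    ("marketing", "phishing_click"), ("marketing", "shared_password"),
]

QUIZ_SCORES = {  # awareness quiz results out of 10, one entry per respondent
    "sales": [6, 7, 5, 8],
    "hr": [9, 8],
    "engineering": [9, 10, 8],
    "marketing": [7, 6],
}


def events_per_100_staff(events, headcount):
    """Raw counts mislead when departments differ in size, so normalise by headcount."""
    counts = Counter(dept for dept, _ in events)
    return {dept: round(100 * counts[dept] / size, 1) for dept, size in headcount.items()}


def average_quiz_score(scores):
    return {dept: round(sum(s) / len(s), 1) for dept, s in scores.items() if s}


def dominant_event_type(events, dept):
    """Most frequent event type in a department; ties resolved alphabetically."""
    counts = Counter(kind for d, kind in events if d == dept)
    if not counts:
        return None
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]


def weak_spots(events, headcount, scores, rate_threshold, quiz_threshold):
    """Departments whose event rate is above rate_threshold or whose quiz average
    is below quiz_threshold, each with the reasons it was flagged."""
    rates = events_per_100_staff(events, headcount)
    averages = average_quiz_score(scores)
    flagged = {}
    for dept in headcount:
        reasons = []
        if rates[dept] > rate_threshold:
            reasons.append(f"{rates[dept]} events per 100 staff, dominant: {dominant_event_type(events, dept)}")
        if dept in averages and averages[dept] < quiz_threshold:
            reasons.append(f"quiz average {averages[dept]} below {quiz_threshold}")
        if reasons:
            flagged[dept] = reasons
    return flagged


if __name__ == "__main__":
    for dept, reasons in weak_spots(SECURITY_EVENTS, HEADCOUNT, QUIZ_SCORES, 10.0, 7.0).items():
        print(dept, "->", "; ".join(reasons))
```

A department with a low quiz score but few events has a knowledge gap that has not yet turned into incidents; one with a high event rate but good quiz scores knows the rules and does not follow them, which calls for a different kind of intervention than another round of the same quiz.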

  22. The Human Factor: Q &amp; A
