New York State Higher Education CIO Conference
West Point - July 2005

Building an Information Security Culture in a Global Enterprise
• Jane Scott Norris, CISSP CISM
• Chief Information Security Officer
• U.S. Department of State
Information Security Program
Designed to Protect INFORMATION
• Policy and Procedures
  • To support business objectives while considering security requirements
• Informing users of their responsibilities
  • Employees must know the policies, understand their obligations, and actively comply
• Monitoring and review of the program
Information Security Drivers
• Constantly changing IT
• Increasing connectivity
• Rush to market
• Readily available hacking tools
• Increasing risk
• Only as strong as the weakest link
The insider threat is always the greatest: deliberate, careless, irrational or uninformed
3 Waves of Information Security (von Solms, 2000)
• Technical Wave
  • Authentication and access control
• Management Wave
  • Policies, procedures
  • CISO and separate security staff
• Institutionalization Wave
  • Information Security Awareness
  • Information Security Culture
  • Standardization, certification and measurement
  • Human Aspects
It's A People Problem
Information and Information Systems Security rests on three pillars:
• Products: H/W and S/W
• Processes: Management, Operational
• People: Users, Administrators
Ensuring that employees receive tailored and timely awareness, training, and education is paramount to maintaining effective security
The Security Gap
• Security technology is essential
  • Firewalls, anti-virus, intrusion detection, encryption, etc.
• Technology is not enough
  • Gartner: 80% of downtime is due to people and processes
  • The tighter the security controls, the harder they are to break, and the user becomes the target
  • Technology can make it difficult to forge IDs, but it can't stop people obtaining real IDs under fake names
  • Technology can never stop social engineering
    • People are still tricked into disclosing their passwords
Creating and maintaining a security culture is critical for closing the security gap
People and Machines
• Security controls deal with known risk
• People spot irregularities
  • Employees who are security conscious and correctly trained
    • Develop a "feeling" for what is "normal" behavior
    • Recognize unusual, unexpected behavior
• Employees need to
  • Adapt to new scenarios
  • Report and act on incidents
A well-informed workforce helps to promulgate good security habits, and to identify and mitigate problems quickly
Awareness, Training & Education
Source: "The Human Factor in Training Strategies" by Dorothea de Zafra, Nov. 1991, as quoted in NIST SP 800-16
Security Awareness Program
• Communicate security requirements
  • Policy, rules of behavior
• Communicate Roles and Responsibilities
• Improve understanding of proper security procedures
  • At work and at home
• Serve as the basis for the monitoring and sanctions program
The majority of organizations view security awareness as important, although they do not believe they invest enough in this area. (2004 CSI/FBI Computer Crime and Security Survey)
NIST Guidance
NIST SP 800-53
• "An effective information security program should include … security awareness training to inform personnel of the information security risks associated with their activities and responsibilities in complying with organizational policies and procedures designed to reduce these risks"
NIST SP 800-50
• "Awareness involves guiding and motivating people on appropriate behaviors"
NIST SP 800-16
• The fundamental value of security awareness is to create "a change in attitudes which change the organizational culture"
Information Security Culture
• The information security culture must complement the organizational culture
  • Congruent with the mission
  • Commensurate with risk appetite
• Common elements of a security culture across organizations
  • Privacy, internal controls
  • Protection of proprietary information
  • Laws
Employee vigilance and appropriate response are natural parts of the daily activities of every employee
Attitude Adjustment
• Attitude is important
  • Predictor of behavior
  • Motivator of behavior
  • Source of risk
    • Irrational behavior based on passion (love, anger)
• Attitude can be changed
  • Social Psychology
  • Fish!
PERSUASION: changing attitudes and behavior
Social Psychology
ATTITUDE = Affect + Behavior + Cognition
Influencing Behavior and Decision-Making
Sam Chun, CISSP: "Change that Attitude: The ABCs of a Persuasive Awareness Program"
ABC Model
• Affect
  • Emotional response
  • We are more likely to do activities that
    • Are fun or make us feel good
    • Avoid negative feelings (guilt, fear, pain)
• Behavior
  • Feedback for attitudes
  • Doing leads to liking
• Cognition
  • Opinions formed by reasoning
Influence Techniques
• Reciprocity
• Cognitive Dissonance
• Diffusion of Responsibility
• Individualization
• Group Dynamics
• Social Proof
• Authority
• Repetition
CONSISTENCY OF MESSAGE
Reciprocity
• Indebtedness
  • Obligation to reciprocate on a debt
• Trinkets
  • Lanyards, pens, mousepads, lunch bags
  • Simple slogan
  • Large ROI
Cognitive Dissonance
• Performing an action that is contrary to beliefs or attitude
• The natural response is to reduce the tension/discord
• Requiring people to repeat an unpopular procedure makes it more palatable
• Examples:
  • Mandatory, periodic change of password
  • Requirement for strong passwords
(Caveat: later guidance, NIST SP 800-63B (2017), advises against forced periodic password rotation absent evidence of compromise; the psychological point above applies to any mandatory but unpopular procedure, not to that control specifically.)
Diffusion of Responsibility
• Members of a group take less personal responsibility when group output, not individual contribution, is measured
• Avoid anonymity
• Remind employees that they are responsible for all system activity conducted under their logon
Otherwise the message degrades into "Cyber Security: It's Everyone's Job!" (and so no one's in particular)
Individualization
• The opposite of Diffusion of Responsibility
• Individual Accountability
  • ID badges
  • Personalized messages
  • In-person delivery
  • Individual rewards
Information Assurance – It's MY job too!
Group Dynamics
• In a group, individuals tend to adopt more extreme attitudes to a topic over time
• Diffusion of Responsibility
• Leaders tend to be those with stronger views, more extreme attitudes
• Group interaction will enhance security in a group that already has a propensity for security
• Peer Pressure
Social Proof
• People mimic others' behavior
• Be aware of informal communications
  • Most frequent
  • Must be on message
• Ensure good examples; discourage bad behavior
One ill-chosen comment from an influential person can undo months of awareness efforts
Obedience to Authority
• Natural tendency to obey authority
• Ensure executive commitment
• Ensure line manager buy-in
Message Multipliers: Senior Management Participation and Senior Leadership by Example
Repetition
• Repeated exposure to a consistent message can change attitudes
• The more familiar people are with policies and procedures, the more correct behavior is induced
• Use all channels of communication
  • Formal and Informal
  • Push and Pull
Caveat: "If a stimulus, originally an attention-getter, is used repeatedly, the learner will selectively ignore the stimulus." (NIST SP 800-16)
Fish! Approach to Work
• Choose Your Attitude
• Play
• Make Their Day
• Be Present
"Boost Morale and Improve Results" – Fish!, Lundin, Stephen C., Paul, Harry, and Christensen, John, Hyperion Books, 2000
Consistency
• Familiarity breeds contempt?
• Repetition induces liking
  • Chun: Change that Attitude
• Even a boring job can be fun
  • Fish!
Variety is the spice; Consistency the staple
Target Audience
• Every system user
• NIST defines 5 roles
  • Executives
  • Security Personnel
  • System Owners
  • System Administrators and IT Support
  • Operational Managers and System Users
The Awareness Team
• Senior Management
• CIO and CISO
• Functional Elements
• Security Professionals
• System Administrators
• Every individual employee!
The more YOU know, the stronger WE are!
Tailored Approach
• Mandatory annual awareness presentation for all
  • General
  • Real-world examples
    • Lots in the press about Identity Theft
  • Home PC Security
    • Bring the message home
• Other sessions tailored for particular groups
  • Targeted messages and examples
• Involve people in awareness to overcome their resistance to change
Individuals have different learning styles
Delivery
• Prior to being granted privileges
  • No access without awareness
• Periodically
  • Mandatory Annual Awareness
    • Classes or On-line
• Interim, short communiqués
  • E-mails, broadcasts, "Tip of the Day"
  • In response to new threats, vulnerabilities and policies
• Small group sessions
• Less formal events
  • Fairs, Awareness Days
  • Games – Security Jeopardy
• Push – Pull techniques
On-going Program
• Cultural change takes time
• Continuous program
  • Maintain employee awareness and organizational commitment
"Awareness presentations must be on-going, creative, and motivational, with the objective of focusing the learner's attention so that learning will be incorporated into conscious decision-making." (NIST SP 800-16)
ROI from Security Awareness
• Cost Avoidance
• Support of Mission Objectives
• Protection of Image
• Prevention of Down Time, Damage and Destruction
Security-conscious employees make better cyber citizens
Measurement of Program
Externally, in response to FISMA:
• Congress and OMB
  • Quarterly and Annually
• President's Management Agenda
• Congressional FISMA Grade
Internally:
• Quarterly Bureau Scorecards
• Feedback
What gets measured gets done!
Output vs. Outcome
• Outputs
  • Number of employees trained
• Outcomes
  • Fewer Audit Findings
  • Fewer material weaknesses
  • Fewer violations
  • Less severe incidents
  • Less repetition of errors
  • Less damage
  • Reduced cost of compliance
Measurement of People
• Measurement by organizational element
  • Peer pressure
• Measurement by individual
  • Awards/Rewards
  • Include in employee evaluation
  • Sanction by individual
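The delivery rules above (no access without awareness, mandatory annual refresh) and the measurement slides (bureau scorecards, outputs vs. outcomes, measurement by organizational element) are enforceable as a routine check against account and training records. The following is an added example, not code from the deck or from the Department of State: it takes constructed account and completion records (the field names, the 365-day refresh interval and the bureau labels are assumptions) and classifies each account, lists the accounts the awareness gate should have blocked, and computes a per-bureau scorecard so the measure is compliance by organizational element rather than a raw count of people trained.

```python
"""Awareness-compliance check: gate access on training and score by bureau.

Added example (not from the original presentation). Record layout, field
names, bureau labels and the 365-day refresh interval are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample account records: one row per account (not real data).
ACCOUNTS = [
    {"user": "asmith", "bureau": "BUREAU-A", "access_granted": date(2005, 3, 1)},
    {"user": "bjones", "bureau": "BUREAU-A", "access_granted": date(2005, 6, 15)},
    {"user": "cwu",    "bureau": "BUREAU-B", "access_granted": date(2004, 1, 10)},
    {"user": "dlee",   "bureau": "BUREAU-B", "access_granted": date(2005, 7, 1)},
]

# Constructed completion records: most recent awareness completion per user.
COMPLETIONS = {
    "asmith": date(2005, 2, 20),  # trained before access, within the last year
    "bjones": date(2005, 6, 20),  # trained only AFTER access was granted
    "cwu":    date(2004, 1, 5),   # trained before access, but more than a year ago
    # "dlee" has no completion on record at all
}

REFRESH_INTERVAL = timedelta(days=365)   # assumed: mandatory annual awareness
AS_OF = date(2005, 7, 20)                 # constructed reporting date


def account_status(account, completions, as_of):
    """Classify one account against 'no access without awareness, refreshed annually'.

    Returns one of:
      'never_trained'        no completion on record; access should not exist
      'trained_after_access' completion postdates the access grant; gate was bypassed
      'overdue'              last completion older than REFRESH_INTERVAL at `as_of`
      'current'              trained before access and refreshed within the interval
    """
    completed = completions.get(account["user"])
    if completed is None:
        return "never_trained"
    if completed > account["access_granted"]:
        return "trained_after_access"
    if as_of - completed > REFRESH_INTERVAL:
        return "overdue"
    return "current"


def awareness_report(accounts, completions, as_of):
    """Map every user to its status."""
    return {a["user"]: account_status(a, completions, as_of) for a in accounts}


def accounts_to_suspend(accounts, completions, as_of):
    """Accounts that fail the access gate outright (never trained, or trained
    only after access). 'overdue' users are flagged separately, not suspended here."""
    report = awareness_report(accounts, completions, as_of)
    return sorted(u for u, s in report.items()
                  if s in ("never_trained", "trained_after_access"))


def bureau_scorecard(accounts, completions, as_of):
    """Per-bureau percentage of accounts whose status is 'current'.

    Scoring by organizational element (an outcome measure) rather than by the
    number of people who sat the course (an output measure) is what lets
    bureaus be compared quarter over quarter.
    """
    totals, current = defaultdict(int), defaultdict(int)
    for a in accounts:
        totals[a["bureau"]] += 1
        if account_status(a, completions, as_of) == "current":
            current[a["bureau"]] += 1
    return {b: round(100.0 * current[b] / totals[b], 1) for b in totals}


if __name__ == "__main__":
    for user, status in awareness_report(ACCOUNTS, COMPLETIONS, AS_OF).items():
        print(f"{user:8} {status}")
    print("suspend:", accounts_to_suspend(ACCOUNTS, COMPLETIONS, AS_OF))
    print("scorecard (% current):", bureau_scorecard(ACCOUNTS, COMPLETIONS, AS_OF))
```

With the constructed data, bjones and dlee fail the gate (one trained only after being provisioned, one never trained), cwu is overdue for the annual refresh, and the scorecard shows BUREAU-A at 50% and BUREAU-B at 0%: the figures a quarterly bureau scorecard would publish, and a concrete form of "what gets measured gets done". In a real deployment the records would come from the identity store and the learning management system, and the suspend list would feed the provisioning workflow.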
Security Minded Culture
• When Employees …
  • Are aware of the threats, vulnerabilities and consequences of exploits
  • Recognize and report suspicious activity
  • Can discuss why controls are necessary
  • Take an active role in protecting information
A risk-managed approach balances security requirements and mission need
A Habit, not a Mandate
• If we understand why observing good information assurance practice is the right thing to do
• Then we will do things because we believe it's the right thing to do, rather than because we're told to do them
Assimilation: an individual incorporates new experiences into an existing behavior pattern
Challenge for Security Professionals
• Keep current on new threats, vulnerabilities and solutions
• Educate general users and senior management about threats and exploits; show them why cyber security is needed and what they can do to protect information
• Instill in all employees a feeling of shared responsibility
• Sell information security
It's a Dialogue
Security awareness personnel need to …
Understand
• The security climate
• Business objectives
• Line managers' concerns and problems
• Individual and group issues
Possess
• IT background and security knowledge
• Communication skills
• Marketing skills
• Business savvy
The Business Case for Security
• Use the language of business
• Show how security supports mission objectives
• Demonstrate the return on investment associated with good security
• Talk with management (and users) in terms they can understand – avoid the language barrier
Drop the "Geek Speak"
Summary
• Attitudes
• Behavior
• Culture
Whether it's a homogeneous group in a campus setting or a diverse, global workforce, a variety of techniques and a consistent message are needed
10 Cs of Information Security Culture
• Comedy
• Complete
• Consistent Message
• Customized Sessions
• Current, relevant content
• Communication Channels
• Common (plain) Language
• Commitment from Executives
• Continuing Awareness Program
• Compulsory Annual Awareness Offering
References
• Chun, Sam: "Change that Attitude: The ABCs of a Persuasive Awareness Program", Information Security Management Handbook, 5th Edition, Volume 2, Auerbach, 2005
• NIST Special Publication 800-53: "Recommended Security Controls for Federal Information Systems", Feb 2005
• NIST Special Publication 800-50: "Building an Information Technology Security Awareness and Training Program", Oct 2003
• de Zafra, Dorothea: "The Human Factor in Training Strategies", presentation to the Federal Computer Security Program Managers' Forum, Nov. 1991, as quoted in NIST SP 800-16
• NIST Special Publication 800-16: "Information Technology Security Training Requirements: A Role- and Performance-Based Model", April 1998
• Lundin, Stephen C., Paul, Harry, and Christensen, John: "FISH!", Hyperion Books, 2000
Contact Information
For further information or comments, please e-mail: CISO@State.gov
Subject: NY State CIOs