Information Assurance Awareness, Training, Education at the U.S.
New York State Higher Education CIO Conference
West Point - July 2005
Building an Information Security Culture in a Global Enterprise
Jane Scott Norris, CISSP CISM
Chief Information Security Officer
U.S. Department of State
Information Security Program
Designed to Protect INFORMATION
Policy and Procedures
• To support business objectives while considering security requirements
Informing users of their responsibilities
• Employees must know policies, understand their obligations, and actively comply
Monitoring and review of program
Information Security Drivers
Constantly changing IT
Increasing connectivity
Rush to market
Readily available hacking tools
Increasing Risk
Only as strong as the weakest link
Insider threat is always greatest: deliberate, careless, irrational or uninformed
3 Waves of Information Security
Technical Wave
• Authentication and access control
Management Wave
• Policies, procedures
• CISO and separate security staff
Institutionalization Wave
• Information Security Awareness
• Information Security Culture
• Standardization, certification and measurement
Human Aspects
Von Solms (2000)
It’s A People Problem
Information and Information Systems Security:
Products: H/W and S/W
Processes: Management, Operational
People: Users, Administrators
Ensuring that employees receive tailored and timely awareness, training, and education is paramount to maintaining effective security
The Security Gap
Security technology is essential
• Firewalls, anti-virus, intrusion detection, encryption etc.
Technology is not enough
• Gartner: 80% of downtime is due to people and processes
The tighter the security controls, the harder they are to break, and so the target becomes the user
• Technology can make it difficult to forge IDs but can’t stop people getting real IDs under fake names
Technology can never stop social engineering
• People are still tricked into disclosing their passwords
Creating and maintaining a security culture is critical for closing the security gap
People and Machines
Security controls deal with known risk
People spot irregularities
Employees that are security conscious and correctly trained
• Develop a “feeling” for what is “normal” behavior
• Recognize unusual, unexpected behavior
Employees need to
• Adapt to new scenarios
• Report and act on incidents
A well informed workforce helps to promulgate good security habits, and to identify and mitigate problems quickly
Awareness, Training & Education
Comparative Framework

Attribute                | Awareness                      | Training                                   | Education
Level                    | Information                    | Knowledge                                  | Insight
Learning Objective       | Recognition & Retention        | Skill                                      | Understanding
Example Teaching Method  | Media:                         | Practical Instruction:                     | Theoretical Instruction:
                         | - Videos                       | - Lecture and/or demo                      | - Seminar and discussion
                         | - Newsletters                  | - Case study                               | - Reading and study
                         | - Posters                      | - Hands-on practice                        | - Research
Test Measure             | True/False, Multiple Choice    | Problem Solving: Recognition & Resolution  | Essay
                         | (identify learning)            | (apply learning)                           | (interpret learning)
Impact Timeframe         | Short-Term                     | Intermediate                               | Long-Term

“The Human Factor in Training Strategies” by Dorothea de Zafra, Nov. 1991 as quoted in NIST SP 800-16
Security Awareness Program
Communicate security requirements
• Policy, rules of behavior
Communicate Roles and Responsibilities
Improve understanding of proper security procedures
• At work and at home
Serve as basis for monitoring and sanctions program
Majority of organizations view security awareness as important, although they do not believe they invest enough in this area.
2004 CSI/FBI Computer Crime and Security Survey
NIST Guidance
NIST SP 800-53
“An effective information security program should include … security awareness training to inform personnel of the information security risks associated with their activities and responsibilities in complying with organizational policies and procedures designed to reduce these risks”
NIST SP 800-50
“Awareness involves guiding and motivating people on appropriate behaviors”
NIST SP 800-16
The fundamental value of security awareness is to create “a change in attitudes which change the organizational culture”
Information Security Culture
Information Security culture must complement the Organizational culture
• Congruent with the mission
• Commensurate with risk appetite
Common elements of a security culture across organizations
• Privacy, internal controls
• Protection of proprietary information
• Laws
Employee vigilance and appropriate response are a natural part of every employee’s daily activities
Attitude Adjustment
Attitude is important
• Predictor of Behavior
• Motivator of Behavior
• Source of Risk
• Irrational behavior based on passion (love, anger)
Attitude can be changed
• Social Psychology
• Fish!
PERSUASION: Changing attitudes and behavior
Social Psychology
ATTITUDE: Affect, Behavior, Cognition
Influencing Behavior and Decision-Making
Sam Chun, CISSP: Change that Attitude: The ABCs of a Persuasive Awareness Program
ABC Model
Affect
• Emotional response
• More likely to do activities that are fun or make us feel good, and to avoid negative feelings (guilt, fear, pain)
Behavior
• Feedback for attitudes
• Doing leads to liking
Cognition
• Opinions formed by reasoning
Influence Techniques
Reciprocity
Cognitive Dissonance
Diffusion of Responsibility
Individualization
Group Dynamics
Social Proof
Authority
Repetition
CONSISTENCY OF MESSAGE
Reciprocity
o Indebtedness
• Obligation to reciprocate on debt
o Trinkets
• Lanyards, pens, mousepads, lunch bags
• Simple slogan
Large ROI
Cognitive Dissonance
o Performing an action that is contrary to beliefs or attitude
o Natural response is to reduce the tension/discord
o Requirement to repeat unpopular procedure makes it more palatable
Examples:
• Mandatory, periodic change of password
• Requirement for Strong passwords
Diffusion of Responsibility
o Members of a group take less personal responsibility when group output, not individual contribution, is measured
o Avoid anonymity
Remind employees that they are responsible for all system activity conducted under their logon
Cyber Security: It’s Everyone’s Job!
Individualization
o Opposite of Diffusion of Responsibility
o Individual Accountability
• ID badges
• Personalized messages
• In-person delivery
• Individual rewards
Information Assurance – It’s MY job too!
Group Dynamics
o In a group, individuals tend to adopt more extreme attitudes to a topic over time
• Diffusion of Responsibility
• Leaders tend to be those with stronger views, more extreme attitudes
Group interaction will enhance security in a group that has a propensity for security
Peer Pressure
Social Proof
o People mimic others’ behavior
Be aware of informal communications
• Most frequent
• Must be on message
Ensure good examples; discourage bad behavior
One ill-chosen comment from an influential person can undo months of awareness efforts
Obedience to Authority
o Natural tendency to obey authority
Ensure executive commitment
Ensure line manager buy-in
Message Multipliers: Senior Management Participation and Senior Leadership by Example
Repetition
o Repeated exposure to a consistent message can change attitudes
The more familiar employees are with policies and procedures, the more correct behavior is induced
Use all channels of communication
• Formal and Informal
• Push and Pull
If a stimulus, originally an attention-getter, is used repeatedly, the learner will selectively ignore the stimulus. NIST SP 800-16
Fish! Approach to Work
Choose Your Attitude
Play
Make Their Day
Be Present
“Boost Morale and Improve Results”
Fish!
Lundin, Stephen C.; Paul, Harry; and Christensen, John
Hyperion Books, 2000
Consistency
Familiarity breeds contempt?
Repetition induces liking
• Chun: Change that Attitude
Even a boring job can be fun
• Fish!
Variety is the spice; Consistency the Staple
Target Audience
Every system user
NIST defines 5 roles
• Executives
• Security Personnel
• Systems Owners
• Systems Admin and IT Support
• Operational Managers and System Users
The Awareness Team
Senior Management
CIO and CISO
Functional Elements
Security Professionals
System Administrators
Every individual employee!
The more YOU know, the stronger WE are!
Tailored Approach
Mandatory annual awareness presentation for all
• General
• Real world examples
• Lots in the Press about Identity Theft
Home PC Security
• Bring the message home
Other sessions tailored for particular groups
• Targeted messages and examples
Involve people in awareness to overcome their resistance to change
Individuals have different learning styles
Delivery
Prior to being granted privileges
• No access without awareness
Periodically
• Mandatory Annual Awareness
• Classes or On-line
Interim, short communiqués
• E-mails, broadcasts, “Tip of the Day”
• In response to new threats, vulnerabilities and policies
Small group sessions
Less formal events
• Fairs, Awareness Days
• Games – Security Jeopardy
Push – Pull techniques
On-going Program
Cultural Change takes time
Continuous Program
Maintain employee awareness and organizational commitment
Awareness presentations must be on-going, creative, and motivational, with the objective of focusing the learner’s attention so that learning will be incorporated into conscious decision-making. NIST SP 800-16
ROI from Security Awareness
Cost Avoidance
Support of Mission Objectives
Protection of Image
Prevention of Down Time, Damage and Destruction
Security conscious employees make better cyber citizens
Measurement of Program
Externally in response to FISMA:
• Congress and OMB
• Quarterly and Annually
• President’s Management Agenda
• Congress FISMA Grade
Internally:
• Quarterly Bureau Scorecards
• Feedback
What gets measured gets done!
Output vs. Outcome
Outputs
• Number of employees trained
Outcomes
• Fewer Audit Findings
• Fewer material weaknesses
• Fewer violations
• Less severe incidents
• Less repetition of errors
• Less damage
• Reduced cost of compliance
Measurement of People
Measurement by organizational element
• Peer pressure
Measurement by individual
• Awards/Rewards
• Include in employee evaluation
Sanction by individual
Security Minded Culture
When Employees …
• Are aware of the threats, vulnerabilities and consequences of exploits
• Recognize and report suspicious activity
• Can discuss why controls are necessary
• Take an active role in protecting information
A risk managed approach balances security requirements and mission need
A Habit, not a Mandate
If we understand why observing good information assurance practice is the right thing to do
Then we will do things because we believe it’s the right thing to do, rather than because we’re told to do them
Assimilation: An individual incorporates new experiences into an existing behavior pattern
Challenge for Security Professionals
• Keep current on new threats, vulnerabilities and solutions
• Educate general users and senior management on threats and exploits. Show them why cyber security is needed and what they can do to protect information
• Instill in all employees a feeling of shared responsibility
• Sell information security
It’s a Dialogue
Security Awareness personnel need to …
Understand
• Security climate
• Business objectives
• Line managers’ concerns, problems
• Individual and group issues
Possess
• IT Background and security knowledge
• Communication Skills
• Marketing Skills
• Business Savvy
The Business Case for Security
Use the language of business
Show how security supports mission objectives
Demonstrate the return on investment associated with good security
Talk with management (and users) in terms they can understand – avoid the language barrier
Drop the “Geek Speak”
Summary
Attitudes
Behavior
Culture
Whether it’s a homogeneous group in a campus setting or a diverse, global workforce, a variety of techniques and consistency of message are needed
10 Cs of Information Security Culture
1. Comedy
2. Complete
3. Consistent Message
4. Customized Sessions
5. Current, relevant content
6. Communication Channels
7. Common (plain) Language
8. Commitment from Executives
9. Continuing Awareness Program
10. Compulsory Annual Awareness Offering
References
• Chun, Sam: “Change that Attitude: The ABCs of a Persuasive Awareness Program”, Information Security Management Handbook, 5th Edition, Volume 2, Auerbach, 2005
• NIST Special Publication 800-53: “Recommended Security Controls for Federal Information Systems”, Feb 2005
• NIST Special Publication 800-50: “Building an Information Technology Security Awareness and Training Program”, Oct 2003
• de Zafra, Dorothea: “The Human Factor in Training Strategies”, presentation to the Federal Computer Security Program Managers’ Forum, Nov. 1991, as quoted in NIST SP 800-16
• NIST Special Publication 800-16: “Information Technology Security Training Requirements: A Role- and Performance-Based Model”, April 1998
• Lundin, Stephen C.; Paul, Harry; and Christensen, John: “FISH!”, Hyperion Books, 2000
Contact Information
For further information or comments, please e-mail:
[email protected]
Subject: NY State CIOs