We’re struggling to manage cyber security risk. Partly it’s because attackers are more agile than defenders. But it’s also because we struggle to get accurate information to make good risk management decisions. To make good risk management decisions we need to understand who the threat actors are, their capabilities, how likely it is that we…
DetailsShould we try to reason with criminals? Is the threat of punishment the only influence that criminals will respond to? What should we do when we suspect people are taking data with them when they leave a company, leaking to the competition or stealing equipment from the office but can’t prove it? As well as…
DetailsIn our efforts to promote secure behaviour, our task is often made more difficult by the fact that often the people we need to influence are often not the same people who would suffer in the event of a security breach. Typically, the people who would suffer most in the event of a breach are…
DetailsMost people have no idea of the dozens of ways that their information could be used to cause them harm. As security professionals, we try to raise awareness that all information and computers have an intrinsic value. That no matter how small or trivial, someone out there would like to steal it, leak it or…
DetailsSo you’re an IT geek and you’ve just been put in charge of your organisation’s security awareness? If only there was a manual or a white paper about how to program those tricky humans to be more reliable. Unfortunately, there’s no such batch job as fix_humans. The next best thing is to build your understanding…
DetailsWhen it comes to security awareness, there’s no such thing as a blank canvas. Your audience will already have pre-conceived notions about your topic. The language, tone and media you use will invoke associations in people’s mind, both helpful and unhelpful. These associations will influence how people view the root causes, likelihood and potential outcomes.…
DetailsWhy do people ignore security warnings? Why do they pay attention to some advice but ignore others? Why are spammers and phishers apparently so good at getting people’s attention? Over the course of each day, we often receive dozens of warnings. We’re told that web sites are using untrusted certificates, that downloads might harm our computers and that scripts may be unsafe. We’re so used to these warnings that we hardly even notice them anymore. But what makes an effective warning message? Why do people stop and consider some messages but happily ignore others?
DetailsSenior management support® is something often mentioned as critical to the success of an information security awareness campaign. There are a number of reasons for this. Firstly, senior management help direct the usage of resources within the organization. Without their support, you won’t get much of a training budget, permission to take staff away from productive duties and you might even struggle to get a room booking. Secondly, managers set the tone for behavior in the organization and it’s common for staff to imitate their manager. This is often exhibited in the way they dress like their managers and also when they behave like their managers. Do your managers scoff that ‘the rules’ are for everyone else? That training is only for the IT-illiterate and don’t bother to show up? The bad news is that many of your staff will copy these behaviors.
DetailsA common objective of information security awareness is to encourage whistleblowers to use internal mechanisms to report their concerns. External whistleblowing and the airing of concerns in public view risks brand damage and exposure of sensitive information. The Snowden affair has shown how divided we are on the ethics of external whistleblowing. To date, much of the debate has been speculation about Snowden’s character flaws. Sometimes when trying to understand a controversial decision such as Snowden’s it helps to understand the chain of events leading up to the decision since failures in complex systems can rarely be given justice in a single newsbyte. In this case there are a series of failures that occurred prior to the employee of a subcontractor deciding to flee the country and leak sensitive information to foreign journalists:
DetailsAs I escorted him to his desk I became conscious that everyone was looking at me. I did all the usual self-checks of fly, food on face and freaky hair but came up negative on all counts. When someone had tailgated me through a secure door I had challenged them. Rather than leave them outside when they didn’t have their pass with them I offered to walk them to their desk. I found his manager who told me with an expression more serious than a budget facelift: ‘Yes, of course he works here – he’s hardly here for the view’. What had encountered amongst the engineers at this small satellite office was a very different security culture than what I was used to with my head office, ivory tower view of the world. The culture that I had encountered worked on high levels of trust. They all trusted Dave so couldn’t understand why I didn’t (even thought I’d never met him). I less than a block from the head office of this organisation and yet the security culture was completely different. For me, the experience was an eye opener that effort is needed to understand not just if people are following security policy but the extent to which policy is reflected in security culture.
Details
