The importance of information security awareness - Interview with Gary Hinson

Gary Hinson, CEO of IsecT Ltd. and the brains behind NoticeBored. Gary has extensive practical experience of information security, having worked in, managed and provided consultancy support to information security and IT audit functions for large multinationals in financial services, pharmaceuticals, civil & military aerospace and high technology industries since the mid 1980s. Through an innovative information security awareness service, NoticeBored, he proactively researches and debunks all sorts of information security topics for global customers.

Gary spent some time answering questions posted by Asok Ramachandran, security researcher for whatsyourisq.com. The questions covered a broad range of aspects associated with information security awareness.

Interview questionnaire for Gary Hinson

Asok: Tell us a bit about how you became interested in the “human aspect of information security” i.e. information security awareness?

Gary: It’s something that developed gradually over the course of my career in the field of IT governance (information security management, IT audit and IT risk management). The audit work, in particular, led me to realize that “computer problems” are in fact almost always “people problems” - usually mistakes or misunderstandings by the people that designed and developed software, and sometimes staff and management issues around the way the systems are specified and used. Actual computer errors or failures are much rarer. They mostly do exactly what they are told to do, software bugs notwithstanding. If you accept that basic premise, the obvious next question is ‘So what can we do about it?’ and that’s where security awareness comes in.

Asok: How important is information security awareness for a business?

Gary: It’s a vital element of the information security control mix. Without awareness, people are ignorant of, or simply ignore, the instructions and good advice from management and security professionals. They are under pressure to do their jobs and, if that means taking security shortcuts, they are really not bothered. A $50k firewall can be subverted by an insider unknowingly installing malicious software or innocently installing a WiFi router on the internal network “to make things easier”.

Asok: From your experience can you enumerate some specific areas of human vulnerabilities, for example case studies, that have compromised the information security of organizations?

Gary: There are so many examples - where do I start?! OK, let me tell you about a situation I came across as an auditor, involving intellectual property theft. A major business incident had occurred when an IT maintenance contract went badly wrong. The contractors ripped out the old systems running the plant before the new systems were ready. Delays in the development meant that production was down for months, not the days or maybe a week originally planned. The Procurement person responsible for the maintenance contract was suspected of foul play and was ‘let go’. On his last day at work, he was seen by fellow employees carrying several large black bags to his car … Imagine my surprise to find that all the paperwork relating to the contract negotiation had disappeared, and the Procurement person was now working for the contractor. Nobody had had the sense to stop him removing the evidence or check what he was doing, they just watched, mute. There was no ‘exit interview’ where keys and other important assets were handed over and the company’s policies on protecting its intellectual property reiterated in no uncertain terms. Local managers were naïve and simply did not appreciate the significance of their inaction. Other employees noticed what was happening but also did nothing about it, not even reporting it to management at the time. It was one big costly mess, one of those ‘learning opportunities’ that we all wish we’d never experienced!

Asok: Information security awareness is an “intangible component”? It is difficult to measure an ROI for information security awareness? Do you agree or disagree? Can you elaborate on your viewpoint?

Gary: I think “metrics” is the hardest area of information security at the present time. Measuring the financial return on any security or risk management investment is always difficult, but not totally impossible. The central issue is that you are trying to reduce the probability and/or impact of future security incidents that are not easy to predict. Antivirus controls are relatively simple to cost-benefit justify since there are so many malware incidents that it’s not too hard to measure the pre-control level, estimate and project the ongoing costs (lost productivity, support costs, reinstatement of lost data etc.), then see what happens when antivirus software is installed. Antispyware controls are more awkward to justify in the same way since it is harder to measure the costs (how would you value the potential loss of confidential information to an unknown hacker? We would spend ages arguing over the measurement methods alone!). Furthermore, it is impossible to know for sure what level of spyware incidents might have happened if we had not implemented antispyware. Might it have gone down anyway, even if we had done nothing at all? Security awareness is harder again. Properly done, security awareness is a general control that affects the entire organization, creating a ‘security culture’. People are just a bit more wary of risky situations and a bit more knowledgeable about which situations are risky. They know what to do if something bad happens. These kinds of quite subtle behavioral changes are difficult to identify, let alone measure. Proving that improved security awareness, specifically, reduces the probability/impact of incidents is all but impossible in any real world situation, although as a scientist by training, I’m sure I could come up with a suitable experimental design involving the comparison of a control group without security awareness against one with it.

Perhaps a better way of looking at this is to examine the business case for NOT implementing a decent security awareness program. There will obviously be savings on the costs of the program although those costs are generally much less than people realize, especially compared to technical security measures such as firewalls and intrusion detection/prevention systems. There will however also be ongoing losses arising from security incidents that would have been avoided or at least ameliorated if an effective security awareness program was running. People will not know as much about their security obligations imposed by corporate policies, laws and regulations, and by generally recommended security practices (such as those promoted by ISO/IEC 27002 and other security standards and guidelines). They will fail to report security incidents promptly, allowing the losses to continue for longer than necessary. They will also fail to get the best value from other security investments due to ignorance and carelessness. Perhaps worst of all, management will be uncertain about the status of the organization’s security - they may be over-confident in controls that are not operating correctly (leading to unanticipated incidents and losses) or reluctant to trust their people to behave securely (inhibiting business initiatives that would otherwise have been fine).

Finally, actually measuring security awareness is indeed a worthy challenge. As you say, it is an intangible thing. Market survey and other techniques work quite well though, not just to obtain metrics but also for the feedback and improvement suggestions that arise.

Asok: From your observations and experience do Management understand the importance of information security awareness? Are they able to see value in this?

Gary: They can do, provided it’s explained to them in business terms. As a profession, IT people are great at communicating complex issues amongst our peers but terrible at relating to non-geeks. The archetypal image of geeks as socially inept recluses, totally absorbed with the technology, is not far from the truth (myself included!). By the same token, older generations of managers grew up in a world without IT and sometimes lack the skills and understanding necessary to manage it. We need to find common ground. Most younger managers are more technically competent but even they do not automatically appreciate the value and fragility of information. Focusing on information, as opposed to IT or computer, security has the potential to bring us all to the same table. Very few important business processes these days would exist let alone survive without information, hence there is a heavy reliance on the IT systems and networks. Information security is about providing that reliability, the resilience to unanticipated and unwelcome incidents, and more besides. It’s about how people use the technology too. Security awareness is about putting these points across, promoting comprehension and most of all changing the way people behave. Management need security awareness every bit as much as the rest of us!

Our Generic business case for information security awareness white paper is very popular. Lots of Information Security Managers have used it as the basis for budget proposals and strategies for security awareness programs. The details vary of course but it’s a good starting point that clarifies the linkages between business success and information security through awareness.

Asok: You have worked quite a lot in the ISO 27001 domain. Has the specific inclusion of section “A.8.0 - Human Resources Security” helped to gain more focus on information security awareness?

Gary: Frankly, no, at least not yet. It’s still early days for the ISO/IEC 27000-family of information security management systems standards although they are increasingly being accepted and adopted worldwide. Section 8 recommends that information security be aligned with and integrated into HR/employment practices from before people are offered a job until after they leave. There’s an obvious parallel here with the integration of security into the entire software development lifecycle from outline specification through to decommissioning. Security awareness, training and education activities are valuable at every stage.

Asok: The biggest challenge for spreading information security awareness is the acceptance by the end-user (employees and 3rd parties). It is also safe to say that even the CEO is an end-user from a security perspective. What would you do differently to make people adopt good security practices?

Gary: Better, more engaging employee communications are key. It’s not enough to put some formal information security policies (often written in a curious pseudo-legal language almost guaranteed to confuse the reader!) on the intranet, or to put the whole workforce through an annual “security awareness session” (sheep-dipping, as I call it). Employees are not empty vessels into which security knowledge can be poured. They need to be interested, engaged, persuaded, motivated. This is a gradual and painstaking process, patiently demonstrating that it is in their personal interest to take account of security when handling information and explaining in simple terms how to do so. I like to promote true multimedia communications - much more than just online training/Learning Management Systems which have their place but are certainly not the Ultimate Solution. I’m talking about combining the written with the spoken word, for example security seminars ideally presented by an impassioned security evangelist and accompanied by straightforward handouts such as guidelines or longer briefings. Case studies make excellent learning tools too, especially if the case in question is bang up to date and relevant to the local situation. We often use recent news cuttings about security incidents, drawing out the security lessons through group discussion around some deceptively simple questions (with model answers to help the seminar leaders along if inspiration dries up!).

Getting back to your point about the CEO, senior management has a different perspective on the organization to middle/junior managers and staff. They have a more strategic, holistic and long-term interest which requires a different style of security awareness material. They are intrigued by the strategic possibilities that solid information security can open up for the organization. They might need some help to make the conceptual connections between information security, information management and business strategies, but once the light goes on, genuine top management support for information security energizes the whole organization. It’s surprising how effective a simple statement of support from the top dog can be in persuading lower levels of the hierarchy to pay attention! If security targets get woven into personal development objectives, so much the better.

Asok: Often security is criticized for slowing down work. Do you think the opposite is true? Would you be able to share some examples of good information security practices actually increasing productivity for the business?

Gary: I know of situations where information security programs have enabled the business to do more things as well as do the same old things more securely - eBusiness is a classic example. Nobody these days would be foolhardy enough to put their credit card processing database applications directly on the Web, would they? Oh hang on, let’s backtrack a moment. IT and IT security involve complex technologies, all too easily misconfigured through ignorance and/or carelessness. Hackers, cybercriminals and IT fraudsters thrive on the opportunities opened up by such mistakes. The headlong rush to market that characterized the first wave of eBusinesses in the late 1990s inevitably compromised security. Second and third generation eBusinesses have learnt their lessons and incorporate information security from the ground up. The banking industry finds itself in a bit of a pickle right now because they are conservative by nature, slow adopters you might say. Only now are they bolting multifactor authentication front ends into the banking systems and it will be another few years before online banking systems are truly secure.

Here in New Zealand, our eBay equivalent is TradeMe, a highly successful online auction service that takes a very proactive stance on security. The clever people behind TradeMe are constantly reacting to new security and fraud threats, appreciating that consumer confidence in the trading platform is critical to their continued success. They have established close working relationships with our Police force and the banks, for example identifying someone using stolen credit cards for purchases on different auctions, linking them through common logon IDs, email addresses, phone numbers etc. This kind of multiparty cooperation on information security is an emerging trend that is supported by a common appreciation of standards such as the ISO/IEC 27000-family. It leads to a safer business environment for all concerned.

Asok: Currently the single most preferred medium for spreading information security awareness is “training” which is often dry, long and boring. Some organizations have taken a step further and use emails, posters etc. Is there a different way to spread awareness, I mean in a more creative way?

Gary: Training courses have their place and needn’t necessarily be boring, though I agree they often are. NIST’s Special Publication SP800-50, Building an Information Technology Security Awareness and Training Program, is recommended reading for anyone planning a professional approach to security awareness, training and education activities. It helps for a start by clarifying the differences between those terms.

As to creative awareness approaches, there’s so much one can do. Here are a few of my favorite techniques:

- While the annual sheep-dip approach brings things quickly to the boil, it soon cools off and is stone cold within a few weeks. Rolling or continuous security awareness programs keep things gently simmering along by drip-feeding information in smaller, easily digested packages. It also, by the way, lets people pick up on security when they have a spare moment rather than making them take time away from the day job for security.

- Rolling awareness programs lend themselves to topic-based education. We pick a different information security topic every month. Some prefer more or less frequent updates but we find a month is long enough to go into some depth on a focus area such as social engineering without boring the pants off everyone. All 30-odd topics in our portfolio revolve around the same core tenets of information security: confidentiality, integrity and availability.

- The audience for security awareness is not just an amorphous blob - “employees”. There are distinct groups within the organization that have differing needs. I’ve already mentioned management who, in the main, appreciate the business-view of security. Staff in general tend to respond better to the personal-view, “What’s in it for me [and my family]?” IT professionals are a third target audience, sadly often neglected. We expect IT to implement, maintain and use security technologies, so shouldn’t we make sure they understand the technology and give them a bit of a clue about what we need them to do? It seems patently obvious to me!

- “Multimedia” means far more to me than animated cartoon graphics with a dreadful voice-over. By individually addressing the audiences noted above, employees get consistent messages from their seniors, peers and subordinates, and perhaps from the people in IT, not just from the awareness materials themselves. We actively encourage security awareness people to get out there and interact with their audiences instead of sitting in their offices. Putting stuff on the intranet and sending a few emails is fine but something like a “black bag run” (trawling the offices out of hours for ‘contraband’ - confidential materials left on display - and rewarding those who have clear desks with a token gift or even a simple note) can bring security to life. Right now, I’m working with a security manager on a presentation to his senior management, accompanied by an investment proposal and strategy, all around security awareness. His chances of success on the big day ahead will be significantly increased by going to meet the Directors individually ahead of the Board meeting, not just to outline his proposal but to seek their input to it along with guidance on the process. Security awareness is not a spectator sport!

- Well-written security awareness materials draw people in like a good story. They describe a situation, explain the implications and end with a call-to-action. We borrow techniques from the world of advertising, for example, to help present security as an integral and necessary part of everyday business, focusing on the outcomes rather than the means. We use topical news stories to illustrate the risks and pick out the security lessons from the likes of TJX and Enron. We incorporate mind maps and diagrams for those who prefer pictures to words. We bring a touch of humor to sweeten the pill.

- Quizzes, puzzles and competitions all help to liven things up a bit. It’s OK to have fun while learning - ask any six year old! Sure, security is an important topic but it needn’t be dry as a bone. [Don’t fall into the trap of treating your adult audience literally like six year olds though - we’re talking about adult education here not kindergarten.]

Asok: Finally, what would you say was the “killer app”, the one thing that makes information security awareness an absolute imperative for organizations as we enter 2008?

Gary: It’s the idea of building a genuine, widespread security culture. Information security professionals often say that security is everyone’s responsibility, yet in most organizations it is left almost entirely to the information security function or IT. To my mind, an organization of 1,000 people has 2,000 security ears and eyes. Making security “the way we do things around here” is not something you can achieve overnight. It takes persistence and creativity. It needs senior management understanding and support, coupled with highly effective employee communications. The pay-off comes when an office cleaner notices and reports an unlocked filing cabinet; when a junior in HR recognizes and responds appropriately to a potential social engineering attempt; when a middle manager sets aside some of the development project budget for security architecture. Under the right circumstances, any one of these could save more than the entire security awareness budget.

Thank you very much for the opportunity to spout-off about security awareness, my favorite topic. I’m fascinated by your own approach to this issue and look forward to seeing things develop in the forthcoming months. Have a happy new year and good luck with your exciting new venture.

References

Please visit the embedded URLs or contact Gary Hinson (Gary at isect dot com) for further information.