Security: The Human Factor

PAUL KEARNEY
Copyright Date: 2010
Published by: IT Governance Publishing
Pages: 60
https://www.jstor.org/stable/j.ctt5hh5gj
    Book Description:

    This pocket guide is based on the approach used by BT to protect its own data security – one that draws on the capabilities of both people and technology. The guide will prove invaluable for IT managers, information security officers and business executives.

    eISBN: 978-1-84928-064-8
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. FOREWORD
    (pp. 5-6)
    Ray Stanton

    The security of information — corporate, commercial and personal — is under greater threat than ever before.

    The reason is a simple one. We are all caught up in an ‘arms race’ between a guerrilla army of thieves, hackers and mischief-makers on one side, and an equally determined force of ‘good guys’ on the other. As more and more of our lives go online and digital, the stakes are getting higher and higher.

    So who are the good guys manning the defences?

    It’s tempting to focus solely on security professionals. They are, after all, the people who have the best understanding of...

  3. PREFACE
    (pp. 7-7)
    Paul Kearney
  4. ABOUT THE AUTHOR
    (pp. 8-8)
  5. Table of Contents
    (pp. 9-9)
  6. INTRODUCTION
    (pp. 10-13)

    Damage to reputation and brand image, loss of revenue and customer base, leakage of IPR and commercial information to competitors, fines and criminal prosecution, are among the consequences for organisations that suffer security breaches.

    Advances in information technology multiply the potential magnitude of breaches, and the speed at which their consequences propagate. Simultaneously, cybercriminals have grown organised and professional, served by a black economy in stolen information and malware toolkits. Every enterprise needs to be aware of the risks it is exposed to, must review and refresh its security measures continually, and must be ever-vigilant in case of their failure....

  7. CHAPTER 1: CARELESSNESS
    (pp. 14-18)

    Let’s look at some of the ways that human nature can contribute to security breaches, beginning with carelessness.

    Barely a week goes by without a report of a laptop, or a USB stick containing sensitive information, being left on a train, or being stolen when left in plain view on the back seat of a car. Modern electronic equipment is highly portable, and can hold staggering amounts of data. Employees are actively encouraged to take advantage of this portability, to work on the move, and at home, so they can hardly be criticised when they do. We’re not just talking...

  8. CHAPTER 2: ACCIDENTAL DISCLOSURE
    (pp. 19-21)

    This brings me nicely to my next topic — the accidental disclosure of information.

    Even the heads of security-conscious organisations accidentally disclose data they are trying to protect. In April 2009, for example, Britain’s most senior anti-terrorist policeman got out of a car and walked into Downing Street clutching a pile of paperwork⁸. On top of the pile, a page marked ‘secret’ was clearly visible. It set out plans for smashing what was thought to be a terrorist cell in Manchester.

    Unfortunately, the bystanders included media photographers, equipped with high-resolution cameras, telephoto lenses, and so on. The government acted quickly to...

  9. CHAPTER 3: PEOPLE ARE INTELLIGENT
    (pp. 22-24)

    Computers will follow instructions reliably, as long as they are consistent and unambiguous. Humans may not do what they are told, if they don’t see the point, but they will try to make sense of unclear instructions, and can cope in situations where instructions don’t apply.

    Often, employees are faced with a choice between getting on with their job, and incurring delays and inconvenience by complying with security policy. An example of this is a policy that requires staff to use only their own individual accounts in an environment such as a shop or a hospital, where many...

  10. CHAPTER 4: AN ASIDE: PASSWORD POLICIES
    (pp. 25-29)

    Password policies provide an interesting case study in the design of security procedures. Some say their days are numbered — that biometrics, smart-cards, and other such technologies, will replace them — but for some considerable time to come, organisations will control who can access their networks and IT systems, using usernames and passwords.

    To be effective in security terms, a password must be remembered by its owner, but to all intents and purposes be a random jumble of characters to anyone else.

    Unfortunately, people often choose passwords that are easy to remember — and are almost as easy for others to guess.

    In...

  11. CHAPTER 5: PEOPLE ARE HELPFUL AND TRUSTING
    (pp. 30-35)

    It is natural for staff to trust people they encounter in the course of their work — especially those who are, or who seem to be, colleagues, customers or suppliers — and to try to assist them if they need help.

    We are taught at our mother’s knee that it is polite to hold open the door for the person following. Even if we can’t see their pass, then it’s probably under that jacket, or in a pocket.

    But that well-dressed businessman in a hurry, tailgating his way through the security door, could well be intent on industrial espionage. And what about...

  12. CHAPTER 6: HARNESSING HUMAN QUALITIES TO IMPROVE SECURITY
    (pp. 36-39)

    As promised, I will now turn to look at what can be done to utilise human qualities, to improve enterprise security. Later, we will consider human factors in relation to processes and technology.

    Awareness and training are fundamental. People can only help in preventing security breaches, if they are aware of the dangers, and are taught secure behaviours as part of their normal work training. An enterprise must promote a culture in which employees share the responsibility of defending the company against attack — one in which everyone knows how to behave responsibly, is alert to potential problems and understands what...

  13. CHAPTER 7: WHY RAISE AWARENESS?
    (pp. 40-42)

    According to the European Network and Information Security Agency (ENISA)²⁴, an information security awareness programme will:

    Provide a focal point and a driving force for a range of awareness, training and educational activities related to information security, some of which might already be in place, but perhaps need to be better co-ordinated and more effective.

    Communicate important recommended guidelines, or practices, required to secure information resources.

    Provide general and specific information about information security risks and controls, to people who need to know.

    Make individuals aware of their responsibilities in relation to information security.

    Motivate individuals to adopt recommended guidelines...

  14. CHAPTER 8: BEYOND AWARENESS
    (pp. 43-45)

    As important as awareness campaigns and compulsory training are, they can only go so far. Training works best when it is regularly reinforced by experience, and this is a problem in the case of security. Successful security is measured by the absence of bad events, rather than the occurrence of good ones. Consequently, opportunities to reinforce positive behaviour are limited. As mentioned above, punishing staff involved in security breaches, except in cases of deliberate intent, or blatant recklessness, is not a good idea. It encourages secrecy, and gets in the way of learning, on an individual and organisational level.

    For...

  15. CHAPTER 9: THE EXTENDED ENTERPRISE
    (pp. 46-48)

    In today’s complex and challenging world, few companies can do everything themselves. Most need to focus where they excel, and call on outside expertise to get other tasks done. If the outsourcing contractor needs access to sensitive or personal data, you need to consider the security awareness of its staff, as well as your own. It is important, therefore, to assess the contractor’s security policies, processes and culture, as an integral part of selection procedures.

    The sample security policy on outsourcing drafted by the ISO27k Implementers’ Forum, makes it clear what companies should expect²⁶:

    5.4.3 Suitable information security awareness, training...

  16. CHAPTER 10: PROCESS DESIGN
    (pp. 49-51)

    Security is essentially about managing certain categories of operational risk, typically referred to as ‘CIA’ — Confidentiality, Integrity and Availability.

    Standards, such as ISO27001, provide best-practice guidance in designing, setting up, operating, and improving institutions and procedures, based on risk management principles. These are known as Information Security Management Systems.

    However, it is just as vital to take security into account when designing normal business processes. Security tends to be the ‘Cinderella’ requirement, considered belatedly as an add-on, or retrospectively, as a result of a breach or a near-miss. As a result, conflicts between security and, for example, productivity, are not...

  17. CHAPTER 11: USABILITY
    (pp. 52-56)

    Butler Lampson³² cites two main reasons for software being insecure: bugs and conflicts. The conflicts he is referring to are between the desire for more bells and whistles, faster time to market, lower cost and greater security. To these I would add poor usability as a distinct issue.

    No matter how much you spend trying to educate people about information security, you’ll face an uphill struggle if your systems and processes are hard for them to understand, or use. There are two ways of looking at the problem, that are best treated as complementary approaches, to be used in combination:...

  18. CHAPTER 12: AND FINALLY...
    (pp. 57-57)

    If you are responsible for the security of your organisation’s information and IT systems, follow these five simple steps, to make sure members of your workforce know precisely what you expect of them:

    Set the scene — Make sure everyone knows why security matters to the organisation, to its customers, and to their jobs. Make it clear it’s what the CEO wants them to do, and is what the CEO is doing him- or herself.

    Train everyone — Explain clearly, and simply, what you want people to do, and why they should do it. Reinforce the message at team level, making sure...

  19. ITG RESOURCES
    (pp. 58-60)