Beyond Security Awareness Achieving culture and avoiding fatigue

Transcription

1 Beyond Security Awareness Achieving culture and avoiding fatigue Prof. Steven Furnell Centre for Security, Communications & Network Research University of Plymouth United Kingdom

2 Session Content Introduction Security Awareness Fatigue and Bad Practices Understanding Security Behaviour Conclusions

3 Introduction It is increasingly recognised that technology alone cannot solve security the attitudes, awareness, behaviour and capabilities of users can have significant influence Factors such as lack of understanding and unreasonable demands from technologies can dramatically impede users security efforts Employers have a significant role to play in helping to overcome the challenges

4 The Security Hurdles Perception Priority Responsibility Confidence Capability Usability

5 Security Awareness

6 Getting users to act securely Without adequate awareness, users may neglect to consider security, leading them to: open unknown attachments, without considering the possibility that they could contain malware select obviously weak passwords, or share their access with other people, thereby leaving their account vulnerable to misuse become complacent about warning messages from applications or the operating system, simply selecting the OK button without reading messages in order to make them disappear neglect safeguards such as making backup copies of their data

7 The need for awareness DTI ISBS 2000: 16% claimed that lack of training was the reason for their most significant incident in the previous year Ernst & Young GISS 2002: 66% cited employee awareness as a barrier to effective security PWC ISBS 2010: Last paragraph of Executive Summary states: Given the rising level of breaches seen in the survey it is more critical than ever that organisations raise security awareness among all their staff

8 Promoting Security How is it done? Source: DTI/BERR ISBS

9 Investment in training Percentage of Security Budget Source : CSI 2009

10 Investment in training Adequacy of investment Source : CSI 2009 Survey assessed four areas: End-user Security Awareness Training Regulatory Compliance Efforts Security Technology Security Service Training was the only case in which the majority view was too little

11 It s not enough! Many do not do enough about awareness AND Awareness alone is not enough anyway even security-aware users can reject and disobey it Going beyond awareness requires buy-in users need to understand, accept and engage with security as part of their natural behaviour This is unlikely to be the default position

12 Fatigue and Bad Practices

13 Getting users to act securely Without adequate awareness, users may neglect to consider security, leading them to: open unknown attachments, without considering the possibility that they could contain malware select obviously weak passwords, or share their access with other people, thereby leaving their account vulnerable to misuse become complacent about warning messages from applications or the operating system, simply selecting the OK button without reading messages in order to make them disappear neglect safeguards such as making backup copies of their data

14 Explaining bad practice Despite widespread recognition, many fail to follow good security practice maybe due to lack of awareness, skill or investment failings can still happen despite these being in place Often relates to how people perceive security, and how it is promoted to them many already see a barrier rather than an enabler starts from a disadvantage for gaining user acceptance SAI Global Information Security Awareness Survey 2008 (>1,280 respondents) - almost 1/3 believed security interfered with their ability to get the job done

15 Security Fatigue A threshold at which it simply gets too hard or burdensome for users to maintain security This is not simply disregarding security or not being bothered with it at all a gradual process of decline people have been following good practice but then drift (or completely switch) into becoming tired or disillusioned with it Adds a further dimension to what may already be an uphill struggle

16 Why Security Fatigue? Lacey suggests that security is basically about persuading people to do things they don t want to do at the least it often requires users to adopt behaviours that may not come naturally to them May become amenable if enthusiasm can be generated through (e.g. via security education) this may wane over time as the novelty wears off Already lower on the to do list than a variety of must do productivity tasks fatigue will increase the ease of slipping down the list

17 A Fatigue Example User Account Control Introduced within Windows Vista Limits application software to standard user privileges unless an administrator specifically grants additional permissions intention to prevent malware compromising the OS Manner of implementation meant users could be continually interrupted by UAC dialogues asking permission for software to run Many quickly got frustrated and sought to turn it off then fatigued in another way, with Vista continually reporting that UAC was switched off!

18 A Fatigue Example User Account Control Microsoft is on record as suggesting that UAC was specifically intended to annoy users Behaviour toned down in Windows 7 dialogues no longer appear in relation to actions directly initiated by the user via mouse or keyboard

19 Potential to fatigue us A fundamental factor that can cause fatigue is that controls become more demanding the longer you use them e.g. passwords and the need to change them while the underlying mechanism remains the same, the more passwords you have had, the more difficult it is to choose and remember new ones so, if used correctly, the overall approach is progressively more demanding Meanwhile, other controls (e.g. backup) levy a consistent overhead once operational they just need to be set up in the first instance

20 Factors of Fatigue Effort what the security requires of the user in order to achieve compliance (e.g. frequency and extent of activities). Difficulty how easy it is to provide the required effort relates to how the security concept has been realised in practice (e.g. ease of use etc) Importance how the user perceives and prioritises the need to secure a given asset reflects their motivation to keep going despite effort and convenience issues of the related controls

21 The measure of Fatigue Effort and Difficulty are essentially judged relative to Importance to determine Fatigue: Potential Fatigue = Effort x Difficulty Importance

22 The complicating factor Gaining actual values for each factor is easier said than done Difficulty and Importance will in turn be affected by several underlying influences: difficulty will depend upon how security has been presented (encompassing issues such as usability) plus what the user understands of the technology and/or task involved importance will relate to the priority placed by the organisation (assuming a workplace scenario), plus a highly subjective element based upon individuals perceptions

23 More complications Factors may evolve over time and influence each other: e.g. a task initially seen as important, but requiring much effort to adhere to (or found to be difficult to implement) may lose its perceived importance over time i.e. the user becomes fatigued by a task, influenced by the required effort and difficulty, and justifies lowering its importance if a task becomes easier over time and requires less effort to perform, or the user gains a deeper understanding of the need for it, then the perceived importance of the task may increase effectively offsetting fatigue Therefore, effort, difficulty and importance are involved in a continuous feedback loop with each potentially affecting the others

24 Implications of fatigue Users may try to find workarounds to avoid controls if they do not fully understand the risks of doing so e.g. turn off Automatic Updates to avoid interruption by restarts Fatigue could be a major issue in preventing people from adhering to security practices one bad experience could affect attitudes towards other encounters in the future if users decide that security is something that they don t like, then in future they may behave as if they are fatigued from the outset As a user becomes more fatigued, the less security compliant they will become

25 Understanding Security Behaviour

26 Users security behaviour Often not a simple case of being secure or insecure Individual commitment to security can be categorised on a scale reflecting: their acceptance of the issue the consequent compliance exhibited in their behaviour Yields a set of resulting levels of compliance and non-compliance

27 Non-compliance Compliance Categorising staff behaviour Culture Commitment Obedience Awareness Ignorance Apathy Resistance Disobedience The ideal state, in which security is implicitly part of the user s natural behaviour. Security is not a natural part of behaviour, but if provided with appropriate guidance/leadership then users accept the need for it and make an associated effort. Users may not fully understand or buy into the principles, but can be made to comply via appropriate authority (i.e. implying a greater level of enforcement than simply providing guidance). Users are aware of their role in information security, but are not necessarily fully complying with the associated practices or behaviour as yet. Users remain unaware of security issues and so may introduce inadvertent adverse effects. Users are aware of their role in protecting information assets, but are not motivated to adhere to good information security practices. Users work against security, through factors such as laziness and disregard for known procedures. Users actively work against security, with insider abusers intentionally breaking the rules and circumventing controls.

28 Staff compliance and disruption within organisations Culture Degree of Compliance Commitment Obedience Awareness Ignorance Apathy Resistance Disob. Degree of Non- Compliance Source: Furnell and Thomson, 2009

29 Considering the boundaries Not necessarily a clear boundary between compliance and non-compliance awareness and ignorance categories can be considered a grey zone resulting user behaviours not consistently compliant or non-compliant Staff in the middle area are likely to share similar characteristics relatively easy to effect a transition into the compliance category?

30 Towards disobedience Users at lower levels (apathy, resistance, disobedience) all possess security knowledge but have chosen to reject it a different basis for non-compliance to those acting out of ignorance increasing levels of severity as we move down the list Need to cultivate buy-in and support rather than just educate them about security

31 A realistic target? The level of compliance will rarely be homogenised across an organisation even the compliance of an individual may vary depending upon context Achieving the culture state across all users may not be viable natural distribution is likely to be as shown in the diagram getting them all at least into a compliance category is a worthy target

32 Points to note More difficult to get compliance once fatigue has set in once the threshold has been reached it may not be possible to tangibly reduce fatigue Identify those who have reached the threshold could enable compensation via additional checks, reminders etc May be necessary to revive the security message being sent throughout an organisation reduce the potential for a seen it all before attitude

33 Relating Influences to Job / Role Policy Framework Supervision / Leadership Colleague Behaviour Organisation -controlled Behaviour (a work-in-progress model) Personality Filter Situation Filter Security Behaviour Prior Experience Claimed Benefits Media Coverage Organisation -independent Source: Rajendran, Furnell and Gabriel, 2011

34 Conclusions

35 Conclusions It is all too easy to focus upon technology and forget the people that use it Awareness and training are essential but are not a panacea More awareness may not deliver more tolerance overexposure could lead to apathy that would exacerbate the issue repeatedly receiving the message without evidence of a breach could engender complacency Need to properly consider how to pitch and communicate the messages

36 Conclusions The way in which security is promoted should depend upon the people involved Recognition of the compliance categories can help to inform awareness-raising framing messages to reach different portions of the the audience Requires a flexible approach to security awareness varying the approach and the message according to the context of the user

37 References From culture to disobedience: Recognising the varying user acceptance of IT security S.Furnell and K.Thomson Computer Fraud & Security February 2009, pp5-10. Recognising and addressing security fatigue S.Furnell and K.Thomson Computer Fraud & Security November 2009, pp7-11.

38 Prof. Steven Furnell Centre for Security, Communications & Network Research