Non-Malicious Security Violations



Similar documents
1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

7 Risks of Dropbox to Your Corporate Data

Internet Security Priorities. Benenson Strategy Group and American Viewpoint December 20, 2013

(U) Law Enforcement at Risk for Harassment and Identity Theft through Doxing

Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION

Vulnerabilities: A 360 Degree Approach

Social Media Single Sign-On: Could You Be Sharing More than Your Password?

Insider Threat: Focus on Suspicious Behaviours

Cyber Liability. What School Districts Need to Know

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

The Growing Importance of Social Media in the UK Labour Market. Adecco Group UK & Ireland

DETECT. LEARN. ADAPT. DEFEND. WIN EVERY ATTACK.

Impact of Data Breaches

Modern two-factor authentication: Easy. Affordable. Secure.

CLOUD ADOPTION & RISK IN GOVERMENT REPORT

SOCIAL MEDIA: LEVERAGING VALUE WHILE MITIGATING RISK

Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

PHI- Protected Health Information

PREPARED TESTIMONY OF THE NATIONAL CYBER SECURITY ALLIANCE MICHAEL KAISER, EXECUTIVE DIRECTOR ON THE STATE OF CYBERSECURITY AND SMALL BUSINESS

U. S. Attorney Office Northern District of Texas March 2013

Chapter 6: Fundamental Cloud Security

How to Justify Your Security Assessment Budget

Knowing Your Enemy How Your Business is Attacked. Andrew Rogoyski June 2014

Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks

Managing the Ongoing Challenge of Insider Threats

WRITTEN TESTIMONY OF

Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

Advanced Biometric Technology

CSIS Security Research and Intelligence Research paper: Threats when using Online Social Networks Date: 16/

Chapter 1: Introduction

The Year 2013 Has Become 1984

The problem with privileged users: What you don t know can hurt you

Fire Risk Assessment Network

Human Resources Policies and Procedures

Developing a robust cyber security governance framework 16 April 2015

Image credits: Front cover: U.S. Army photo by Sgt. Brandon Little, Task Force XII PAO, MND-B Inside back cover: U.S Army photo by Staff Sgt.

Presented by Evan Sylvester, CISSP

October 24, Mitigating Legal and Business Risks of Cyber Breaches

Cybersecurity Threats, Responses & Best Practices Claudia Rast Butzel Long rast@butzel.com Scott Bailey N1 Discovery scott.bailey@n1discovery.

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

My Docs Online HIPAA Compliance

I ve been breached! Now what?

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government

Attitudes to Use of Social Networks in the Workplace and Protection of Personal Data

Session 11 : (additional) Cloud Computing Advantages and Disadvantages

White Paper: Are there Payment Threats Lurking in Your Hospital?

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Protect Yourself. Who is asking? What information are they asking for? Why do they need it?

Privacy Liability & Data Breach Management Nikos Georgopoulos 1 st Athens Privacy & Data Breach Management Conference

Identity theft: A situation of worry

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

2011 Cyber Security and the Advanced Persistent Threat A Holistic View

Social Media and Cyber Safety

Supplier Vigilance: A Critical Layer of Defense

Technical Testing. Network Testing DATA SHEET

Table of Contents CLOUD ADOPTION RISK REPORT INTRODUCTION...2 SENSITIVE DATA IN THE CLOUD...3

Security in an Increasingly Threatened World. SMS: A better way of doing Two Factor Authentication (2FA)

A Small Business Approach to Big Business Cyber Security. Brent Bettis, CISSP 23 September, 2014

Wireless (In)Security Trends in the Enterprise

ACE European Risk Briefing 2012

Transcription:

Non-Malicious Security Violations Carl D. Willis-Ford Senior Technical Advisor II, SRA International, Inc. Senior Member, ISSA Doctoral Candidate, Capitol College

Speaker Background 9 years U.S. Navy, nuclear reactor operator, fast attack submarines 25+ years experience: Data Management, IT process, Technical Management, B.S. Computer Science (1993) M.S. Network Security (2006) M.S. Technology Management (2008) CIO University Certificate (Federal Executive Competencies), GSA/CIOC (2008) Doctor of Science in Information Assurance, 2014 (expected) 2

What do we mean by NMSVs? Intentional self-benefiting without malicious intent voluntary rule breaking possibly causing damage or security risk Guo, et al. (2011) The most common reasons for NMSVs: To make job easier or more convenient (or doable) To help a co-worker 3

Common NMSVs, Part 1 Ponemon Institute (2012) 4

Common NMSVs, Part 2 5

Example (from a 3M privacy filter ad) 6

Real-World Example #1 January 2012 conference call between FBI and U.K. s Serious Organized Crime Agency (SOCA) Subject of call was to discuss strategies in handling hacktivist group Anonymous Recorded call was released by Anonymous in early February After arrests in March, details revealed: Hacker had compromised home email accounts of Irish police officers, one of whom had forwarded conference call details from his business account to his home (Gmail) account. he didn t want to drive into the office for the call 7

Real-World Example #2 Snowden case Investigation into how he was able to access such a wide array of information Reports are that he talked at least one co-worker (possibly several) into either giving him their passwords or typing their passwords on his computer to give him one-time access (he copied what they typed). Snowden s actions were malicious (social engineering) Co-workers actions were NMSVs 8

Real World Example #3 Do you know this woman? she wants to be your friend 9

The Robin Sage Experiment December 2009 to January 2010 Fake Facebook, Twitter, LinkedIn profiles, posing as a Cyber Threat Analyst Sent requests and established social network connections with over 300 security professionals Men and women of all ages NSA, DoD, and Global 500 companies Results Deployed troops discussing locations and movement Consulting opportunities from Lockheed Martin and Google Given business sensitive documents for review Able to determine answers to password change questions based on information provided in online conversations http://media.blackhat.com/bh-us-10/whitepapers/ryan/blackhat-usa-2010-ryan-getting-in-bed-with-robin-sage-v1.0.pdf 10

Under the Radar or not? Snowden widely reported as having stolen passwords, when, at least initially, they apparently given to him or voluntarily typed into his machine to give him access Verizon Data Breach report includes NMSVs as accidents Computer Security Institute s annual survey, as of 2009, recognizes malicious vs. non-malicious security violations 2010/2011 survey 14.5%: over 80% of financial losses due to NMSVs. Anecdotally: NMSVs frequently open the door to other attacks, which get more publicized. 11

MeriTalk Research, October 2013 Interviewed IA professionals and end users at unspecified government agencies Half of all breaches caused by lack of user compliance Only 40% of security pros say that focus is on end-user experience with security 20% of end users recalled an instance where they were unable to complete a work assignment on time due to security measures 31% of end users say they use some kind of security workaround at least once/week 12

MeriTalk Research, October 2013 MeriTalk, 2013 13

From research sources: Prioritizing the end user experience Strategies MeriTalk survey: think about the end user trying to follow policy in their daily work rhythm. Help them figure out how to get things done while being compliant Ban personal thumb drives but don t allow purchase through organization Single Sign-On Look to Industrial Safety Programs Traditional view of risk communication in awareness training is flawed to achieve effective and efficient communications it is critical to understand the relevant beliefs of the audience. It is not enough to know what behaviours exist that are causing information security risk. Communicators must understand why the behaviour is occurring which requires an understanding of an audience s constraints and supporting beliefs. Stewart & Lacey, 2012 14

Strategies Educate users on risks to organization MeriTalk survey Adams & Sasse (2009) Herath & Rao (2009) relative advantage for job performance, perceived security risk, workgroup norm, and perceived identity match are the key predictors of intent to perform NMSVs. (Guo, Yuan, Archer, & Connelly(2011) Cert Insider Threat Team Training and awareness programs should focus on enhancing staff s recognition of the UIT problem and help individuals identify possible cognitive biases and limitations that might put them at a higher risk of committing such errors or judgment lapses Overcome the convenience factor 15

Resources Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42(12), 40 46 Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28(2), 203 236. Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154 165 MeriTalk: The Cyber Security Experience, October 15, 2013 Stewart, G., & Lacey, D. (2012). Death by a thousand facts. Information Management & Computer Security, 20(1), 29 38 CERT Insider Threat Team. (2013) Unintentional insider threats: A foundational study. 16

Contact Information Carl Willis-Ford carl_willis-ford@sra.com LinkedIn: Carl Willis-Ford (http://www.linkedin.com/in/srxdba/) 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information