we need to influence employees’ behavior both within the workplace and when they are home or traveling.
wanted to achieve more than a level of compliance. I wanted to initiate a feeling of commitment.
The term compliant behavior implies making the minimum effort necessary to achieve good performance to a predefined standard.
Creating a culture of self-motivated commitment rather than compliance can make a big difference,
Dov Seidman. His group looked at behavioral differences between businesses with a culture of self-governance, in which an organization’s purpose and values inform employee decision-making and behavior, and those with a culture of blind obedience based on command-and-control and coercion.
Organizations based on self-governance experienced three times more employee loyalty and half as many incidents of misconduct, compared with organization...
To counter these new risks, we need to make employees aware and empowered, so they act as an effective part of the security perimeter.
We’ve found that another effective technique is to embed security and privacy training into business processes.
The focus on personal concerns is also a recognition that the way employees behave outside the office is as important to enterprise security as their behavior in the office.
Information Risk Executive Council
Ponemon Institute,
disruption. I think this example provides a useful metaphor for information security. Some security controls are like stop signs or barriers: we simply block access to technology or data. But if we can shape the behavior of employees rather than blocking them altogether, we’ll allow employees, and therefore the company, to move faster.
we’ve found that the productivity benefits easily outweigh the risks.
The CIO’s conclusion was that employees simply take better care of devices when they use them for personal purposes. Due to the lower loss rates, the company saved money.
Adoption of disk encryption accelerated when states began passing privacy protection laws, and the consequences of data theft increased as a consequence.
Data Breach Investigations Report,
To compete, suppliers focus on bringing products to market faster and adding new features, rather than on improving quality.
that the commitment of employees is as important as the policies and procedures you have in place.
we’re implementing monitoring technology that tracks users’ logins and access attempts.
our strategy is to make login information available to users so that they can act as part of the perimeter,
spot anomalous access attempts.
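One way to put login information in front of users so they can spot anomalous access, as an added example that is not code from the book or from the author's organization. It assumes a simple pipe-separated authentication log (timestamp, user, result, source IP, country, client); the log lines, field layout, and the failure-burst thresholds are constructed for illustration, and the baseline logic is a minimal sketch of the idea, not a production profile.

```python
"""Show users their own login activity and flag what looks anomalous.

Added example, not code from the book or from the author's organization.
It assumes a simple authentication log with one event per line and '|'
separated fields: ISO timestamp, user, result, source IP, country, client.
The log, field layout and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_WINDOW = timedelta(minutes=5)   # assumed: failures this close to a success
FAILURE_THRESHOLD = 3                   # assumed: this many make it a burst

# Constructed sample log: alice's usual pattern, then a burst of failures
# and a success from an unfamiliar country and client.
SAMPLE_LOG = """\
2024-03-04T08:12:01|alice|success|203.0.113.5|US|Chrome/Win
2024-03-04T09:03:17|alice|success|203.0.113.5|US|Chrome/Win
2024-03-05T08:40:22|alice|success|203.0.113.5|US|Chrome/Win
2024-03-06T02:15:09|alice|failure|198.51.100.77|RO|curl/8.0
2024-03-06T02:15:12|alice|failure|198.51.100.77|RO|curl/8.0
2024-03-06T02:15:14|alice|failure|198.51.100.77|RO|curl/8.0
2024-03-06T02:15:20|alice|success|198.51.100.77|RO|curl/8.0
2024-03-06T08:30:00|alice|success|203.0.113.5|US|Chrome/Win
2024-03-04T10:00:00|bob|success|192.0.2.10|DE|Firefox/Linux
2024-03-06T10:05:00|bob|success|192.0.2.10|DE|Firefox/Linux
"""


def parse_log(text):
    """Parse the log into dicts, oldest event first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, ip, country, client = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "ip": ip, "country": country,
                       "client": client})
    events.sort(key=lambda e: e["ts"])
    return events


def review_logins(text):
    """Return {user: [successful login + set of flags, ...]}.

    Flags are judged against the user's own earlier, unflagged successes:
    new_country / new_client for values never seen before, after_failures
    when the success follows a burst of failures from the same IP.
    """
    seen_countries = defaultdict(set)
    seen_clients = defaultdict(set)
    failures = defaultdict(list)          # (user, ip) -> failure timestamps
    report = defaultdict(list)
    for e in parse_log(text):
        user, key = e["user"], (e["user"], e["ip"])
        if e["result"] != "success":
            failures[key].append(e["ts"])
            continue
        flags = set()
        # Novelty is only meaningful once a baseline exists.
        if seen_countries[user] and e["country"] not in seen_countries[user]:
            flags.add("new_country")
        if seen_clients[user] and e["client"] not in seen_clients[user]:
            flags.add("new_client")
        burst = [t for t in failures[key]
                 if e["ts"] - FAILURE_WINDOW <= t < e["ts"]]
        if len(burst) >= FAILURE_THRESHOLD:
            flags.add("after_failures")
        # A flagged login does not join the baseline until the user
        # confirms it was really them; otherwise an attacker would
        # teach the profile to accept their device.
        if not flags:
            seen_countries[user].add(e["country"])
            seen_clients[user].add(e["client"])
        report[user].append({**e, "flags": flags})
    return dict(report)


def format_report(user, entries):
    """Render the 'recent activity' view a user would see, flagged rows first."""
    rows = []
    for e in sorted(entries, key=lambda e: (not e["flags"], e["ts"])):
        mark = "CHECK: " + ", ".join(sorted(e["flags"])) if e["flags"] else "ok"
        rows.append(f'{e["ts"]:%Y-%m-%d %H:%M}  {e["ip"]:<15} {e["country"]}  '
                    f'{e["client"]:<14} {mark}')
    return f"Recent sign-ins for {user}\n" + "\n".join(rows)


if __name__ == "__main__":
    for user, entries in review_logins(SAMPLE_LOG).items():
        print(format_report(user, entries), end="\n\n")
```

The point of the user-facing view is that the user knows things the monitoring system cannot: whether they were really in that country, whether they ever use that client. Flagged rows are shown first so the one line that matters is not buried under routine logins, and a flagged login is deliberately kept out of the baseline until the user confirms it.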
It’s up to us, as security professionals, to recognize that people, policy, and technology are all fundamental components of any security system, and to create strategies that balance these components.
we need to create a sense of personal commitment and security ownership among our employees.
More data is online and vulnerable to attack, and millions of new Internet-connected devices are inevitably introducing new risks.
help information security groups stay ahead of the attackers and focus their limited resources on mitigating the most important threats.
The security team relies on external sources, such as news feeds and alerts, as well as informal anecdotes, to gather information about emerging threats.
risks are incorporated into plans on an ad hoc basis, and not all risks are adequately mitigated.
people outside the security group remain unaware of emerging risks and don’t know how to respond when they experience an attack.
We use a product life cycle analogy to track threats as they mature from theoretical risks into full-blown exploits.
mine a diverse variety of sources to get a more complete picture of immediate and future threats.
research a wide range of individual security topics in depth.
mine academic research and hacker discussion forums, and they network with other...
scan the regulatory horizon to identify upcoming law...
communicate with each other frequently to identify areas of potential overlap.
predict the likely evolution of each threat based on the trends we’ve identified.
introducing simple yet effective measures to reduce the risk that catastrophes will occur.
These actions usually undermine even the most rigorous system-level controls,
Studies have shown users trust social media services more than other information sources—a user is more likely to click a link if it appears to have been sent by a social media “friend.”
The exploitation of trust also extends to the relationships between systems.
we anticipate trust will become a commodity that is bought and sold.
The digital reputation of systems and services will become critically important.
In the past, tokens of trust, such as digital certificates and social computing credentials, were stolen for immediate use. In the future, they will be stolen so they can be sold in underground markets. The value of these tokens depends upon the access they...
I expect social engineering attacks will continue to present significant risks because they exploit human weaknesses and will adapt to take advantage of new technologies.
To reduce the risk to the enterprise, we need to make users more security-aware and influence them to act in more secure ways.
Our adversaries gravitate toward the path of least resistance.
several of these barriers have begun to crumble as a result of trends such as cloud computing, lower-cost communications components, and commodity malware toolsets.
the environment becomes more complex with millions of new devices, each running its own operating system and collection of applications.
There is no silver-bullet solution for eliminating edge-case insecurities.
it has become clear that security through obscurity is poor security. To quote the maxim coined by Claude Shannon, one of the founders of modern computing: “The enemy knows the system.”
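An added illustration of the maxim, not code from the book: two ways of issuing a per-user token, one whose only protection is that the recipe and a constant baked into the code are unknown, and one whose algorithm is public and whose secret is a key generated at deployment. The token formats, the constant, the user name and the attacker's key guess are all constructed for this example.

```python
"""Kerckhoffs's principle in practice: a token scheme whose secret is in the
code versus one whose secret is a key.

Added example, not code from the book. Both token formats, the constant
and the user names are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# "Proprietary" scheme: the only thing keeping the token unforgeable is
# that nobody outside the team knows the constant and the hash recipe.
# The constant ships in every deployed copy of the code.
BAKED_IN_CONSTANT = b"s3cr3t-sauce-v2"


def obscure_token(user: str) -> str:
    return hashlib.sha256(BAKED_IN_CONSTANT + user.encode()).hexdigest()


def verify_obscure(user: str, token: str) -> bool:
    return hmac.compare_digest(obscure_token(user), token)


# Keyed scheme: the algorithm (HMAC-SHA256) is public; the only secret is a
# key generated at deployment and kept outside the code base.
def new_key() -> bytes:
    return secrets.token_bytes(32)


def keyed_token(user: str, key: bytes) -> str:
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()


def verify_keyed(user: str, token: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_token(user, key), token)


def attacker_forge(user: str, key_guess: bytes) -> tuple:
    """The enemy knows the system: the attacker has the source, including
    the constant, but not the deployment key. Returns a forgery per scheme."""
    obscure = hashlib.sha256(BAKED_IN_CONSTANT + user.encode()).hexdigest()
    keyed = hmac.new(key_guess, user.encode(), hashlib.sha256).hexdigest()
    return obscure, keyed


def demonstrate() -> dict:
    """Run both schemes against an attacker who has read the code."""
    key = new_key()
    forged_obscure, forged_keyed = attacker_forge("admin", key_guess=b"admin123")
    return {
        "obscure_forgery_accepted": verify_obscure("admin", forged_obscure),
        "keyed_forgery_accepted": verify_keyed("admin", forged_keyed, key),
        "keyed_genuine_accepted": verify_keyed("admin", keyed_token("admin", key), key),
    }


if __name__ == "__main__":
    print(demonstrate())
```

Once the source is in the attacker's hands (a leaked repository, a decompiled client, a departed contractor) the obscure scheme is fully broken and every deployment using it must be rewritten. The keyed scheme survives full disclosure of its code; recovery after a compromise is a key rotation rather than a redesign.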