What a shopping cart reveals about security awareness

Tokens, Shopping Carts and Security Awareness

What can grocery-shopping carts teach us about building security awareness that works to influence behavior change? Turns out perhaps more than imagined. During a recent hotel stay, I took a trip to a local grocery store to buy some snacks. I pulled into the lot, parked and headed to the store. Since I only needed [...]

Why the definition of security awareness matters


Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm. ~ Donella Meadows

Considering the meaning, purpose and expression of security awareness is a personal and professional pursuit. In fact, it’s my sole focus and the reason [...]

RV Adventure inspired Awareness that Works™

As the son of a son of a sailor
I went out on the sea for adventure
Expanding the view of the captain and crew
Like a man just released from indenture
As a dreamer of dreams and a travelin’ man
I have chalked up many a mile
Read dozens of books about heroes and [...]

Three Ways to Make Awareness Measurable


By Julie Fugett

So much of what we do in information security is immediately measurable: how many packets did the firewall drop? How many security incidents did we handle this week? Elsewhere, however, our reach can be more difficult to measure. How effective is our awareness program? Are we talking about the right topics to [...]

Improve your security awareness training with pedometers

The goal in building an effective security awareness training campaign is changing behaviors. While there are many factors to consider, an important factor is useful feedback, presented in a meaningful way to the end user. Many of the security awareness training programs we evaluate use measures to point out when users do something wrong – for example, using pink or red tape flags or other notices when people violate a clean desk policy. People are then surprised when these measures fail. Put yourself in their shoes – do you like being told you’re wrong all the time?…

USA Today ran a story entitled, “Pedometers may encourage weight loss” (By CARLA K…. Turns out that people looking to lose weight through increased movement get good results when they use a pedometer. They have a challenge and an external tool helping them keep track; they write their progress in a journal, which has three distinct benefits:

1…. they have a record of their events, so they can establish a trend and measure progress (or understand lack of progress)
3. they establish a challenge for themselves – and a good (and reasonable) challenge motivates!

While the motivations for losing weight and protecting information may be different – how would your security awareness training be improved if you provided user-friendly feedback that could reinforce behaviors?

Into the Breach is in the home stretch; I’m headed to Charlotte to finish it up

I’ve heard other authors exclaim that at the end of the writing process, it felt as if they were ready to give birth — and couldn’t wait for this labor of love to be done…. Now that I’m nearing the home stretch of this book, I’m starting to understand… Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It has been under development long enough! I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently. I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos…. Seriously, though, my best friend lives in Charlotte – and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas. The more they tell me about the region, the more I’m inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book.

I could use your help

If you live or do business in Charlotte – I would love to speak with you, or even meet with you in the next two weeks. I’m seriously considering moving our business there — and I’d like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like…. I’m happy to share.

When you will get the book

I plan to have the galley copies out by the end of the month to my review team…. I promise I’ll do what I can to get this information to you and into the hands of decision makers as soon as I can. I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance.

Online Advertising: The Start of a Long Debate

Yet today, instead of confronting meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect Americans’ online experience and not stifle internet growth…. They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination. Online privacy has become a major concern, especially in light of the news earlier this year that Google was purchasing internet advertising giant DoubleClick…. The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising. Social-networking sites are also trying to earn profits by allowing large advertising firms to mine for information on their subscriber pages to determine members’ interests and what specialized advertisements would be delivered to them…. The court ruled against the plaintiffs, citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user’s activities on a DoubleClick-affiliated web site…. As a result of these legal and business developments, the FTC has to take a more active involvement in slowing down the pace of behavioral targeting…. Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits-all model that would stifle the economics on which internet innovation relies…. The concerns for consumer privacy should also be taken in tandem with the economic model that continues to fuel new technological advancements.

The Google-DoubleClick acquisition has put online privacy at the forefront of government concern.

Do Data-Breach Laws Give You The Power to Hold Corporations Liable?

Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect…. In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.

Minnesota PCI Legislation

Effective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation – Michael). The state’s new Plastic Card Security Act would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic strip data…. In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.” So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.

Consequences for the Courts

As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security breach. The argument that courts have made in cases like Pisciotta will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information…. 

Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners. While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches…. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).

Preparing for the change

As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion…. Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and, hopefully, will improve the way they guard information.

TSC Insight: Do Email Disclaimers Matter?

I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question – do email disclaimers matter? During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient)…. With the help of Patrick Romero, this is what we found:

Some Background on Disclaimers

Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability…. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message…. However, ECPA defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”…

Can encryption provide privacy and confidentiality for email?

I have spent a lot of time reminding people recently that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption. I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications…. 
In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details). Encryption solutions are available for commercial and personal use….

Think before you press send.

One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do). Every organization should put in place a company policy with regards to sending confidential information through e-mail….

In the end, some do, some don’t and you get to choose

Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers.

Welcome Patrick Romero to the Security Catalyst Team!

You may have noticed the new look and feel for the Security Catalyst Blog. We’re in the process of rolling out a brand new website, as well as a more focused blog and podcast. To help, I am pleased to welcome Patrick Romero to the team. He has an impressive background, has served our country well – and is passionate about information protection. Patrick is currently in law school, and will be contributing on a weekly basis.

Meet Patrick

Patrick Romero is a second-year law student at New York Law School and is concentrating on issues of internet law. He graduated from Connecticut College cum laude with double majors in international relations and economics and was a member of Pi Sigma Alpha. He also attended the Arabic Language Institute at the American University in Cairo (AUC) prior to attending law school. Mr. Romero served as a Staff Sergeant in the United States Army Multi-National Security Transition Command in Baghdad, Iraq from 2004-2005. During this time, he was awarded many military medals, including the Combat Action Badge, Joint Service Commendation Badge, Iraq Campaign Medal, Armed Forces Overseas Ribbon and the U.S. Army Commendation Medal.