The Psychology of Information Security
eBook - ePub

The Psychology of Information Security

Resolving conflicts between security compliance and human behaviour

  1. 116 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Ensure the success of your security programme by understanding users' motivations

"This book cuts to the heart of many of the challenges in risk management, providing advice and tips from interviews as well as models that can be employed easily. Leron manages to do this without being patronising or prescriptive, making it an easy read with some very real practical takeaways."

Thom Langford, Chief Information Security Officer at Publicis Groupe

"Based on real world examples the book provides valuable insights into the relationship of information security, compliance, business economics and decision theory. Drawing on interdisciplinary studies, commentary from the field and his own research Leron gives the reader the necessary background and practical tools to drive improvements in their own information security program."

Daniel Schatz, Director for Threat & Vulnerability Management at Thomson Reuters

In today's corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company's assets and mitigate risks to the furthest extent possible.

Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users' core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.

This can be addressed by factoring in an individual's perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company's best assets.

Product description

Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.

The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour, helping security professionals understand how a security culture that puts risk into context promotes compliance.

Contents

  • Chapter 1: Introduction to information security
  • Chapter 2: Risk management
  • Chapter 3: The complexity of risk management
  • Chapter 4: Stakeholders and communication
  • Chapter 5: Information security governance
  • Chapter 6: Problems with policies
  • Chapter 7: How security managers make decisions
  • Chapter 8: How users make decisions
  • Chapter 9: Security and usability
  • Chapter 10: Security culture
  • Chapter 11: The psychology of compliance
  • Chapter 12: Conclusion - Changing the approach to security
  • Appendix: Analogies

About the author

Leron Zinatullin (zinatullin.com) is an experienced risk consultant specialising in cyber security strategy, management and delivery. He has led large-scale, global, high-value security transformation projects with a view to improving cost performance and supporting business strategy.

He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors.

He has an MSc in information security from University College London, where he focused on the human aspects of information security. His research was related to modelling conflicts between security compliance and human behaviour.

CHAPTER 1: INTRODUCTION TO INFORMATION SECURITY

Information security encompasses many aspects of business, including financial controls, human resources and protection of the physical environment, as well as health and safety measures. But who are security professionals? What skills do they have?
I asked these questions of Javvad Malik, security advocate and blogger, during one of our lunches. I met Javvad at a security conference in London. He helped me to prepare for my first talk at said conference, sharing his views and experience on the security industry. He also expressed his vision on this subject: “When I was starting in the field, nobody really knew what security was,” he said. “Then came the perception that it was all about hackers working from their mums’ basements. Then, they were assumed to be IT specialists, and then that they were specialists who didn’t necessarily know much about IT but who knew more regulation and legislation. And now everyone is just confused.”
A security professional is responsible for protecting a company against cyber threats. However, security itself is very broad. It is similar to medicine: there are general practitioners who know a little bit about everything, which is the base level of knowledge. For complex cases they will refer you to specialists in blood, heart, eyes, ears and other specific body parts. The same applies to security. There are broad generalists and technical experts. There are also non-technical security professionals, who understand the business, the risks and how to integrate security into the corporate strategy. Additionally, there are product- or technology-specific experts who can help to tune events and incident management systems, or forensically investigate platforms. Just as you can’t replace a surgeon with a GP, you can’t replace a technical subject-matter expert with a generalist, and vice versa.
Information security issues in organisations were being raised long before the rapid development of technology. Companies have always been concerned with protecting their confidential information, including their intellectual property and trade secrets. In other words, all organisations have assets, which help a company to generate revenue. Hence the goal of information security is to identify and protect these assets.
The world of information security rests on three pillars: confidentiality, availability and integrity.
Confidentiality is crucial to any company, because it ensures that a secret remains a secret so that intellectual property, such as trading algorithms, engineering designs or client records, is protected against competitors.
Availability is the second pillar: security professionals have to balance securing sensitive information against making it available to the people who need it. There is no point in having data that can’t be accessed. Denial-of-service attacks are a popular tactic employed by attackers to impede the business, and this becomes especially important when the business is conducted online, as in the case of e-commerce websites.
Integrity ensures that information remains unaltered during transmission or storage unless required. Attackers may want to interfere with bank transactions, for example, because modifying a single digit in an account number can compromise everything.
Figure 1: Three pillars of information security
These three pillars must be linked back to business requirements. In order to do that, information security professionals should identify the relevant assets, for which confidentiality, availability and integrity are a critical requirement. Engaging business stakeholders can help to identify these assets. In other words, the business defines what needs to be protected. It is up to security professionals to determine which appropriate measures are required and to communicate them in business terms.
It is here that security professionals face their first challenge: the language of the business and the language of information security are different, and it is their responsibility to manage this translation effectively.
Thankfully, business and security professionals have common ground – they are both involved in managing risk.

CHAPTER 2: RISK MANAGEMENT

From the information security perspective, the people, processes and technology supporting the business are not bulletproof, and their vulnerabilities may be exploited. This scenario is called a threat, which has a certain impact on a company’s assets.
Impact = Vulnerability × Threat
Threats vary in probability and therefore the degree of impact. For example, in a company which handles customers’ personal data online, the probability of human error leading to disclosure of sensitive information might be greater and have a larger business impact than someone bringing down the website.
Additionally, the exploitation of a vulnerable critical system may have a greater impact than that of one used purely for archiving.
This relationship defines risk.
Risk = Probability × Impact
In order to reduce the probability and impact of the threat, information security professionals can implement countermeasures, otherwise known as controls.
When thinking in terms of protection measures, it is useful to know who the attackers are. Security professionals should understand that attackers are people too, who differ in resources, motivation, ability and risk propensity. According to Bruce Schneier, author of Beyond Fear [1], the categories of attacker are:
  • Opportunists: The most common type of attacker. As the category indicates, they spot and seize an ‘opportunity’ and are convinced that they will not get caught. It is easy to deter such attackers via cursory countermeasures.
  • Emotional attackers: They may accept a high level of risk and usually want to make a statement through their attack. The most common motivation for them is revenge against an organisation due to actual or perceived injustice. Although emotional attackers feel powerful when causing harm, they sometimes ‘hope to get caught’ as a way of solving the issues they were unhappy with but were unable to change from the beginning.
  • Cold intellectual attackers: Skilled and resourceful professionals who attack for their own gain or are employed to do so. They target information, not the system, and often use insiders to get it. Unlike opportunists, cold intellectual attackers are not discouraged by cursory countermeasures.
  • Terrorists: They accept high risk to gain visibility and make a statement. Not only are they hard to deter by cursory countermeasures, but they can even see them as a thrill.
  • Friends and relations: They may introduce a problem to both individuals (in the form of financial fraud, for example) and companies (by abusing authorisation credentials provided to legitimate employees). In this scenario, a victim and an attacker are sharing physical space, which makes it very easy to gain login and other sensitive information.
Figure 2: Categories of attackers
Information security vulnerabilities, threats and risks are part of today’s corporate world, and are just as relevant and important to information security specialists as to the business.
Information security professionals are comfortable thinking in terms of threats and vulnerabilities, but the focus of risk management should be on assets, not threats. Focusing solely on security regardless of the business’s needs can be counterproductive.
Information security should support and enable the business – as such, security professionals must consider the cost aspect of implementing countermeasures. They should implement controls whose cost is appropriate to the value of the asset they protect.
Many information security professionals view risk negatively and believe that all risk must be removed. It is, however, also important to communicate the positive aspects of risk. Threats in this paradigm could be replaced by opportunities, vulnerabilities by strengths and impact by benefits.
Despite this negative view, operational risk-taking is required in order to realise business opportunities. Security professionals should make a habit of communicating information security risks to the business in a positive way.
For example, employees may believe that security professionals’ only priority is to stop viruses, in order to prevent widespread infection across the network. In reality, there is also a valid business reason for such activities. Security team members therefore have to go a step further and demonstrate that virus prevention can also increase the availability of resources and the productivity of employees, because they can focus on their work rather than waiting for their laptop to be cleared of malicious software (malware).
Among other concerns, business personnel may care about enabling business opportunities or enhancing brand reputation and trust. In order to find out what their priorities are, security professionals must engage them to collect business drivers, goals and objectives and understand how they can support the business.
A clear link should be preserved between business concerns and countermeasures so that security professionals can demonstrate the value they bring.
Business teams are much more likely to accept this perspective, because doing business means taking risks and exploiting opportunities. Therefore a company’s risk appetite must be determined.
To determine the risk appetite, one should understand that security risk is just one of the many types of risk that a business faces on a day-to-day basis: socio-economic, financial, geopolitical, legal and personnel are just a few examples. Any of these may be a higher priority to the company than security, which security professionals should bear in mind. Based on this prioritisation, a company can define an acceptable level of risk under which to operate.
It is perfectly normal to accept the risk that falls below this threshold.
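As an added illustration, not code from the book, the following small risk register applies the chapter's Risk = Probability × Impact, accepts any risk that falls below a given risk appetite, and flags a proposed control whose cost exceeds the value of the asset it protects (the cost-proportionality point made earlier in the chapter). The 1-to-5 scales, the asset values, the control costs and the example register are all assumed sample data.

```python
"""Risk register evaluation following Chapter 2 (added illustration, not from the book).

Assumptions: probability and impact are scored 1..5; risk = probability x impact;
the business sets a risk appetite (highest risk score it will simply accept); a
control is only applied if its annual cost does not exceed the value of the asset
it protects. All figures below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    probability: int   # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)
    asset_value: int   # constructed value of the asset, in currency units
    control: str       # proposed countermeasure
    control_cost: int  # constructed annual cost of the control


def risk_score(r: Risk) -> int:
    """Risk = Probability x Impact, as stated in the chapter."""
    if not (1 <= r.probability <= 5 and 1 <= r.impact <= 5):
        raise ValueError("probability and impact must be scored 1..5")
    return r.probability * r.impact


def treatment(r: Risk, appetite: int) -> str:
    """Decide what to do with one risk against the business's risk appetite."""
    if risk_score(r) <= appetite:
        return "accept"      # below the threshold: normal to accept
    if r.control_cost > r.asset_value:
        return "escalate"    # control costs more than the asset: needs a business decision
    return "treat"           # worth mitigating with the proposed control


def prioritise(register: list[Risk], appetite: int) -> list[tuple[str, str, int, str]]:
    """Return (asset, threat, score, decision) rows ordered highest risk first."""
    rows = [(r.asset, r.threat, risk_score(r), treatment(r, appetite)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register for an online retailer that handles customer data.
REGISTER = [
    Risk("customer database", "human error discloses personal data", 4, 5, 500_000, "DLP and training", 60_000),
    Risk("public website", "denial of service", 3, 3, 200_000, "DDoS mitigation service", 30_000),
    Risk("archive server", "exploitation of unpatched service", 2, 2, 10_000, "patching", 1_000),
    Risk("legacy printer", "firmware tampering", 2, 3, 2_000, "hardware replacement", 5_000),
]

if __name__ == "__main__":
    for asset, threat, score, decision in prioritise(REGISTER, appetite=4):
        print(f"{score:>2}  {decision:<9} {asset}: {threat}")
```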
Treating information security risks as another facet of the business can yield great results. For example, SWOT and PEST analyses can be performed to broaden the view of risk.
SWOT stands for Strengths, Weaknesses, Opportunities and Threats. It is a simple technique, which involves listing external and internal factors that are helpful and harmful for an organisation.
Figure 3: SWOT analysis
When performing this analysis in a security context, one should consider using the strengths both to exploit opportunities and to confront threats.
For example, a business partner would be reassured in the safety of doing business with a company if said company had implemented adequate security measures, which also mitigate the risk of cyber attacks. Effective security can therefore lead to the additional benefit of increasing trust and, as a result, sales.
One should also consider mitigati...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Foreword
  5. Preface
  6. About The Author
  7. Acknowledgements
  8. Contents
  9. CHAPTER 1: INTRODUCTION TO INFORMATION SECURITY
  10. CHAPTER 2: RISK MANAGEMENT
  11. CHAPTER 3: THE COMPLEXITY OF RISK MANAGEMENT
  12. CHAPTER 4: STAKEHOLDERS AND COMMUNICATION
  13. CHAPTER 5: INFORMATION SECURITY GOVERNANCE
  14. CHAPTER 6: PROBLEMS WITH POLICIES
  15. CHAPTER 7: HOW SECURITY MANAGERS MAKE DECISIONS
  16. CHAPTER 8: HOW USERS MAKE DECISIONS
  17. CHAPTER 9: SECURITY AND USABILITY
  18. CHAPTER 10: SECURITY CULTURE
  19. CHAPTER 11: THE PSYCHOLOGY OF COMPLIANCE
  20. CHAPTER 12: CONCLUSION - CHANGING THE APPROACH TO SECURITY
  21. APPENDIX: ANALOGIES
  22. SOURCES
  23. ITG RESOURCES