Friday 28 February 2014

Malawareness, InfoSec 101 and security culture


We've spent an unusually busy February updating two key awareness modules.

The awareness module for March covers malware, including bank Trojans, ransomware, APTs, worms and more. We update the malware module annually, and it needs it: malware is a constantly evolving beast, so standing still implies falling back. In the same vein, the module looks forward at how the malware risks are likely to change in the years ahead, prompting a serious discussion with management about strategic options. In our considered opinion, having researched the topic in some depth for the module, malware risks that are already serious are getting even worse. The trajectory is clear, with significant implications for the way organizations treat the risks.

The Information Security 101 module has been thoroughly refreshed and updated for use in new employee security orientation sessions, and in launching security awareness programs. Along with many other changes, we've introduced a checklist format for the module listing that we plan to adopt for the regular monthly modules in future, encouraging customers to skim quickly through the contents of the module on receipt and check-off the items they think are worth using. 

Finally, we've tweaked our marketing a little to emphasize the social networking side of what we do - specifically, encouraging staff, managers and professionals to discuss information security among and between themselves, and actively building a network of information security contacts throughout the organization - as part of our effort to help customers establish a culture of security. While this innovative approach seems perfectly obvious and straightforward to us (and, to be honest, we've been quietly developing the theme for several years already), we believe it is a unique differentiator in the security awareness market. 

Contextually relevant information security metrics


In "Business Analytics - An Introduction", Evan Stubbs describes "value architecture" in these terms: "Results need to be measurable, they need to be contextually relevant, they need to link into a strategic vision, and their successful completion needs to be demonstrable".

Breaking that down, I find that there are really only two key factors. If results are measurable, that implies to me that they can be demonstrated. Also, it's hard to see how results that are 'contextually relevant' might not 'link into a strategic vision' since that is the context, or at least a major part of it. So, in short, results need to be both relevant and measurable.

Of those two aspects, measurability is the easier. Read "How to Measure Anything" by Douglas Hubbard! Evan also talks about objectivity, and he is writing in the context of big data analytics, meaning the difficult problem of extracting useful meaning from huge and dynamic volumes of complex data. Measurability is largely a matter of mathematics, or more precisely statistics. I agree it is a major issue but, with all due respect to the statistical wizards, fairly mechanistic and logical.

That leaves the more awkward question of relevance. What are 'contextually relevant results'? Evan pointed out the strategic element, implying that relevant results can be extrapolated from corporate strategies. Strategies typically elaborate on how the organization intends to achieve identified long-term goals and interim objectives, often using the metaphor of a journey across a landscape passing waypoints en route to a destination. That in turn suggests the idea of measuring the actual direction and speed of travel - the trajectory - relative to the planned route as well as proximity to the eventual goal. Metaphorically speaking, it's more efficient to take a direct route than to be constantly side-tracked and diverted, and perhaps get lost.

So how does this relate to information security metrics? Evan implies that we need to define the intended results of information security in terms that are both relevant and measurable.

Again I will side-step the measurability angle in order to focus on relevance. How is information security relevant to the organization?

In strategic terms, information security can be expressed in several different ways. Usually, we talk about protecting information assets, the defensive perspective. In this frame of reference, information systems, networks and information need to be defended against all manner of threats that would harm them. Relevant metrics here tend to relate to measuring and assessing the risks (threats, vulnerabilities and impacts, including security incident and business continuity metrics) and security controls (especially control efficiency and cost-effectiveness, implying most financial security metrics). Compliance is a classic defensive objective, hence compliance-related metrics also fit into this group.

Some of us also talk in terms of information security as a business enabler - letting the organization do business, safely, that would otherwise be too risky. Here we're thinking more proactively: security has an offensive as well as a defensive strategic role. Relevant metrics in this domain include the assurance angle, giving management confidence in the security arrangements so that they can concentrate on taking the most direct route. Hence control reliability metrics, plus various test and audit results, are in this group. Proactively exploiting strengths in information security also implies going beyond mere compliance (which, it has to be said, is a low hurdle) towards good or even best practice. Security maturity, benchmarking and governance metrics are relevant to business enablement. Measures of the integration of information security into various business and IT processes and systems are an example.

What are we left with?  Mmm, I'm not sure I can think of any information security metric that doesn't fit into one or other of those categories. Can you?

Wednesday 26 February 2014

Holistic security metrics

Yet again today I find my blood pressure rising as I read yet another incredibly biased pronouncement on security metrics from security vendors:

"Do you know what security metrics are right for your organization? For a holistic view, both network and host metrics are required, including firewalls, routers, load balancers, and hosts."

To claim that having network and host security metrics qualifies as holistic almost beggars belief, for any thinking person's definition of the term, but I'm afraid it's typical of the incredibly myopic, purely technical perspective on security metrics, continually reiterated for blatantly obvious marketing reasons by the purveyors of ... IT security products.

Being sick and tired of explaining that IT security is a dead end off the main information security highway, I'll merely suggest a few non-technical security metrics that might get us a tiny bit closer towards a truly holistic view:

For an holistic view of information security, I respectfully submit that "network and host metrics" fall woefully short of sufficient.  They are needed, yes, but they are definitely not enough.  

Friday 21 February 2014

Security culture: what it is and how to do it



In the previous blog, I promised to expand on security culture, so here goes ...

Most traditional security awareness programs are designed around circulating or broadcasting security messages throughout the organization. The focus is on the communications, mostly outbound from the security function to others. Our style of awareness program, however, emphasizes bidirectional communications between Information Security and The Business.

Why? What's the point?

The point is that we're exploiting the socialization of security to drive cultural change.

Establishing a strong social network of security friends and supporters throughout the organization takes commitment and sustained effort on the part of the entire Information Security function but promises a huge payback over the medium to long-term. An actively engaged and supportive corporate social network will keep the awareness program, and in fact the information security program as a whole, business-aligned and relevant to current security issues in the organization, broadening and deepening the department’s influence. On top of that, you can achieve far more through a distributed network of supportive contacts than you can possibly manage alone.
“Corporate culture ultimately sets the course for process, people, plans, policies, but changing corporate culture is like turning an oil tanker”
Duncan Harris, Oracle

We know cultural change takes time, so we’re here for the long haul. We’ve been developing and using our security awareness methods in conjunction with numerous organizations over three decades or so, launching this as a packaged commercial service in 2003. Way back in the 80’s when Kevin Mitnick was a kid, the accepted wisdom of the day was to put employees through an annual “IT security training session”. After the obligatory lecture to the troops from a senior manager about how important it was for staff (!) to pay attention, there followed a mind-numbingly tedious assortment of do’s and don’ts, interspersed with dire warnings and implied threats about ignoring the security rules.  Oh how we yawned!

Would you teach someone to drive safely by subjecting them
to an annual lecture about sticking to the speed limits?!

Within hours of the session, employees were back to their normal tricks, and within days all most of them could remember was the sheer pointlessness of it. They were bored stiff with the well-meaning lectures and notices, and about as far from engaged and motivated as one could possibly be. It was patently obvious from the lack of progress that conventional wisdom was failing us badly - the annual “sheep dip” approach to awareness was naïve and fundamentally flawed.

So we set out to reinvent security awareness

The combination of three distinct innovations distinguishes our unique approach to information security awareness:
  1. We tackle a different information security topic every month.  Not only do we keep up with the constantly changing landscape of security risks, controls and incidents, but the awareness program itself is more stimulating and vibrant – more topical in fact. It rolls gently along all year round, touching on all manner of security issues along the way while continually re-emphasizing the core messages and themes (governance, risk management, compliance, control, accountability ...). A month is just long enough to delve into the subject, yet short enough to avoid terminal boredom.

  2. Three parallel awareness streams address three distinct corporate audiences: staff, managers and professionals.  The security awareness materials and messages are designed to suit their respective concerns, perspectives and information needs and, since we cover the same monthly topic for all three audiences at the same time, they end up singing from the same hymn sheet. Most awareness programs focus exclusively on staff, or worse still IT users. We've always taken the line that managers need to be security aware too; in fact we'd go so far as to say that the lack of management-level security awareness is the primary reason that security awareness programs fail - assuming they even get off the ground in the first place.  If you find yourself constantly fighting an uphill battle to get any resources for information security, isn't that a symptom of management's lack of appreciation of the business value of what you are doing?

  3. By engaging employees at all levels and in all parts of the business, encouraging them to think and talk about a wide variety of security-related topics, we’re leveraging corporate social networks to spread and embed information security in the very fabric of the organization.  Literally before you know it, information security has become an integral part of the corporate culture – in other words, the way we do things here. Culture, to us, is an emergent property of any social group. In conjunction with individuals' values and drivers, the culture determines how people think, what they find acceptable or unacceptable, and what they do in many situations, including those where they face personal choices. "Shall I click that attachment to find out what it is, or should I heed the security advice to leave it well alone?" is a classic information security example. 'Doing the right thing' in situations like that hinges on the person's perception of what's right and wrong, which in turn is strongly influenced by their social context, plus their understanding of the issues and an appreciation of the likely consequences. In psychological terms, such choices may be made subconsciously but the conscious mind has a major role, provided the person is security-aware.
The corporate social networking element of our service marks a new direction in our marketing but the concept itself has been gently incubating for about a decade. My December 2012 piece about treating security awareness as a benign application of social engineering was a massive clue to the way things were heading!

In the same vein, we are actively creating, researching and developing further innovative approaches to security awareness right now, so you don’t have to … because security awareness is what we do.

Thursday 20 February 2014

Our unique collaborative approach to creating and sustaining the corporate security culture




We've just about finished updating the website, again, this time rationalizing the textual description of our security awareness service using the simple process diagram above. They say a picture is worth a thousand words - fair enough, but to do it justice we had to cheat a bit by splitting the process into three sections:
  1. Our part in the process outlines what we do behind the scenes every month, researching, preparing, polishing and packaging the next security awareness module, basically providing the materials and impetus to set you up for your part;

  2. Your part in the process: downloading, unpacking, reviewing, customizing and deploying the awareness materials, which includes liaising with your professional colleagues to mold the program according to the organization's specific needs;

  3. What we achieve together: this is the vital bit! Here the unique features of our service come together through our joint efforts to influence the corporate culture, improve information security, and most of all deliver the business benefits. Without this, the rest is just a lot of hard work!
We're convinced of the value of informing and engaging the entire workforce (staff, managers and professionals) over the long term, socializing information security in order to generate and sustain a widespread and deep-rooted security culture. What do you think?

Many information security specialists, advisers, gurus and consultants talk in positive terms about creating a culture of security but hardly any explain what that means, let alone how to achieve it. I'll make a stab at it in the next blog piece. Meanwhile, having spent several creative days drawing and redrawing pretty process diagrams in Visio, I really must knuckle-down to catch up with our part of the process for the next awareness module on malware. Lots to do and it doesn't happen all by itself!

Wednesday 12 February 2014

PRAGMATIC Security Metric of the Quarter #7

PRAGMATIC Information Security Metric of the Seventh Quarter


According to the overall PRAGMATIC scores assigned by ACME's managers, the latest metric discussed was the top choice in the three months just past, but it was a close-run thing:

(Columns: P = Predictive, R = Relevant, A = Actionable, G = Genuine, M = Meaningful, A = Accurate, T = Timely, I = Independent, C = Cost-effective. The Score column is the mean of the nine ratings, rounded to a whole percentage.)

Example metric                                                      P   R   A   G   M   A   T   I   C   Score
Information security incident management maturity                  90  95  70  80  90  85  90  85  90    86%
Information security ascendancy                                    97  87  15  94  86  90  99  97  99    85%
Quality of system security                                         83  88  83  73  90  68  80  82  10    73%
Integrity of the information asset inventory                       82  66  83  78  80  43  50  66  70    69%
Proportion of systems security-certified                           72  79  73  89  68  32  22  89  88    68%
Number of different controls                                       71  75  72  75  88  30  50  65  43    63%
Controls consistency                                               78  83  67  60  71  33  27  31  27    53%
Value of information assets owned by each Information Asset Owner  48  64  78  57  79  38  50  22  26    51%
Number of information security events and incidents                70  60   0  50  72  35  35  70  50    49%
% of business units using proven identification & authentication   69  73  72  32  36   4  56   2  50    44%
Distance between employee and visitor parking                       1   0   6  93   2  93  66  45  66    41%
Employee turn vs account churn                                     30  30  11  36  44  36  62  57  20    36%
Non-financial impacts of information security incidents            60  65   0  20  60   6  30  20  17    31%



"Maturity of the organization's information security incident management activities" seems to us to be an excellent proxy or indicator for the organization's overall approach to information security. The maturity scoring process we have described makes this a valuable metric, not just in terms of the final maturity rating but also the additional information that emerges when comparing current practices against accepted good practices.

Just as interesting are the metrics languishing at the bottom of the league table. For example, "Non-financial impacts of incidents" may appear, at first glance, to hold considerable promise as a security metric, but the PRAGMATIC score clearly indicates ACME management's severe misgivings once they explored the metric in more detail.

Instead of simply selecting metrics on the basis of the overall PRAGMATIC scores, management could instead select high-rating metrics for any one of the individual PRAGMATIC criteria, or any combination thereof - for example, 'information security ascendancy' is rated the most predictive and cost-effective security metric of this little lot.

In researching and developing the PRAGMATIC method for the book, we explored the possibility of weighting the PRAGMATIC ratings in order to place more or less emphasis on the criteria. There may be situations where that is a sensible approach but, in the end, we decided that the overall PRAGMATIC score was the most valuable and straightforward metametric.
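Because the Score column is simply the mean of the nine ratings, the league table and both alternative selection rules mentioned above (picking by a single criterion or a combination of criteria, and weighting the criteria) can be recomputed from the published figures. The following Python script is an added example, not code from the book or from this blog: the ratings are copied from the table, while the fourfold weight on Cost-effective is an arbitrary illustrative choice and not a weighting scheme the book recommends.

```python
"""Recompute ACME's quarter-7 PRAGMATIC league table (added example).

The nine criteria and the per-metric ratings are those published in the post.
The overall score is the rounded mean of the nine ratings, which reproduces
the Score column exactly. The weighted variant is a hypothetical illustration
of the weighting option the post discusses.
"""

CRITERIA = ("Predictive", "Relevant", "Actionable", "Genuine", "Meaningful",
            "Accurate", "Timely", "Independent", "Cost-effective")

# Ratings (0-100 per criterion) as assigned by ACME's managers, copied from the table.
RATINGS = {
    "Information security incident management maturity": (90, 95, 70, 80, 90, 85, 90, 85, 90),
    "Information security ascendancy": (97, 87, 15, 94, 86, 90, 99, 97, 99),
    "Quality of system security": (83, 88, 83, 73, 90, 68, 80, 82, 10),
    "Integrity of the information asset inventory": (82, 66, 83, 78, 80, 43, 50, 66, 70),
    "Proportion of systems security-certified": (72, 79, 73, 89, 68, 32, 22, 89, 88),
    "Number of different controls": (71, 75, 72, 75, 88, 30, 50, 65, 43),
    "Controls consistency": (78, 83, 67, 60, 71, 33, 27, 31, 27),
    "Value of information assets owned by each Information Asset Owner": (48, 64, 78, 57, 79, 38, 50, 22, 26),
    "Number of information security events and incidents": (70, 60, 0, 50, 72, 35, 35, 70, 50),
    "% of business units using proven identification & authentication": (69, 73, 72, 32, 36, 4, 56, 2, 50),
    "Distance between employee and visitor parking": (1, 0, 6, 93, 2, 93, 66, 45, 66),
    "Employee turn vs account churn": (30, 30, 11, 36, 44, 36, 62, 57, 20),
    "Non-financial impacts of information security incidents": (60, 65, 0, 20, 60, 6, 30, 20, 17),
}


def weighted_mean(ratings, weights=None):
    """Mean of the nine ratings; `weights` maps a criterion name to a multiplier
    (default 1 for every criterion, which gives the plain PRAGMATIC score)."""
    weights = weights or {}
    w = [weights.get(c, 1) for c in CRITERIA]
    return sum(r * x for r, x in zip(ratings, w)) / sum(w)


def pragmatic_score(ratings, weights=None):
    """Overall PRAGMATIC score as a whole percentage (the table's Score column)."""
    return round(weighted_mean(ratings, weights))


def league_table(weights=None):
    """Metrics ordered by descending (unrounded) score, as (name, score) pairs."""
    ordered = sorted(RATINGS, key=lambda n: weighted_mean(RATINGS[n], weights), reverse=True)
    return [(n, pragmatic_score(RATINGS[n], weights)) for n in ordered]


def best_for(criterion):
    """The metric rated highest on one criterion (first listed wins a tie)."""
    i = CRITERIA.index(criterion)
    return max(RATINGS, key=lambda name: RATINGS[name][i])


def rated_at_least(threshold, *criteria):
    """Metrics that rate at least `threshold` on every one of the chosen criteria,
    i.e. selection on a combination of criteria rather than the overall score."""
    idx = [CRITERIA.index(c) for c in criteria]
    return [name for name, r in RATINGS.items() if all(r[i] >= threshold for i in idx)]


if __name__ == "__main__":
    for name, score in league_table():
        print(f"{score:3d}%  {name}")
    print("Most predictive:", best_for("Predictive"))
    print("Most cost-effective:", best_for("Cost-effective"))
    print("Predictive and Cost-effective both >= 85:",
          rated_at_least(85, "Predictive", "Cost-effective"))
    # Hypothetical weighting: counting Cost-effective four times is enough to
    # move 'ascendancy' above the incident management maturity metric.
    print("Top metric with Cost-effective x4:", league_table({"Cost-effective": 4})[0])
```

Running the script reproduces the published scores and ranking and confirms that 'information security ascendancy' tops both the Predictive and Cost-effective columns. The weighted variant is the instructive part: a modest emphasis on one criterion reorders the top two, so a weighted ranking reflects the chosen weights as much as the managers' ratings, which is a practical argument for the plain, unweighted score the post settles on.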

Sunday 9 February 2014

Welcome! Sign here, here, here .... and here

[Quote on orientation training from Jack Loo]

Information security should be an integral part of every employee’s time with the organization, from their first day to their last.  Most organizations put newcomers through some sort of ‘welcome aboard’ rite-of-passage not long after they join, although the details vary markedly.  For some it is a full immersion course lasting one or more agonizing days, for others it’s little more than a quick chat with someone from HR and off you jolly well go.  Neither approach is ideal for everyone because we are all different, but it seems tailoring orientation sessions to suit the newcomers is beyond the capabilities of man.

The fundamental purpose of induction or orientation training is to bring new employees quickly up to a basic level of understanding regarding their new work environment.  With respect to information security, the accepted wisdom in many organizations is that new recruits must be informed in particular about their information security obligations laid out in various laws, regulations and policies.  These are of course Very Important Things, therefore the information should be put across in a very formal and stilted manner, apparently, complete with the rigmarole of our intrepid newcomers signing numerous pieces of paper to acknowledge receipt of said obligations.

Given our unique approach to awareness, you won’t be surprised to discover that we prefer something a bit different.  We see a newcomer’s first days on site as a clean-slate opportunity for us (Information Security) to tell them a little about what makes us tick, and to find out just a bit about them (our new colleague).  Most of all, we’d like to initiate a productive, mutually beneficial relationship that will last, we hope, for a good long time.  Given our overall aim to establish a corporate culture of security, we know there is more to this than forcing newcomers to sign a few forms and heed the implied warnings about keeping in line.  The orientation/induction sessions are our first chance to start explaining to newcomers what information security is about, why it is necessary, what it involves, and how everyone plays a part ... and at the same time an opportunity to discover their preconceptions, their needs, even their hopes and dreams.

At the root of it all, we see our fellow employees not as "our biggest security challenge", Jack, but as partners and allies who are, on the whole, fighting our corner.  Opening the dialog, exploring common ground and building a trusted relationship will, we believe, make a huge difference in the long run - and it starts right there and then on day one.

Saturday 8 February 2014

From the jaws of disaster

"Waking Shark II", the UK financial services industry's latest "Desktop Cyber Exercise" (incident management/business continuity desktop walkthrough), successfully got all the main participants together in London to act out a coordinated response to a credible attack scenario.

The simulated three-day incident was compressed into a few hours, presumably using an accelerated clock - an interesting application of a technique more commonly used in product testing.

Among the reported findings and recommendations, I'm a bit surprised to see the suggestion that "In future exercises it may be beneficial to provide firms with more scenario detail in advance of the exercise and possibly allow part of the exercise to be played out internally before convening in an exercise to respond as a sector."  Surely a key part of this kind of exercise is to simulate dealing with a major incident that blows up out of the blue?  Giving participants a chance to prepare for a specific scenario may help them appear more coherent and coordinated in the exercise, but (in my opinion) seriously detracts from its value.  The question is: do they want to look good or to be good?

Something else that sings out from the report is that there are lots of fingers in the pie.  The financial sector is a significant part of the UK's economy, hence it is no surprise that exercises such as this generate so much government and regulatory interest and involvement.  The sheer number of agencies or groups that have crept out of the woodwork, and even now are presumably still vying for their piece of the action, is symptomatic of the extent of regulatory oversight and associated red tape.  I wonder if a future exercise might involve a scenario involving regulatory risk?

Nevertheless, I heartily recommend downloading, reading and using the report as a business continuity awareness exercise in your organization, regardless of which particular industry segment you inhabit.  Think and talk through the not insignificant matters raised in the report, such as how you will - in practice - contact, liaise and coordinate with various external parties in the event of a major incident, including (as one of the findings notes) the authorities if criminal acts are involved.  Who would actually do that?  What authority would they need?  Who would they need to contact for approval, and how would it be done?  Now is a good time to work through issues such as these.

And if you think you need pre-warning of the next disaster exercise scenario, I suggest having a full and frank discussion with senior management about business continuity, resilience and contingency. Because, as far as I know, cyber-crooks, foreign superpowers and tornadoes don't usually explicitly pre-warn their targets ...

Thursday 6 February 2014

SMotW #91: incident management maturity

Security Metric of the Week #91: information security incident management maturity

Notwithstanding the photo, we're using 'maturity' here in the sense of wisdom, stability and advanced development, rather than sheer age! The idea behind maturity metrics is to assess the organization against the current state of the art, also known as good practice or best practice.

This particular metric measures the organization's processes for managing (identifying, reporting, assessing, responding to, resolving and learning from) information security incidents.

That's all very well in theory, but how do we actually identify good/best practices, and then how do we measure against them?

The maturity metrics described in PRAGMATIC Security Metrics employ a method that I developed and used very successfully over 3 decades in information security and IT audit roles. The scoring process breaks down the area under review into a series of activities and offers guidance notes or criteria for bad, mediocre, good and best practices in each of those activities, based on an appreciation of the related risks and control practices gained from experience and research. The scoring tables contain a distillation of knowledge in a form that gives reasonably objective guidance for the assessment, without being overly restrictive. The approach is flexible since the table is readily updated as new practices and issues emerge (including good and not so good practices discovered in the course of my audits, assessments and consultancy work across hundreds of organizations and business units, plus advice gleaned from standards, advisories, textbooks, vendors, blogs and so forth), either by amending the wording of the existing rows in the scoring table or by adding new rows. Furthermore, the assessor has some latitude at run-time (during the assessment) to read between the lines, applying his/her expertise and knowledge in determining how well the organization is really doing against each of the criteria. The metric deliberately and consciously blends objectivity with subjectivity through a measurement process that turns out to be surprisingly useful, informative and repeatable in practice.

The maturity metrics scoring tables given in the book are illustrations or examples to demonstrate the approach and get you started, but it's up to you to take them forward, adapting and developing them henceforth. The scoring tables, and hence the metrics, are themselves intended to continue evolving and maturing over time.

ACME gave this metric an overall PRAGMATIC score of 86%, putting it firmly in contention as our "security metric of the quarter" ...

The next post on the Security Metametrics blog will list the quarter's metrics in order of their PRAGMATIC scores.

Wednesday 5 February 2014

Just how dynamic is information security?

"Information security is not the easiest of things to manage.  The lack of suitable metrics makes it even harder in many organizations.  Security management decisions are generally made on the strength of someone’s gut feel (an important but fallible and potentially biased approach), or for external compliance purposes (seldom aligned with the organization’s risk appetite).  Metrics are the only way to tell whether best practices are truly good enough, and provide the data to make informed choices, identify improvement opportunities, and drive things in the right direction."

That's the executive summary of a new management paper on security metrics for our Information Security 101 security awareness module, which we are currently revising and updating.  The current module was released at the end of 2010 and, despite being a relatively superficial overview of a selection of general-interest information security topics for new hires, it's surprising how much has changed over the past 3 years.  BYOD, cloud computing, ransomware and SIEM, for example, were barely on the radar back then, while the whole Big Brother NSA thing was still under wraps.

That set me thinking about the rate of change of information security.  Infosec pros like me often spout off about ours being a 'highly dynamic field'.  Are we justified in saying so?  On what basis do we assert that?  What do we even mean?  Is infosec any more or less dynamic than other fields, in fact?  The questions keep coming!

Being a self-confessed metrics freak, I can't help but wonder whether and how we might actually measure this, ideally in such a way as to be able to compare different areas on a common basis.  Let's simplify things down to a comparison of infosec against, say, risk management or perhaps management as a whole.  That train of thought suggests the idea of inviting managers and subject matter experts to rate a bunch of activities or concerns on the basis of their perceived changeability or dynamism.  A straightforward survey would suffice, asking respondents to rank maybe 5 to 10 areas, perhaps allowing them to add additional areas as they see fit.

Meanwhile, an even more pragmatic metric is staring us in the face: 2 paragraphs ago I mentioned that our Information Security 101 awareness module needs revision after just 3 years. How does that review period compare to the equivalent awareness/training materials covering things such as HR, compliance, health & safety etc.?  You might argue that there are several factors driving the review and update process aside from changes in those fields, and indeed there are, but we could potentially address that issue by surveying numerous organizations, somehow avoiding the self-selection bias by, for instance, polling the readers of a general management website or magazine, or members of groups such as the Institute of Directors.  Supplemental survey questions could help us identify and sift out biased responses.

OK, well it's all starting to look a bit difficult and expensive at this point, and things are just as awkward on the other side of the cost-benefit equation.  What would we gain by measuring the dynamics of information security?  A facile reason would be to put some meat on the bones of the bland assertions by us infosec pros, but that's hardly a valid business driver.  A more useful purpose for the metric would be to help drive the strategy, for instance emphasizing the need for more rapid and tactical responses to emerging information security issues.  I can imagine a number of governance, strategy and policy decisions in various organizations being guided by the numbers ... or not.

At the end of the day, gut feel, presumptions, assertions and perceptions appear to be sufficient to drive strategy right now, so I'm not entirely convinced there is a clear value case for a metric concerning the rate of change in information security.  However, if you are an infosec manager or CISO pondering how to argue your next budget or investment proposal, this rambling piece might just spark a novel approach.