The difference between the Reality and Feeling of Security: Information Security and the Human Being


Presented at ClubHack 2012 by

Let us assume that a person knows the traffic rules. But does knowing the traffic rules make a person a better driver? Apply the same to information security. Does knowing the security policies guarantee that a person will practice the policies correctly and as required while at work? So, how do you make a person accept and apply information security? To answer this question, what we must understand is that for security practitioners, information security is a mathematical probability based on threats, vulnerabilities, impact and risk. For the end user (which is more than 99% of the workforce), security is a feeling. By influencing the feeling of security, it is possible to make the end user adopt responsible information security practices.

The paper shall focus on the following:
1) Introduction to the problem: Focus on security awareness, not behavior
2) Real life case study of why a US$100,000 security awareness project failed
a. Identifying the human component in information security risks
b. Addressing the human component using awareness and behavior strategies
4) Sample real-life case studies where quantifiable change has been observed

Original research and Publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information Security) authored by Anup Narayanan and published under Creative Commons,