Lecture 9: Organisational Cyber Security Flashcards

1
Q

What is the Behavioural Security Grid described by Beris and Beautement

A

The Behavioural Security Grid (BSG), as described by Odette Nicole Beris and Adam Beautement, is a framework for exploring and diagnosing employee security behavior within organizations.

  1. Purpose:
    • The BSG aims to understand and leverage emotional drivers that influence security behavior.
    • It goes beyond mere risk understanding and compliance, recognizing that positive affective responses play a crucial role.
  2. Methodology:
    • The BSG is based on the revised Johari Window, originally developed by Luft and Ingham.
    • It introduces two dimensions:
      • Affective Security: Refers to emotional responses related to security (e.g., feeling secure or anxious).
      • Risk Understanding: Indicates an employee’s comprehension of security risks.
  3. Quadrants:
    • The BSG classifies employee security behavior into four quadrants:
      1. Positive Affective Security + Positive Risk Understanding: Ideal behavior, where employees understand risks and feel positively about security.
      2. Positive Affective Security + Negative Risk Understanding: Positive emotional stance, but lacking full risk comprehension.
      3. Negative Affective Security + Positive Risk Understanding: Dissatisfaction with security provision despite understanding risks.
      4. Negative Affective Security + Negative Risk Understanding: Indicates circumvention or non-compliance.
  4. Implications:
    • Creating cultures that foster both positive affective security and positive risk understanding may be the missing link to enhancing organizational security behaviors.

The BSG provides valuable insights for organizations seeking to strengthen their security practices and employee compliance.

2
Q

What are the BSG/Johari Window rules of thumb for classifying behaviour?

A
  • Staff that fit into the ‘Open’ quadrant reported security behavior that was openly aligned with security policy and security-related tasks.
  • Staff that fit into the ‘Blind’ quadrant behaved inconsistently with the policy, primarily because they were not aware of the risks.
  • Staff that fit into the ‘Hidden’ quadrant understood the risks but were negative about the security provision in their organization (earlier referred to as shadow security).
  • Staff that fit into the ‘Unknown’ quadrant believe organizational security is poor, while being unaware of many risks themselves.
3
Q

What is Affective Security (AS) and Risk Understanding in BSG?

A

The emotional dimension we label as ‘Affective Security’ (AS). Affective security deals with the individual’s emotional response to security, as represented by the organization’s security policy.
The dimension of competence we label as ‘Risk Understanding’ (RU). Risk understanding denotes the individual’s ability to accurately perceive the existence and severity of the risks associated with the actions they take themselves, as well as those they observe in the surrounding environment.

4
Q

What are the 16 categories of individuals in the BSG?

A

Blind:
1. Gung-Ho; Strong Positive AS & Strong Negative RU
a. Individuals of this type can pose a significant, if unintentional, threat to the organization. They see security as something they should be personally involved in, but are burdened by inaccurate risk perception. They will seek to take a leadership role, but will not have a clear view of what constitutes effective action.
2. Uncertain; Strong Positive AS & Weak Negative RU
a. ‘Uncertain’ members of an organization are strongly motivated by security. However, they are unaware of the risks they may encounter, leading them to be unsure as to why certain policies may be in place, or unclear as to the consequences of any potential workarounds.
3. Naïve; Weak Positive AS & Strong Negative RU
a. Hold a generally positive outlook toward security, but are more likely to contravene security policy when it negatively impacts their primary task. Their misconceptions regarding risk can lead them to adopt highly insecure behaviors, sometimes under the misguided assumption that they are acceptable.
4. Passive; Weak Positive AS & Weak Negative RU
a. Individuals in this group feel that security is necessary for the organization, although not something they themselves should have to put time into. Those in this quadrant should be given targeted education and training.
Open:
5. Willing; Strong Positive AS & Weak Positive RU
a. Those with a desire to take a full part in the security processes of the organization, but who have only a limited understanding of the risks.
6. Champion; Strong Positive AS & Strong Positive RU
a. Ideal members of staff. They combine a high level of motivation regarding security with a good understanding of both the risks they are likely to face and the implications of those risks.
7. Follower; Weak Positive AS & Weak Positive RU
a. Individuals in this group will follow the prevailing security culture within the organization, without taking much initiative of their own.
8. Expert; Weak Positive AS & Strong Positive RU
a. Expert users possess the same level of risk knowledge as ‘Champions’ but are not as motivated by security, the organization, or both.
Unknown:
9. Reckless; Weak Negative AS & Strong Negative RU
a. Individuals in this category feel that security is more of a hindrance than a benefit to their primary task, while also actively misunderstanding what constitutes risky behavior.
10. Apathetic; Weak Negative AS & Weak Negative RU
a. Primarily motivated to just keep their heads down and get their jobs done. They do not see the benefit of security and are unaware of some of the risks, making them prone to committing errors, but they do not hold any serious misconceptions about what constitutes insecure behavior.
11. Abdicators; Strong Negative AS & Strong Negative RU
a. Represent a serious concern for any organization. Not only do they have active misconceptions about the level of risk associated with a given course of action, but they also do not see any value in organizational policy.
12. Rule Breakers; Strong Negative AS & Weak Negative RU
a. This group is highly dissatisfied with the current security policy, seeing it as strongly negatively impacting their primary task. This may lead them to break the rules whenever they feel it would benefit their productivity.
Hidden or Shadow:
13. Excuse Makers; Weak Negative AS & Weak Positive RU
a. Feel that security is a hindrance to their primary process, despite understanding that risks are associated with noncompliance. They tend to excuse their rule breaking by referring to the costs associated with compliance.
14. Circumventers; Weak Negative AS & Strong Positive RU
a. This category of individuals shares many characteristics with ‘Experts’. However, unlike experts they see security as a barrier to achievement and use their skills and knowledge to circumvent policy when it exceeds their limited tolerance.
15. Disaffected; Strong Negative AS & Weak Positive RU
a. A more extreme case of the ‘Excuse Makers’, this group feels strongly that security is a hindrance and, rather than making excuses for their circumvention, will feel fully justified in their non-compliant behavior.
16. Shadow Agent; Strong Negative AS & Strong Positive RU
a. ‘Shadow Security’ practitioners seek to step outside the company policy as much as possible, even though they have a full understanding of what constitutes secure and risky behavior. This group will include malicious insiders.

5
Q

What is the conclusion of using BSG?

A

Treating staff as a homogeneous group damages an organization’s ability to provide effective security, as policies that do not take the different attitudes, competencies and resulting behaviors of staff populations into account promote non-compliance.
By recognizing that security behavior is driven by both affect and risk understanding, we provide a framework based on these dimensions that allows organizations to map the heterogeneity of their staff populations.

6
Q

What is the current state of information security according to Kirlappos?

A

Current state of information security:
- It’s Impossible to Comply with Policies AND Get Work Done
- Current Policies are Irrelevant and Burdensome

7
Q

How do security experts respond to insecure behaviour, according to Kirlappos?

A
  1. The ‘Tough’ Approach – (Threat of) Sanctions
  2. The Soft Approach – Persuasion
8
Q

What are the factors in non-compliance according to Kirlappos?

A
  1. Lack of awareness
    a. Employees unaware of security risks or policy content have no clear incentive to exhibit security-conscious behavior.
  2. High compliance costs
    a. Mechanisms or processes which impact too heavily upon productivity leave employees with no other option than non-compliance.
  3. Compliance impossible
    a. Prescribed behavior cannot be followed due to problematic mechanisms; employees resort to finding other ways to proceed with their primary task.
9
Q

What is Shadow Security according to Kirlappos?

A

“Instances where security-conscious employees who think they cannot comply with [or are unaware of] the prescribed security policy create a more fitting alternative to the policies and mechanisms created by the organization’s official security staff.”
It materializes as security workarounds, usually not visible to official security and higher management. They reflect the best compromise staff can find between getting the job done and managing the risks to the assets they use.

10
Q

What are the four distinct elements in Shadow Security according to Kirlappos?

A
  1. Employees have reasons to comply with security and are motivated to do so, but
  2. Security mechanisms are not fit to support the primary task.
    a. The security burden was articulated in various ways:
      i. Time: enacting the prescribed security behavior slowed completion of primary tasks.
      ii. Increased cognitive load: the associated cognitive load was perceived as excessive for the task.
      iii. Disruption: security restrictions led to disruption of employee primary tasks.
      iv. Lack of adaptability: lack of adaptability in the organizational IT systems in the face of change to organizational conditions.
  3. A significant amount of security mediation takes place at team level.
  4. The inability of the organization to address employee security concerns accentuates the problem as employees become isolated from the security division.
11
Q

What are the implications for organizational security according to Kirlappos?

A

Rather than remaining passive, employees, peer groups, and managers use their own understanding of security - individually or collectively - to devise adaptations of unsatisfactory security measures or introduce their own novel solutions.
Security-aware employees bring a number of positive qualities to the organization:
1. Are for the most part motivated to invest some proportion of their time in security.
2. Willing to take action to address potential risks when insecure conditions or behaviors were identified.
3. Security mechanisms that impose minimal additional workload positively affect employee compliance behaviors.

12
Q

What are the Risks of shadow security?

A
  1. It creates a false sense of security.
  2. Ineffective communication of policy to managers can lead to the development of security ‘micro-cultures’ within teams.
  3. Inefficient ‘hard’ technical solutions can negatively impact employee productivity, create disgruntlement and can lead to alienation of employees.
  4. Not responding to employee feedback about identified security shortcomings validates adaptation of security.
  5. The presence of a shadow security environment can lead to a non-compliant organizational security culture.
13
Q

What are the lessons from shadow security?

A

Shadow security happens naturally and is a valuable indicator that security solutions are not serving the business.
- Shadow security practices emerge when the organization could do more to align security with productivity goals
Where shadow security practices begin to emerge, contributory factors can be addressed to improve organizational security and identify more workable security implementations that align with productivity objectives.

  1. Reduce Compliance Costs
    a. This requires a move to a participative, risk-based approach that works with users to understand where and how security can align with productive activity to protect valuable organization assets, especially during times of change.
    b. Security experts believe that there is a trade-off between usability and security. This misconception leads them to think it is OK to ask users to make extra effort, because either ease-of-use or security must win.
      i. But usability is a hygiene factor for security: solutions that are not usable will be circumvented, and lead employees to create shadow security practices.
  2. Engage low- and middle-management
    a. Collaborative decentralized approach to security
    b. Motivation for effective security behavior can come from managers in organizations: employees often turn to them when making security decisions
    c. Security-specific training for managers should then be tailored to acknowledge their role as mediators of security.
  3. Engage users in security design
    a. Security managers do not see security from the perspective of users.
    b. Reframe securing the organization as a collaborative activity.
  4. Assess security for its effectiveness
14
Q

How can shadow security be transformed, according to Kirlappos?

A

Adaptation is necessary to manage the complexity of business environments; if the organization is not willing to adapt, employees will enact those adaptations themselves.
- In this context of change, security cultures can benefit from becoming more learning oriented
Measuring security behavior helps security managers to understand how security fits with productive tasks in practice.
- Managers can observe real usage data and user feedback to learn how to adapt security provisions to achieve both productivity and security.

15
Q

How to manage shadow security?

A

  • Information Flow
    o It is common for employees to engage with colleagues situated in various locations, even overseas. Remote collaboration results in sensitive organizational information being present at various locations across many devices, increasing the potential points of failure that could lead to security compromises. Employees can devise workarounds, like using Dropbox, to make this easier.
  • Access control – Provisioning of accounts
    o There are a number of metrics that an organization can use to identify account misuse:
      * Mean time for leaver account deactivation.
      * Mean time for new account creation.
      * Account usage.
  • IT support – Response to helpdesk requests
    o If call response times are slow, employees with momentary pressures (e.g., deadlines, one-off meetings with associated deliverables) will have to adapt there and then, using their own understanding of IT and security expectations.

16
Q

What are the levels of information security culture?

A

Levels of Culture
1. Level One: Artifacts
a. Artifacts are what can be observed, seen, heard, and felt, in an organization.
2. Level Two: Espoused Values
a. An organization’s espoused values are the ‘‘reasons’’ an organizational insider would give for the observed artifacts. The values which the organization wants to live up to.
3. Level Three: Shared Tacit Assumptions
a. If strategies based on specific beliefs and values continue to be successful, these beliefs and values gradually come to be shared and taken for granted. These values, beliefs, and assumptions that have become shared and taken for granted in an organization form the essence of that organization’s culture.
i. Beliefs, in this sense, refer to a group of people’s convictions about the world and how it works.
ii. Values, refer to a community’s basic assumptions about what ideals are worth pursuing.

These three levels of corporate culture could be seen to correspond closely to the behavioral aspects of the ‘‘human factor’’ in information security.
It cannot be assumed that the average employee has the necessary knowledge to perform his/her job in a secure manner.
Information security knowledge, or a lack thereof, could therefore be seen as a fourth level to an information security culture that will affect each of the other three layers.

17
Q

What is Elasticity in information security culture?

A

Elasticity is a general economic concept that measures the change in one variable caused by changes in other, related variables; that is, elasticity measures how sensitive a variable is to change in another variable.
In the presented model, the concept of elasticity will be borrowed to illustrate the fact that change will be inherent in any such system and that the speed at which such change takes place depends on the degree of elasticity in the system
To a certain extent, it can be argued that the policies and procedures comprising the espoused values in an information security culture are an indication of how much security management is ‘‘demanding’’ from employees. Similarly, the shared tacit assumptions can be seen as a reflection of how much ‘‘compliance’’ employees are willing to ‘‘supply’’. If one were to model these two ‘‘supply’’ and ‘‘demand’’ curves, the intersection of these curves would be an indication of the actual amount of effort employees are willing to give.

The artifact level is represented by the shaded area between the two possible intersection points. This reflects the fact that it would be difficult to predict how employees will actually behave (artifacts) in a scenario where management demands (espoused values) and the effort employees are willing (shared tacit assumptions), or able (knowledge), to supply are not in equilibrium.
More ‘‘demanding’’ espoused values will have an elastic effect on the artifacts, and will require a matching increase in the shared tacit assumptions and/or the knowledge level(s).
Without such matching increases in the other levels of the security culture, the culture will not be in equilibrium and it would thus become more difficult to predict the resulting employee behavior (artifacts).
The knowledge level can be seen as representing the ability to ‘‘pay’’ the demanded ‘‘price’’, and as such will have an equally important effect on the resulting employee behavior (artifacts) as the other two levels.

18
Q

What is the conceptual framework for information security culture?

A

The overall effect of an organization’s information security culture can be seen as an accumulation of the effects of each of the culture’s underlying levels.
The elements in the framework can be described as follows:
- BL = Minimum Acceptable Baseline
- SL = Nett Security Level
- AF = Artifacts
- EV = Espoused Values
- SA = Shared Tacit Assumptions
- KN = Knowledge

The combination of the espoused values and the ‘‘elasticity effect’’ of the shared tacit assumptions and the user knowledge on these espoused values results in the visible and measurable artifacts. From a security viewpoint, the artifact level is a very good indication of the overall security of the organization’s information, since this level reflects what actually happens in the day-to-day operations.
In an information security culture the visible artifacts are thus dependent on both the supporting knowledge as well as this relationship between espoused values (management demands) and shared tacit assumptions (employees’ underlying beliefs and values).

19
Q

What is the definition of Security?

A
  • Definitions
    o A state (being secure) – free from danger
    o Protection (of data) from unauthorised modification, destruction, disclosure
  • Socio-technical approaches:
    o Technical solutions
    o Human centred
20
Q

What are the top security issues?

A
  • Spam
  • Viruses
  • WiFi hacking
  • Insider threat
  • Port scanning
  • Denial of Service
  • Phishing
  • Spoofing
  • Social Engineering
  • Trojans
21
Q

What is the current trend of Cyber Security?

A
  • We are actually improving:
  • Due to increased security awareness
  • Increasingly secure OS’s (but more application vulnerabilities)
  • But…losses are increasing:
  • Key risks are moving to:
  • Web based applications
  • Users (via social engineering and excessive admin rights)
22
Q

What are the external security threats?

A
  • APT (Advanced persistent threats)
  • Professional Cyber Criminals & Terrorists
    o Hard to detect
  • Disgruntled employees
  • Competitors
  • Hacktivist
  • Script Kiddies
    o Advertise actions
23
Q

What are examples of security behaviour in organisations?

A
  • Insider Threat
  • Shadow Security
    o Getting the job done > secure behaviour
    o Workarounds
    o Not always less secure, e.g. using own USBs, devices, transfer websites etc.
  • Compliance Budget
    o Enough is enough
    o Employees can only take so much
    o Limited resource
24
Q

What are the phishing susceptibility factors?

A
  • Message factors
    o Social influence
    o Needs & wants
    o Loss
    o Trust
  • Individual Factors
    o Propensity to trust
    o Goals and motivation
    o Personality (Big 5)
    o Knowledge, expertise, experience
  • Context factors
    o Current state (mood)
    o Wider context (culture)
25
Q

What are common phishing techniques?

A
  • Sense of urgency
  • Invoking emotions
  • Legitimacy cues
  • Social Influence Processes
  • Decision Biases
26
Q

What is Social Engineering?

A
  • Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders
  • The goal of social engineering is to trick someone into providing valuable information or access to that information.
  • Also a ‘human vulnerability’
    o Increasingly likely in organizations that are:
      * authoritarian
      * hierarchical
      * low in trust
  • Combination of techniques:
    o Phishing/vishing
    o Impersonation
    o Tailgating
    o Baiting
27
Q

What are the 6 weapons of influence according to Cialdini?

A
  • 6 weapons of influence – Cialdini
  • Compliance-inducing techniques:
    o Authority
    o Commitment and consistency
    o Liking
    o Reciprocity
    o Scarcity
    o Social proof
28
Q

What is Reciprocation?

A
  • Opening doors
  • Tailgating
  • Influence techniques:
    o Door in the face
    o Foot in the door
  • Remember: charity giving you free money
    o Disclosure is reciprocated too
29
Q

What is Mimicry/Mirroring?

A
  • Mirroring can occur using:
    o Non-verbal body language / facial expressions
    o Linguistic style
    o Lexical matching (I see)
    o Accent intonation
  • Waitresses who repeat back your order get bigger tips
30
Q

What are the solutions in organizational security?

A

Solutions in organizational security
- Make security usable
  o What might the unintended consequences be?
  o How do my protocols interfere with employees’ productivity / core task?
- Limit access to information
  o Mitnick & Motorola SW code
- External security != internal security
  o Both physical access and protective measures
- Don’t just ban or monitor, but enable staff
  o Accept risk - have recovery plans
- Link corporate security practices to personal security behaviour.
- Work with end-users to create workable processes (e.g. how to distribute information and share files).
- Create policy on how to act when job tasks and security practices do not align, in order to avoid individual shadow security practices.

31
Q

What are the elements of security culture?

A
  • More than a set of behaviours
  • Requirements
  • Physical security
  • Cyber security
  • Board buy-in
  • Leading by example