Cybersecurity awareness training has become a central activity in many firms. It takes time, requires planning and management follow-up, and is very often mandatory for all employees. But does it work? That depends – first and foremost on people’s feelings towards cybersecurity.
A very informal survey in my network shows that most people don’t receive any awareness training at all at work, and among those that do, there are more people who say it does not change their behaviors, than those that think it has had a positive impact.
The results of a simple survey show that most people receive no cybersecurity awareness training, and that among those that do, people do more often than not judge it to be of little value.
At the end of last year I participated in a local meeting in the Norwegian Association for Quality and Risk Management, where I heard a very interesting talk by Maria Bartnes (Twitter: @mariabartnes) from SINTEF on user behaviors and cybersecurity training. She argued that training is only effective if people are motivated for the training – and for that they need to have beliefs and goals that are well aligned with the organization they are a part of. She portrayed this in a matrix with various employee stereotypes, with “feelings towards policies and company goals” on one axis and “risk understanding” on the other axis – which I found was a very effective way of communicating the fact that all employees are not created equal 🙂 . You have people ranging from technical risk experts that love the company and policies they are working for, and you have people who don’t understand risk at all, and at the same time are feeling angry or resentful towards both their company and its policies – and you have everything in between.
Another issue is that many organizations tend to make training mandatory and the same for all. It makes little sense to force your experts to sit through basic introductions that are second nature to them anyway – a lot of knowledge workers experience this when HR departments push e-learning modules to all employees.
What does it all mean?
Some people have argued that security awareness training is completely useless. This is probably going a bit too far but there are clear limits to what can be achieved by “training” of any kind when it comes to changing people’s behaviors. We use computers by habit – the way we act when we read e-mails, research the internet, write Word documents or compile code – it is all “second nature” when you are experienced at it. Changing those habits is hard and it does not happen automagically through training.
Focusing on motivation and feelings is a good start – without the motivation to do so, it is very unlikely that users that exhibit risky behaviors will make any effort to change those behaviors.
Continuous effort is needed to change behaviors, to create new habits. This means that employees must not only receive the knowledge about the “why” and the “how”, but they must also attain practical knowledge by doing. When we realize that, we see that it becomes very important not to demotivate employees that already have positive feelings about cybersecurity. Forcing the highly motivated and technically competent to take very basic e-learning lessons may kill that motivation – and thus increase your organizations risk exposure.
It also becomes very important to motivate those that are feeling resentful, both the technically competent ones, and those in the “worst-case corner” of resentful and low technical competency. Motivation comes before technical know-how.
For cybersecurity awareness training to have a positive effect it is thus necessary to tailor the contents to each employee based on skills and motivation. Further, the real work really starts after the training – it is the action of “doing” that changes habits, not the mere presentation of information about phishing e-mails and strong passwords. This means you need leadership, and you need change agents.
Use your technically skilled and highly motivated people as change agents. They can help motivate others, and they can exemplify good behaviors. Let these supercyberusers support management, and educate management. And bring the managers on board on following up security regularly, rather than outsourcing it to the IT department. Entertaining abuse cases for discussion in meetings can help, as well as publicly praising employees that make an effort to bring the maturity of both their own security practices, and the security maturity of the company as a whole, to a new level.
Summary
Make sure you adapt your training to both the motivation and the technical skills of those who receive it. See maturity work in the area of cybersecurity as a part of your organization’s continuous improvement program – embed it in the way your organization works instead of relying solely on information campaigns. Use change agents and inspiring leaders in your organization to change the way the organization behaves, from the individual to the firm as a whole. That is the only way to succeed in building security awareness that actually changes behaviors.
Maintaining security is an ongoing process which requires coordinated effort by the whole organization. Without backing from the top management levels and buy-in through the ranks there is little chance of building up resilience against cyber attacks. As organization complexity increases and value creation becomes distributed it will be necessary to have an integrated approach to security; your company needs an information security management system. ISO 27001 is an international standard that sets requirements for such a system, based on what has been internationally recognized as best practice.
ISO 27001 [external link] is a management system standard that follows many of the same principles as other ISO standards such as ISO 9001 for quality management. Assuming that the client has an ISO 9001 compliant system in place, the information security management system should be built on the existing processes and workflows. This means that existing auditing systems and reporting requirements should be extended, rather than building everything from scratch.
The following are key elements of information security management system establishment. First we look at the activities that need to be performed in the order of appearance of requirements in ISO 27001. Afterwards, we summarize the bare minimum that you will have to do in a table.
Under which regulatory regimes does the organization operate?
Who are the main threat actors based on the external context? (Script kiddies, hacktivists, cyber criminals, nation states, etc.)
Internal stakeholder definitions
Who are the system owners?
Who are the system users?
Which process owners depend the most on the information assets?
Who are responsible for maintaining security?
Identify main information assets
What are the critical information objects?
Why are they critical in the context of operations?
Are there assets that require security due to external stakeholder situations (legal or commercial requirements, or due to risk drivers)?
The most efficient approach for this type of context development is a working meeting with the organization’s top management where these key issues are identified.
Building a management system requires the involvement from the whole organization. Focusing on business strategy, key stakeholders and the value chain in terms of core competence, contracts with the supply chain and how to drive compliance (e.g. through auditing) is key to securing the organizations’ assets in the long run.
Policy development and leadership
(ISO 27001 Section 5)
Top management must be involved in policy development, and promote its integration in the overall management system of the organization
A policy should be developed and be sanctioned and signed by top management. The policy shall include the following:
Policy objectives
Should commit the organization to compliance with infosec requirements, and to continuous improvement. It should therefore refer to the organization’s existing systems for compliance measurement and continuous improvement processes, as well as to internal information security standards with more practical requirements.
The policy shall be documented and made available and communicated to all users
Top management shall assign responsibility and authority for follow-up of information security, and for reporting to top management. In most organizations a single role is recommended for this, and a person competent in both the organization’s core activity and in information security principles should take this role. In most commercial organizations this role is designated as CISO.
Policy objectives should conform to the requirements of Clause 6.3 of ISO 27001. In order to identify these goals when building a new system it is recommended to write the policy after an initial risk and vulnerability assessment has been performed.
Recommended practice is to develop the policy in cooperation with the assigned CISO (if existing at this point). A policy document should be written and discussed with top management before it is updated. The policy should be dated, and an expiry date should be set in order to guarantee regular reviews (this is not an ISO 27001 requirement but is considered good practice for security critical process documents).
Information security risk management planning
(ISO 27001 Section 6)
Define a process for information security risk assessment. The recommended elements of this process:
Requirements to documentation of [USERS, HARDWARE, SOFTWARE, NETWORKS]
Requirements to performing risk assessments
Risk acceptance criteria. It is recommended to keep this at a coarse level and use qualitative descriptors
HAZID-type risk identification (use of guidewords)
Control planning methodology (ref. to Annex A of ISO 27001)
Perform a risk assessment for all applicable systems (Scope definition → HAZID → Risk ranking → Risk treatment planning)
Produce a statement of applicability for the controls in Annex A of ISO 27001
Formulate infosec objectives (ref policy development). These objectives should be measurable, or at least possible to evaluate with respect to performance. The objectives should align well with the overall criticality of the information assets (ref. risk context). Annex A of ISO 27001 is a good guidance point for developing objectives. Also, the organization should not choose objectives that are inconsistent with the maturity and capabilities of the organization.
The risk assessment procedure should be written in a practical way, such that the organization can apply it with the available resources. It should include examples of format for reporting, and also the recommended guidewords/threat descriptors.
A key difficulty for infosec risk assessments is the risk ranking. There are several ways this has been approached, varying from using “complexity of attack vector” as a proxy for probability and generic ratings for impact, to context related impact assessments in operationally relevant categories such as revenue loss, legal and litigation consequences, or reputation loss. The probability dimension can also be treated using aggressor profiling techniques, which is recommended for sophisticated organizations with a good understanding of the threat landscape. You can read more about that technique in this blog post from 2015: https://safecontrols.blog/2015/09/08/profiling-of-hackers-presented-at-esrel-2015/
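The Scope definition → HAZID → Risk ranking → Risk treatment planning sequence with coarse qualitative descriptors, as an added example (not code from the original post or from ISO 27001). The guidewords, descriptor scales, acceptance bands and register entries are constructed; a real procedure would set its own.

```python
"""Qualitative risk ranking for a HAZID-style information security risk assessment.

Added example, not from the original post or from ISO 27001: the descriptor
scales, acceptance criteria, guidewords and register entries are constructed.
"""
from dataclasses import dataclass

# Coarse qualitative descriptors (constructed), mapped to ordinal scores.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Guidewords used to prompt risk identification for each scope node (constructed).
GUIDEWORDS = ("phishing", "credential theft", "malware", "insider misuse",
              "data leak", "service outage")


@dataclass(frozen=True)
class Hazard:
    node: str        # scope node from the scope definition, e.g. a system or process
    guideword: str   # guideword that prompted the scenario
    scenario: str
    likelihood: str
    impact: str

    def __post_init__(self):
        # Reject descriptors outside the agreed scales so rankings stay comparable.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown descriptor in {self.scenario!r}")
        if self.guideword not in GUIDEWORDS:
            raise ValueError(f"guideword {self.guideword!r} is not in the procedure")

    @property
    def score(self):
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score):
    """Acceptance criteria (constructed): three coarse bands on the 1-25 score."""
    if score >= 15:
        return "unacceptable"   # must be treated before the activity continues
    if score >= 6:
        return "tolerable"      # treat where a proportionate control exists
    return "acceptable"


def rank_register(hazards):
    """Risk ranking: highest score first, ties broken by impact, then scenario text."""
    return sorted(hazards, key=lambda h: (-h.score, -IMPACT[h.impact], h.scenario))


def treatment_plan(hazards):
    """Group the ranked register by level, the input to risk treatment planning."""
    plan = {"unacceptable": [], "tolerable": [], "acceptable": []}
    for h in rank_register(hazards):
        plan[risk_level(h.score)].append(h)
    return plan


def uncovered_guidewords(hazards, node):
    """Completeness check: guidewords never applied to a scope node."""
    used = {h.guideword for h in hazards if h.node == node}
    return [g for g in GUIDEWORDS if g not in used]


# Constructed register for one scope node.
REGISTER = [
    Hazard("Accounting file server", "phishing",
           "Phishing e-mail delivers ransomware that encrypts accounting shares",
           "likely", "severe"),
    Hazard("Accounting file server", "credential theft",
           "Stolen VPN credentials used to read accounting shares out of hours",
           "possible", "major"),
    Hazard("Accounting file server", "service outage",
           "Unplanned reboot interrupts month-end processing",
           "likely", "minor"),
    Hazard("Accounting file server", "data leak",
           "Customer list e-mailed to the wrong recipient",
           "unlikely", "moderate"),
    Hazard("Accounting file server", "insider misuse",
           "Administrator reads payroll data without a work reason",
           "rare", "negligible"),
]

if __name__ == "__main__":
    for h in rank_register(REGISTER):
        print(f"{h.score:2d} {risk_level(h.score):12s} {h.guideword}: {h.scenario}")
    print("guidewords not yet considered:",
          uncovered_guidewords(REGISTER, "Accounting file server"))
```

The completeness check is the part most often skipped in practice: a node with an unused guideword is a gap in identification, not evidence of low risk.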
Support
(ISO 27001 Section 7)
The organization must perform a competence requirements mapping with respect to infosec for the various roles in the organization. This work should be performed in cooperation with the organization’s HR department, and set verifiable requirements for groups of employees. Responsibility for following up this type of competence should be given, preferably to the HR director or similar. Typical employee groups would be:
Senior leadership
HR and middle management
Information system users
IT personnel
Specific roles (CISO, internal auditor, etc.)
The organization must develop an awareness program. The awareness program should as a minimum include:
Making employees aware of the policy
Why complying with the policy and the procedures is necessary and beneficial
Implications of non-compliance (up to and including employee termination and criminal charges in serious circumstances, depending on local legislation)
Information security aspects should be included in the communication plans for both internal and external communication.
For document control and similar processes, it is assumed that the organization has an appropriate system. If not, see ISO 27001 Section 7, Clause 7.5.3, as well as the ISO 9001 requirements.
The awareness program should be made the responsibility of either the CISO or the training manager /HR. These departments must cooperate on this issue.
The communication plan for information security can be integrated in other communication plans but shall be approved by the CISO. It is recommended to develop a specific plan for information security that other communication plans can refer to. This is especially relevant for communications during incident handling, which may require tight stakeholder cooperation and maintaining good public relations and media contacts.
Operations and Performance Monitoring
(ISO 27001 Section 8-9)
The organization must implement and document the performance of the risk mitigating controls. A lot of the proof can be extracted from data from technological barrier functions, whereas other measures may be necessary to document organizational controls.
Information security aspects should be included in the organizations change management procedures (ref. ISO 9001 requirements)
Information security monitoring should be implemented based on control and objectives
Information security auditing should be included in the internal auditing program. It is recommended to build on the existing system, and to include competence requirements for the subject matter expert assisting the head auditor (ref. back to competence management and HR processes). Some extra reading about auditing and what it is good for can be found here, written for the context of reliability engineering; it should be equally applicable to cybersecurity: Why functional safety audits are useful
Include infosec in management review. In particular ensure efficient reporting on infosec objectives. It is recommended to create a simple and standardized reporting format (e.g. a dashboard) for this use.
Continuous Improvement
(ISO 27001 Section 10)
Include infosec into the existing non-conformance system
Assign CISO as owner of infosec related deviations
Activity summary and sequence
Building a management system requires multiple activities that have interdependencies, as well as dependencies on other management system artifacts. The following sequence is a suggested path to developing an information security management system from scratch in a robust organization.
Note that it should be expected that some iterations will be needed, especially on:
Policy and objectives
Risk assessment procedure and risk and vulnerability study (the procedure is updated based on experience with the method)
Objectives and measurements will need to be reviewed and updated based on experience
Note also that a consultant has been included in the “People” category. For organizations that do not have sufficient in-house competence in management system development it can be beneficial to contract a knowledgeable consultant to help with the project. For organizations with sufficient in-house capacity this is not necessary, and it is not a requirement for compliance with ISO 27001.
| Main activity | Sub activities | Inputs | Outputs | People |
|---|---|---|---|---|
| Context development | Stakeholder mapping | Customers/users, organization charts, suppliers, partner lists, etc. | Information in technical note on Context: stakeholders. Should include who, why, what and how with respect to the information security risk. | Top management, Consultant |
| Context development | Inventory mapping | Network topologies, asset lists, document systems | Prioritized inventory description as section in technical note on Context. | CISO, IT department, Archiving department, Consultant |
| Context development | Threat actor assessment | Outputs from previous activities. News and general media. Experience from previous incidents. Open security assessments from police and intelligence communities. | List of threat actor categories with descriptions of motivations and capabilities. | CISO, Consultant |
| Risk procedure development | | | Risk assessment procedure document | CISO, Consultant |
| Risk assessment | Scope definition for risk assessment | Context note with inventory. Topology drawings. Organization charts. Use cases. | Scope presentations | Consultant, System owners, CISO |
| Risk assessment | Risk identification | Use of guidewords for each scope node, ref. risk assessment procedure. | Risk identification table (HAZID table) | Consultant, System owners, CISO |
| Risk assessment | Risk evaluation | HAZID table. | Risk ranking. | Consultant, System owners, CISO |
| Risk assessment | Mitigation planning (including ISO 27001 Annex A review) | HAZID table with risk ranking. | List of actions and controls to be evaluated or implemented. | Consultant, System owners, CISO |
| Risk assessment | Reporting | HAZID table and risk mitigation results. | Risk and vulnerability report. | Consultant |
| Statement of applicability | Review each control in Annex A | Context note. Risk and vulnerability report. | Statement of applicability (report) | Consultant, CISO |
| Objectives development | Suggest objectives based on previous activities and maturity of the organization | Risk assessment, context, statement of applicability | Information security objectives, including measurement and review requirements in technical note or procedure. | Consultants |
| Objectives development | Review of objectives with key stakeholders | Objective note. | Revised objective note. | CISO, Top management, Consultant |
| Policy development | Develop draft policy for information security. | Objectives, statement of applicability, risk and vulnerability report, context, policy templates. | Draft policy. | Consultant, CISO |
| Policy development | Review draft policy in meeting with top management. Top leadership needs to be involved and take ownership, headed by the CISO. | Draft document | Revised policy | Top management, CISO, Consultant |
| HR integration: competence management | Develop competence requirements for roles | Role descriptions | Updated competence requirements in role descriptions | HR, CISO, Consultant |
| Awareness program | Develop awareness program, tailored to competence requirements of groups. | Updated role descriptions | Awareness program plan | HR/Training responsible, CISO, Consultant |
| Internal auditing requirements | Update internal auditing requirements | Infosec policy and procedures, objectives | Updated audit plans and competence requirements for subject matter expert | CISO, Internal auditor, Consultant |
| Other integrations | Update change management system and management’s annual review reporting requirements | Infosec policy and objectives | Updated change management procedure. Updated reporting format to top management. | CISO (recommended that this is done internally unless the consultant’s assistance is needed) |
After the management system has been established, it is recommended to perform an internal requirements audit to identify gaps.
After the system has been in operation for 6 months an internal security audit with focus on evidence of use is recommended.
Summing up what you just read
You have determined your company needs a security management system. This blog post gives you a blueprint for building one from scratch. Keep in mind that the system with its processes, governing documents and role descriptions only provide a framework to work within. Key to getting value from this process is starting to use the system.
Building a management system from scratch is a big undertaking, and for many companies it makes more sense to do it piece by piece. Start with a minimum solution, start using it, and improve on the processes and documents based on your experience. That is much better than trying to build the system to be fully compliant from day 1 – and you will start to see real benefits much sooner.
A term that is often used in the cybersecurity community is threat hunting. This is the activity of hunting for intruders in your computer systems, and then locking them out. In the more extreme cases it can also involve attacking them back – but this is illegal in most countries. Threat hunting involves several activities that you can do to find hackers on your network. The reason we need this is that the threats are to some extent intelligent operators who adapt to the defenses you set up in your network – they find workarounds for each new hurdle you throw at them. Therefore, the defense needs to get smart and use a wide arsenal of analysis techniques to find the threats; meaning analysis of data that can indicate that an intrusion has occurred. Data on user behavior, logins, changes to files, errors, and so on can be found in the systems logs. In addition to things that can be automated (looking for peaks in network traffic, etc.), threat hunting will always include some manual inquisitive labor by the analyst – both for understanding the context more deeply, and perhaps utilizing statistical and data science tools for special cases. Based on successful hunts, automated signals can be added to improve future resilience. The interplay between automated red flags, context intelligence and data science is shown below.
Threat hunting is active search for threats, instead of waiting for an attack to occur and react after the fact. It means you need to tie together a number of activities, both automated scans, threat landscape intelligence and context development, and smart use of machine learning, data science and creative data exploration.
The conglomerate joint venture deal: a potential source of an advanced persistent threat?
Johnny the Hunter was going to work as usual in the morning. He got a cup of coffee and sat down at his computer to start his day. As most office workers, Johnny first skimmed his e-mails, and checked his Twitter feed for any interesting news. He noticed one e-mail that stood out, from one of the sys.admins, who told him that one of the application servers had rebooted without any good reason last night. No functionality had been lost, and no significant downtime was recorded – it was just a simple reboot. The logs on the server did not show any suspicious activity.
This triggered Johnny’s curiosity – what had caused the reboot? Was it some random hardware issue? Was it a software bug causing a kernel crash? Probably not, that would have been recorded in the server logs.
Johnny decided to make this the starting point for a hunt. First, he checked all automated surveillance systems; there were a few orange flags (detected abnormal activity but not something considered critical). He decided he needed to review the newest intelligence data they had on the threat landscape. There was nothing from the typical providers that caught his attention, so he turned to the intranet to check if something was going on internally in the company. He noticed the CEO had posted a video explaining that they were negotiating with an Asian conglomerate about buying up one of the conglomerate’s competitors as a joint venture. They had not yet agreed on who would be the controlling company in the joint venture. He didn’t notice any other big news.
He then called HR to ask if there were any new hires onboarding that would have anything to do with the Asian deal. The HR director told him that they had several applicants, all coming from the Asian conglomerate, and they were all highly qualified. It seemed a waste of talent not to hire at least one of them but the CSO had told HR to hold it off.
Johnny decided to start looking at network logs from the last 2 years, to have a baseline, and then to look for anomalies after negotiations about the buy-up started. For this he collected logs not only from the application servers, e-mail servers, web servers and network security devices, but also news items and social media posts. He decided he would use supervised learning to correlate news events with network anomalies and called up Sin Jing, the head of their internal big data and machine learning R&D unit, to discuss how best to do this.
Using a range of techniques Johnny investigated behaviors and could find a correlation between news and strange network activities from the last 4 months. Prior to that there was no such correlation. He also tracked down the activity to two user accounts in the accounting department, and the activity was always managed over VPN outside of normal office hours. He had a lead on the threat actors – and decided to discuss it with the HR department to assess the possibility of this being an insider threat, or whether these were simply compromised accounts not detected by their endpoint security solutions.
This is threat hunting – and for the most advanced threats it is the only way to decrease detection time, and to effectively reduce the attack surface.
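The off-hours VPN pattern from the hunt above, as an added detection example that is not part of the original post: per-account profiling of VPN session starts against an office-hours baseline, flagging accounts whose sessions fall mostly outside it. The log format, the 07:00–18:00 weekday window, the thresholds and the sample lines are all constructed assumptions.

```python
"""Flag VPN accounts whose sessions are predominantly outside office hours.

Added example, not from the original post: the gateway log format, the
office-hours window, the thresholds and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed VPN gateway log lines: ISO timestamp, host, event, user, source IP.
SAMPLE_LOG = """\
2019-03-04T09:12:41 vpn-gw session-start user=acct.mlarsen src=198.51.100.7
2019-03-04T22:47:03 vpn-gw session-start user=acct.ksolberg src=203.0.113.45
2019-03-05T08:55:19 vpn-gw session-start user=eng.pnilsen src=198.51.100.12
2019-03-05T23:10:57 vpn-gw session-start user=acct.ksolberg src=203.0.113.45
2019-03-09T02:31:22 vpn-gw session-start user=acct.thansen src=203.0.113.46
2019-03-09T03:05:48 vpn-gw session-start user=acct.thansen src=203.0.113.46
2019-03-11T10:01:33 vpn-gw session-start user=acct.mlarsen src=198.51.100.7
2019-03-11T19:30:00 vpn-gw session-start user=eng.pnilsen src=198.51.100.12
2019-03-12T23:44:09 vpn-gw session-start user=acct.ksolberg src=203.0.113.45
2019-03-13T01:12:30 vpn-gw session-start user=acct.thansen src=203.0.113.46
"""

LINE_RE = re.compile(r"^(\S+) (\S+) session-start user=(\S+) src=(\S+)$")

# Assumed baseline of normal working hours: 07:00-18:00, Monday to Friday.
OFFICE_START, OFFICE_END = 7, 18


def parse_line(line):
    """Return {"ts", "host", "user", "src"} for a session-start line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, src = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "host": host, "user": user, "src": src}


def is_office_hours(when):
    return when.weekday() < 5 and OFFICE_START <= when.hour < OFFICE_END


def profile_accounts(lines):
    """Per-account counts of total and off-hours sessions, plus source IPs seen."""
    profiles = defaultdict(lambda: {"total": 0, "off_hours": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, never counted as evidence
        p = profiles[rec["user"]]
        p["total"] += 1
        p["sources"].add(rec["src"])
        if not is_office_hours(rec["ts"]):
            p["off_hours"] += 1
    return dict(profiles)


def flag_off_hours_accounts(lines, min_sessions=3, min_share=0.75):
    """Accounts with at least min_sessions whose off-hours share reaches min_share.

    Returns (user, off_hours_share, sorted source IPs) tuples, highest share first.
    The source IPs are kept so the analyst can check whether the sessions
    cluster on one origin, as in the hunt described above.
    """
    flagged = []
    for user, p in profile_accounts(lines).items():
        if p["total"] < min_sessions:
            continue  # too few sessions to call it a pattern
        share = p["off_hours"] / p["total"]
        if share >= min_share:
            flagged.append((user, share, sorted(p["sources"])))
    return sorted(flagged, key=lambda f: (-f[1], f[0]))


if __name__ == "__main__":
    for user, share, sources in flag_off_hours_accounts(SAMPLE_LOG.splitlines()):
        print(f"{user}: {share:.0%} of sessions outside office hours, from {sources}")
```

A flag here is a lead for the analyst, not a verdict: the next step in the narrative, checking with HR and endpoint telemetry whether the accounts are insiders or compromised, is exactly what this output is meant to prompt.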
Protecting your personal data is important, whether you are a teenager or in retirement. A lot of people are confused about what they can do to avoid becoming victims of internet fraud. Cyber criminals use phishing attacks – email scams where they trick you to click a download link to viruses, or to open attachments that are no good for you. This is by far the most common way to steal someone’s data, and to abuse it.
Keep the criminals away from your personal data!
There are two common ways hackers steal your money:
They hold your computer hostage by using a virus type known as ransomware or cryptovirus. What this does is it locks your computer files with a password, and they demand money to give you the password back. Sometimes they make you pay several times and don’t give it back to you anyway.
They steal your payment data, like a credit card. Malware that monitors your purchases can send your credit card data to the hacker, who then abuses the credit card by buying things or paying to himself by setting up a merchant account with a credit card processing company like PayPal.
The question is: what can you do to avoid this? The following list contains about the same information that big companies are offering their employees as cyber awareness training. If you follow these 6 rules you will reduce the risk of this type of cyber attack by around 90%:
Always be critical of e-mails you receive and don’t open links or attachments you are not sure about. Check the actual internet address of the link and see if it makes sense before opening it. Copy and paste it into your browser instead of clicking it to see this. Don’t visit the site if it looks suspicious.
Keep all of your software up-to-date. Software upgrades are normally security fixes – they are removing vulnerabilities hackers need to attack your software. Only use software from reputable sources.
Don’t use public open wifi without a virtual private network (VPN). A VPN creates a protected path for your data communication with the internet, making it impossible for hackers on the network to read your data traffic.
Always have antivirus software running on your computer, and a firewall.
Regularly back up your data. You can use a USB drive for this, and disconnect it when you are done backing up. This way hackers can’t lock your files away from you, because you have a safe backup they cannot reach.
Don’t use the same passwords for many online sites. Sites on the internet are hacked quite often, and if you have used the same email and password on many sites, they get access to everything. ID theft is a big problem, partly because people use the same password everywhere.
My answer to What are the things that need to be considered when doing a risk assessment?
Answer by Håkon Olsen:
The process can be summed up in three layers – the continuous flows of stakeholder communication, risk assessment itself, and the risk treatment.
Here’s my answer from Quora:
Risk assessments can be performed at many levels of granularity but the same general structure of the process can be used for all such assessments. There is an ISO standard that describes this approach which is generally recognized as best practice (ISO 31000). This involves:
Defining the context
Identification of risk factors
Analysis of risk (likelihood and impact)
Evaluation of risk
Treatment planning
Monitoring of risk and treatment
Stakeholder communication and consulting
The context includes the scope of your assessment, who the stakeholders are, what is considered acceptable and not acceptable risk levels and how the value chain is affected by the risk exposure.
Identification of risk factors can be done in many ways, but the use of “guidewords” is very common, hooks to get the ideas running. This is a sort of guided brainstorming, taking past experience into account but also avoiding disregarding events that have not yet happened. Typical guidewords for the risk to an office building could be; fire, bomb threat, hurricane, power outage, robbery. The list of guidewords must be tailored to the scope, and the context in general.
Analysis of risk means assessing how likely each scenario is, and what the potential impact can be. This can be done in a purely qualitative way, or it can be a sophisticated mathematical modeling exercise involving computer simulations and advanced statistics. The point is to arrive at an assessment of how likely something is to happen, and how bad it would be.
In evaluation of the risk you sort which risks must be reacted to, and which ones you can disregard. You typically prioritize risks that are both likely and with a potentially serious outcome. These risks are usually unacceptable to leave as they are. Then there is an intermediate ground with risks that are somewhat likely, or somewhat bad, or both, that you may want to do something with. In many areas these risks are treated if actions can be found that will reduce them without adding excessive cost – often referred to as keeping risk ALARP (as low as reasonably practicable – a UK legal concept).
Treatment planning is all about what you do about your risks. You can build barriers to reduce the likelihood of the event happening (automatic pressure relief valves on pressure cookers), or that will reduce the impact (sprinklers to fight fires). This is called mitigation. You can also in many cases defer the risk to other parties through buying insurance – but this is not always possible. You can also avoid the risk if you cannot find a reasonable way to deal with it by stopping the risky activity, or redesigning whatever it is you do. Finally, you may also choose to accept the high risk because you think the rewards are great enough to justify it.
Over to practice; you need to monitor the risk level and the integrity or quality of the barriers you have built. If risk is building up you need to take action. This is a continuous activity, something banks, chemical factories and airlines do a lot of.
Finally, and perhaps one of the most overlooked parts of risk assessments, is communication. You have a lot of stakeholders that you should have identified in the concept description. Keeping them involved and engaged throughout your asset’s lifecycle is key to managing risk effectively. You can read more about the people management aspect of stakeholder engagement here: 4 steps to engaging people in risk conversations (my blog – lots of stuff about risk assessment there, have a look around!)
Here’s an article I shared on LinkedIn some time ago – it spurred some interesting discussion about how digital transformation is changing the way we work and how we look at attendance. A key question not discussed in that piece is “are people able to protect corporate data and intellectual property when the social fabric of the physical office is dismantled?” I’d love to hear your thoughts about that!
Technically we can work from anywhere – but are people able to maintain the necessary level of information security?
Excerpt: Telecommuting has been a thing for some years. It works well for some, and not at all for others. Technology has come a long way, and it should now be possible to interact and work remotely for most types of “knowledge work”. In spite of this, we just can’t make it really work. More often than not, when trying to have a video conference at work, we spend 20-25 minutes setting the meeting up and making everything work, usually because someone at the other end doesn’t know how to use his or her equipment. Clearly, technology is not enough by itself; people need to learn how to use it. And, unfortunately, “professional” communication equipment has extremely bad UX design. Compare a top-of-the-line conferencing setup with Skype or Google Hangouts: there is a real difference in ease of use, and in the feel of the whole thing.
Risk management is about managing uncertainty; it is the planning, monitoring and handling of the unexpected. All of this happens in a specific context. You have something you want to protect from various risks, and you have the people who depend on that something. Communication with those people is key to all phases of risk management. If you cannot involve your colleagues, your suppliers and your customers in the way you deal with risk, you are going to fail. Let us first look at who the people you most likely need to deal with are.
The boss
The supplier
The workhorse
The consumer
The boss is responsible for the stuff you are trying to protect and must be involved in determining which risks are OK to take. The boss also needs to own the outcome and make sure everyone is on board pulling in the same direction. Getting the boss on your team should be a high priority.
The suppliers are all the people you depend on to do what you do, to make what you do. If the suppliers don’t want to play ball you are going to have a hard time understanding what can hit you, and you may not be able to deal with difficulties without their help. Communication can be difficult here, because the suppliers also have their own context and see the world from a different mountain top than you do.
The workhorse is the doer, the expert, your colleagues. These are the people you need in order to understand how things work, and the people you need to take action. If they don’t work with you on dealing with risk, you will definitely not succeed. Not all workhorses are going to want to help; this is where you need to engage through others: the boss, other workhorses that are already engaged, and perhaps even the suppliers and consumers (hopefully not).
The consumer is the customer, the client, the user. It is the people who depend on you to provide a service or product. Risks hitting you are hitting the entire supply chain, and the consumer may be the people who have the most to lose from bad risk management. The consumer may also be able to help with dealing with risks, and in resolving difficult situations. Involving the consumer in your risk management should always be a priority.
Your communication style must be tailored to the role of the person you are trying to involve, and to the ability of that person to contribute. If you do not think about this in advance, communication is not likely to be successful. This is why you need a plan.
Step 1: Make a communication plan
The different roles need different information to feel engaged. They may also have different interests in the asset you are trying to protect. The key to creating engagement through communication is to tailor your plan to the interests of your stakeholders. That being said, you also need this to be a two-way street; you need feedback, you need to gather information. Your communication plan shouldn’t be a long and formal document; a simple plan where you think through the key aspects of communication with each stakeholder is enough. The key steps are:
Identify the stakeholders and roles: who are they, what are their roles, what interest do they have in your asset, how much time do they have to support you and what do you need each of them to do?
Plan what each person needs to be involved in and how
Plan how you distribute information in various channels to the stakeholders; a matrix or table is a nice way of doing this in a condensed format. Think face-to-face meetings, town halls, e-mails, intranet/web spaces, social media, phone calls, whatever channel you are planning to use. Keep in mind that communication works best in the channel the receiver prefers.
Set up a schedule for how often you are going to communicate with each stakeholder – and make sure you don’t make it a “set and forget”
Step 2: Value relationships as much as results
Risk management is people management. Risk managers are often quite technocratic by nature and prefer to focus on results and technical matters. This is of course necessary, but you also need to value the relationships you have with the people you are communicating with. This means spending time with people, thanking them for their contributions and actively listening to what they have to say, even if it is not related to your risk management activities.
Step 3: Don’t give pole position to compliance
Compliance is important but far too often risk management is reduced to a checklist exercise of controls. This mindset is detrimental to good communication and can contribute to increased risk. The most important risk in risk assessments is overlooking the obvious – and the reason people do this is because they are not engaged in the process. Don’t forget compliance but use it as a driver for continuous improvement instead of being the focus in every activity.
Step 4: 30,000-foot view
At regular intervals you should take a step back and reflect. Ask yourself open-ended questions and try to find answers based on your experience with the various stakeholders in the project.
What did Mr. X contribute with?
What did Ms. Y not tell me and why not?
Do I have what I need?
Who is satisfied with their involvement and who is dissatisfied? Why?
What do I need to change to get what I need?
What do I need to change to make sure every stakeholder feels valued?
If you follow these steps, things may still go wrong. The chances are, however, that you will get much more useful involvement, much more engagement from the people you need to deal with, than if you go about communication in an unplanned ad-hoc way.
It is interesting to see the effect on the dynamic probability of failure on demand (PFD) from a theoretical perspective. Consider now instead the problem of collecting operational data and adjusting the test intervals to optimize uptime while staying within the PFD constraints given by the SIL requirement. To do this in a robust manner, one must take the uncertainty in the data into account. We are seeking to solve this problem:
In other words: maximize the test interval while keeping the upper confidence bound on the average value of the PFD below the set value C, given that the standard deviation of the rate of dangerous undetected failures is known. To make things more practical, we consider a simple SIL loop where the PFD value is dominated by the final element. For the sake of the calculation we make the simplification that the loop consists of a single component. Let us then assume we have 20 valves of the same type that have operated for an aggregated 400,000 hours, and that we have a theoretical failure rate of 1 × 10^-6 per hour for these valves. We have had no real demand trips, and the original test frequency was once per year. Testing has revealed that one valve had a dangerous failure in its first year of operation. Can we use this to extend the test interval without increasing the risk to our assets?
A naive estimate of the failure rate based on our observations alone is one failure in 400,000 hours, i.e. 2.5 × 10^-6 per hour, which is worse than the a priori estimate from the design data. However, the design data are based on a larger data set and should not be disregarded if we wish to be reasonably sure about our decisions. So the expected mean time to failure lies somewhere between about 46 years (400,000 hours) and 114 years (1 million hours), a significant difference. SINTEF has released a report that gives a simplified approach to updating the failure rate. This approach requires you to define a conservative estimate of the failure rate based on the a priori data, often chosen to be double the original failure rate: λDU_CE = 2 λDU. Uncertainty parameters for a Gamma distribution are then calculated as
Then the combined (updated) failure rate estimate is given as
where is the number of dangerous failures observed, and is the aggregate operational time. Using this on our example gives us
What is going on here: the combined failure rate is higher than the a priori one? The expected number of failures in 400,000 hours with an a priori MTTF of 1 million hours is 0.4, clearly less than 1, and we had one failure. So the estimate is sound. SINTEF’s methodology will give you lots more details, including credibility intervals for the Bayesian updates.
So, now to the test intervals: if the new combined failure rate is accepted, we should probably test more often, right? It depends. SINTEF argues that it is important to be conservative when updating test intervals, to make sure insufficient data do not lead us astray. They propose the following simple rule:
If the new failure rate is less than half of the original failure rate, and the upper 90% confidence bound on the new failure rate is lower than the a priori failure rate, the test interval can be doubled.
If the failure rate is more than double the original failure rate, and the lower 90% confidence bound on the new failure rate is higher than the a priori failure rate, the test interval can be halved (e.g. from one year to every 6 months).
This means that in our case – the test interval stays the way it is.
A few days ago I asked my followers on Twitter whether they used two-factor authentication on Twitter, or whether they knew what two-factor authentication was in the first place. The result was that almost no one is using it. Most accounts that are hacked are hacked because users are careless: they use terrible passwords, and they use the same password on every site where they have an account. This means that whenever some news site with terrible security is hacked, the attacker has access to more or less all of these users’ accounts, including e-mail, social media and their favorite online stockbroker. This is admittedly bad.
Two-factor authentication comes to the rescue: with it, you cannot log in simply because you have the username and the password. You also need a second factor, like an app on your phone, a confirmation SMS sent to you, or a code-generator device. If the attacker does not have access to this second factor, he or she cannot take over your account. That is, at least, the design intent.
So, how can an attacker bypass the need for the second factor, or get hold of your password in the first place without a leak? With a good old phishing attack. Set up a web page that looks like the one you want to log in to, trick you into visiting the fake site and entering your login data, and then use these to access the real page. This process is illustrated below.
First, you need to trick the user into visiting your fake login page, typically by sending some form of e-mail asking them to log in and update something. The user submits username and password in the fake view, which you forward to the real site in order to trigger the second-factor code. The real site, believing it is communicating directly with the legitimate user, sends the confirmation code to the user’s cell phone. The user then submits this code through your fake login view. Now you, as the attacker, have the confirmation code and can take over the account. The catch for the attacker is timing: the code has to be replayed before it expires (typically 30 seconds for app-generated codes, a few minutes for SMS codes), which is why this is done as a live relay rather than by collecting codes for later. Depending on the type of site you can execute actions, or at least gain insight into the user’s personal data. For very poorly secured financial applications you can even steal the user’s money.
Of course, this is much more complicated to pull off than simply stealing a username and password, or brute-forcing a weak password, so two-factor authentication makes a lot of sense. But like all barriers you put in place in risk management, it is not a magic pill solving all headaches. You still need to keep your guard up: don’t fall for phishing scams, don’t use the same password on multiple sites, use strong passwords and keep up to date on the security features of the sites that are critical to you. Sites like Facebook and Google’s products can e-mail or text you whenever there is a new login, with location and type of computer/browser. This is a very good extra layer of security.
To sum it up: use two-factor authentication, but also don’t forget to follow other common good security practices.
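The relay described above, simulated end to end, plus the contrast that explains why it works: a one-time code is not tied to the page it was typed into, whereas an origin-bound second factor (the WebAuthn/FIDO2 design) is. This is an added example written for this post, not the author’s code. Everything in it is constructed: the user, the password, the secrets and the two origins. The TOTP routine follows RFC 6238 with HMAC-SHA1; the origin-bound factor uses an HMAC with a key shared between authenticator and site as an offline stand-in for the asymmetric signature a real authenticator would produce.

```python
"""Real-time phishing relay against a one-time code, and an origin-bound factor it cannot relay.
Added example; all names, secrets and origins are constructed."""
import hashlib
import hmac
import os
import struct

REAL_ORIGIN = "https://bank.example"      # assumption: the legitimate site
FAKE_ORIGIN = "https://bank-example.net"  # assumption: the phisher's look-alike

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1) for the window containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class RealSite:
    def __init__(self, users):
        self.users = users            # name -> {"pw", "totp_secret", "auth_key"}
        self.pending = set()          # challenges issued but not yet consumed

    def _password_ok(self, name, password):
        u = self.users.get(name)
        return u if u and hmac.compare_digest(u["pw"], password) else None

    def login_otp(self, name, password, code, now):
        """Password + phone code: the scheme the post describes."""
        u = self._password_ok(name, password)
        if u and hmac.compare_digest(totp(u["totp_secret"], now), code):
            return f"session-for-{name}"
        return None

    def challenge(self):
        c = os.urandom(16)
        self.pending.add(c)
        return c

    def login_bound(self, name, password, challenge, signature):
        """Password + signature over (challenge, origin); the site checks against ITS OWN origin."""
        u = self._password_ok(name, password)
        if not u or challenge not in self.pending:
            return None
        self.pending.discard(challenge)   # single use
        expected = hmac.new(u["auth_key"], challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
        return f"session-for-{name}" if hmac.compare_digest(expected, signature) else None

class Victim:
    def __init__(self, name, password, totp_secret, auth_key):
        self.name, self.password = name, password
        self.totp_secret, self.auth_key = totp_secret, auth_key

    def fill_login_form(self, now):
        """Types name, password and the current code into whatever page is in front of her."""
        return self.name, self.password, totp(self.totp_secret, now)

    def sign_challenge(self, challenge, page_origin):
        """The browser, not the user, feeds the origin of the asking page into the authenticator."""
        return hmac.new(self.auth_key, challenge + page_origin.encode(), hashlib.sha256).digest()

def relay_otp(site, victim, now):
    """Fake page collects name/password/code; phisher replays them within the code's window."""
    name, pw, code = victim.fill_login_form(now)       # entered on the fake page
    return site.login_otp(name, pw, code, now + 5)      # replayed 5 s later, same 30 s window

def relay_bound(site, victim):
    """Phisher fetches a real challenge and passes it through the fake page."""
    challenge = site.challenge()
    name, pw, _ = victim.fill_login_form(0)
    sig = victim.sign_challenge(challenge, FAKE_ORIGIN)  # signed for the page she is actually on
    return site.login_bound(name, pw, challenge, sig)

def run_demo():
    secret, key = b"constructed-totp-secret", b"constructed-authenticator-key"
    site = RealSite({"alice": {"pw": "hunter2", "totp_secret": secret, "auth_key": key}})
    alice = Victim("alice", "hunter2", secret, key)
    now = 1_700_000_010                                 # start of a 30 s TOTP window
    ch = site.challenge()
    return {
        "legit_otp": site.login_otp(*alice.fill_login_form(now), now) is not None,
        "relayed_otp": relay_otp(site, alice, now) is not None,
        "legit_bound": site.login_bound("alice", "hunter2", ch,
                                        alice.sign_challenge(ch, REAL_ORIGIN)) is not None,
        "relayed_bound": relay_bound(site, alice) is not None,
    }

if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns a session for both the legitimate OTP login and the relayed one: nothing in the code ties it to where it was typed, so the relay succeeds as long as it is faster than the code’s lifetime. The origin-bound login succeeds from the real page and fails from the fake one, because the signature covers the origin the browser saw, and the site verifies against its own origin. The user did nothing different in the two cases; the protection comes from the browser and the protocol, not from the user spotting the phish.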
REMA1000 did not use any form of authentication on their customer database used by a loyalty program. They claim that this is nothing to worry about. I disagree. Identity theft, blackmail and potential surveillance are threats worth worrying about.
REMA1000, a Norwegian discount store chain, recently released a new customer loyalty program they named ‘Æ’. The letter ‘Æ’ is also the local word for ‘I’ in the Norwegian dialect in the area where Rema1000 is headquartered (Trondheim, the city where I live).
The Æ app promising you discounts. And previously it was exposing your data to the world.
The way the loyalty system works, is that you install an app on your smartphone, and register your debit card in the app. Whenever you make a purchase they will register what you have bought, and you are offered a 10% discount on the 10 items you spend the most money on, as well as on all vegetables and fruits. Sounds like a sweet deal, right?
The problem is only that the app was launched without requiring any form of authentication between the app and the backend database. This is reported by the Norwegian newspaper Aftenposten.no today. The vulnerability would allow anyone to download customer data from their database, down to each item purchased, as well as key customer data such as phone numbers and partial credit card numbers. The vulnerability was discovered by infosec professional Hallvared Nygård, who spoke to Stavanger Aftenblad (another Norwegian newspaper) about the issue.
In a comment to Aftenposten, Rema1000 claims that they “take the situation seriously”, and accuses the security researcher of having obtained access to the information in an illegal way. They say customers have no reason to worry about the security of the data they leave with the stores.
This attitude shows a lack of understanding of security risks on REMA1000’s part. First of all, a backend that hands out customer records to any caller without authentication is close to inexcusable. It would be discovered by the most basic security test of the app. Requiring the caller to authenticate, and checking that the authenticated caller is allowed to see the particular record requested, before handing out anything from the database is the core concept of web application security and should be taught in any introduction to secure development at your nearest university. Even more worrisome is perhaps that REMA1000 claims customers have nothing to worry about. Identity theft, blackmail and surveillance are pretty serious things to worry about if you ask me. On top of this, REMA1000 is seemingly looking to blame the security researcher for reporting the vulnerability.
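To make the missing check concrete, here is a minimal customer-record endpoint in Python, first in the unauthenticated shape the article describes and then with authentication plus a per-customer authorization check in front of it. This is an added example prompted by the story; it is not REMA1000’s code and assumes nothing about their actual API. The records, the server key and the token format (HMAC-SHA256 over a small JSON claims blob) are constructed for the example.

```python
"""Authentication and per-customer authorization in front of a record endpoint (added example).
CUSTOMERS, SERVER_KEY and the token format are constructed; nothing here is REMA1000's."""
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-server-key-keep-this-server-side"

CUSTOMERS = {   # constructed records, shaped like what the article says was exposed
    "c1001": {"phone": "+47 900 00 001", "card_last4": "1234", "items": ["milk", "bread"]},
    "c1002": {"phone": "+47 900 00 002", "card_last4": "9876", "items": ["coffee"]},
}

def issue_token(customer_id, now, ttl=3600):
    """Bearer token = hex(claims) '.' HMAC(claims); issued once the app user has logged in."""
    claims = json.dumps({"sub": customer_id, "exp": now + ttl}, separators=(",", ":")).encode()
    return claims.hex() + "." + hmac.new(SERVER_KEY, claims, hashlib.sha256).hexdigest()

def verify_token(token, now):
    """Return the customer id the token speaks for, or None if malformed, forged or expired."""
    try:
        claims_hex, tag = token.split(".", 1)
        claims = bytes.fromhex(claims_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(SERVER_KEY, claims, hashlib.sha256).hexdigest(), tag):
        return None
    parsed = json.loads(claims)
    return parsed["sub"] if parsed.get("exp", 0) > now else None

def get_customer_unauthenticated(customer_id, headers=None):
    """The shape of the problem: whoever asks, for whatever id, gets the record."""
    rec = CUSTOMERS.get(customer_id)
    return (200, rec) if rec else (404, None)

def get_customer(customer_id, headers, now):
    """Authenticate the caller, then check the caller may see *this* customer's record."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)
    subject = verify_token(auth[len("Bearer "):], now)
    if subject is None:
        return (401, None)
    if subject != customer_id:
        return (404, None)   # not 403: don't confirm to a probing caller that the id exists
    rec = CUSTOMERS.get(customer_id)
    return (200, rec) if rec else (404, None)

if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("c1001", now)
    print(get_customer_unauthenticated("c1002"))
    print(get_customer("c1002", {}, now))
    print(get_customer("c1001", {"Authorization": "Bearer " + token}, now))
    print(get_customer("c1002", {"Authorization": "Bearer " + token}, now))
```

The second check is the one that is easy to forget even once login exists: a valid token for one customer must not unlock another customer’s record just because the id in the URL was changed. The mismatch case returns 404 rather than 403 so that an attacker iterating over ids learns nothing about which ones exist.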