[BreachExchange] Building a positive security culture

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 9 21:00:39 EDT 2018


http://www.bcs.org/content/conWebDoc/59334


‘That’s funny’, Pip muttered quietly, rising from his chair as it wheeled
slowly backwards behind him. ‘This attachment said it needs macros to
display properly, but enabling them didn’t seem to change anything’, he
remarked in bemusement to his colleague sitting across the desk. Without
looking up from her own screen a disinterested reply came back from
Estella, ‘sounds a bit funny, just report it to the service desk and ignore
it.’

You could probably picture a number of ways that this scenario could unfold
and may even have encountered a similar situation yourself. However, would
you consider this a demonstration of human weakness or human strength?

With the General Data Protection Regulation (GDPR) introducing requirements
for reporting data breaches within 72 hours of their discovery, it is more
important than ever to develop a positive security culture in which the
reporting of suspicious activity is encouraged, easy and escalated
appropriately.

Enter the Pygmalion

In Metamorphoses, the Roman poet Ovid recounts the legend of the Cypriot
sculptor, Pygmalion, who carved a statue so beautiful that he fell in love
with it, and inspired the gods to bring her to life. His name is given to
the psychological effect that people tend to behave the way that others
expect them to.

The Pygmalion effect has great significance when planning your information
security awareness campaign, and when communicating about information
security matters more generally. Whether you expect the best or the worst
from people, you’ll be right.

Making employees aware of information security threats and risks, of why
avoiding them matters to the ongoing success of the organisation, and of
what they can do to protect against them will encourage more secure
behaviour from the very people who are often assumed to be (and told that
they are) the weakest link.

Goodbye to the weakest link

In the opening example, Estella recognised that the attachment was
suspicious, and this was quickly reported. This shows excellent security
awareness that should be applauded! A potential security incident can be
quickly assessed and contained.

By contrast, continual reference to human weakness and to humans as the
weakest link sets the expectation that humans are doomed to fail and can
do very little to help the situation. Human error will never be entirely
eliminated, and it is important to recognise and plan for this.

A recent report by the SANS Institute is vociferous in calling out the
Pygmalion effect, imploring the security community to ‘stop blaming
employees as the security problem’ and instead to seek to understand the
root causes in failing to change human behaviour and address those issues.
How can we bring about such a gestalt shift in perception?

Human after all

Put yourself in Pip’s place. What goes through your mind as you realise
that perhaps opening that attachment was not the best idea?

What’s going to happen?
Am I going to get into trouble?
Will anyone know it was me?

Humans are prone to negativity bias and will be more likely to focus on
unpleasant circumstances such as the questions above. Be aware of this
human weakness and address it by providing answers to these natural
concerns.

The culture of an organisation, and in particular the security culture,
will greatly influence how a human in that organisation will react in the
face of an incident. Is the security function seen as a prosecutor making
accusations of wrongdoing or a paramedic on hand to help? Who would you
rather turn to?

Ten million incentives

The GDPR sets out requirements for data controllers to notify personal data
breaches to their supervisory authority (for the UK this is the Information
Commissioner’s Office, ICO) without undue delay, and where feasible, not
later than 72 hours after having become aware of the breach. For many
organisations and industries breach notification will be a new requirement.

The ICO’s communications on this topic reinforce the positive expectations
approach: data breach reporting is not about punishing organisations, and
will not halt criminal activity, but will help to raise the level of
security and privacy protections across the board.

Failure to meet the various requirements pertaining to personal data breach
notification could lead to a maximum penalty of €10 million or two per cent
of the organisation’s total worldwide annual turnover, whichever is higher.
The ICO has clarified that fines will be proportionate and not issued in
the case of every infringement. However, the threat of this penalty still
serves as a powerful incentive.

Bringing the statue to life

So, how can taking a positive approach help to meet the GDPR data breach
response requirements? Making clear positive expectations will help people
to understand the actions to take when detecting or responding to a
potential incident.

Make clear the types of things that should be reported as security
incidents, and describe them in language that everyone can understand and
put into context. ‘Sending a customer’s records to the wrong person’ is much
clearer to someone who works day-to-day with customer records than the
security lens of ‘accidentally or deliberately causing a breach of
confidentiality.’

Within a GDPR notification, the controller needs to provide details of the
categories of data and the approximate number of data subjects whose data
have been breached as well as the likely consequences of the breach.
Measures taken to address the breach must also be shared.

An employee reporting a potential security incident should be seen as a
positive event that accelerates the organisation’s ability to resolve it.
‘Tell it all, tell it fast, tell the truth’ offers the ICO. Make it easy to
report suspicions, and easy for people to know how and what to report so
that the incident investigator’s job is made easier.

If employees are unclear on the consequences of reporting, negativity bias
may creep in and they may elect not to report, or to delay reporting. Make
it clear that employees will not be blamed or punished for making genuine
mistakes and that it is far better to report something so that it can be
fixed. Set this positive expectation and handle malicious or grossly
negligent cases as a minority exception.

Consider also suppliers, partners and other data processors working on your
behalf. If they are worried about contractual wranglings in the event of a
data breach, you may not be notified promptly.

Personal data breaches only need to be notified under GDPR if it is likely
that the breach will result in a risk to people’s rights and freedoms. If
this risk is high, then the affected data subjects also need to be
notified, unless appropriate controls are in place to mitigate this risk.

Data privacy impact assessments will help to assess this risk. Further
context can also be taken from the incident reporter (if the right
questions are asked) who may well know the specific detail of data that has
been breached and can help to narrow the scope of an investigation.

Turn human weaknesses to strengths

Mistakes are going to happen. Hackers are going to hack. Acknowledge and
anticipate this by setting great expectations of the humans in your
organisations. You may well be surprised at who your benefactors are when
it comes to data breach response.