
  The Honey Stick Project - Measuring risk decisions
Humans FAIL 58% of the time - My measurement of simulated real risk decisions tells the sad story...

Tuesday, February 10th 2009 @ 12:00 AM

The numbers are astonishing! Business executives in every industry should be very concerned about the implications of these statistics. If you're not actively trying to protect your business processes and systems by educating staff about these risks, you are playing Russian roulette with your operations and probably your career.

The Statistics to Date

After deploying 48 USB Flash Drives that safely simulate one of the most dangerous information security threats, 28 have so far been used in a way that shows poor judgement by the people who found them. That's a 58 percent failure rate.

Even after the Downadup worm was identified as having infected at least 1 in 9 Windows computers around the world in late 2008 - with the potential to capture passwords and attack other computers - people are still oblivious to these risks. Since the Downadup virus became public, I have deployed 10 devices, and at least 6 of them have been used.

Am I Putting a Bias Into These Measurements? I Don't Think So.

Even though I try to be very careful not to "put devices in people's hands", it doesn't seem to matter. The typical locations where I place devices are office elevators, public hallways, stairwells, parking garages and public sidewalks (when the weather is good). I often fear that I've put devices in places where they will never be found, or will get swept up, or thrown away. So, I'm actually surprised the numbers are so high.

In fact, if you follow the global news stories on data breaches, the bad news is escalating daily. I can hardly keep up with stories from The Breach Blog and SC Magazine's Breach Blog. The news is just as bad from these sources.

Why are people so unaware of risks? ...and what can we do about this complete state of ignorance about information security risks?

My view on why the level of awareness is so poor is that managers still think The Best Defense is a Good Offence - in other words, "If we can just get More revenues, we can compensate for losses due to security breaches". I don't think this is a viable business philosophy now, if it ever was. The reason is that business is much more complicated than any organized game where that philosophy can work.

I'm doing what I can to change the status quo of awareness by publishing these blogs and podcasts, and developing some other innovative tools and a new type of security awareness training course. I also offer free Honey Stick Trials for people to run their own safe tests. How well would your staff do in similar situations?

Do you have any ideas on what the causes might be, and what we can do to improve awareness among the general public about how to avoid these risks? Improved technology safeguards can certainly help in some areas, but I think we will always depend on human risk decisions.

What do you think?

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

Comments

ScottWright (Group Administrator) said on Saturday, February 14th 2009 @ 8:01 AM:

OK, I have another theory on why there is such a big disconnect.  In the book "Made to Stick" by Chip and Dan Heath, they reference some research that is easy to demonstrate.  The research shows that once you have information about something - anything at all - it's very hard to imagine what it is like to "not have that information".

For example, once you know what it's like to be stopped by a police officer for a traffic infraction, or any other reason, it's pretty hard to imagine how somebody who has never been stopped by police might expect the situation to unfold. They can't possibly imagine the nervousness, loss of memory as to where the ownership and insurance papers are, etc.

So, here's a demonstration they use in "Made to Stick", which you can also replicate. Show somebody a list of nursery rhyme songs that most people know. Ask them to estimate what percentage of the time they could correctly name the song by only hearing its "clapped rhythm".

The research shows that people estimate they will be correct in a very high percentage of the cases (I think it was about 80%), when in fact, they were only correct about 20% of the time.

If you don't know the name of the actual tune that's being clapped to start with, it's quite challenging. But if you know the name, it seems blatantly obvious when it is clapped.

So, my application of this theory is that IT staff, Security and Risk Management Professionals who understand the technology and how it can be abused or compromised are completely unable to understand why non-technical individuals can not predict the outcome of a risky situation.

Therefore, when we tell non-technical people who have not been thinking about risk management that 58% of people pick up devices and put them into their computers, they say "So what?" They can't make the connection between a situation they can easily visualize - because USB devices are meant to be put into USB ports - and the consequences of having a virus take over control of their computer or network.

So, we have a big gap in understanding of the consequences of these types of risky situations. That's the gap we need to demonstrate and work to resolve.


ScottWright (Group Administrator) said on Saturday, February 14th 2009 @ 11:55 PM:

On behalf of Gary Hinson...

Hi Scott.

You've mentioned or hinted at a whole bunch of issues. Rather than try to tackle them all, I'll focus on just one for now: why is it that (some) people don't appreciate the risk of loading memory sticks? Here are ten possible answers:

1. They don't know there is a risk at all. They have missed or ignored what little advice they may have been given on this, or they have never been told, at least not in terms they can actually understand. They are unaware, clueless even.

2. They know there is some sort of risk but don't appreciate how serious it is. They are miscalculating the risk.

3. They are literally incompetent to make what you and I would say are perfectly rational risk-based decisions with technology. They are one bit short of a byte.

4. They know there is some sort of risk but just don't care. They are careless, crazy, foolhardy, reckless or fans of extreme sports (take your pick).

5. The risk slips their mind. They once knew there was a risk but don't recall or consider it properly in the heat of the moment. They are simply forgetful.

6. They see a nice shiny toy and their desire to play with it exceeds their appreciation of the risk. They are greedy.

7. They understand the threat but not the vulnerabilities and/or impacts. They might even feel protected or invulnerable thanks to their belief that their technical "antivirus solutions" solve this problem. They are sadly mistaken.

8. They are kind people who just want to find out what is on the stick in order to return it. This desire overrides their appreciation of the risk. They are trying to be helpful.

9. They are not thinking, just acting autonomously or habitually - it's what you do with memory sticks, isn't it? They are on auto-pilot.

10. They are in full command of the facts but they have the wherewithal to minimize the risk. They have a test lab, virtual system or forensic setup with which to explore the stick. They are confident in their own abilities and able to deal with the risks. They are hackers.

So, even though we are looking at one very specific or narrow risky situation (installing potentially dangerous USB memory sticks), there are many possibilities. Widen your perspective to consider that infected USB sticks are just one of a huge range of potential information security risks, and they in turn are just one area of risks in general, and you see that while we could tackle this specific issue through a massive publicity campaign, training program, educational activities or whatever, not only would it not resolve all 10 categories above but it would detract from equally and often more important areas of education, training and awareness. In the grand scheme of things, memory sticks are nowhere near as important as, say, the risk of drunk driving.

Don't get me wrong, I fully support and appreciate the work you are doing to spread the word about the dangers of USB sticks but please don't be unrealistic in your expectations. You *are* helping to address the problem but none of us is capable of fully solving it.

Kind regards,
Gary Hinson

Passionately curious, curiously passionate
www.NoticeBored.com  Creative awareness materials
www.ISO27001security.com  ISO/IEC 27000 standards
www.isect.com/html/environmental_policy.html  Going green


ScottWright (Group Administrator) said on Sunday, February 15th 2009 @ 12:57 AM:

Thanks Gary. I appreciate you taking the time to make these detailed comments, and I have a lot of respect for all the great work you've done, especially in security awareness - many times more than what I've managed to scrape together. (See Gary's site at http://www.noticebored.com)

To clarify myself, I agree with most of your points, and I admit that my editorializing on the subject of awareness around memory sticks is glossing over a lot of the detail that most security professionals feel should be handled more thoroughly.

I also admit that the Honey Stick tests are only a rough proxy for measuring security awareness, although I believe the tests actually do measure real risk decisions, while capturing some people's interest. These risk decisions just happen to be influenced by any number of the factors you mention above.

I certainly agree with you that solving the USB device's awareness problem does not solve the more general security awareness problems. In fact, those many problems are what I'm hoping to give us all a chance to address, if I can get the attention of the wayward masses with this single issue.

While I understand the need for us to look at all angles in detail, I feel that if we don't start simplifying the initial message down to something that grabs the average non-technical, non-risk management person's attention long enough to engage their interest, they will turn off hours before we get to the larger group of lessons they need to learn from us. I know it's a different approach, but the gap is so great, I think it calls for this kind of radical departure.

Thanks for giving me the opportunity to clarify my intent. I'm sure I'll get blasted in The Security Catalyst Forums for being such a heretic. ;)