Archive for March, 2009

Apologies for taking so long to bring you Part Three of this series.  Like everyone else, I have had everyday life and client demands creep into the time I usually like to spend researching and writing my blog posts.  Let me begin with a brief review of the previous two posts.

In Part One of this series we looked at the concept of power within the workplace and how it relates to an organization’s corporate culture.  Part Two continued this theme by examining some psychology and social science concepts.  In this post we build further concepts on the foundation we have already laid.  Part Four will put it all together and discuss how these concepts can be put into practice to foster a risk-aware organizational culture and thus improve information security.

Practical Application

Understanding the fundamental principles and processes of social cognition can assist us in navigating the political process within our organizations.

There are four processes of social cognition:

· Cognitive Architecture;
· Automaticity and Control;
· Motivated Reasoning; and
· Accessibility, Frames, and Expectations.

Bear with me while I build some key concepts on the foundations we have already built.

Cognitive Architecture

An individual’s view of the world is a constructive process based on abstract concepts learned from early childhood.  This early development is based on experience.  An individual’s understanding of an abstract concept (such as risk) is reinforced through interaction with the world around them.  Positive and negative feedback work together to solidify the abstract concept.  An example of this is the concept of sharing.

Watch children playing and you can see this in action.  Typically one child decides that they want to play with a toy that another child is playing with.  When they try to take that toy, an altercation occurs.  At this point an adult steps in and instructs the children to share.  If they do, the adult leaves them to play; if they do not, the child who doesn’t share typically experiences some sort of negative consequence.  As the children age and have more and more of these experiences, they learn that by sharing they receive positive feedback and by not sharing they receive negative feedback.  (Granted, some children learn this better than others.)  We can leverage this concept by striving to reward appropriate information security-related behavior and to disincentivize inappropriate behavior.

Automaticity and Control

Automatic processes are those which:

· Are highly efficient,
· Feel effortless,
· Require no intention to operate, and/or
· Occur outside the conscious awareness of the individual.

Controlled processes are those which:

· Can be interrupted,
· Feel effortful,
· Require an intention to operate, and/or
· Occur with conscious awareness.

These processes are presented jointly and suggest that certain information is processed automatically, whereas other information is processed only if the individual is motivated to consider it carefully.

Now consider this.  When we learn a new skill we must put conscious effort into practicing it.  Let’s take the game of golf as an example.  Now, I don’t play golf, mostly because I just don’t have the time to devote to the game, but I have taken lessons.  I know from experience that the more I practice my swing, the better I get.  When I talk with friends who are very good golfers, they tell me that they don’t think much about their swing anymore.  When pressed they admit that they do concentrate on certain aspects of their swing, such as club placement and the amount of backswing they use for a particular shot, but if they already have a sound swing they don’t think much about its basics.  If you think about other sports you will find similar circumstances.  Skills that are learned transfer from controlled processes to automatic processes.

Automaticity and control are the perfect explanation for the dichotomy that we see in many organizations today.  If asked, the vast majority of users in any environment will probably be able to relay to you the basics of information security, such as using strong passwords, not opening email attachments, and not sharing their account information with others.  Why is it, then, that these very same users often do not practice what they know?  It is because for most people information security is still a controlled process rather than an automatic process.

Motivated Reasoning

Building upon the previous concepts is the concept of motivated reasoning.  Motivated reasoning describes a pattern of behavior by which individuals take actions that they perceive to be “self-enhancing.”  It isn’t really surprising that individuals would be motivated by those things that enhance their own self-image.  This seems to contradict the view that cognitive processes are designed to represent the world accurately.  Apparently, when it comes to the self, individuals want their view of themselves to be positive.

Accessibility, Frames, and Expectations

In its simplest form, accessibility is the linking of abstract concepts, where one concept activates (or provides access to) another, which in turn activates another, and so on.  This linkage of concepts forms a framework of connected concepts and their associated behavior.  Looking back over what we have learned, we can see that these concepts and behaviors are further interpreted by the individual based upon the context in which they take place.  This explains why the same behavior can be construed as having another meaning when seen in a different context.  Since humans have the ability to recall events, context leads to expectation: a similar event in the same context leads to an expectation as to what is going to happen and how the individual will interpret it.

With context playing such a role in the interpretation of concepts (and the resulting behavior), studies have shown that the inverse is also true.  Expectation can serve to prime behavior.

Part Four of this series will take this theory and show how it can be applied within any organization to foster a risk-aware organizational culture and improve the efficiency of all information security activities.


Every now and then you run across a blog post that is just extraordinary.  One such post is Andy Willingham’s A Skeet Shooters Guide to Information Security.  In it Andy (aka Andy the IT Guy) makes an analogy between a round of sporting clays (a variation of Skeet Shooting) and information security.  I won’t spoil the effect by giving anything else away.  If you have a moment and don’t already read Andy’s blog, check it out. 


I wanted to let everyone know about two upcoming classes that I recommend. 

The first one is on the 30th and 31st of March 2009 (that’s next week) and is a Certification and Accreditation (C&A) Training workshop.  I am teaching it, and it covers an approach to C&A that will make it relevant and a valuable risk decision tool rather than a simple compliance exercise.  If you work for or support the federal government, why not get some use out of something that you have to do anyway?  We’ve been putting this class on for over 5 years now and have been fortunate enough to have it consistently rated as EXCELLENT by the students over that time.  We constantly update the material and try to make what can be a pretty dry topic interesting.  You can find out more information and sign up at: The Potomac Forum C&A Training Workshop.

The second is on Continuity of Operations (COOP) and Emergency Planning in the Government.  If you’re in the federal government or supporting the federal government and will be participating in the June National Level Exercise (NLE-09), then this is a training course that you will want to be at.  It will be held on April 21st and 22nd 2009 at the Willard InterContinental Hotel in Washington D.C.  It is being presented by Richard Gillies, CBCP, and Joe Douglas, ABCP, both friends of mine.  Rich is the Director of the Unisys Continuity of Operations and Continuity of Government Program within the Unisys Federal Enterprise Security Group.  He has over 25 years of experience to share, including both government and commercial experience.  Rich has supported the Department of Homeland Security (DHS), U.S. Customs and Border Protection (CBP), and the AT&T Broadband Business Continuity and Disaster Recovery effort (where he coordinated response strategies used in New York City during the September 11th attacks), and served in the United States Coast Guard.  Joe Douglas is the Director of the Unisys Continuity of Operations Tactical Programs and has executed continuity efforts for CBP, the U.S. Coast Guard, and the Department of Justice.  He has served as a trusted agent in both Forward Challenge 04 and 06 and has been instrumental in Sensitive Compartmented Information Facility (SCIF) outfitting and accreditation.  He has also served as an officer in the United States Coast Guard.  You can find out more information and sign up at: The Potomac Forum COOP and Emergency Planning in the Government Environment – Training Workshop IV.

Drop me a line and let me know if anyone out there will be attending either of these training events.  I’m trying to clear my schedule to attend the COOP training and of course I’m teaching the C&A course next week.  I’d love to try and connect with you if you are in DC for these events.  See you there. 


Okay, things have settled down a bit here and I have time to breathe.  That means that I have to go back through all of those news articles and blog posts that I wanted to comment on but just didn’t have the time for.  I do try to read a lot of news as it comes out, as well as other blogs, but just like everyone else there is only so much time in the day.  What I do try to do every day is scan the headlines and blog aggregator listings for articles that I can come back to.  In the past few weeks two such listings caught my attention enough to warrant coming back to them.  The first was about how the healthcare industry was releasing its own “common security framework.”  The second was an article by Matt Hines over at eWeek Security Watch entitled PCI Chiefs Defend Standard(s), Plans.

Let’s start with the healthcare industry.  At the beginning of the month (March 2nd 2009) the Health Information Trust Alliance (HITRUST) announced the release of their Common Security Framework (CSF).  This framework is reported to be a control framework developed for the healthcare industry.  HITRUST (according to their press release of 12/5/2007) is “a private, independent company … created to establish a common security framework that will allow for more effective and secure access, storage and exchange of personal health information.”  Expanding further, the press release indicates that “major organizations from across the healthcare and employer spectrum have united to participate in the development of the first ever common security framework for the protection of health information.”

When I went to their website to find out more about the framework, I found that I couldn’t access it unless I was willing to pay their $1,800 subscription fee.  They did have a sample of their Security Implementation Manual.  I looked this over, read the accompanying brochure, and came to the conclusion that this was basically ISO 27002 rehashed with some cross-references to other pertinent regulations.  In other words, this is the healthcare industry’s answer to PCI.

The second article is about the PCI chiefs defending PCI DSS.  I’ll let you read the article, but I’ll pull some selected quotes for effect (and I’ll try to retain their original context).

“…it’s hard to argue with PCI Security Standards Council General Manager Bob Russo’s assertion that when it comes to improving electronic data security and related matters of individual privacy, “something is much better than nothing.””

“they (the PCI Council) firmly recognized the reality that no standard is perfect and that DSS as it exists is only a first step in a long evolutionary process.”

“No standard is ever going to completely stop what we’re seeing right now with cyber-crime, but the reaction we’ve seen to PCI after some of these incidents like Heartland has been absolutely unfair, because we don’t even know if they were compliant,” Russo said.

“You can sit there and look at it from one side and say, you have this standard but these incidents have still happened, and that proves something isn’t working,” Russo said. “But what you don’t know at the same time is, If we didn’t have DSS as it stands in place, how many more of these incidents might we have had?”

(I think that gives you the general gist of it – at least for the points that I’d like to address.)

I’m sitting here resisting the urge to respond to each of these quotes.  While I could, I think it would derail the point that I really want to make.  That point is that everyone is missing the point – security is not about compliance.  Security is about making realistic risk-based decisions on how information is protected.  Standards and regulations are merely waypoints that must be passed along the way.  Security is a journey, not a destination.  The problem that I see is that everyone wants to approach compliance as a task; once it is accomplished, they move on to other things.

Think about it this way.  Standards and regulations, like PCI, the HITRUST CSF, HIPAA, FISMA, etc., only get you to the minimal passing grade when it comes to security.  On the traditional U.S. A-F grading scale that grade would be a “C.”  If you aren’t compliant then you have either a “D” or an “F” (when I was on my way up they didn’t have “E”).  If you move past compliance and on to really addressing risks, then you can get a higher grade.  Here is the kicker – no one can get a perfect score.  Why?  Because there is no truly 100% secure system.  (If you want to argue that point then add a comment or send me an email.  We can argue in a separate post.)

No matter how well intentioned these industry standards and government regulations are, they cannot force a real change in behavior if they are treated as “something else we need to comply with before we can focus on business.”  Corporations need to realize that they are still vulnerable to data breaches and security incidents even after they achieve compliance.  The more they address risk, the less vulnerable they will be, and they, and the public, must come to grips with the fact that there will always be some level of risk.

Are standards and regulations useful?  I have to grudgingly say that yes, they are, but they will never be the panacea or silver bullet that is being sought.  They are useful as waypoints or mile-posts along the road of our journey, but they are not, nor should they be, our destination.  The only way to truly come as close as possible to a 100% secure system is to foster a risk-aware culture within your environment.  And as that opens another can of worms, I’ll leave it for another day.


For those of you who are either working for or supporting the U.S. Federal Government, I wanted to let you know that I’m teaching a seminar/workshop on the FISMA Certification and Accreditation process at the end of this month (30-31 March).  This is an overview of the entire process with a lot of lessons learned.  Anyone can read the NIST documents so what we teach is an approach to the process that will make it relevant in your environment as opposed to some checklist/massive documentation approach.    What it is not is a typical vendor seminar – you won’t get any sales pitch and we don’t push any products.   

We are delighted to have several government speakers at this two day event as well.  Marianne Swanson from the Computer Security Division of NIST will be our keynote speaker on the morning of the first day.  We will also have a panel of government experts to share their experience in making C&A relevant.  They will be Tim Ruland – CISO of the U.S. Census Bureau, Porter Davis – Information Security Officer with the Department of Housing and Urban Development (HUD), and Paul Rickets – Senior Information Security Officer, Nuclear Regulatory Commission (NRC). 

All of this will be taking place, as I said, on the 30th and 31st of March 2009 at the beautiful Willard InterContinental Hotel in Washington DC.  The event is being put on by the Potomac Forum, Ltd., a non-profit educational organization founded in 1982.  The team of individuals who put this on with me has a pretty wide base of experience, and we try to instill the lessons we’ve learned over the years in what we teach.  This is very much a team event where everyone contributes material and instruction.  We have been honored to keep getting asked back to teach this seminar.  It’s been over 5 years now.

Anyway if it is something you’re interested in, you can find out more at the Potomac Forum website. 
