Information Security Plans: A Psychology-based Approach (part 3 of 3) - Error Planning & Reduction

(This is part 3 of a 3-part series)

Error Planning and Handling

Irrespective of the time and effort expended creating and implementing a security plan, there is a universal truth to which all security professionals must acquiesce: an organization consists of people, and people make mistakes. While an effective plan can reduce the likelihood of many errors and inhibit the situations that lead to them, errors are an unfortunate reality for even the most successful organizations, touching all areas of day-to-day business – and the area of information security is no exception. Thus it is imperative for organizations, and particularly managers, to understand the different types of errors and the common causes of each in order to put in place contingencies to handle them with the least possible damage to sensitive business information.

Types of Errors

The three basic error types that management should be aware of are generally categorized as “skill-based”, “rule-based” and “knowledge-based”. Characteristics of these types, and suggestions for effective measures to reduce their occurrence with regard to a security plan, are outlined below.

  1. Skill-based errors
  • Employee intention is correct; that is, the failure lies in attention to detail while the security rules are being executed
    • Mitigation:
      • Frequent and consistent reinforcement of security policy, e.g.
        • Meetings
        • Training
        • Email reminders
  2. Rule-based errors
  • Employee intention is correct but the security rules are misinterpreted
    • Mitigation:
      • Provide proper, up-to-date employee training on the security protocols
      • Clearly identify disaster scenarios and the associated steps to be followed in the event of a security issue
  3. Knowledge-based errors
  • Result from an inaccurate or incomplete understanding of the security threats inherent in the computer systems employees use for day-to-day business activities, possibly compounded by overconfidence in their own ability
    • Mitigation:
      • Verify that employees fully understand the vulnerabilities in the systems they use
      • Explain the risks of specific software/hardware
      • Ensure employees are familiar with the warning signs of possible security issues

Moreover, there is a measurable link between an employee’s familiarity with a particular task in a security plan, the attention paid to that task, and its successful execution. Employees at all levels of task attention and familiarity are vulnerable to security errors, so the ultimate responsibility for anticipating these errors – and the associated contingency planning – falls squarely on the shoulders of management.

Systemic Methods of Error Reduction

In addition to the steps outlined above, organizations should perform routine analyses of the security plan in order to uncover any deficiencies. It is a common tendency for employees to fall victim to the same errors again and again, so identifying these recurring errors can help the organization develop enhanced measures to avoid these traps. Another highly effective technique for contingency preparation is to run simulations of security issues and monitor the employee response. This involves periodically practicing disaster scenarios based on historical breaches or newly discovered industry threats to determine the reliability of an established security plan.

One of the chief duties of management is to ensure the successful protection of organizational information. This can be accomplished only through the use of an effective security plan – which takes into consideration employee behaviors – to accomplish the following objectives:

  1. Minimize exposure to risk
  2. Maximize employee adherence
  3. Promote the ability to recover from errors in a manner most conducive to preserving the integrity of critical data

Using security plan deployment methodologies such as those described above and in the previous posts – i.e. a methodology based on psychological models of known employee behaviors with regard to risk perception, motivation and errors – is the only way to truly enhance employee compliance and thus improve your organization’s risk posture.


About the Author: Gary Braglia

Gary Braglia is a Security Specialist at GreyCastle Security with over 10 years of experience as an IT professional. Gary began his career as an application developer with the NYS Office of Information Technology Services (ITS), is a graduate of SUNY Albany with a Master’s degree in Information Science (M.S.I.S.) and the owner of industry-recognized certifications including Tenable Certified Network Auditor (TCNA) and CompTIA Security+.

At GreyCastle, Gary consults with clients in a wide range of security domains, including penetration testing, vulnerability assessments, security assessments, network security, application security and policy development.