Module 3: Usability of Security and Privacy Policies
Azene Zenebe and Lola Staples
Usability of Security Policies: Overview
Module 3 introduces:
• Concepts of usability, security policies and their roles
• The need for usable security policy
• Challenges associated with usable security policies
• Technologies for managing usable security policy
Usability of Security Policies: Module 3 Outline
• Information Security Policies (Reviewed)
• Introduction
• Policy, Standard, Guideline and Procedure
• Elements of a Policy
• Types of Policies
• User Groups or Audiences of Security Policy
• Information Security Policy: Characteristics and Roles
Introduction
Security control measures include:
• Policy and law
• Technology
• Education, training and awareness programs
Introduction (Con't)
• A computer and information security policy:
  • provides the rules for the protection of the computer and information assets of an organization or business
  • is the cornerstone of any information security program of an organization
Introduction (Con't)
Protecting information assets requires securing the following:
• software
• hardware
• data/information/knowledge
• network
• people resources
Introduction (Con't)
• Employees and users are required to understand the rules and requirements specified in a policy and to comply with them.
• Network and security professionals need to implement the rules and requirements specified in a security policy.
Introduction (Con't)
• Security analysts, designers and programmers
  • need to work with security policies and
  • incorporate security requirements into software
• Each of these groups of users faces its own usability challenges with security policies.
Introduction (Con't)
• ISO 9241-11: "Usability refers to the extent to which a product can be used by specified users to achieve specific goals with effectiveness, efficiency and satisfaction in a specific context of use."
Introduction (Con't)
• Usability is not a single, one-dimensional property of a system; rather...
• Usability is a multi-dimensional concept.
Introduction: Usability Measures
Usability can be measured using the following combination of factors:
• Ease of learning
  • How fast can a user who has never seen the security system before learn to accomplish basic tasks?
• Efficiency of use
  • Once a user has learned to use the system, how fast can he or she accomplish tasks?
Introduction: Usability Measures (Con't)
• Memorability
  • If a user has used the system before, can they remember enough to use it effectively the next time, or do they have to start over and re-learn everything?
• Effectiveness
  • Quality or quantity of output or task completion
Introduction: Usability Measures (Con't)
• Error frequency and severity
  • How often do users make errors while using the system?
  • How serious are these errors?
  • How do users recover from these errors?
• Subjective satisfaction
  • How much does the user "like" using the system?
Information Security Policies: Reviewed
• An information security policy is defined as "a document that states how an organization plans to protect the organization's tangible and intangible information assets."
• This definition indicates that a policy contains rules that guide
  • how things should operate
  • how people should behave when using the organization's information systems and other information assets.
Policy, Standard, Guideline and Procedure
The SANS Institute describes the difference among the first three concepts as:
• "A policy is typically a document that outlines specific requirements or rules that must be met."
• "A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone."
• "A guideline is typically a collection of system-specific or procedural-specific 'suggestions' for best practice."
Elements of a Policy
• Statement of authority
• Policy headings
• Policy objectives
• Policy statement of purpose
• Policy audiences: for whom is the policy intended?
  • Employee groups based on:
    • job functions
    • roles, such as information system owners, custodians, and users
Elements of a Policy (Con't)
• Policy statements
• Enforcement clause
• Definition of terms
Example of a security policy template: http://www.sans.org/resources/policies/#template
Quick Quiz
• Explain the relationships among policy, guideline, standard and procedure.
• Policies are all around you: find one at your work or school.
• Which of the features of usability apply to a security policy?
Types of Policy: Enterprise
• A security policy is a type of policy that consists of a series of specific security documents; for example:
  • a password management policy
  • a firewall security policy
Types of Policies: NIST
• The National Institute of Standards and Technology (NIST) Publication 800-14 presents three types of policies as components of a complete information security policy:
  • Enterprise information security policies (EISP)
  • Issue-specific security policies (ISSP)
  • Systems-specific security policies (SSSP)
Types of Policies: EISP
• Enterprise Information Security Policies (EISP) are similar to the security policy of Ciampa; they:
  • outline the strategic direction and scope for all of an organization's security efforts
  • assign responsibilities for the various areas of information security. In addition...
• EISP also guides...
  • the development
  • implementation
  • and management requirements of the information security program
Types of Policies: EISP (Con't)
• EISP is a high-level statement that provides:
  • An overview of corporate philosophy on security
  • Information on the structure of the information security organization and the individuals that fulfill the information security role
  • Fully articulated responsibilities for security
Types of Policies: ISSP
• Issue-specific security policies (ISSP) relate to the Acceptable Use policy of Ciampa.
• An ISSP provides detailed and targeted guidelines and expectations about how the technology-based system in question should be used.
• Examples of ISSP are:
  • Password policy
  • Use of a company's electronic mail
  • Use of the Internet and World Wide Web
Types of Policies: SSSP
• A Systems-specific Security Policy (SSSP) states that we should "specify and detail standards or procedures to be used when configuring or maintaining systems."
• Examples include configuring:
  • access controls
  • firewall rules
  • IDS rules
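An SSSP is the one policy type that can be checked mechanically, because it is written against a concrete configuration. The following added example (not part of the original module or of any cited source) shows how a small, constructed system-specific standard for a firewall rule set can be encoded as a conformance check: the standard, the rule sets and the finding codes are all assumptions made up for illustration.

```python
import ipaddress

# Constructed system-specific standard (an assumption for this example):
#   1. The rule set must end with an explicit default deny from anywhere to any port.
#   2. No rule may allow any source to any port.
#   3. Management ports may only be allowed from the administrative subnet.
ADMIN_NET = ipaddress.ip_network("10.0.10.0/24")
MANAGEMENT_PORTS = {22, 3389}

# Constructed rule sets. Each rule is (action, source_cidr, destination_port)
# where destination_port is an integer or the string "any".
COMPLIANT_RULES = [
    ("allow", "10.0.10.0/24", 22),     # SSH only from the admin subnet
    ("allow", "0.0.0.0/0", 443),       # public HTTPS
    ("deny", "0.0.0.0/0", "any"),      # explicit default deny
]

NONCOMPLIANT_RULES = [
    ("allow", "0.0.0.0/0", 3389),      # RDP open to the world
    ("allow", "0.0.0.0/0", "any"),     # any/any allow
    ("allow", "10.0.0.0/8", 22),       # SSH from a range wider than ADMIN_NET
]                                      # and no trailing default deny


def is_default_deny(rule):
    """True if the rule denies every source address on every port."""
    action, src, port = rule
    return (action == "deny" and port == "any"
            and ipaddress.ip_network(src, strict=False).prefixlen == 0)


def check_ruleset(rules):
    """Return a list of (rule_number, finding_code, message) for every
    deviation from the constructed standard; an empty list means compliant.
    Rule numbers are 1-based; the default-deny finding is reported against
    the position just after the last rule."""
    findings = []

    if not rules or not is_default_deny(rules[-1]):
        findings.append((len(rules) + 1, "no-default-deny",
                         "rule set does not end with an explicit deny-all"))

    for number, (action, src, port) in enumerate(rules, start=1):
        if action != "allow":
            continue
        net = ipaddress.ip_network(src, strict=False)

        if port == "any" and net.prefixlen == 0:
            findings.append((number, "any-any-allow",
                             "allows every source to every port"))

        if port in MANAGEMENT_PORTS and not net.subnet_of(ADMIN_NET):
            findings.append((number, "mgmt-port-exposed",
                             f"port {port} allowed from {net}, outside {ADMIN_NET}"))

    return findings


if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT_RULES),
                        ("noncompliant", NONCOMPLIANT_RULES)):
        result = check_ruleset(rules)
        print(f"{name}: {len(result)} finding(s)")
        for number, code, message in result:
            print(f"  rule {number}: {code}: {message}")
```

Running the script reports no findings for the compliant set and four for the noncompliant one (two exposed management ports, one any/any allow, and the missing default deny). The point for this module is that a standard phrased this precisely is both easier for an administrator to apply and easier to enforce, two of the usability properties the later slides list.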
Users of Security Policy
• Users or audiences of a security policy could be:
  • A group of employees based upon their departments or units
  • A group of employees based upon roles, such as system security officer
  • Information system owners, custodians, and end users
User Groups by Types of Policies
Table 3-1: The relevance of security policies to the different groups of users
User Groups by Types of Policies
Table 3-1 (Continued)
User Groups by Types of Policies (Con't)
• Note that individuals often fall into more than one user group based upon their roles. For example, an individual may be
  • an end-user
  • a system administrator
  ...depending on the tasks and the types of information systems being accessed.
Information Security Policy Roles
Policy roles include:
• defining appropriate behavior for users
• providing the foundation for action in response to inappropriate behavior
• identifying needed tools and procedures
• communicating a consensus of judgment
Information Security Policy Characteristics
• A policy:
  • should never conflict with law
  • must be able to stand up in court, if challenged
  • must be properly supported and administered
Importance of Information Security Policies
Information security policies:
• Bring consistency to services, products and organizational culture
• Help with compliance with government regulations such as GLBA and HIPAA
• Lead to more secure networks, systems and applications
Effective Policy
• A security policy needs to take into account the following:
  • The audience or users
  • The tasks performed by the audience
  • The environment in which the audience operates
Effective Policy (Con't)
• A good policy should be:
  • relevant
  • readable and understandable
  • properly disseminated
  • agreed to
  • uniformly applied and enforceable
  • well styled and organized
Quiz
• Discuss the types of security policies.
• What are the roles of an information security policy?
• What are the characteristics of an effective information security policy?
Accessibility of Security Policy
• Policy accessibility: a policy does not matter unless it is accessible, that is:
  • easily found
  • readily available to end users
Accessibility of Security Policy (Con't)
• Policy accessibility questions include:
  • How easy is the policy to locate?
  • How easy is the policy to locate for users with physical or cognitive limitations?
Usability of Security Policy
• A policy is usable when it is easy to:
  • read and understand
  • remember
  • apply
  • enforce
• and when it helps to:
  • minimize errors
  • recover from errors
• Policy comprehension is best when the policy is written...
  • at a reasonable reading level
  • with minimal technical and managerial jargon
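"Reasonable reading level" and "minimal jargon" can be checked before a policy is published. The added example below (not from the original module) scores a policy excerpt with the Flesch-Kincaid grade-level formula and flags words from a jargon list; the two excerpts, the jargon list, the grade-8 ceiling and the syllable heuristic are all constructed assumptions for illustration, not values the module prescribes.

```python
import re

# Constructed policy excerpts (assumptions, not from any real organization).
PLAIN = ("Lock your screen when you leave your desk. "
         "Report lost badges the same day.")
JARGON = ("Personnel shall expeditiously operationalize multifactor authentication "
          "methodologies in accordance with organizational cryptographic "
          "key-management standards, notwithstanding contradictory departmental "
          "implementation guidance.")

# Constructed list of managerial/technical jargon to flag (an assumption).
JARGON_TERMS = {"operationalize", "methodologies", "notwithstanding",
                "expeditiously", "leverage", "synergize"}

# Constructed ceiling for the target audience (assumption): grade 8.
MAX_GRADE = 8.0


def sentences(text):
    """Split on terminal punctuation; ignore empty fragments."""
    return [s for s in re.split(r"[.!?]+", text) if s.strip()]


def words(text):
    """Alphabetic tokens; hyphenated compounds count as separate words."""
    return re.findall(r"[A-Za-z']+", text)


def count_syllables(word):
    """Heuristic: count vowel groups, drop one for a silent trailing 'e'
    (but not for '-le'), and never return less than one."""
    w = word.lower()
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def flesch_kincaid_grade(text):
    """US school grade needed to read the text comfortably."""
    w = words(text)
    s = sentences(text)
    if not w or not s:
        return 0.0
    syllables = sum(count_syllables(x) for x in w)
    return 0.39 * (len(w) / len(s)) + 11.8 * (syllables / len(w)) - 15.59


def jargon_found(text):
    """Jargon-list terms present in the text, lower-cased and sorted."""
    return sorted({x.lower() for x in words(text)} & JARGON_TERMS)


def assess(text):
    """Summarize readability; 'ok' requires both the grade ceiling and
    an empty jargon list, the two comprehension criteria on the slide."""
    grade = flesch_kincaid_grade(text)
    jargon = jargon_found(text)
    return {"grade": round(grade, 1), "jargon": jargon,
            "ok": grade <= MAX_GRADE and not jargon}


if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("jargon-laden", JARGON)):
        print(label, assess(text))
```

The plain excerpt scores around grade 1 with no flagged terms, while the jargon-laden one scores far above grade 12 and trips four jargon terms, so only the first would pass a policy-review gate built on these thresholds. Syllable counting by vowel groups is approximate, which is why the check is meant as a pre-publication screen and not as a substitute for reading the policy with its intended audience.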
Usable Security Policy: Challenges
• Based on a study by Jensen and Potts, and others:
  • users do not have the time or the inclination to read a lengthy policy
  • security and privacy policies are infrequently read
  • privacy policies are hard to read
  • policies do not support rational decision making
• Examples of reported incidents due to usability problems of security policy are:
  • The "Memogate" scandal
  • Maxion and Reeder
Usable Security Policy: Challenges (Con't)
• How to convey security policy information without overwhelming users
• How to overcome the great variation in policies from business to business, e.g.,
  • the language used in the policies
  • the issues that exist due to a lack of standards
Usable Security Policy: Challenges (Con't)
• Users find it difficult to compare and contrast policies across competing organizations and businesses.
• However, government policy standards are helping, e.g.,
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Children's Online Privacy Protection Act (COPPA)