Module 3: Usability of Security and Privacy Policies, by Azene Zenebe and Lola Staples (PowerPoint presentation)
  1. Module 3 Usability of Security and Privacy Policies, Azene Zenebe and Lola Staples

  2. Usability of Security Policies Overview Module 3 introduces: • Concepts of usability, security policies and their roles • The need for usable security policy • Challenges associated with usable security policies • Technologies for managing usable security and privacy policy

  3. Usability of Security Policies - Module 3 Outline • Information Security Policies – Reviewed • Introduction • Policy, Standard, Guideline and Procedure • Elements of a Policy • Types of Policies • User Groups or Audiences of Security Policy • Information Security Policy: Characteristics and Roles

  4. Usability of Security Policies - Module 3 Outline • The roles of information security policies • Effective policy • Accessibility and Usability of Security Policy • Policy Accessibility • Policy Usability • Usability Challenges • Usability of Privacy Policy • Technology for Usable Privacy Policy • Initiatives • Web Slide Examples

  5. Learning Objectives and Outcomes After completing this module you will be able to: • Describe the concepts and different types of security policies. • Describe the importance of usability for security policies. • Explain the needs for and challenges associated with creating usable security policies. • Describe the technologies available for creating usable security and privacy policies. • Assess a website’s privacy policy. • Create a usable privacy policy.

  6. Introduction Security control measures include: • Policy and law • Technology • Education, training and awareness programs

  7. Introduction (Con’t) • A computer and information security policy: • provides the rules for the protection of the computer and information assets of an organization or a business • is the cornerstone of any organization’s information security program

  8. Introduction (Con’t) Protecting information assets requires securing the following: • software • hardware • data, information and knowledge • networks • people resources

  9. Introduction (Con’t) • Employees and users are required to understand the rules and requirements specified in a policy and comply with them. • Network and security professionals need to implement the rules and requirements specified in a security policy.

  10. Introduction (Con’t) • Security analysts, designers and programmers • need to work with security policies and • incorporate security requirements into software. • Each of these groups of users faces its own usability challenges with security policies.

  11. Introduction (Con’t) • ISO 9241-11: “Usability refers to the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use.”

  12. Introduction (Con’t) • Usability is not a single, one-dimensional property of a system; rather… • Usability is a multi-dimensional concept.

  13. Introduction – Usability Measures Usability can be measured using the following combination of factors: • Ease of learning • How fast can a user who has never seen a security system before learn to accomplish basic tasks? • Efficiency of use • Once a user has learned to use the system, how fast can he or she accomplish tasks?

  14. Introduction – Usability Measures • Memorability • If a user has used the system before, can they remember enough to use it effectively the next time, or do they have to start over and re-learn everything? • Effectiveness • Quality or quantity of output or task completion

  15. Introduction – Usability Measures • Error frequency and severity • How often do users make errors while using the system? • How serious are these errors? • How do users recover from these errors? • Subjective satisfaction • How much does the user “like” using the system?

  16. Information Security Policies – Reviewed • An information security policy is defined as “a document that states how an organization plans to protect the organization’s tangible and intangible information assets.” • This definition indicates that a policy contains rules that guide • how things should operate • how people behave when using the organization’s information systems and other information assets.

  17. Policy, Standard, Guideline and Procedure The SANS Institute describes the difference among the first three concepts as follows: • “A policy is typically a document that outlines specific requirements or rules that must be met.” • “A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone.” • “A guideline is typically a collection of system-specific or procedural-specific ‘suggestions’ for best practice.” • A procedure is the step-by-step instructions for carrying out the policy, standard or guideline.

  18. Elements of a Policy • Statement of authority • Policy headings • Policy objectives • Policy statement of purpose • Policy audiences: for whom is the policy intended? • Employee groups based on: • job functions • roles such as information system owners, custodians, and users

  19. Elements of a Policy (Con’t) • Policy statements • Enforcement clause • Definition of terms Example of a security policy template (figure not reproduced in the transcript)

  20. Quick Quiz • Explain the relationships among policy, guideline, standard and procedure. • Policies are all around you: find one at your work or school. • Which of the features of usability apply to security policy?

  21. Types of Policies • There are different types of policies. • Ciampa presented three types of enterprise policy: • Security policy • Acceptable use policy • Privacy policy

  22. Types of Policy – Enterprise • A security policy is a type of policy that consists of a series of specific security documents, for example: • a password management policy • a firewall security policy

  23. Types of Policies – Enterprise (Con’t) • Acceptable use policy: defines the actions the users of a system may perform and states explicit prohibitions regarding security. • Privacy policy: defines what data an organization collects about its customers, partners, employees, etc., and how it uses and manages that data.

  24. Types of Policies – NIST • The National Institute of Standards and Technology (NIST) Special Publication 800-14 presents three types of policies as components of a complete information security policy: • Enterprise information security policies (EISP) • Issue-specific security policies (ISSP) • Systems-specific security policies (SSSP)

  25. Types of Policies – EISP • Enterprise information security policies (EISP) are similar to Ciampa’s security policy: • they outline the strategic direction and scope for all of an organization’s security efforts • they assign responsibilities for the various areas of information security. In addition… • the EISP also guides… • the development • implementation • and management requirements of the information security program

  26. Types of Policies – EISP (Con’t) • The EISP is a high-level statement that provides: • An overview of the corporate philosophy on security • Information on the structure of the information security organization and the individuals who fulfill the information security role • Fully articulated responsibilities for security

  27. Types of Policies – ISSP • Issue-specific security policies (ISSP) relate to Ciampa’s acceptable use policy. • An ISSP provides detailed and targeted guidelines and expectations about how the technology-based system in question should be used. • Examples of ISSPs are: • Password policy • Use of a company’s electronic mail • Use of the Internet and World Wide Web

  28. Types of Policies – SSSP • Systems-specific security policies (SSSP) “specify and detail standards or procedures to be used when configuring or maintaining systems.” • Examples include configuring: • access controls • firewall rules • IDS rules

  29. Users of Security Policy • Users or audiences of a security policy could be: • A group of employees based upon their departments or units • A group of employees based upon roles, such as system security officer • Information system owners, custodians, and end users

  30. User Groups by Types of Policies Table 3-1: The relevance of security policies to the different groups of users (table not reproduced in the transcript)

  31. User Groups by Types of Policies Table 3-1 (Continued)

  32. User Groups by Types of Policies (Con’t) • Note that individuals often fall into more than one user group based upon their roles. For example, an individual may be • an end user • a system administrator … depending on the tasks and the types of information systems being accessed.

  33. Information Security Policy Roles Policy roles include: • defining appropriate behavior for users • providing the foundation for action in response to inappropriate behavior • identifying needed tools and procedures • communicating a consensus of judgment

  34. Information Security Policy Characteristics • Policy Characteristics include: • should never conflict with law • must be able to stand up in court, if challenged • must be properly supported and administered

  35. Importance of Information Security Policies Information security policies: • Bring consistency in services, products and organizational culture • Help to comply with government regulations such as GLBA and HIPAA • Lead to more secure networks, systems and applications

  36. Effective Policy • Security policy needs to take into account the following: • The audience or users • The tasks performed by the audience • The environment in which the audience operates

  37. Effective Policy • Good policy should be: • relevant • readable and understandable • properly disseminated • agreed to • uniformly applied and enforceable • well organized and written in a consistent style

  38. Quiz • Discuss the types of security policies. • What are the roles of an information security policy? • What are the characteristics of an effective information security policy?

  39. Accessibility of Security Policy • Policy accessibility: a policy does not matter unless it is accessible, that is: • easily found • readily available to end users

  40. Accessibility of Security Policy • Policy accessibility questions include: • How easy is the policy to locate? • How easy is the policy to locate for users with physical or cognitive limitations?

  41. Usability of Security Policy • A policy is usable when it is easy to: • read and understand • remember • apply • enforce and when it: • helps minimize errors • helps recover from errors • Policy comprehension is best when the policy is written… • at a reasonable reading level • with minimal technical and managerial jargon

  42. Usable Security Policy – Challenges • Based on a study by Jensen and Potts, and others: • users do not have the time or the inclination to read a lengthy policy • security and privacy policies are infrequently read • privacy policies are hard to read • policies do not support rational decision making • Examples of reported incidents due to usability problems with security policy are: • The “Memogate” scandal • The file-permission errors studied by Maxion and Reeder

  43. Usable Security Policy – Challenges • How to convey security policy information without overwhelming users • How to overcome the great variation in policies from business to business, e.g., • the language used in the policies • issues that exist due to a lack of standards

  44. Usable Security Policy – Challenges • Users find it difficult to compare and contrast policies across competing organizations and businesses. • However, government policy standards are helping, e.g., • Family Educational Rights and Privacy Act (FERPA) • Health Insurance Portability and Accountability Act (HIPAA) • Gramm-Leach-Bliley Act (GLBA) • Children’s Online Privacy Protection Act (COPPA)

  45. Usability of Privacy Policy • A “privacy policy” may be defined as a statement of what data an organization • collects • uses and • manages… about its customers, partners, employees, etc., and how it does so.

  46. Usability of Privacy Policy • A study by Proctor found that: • “80% or more of respondents were comfortable with providing preference information, such as their favorite television show, or snack… • less than 20% were comfortable with providing medical information, income, phone number, credit card number, and social security number.”

  47. Usability of Privacy Policy • In theory, a privacy policy is an important source of information that presents the organization’s principles and practices regarding: • what kind of data is collected • how data about customers, partners, employees, etc. is collected, used and managed • such data about individuals is collectively referred to as “personally identifiable information.”

  48. Usability of Privacy Policy – Examples • Examples of privacy policies: • CLab @ CMU • Online Privacy Policy for Adobe @

  49. Usability of Privacy Policy – Jensen & Potts (2004) Study • Evaluated the privacy policies of 47 high-traffic web sites. • The study found: • the policies were typically complicated and written to address company issues rather than consumers’ concerns. • for high-traffic sites and health sites, the average readability level corresponded to 14 years of education.

  50. Usability of Privacy Policy – Jensen & Potts Study (Con’t) • Less than 1% of website registrants visited the privacy policy page. • Reasons are: • Considerable time and effort is required to locate, read, and analyze the policies. • The study estimates about eight to twelve minutes to read the privacy policies on the most popular sites.
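The two measures the study reports, years of education needed to read a policy and minutes needed to get through it, can be approximated mechanically. The following Python script is an added example, not part of the original slides or of the Jensen & Potts study: it applies the Flesch-Kincaid grade-level formula and a words-per-minute estimate to a constructed privacy-policy excerpt so that a reviewer can run the same check against a real policy text. The sample passage, the 250 words-per-minute reading speed, and the grade-8 and five-minute targets are assumptions chosen for illustration.

```python
import re

# Constructed sample policy excerpt (not taken from any real site).
SAMPLE_POLICY = (
    "We may share aggregated demographic information with our partners and advertisers. "
    "This information does not identify any individual user. "
    "By continuing to use the service, you consent to the collection described herein. "
    "We reserve the right to modify this statement at any time without notice."
)

# Assumed reading speed for the time estimate (typical adult expository reading
# is often quoted at roughly 200-250 words per minute).
WORDS_PER_MINUTE = 250


def split_sentences(text):
    """Split on terminal punctuation and drop empty fragments."""
    return [s for s in re.split(r"[.!?]+", text) if s.strip()]


def split_words(text):
    """Alphabetic tokens; apostrophes are kept so contractions stay one word."""
    return re.findall(r"[A-Za-z']+", text)


def count_syllables(word):
    """Heuristic syllable count: one per vowel group, minus a silent trailing 'e'
    (but not '-le' or '-ee'), and never less than one."""
    w = word.lower()
    count = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and count > 1:
        count -= 1
    return max(count, 1)


def flesch_kincaid_grade(text):
    """US school-grade level needed to read the text comfortably.
    Formula: 0.39 * (words/sentences) + 11.8 * (syllables/words) - 15.59."""
    sents = split_sentences(text)
    words = split_words(text)
    if not sents or not words:
        return 0.0
    syllables = sum(count_syllables(w) for w in words)
    return 0.39 * len(words) / len(sents) + 11.8 * syllables / len(words) - 15.59


def reading_minutes(text, wpm=WORDS_PER_MINUTE):
    """Estimated minutes to read the text at the assumed reading speed."""
    return len(split_words(text)) / wpm


def assess_policy(text, max_grade=8.0, max_minutes=5.0):
    """Return the metrics plus pass/fail flags against assumed targets: grade 8 is
    a common plain-language target, and five minutes is well under the eight to
    twelve minutes the study reports for popular sites."""
    grade = flesch_kincaid_grade(text)
    minutes = reading_minutes(text)
    return {
        "sentences": len(split_sentences(text)),
        "words": len(split_words(text)),
        "grade_level": round(grade, 1),
        "reading_minutes": round(minutes, 2),
        "readable_enough": grade <= max_grade,
        "short_enough": minutes <= max_minutes,
    }


if __name__ == "__main__":
    for key, value in assess_policy(SAMPLE_POLICY).items():
        print(f"{key:>16}: {value}")
```

Run against a real policy, the same script reports how many words a user must get through and roughly what reading level the prose demands; the short constructed excerpt above already scores above grade 11 despite taking well under a minute to read, which illustrates why length and reading level have to be checked separately.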