
PoliciesMonday2

Security Policies

What we're going to talk about

• Why have policies?
• Why they don't work
• What we want to achieve
• Why it is hard
• How to analyse Policies
• How to produce evidence-based Policies

Why have policies?

• It’s all about risk management
• It’s like insurance

– You buy theft and travel insurance but you
seldom get anything back

– We need to start growing up when it comes to
security in the virtual world

• It will COST
• When an attack comes companies will lose
money and opportunities

Why Policies?

• Order
– Removing capricious and arbitrary decision
making

– Constraining courses of action
• Authority

– Writer needs to have legitimate authority
• Expertise

– Based on expert knowledge

Policy is about

• It will impact on the convenience of your
workers and your company’s functioning

• It will not be popular
• It is a matter of balancing inconvenience
against risk

• Not doing it is not an option
• Doing it poorly will cost you dearly

Why Security Policy?

Survey by Cisco, conducted by InsightExpress

• 47% of employees and 77% of IT professionals worldwide believe that their companies' security policies need improvement and updating

• IT is not sufficiently educating employees about security policies or communicating them, and employees may not be paying attention.

Why don’t they adhere to policy
rules?

Why?

The majority of IT professionals believe that
employees don’t always adhere to policies
because they don’t understand the risks
involved with their behaviour, because security
isn’t a top-of-mind priority or issue, or because
the employees just don’t care.

What do employees say?
• Lack of alignment between job activities that are
perceived as necessary and policy constraints
(Autonomy)

• 42% of employees worldwide knowingly disregard
security policies because they believe that the
policies limit their ability to perform their work
effectively (Goals)

• China (62%) and the United Kingdom (55%) featured
the highest percentages of employees expressing
this frustration. (Goals)

JUST Having a Policy doesn’t
work….

Insanity: doing the same thing
over and over again and
expecting different results

Albert Einstein

Because Knowledge (on its own)
doesn’t change behaviour!

Mostly Security Policies look like this:

• You should NOT do these things
• You should do these things
• Leave it to the professionals ???
• Also
– Too many
– Ambiguous
– Unrealistic

Metric for Judging Policies

• Policy is industry's best attempt to deal with insecure behaviour

• They are reacting to their understanding of what the problems are

• Step back and apply a scientific approach
• Called "What's the Problem Represented to Be"

• Also Problematisation

Steps in Problematisation
1. What is the problem?
2. What assumptions have been made?
3. How has this representation of the problem come about?
4. How can the problem be thought about differently?
5. What effects are produced by this representation of the problem?
6. How could this representation be questioned?

Child Care Policy

• A cash rebate is offered when both parents
are engaged in paid labour

• What is the representation?
– It is a labour market Problem
– Child care becomes difficult when both parents
work

Child Care Policy

• Means tested subsidies are made available to
assist with child care expenses

• What is the representation?
– It is a welfare Problem
– Parents with inadequate means are to be
assisted

Child Care Policy

• Vouchers are given to families to spend on
child care or as a subsidy for a parent who
stays home

• What is the representation?
– It is a family choice Problem
– Parents can now decide how their children are
cared for

Child Care Policy

• Child care centres funded from the public
purse

• What is the representation?
– It is a public responsibility Problem
– Exactly like primary and secondary education

Example

• 1997 Act of Australia
– Allow people to work for the Dole
– Establish a max number of hours to work
– Allow participants to receive $10 extra per week
to cover costs

• Applies to 18-24 year olds

What is the Problem?

• People getting the dole without working
• Look further

– “long-term idleness at the taxpayer’s expense” in
the legislation

• So problem is really
– Addressing reliance on welfare
– Dealing with dysfunctional adults
– Obligation-free welfare encourages dependency

Assumptions?

• Labour is necessary and valuable part of
character development

• Hard work is good
• Words “mutual obligation” and “welfare
dependency” are used

• Thus -> there are no rights without
responsibilities

• There is no such thing as a free lunch

How has this come about?

• The word “unemployment” has become an
emotive term

• Over the years the idea of citizen
responsibilities has become a popular
concept

• Those who don’t work are considered
irresponsible

• Blaming the unemployed is becoming more
common

How can it be thought about
differently?
• Are the unemployed really passive,
despairing, dependent?

• Are they deficient, or could there be other explanations?

• There might simply not be enough jobs
• Increasing automation might be contributing
to shrinking of the market

• They might lack resources to get to work, or
to dress properly

Continued…

• Is “work” really only “participation in the
workforce”?

• What about people working for themselves
or caring for relatives?

• Characterisations of dependency being BAD
need to be reconsidered
– The young and the very old are dependent too,
and that is not their fault

Consequences?

• Blaming the unemployed for their plight
• Doesn’t bring in the concept of
interdependence

• Assumption of lack of skills needs to be
questioned

• Assumed character flaws damaging to
everyone

• Putting unemployed on one side and
taxpayers on the other is damaging

How can it be questioned?

• In this case the media has not helped
• Questioning this in the media might help
• The media can also correct and challenge
existing pre-conceptions

• We need to question how cooperation could
be encouraged

Example Policy
• It is Trust policy that only encrypted USB
memory sticks should be used in the Trust’s
PCs.

• This is to ensure patient confidentiality and
data security.

• These memory sticks are freely available from the Trust's libraries, on presentation of a valid Trust ID card. There may be a charge for replacing lost memory sticks.

What’s the Problem?

• Lost memory sticks being easy to read

What Assumptions have been
Made?
• That the problem results from the use of
insecure media

How has this representation come
about?
• Media?

How can it be thought about
differently?
• Is it the movable media that is the problem
• Or the reason for using them in the first place

What effects are produced?

• Delays as people have to apply for sticks
• Costs of replacement
• Passwords again?

– Use of weak passwords ignored

How could the representation be
disrupted?
• Gently introduce the flaws in the
understanding

• Suggest alternative solutions
– Eg. VPN access from home
– Find out *why* people are putting confidential
info on movable media

What policy is this?

– Security of our IT systems is of paramount importance.
We owe a duty to all of our [customers/clients] to
ensure that all of our business transactions are kept
confidential. If at any time we need to rely in court on
any information which has been stored or processed
using our IT systems it is essential that we are able to
demonstrate the integrity of those systems. Every time
you use the system you take responsibility for the
security implications of what you are doing.

– [XYZ CO’S] system or equipment must not be used in
any way which may cause damage, or overloading or
which may affect its performance or that of the
internal or external network.


On Friday

• Learn about Evidence-Based Policy
• Learn to Apply it

Security Policies

Policies

• You have to write them
• Communicate them to staff
• Have an archive somewhere so they can be consulted

• Enforce them – ensure that people remember them

• What happens when people don't comply?

Problems
1. The number of controls
2. The disorder – different documents, different controls, confusion reigns
3. Compliance isn't cool!
4. People miss the point
5. Legalese, Abstract, Inconsistent
6. Companies think everything can be encoded into procedures and processes
a) But we need the user to think out of the box

Smartphone and Tablet security

Steps that should be taken to improve the
security of your smartphone:
• Set a PIN to protect the device from casual
unauthorised use (do this right now).

• Ensure the PIN is not guessable (not 0000,
1234 etc)

• Set a timeout to lock the device, such that the
PIN is always required after a period of
inactivity.

• Be careful which apps you install and what
permissions you give them.

• If you configure location services, be aware
what information is shared.

• Email security rules apply for smartphones
and tablets.

• Keep a copy of your IMEI number (if
applicable) in case of loss or theft.

• Backup the information on your devices.
• Ensure secure disposal of your devices at end
of life.
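The "not guessable" PIN rule above is the one item in this list that a device-management team can check mechanically rather than just ask for. The Python below is an added example, not code from the slides: it flags a PIN that sits on a common-PIN denylist (the list here is constructed for illustration, not a measured one), uses a single repeated digit or a repeated block, forms an ascending or descending run such as 1234 or 9012, or reads as a year or calendar date. The denylist contents and the date heuristics are assumptions; a real deployment would feed in a denylist derived from actual breach data.

```python
"""Guessability check for numeric device PINs (added example, not from the slides)."""
import re

# Constructed, illustrative sample of frequently chosen PINs (assumption: a real
# deployment would load a denylist derived from breach data instead).
COMMON_PINS = {
    "0000", "1234", "1111", "1212", "7777", "1004", "2000", "4444",
    "2222", "6969", "9999", "3333", "5555", "6666", "1122", "1313",
    "8888", "4321", "2001", "1010", "2580", "123456", "111111", "000000",
}


def _is_run(digits, step):
    """True if every adjacent pair differs by `step` modulo 10 (e.g. 1234, 9012, 4321)."""
    return all((b - a) % 10 == step % 10 for a, b in zip(digits, digits[1:]))


def _is_repeated_block(pin):
    """True if the PIN is a short block repeated to fill its length (e.g. 1212, 123123)."""
    n = len(pin)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pin[:size] * (n // size) == pin:
            return True
    return False


def _looks_like_date(pin):
    """True for 4-digit PINs that read as a year (1900-2099), MMDD or DDMM (heuristic)."""
    if len(pin) != 4:
        return False
    if 1900 <= int(pin) <= 2099:
        return True
    a, b = int(pin[:2]), int(pin[2:])
    mmdd = 1 <= a <= 12 and 1 <= b <= 31
    ddmm = 1 <= b <= 12 and 1 <= a <= 31
    return mmdd or ddmm


def pin_weaknesses(pin):
    """Return the reasons a PIN is guessable; an empty list means it passed every check."""
    if not re.fullmatch(r"\d{4,}", pin):
        return ["PIN must be at least four digits, digits only"]
    reasons = []
    digits = [int(c) for c in pin]
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN denylist")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    elif _is_repeated_block(pin):
        reasons.append("repeated digit block")
    if _is_run(digits, 1) or _is_run(digits, -1):
        reasons.append("ascending or descending run")
    if _looks_like_date(pin):
        reasons.append("looks like a year or calendar date")
    return reasons


def is_guessable(pin):
    """Convenience wrapper: True if any weakness was found."""
    return bool(pin_weaknesses(pin))


if __name__ == "__main__":
    # Constructed sample inputs covering each rule plus one PIN that passes.
    for candidate in ["0000", "1234", "9012", "1987", "123123", "8603"]:
        print(candidate, pin_weaknesses(candidate) or "ok")
```

The checks are deliberately cheap and explainable, so the reason list can be shown to the user at the moment they choose the PIN; the slides' point about empathy applies here too, since "that PIN is a calendar date" is more persuasive than a bare rejection.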

Simplicity
• Keep it Simple!

– Convince them that what you want them
to do is in their own interest
•NOT : Here are the rules, obey them or else….
•RATHER: If you obey these rules, here are the
benefits

• Display Empathy (Emotional Needs)
•NOT: Users are lazy and stupid
•RATHER: Yes, we know this is irritating but…

Rules for Writing Policies

• KISS – Keep It Simple, Stupid!
– There is a tension between making it so long that
people don’t read it, and including the essential
information

– Write using simple language – you want to meet
everyone where they are

– To the extent that an AUP (acceptable use policy) is murky, confusing, or belittling, it will be less effective

How are they written?

How it is communicated

• 59% of employees and 68% of IT
professionals say they receive or send emails
on policy updates

• Problems with email
– Email overload!
– Easily missed
– Accidentally deleted
– Difficult to perceive importance of message

What do users do with Policies?

• They ignore them
• They subvert them
• They struggle to keep up with all the different policies

• They are not constrained by them

• …. They do not COMPLY!
• IT says – users are lazy and obstinate

Impasse?

IT relationship to staff

• Dominance
• Cooperation
• Reciprocity
• Which one are you striving for?
• Which can you reasonably expect people to
be comfortable with?

• A — Attunement – take the other person’s
perspective

• B – Buoyancy – be able to deal with rejection
• C – Clarity – make things very clear

These three qualities are essential in
persuading people to do anything.

Daniel Pink

Influence Tactics
1. Personal Motivation – want to
2. Personal Ability – can do
3. Social Motivation – whether other people encourage the right behaviors
4. Social Ability – whether other people provide help, information or resources
5. Structural Motivation – whether the environment encourages the right behaviors
6. Structural Ability – whether the environment supports the right behaviors

So… It’s not all about the person!

Environment

Facts and Rules

http://www2.potsdam.edu/alcohol/DrivingIssues/20060414152818.html

Story/Norms

That's the way things are done here

Structural

• Make it easy to do the wanted activity and
hard to do the unwanted activity

Most people spend more time and energy going around problems than in trying to solve them.

Henry Ford

Summary

• Keep it simple
• Write it clearly
• Remember to consider the social aspects/norms

• Use stories where you can
• Design to make security easy
• Establish Norms

Things to bear in mind
1. Don't prohibit what you cannot prevent
2. Don't make rules impossible to obey
3. Keep it Simple, Keep it Reasonable
4. NEVER blame – think about the relationship with staff
5. Consequences don't work
6. Don't prohibit what you can't prevent
7. Be Realistic

– Don't write passwords down?
– Don't share passwords
– Aye, right!

Evidence-Based Policies?

• Question
– Someone finds that providing people with a password strength meter encourages them to choose stronger passwords

• Does that mean you should issue one of these to your staff?

• It depends….

Evidence-Based Policy

It worked somewhere

Evidence

• Someone carried out a WELL-DESIGNED random controlled trial, and showed that it worked
– People MUST have been allocated randomly to conditions

– There should be no confounding factors
– The right data must be collected
– The data must have been analysed correctly

Causal Role

• What is the cause, and what the effect?
• Ashtray ownership is correlated with lung cancer
– Does the ashtray cause the cancer?

• Coughing is correlated with TB
– Does coughing cause TB?

• If you don't address the cause with your policy, you cannot hope to change the outcome

Causatives

• Causatives might differ from place to place
– It might work in London but not in Glasgow

• Causes are seldom solo causes
– Many causes often work together
– If any are missing, the effect will not happen
– Eg. You need flour, sugar and Baking Powder to make pancakes. Leave any out and they won't be very good

• It depends on the people who provide support

Support Factors

• What factors made the effect happen in the random controlled trial?

• Are they present here?
• EG – in the West we get an increase in hand washing when midwives are trained to do so

• In India this did not happen
• The support factor that was missing:

– Availability of soap

Example

• In the mid 1990s California had problems with academic achievement in early grades

• They wondered whether reducing class sizes would help

• STAR project in Tennessee in 1985 had shown that students in smaller classes performed better

• California put the funding in place for smaller classes in earlier grades

Problematization

• Problem:
– Student performance due to large class sizes

• Assumption
– Student performance is improved when teachers have more time to interact with them

• Can it be thought about differently?
• What effects are produced?

– Blaming teachers?

California

• In 2002 they reviewed the situation and did not find the expected improvement

• They had
– Evidence from Tennessee
– Their causative was:

• more teacher time -> better performance
– Support?

• Enough teachers
• Enough classrooms

California

• In Tennessee they only trialled the smaller class sizes where there were free classrooms

• Tennessee had enough qualified teachers
• So

– They had a RCT with good evidence
– They had identified causatives
– BUT – what about the support – that California did not have
• They did not have enough classrooms for the smaller classes

• California had to find 1200 teachers overnight

[Diagram: transferring the Tennessee result to California. Boxes: Evidence from RCT; Causatives identified (Smaller Classes); Support Factors the same? (Qualified Teachers, Space, Other); plus Cost & Benefit, Politics, Side Effects, Legal Requirements, Resources]

New Policy Critique

• No Evidence Provided (as far as I can see)
• Causatives?

– Do they think teachers are currently not committed?

– And that an oath would make the difference?
• Support Factors?

– Good leadership
– Not being tired from frequent govt policy changes

– Teachers feeling valued

Evidence to bear in mind

• People will not change passwords unless
forced to do so

• People will reuse passwords (most people
will have 5-6 passwords)

• People working in teams share passwords
• Strong passwords are easier to observe than
weak passwords

• People have a compliance budget – so be
careful how much you ask for

First

• Carry out problematisation for this policy
• Now think about how you would write a
password policy for nurses in a hospital
environment
– Nurses are assigned to a group of co-located
wards

– They work as a team
– They share a computer per ward


Solutions?

• “For every problem there is one solution which
is simple, neat and wrong” — H.L. Mencken

• Managing User Behaviour is COMPLEX!
• You cannot FORCE them to comply
• What will help: a touch of realism

– The user is NOT the enemy
– Be realistic about what you ask
– Use the evidence

• Be careful

Activity

• Universities have begun to explore the use of technology enhanced active spaces.

• Courses are designed around preparation and
activities with students to use their own
devices within the spaces.

• Concerns surround the challenges of
preserving privacy in such spaces.

• Teams create three questions, but ask one via YACRS. Teams will then consider the responses in the subsequent session.