Describe the basic elements of human nature and how
they affect information security policy development and impact
information security policy implementation issues.
Propose at least three ways that organizations can
overcome these policy development and implementation
issues.
Human nature has become the weakest link in information security. There are multiple ways an attacker exploits human nature.
First, let us look at which aspects of human nature or behaviour are useful in exploiting information security.
1. Fear: This is a common trait of human nature that every attacker uses to steal information from the victim.
For example: to get access to your credit card / debit card PIN, someone can call you and say, "We have seen a recent transaction on your credit or debit card for $10000," which directly creates fear in you, and you are more likely to give up the information to avoid more losses.
2. Trust: The same example holds good for trust also.
3. Emotions: This is the easiest one to exploit.
For example: even an educated person uses a password which is either the DOB of his/her child, a mobile number, etc.
A hacker can easily get this information from social networking sites and use it to gain access to your important account.
Now let's discuss information security:
Any organization or person who uses computers requires information security in the form of three major pillars.
1. Confidentiality: means keeping sensitive information without disclosing it.
2. Integrity: means making sure the sensitive information is not tampered with.
3. Availability: means making sure only authorized persons have access to it.
You can call these the 3 pillars of information security.
All 3 of these pillars are easily affected by the aspects of human nature above.
Confidentiality, integrity and availability are easily affected by emotion, for instance if your confidential data has a password which is your child's DOB.
An organization can implement an information security policy by taking the 3 major things below into consideration.
1. Individual accountability
2. Auditing
3. Separation of duty
Individual accountability: This is very important for assigning responsibility for actions.
It means keeping track of individual actions: who is authorized to access the information? Who is asking for it?
Auditing: This supports accountability, so it is valuable to do regular auditing to check whether the system is compromised or vulnerable to compromise.
Separation of duty: This relates directly to authorization, as it is an example of a broader class of controls governing who is authorized to access specific information and whether he is trusted for that operation.
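
An added example, not part of the original answer: a small Python audit pass over a constructed access log, showing how the three controls above can be checked in practice. The log format, the account names and the `AUTHORIZED` and `SHARED_ACCOUNTS` tables are assumptions made up for illustration.

```python
import csv
import io

# Constructed sample audit trail (hypothetical format): who requested access
# to a resource and who approved the request.
SAMPLE_LOG = """\
time,resource,requested_by,approved_by
2024-01-05T09:12,payroll.db,alice,bob
2024-01-05T10:40,payroll.db,carol,carol
2024-01-06T14:03,customer.db,shared-admin,bob
2024-01-06T15:20,customer.db,dave,
2024-01-07T08:55,payroll.db,erin,bob
"""

# Hypothetical policy tables: who may access what, and which logins
# cannot be tied to a single person.
AUTHORIZED = {
    "payroll.db": {"alice", "carol"},
    "customer.db": {"dave", "shared-admin"},
}
SHARED_ACCOUNTS = {"shared-admin"}


def audit(log_text, authorized=AUTHORIZED, shared=SHARED_ACCOUNTS):
    """Return a list of (time, rule, detail) findings for the given log."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when, res = row["time"], row["resource"]
        who, approver = row["requested_by"], row["approved_by"]
        # Individual accountability: every action must map to one person.
        if who in shared:
            findings.append((when, "accountability", f"{who} is a shared account"))
        # Authorization: is the requester allowed to use this resource?
        if who not in authorized.get(res, set()):
            findings.append((when, "authorization", f"{who} not authorized for {res}"))
        # Separation of duty: a second, different person must approve.
        if not approver:
            findings.append((when, "separation-of-duty", f"{who} had no approver"))
        elif approver == who:
            findings.append((when, "separation-of-duty", f"{who} approved own request"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Running the audit on a schedule is what turns the log into the regular auditing the answer calls for.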