Humans, the weakest link in the information security chain
Dr Marcus Butavicius of the National Security and ISR Division says that we can't ignore the role of people in information security. Until recently, information security has largely been all about the technology; however, there is a growing awareness of the importance of the human aspects.
Dr Butavicius and his team of Defence scientists recently joined with experts from the University of Adelaide's Business School to develop a method of assessing how an organisation's personnel are contributing to the level of security of the organisation's information and the systems that process it.
The Human Aspects of Information Security Questionnaire (HAIS-Q) allows management to examine, from a non-technical point of view, Information Security (InfoSec) culture and awareness among staff.
"The HAIS-Q focusses on human behaviour, knowledge and attitudes. It helps identify vulnerabilities in these human aspects that can result in problems such as sensitive and private information getting into the wrong hands," Dr Butavicius explains.
"Social media is a big issue. It's become so predominant and people don't appreciate the risk of putting certain types of information on the internet."
The HAIS-Q is deployed as an online survey and looks at a range of different behaviours associated with password management, information handling, reporting suspicious incidents and the usage of email, internet, social media and mobile devices. An organisation wishing to use the HAIS-Q can be provided with a link to the survey to send to all staff. The results will highlight vulnerabilities that can be addressed through training or communication.
This collaboration with the University of Adelaide commenced in 2008 as the Human Aspects of Cyber Security (HACS) project. The HACS team comprises Dr Cate Jerram (co-lead) and Dr Malcolm Pattinson from the Business School, as well as contributions from Masters and Honours students from the School of Psychology at the University of Adelaide.
According to Dr Jerram, the collaboration makes for a rather powerful combination, with a lot of different angles to attack the problem.
The team has recognised that the immediate response is to turn to hardware, software and communications systems for protection. The study allows them to look at how and why people do risky and unsafe things and violate security protocols, and what can be done to address these problems.
"People generally overlook the fact that you might have the most sophisticated password and have spent billions on the most protected servers in the world, but there is always the potential for one user to jot down their password on a sticky note and you now have no security," Cate says.
DST and the University of Adelaide own the HAIS-Q intellectual property jointly. To date, the HAIS-Q has been tested with staff from several public service organisations, a financial institution, members of the public and a university.
The team publicises its work widely through conferences and journal papers, building a profile to support funding applications from other bodies including the Australian Research Council (ARC).