IAEA International Atomic Energy Agency Computer Security Culture and Capacity Building Overview Presented by: May 2016.

Presentation transcript:

IAEA Content
- The human element in computer security
- Description of security culture and its role in nuclear security
- Developing a culture of awareness for computer security

IAEA Lecture Objectives
At the completion of this lecture, the participants will be able to:
- Describe the human role in computer security
- Recognize the elements of a security culture
- Discuss ways an organization can build an awareness culture for computer security

IAEA Security Culture
- Security is a people issue, not just a technical issue
- Without good training, technology cannot be effective
- Attacks against organizational staff, including directed attacks, are a common tactic of adversaries
- Over half of all computer security breaches result from, or are complicated by, human error
- People can be your strongest asset or your weakest link in security

IAEA The Human Factor of Nuclear Security
“The thickness of a wall is less important than the will to defend it” - Thucydides, Greek historian of the 5th century B.C.

IAEA Security Culture: Two-Tiered Architecture
National macro-level:
- National leadership
- Adherence to the international legal framework and compliance
- National strategies and policies
- Industry commitment
- Involvement of the public
Facility-based micro-level culture:
- Principles
- Beliefs (There is a threat. Nuclear security is necessary.)
- Management systems
- Leadership and behaviour

IAEA Benefits of Effective Security Culture
- Enhanced security level
- Improved safety, in synergy
- Enhanced management systems
- Improved personal performance and shared commitment to nuclear security
- Enhanced employee satisfaction
- Decreased costs
(Source: Regional workshop on nuclear security culture, Budapest, Hungary, February)

IAEA International Legal Instruments
Amendment to the Convention on the Physical Protection of Nuclear Material, Fundamental Principle F:
“All Organizations involved in implementing Physical Protection should give due priority to the Security Culture; to its development and maintenance necessary to ensure its Effective Implementation in the Entire Organization.”

IAEA Nuclear Security Series
- NSS No. 20, Nuclear Security Fundamentals, Sustaining a Nuclear Security Regime: (c) Developing, fostering and maintaining a robust nuclear security culture
- NSS No. 13 (INFCIRC/225/Rev. 5): “A Nuclear Security Culture should be pervasive in all elements of the physical protection regime”
- NSS No. 14, Recommendations on Radioactive Material and Associated Facilities: “All organizations and individuals involved in implementing security should give due priority to the Nuclear Security Culture with regard to radioactive material”
- NSS No. 15, Recommendations on Nuclear and Other Radioactive Material Out of Regulatory Control: “The State should implement relevant elements of the Nuclear Security Culture for the trustworthiness program”

IAEA Cyber Security Culture - Foundations
Nuclear Security Series No. 7, Security Culture, defines nuclear security culture as: the assembly of characteristics, attitudes and behaviours of individuals, organizations and institutions which serves as a means to support and enhance nuclear security.
Establishing a robust and well-integrated computer security culture, as a component of the overall security culture, is an essential part of any effective security plan.

IAEA Cyber Security Culture - Characteristics
Characteristics of a security culture are:
- beliefs
- attitudes
- knowledge
- behaviours
- competences
- management systems
The correct and balanced assembly of these elements leads to a more effective security programme.

IAEA Security Culture - Awareness
Security awareness is developed through a collection of activities in an organization designed to inform personnel and increase awareness. Activities, besides training:
- Seminars and presentations
- Posters and notices
- Management discussions
- Security newsletters and notifications
- Publishing lessons learned
- Warnings, disciplinary measures
- Regular tests

IAEA Cyber Security Culture - Indicators
The following indicators can be used to evaluate information security culture in an organization:
1. Computer security requirements are clearly documented and well-understood by staff
2. Clear and effective processes, protocols and procedures exist for operating computer systems both inside and outside the organization
3. Staff members understand and are aware of the importance of adhering to the controls within the computer security programme
4. Computer systems are maintained secure and operated in accordance with the computer security baseline and procedures
5. Breaches are regarded by all as serious and undesirable
6. Management is fully committed to and supportive of security initiatives

IAEA Programme Inhibitors
What are some of the road blocks to implementing an effective security culture?
- Insufficient budget
- Employees not taking security seriously
- Lack of the right people to run the awareness activities in house
- Lack of management support
- Organizational culture
- Fear of and resistance to change from employees
- Lack of understanding by employees
- Lack of designated responsibility for implementation
- Others?

IAEA Training – Developing Human Capital

IAEA Awareness and Training
Computer Security Awareness: Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize information and computer security concerns and respond accordingly.
Computer Security Training: The purpose of training is to teach and instil the relevant and needed security skills and competencies in practitioners of specific functions.
The most significant difference between training and awareness is that training seeks to teach skills which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues.
Ref: NIST SP : Building an Information Technology Security Awareness and Training Program

IAEA Awareness and Training Metrics
Implementation metrics:
1. Have employees received adequate training to fulfil their security responsibilities?
2. Are employee training and professional development documented and monitored?
3. The percentage of employees with significant security responsibilities who have received specialized training
4. Are significant security responsibilities defined, with qualification criteria, and documented?
5. Are records kept of which employees have specialized security responsibilities?
6. How many employees in your agency (or agency component, as applicable) have significant security responsibilities?

IAEA Awareness and Training Metrics
Implementation metrics (continued):
7. Are training records maintained? (Training records indicate the training that specific employees have received.)
8. Do training plans state that specialized training is necessary?
9. How many of those with significant security responsibilities have received the required training stated in their training plan?
10. If all personnel have not received training, what are the reasons? (Insufficient funding, insufficient time, courses unavailable, employee has not registered for course)
11. Ratio of the number of employees with significant security responsibilities who have received required training to the number of employees with significant security responsibilities
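The implementation metrics above are only useful if they are computed the same way every reporting period. The following script is an added example, not part of the IAEA slides: it takes a constructed set of training records (names, roles and course titles are assumptions) and derives metrics 3, 6, 9, 10 and 11 from them, including the per-person list of outstanding courses that a training coordinator would need to close the gaps.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Employee:
    name: str
    significant_security_role: bool          # basis for metric 6
    required_courses: Set[str]               # from the individual training plan (metric 8)
    completed_courses: Set[str] = field(default_factory=set)
    gap_reason: Optional[str] = None         # metric 10: why required training is outstanding


# Constructed sample records; not real staff or IAEA data.
STAFF = [
    Employee("ops-1", True, {"CS-Basics", "ICS-Incident-Response"},
             {"CS-Basics", "ICS-Incident-Response"}),
    Employee("ops-2", True, {"CS-Basics", "ICS-Incident-Response"},
             {"CS-Basics"}, "Courses unavailable"),
    Employee("admin-1", True, {"CS-Basics", "Admin-Hardening"}, set(), "Insufficient time"),
    Employee("clerk-1", False, {"CS-Basics"}, {"CS-Basics"}),
    Employee("clerk-2", False, {"CS-Basics"}, set(), "Employee has not registered for course"),
]


def fully_trained(e: Employee) -> bool:
    """True when every course in the training plan has been completed."""
    return e.required_courses <= e.completed_courses


def implementation_metrics(staff) -> Dict[str, object]:
    sig = [e for e in staff if e.significant_security_role]        # metric 6
    trained_sig = [e for e in sig if fully_trained(e)]             # metric 9
    untrained = [e for e in staff if not fully_trained(e)]
    ratio = len(trained_sig) / len(sig) if sig else 1.0            # metric 11
    return {
        "significant_roles": len(sig),
        "significant_roles_trained": len(trained_sig),
        "coverage_ratio": ratio,
        "coverage_pct": round(100 * ratio),                        # metric 3
        "gap_reasons": dict(Counter(e.gap_reason or "unknown" for e in untrained)),  # metric 10
        "outstanding": {e.name: sorted(e.required_courses - e.completed_courses)
                        for e in untrained},
    }


if __name__ == "__main__":
    for key, value in implementation_metrics(STAFF).items():
        print(f"{key}: {value}")
```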

IAEA Awareness and Training Metrics
Effectiveness metrics:
1. ….A much harder evaluation – what are some items?
2. Awareness tests
3. Metrics relating to the number of system compromises/breaches
4. Metrics on employees asking questions and identifying suspicious activities
5. Number of human errors in security
6. What are some other ones?

IAEA Summary: Computer Security Culture
- Computer security should be part of the overall site security plan and operational requirements
- Awareness is needed by all
- Directed training is needed by key personnel, including senior management and decision makers
- A security programme without a strong human element is an open door for compromise

IAEA Questions?