Information Security (InfoSec) Surveys conducted worldwide show that the number and type of InfoSec attacks is expanding daily. This is verified and validated through a survey discussed in this paper. The paper asks a number of questions concerning InfoSec issues, outlines a survey designed to answer these questions, and then discusses the results obtained within the framework of those questions. The survey concludes that, although InfoSec awareness exists, best InfoSec practices are usually not being followed. Consequently InfoSec threats are increasing enormously despite the existence of tools designed to protect against them. Of particular concern is “human factors”, since user carelessness and negligence may contribute to the issue and may grant hacker’s access to sensitive assets.
Keywords: Information security survey, Hackers attacks, Hackers attacks countermeasures, Conventional InfoSec solutions status, Future recommendations for InfoSec solutions
Introduction
Information systems are facing an enormous increase in information security breaches as hackers always appear to be ahead in discovering system vulnerabilities and then generate attacks that bypass defense systems, Breach Security Labs (2009), Symantec (2009), PWC (2008) and Schryen (2007) discuss the this issue in greater details. Compromised security can impact organizations of many kinds, including governments, businesses, intelligence services, infrastructure, and education so forth. It can disrupt key operations, reduce productivity and inflict significant economic losses; Anderson (2008), Denning (2009) and Clarke and Knake (2010) show that governments have enacted laws to address this type of cybercrime. And indeed why shouldn’t they, Infoguard (2010) says “It can take a second to steal a national secret; and it will cost a high price. Ethical hacking brings the message home: If cybercrime is too easy, and the tools to do it are at anybody’s fingertips, then it pays to give more attention to the prevention of this new, often widely underestimated form of crime”.
Therefore, improving information security is critical to the operations, reputation, and economic stability of all information systems users. Many published reports show that hackers are becoming more proficient, and their attacks are becoming extremely destructive, while current InfoSec protection solutions are not effective against hacker’s attacks, which is the reason why these attacks are increasing as highlighted in Maynor et al (2007), Denning (2008) and Denning and Denning (2010). There must be no doubt that this challenges all organizations, since they will need to proactively combat the work of unprincipled hackers.
Brancik(2007) mentioned that many hacker’s attacks are caused by the insider which is as high as 80% compared to that from the outsider that is 20%; this is because of the contribution of human factor, where for instance, if legitimate users do not conduct systems risk and vulnerability analysis, do not use the right protective tools (and do not maintain them up-to-date), or do not use strong authentication, they may be granting attackers access to their critical assets emphasized in McNab (2004). This is verified and validated through a survey discussed in this paper. The paper asks a number of questions concerning InfoSec issues, outlines a survey designed to answer these questions, and then discusses the results obtained within the framework of those questions.
This paper is arranged to first give a brief (in section 2) on the information security survey conducted with respect to the purpose of the survey, the core issues and the anticipated recommendations; then the scope is given in section 2.1, followed by section 2.2 covering the survey evaluation using both quantitative and qualitative analysis. After that, the survey results are mapped with the core issues in section 2.3 and conclude in section 3.
InfoSec Survey and the Human Factor
Mohay et al (2003), Savage (2010) and OWASP (2010) show that InfoSec hacking threats are increasing, and hackers are finding new ways to bypass the wide range of conventional security tools and techniques available (Fire Walls (FW), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), encryption, Virtual Private Networks (VPN), Network Address Translation (NAT), subnetting, anti-virus (AV) and anti-spy (AS) ware). Bratus (2007) said “To learn security skills, students and developers must be able to switch from their traditional conditioning to the attacker’s way of thinking”.
This InfoSec survey was conducted to directly look at:
1. Information security knowledge and daily practices,
2. How normal people handle InfoSec matters,
3. The level of InfoSec awareness,
4. How human factors lead to security breaches.
The aim was also to see whether implementing InfoSec solutions based on behavioral analysis and hacker’s countermeasures would give better protection against newly emerging InfoSec threats as compared with conventional tools. The survey was therefore designed to indirectly measure:
1. Whether the concept of a “total security solution” is realistic, and if a model driven InfoSec solution would prove to be more robust and more effective than conventional approaches;
2. The human factors issue, how it accounts for the success or failure of InfoSec solutions, and whether it has connections with reverse engineering hacking techniques;
3. Whether InfoSec protection solutions based on behavioral analysis and counter measures of hacker’s techniques form a base line for a total InfoSec protection.
Survey Scope
The survey was conducted using a questionnaire, which comprised 15 questions. The questions covered training, risk assessments and security policy, applying this policy (if it exists), best InfoSec practices, verifying the effectiveness of current InfoSec tools, and users’ future solution recommendations.
The surveyed sample comprised 100 Information Technology respondents from different organizations (government 30%, private sector 30% and military 40%); respondents came from different backgrounds, levels of education and job responsibilities. Of those surveyed, 10 were face to face interviews with senior IT/InfoSec staff, and 90 were sent by email and hard copy to other staff.
Responses were accumulated and classified by scoring one point for each check received for each given question. Thus the maximum score possible for any one question (given one reply per question and one reply per respondent) was 100.
Statistical analysis software (SPSS) was used to analyze the data collected, see Figure 1 for summary statistical results. This showed that the majority of responses scored between 10 and 35 with a mean of 25.16, a standard deviation of 16.37, and a variance of 268.141. Table 1 (below) shows response frequencies, there being a maximum of 64 for Q14 (Yes), and a minimum of zero for Q1 and Q4 (Don’t care).
Table 1: InfoSec Survey Results
Comprehensive Results
Percentages
Q1. Have you attended special InfoSec courses to improve your security skills?
Yes
28
28%
No
40
40%
Maybe in Future
32
32%
Don’t care
0
0%
Q2. Do you update your knowledge on the latest InfoSec threats and risks?
Always
15
15%
Some times
41
41%
Rarely
22
22%
Never
22
22%
Q3. Do you conduct risk assessment/vulnerability checks or penetration testing?
Always
12
12%
Some times
54
54%
Rarely
22
22%
Never
22
22%
Q4. Do you follow some kind of security policy?
Yes
46
46%
No
22
22%
Little
32
32%
Don’t care
0
0%
Q5. Do you use strong passwords or strong authentication/access control technology to help protect your personal information?
Always
52
52%
Some times
18
18%
Rarely
5
5%
Never
25
25%
Q6. Do you use protection tools (AV, AS, FW, IDS, IPS, Encryption, VPN, NAT) to protect your information system?
Always
24
24%
Some times
34
34%
Rarely
20
20%
Never
22
22%
Q7. Do you make sure to set up properly your operating system, Web browser and firewall, and update your tools regularly?
Yes
10
10%
No
51
51%
Don’t know
34
34%
Don’t care
5
5%
Q8. Do you surf or download from unknown sites or untrusted storage media?
Always
8
8%
Some times
18
18%
Rarely
20
20%
Never
54
54%
Q9. Do you open attachments from unknowns or reply to hoaxes?
Always
3
3%
Some times
24
24%
Rarely
22
22%
Never
51
51%
Q10. Do you encrypt your data and outgoing emails?
Always
3
3%
Some times
30
30%
Rarely
28
28%
Never
39
39%
Q11. Do you scan outgoing e-mail for data leakage?
Always
6
6%
Some times
17
17%
Rarely
28
28%
Never
49
49%
Q12. Do have a disaster recovery plan?
Always
28
28%
Some times
53
53%
Rarely
8
8%
Never
11
11%
Q13. Are you still experiencing an increase in InfoSec threats?
Yes
54
54%
No
8
8%
Maybe
27
27%
Don’t know
11
11%
Q14. Do you think implementing InfoSec solutions based on behavioral analysis and hacker’s countermeasures would give better protection than current tools?
Yes
64
64%
Maybe
25
25%
No
6
6%
Don’t know
5
5%
Q15. How do you describe your spending on securing your information system?
High
8
8%
Medium
44
44%
Low
30
30%
None
18
18%
Survey Evaluation
The results in Figure 1 and Table 1 reveal interesting information concerning how InfoSec is understood and used in the organizations surveyed.
It was noted that 72% of surveyed respondents have had no InfoSec training, 15% of respondents update their InfoSec knowledge regularly, and 22% never update their knowledge at all. Systems risk assessment and vulnerability checks were always performed by only 12% of the surveyed respondents. Security policies were defined for and followed by 46% of respondents, 22% did not have a security policy.
From Q1 & Q4 respectively it was noticed that the “Don’t care” choice scored 0% on the training and the InfoSec policy questions. This suggested that users do care, and have the intention of improving their InfoSec capabilities, if they get the chance.
Fifty two percent of respondents said they had good authentication and access controls, whereas 22% didn’t have strong authentication. Q6 and Q7 showed that 24% had multiple protection tools active all the time, but only 10% actually set up and updated their systems regularly.
Q7 to Q12 showed human factor shave a major impact on the number and type of hacker’s attacks, because of careless or unknowledgeable users. Examples of dangerous practices are highlighted by 8% of respondents, who surf or download from unknown or distrusted sites/storage media, and 3%, who open attachments from unknowns or reply to hoaxes (showing poor awareness of the issues). Examples of good practices are shown by 3%,who encrypt their information and outgoing emails, and 6%,who scan outgoing emails for information leakage. The survey also showed that 28% have a disaster recovery plan, test it regularly, and back up their important information.
Financial issues are illustrated by Q15, responses showing that those surveyed think their corporate InfoSec spend is in the low to medium range, it is clearly not much better than those of Q8 to Q12, in fact, it complements those answers. It is important to note that this result is consistent with the results of a 2008 UK Government Survey on Security Breaches on IC3 ( 2009) ].
Another significant survey finding was indicated by Q13 and Q14, which showed that 54% of respondents have experienced an increase in InfoSec threats, despite their use of the latest protective tools (that is the second highest value). Sixty four percent of respondents think implementing InfoSec solutions based on behavioral analysis and hacker’s countermeasures would give better protection than current protection tools (the highest value in the survey), compared to 6% who said they would not (No). Both of these two values were marked by SPSS as the highest and the lowest values respectively.
Figure 1: Descriptive Statistics of the InfoSec Survey Using SPSS
Mapping Core Issues to Survey Questions
In this section, the four core issues above are mapped with the survey question results, to give the final and the most important findings of the survey.
The first issue was the status of conventional InfoSec solutions and their effectiveness. This relates to survey questions Q5 to Q7, Q10, and Q13 to Q15. From these it was concluded that conventional InfoSec solutions are not effective against hacker’s attacks.
The second issue was whether the concept of a “total security solution” is realistic, and whether a model driven InfoSec solution would prove to be more robust and more effective than conventional approaches. This issue relates to the questions Q5 to Q7 and Q10 to Q14. Responses indicate that the concept of a “total security solution” is not feasible, however, a model driven InfoSec solution would prove more effective and efficient than conventional solutions.
The third issue concerns human factors, how they impact the success or failure of InfoSec solutions, and whether there is any connection with reverse engineering hacking techniques. This issue maps to all questions (Q1 to Q15). These showed that human factors have a significant impact on the success or failure of InfoSec solutions. This is because conventional solutions rely on the users’ “good will”, which is never achieved fully. On the other hand, reverse engineering hacking techniques, including behavioral analysis, reduce human factors.
The final issue concerns whether Info Sec protection solutions based on behavioral analysis and counter measures of hackers techniques form a base line for a total InfoSec protection. This issue was mapped to questions Q5 to Q7 and Q10 to Q14. Here there was a positive answer, because countermeasure hacker’s techniques would analyze and determine hacking processes and behaviors, which is the core of detection and blocking of breaches. But, not fully a total InfoSec protection as the second survey question denied its existence.
Survey Summary
The survey showed that people have experienced an increase in InfoSec threats, despite the fact that they often exercise good InfoSec practices and behavior. The top most information security threat comes from hacker’s attacks for whatever the reason is. This implies that there is a research need for more effective InfoSec solutions against hacker’s attacks. Answers on the survey question number 14 gave a recommendation for InfoSec countermeasures solutions based on hacker’s behavioral analysis; this answer got the highest score on the survey. There are studies and references that give good guidelines for anti-hacker solution with respect to the type of tools and counter hacker techniques and policies as covered in Fadia (2006), Erickson (2008) and Lockhart (2004). InfoSec awareness is a dominating part in overcoming the human factor and the insider issue as stressed by Brancik(2007); that is dealing with human error whatever the reason is, while the best practices gathers past experience from all sources and utilize it in the best possible way to countermeasure hacker’s attacks, Jones and Gallo (2007) and Yuill et al (2006) give good counter hacking approaches. Counter hacker tools should be carefully identified and selected to fit for purpose such as access control, Fire Wall, Intrusion Detection Systems, Intrusion Prevention Systems, encryption (files, storage media, mails and links using SSL, SSH, IPsec, SET), Virtual Private Networks, Network Address Translation, anti-virus and anti-malware knowing that there exist security unit that combine number of security tools into one unit; these tools are detailed in Kanneganti (2008), McClure et al (2005), Shema et al (2006) and Smith and Marchesini (2008).
