You too can have fun with your security instructions…

Security officers rarely have a reputation for being fun. A "security officer" who walks into a meeting is usually seen as the one who gets in the way. If that is the case, they have work to do because, in my humble opinion, they should be seen as the person who helps the company and its projects move forward by securing them and making them sustainable.

It cannot be repeated often enough: no security plan and no security policy is of any use unless it is communicated to, understood by and applied by everyone concerned. In most companies, security is everyone's business. Unfortunately, security awareness campaigns are all too often unimaginative, incomprehensible and unattractive (not to say ugly), and some even end up encouraging behaviour contrary to their own goals because of ill-suited communication and messaging.

Airlines are no exception. To ensure their passengers' safety, they ask them to listen, at the start of every flight, to the safety briefing reminding them to fasten their seat belt, stow their hand luggage and breathe into the oxygen mask should one suddenly drop in front of them. If you have ever flown, you may remember it. You probably also remember that it is a slightly tedious moment (especially if you fly often). I don't know whether surveys have shown that most passengers don't remember these basic rules, but it seems that some airlines (or sometimes individual flight attendants) invest in a more enjoyable delivery of their safety briefing.

It would be interesting to assess whether these initiatives improve passengers' recall of the safety rules and, above all, how closely their behaviour matches those rules. Most likely, the main benefit of these initiatives is a better, friendlier image for the company. There is nevertheless a lesson to draw from this, especially for security officers who are perceived as boring (as are their rules): with a little creativity, one can change the image and the perception of the rules and, probably, increase compliance with them. So here are a few examples of creativity in this area. Even if the principles of persuasive communication are not always taken into account, at least it is fun, and it already comes closer to one of the essential rules: KISSS (Keep It Simple, Stupid & Sexy).

Information classification for dummies

Most companies serious about security have an information classification policy. Too often, this policy has been drafted from common practice and brings no added value to the business, nor does it fit the business reality. In fact, security people too often don't even understand the real purpose of classifying information, so their users don't understand why they should classify it either. When people don't understand the meaning of an action, unless they have been well conditioned, they are unlikely to repeat it. As a consequence, information classification policies are often not used or, at best, badly applied.

Whatever you do in information security, it must have a meaning and, even more, it must add value. The main purpose of classification is to foster adequate behaviour towards information. If you want to change behaviours, and even more if you want them to be appropriate, you had better give people a good understanding of why you do things.

So here are two little examples that will make your users understand the rationale behind information classification. You can easily combine them with images or turn them into a story for a presentation.

First example

Let's start with a non-informational asset, as it might be easier to understand the rationale.

Imagine you are moving to a new house and you are packing your boxes (it has most likely already happened to you).

Among your belongings (which we call Assets), there is a beautiful vase you received from your mother (or mother-in-law) at your wedding. Although the monetary value of the vase is high (Financial risk), it is mostly to avoid conflict with your mother(-in-law) (Reputational risk) that you don't want it to break into pieces during transport (Threat).

Your risk of losing the vase's integrity = the probability of breaking it during the move (highly probable) × the number of times you will likely hear your mother(-in-law) remind you that you broke her beautiful gift (likely a high cost for your nerves, your self-esteem and your relationship). High probability multiplied by high impact (we call that a High risk): you will probably decide to put the vase alone in a box with a lot of bubble wrap and handle that box with extra care.

Unfortunately, movers are not famous for their carefulness with boxes, and you won't have time to watch the box all day long to prevent an incident (we call that mitigating the risk). So you decide to warn the movers, or any friend coming to help, that the box contains a precious item.

You put a nice label on the box (FRAGILE) to inform people that its content requires careful handling (we call that Classification) and expect the movers to behave accordingly…

That's exactly what we do with information and our Asset Classification, and we also expect you to behave like our cautious and devoted movers.

Another example

Let's take another example, this time involving information, and talk about your salary.

Your monthly salary is information. It is mentioned in your employment contract, on your monthly pay slip, in the financial system and probably in your head if you know it by heart. Whether you have thought about it or not, this particular piece of information faces a number of threats. We can divide these threats into three main categories, which we will call Confidentiality, Integrity and Availability.

The first type of threat only exists if you don't want to share your salary with the rest of the world. Maybe you put it on your LinkedIn profile or even in your Facebook personal details? It is more likely that you don't want to share this information with everybody (your colleagues, your neighbour, your ex-wife, any door-to-door salesman, or any thief who would become more interested in your house). Moreover, disclosing this information to someone you don't want to share it with can have a different impact depending on the circumstances (in some countries, being wealthy increases the risk of having your relatives kidnapped).

Depending on the impact an unwanted disclosure would have on you, you will handle this information with care or not. Let's assume it is of medium importance to you: you will probably put your pay slip in your briefcase or your bag and not leave it lying open on your desk. You may even write the words "personal and confidential" on the envelope to make sure nobody dares to open it without asking you. Well, you have just classified your salary in the Confidentiality dimension.

The second threat, Integrity, might have a greater impact on you, good or bad. Imagine someone succeeds in changing it (multiplying it by ten, or dividing it by ten). In the first case you might be quite happy; in the latter, quite annoyed. The impact of losing what we call the integrity of that information might be quite high. You expect your employer to ensure the value remains the one you agreed with them (throughout the payment systems, the employment contract and so on). In doing so, you classify your salary as information with a high Integrity requirement.

The last threat to this information is its unavailability. Most of the time, you don't care about your salary (the information, that is; you are probably more interested in one of its consequences: the amount in your bank account). Nevertheless, a few days before you receive the payment of this salary, this information is indispensable. If, by any chance, the system were unable to provide the information on that day, you might be stressed. Should the company take six months to restore the system and pay your salary, you would likely be more than upset. You will then probably agree that the availability of this information matters to you, and you will probably be able to define the number of days you could wait before it causes you serious financial problems. That is exactly the purpose of classifying the information's availability.

You now understand why we classify information: to create adequate protective behaviours in the people handling the information by communicating the impact of certain types of incidents. The final goal is to lower risks to an acceptable and sustainable level. For instance, when we classify information at the confidentiality level Confidential, we want you to understand that if someone unauthorized gains access to this information, it might cost us a lot of money or severely damage our reputation.