P.S: This is a reproduction of what I posted today at Linkedin.
Cyber Crimes is accepted as a big concern for all of us. When there is a phishing attack that wipes out the bank account of a victim or a cloned credit card is swiped to hoist a person with a crippling debt, we all bemoan about the risks of Cyber space. However, we the professionals think that we are immune to such attacks and think that it only affects our neighbor.
However a normal risk analysis indicates that since we the professionals use more of IT, app banking, app payments, e-retail purchases etc., we are more vulnerable than those who seldom use credit cards or e-banking and whom we dub as the digital illiterates who respond to phishing emails. Also with the growing use of malware to intrude our systems the traditional mode of stealing identity information by social engineering is only one method against which we may be immune. More breaches occur through simply being present on Cyber space…all of us are at higher risk on this account since we spend 18 hours of the day in Cyber space.
Further, in our professional environment, most of us have responsibilities to protect information of our company. We know that “Data Breach Risk” is very much present in our environment. Each day we feel lucky that yet another day has passed without a major information security issue in our midst. Many of us thank our stars that Indian public are unaware of their rights to demand compensation when their personal data is not protected by us as required under law. Otherwise incidents such as Anthem data breach can wipe out even our IT majors in a single data breach incident. Despite this, at the organizational level we have not factored “Potential Third party Liability Risk” as a part of our dashboard.
In these circumstances, a group of professionals like me thought it necessary to wake up the Cyber Insurance Industry in India and in the process have undertaken an India Cyber Insurance Survey 2015 .
The objective of this survey is to capture the perception of the user industry on what they expect from a Cyber Insurance product.
Information about this survey with a request for participation has been sent to most of the Information Security professionals in India. However the response to participating in the survey is pathetic. The survey which takes hardly 20 minutes to complete (More if one wants to understand the questions and the import of each question) has seen very few information security professionals responding.
This apathy amongst informed professionals who should be able to appreciate the importance of Cyber Insurance for their own profession and the community in general raises an important issue of human behaviour which is important for all Information Security professionals.
The key here is “Motivation”. Obviousy, our IS friends are not motivated enough to participate in the survey. I am trying to analyze why there is this reluctance to participate in the survey and here are some of my thoughts drawn from my earlier observations on the “Behavioral Aspects of Information Security” expressed at naavi.org.
In the “Theory of Information Security Motivation” that I have propounded, I have identified 5 elements to be managed for successful implementation of Cyber Security in an organization. I have also propounded that these five elements are like five walls of the security pentagon as shown below and have to be simultaneously managed for successful implementation of information security through management of people.
This theory may explain why our staff does not follow the policy guidelines even after a training (creating awareness) and what more needs to be done.
Applying this principle, I am trying to understand why the Information Security professionals are not responding to participating in the Insurance survey and would like to share my views in this forum so that readers can respond.
Through various forums such as email groups, and articles on naavi.org, enough awareness has been created on the survey, its purposes and benefits.
The next question is…Can this awareness be converted into “acceptance”?. In an organizational environment, “acceptance” can be achieved through “Ethical declarations”. But in a loosely connected social media network, “acceptance” has to come only out of self motivation. I however make an attempt by making this request to all my friends in this forum, at least those who are in India to take a vow today to complete the survey questionnaire during this week end and be part of the larger cause to start a national debate on Cyber Insurance. (More of my views on this can be seen at www.naavi.org)
The third element of the TISM pentagon is “Availability”. In the IS implementation context this represents the provision of technology tools to the employees by the organization. In the context of this survey, we have the tool as an online form easy to access through a single click.
Mandate represents the policy in the organizational context and cyber laws in the national context. Obviously, this cannot be used by us on the prospective survey respondents. Let’s agree to leave this wall open.
Inspiration represents the element which goes beyond the efforts of a CISO to push implementation and represents the self motivation instincts present in all professionals. Most of the members of this forum have an element of self motivation which has enabled them reach certain levels of professional excellence. Even those who have not yet reached professional high points, have come to this platform only to prepare themselves in the future.
I therefore see that out of the 5 elements of the pentagon, we have Awareness, Availability and Inspiration covered in our reach out to this forum. “Mandate” is out of the way and “Acceptance” is a shadow of “Inspiration”. With three and half walls covered, there is a interest leak in the other one and half walls that is perhaps delaying the professionals from responding to the survey.
I hope after reading this post, every one of this forum would complete the survey. I even invite my foreign friends to participate so that we do get a perspective different from the Indian friends.
So…the link to the survey form is : here: Click Now