
How to get the truth in a risk assessment interview

The past 2 weeks I got way off my blogging schedule in between a home improvement project, a JP Big Band gig, babysitting grandchildren and .... work.

How to Get the Truth From Interviewees?

The challenge: how to ask employees effective questions during a risk assessment.

You have the job of collecting data for a risk assessment in a client's business unit. You sit down with the security and compliance manager and schedule meetings with people in the unit. You figure you're going to be less than thrilled with the quality of information you receive, and the employees may not be excited by your standard checklist questions. However, you know that whistleblowing is innate in all of us, and it's worth trying to get to first base.

Drop the compliance checklist and use an attack modeling approach instead.

Explain the notion of valuable company assets, vulnerabilities, threats that exploit vulnerabilities, and security countermeasures. It will take a few minutes, and every employee I've ever met will grok the concept immediately. For starters, just ask 4 questions:

1. What is the most important asset in your job?
2. What do you think is the single biggest threat to that asset?
3. How do attackers cause damage to the asset?
4. If you could give the security and compliance manager a single suggestion, what would it be?

About

This page contains a single entry from the blog posted on July 22, 2008 1:24 PM.

This weblog is licensed under a Creative Commons License.