Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Upcoming SlideShare
Loading in...5
×
 

Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011

on

  • 288 views

I discuss some ways of changing people's behaviors with respect to cybersecurity, based on research we did at Carnegie Mellon University.

I discuss some ways of changing people's behaviors with respect to cybersecurity, based on research we did at Carnegie Mellon University.

Statistics

Views

Total Views
288
Views on SlideShare
288
Embed Views
0

Actions

Likes
0
Downloads
4
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • http://www.nytimes.com/2008/04/16/technology/16whale.html
  • 2-3.5 billion http://www.gartner.com/it/page.jsp?id=498245
  • 2-3.5 billion http://www.gartner.com/it/page.jsp?id=498245
  • 2-3.5 billion http://www.gartner.com/it/page.jsp?id=498245
  • S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
  • ASSUME THAT THIS IS YOUR EMAIL INBOX AND AMONG OTHER EMAILS.. YOU THIS EMAIL FROM AMAZON THAT JUST LOOKS LIKE THE LEGITIMATE EMAIL FROM AMAZON. WHEN YOU OPEN THE EMAIL ….
  • YOU WILL SEE THIS.. WHICH LOOKS LEGITIMATE.. AND WITH THE DATA THAT WE HAVE .. WE KNOW THAT MOST OF THE USERS WILL CLICK ON THE LINK.. WHEN THEY CLICK ON THE LINK THEY WILL SEE ….
  • P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007. P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer . eCrime 2007.
  • TO ADDRESS SOME OF THE LIMITATIONS IN THIS STUDY, I AM CURRENTLY DOING THIS EXCITING STUDY AMONG CMU STUDENTS/FACULTY/STAFF WHERE I AM PHISHING THEM FOR THE LAST 4 WEEKS… I WAS INTERESTED IN STUDYING LONG TERM RETENTION .. MORE THAN 1 WEEK.. SO IN THIS STUDY WE ARE STUDYING 4 WEEK RETENTION.. IN PREVIOUS STUDY WE STUDIED 1 TRAINING MATERIAL… HERE WE ARE STUDYING 2 MESSAGES… THIS STUDY IS REALLY IN THE WILD AND WE ARE COLLECTING LOT OF DATA…. I M STILL IN THE DATA COLLECTION MODE IN A FEW WEEKS, I SHOULD HAVE SOME RESULTS FROM THIS STUDY…
  • Spear phishing emails are targetted phishing emails COLLECTING VARIETY OF INFORMATION (HR, COMPLAINTS THAT ARE BEING LOGGED TO HELP CENTERS AND ISO) COUNTERBALANCING THE EMAILS COLLECTING DATA FOR LEGITIMATE EMAILS TO SEE WHETHER TRAIING INCREASES CONCERN
  • The idea in this slide is to show that training conditions did better than control conditions and it was significantdifferenc… There is an improvement of 50% among people in PhihsGuru training
  • Spear phishing emails are targetted phishing emails COLLECTING VARIETY OF INFORMATION (HR, COMPLAINTS THAT ARE BEING LOGGED TO HELP CENTERS AND ISO) COUNTERBALANCING THE EMAILS COLLECTING DATA FOR LEGITIMATE EMAILS TO SEE WHETHER TRAIING INCREASES CONCERN
  • 200k people in past 20 months was in May 2010
  • http://www.washingtonpost.com/wp-dyn/content/article/2010/02/05/AR2010020501447.html
  • S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
  • Phil needs to score 6 / 8 to move on to the next rounds, and the end of the round, phil got a chance to reflect what he missed.
  • In between rounds, we also have short tutorials to teach Phil better strategies to identify phishing. In this example, Phil’s father teaches Phil how to use a search engine.
  • THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  • THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  • THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  • THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  • THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  • Biz week http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network. The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River.
  • 2-3.5 billion http://www.gartner.com/it/page.jsp?id=498245

Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011 Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011 Presentation Transcript

  • Jason Hong, PhD Carnegie Mellon University Wombat Security Technologies Achieving Behavioral Change
  • Usable Privacy and Security • We have done extensive research on usable privacy and security at Carnegie Mellon – Passwords, access control, privacy policies, etc – http://cups.cs.cmu.edu/trust.php • Today’s talk on behavioral change and phishing – Why do people fall for these attacks? – What demographics most vulnerable? – What are weaknesses in user interfaces? – Can we actually train people not to fall for phishing?
  • Some Results of Our Research • Startup – Customers of micro-games featured include governments, financials, universities – Our anti-phishing email filter is labeling several million emails per day • Study on browser warnings -> MSIE8 • Elements of our work adopted by Anti-Phishing Working Group (APWG) • Popular press article in Scientific American
  • Two Case Studies + Opportunity • How effective are web browser user interfaces in protecting us from phishing scams? • Can we actually train people to protect themselves? – What kinds of training effective? Ineffective? – Which demographics most vulnerable? • What do voting, saving energy, and re-using towels have in common?
  • Everyday Privacy and Security Problem
  • General Patton is retiring next week, click here to say whether you can attend his retirement party Phishing Increasing in Sophistication Targeting Your Organization • Spear-phishing targets specific groups or individuals • Type #1 – Uses info about your organization
  • Phishing Increasing in Sophistication Targeting Your Organization • Around 40% of people in our experiments would fall for emails like this (control condition)
  • Phishing Increasing in Sophistication Targeting You Specifically • Type #2 – Uses info specifically about you – Social phishing • Uses detailed information from social networking sites, corporate directories, and publicly available data • Ex. Fake emails from friends or co-workers • Ex. Fake colonel (instructor) at West Point • Ex. Fake videos of you and your friends – Past studies indicate social phishing ~4.5x more effective
  • Phishing Increasing in Sophistication Targeting You Specifically Here’s a video I took of your poster presentation.
  • Phishing Increasing in Sophistication Targeting You Specifically • Type #2 – Uses info specifically about you – Whaling – focusing on big targets Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. -- New York Times Apr16 2008
  • How Bad Is Phishing? Perspective of Corporations • Direct damage – Loss of sensitive customer data
  • How Bad Is Phishing? Perspective of Corporations • Direct damage – Loss of sensitive customer data – Loss of intellectual property
  • How Bad Is Phishing? Perspective of Corporations • Direct damage – Loss of sensitive customer data – Loss of intellectual property – Fraud • Recent carbon trading incidents in EU partly due to phish • Indirect damage – Damage to reputation, lost sales, etc – Response costs (call centers, recovery) • One researcher half-joked that banks feared customer call center costs more than phishers
  • Phishing Increasing in Sophistication Combination with Malware • Malware and phishing are becoming combined – Poisoned attachments (Ex. custom PDF exploits) – Links to web sites with malware (web browser exploits) – Can install keyloggers or remote access software
  • Can Web Browser Interfaces Help? • Newer web browsers come with blacklists and special interfaces for identifying phish – Our evaluation of several blacklists show they catch ~80% of phish after 24 hours, not very good in first few hours – Also only catch “shotgun phish” rather than spear-phish • Are these browser interfaces effective?
  • Screenshots Internet Explorer 7 – Passive Warning
  • Screenshots Internet Explorer 7 – Active Block
  • Screenshots Mozilla Firefox – Active Block
  • How Effective are these Warnings? • Tested four conditions – FireFox Active Block – IE Active Block – IE Passive Warning – Control (no warnings or blocks) • “Shopping Study” – Setup some fake phishing pages and added to blacklists – We phished users after real purchases (2 phish/user) – Used real email accounts and personal information S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
  • How Effective are these Warnings? Almost everyone clicked, even those with strong technical backgrounds
  • How Effective are these Warnings? • No one in Firefox condition fell for our phish • People in Firefox condition not more technically savvy
  • Discussion of Phish Warnings • Nearly everyone will fall for highly targeted and contextualized phish • Passive IE warning failed for many reasons – Didn’t interrupt the main task – Can be slow to appear (up to 5 seconds) – Not clear what the right action was – Looked too much like other ignorable warnings (habituation) – Bug in implementation, any keystroke dismissed
  • Screenshots Internet Explorer – Passive Warning
  • Discussion of Phish Warnings • Active IE warnings – Most saw the warning, but many did not believe it • “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad” – Some element of habituation (looks like other warnings) – Saw two pathological cases
  • Screenshots Internet Explorer – Active Block
  • IE8 Re-designed Based on our Work
  • A Science of Warnings • C-HIP model for real- world warnings – See the warning? – Understand it? – Believe it? – Motivated? – Can and will act?
  • Designing for Path of Least Resistance • Where possible, make the default behavior the safe behavior – Ex. The two pathological cases – Assume people won’t see, read, believe, or be motivated by warnings • Active warnings over passive warnings – Interrupt people if warning is important – Need to balance this with habituation • Make important warnings look very different
  • Two Case Studies + Opportunity • How effective are web browser user interfaces in protecting us from phishing scams? • Can we actually train people to protect themselves? – What kinds of training effective? Ineffective? • What do voting, saving energy, and re-using towels have in common?
  • Can We Educate End-Users? • Users are not motivated to learn about security • Security is a secondary task • Difficult to teach people to make right online trust decision without increasing false positives “User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job.” Martin Overton, IBM security specialist http://news.cnet.com/21007350_361252132.html
  • Yes, End-Users Are Trainable • Our research demonstrates that users can learn techniques to protect themselves from phishing… if you can get them to pay attention to training • Problem is that today’s training often boring, time consuming, and ineffective – All day lecture, but no chance to practice skills – Or read text online and take very basic quizzes – Or passively watching videos – Or posters and mugs and calendars – Raise awareness, but little on what to actually do P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMU CyLab07003, 2007.
  • How Do We Get People Trained? • Create “teachable moments”: PhishGuru • Make training fun: Anti-Phishing Phil • Use learning science principles throughout – Ex. Concrete-Abstract, Multimedia, Immediate Feedback PhishGuru Anti-Phishing Phil
  • PhishGuru Embedded Training • Send emails that look like a phishing attack • If recipient falls for it, show intervention that teaches what cues to look for in succinct and engaging format – Useful for people who don’t know that they don’t know • Multiple user studies have demonstrated that PhishGuru is effective • Delivering same training via direct email is not effective!
  • Subject: Revision to Your Amazon.com InformationSubject: Revision to Your Amazon.com Information
  • Subject: Revision to Your Amazon.com InformationSubject: Revision to Your Amazon.com Information Please login and enter your informationPlease login and enter your information
  • Evaluation of PhishGuru • Is embedded training effective? – Study 1: Lab study, 30 participants – Study 2: Lab study, 42 participants – Study 3: Field trial at company, ~300 participants – Study 4: Field trial at CMU, ~500 participants • Studies showed significant decrease in falling for phish and ability to retain what they learned P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007. P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.
  • Study #4 at CMU • Investigate effectiveness and retention of training after 1 week, 2 weeks, and 4 weeks • Compare effectiveness of 2 training messages vs 1 training message • Examine demographics and phishing P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. 2009. SOUPS 2009.
  • Study design • Sent email to all CMU students, faculty and staff to recruit participants (opt-in) • 515 participants in three conditions – Control / One training message / Two messages • Emails sent over 28 day period – 7 simulated spear-phishing messages – 3 legitimate (cyber security scavenger hunt) • Campus help desks and IT departments notified before messages sent
  • Effect of PhishGuru Training Condition N % who clicked on Day 0 % who clicked on Day 28 Control 172 52.3 44.2 Trained 343 48.4 24.5
  • Pop Quiz • Which group most vulnerable to phishing attacks? – 18-25 – 26-35 – 36-45 – 45+
  • Surprisingly, Students Most Vulnerable • Students significantly more likely to fall for phish than staff before training • No significant differences based on student year, department, or gender • 18-25 age group most vulnerable Age group Day 0 Day 28 18-25 62% 36% 26-35 48% 16% 36-45 33% 18% 45 and older 43% 10%
  • Discussion of PhishGuru • PhishGuru can teach people to identify phish better – People retain the knowledge • People trained on first day less likely to be phished • Two training messages work better – People weren’t less likely to click on legitimate emails – People aren’t resentful, many happy to have learned • 68 out of 85 surveyed said they recommend CMU continue doing this sort of training in future • “I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how....”
  • APWG Landing Page • CMU and Wombat helped Anti-Phishing Working Group develop landing page for taken down sites – Already in use by several takedown companies – Seen by ~200,000 people in past 27 months
  • Two Case Studies + Opportunity • How effective are web browser user interfaces in protecting us from phishing scams? • Can we actually train people to protect themselves? – What kinds of training effective? Ineffective? • What do voting, saving energy, and re-using towels have in common?
  • Voting and Saving Energy • Many economists say that voting is completely irrational behavior – Odds of one vote making a difference is close to zero – But, strong predictor of whether someone votes or not is how many other people they know that vote • Many people say they conserve energy because – Environmental protection, benefit to society, saving money – But, strongest predictor is if you believe everyone else is too – And, strongest intervention is telling people all their neighbors are saving energy too – Similar results for recycling, reusing towels • Is there an opportunity here for improving security?
  • Prize-Linked Lotteries • Most Americans don’t save enough money • But average American household spends $500 on lottery tickets – Estimates are that 80% of lottery revenue comes from households of $50k and under • Prize-Linked Lottery – Every $25 you save, you get a lottery ticket from bank – Grand prize of $100k per year, smaller prizes throughout – Dramatically increased rates of savings • Better than a CD with 10% interest! • Is there an opportunity here for improving security?
  • Open Challenge for Computer Security • Incorporate more human behavioral science into how we operate – In terms of how security policies set – In terms of how products are designed – Hopefully, I’ve demonstrated (potential) utility – Lots of untapped potential with even simple approaches • Challenge here is “magic black box” mentality – At RSA, lots of technical and marketing people, all think alike – Not enough about user interfaces, incentives, how small groups work, how people make decisions, etc
  • Summary • Browser warnings – Focus on path of least resistance – See, understand, believe, motivated? • Anti-phishing training – Create teachable moments – Use learning science • Behavioral sciences offer many untapped opportunities • Can try PhishGuru, Phil, and Phyllis at: www.wombatsecurity.com
  • Acknowledgments • Ponnurangam Kumaraguru • Steve Sheng • Lorrie Cranor • Norman Sadeh Thanks Everyone!
  • Anti-Phishing Phil • A micro-game to teach people not to fall for phish – PhishGuru about email, this game about web browser – Also based on learning science principles • Goals – How to parse URLs – Where to look for URLs – Use search engines for help • Try the game! – Search for “phishing game” S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In SOUPS 2007, Pittsburgh, PA, 2007.
  • Anti-Phishing Phil
  • Evaluation of Anti-Phishing Phil • Is Phil effective? Yes! – Study 1: 56 people in lab study – Study 2: 4517 people in field trial • Brief results of Study 1 – Phil about as effective in helping people detect phishing web sites as paying people to read training material – But Phil has significantly fewer false positives overall • Suggests that existing training material making people paranoid about phish rather than differentiating
  • Evaluation of Anti-Phishing Phil • Study 2: 4517 participants in field trial – Randomly selected from 80000 people • Conditions – Control: Label 12 sites then play game – Game: Label 6 sites, play game, then label 6 more, then after 7 days, label 6 more (18 total) • Participants – 2021 people in game condition, 674 did retention portion
  • Anti-Phishing Phil: Study 2 • Novices showed most improvement in false negatives (calling phish legitimate)
  • Anti-Phishing Phil: Study 2 • Improvement all around for false positives
  • Anti-Phishing Phyllis • New micro-game just released by Wombat Security • Focuses on teaching people about what cues to look for in emails – Some emails are legitimate, some fake – Have to identify cues as dangerous or harmless
  • Tells people why they are seeing this message, uses engaging character Tells people why they are seeing this message, uses engaging character
  • Tells a story about what happened and what the risks are Tells a story about what happened and what the risks are
  • Gives concrete examples of how to protect oneself Gives concrete examples of how to protect oneself
  • Explains how criminals conduct phishing attacks Explains how criminals conduct phishing attacks
  • How Bad Is Phishing? Consumer Perspective • Estimated ~0.5% of Internet users per year fall for phishing attacks • Conservative $1B+ direct losses a year to consumers – Bank accounts, credit card fraud – Doesn’t include time wasted on recovery of funds, restoring computers, emotional uncertainty • Growth rate of phishing – 30k+ reported unique emails / month – 45k+ reported unique sites / month • Social networking sites now major targets
  • This entire process known as phishing