Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO Forum, in Pittsburgh July 2013

Talk I gave at ISSA 2013 CISO forum, looking at some human factors issues in cybersecurity. I discuss some of our research in anti-phishing, user interfaces, mental models of cybersecurity, and ways of motivating people.

Speaker notes

  • 1 hour total
  • Will first describe my background and where I’m coming from, so you can get a better understanding of the context of this talk. I work in a field called human-computer interaction. The main goal of human-computer interaction is to understand how to create effective and successful kinds of interactions, ones that are useful, usable, and desirable. Interactions can succeed, and we have lots of examples of successes.
  • However, interactions can also fail, leading to inefficiencies, frustrations, and failures.
  • My colleagues and I combine elements from computer science, psychology, learning science, and interaction design.
  • Modern web browsers have special warnings for identifying phish. Our evaluation of several blacklists shows they catch ~80% of phish after 24 hours, but are not very good in the first few hours. Are these browser interfaces effective? What makes them work (or not)? After that, step back and consider what this all means for training.
  • http://mindfulsecurity.com/2009/09/19/free-threats-security-awareness-posters/
  • So what can we do that goes beyond awareness?
  • Not only can they see it, that person’s friends can see the tagged image too. http://rickwash.com/papers/nspw06r-wash.pdf
  • Our CCS 2012 paper: OTO: Online Trust Oracle for User-Centric Trust Establishment
  • See Folk models of home computer security by Rick Wash http://scholar.google.com/citations?view_op=view_citation&hl=en&user=ef0ApTwAAAAJ&citation_for_view=ef0ApTwAAAAJ:Tyk-4Ss8FVUC
  • These findings led us to think about how to educate and train people about phishing attacks… Also shows some mental model weaknesses.
  • These findings led us to think about how to educate and train people about phishing attacks…
  • Wikipedia Barnstar of Diligence
  • http://opower.com/uploads/library/file/2/understanding_and_motivating_energy_conservation_via_social_norms.pdf
  • http://opower.com/uploads/library/file/2/understanding_and_motivating_energy_conservation_via_social_norms.pdf

Transcript

  • 1. Leveraging Human Factors for Effective Security Training. ISSA CISO Forum 2013. Jason Hong, Associate Professor, Carnegie Mellon University; CTO and Co-Founder, Wombat Security Technologies. (©2009 Carnegie Mellon University)
  • 2. Interactions Can Be Successful
  • 3. Interactions Can Also Fail
  • 4. Human-Robot Interaction; Social Web; Cognitive Tutors; New Interaction Techniques
  • 5. Human Factors Issues in Cybersecurity
    • Studying human factors issues in cybersecurity for 9+ years
      – Why do people fall for phishing scams?
      – How can we train people in a manner that is fun, effective, and measurable?
      – How can we build better user interfaces and security warnings?
  • 6. Influenced MSIE Warnings; Wombat Security Technologies; SciAm & CACM; APWG Landing Page
  • 7. Today’s Talk
    • Discuss some of our research findings
      – Better user interfaces for avoiding attacks
      – Teaching people effectively
    • A model for thinking about cybersecurity awareness and education
    • Three cross-cutting strategies for effective cybersecurity training
  • 8.
    • Every browser now has basic anti-phishing detection built in
    • Are these user interfaces effective?
    • Our 2008 study on warnings
    • And what does it mean for training?
  • 9. Screenshots: Internet Explorer 7 – Passive Warning
  • 10. Screenshots: Internet Explorer 7 – Active Block
  • 11. Screenshots: Mozilla Firefox – Active Block
  • 12. Tested These Four Interfaces
    • Shopping study
      – IE Passive Warning
      – IE Active Block
      – Firefox Active Block
      – Control (no warnings or blocks)
    • Overall results
      – Passive warning completely ineffective
      – About half of people still fell for IE warning
      – No one fell for Firefox warning
    S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
  • 13. Analyzing the Results
    • C-HIP model for real-world warnings
      – See the warning?
      – Understand it?
      – Believe it?
      – Motivated?
      – Can and will act?
  • 14. Screenshots
    • MSIE 7 Active Block
    • Half still fell for phish despite the warning (?)
    • Habituation (similar warnings)
    • Two pathological cases
    • Most saw the warning, but many did not believe it
    • “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad”
  • 15. Two Takeaways
    • Better interfaces can dramatically reduce security problems
    • Model for warnings also relevant for cybersecurity in general
      – See the warning?
      – Understand it?
      – Believe it?
      – Motivated?
      – Can and will act?
  • 16. Basis for the Cybersecurity Training Model: Aware of the security issue? Knowledge of what actions to take? Motivated to act?
  • 17. Cybersecurity Training Model Example: Passwords
    – Aware of the security issue? Don’t reuse passwords; common security risk
    – Knowledge of what actions to take? How to change; secure and memorable
    – Motivated to act? Stories of breaches; require changes
  • 18. Cybersecurity Training Model Example: Smartphone Security
    – Aware of the security issue? Have a PIN on device (about 50% don’t)
    – Knowledge of what actions to take? How to do it on device; avoiding bad PINs
    – Motivated to act? At end of training; start with upper mgt
  • 19. Cybersecurity Training Model (Aware of the security issue? Knowledge of what actions to take? Motivated to act?)
    • Most training starts with awareness
    • Unfortunately, most training also stops with awareness
  • 20. Most Posters Not Effective. http://mindfulsecurity.com/2009/09/19/free-threats-security-awareness-posters/
  • 21. Cybersecurity Training Model (Aware of the security issue? Knowledge of what actions to take? Motivated to act?)
    • Effective training needs to address all these steps
    • Strategy #1 – Foster better mental models
  • 22.
  • 23. Mental Models
    • People inevitably build models of how things work
      – Ex. me and my car
      – Ex. children & computers
      – Ex. maps of New York and Boston
  • 24. Mental Models Impact Security
    • Ex. visibility in Facebook
      – Suppose you have a private Facebook album, but tag someone. Can that person see it or not?
    • Ex. app stores
      – All apps are vetted by Google, so they are all safe to download. Correct?
  • 25. So, we just have to foster the right mental model and then we’re done?
  • 26. There’s not Always a “Right” Mental Model
    • Experts can disagree on
    • We asked 10 experts about malware
  • 27. Incomplete Mental Models Can Still Be Useful
    • Rick Wash’s work on folk models
      – Hackers are technical geeks that do it for fun
      – Hackers seek personal info
      – Hackers only target big fish
      – Hackers only look for big databases of info
      – People took different precautions
    • Incomplete models may still be an improvement over current state
      – Degrees of better and worse
  • 28. Cybersecurity Training (Aware of the security issue? Knowledge of what actions to take? Motivated to act?)
    • Cybersecurity education should foster better mental models
      – Awareness
      – Who and why?
      – Fixing common misconceptions
      – Actionable items
  • 29. Case Study: Phishing Attacks
    • Interviewed 40 people as part of an “email study” (Downs et al., SOUPS 2006)
    • Only 55% of participants said they had ever noticed an unexpected or strange-looking URL
      – Most did not consider them to be suspicious
  • 30. Example: Phishing Attacks
    • 55% of participants reported being cautious when email asks for sensitive financial info
      – But very few reported being suspicious of email asking for passwords
    • Knowledge of financial phish reduced likelihood of falling for these scams
      – But did not transfer to other scams, such as an amazon.com password phish
  • 31. Cybersecurity Training (Teachable Moments; Micro-Games)
    • Strategy #2: Tailor delivery of training for your audience
      – We’re all busy
      – A lot of training is boring (wall of text)
      – Little chance to test what you just learned
  • 32. PhishGuru Simulated Phishing
    • Create teachable moments through simulated phishing emails
    • If recipient falls for it, show intervention that teaches what cues to look for
      – Useful for people who don’t know what they don’t know (low awareness)
  • 33. Subject: Revision to Your Amazon.com Information
  • 34. Subject: Revision to Your Amazon.com Information. Please login and enter your information
  • 35.
    • Why am I seeing this?
    • How was I tricked?
    • How to protect myself?
    • Who and how?
  • 36. Evaluation of PhishGuru
    • Is simulated phishing effective?
      – We’ve done 4 peer-reviewed studies showing embedded training works well
      – About 50% decrease in falling for phish after one training
    P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
    P. Kumaraguru et al. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
  • 37. Results of One Study
    • Tested 500+ people in one month
      – 1 simulated phish at beginning of month, testing done at end of month
    • ~50% reduction in falling for phish
      – 68 out of 85 surveyed recommend continuing doing this sort of training in the future
    “I really liked the idea of sending [org] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful – here's how...”
  • 38. Cybersecurity Training
    • Strategy #2: Tailor delivery of training for audience
      – Create “teachable moments”
      – Micro-games for training
      – Just sending training via email (ineffective)
      – Attending all-day classes (boring, can’t test skills)
      – Watching videos (can’t test skills)
  • 39. Strategy #3: Use Concepts from Learning Science
    • Area of research examining learning, retention, and transfer of skills
    • Example principles
      – Learning by doing
      – Immediate feedback
      – Conceptual-procedural
      – Reflection
      – … many others
  • 40. What About Motivation? (Aware of the security issue? Knowledge of what actions to take? Motivated to act?)
    • Training also needs to address motivation
    • Open question as to best approaches for cybersecurity
  • 41. What Motivates People?
    • Extrinsic factors (outside factors)
      – Pay
      – Privilege, reputation
      – Certificates, trophies
      – Punishment
    • Can’t just slap it on; has to be appropriate and thought through
  • 42.
  • 43. What Motivates People?
    • Intrinsic value of task
      – Fun
      – Curiosity
      – Challenge, mastery
    • Same as before, can’t just slap it on
    • Cybersecurity and intrinsic motivation may be hard to reconcile
    • Intrinsic and extrinsic may conflict
  • 44. What Motivates People?
    • Social factors
      – Reciprocity (you help me, I help you)
      – Altruism
      – Norms
      – Social proof
      – Identification with group
    • Large untapped potential, but open question as to how to best leverage it
  • 45.
  • 46. Energy Consumption
  • 47. Energy Consumption
  • 48. Summary
    • Better user interfaces
    • Cybersecurity training model
      – Better mental models
      – Tailor delivery
      – Learning science
    • Lots of opportunities for motivating people, but still an open question
  • 49. Thanks, where can I learn more? Find more at wombatsecurity.com; jasonh@cs.cmu.edu
  • 50.
  • 51. Timing Matters Too
    • Teachable moments
    • Right after training
    • Repeat enough times and it becomes habit (don’t have to appeal directly to individual motivation anymore)