Knowledgeable Users are the Best Cyber Security Defense, for ISSA webinar Sept 2011
1. Copyright © Wombat Security Technologies, Inc. 2008-2011
Jason Hong, PhD
Assoc. Prof, Carnegie Mellon University
CTO, Wombat Security Technologies
Knowledgeable Users are the Best Cyber Security Defense
2. About Wombat Security
Founded in 2008 based on research on human
element of computer security at Carnegie Mellon
Passwords, access control, privacy policies, etc
Initial products on anti-phishing
Article in Scientific American on protecting
people from phishing scams
Have given multiple talks at RSA, ISSA
about human element of security
3. Human Element of Security
People are an important part of computer
security for every organization
Keeping passwords strong and secure
Avoiding social engineering
Avoiding malware
Appropriate use of social networking tools
Keeping mobile devices secure
Overlooking human element is the most
common mistake in computer security
4. Technology Alone Won’t Work
Tempting to just buy some software or
hardware that promises to solve these problems
However, attackers are very resourceful,
constantly looking to circumvent your defenses
Also, technology alone can’t motivate people in
your organization
Examples
Recent breaches at RSA, Epsilon, Canadian and
Australian government due to phishing emails
Malware infections because of social networking
5. Can We Educate End-Users?
Users are not motivated to learn about security
Security is a secondary task
Difficult to teach people to make right decisions
without increasing false positives
“User education is a complete waste of time. It is
about as much use as nailing jelly to a wall….
They are not interested…they just want to do
their job.”
Martin Overton, IBM security specialist
http://news.cnet.com/21007350_361252132.html
6. Yes, End-Users Are Trainable
Our research demonstrates that users can learn
techniques to protect themselves… if you can get
them to pay attention to training
Problem is that today’s training is often boring,
time consuming, and ineffective
All day lecture, but no chance to practice skills
Or passively watching videos
Or posters and mugs and calendars
Raise awareness, but little on what to actually do
7. How Do We Get People Trained?
Create “teachable moments”: PhishGuru
Make training engaging: Anti-Phishing Phil
Use learning science principles throughout
PhishGuru Anti-Phishing Phil
9. PhishGuru Embedded Training
Send emails that look like a phishing attack
If recipient falls for it, show intervention that
teaches what cues to look for in succinct and
engaging format
Useful for people who don’t know that they don’t know
Multiple user studies have demonstrated
that PhishGuru is effective
Delivering training via direct email is not effective
10. Subject: Revision to Your Amazon.com Information
11. Subject: Revision to Your Amazon.com Information
Please login and enter your information
13. Evaluation of PhishGuru
Is embedded training effective?
We’ve conducted 4 peer-reviewed studies
showing embedded training works well
Studies showed a significant decrease in falling
for phish and that people retained what they learned
P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
14. Case Study #1: PhishGuru
Canadian healthcare organization
Three-month embedded training campaign
190 employees
Security assessment and effective training in context
17. Measurable Reduction in Falling for Phish
(counts per campaign; percentages are of the Employees column, and the two categories are mutually exclusive)

              Viewed Email Only      Viewed Email and Clicked Link    Employees
Campaign 1      20      10.53%            35      18.42%                190
Campaign 2      37      19.47%            23      12.11%                190
Campaign 3       7       3.70%            10       5.29%                189
18. [Bar chart of the same data: for Campaign 1, 2 and 3, employees who viewed the email only versus those who viewed the email and clicked the link; horizontal axis 0 to 40]
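As an added example (not Wombat's or the case study's own code), this shows how the two mutually exclusive columns of the campaign table can be computed from a per-employee event log and how the slide's percentages and campaign-over-campaign reduction are derived; the log format, the sample events and the employee ids are constructed assumptions.

```python
"""Campaign metrics in the layout of the PhishGuru case-study table.

An employee who clicked counts only under 'viewed and clicked', never also
under 'viewed only'; rates are over all employees in the campaign.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: (campaign, employee_id, event). Repeated events
# (an employee opening the email twice) must not inflate the counts.
SAMPLE_EVENTS = [
    (1, "e01", "view"), (1, "e01", "view"), (1, "e02", "view"),
    (1, "e03", "view"), (1, "e03", "click"), (1, "e04", "click"),
    (2, "e01", "view"), (2, "e02", "view"), (2, "e03", "view"),
    (2, "e05", "view"), (2, "e05", "click"),
]


@dataclass(frozen=True)
class CampaignResult:
    campaign: int
    employees: int
    viewed_only: int
    viewed_and_clicked: int

    @property
    def viewed_only_pct(self) -> float:
        return round(100.0 * self.viewed_only / self.employees, 2)

    @property
    def clicked_pct(self) -> float:
        return round(100.0 * self.viewed_and_clicked / self.employees, 2)


def summarize(events, employees_per_campaign):
    """Return {campaign: CampaignResult} with mutually exclusive categories."""
    viewers = defaultdict(set)   # campaign -> employees who viewed
    clickers = defaultdict(set)  # campaign -> employees who clicked
    for campaign, employee, event in events:
        if event == "click":
            # A click implies the email was seen even if no view event was
            # logged (e.g. a mail client that blocked the tracking image).
            viewers[campaign].add(employee)
            clickers[campaign].add(employee)
        elif event == "view":
            viewers[campaign].add(employee)
    results = {}
    for campaign, total in employees_per_campaign.items():
        clicked = clickers[campaign]
        viewed_only = viewers[campaign] - clicked  # set difference, not a count
        results[campaign] = CampaignResult(campaign, total, len(viewed_only), len(clicked))
    return results


def relative_reduction(first: CampaignResult, last: CampaignResult) -> float:
    """Relative drop in click rate from one campaign to a later one, in percent."""
    return round(100.0 * (first.clicked_pct - last.clicked_pct) / first.clicked_pct, 1)
```

Feeding the slide's own counts into CampaignResult reproduces its percentages (e.g. 35 of 190 clickers is 18.42%) and gives a 71.3% relative reduction in click rate from Campaign 1 to Campaign 3.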
19. Case Study #2: PhishGuru
Tested with over 500 people in a one-month period
1 simulated phish at beginning of month,
testing done at end of month
About 50% reduction in falling for phish
68 out of 85 surveyed said they would recommend continuing
this sort of training in the future
“I really liked the idea of sending [organization] fake
phishing emails and then saying to them, essentially,
HEY! You could've just gotten scammed! You should
be more careful – here's how...”
20. How Do We Get People Trained?
Create “teachable moments”: PhishGuru
Make training engaging: Anti-Phishing Phil
Use learning science principles throughout
PhishGuru Anti-Phishing Phil
21. Micro-Games for Cyber Security
Training doesn’t have to be boring
Training doesn’t have to take long either
Micro game format, play for short time
Two-thirds of Americans played
a video game in past six months
Not just young people
Average game player 35 years old
25% of people over 50 play games
Not just males
40% of casual gamers are women
22. Case Study 3: Anti-Phishing Phil
Tested Anti-Phishing Phil with ~4500 people
Huge improvement by novices in identifying
phishing URLs
Also dramatically lowered false positives
29. [Figure] False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest reduction in false negatives, and retained what they had learned.
30. [Figure] False positives for users who played the Anti-Phishing Phil game. False positives are situations where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest improvement in reducing false positives, and retained what they had learned.
31. How Do We Get People Trained?
Create “teachable moments”: PhishGuru
Make training engaging: Anti-Phishing Phil
Use learning science principles throughout
PhishGuru Anti-Phishing Phil
32. Learning Science
Area of research examining learning,
retention, and transfer of skills
Example principles
Learning by doing
Immediate feedback
Conceptual-procedural
Reflection
33. Organizational Perspective
Challenges:
People are stretched for time
Large number of computer security topics
Effective training:
Needs to respect people’s time (short, engaging)
Be effective
Up-to-date coverage of security topics
Measurable – who is vulnerable, where
35. Example Topic: Email Security
37. Other Training: Social Networks
40. Summary
Human element is critical but most often
overlooked aspect of computer security
Ex. phishing scams, passwords, mobile devices
Security training can work, but only if done right!
Training needs to respect people’s time and be engaging
Broad coverage of topics, and measurable results
Wombat’s interactive cybersecurity training
available for use
41. Cyber Security Awareness Month
Wombat is offering a FREE Cyber Security
Vulnerability Assessment
Limited time offer for your first campaign FREE*
October 2011
Contact Ralph Massaro at 412-621-1484 x 114 or
r.massaro@wombatsecurity.com
*Up to 100 people
42. Thank you!
Thanks, where can
I learn more?
Find more at
wombatsecurity.com
Anti-Phishing Phil white paper:
Cyber Security Training Game
Teaches People to Avoid Phishing
Attacks
PhishGuru white paper:
An Empirical Evaluation of
PhishGuru Training