Knowledgeable Users are the Best Cyber Security Defense, for ISSA webinar Sept2011
I discuss some ways of educating users about cybersecurity, based on research we did at Carnegie Mellon University


    Presentation Transcript

    • Knowledgeable Users are the Best Cyber Security Defense
      Jason Hong, PhD, Assoc. Prof, Carnegie Mellon University; CTO, Wombat Security Technologies
      Copyright © Wombat Security Technologies, Inc. 2008-2011
    • About Wombat Security
      - Founded in 2008 based on research on the human element of computer security at Carnegie Mellon (passwords, access control, privacy policies, etc.)
      - Initial products on anti-phishing
      - Article in Scientific American on protecting people from phishing scams
      - Have given multiple talks at RSA and ISSA about the human element of security
    • Human Element of Security
      - People are an important part of computer security for every organization: keeping passwords strong and secure, avoiding social engineering, avoiding malware, appropriate use of social networking tools, keeping mobile devices secure
      - Overlooking the human element is the most common mistake in computer security
    • Technology Alone Won't Work
      - It is tempting to just buy some software or hardware that promises to solve these problems
      - However, attackers are very resourceful and are constantly looking to circumvent your defenses
      - Also, technology alone can't motivate the people in your organization
      - Examples: recent breaches at RSA, Epsilon, and the Canadian and Australian governments due to phishing emails; malware infections because of social networking
    • Can We Educate End-Users?
      - Users are not motivated to learn about security
      - Security is a secondary task
      - Difficult to teach people to make the right decisions without increasing false positives
      "User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job." Martin Overton, IBM security specialist, http://news.cnet.com/21007350_361252132.html
    • Yes, End-Users Are Trainable
      - Our research demonstrates that users can learn techniques to protect themselves… if you can get them to pay attention to training
      - The problem is that today's training is often boring, time-consuming, and ineffective: an all-day lecture with no chance to practice skills, passively watching videos, or posters, mugs and calendars
      - These raise awareness, but say little about what to actually do
    • How Do We Get People Trained?
      - Create "teachable moments": PhishGuru
      - Make training engaging: Anti-Phishing Phil
      - Use learning science principles throughout
    • PhishGuru Embedded Training
      - Send emails that look like a phishing attack
      - If the recipient falls for it, show an intervention that teaches what cues to look for, in a succinct and engaging format
      - Useful for people who don't know that they don't know
      - Multiple user studies have demonstrated that PhishGuru is effective
      - By contrast, delivering the same training material via a direct (non-embedded) email is not effective
    • Example simulated phish (screenshot slides). Subject: Revision to Your Amazon.com Information. The message asks the recipient: "Please login and enter your information"
    • Evaluation of PhishGuru
      - Is embedded training effective?
      - We've conducted 4 peer-reviewed studies showing embedded training works well
      - Studies showed a significant decrease in falling for phish, and participants retained what they learned
      References:
      P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
      P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
    • Case Study #1: PhishGuru
      - Canadian healthcare organization
      - Three-month embedded training campaign
      - 190 employees
      - Security assessment and effective training in context
    • Simulated Phishing Email (screenshot slide from the case study)
    • Measurable Reduction in Falling for Phish
      Campaign     Employees   Viewed email only   Viewed email and clicked link
      Campaign 1   190         20 (10.53%)         35 (18.42%)
      Campaign 2   190         37 (19.47%)         23 (12.11%)
      Campaign 3   189          7 (3.70%)          10 (5.29%)
      Percentages are of employees who received the simulated phish in that campaign. The same figures were also shown as a bar chart.
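The campaign figures above are the kind of numbers a programme owner has to produce from raw mail-gateway and landing-page events. The Python below is an added example, not Wombat's or the presenter's code: it builds constructed per-employee outcome records that reproduce the table's counts, computes the per-campaign percentages, and lists employees who clicked in more than one campaign, which is the "who is vulnerable" list the deck says training should make measurable. The employee numbering, the outcome names and the helper functions are assumptions made for this example.

```python
"""Per-campaign metrics for an embedded phishing-training programme.

Added example; not Wombat's or the presenter's code. The records are
constructed to reproduce the counts in the case-study table above, so the
employee numbering and the outcome names are assumptions for the example.
"""
from collections import Counter, defaultdict

# Outcome of one simulated phish for one employee.
NO_ACTION, VIEWED, CLICKED = "none", "viewed", "clicked"


def make_campaign(campaign, employees, viewed_only, clicked):
    """Construct (campaign, employee_id, outcome) records for one campaign.

    Employees are numbered 1..employees; the first `clicked` of them click the
    link, the next `viewed_only` open the mail but do not click, the rest do
    nothing. In a real programme these records come from the landing page and
    the mail gateway, one row per simulated phish delivered.
    """
    records = []
    for emp in range(1, employees + 1):
        if emp <= clicked:
            outcome = CLICKED
        elif emp <= clicked + viewed_only:
            outcome = VIEWED
        else:
            outcome = NO_ACTION
        records.append((campaign, emp, outcome))
    return records


def campaign_rates(records):
    """Per-campaign counts and percentages of employees who received the phish.

    Percentages are rounded to two decimals, as in the table. A campaign with
    no delivered mail reports 0.0 rather than dividing by zero.
    """
    per_campaign = defaultdict(Counter)
    for campaign, _emp, outcome in records:
        per_campaign[campaign]["sent"] += 1
        per_campaign[campaign][outcome] += 1
    report = {}
    for campaign, counts in sorted(per_campaign.items()):
        sent = counts["sent"]

        def pct(n):
            return round(100.0 * n / sent, 2) if sent else 0.0

        report[campaign] = {
            "employees": sent,
            "viewed_only": counts[VIEWED],
            "viewed_only_pct": pct(counts[VIEWED]),
            "clicked": counts[CLICKED],
            "clicked_pct": pct(counts[CLICKED]),
        }
    return report


def repeat_clickers(records, min_clicks=2):
    """Employees who clicked in at least `min_clicks` campaigns: the
    'who is vulnerable' list that should get targeted follow-up training."""
    clicks = Counter(emp for _c, emp, outcome in records if outcome == CLICKED)
    return sorted(emp for emp, n in clicks.items() if n >= min_clicks)


# Constructed to match the table: 190, 190 and 189 employees.
CONSTRUCTED_RECORDS = (
    make_campaign(1, 190, viewed_only=20, clicked=35)
    + make_campaign(2, 190, viewed_only=37, clicked=23)
    + make_campaign(3, 189, viewed_only=7, clicked=10)
)

if __name__ == "__main__":
    for campaign, row in campaign_rates(CONSTRUCTED_RECORDS).items():
        print(f"Campaign {campaign}: {row}")
    print("clicked in 2+ campaigns:", repeat_clickers(CONSTRUCTED_RECORDS))
```

Because the constructed records reuse the same employee numbers across campaigns, repeat_clickers returns employees 1 to 23 here; on real data the same function identifies the people who fell for the phish in two or more campaigns, which is where follow-up training is worth spending time.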
    • Case Study #2: PhishGuru
      - Tested with over 500 people in a one-month period
      - 1 simulated phish at the beginning of the month, testing done at the end of the month
      - About 50% reduction in falling for phish
      - 68 out of 85 surveyed said they recommend continuing this sort of training in the future
      - "I really liked the idea of sending [organization] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful – here's how..."
    • Micro-Games for Cyber Security
      - Training doesn't have to be boring, and it doesn't have to take long either
      - Micro-game format: play for a short time
      - Two-thirds of Americans played a video game in the past six months
      - Not just young people: the average game player is 35 years old, and 25% of people over 50 play games
      - Not just males: 40% of casual gamers are women
    • Case Study #3: Anti-Phishing Phil
      - Tested Anti-Phishing Phil with ~4500 people
      - Huge improvement by novices in identifying phishing URLs
      - Also dramatically lowered false positives
    • Chart: False negatives for users who played Anti-Phishing Phil ("game condition"). False negatives are situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest reduction in false negatives, and retained what they had learned.
    • Chart: False positives for users who played the Anti-Phishing Phil game. False positives are situations where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest improvement in reducing false positives, and retained what they had learned.
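The two charts report false negatives and false positives exactly as the captions define them. As an added example, not code from the study or from Anti-Phishing Phil, the Python below scores a participant's pre-test and post-test labels of a constructed URL set against ground truth, computes both rates, and averages them per group so a novice cohort can be compared with an expert one. The test URLs (reserved .test/.invalid names and a documentation IP address), the participants' answers, and the rule that an unlabelled URL counts as "legitimate" (a user who does not recognise a phish proceeds as if it were real) are assumptions made for this example.

```python
"""False-negative / false-positive rates for a phishing-URL labelling test.

Added example, not code from the Anti-Phishing Phil study. All URLs and
participant answers below are constructed (reserved .test/.invalid names
and a documentation IP address), so nothing here resolves or is real.
"""
from statistics import mean

# Ground truth for the constructed test set: True = phishing site.
TEST_URLS = {
    "http://www.example-bank.test/login": False,
    "http://example-bank.test.secure-login.invalid/": True,  # brand in a subdomain
    "http://203.0.113.7/example-bank/update": True,          # bare IP address host
    "http://mail.example.test/inbox": False,
    "http://examp1e-bank.test/verify": True,                 # look-alike domain
    "http://support.example.test/help": False,
}


def rates(truth, answers):
    """Score one participant's answers (url -> True if they called it phishing).

    Returns (false_negative_rate, false_positive_rate):
      FN rate = phishing sites labelled legitimate / all phishing sites
      FP rate = legitimate sites labelled phishing / all legitimate sites
    A URL the participant did not label counts as 'legitimate' (assumption:
    a user who does not recognise a phish proceeds as if it were real).
    """
    phish = [u for u, is_phish in truth.items() if is_phish]
    legit = [u for u, is_phish in truth.items() if not is_phish]
    fn = sum(1 for u in phish if not answers.get(u, False))
    fp = sum(1 for u in legit if answers.get(u, False))
    fn_rate = fn / len(phish) if phish else 0.0
    fp_rate = fp / len(legit) if legit else 0.0
    return fn_rate, fp_rate


def group_means(truth, participants):
    """participants: {group: [(before_answers, after_answers), ...]}.

    Returns {group: {"fn_before", "fn_after", "fp_before", "fp_after"}} with
    each value the mean rate over that group's participants.
    """
    summary = {}
    for group, pairs in participants.items():
        before = [rates(truth, b) for b, _a in pairs]
        after = [rates(truth, a) for _b, a in pairs]
        summary[group] = {
            "fn_before": mean(fn for fn, _fp in before),
            "fn_after": mean(fn for fn, _fp in after),
            "fp_before": mean(fp for _fn, fp in before),
            "fp_after": mean(fp for _fn, fp in after),
        }
    return summary


# Constructed answers. The novice only spots the bare-IP phish before training
# and is over-suspicious of an unfamiliar but legitimate subdomain; after the
# game the novice labels all three phish and no legitimate site.
NOVICE_BEFORE = {
    "http://203.0.113.7/example-bank/update": True,
    "http://mail.example.test/inbox": True,
}
NOVICE_AFTER = {
    "http://example-bank.test.secure-login.invalid/": True,
    "http://203.0.113.7/example-bank/update": True,
    "http://examp1e-bank.test/verify": True,
}
# The expert is already correct on every URL, before and after.
EXPERT_BEFORE = dict(NOVICE_AFTER)
EXPERT_AFTER = dict(NOVICE_AFTER)

PARTICIPANTS = {
    "novice": [(NOVICE_BEFORE, NOVICE_AFTER)],
    "expert": [(EXPERT_BEFORE, EXPERT_AFTER)],
}

if __name__ == "__main__":
    for group, r in group_means(TEST_URLS, PARTICIPANTS).items():
        print(group, {k: round(v, 3) for k, v in r.items()})
```

Reporting the two rates separately matters: a participant who simply labels everything as phishing scores zero false negatives, and only the false-positive rate exposes that the "training" has made them unable to use legitimate sites, which is the trade-off the earlier slide on educating end-users warns about.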
    • Learning Science
      - Area of research examining learning, retention, and transfer of skills
      - Example principles: learning by doing, immediate feedback, conceptual-procedural, reflection
    • Organizational Perspective
      Challenges:
      - People are stretched for time
      - Large number of computer security topics
      Effective training:
      - Needs to respect people's time (short, engaging)
      - Must be effective
      - Up-to-date coverage of security topics
      - Measurable: who is vulnerable, and where
    • Example Topic: Email Security (screenshot slide)
    • Example Topic: Passwords (screenshot slide)
    • Other Training: Social Networks (screenshot slide)
    • Measurable (two screenshot slides)
    • Summary
      - The human element is a critical but most often overlooked aspect of computer security (e.g. phishing scams, passwords, mobile devices)
      - Security training can work, but only if done right!
      - Training needs to respect people's time and be engaging
      - Broad coverage of topics, measurable
      - Wombat's interactive cybersecurity training is available for use
    • Cyber Security Awareness Month
      - Wombat is offering a FREE Cyber Security Vulnerability Assessment
      - Limited time offer for your first campaign FREE* (October 2011)
      - Contact Ralph Massaro at 412-621-1484 x 114 or r.massaro@wombatsecurity.com
      *Up to 100 people
    • Thank you! Where can I learn more?
      - Find more at wombatsecurity.com
      - Anti-Phishing Phil white paper: Cyber Security Training Game Teaches People to Avoid Phishing Attacks
      - PhishGuru white paper: An Empirical Evaluation of PhishGuru Training