0
Copyright © Wombat Security Technologies, Inc. 2008-2010
ISSA Webinar May 2012
Jason Hong, PhD
Assoc. Prof, Carnegie Mello...
Copyright © Wombat Security Technologies, Inc. 2008-2012
About the Speaker
 Assoc. Professor
 Carnegie Mellon University...
Copyright © Wombat Security Technologies, Inc. 2008-2012
About this Talk
 Useful for people interested in:
 How to effec...
Copyright © Wombat Security Technologies, Inc. 2008-2012
What is Human-Computer
Interaction?
 Field that seeks to underst...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Interactions Can Be Successful
Copyright © Wombat Security Technologies, Inc. 2008-2012
Interactions Can Also Fail
Copyright © Wombat Security Technologies, Inc. 2008-2012
Design Principles in 5 Minutes
 How do people believe
how things...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Mental Models Example:
Refrigerator
Freezer
(temperature too cold...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Refrigerator Controls
What is a typical conceptual model?
Normal ...
Copyright © Wombat Security Technologies, Inc. 2008-2012
7 6 5 4 3
A B C D E
Most people think of
independent controls
Coo...
Copyright © Wombat Security Technologies, Inc. 2008-2012
 Two general solutions:
 make controls map to user’s mental mod...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Nissan Maxima Gear Shift
Copyright © Wombat Security Technologies, Inc. 2008-2012
 Users create a model from what they hear
from others, past expe...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Mental Models
 People inevitably build models of how
things work...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Example: Phishing Attacks
 Interviewed 40 people as part of an “...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Example: Phishing Attacks
 55% of participants reported being
ca...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Can We Educate End-Users?
 Users not motivated to learn
 Securi...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Yes, End-Users Are Trainable
 Our research demonstrates users ca...
Copyright © Wombat Security Technologies, Inc. 2008-2012
How Do We Get People Trained?
 Create “teachable moments”
 Micr...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Micro-Games for Cyber Security
 Training doesn’t have to be long...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Case Study: Anti-Phishing Phil
 Tested Anti-Phishing Phil with ~...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Copyright © Wombat Security Technologies, Inc. 2008-2012
Copyright © Wombat Security Technologies, Inc. 2008-2012
Copyright © Wombat Security Technologies, Inc. 2008-2012
Copyright © Wombat Security Technologies, Inc. 2008-2012
Copyright © Wombat Security Technologies, Inc. 2008-2012
Copyright © Wombat Security Technologies, Inc. 2008-2012
Summary
 Human element most overlooked
aspect of computer securi...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Thanks, where can
I learn more?
Find more at
wombatsecurity.com
i...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Copyright © Wombat Security Technologies, Inc. 2008-2012
False negatives for users who played Anti-Phishing Phil (“game co...
Copyright © Wombat Security Technologies, Inc. 2008-2012
False positives for users who played the Anti-Phishing Phil game....
Copyright © Wombat Security Technologies, Inc. 2008-2012
Copyright © Wombat Security Technologies, Inc. 2008-2012
Example Topic: Email
Security
Copyright © Wombat Security Technologies, Inc. 2008-2012
Example Topic: Passwords
Copyright © Wombat Security Technologies, Inc. 2008-2012
Other Training: Social
Networks
Copyright © Wombat Security Technologies, Inc. 2008-2012
Measurable
Copyright © Wombat Security Technologies, Inc. 2008-2012
Measurable
Copyright © Wombat Security Technologies, Inc. 2008-2012
Case Study #1: PhishGuru
 Canadian healthcare organization
 Thr...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Simulated Phishing Email
Copyright © Wombat Security Technologies, Inc. 2008-2012
Case Study
Copyright © Wombat Security Technologies, Inc. 2008-2012
Measurable Reduction in Falling
for Phish
Viewed
Email
Only %
Vie...
Copyright © Wombat Security Technologies, Inc. 2008-2012
0 10 20 30 40
Campaign3
Campaign2
Campaign1
ViewedEmail and Click...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Can We Educate End-Users?
 Users not motivated to learn
 Securi...
Copyright © Wombat Security Technologies, Inc. 2008-2012
Human Element of Security
 People are key part of computer
secur...
Upcoming SlideShare
Loading in...5
×

Leveraging Human Factors for Effective Security Training, for ISSA Webinar May 2012

84

Published on

Talk I gave for an ISSA Webinar on effective security training, looking at human factors issues.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
84
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Multiple choice questionsAudience questions too
  • These findings led us to think about how to educate and train people about phishing attacks…
  • http://news.cnet.com/21007350_361252132.html
  • These findings led us to think about how to educate and train people about phishing attacks…
  • http://news.cnet.com/21007350_361252132.html
  • Transcript of "Leveraging Human Factors for Effective Security Training, for ISSA Webinar May 2012"

    1. 1. Copyright © Wombat Security Technologies, Inc. 2008-2010 ISSA Webinar May 2012 Jason Hong, PhD Assoc. Prof, Carnegie Mellon University CTO, Wombat Security Technologies
    2. 2. Copyright © Wombat Security Technologies, Inc. 2008-2012 About the Speaker  Assoc. Professor  Carnegie Mellon University, Human-Computer Interaction  Usable privacy and security, Mobile computing  Co-author  Co-founder of Wombat Security Technologies
    3. 3. Copyright © Wombat Security Technologies, Inc. 2008-2012 About this Talk  Useful for people interested in:  How to effectively train people?  How to effectively design better user interfaces for privacy and security?  One case study from my research Micro Games for Security Education
    4. 4. Copyright © Wombat Security Technologies, Inc. 2008-2012 What is Human-Computer Interaction?  Field that seeks to understand the relationship between people & computers  Designing useful, usable, desirable artifacts  Understanding how people use systems  Expanding the ways we can use computers  Combines behavioral sciences, interaction design, and computer science
    5. 5. Copyright © Wombat Security Technologies, Inc. 2008-2012 Interactions Can Be Successful
    6. 6. Copyright © Wombat Security Technologies, Inc. 2008-2012 Interactions Can Also Fail
    7. 7. Copyright © Wombat Security Technologies, Inc. 2008-2012 Design Principles in 5 Minutes  How do people believe how things work?  Mental models describe how a person thinks something works  Incorrect mental models can make things very hard to understand and use
    8. 8. Copyright © Wombat Security Technologies, Inc. 2008-2012 Mental Models Example: Refrigerator Freezer (temperature too cold) Fresh food (temperature just right)
    9. 9. Copyright © Wombat Security Technologies, Inc. 2008-2012 Refrigerator Controls What is a typical conceptual model? Normal Settings C and 5 Colder Fresh Food C and 6-7 Coldest Fresh Food B and 8-9 Colder Freezer D and 7-8 Warmer Fresh Food C and 4-1 OFF (both) 0 A B C D E 7 6 5 4 3
    10. 10. Copyright © Wombat Security Technologies, Inc. 2008-2012 7 6 5 4 3 A B C D E Most people think of independent controls Cooling Unit Cooling Unit A Common Conceptual Model
    11. 11. Copyright © Wombat Security Technologies, Inc. 2008-2012  Two general solutions:  make controls map to user’s mental model  foster a more accurate mental model 7 6 5 4 3 A B C D E Cooling Unit Actual Conceptual Model Controls amount of cold air Controls amount air vectored up and down
    12. 12. Copyright © Wombat Security Technologies, Inc. 2008-2012 Nissan Maxima Gear Shift
    13. 13. Copyright © Wombat Security Technologies, Inc. 2008-2012  Users create a model from what they hear from others, past experiences, and usage  interactions with system image Three Different Models System Image (Your implementation) User Interactions System feedback Design Model (How you intend the system to work) User Model (How users think the system works)
    14. 14. Copyright © Wombat Security Technologies, Inc. 2008-2012 Mental Models  People inevitably build models of how things work  Ex. children and computers  Ex. you and your car  Ex. how hackers work (and why)  Ex. visibility in social networking sites  Ex. app stores (all apps vetted by Google?)  Two options:  Make the system match people’s models  Foster a better mental model
    15. 15. Copyright © Wombat Security Technologies, Inc. 2008-2012 Example: Phishing Attacks  Interviewed 40 people as part of an “email study” (Downs et al, SOUPS 2006)  Only 55% of participants said they had ever noticed an unexpected or strange- looking URL  Most did not consider them to be suspicious
    16. 16. Copyright © Wombat Security Technologies, Inc. 2008-2012 Example: Phishing Attacks  55% of participants reported being cautious when email asks for sensitive financial info  But very few reported being suspicious of email asking for passwords  Knowledge of financial phish reduced likelihood of falling for these scams  But did not transfer to other scams, such as an amazon.com password phish
    17. 17. Copyright © Wombat Security Technologies, Inc. 2008-2012 Can We Educate End-Users?  Users not motivated to learn  Security is a secondary task  Difficult to teach people right decisions without increasing false positives  Basically, educating users is as hard as herding cats
    18. 18. Copyright © Wombat Security Technologies, Inc. 2008-2012 Yes, End-Users Are Trainable  Our research demonstrates users can learn how to protect themselves… if you can get them to pay attention to training  Problem is that today’s training often boring, time consuming, and ineffective  All day lecture, no chance to practice skills  Or passively watching videos  Or posters and mugs and calendars  Raise awareness, but little on what to actually do
    19. 19. Copyright © Wombat Security Technologies, Inc. 2008-2012 How Do We Get People Trained?  Create “teachable moments”  Micro-games for training (fun)  Use learning science principles throughout PhishGuru Embedded Training Micro-Game on Phishing
    20. 20. Copyright © Wombat Security Technologies, Inc. 2008-2012 Micro-Games for Cyber Security  Training doesn’t have to be long & boring  Micro game format, play for short time  Two-thirds of Americans played a video game in past six months  Not just young people  Average game player 35 years old  25% of people over 50 play games  Not just males  40% of casual gamers are women
    21. 21. Copyright © Wombat Security Technologies, Inc. 2008-2012 Case Study: Anti-Phishing Phil  Tested Anti-Phishing Phil with ~4500 people  Huge improvement by novices in identifying phishing URLs  Also dramatically lowered false positives
    22. 22. Copyright © Wombat Security Technologies, Inc. 2008-2012
    23. 23. Copyright © Wombat Security Technologies, Inc. 2008-2012
    24. 24. Copyright © Wombat Security Technologies, Inc. 2008-2012
    25. 25. Copyright © Wombat Security Technologies, Inc. 2008-2012
    26. 26. Copyright © Wombat Security Technologies, Inc. 2008-2012
    27. 27. Copyright © Wombat Security Technologies, Inc. 2008-2012
    28. 28. Copyright © Wombat Security Technologies, Inc. 2008-2012 Summary  Human element most overlooked aspect of computer security  Ex. phishing scams, passwords, mobile  Mental models important to design  Mismatched models can cause failures  Micro games one strategy for training people about computer security
    29. 29. Copyright © Wombat Security Technologies, Inc. 2008-2012 Thanks, where can I learn more? Find more at wombatsecurity.com info@wombatsecurity.com
    30. 30. Copyright © Wombat Security Technologies, Inc. 2008-2012
    31. 31. Copyright © Wombat Security Technologies, Inc. 2008-2012 False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest reduction in false negatives, and retained what they had learned.
    32. 32. Copyright © Wombat Security Technologies, Inc. 2008-2012 False positives for users who played the Anti-Phishing Phil game. False positives are situations where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest improvement in reducing false positives, and retained what they had learned.
    33. 33. Copyright © Wombat Security Technologies, Inc. 2008-2012
    34. 34. Copyright © Wombat Security Technologies, Inc. 2008-2012 Example Topic: Email Security
    35. 35. Copyright © Wombat Security Technologies, Inc. 2008-2012 Example Topic: Passwords
    36. 36. Copyright © Wombat Security Technologies, Inc. 2008-2012 Other Training: Social Networks
    37. 37. Copyright © Wombat Security Technologies, Inc. 2008-2012 Measurable
    38. 38. Copyright © Wombat Security Technologies, Inc. 2008-2012 Measurable
    39. 39. Copyright © Wombat Security Technologies, Inc. 2008-2012 Case Study #1: PhishGuru  Canadian healthcare organization  Three-month embedded training campaign  190 employees  Security assessment and effective training in context
    40. 40. Copyright © Wombat Security Technologies, Inc. 2008-2012 Simulated Phishing Email
    41. 41. Copyright © Wombat Security Technologies, Inc. 2008-2012 Case Study
    42. 42. Copyright © Wombat Security Technologies, Inc. 2008-2012 Measurable Reduction in Falling for Phish Viewed Email Only % Viewed Email and Clicked Link % Employees Campaign 1 20 10.53% 35 18.42% 190 Campaign 2 37 19.47% 23 12.11% 190 Campaign 3 7 3.70% 10 5.29% 189
    43. 43. Copyright © Wombat Security Technologies, Inc. 2008-2012 0 10 20 30 40 Campaign3 Campaign2 Campaign1 ViewedEmail and Clicked Link ViewedEmail Only
    44. 44. Copyright © Wombat Security Technologies, Inc. 2008-2012 Can We Educate End-Users?  Users not motivated to learn  Security is a secondary task  Difficult to teach people right decisions without increasing false positives “User education is a complete waste of time. It is about as much use as nailing jelly to a wall… They are not interested…they just want to do their job.” -- An IBM security specialist
    45. 45. Copyright © Wombat Security Technologies, Inc. 2008-2012 Human Element of Security  People are key part of computer security for every organization  Keeping passwords strong and secure  Avoiding social engineering  Avoiding malware  Appropriate use of social networking  Keeping mobile devices secure  Overlooking human element is most common mistake in computer security
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×