Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
1. Jason Hong, PhD
Carnegie Mellon University
Wombat Security Technologies
Achieving Behavioral Change
2. Usable Privacy and Security
• We have done extensive research on usable
privacy and security at Carnegie Mellon
– Passwords, access control, privacy policies, etc
– http://cups.cs.cmu.edu/trust.php
• Today’s talk on behavioral change and phishing
– Why do people fall for these attacks?
– What demographics most vulnerable?
– What are weaknesses in user interfaces?
– Can we actually train people not to fall for phishing?
3. Some Results of Our Research
• Startup
– Customers of micro-games featured include
governments, financials, universities
– Our anti-phishing email filter is labeling several
million emails per day
• Study on browser warnings -> MSIE8
• Elements of our work adopted by
Anti-Phishing Working Group (APWG)
• Popular press article in
Scientific American
4. Two Case Studies + Opportunity
• How effective are web browser user interfaces
in protecting us from phishing scams?
• Can we actually train people to protect
themselves?
– What kinds of training effective? Ineffective?
– Which demographics most vulnerable?
• What do voting, saving energy, and re-using
towels have in common?
6. Phishing Increasing in Sophistication
Targeting Your Organization
• Spear-phishing targets specific groups or individuals
• Type #1 – Uses info about your organization
– Example lure: "General Patton is retiring next week,
click here to say whether you can attend his retirement party"
7. Phishing Increasing in Sophistication
Targeting Your Organization
• Around 40% of people in our experiments would fall
for emails like this (control condition)
8. Phishing Increasing in Sophistication
Targeting You Specifically
• Type #2 – Uses info specifically about you
– Social phishing
• Uses detailed information from social networking sites,
corporate directories, and publicly available data
• Ex. Fake emails from friends or co-workers
• Ex. Fake colonel (instructor) at West Point
• Ex. Fake videos of you and your friends
– Past studies indicate social phishing ~4.5x more effective
9. Phishing Increasing in Sophistication
Targeting You Specifically
– Example lure: "Here's a video I took of your poster presentation."
10. Phishing Increasing in Sophistication
Targeting You Specifically
• Type #2 – Uses info specifically about you
– Whaling – focusing on big targets
Thousands of high-ranking executives
across the country have been receiving
e-mail messages this week that appear
to be official subpoenas from the United
States District Court in San Diego. Each
message includes the executive’s name,
company and phone number, and
commands the recipient to appear before
a grand jury in a civil case.
-- New York Times, Apr 16, 2008
11-13. How Bad Is Phishing?
Perspective of Corporations
• Direct damage
– Loss of sensitive customer data
– Loss of intellectual property
– Fraud
• Recent carbon trading incidents in the EU were partly due to phish
• Indirect damage
– Damage to reputation, lost sales, etc
– Response costs (call centers, recovery)
• One researcher half-joked that banks feared customer
call center costs more than phishers
14. Phishing Increasing in Sophistication
Combination with Malware
• Malware and phishing are becoming combined
– Poisoned attachments (Ex. custom PDF exploits)
– Links to web sites with malware (web browser exploits)
– Can install keyloggers or remote access software
15. Can Web Browser Interfaces Help?
• Newer web browsers come with blacklists
and special interfaces for identifying phish
– Our evaluation of several blacklists shows they catch ~80%
of phish after 24 hours, but do poorly in the first few hours
– They also only catch "shotgun phish" rather than spear-phish
• Are these browser interfaces effective?
19. How Effective are these Warnings?
• Tested four conditions
– Firefox Active Block
– IE Active Block
– IE Passive Warning
– Control (no warnings or blocks)
• "Shopping Study"
– Set up some fake phishing pages and added them to the blacklists
– We phished users after real purchases (2 phish/user)
– Used real email accounts and personal information
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An
Empirical Study of the Effectiveness of Web Browser Phishing
Warnings. CHI 2008.
20. How Effective are these Warnings?
Almost everyone clicked the link in the phishing email, even those
with strong technical backgrounds
21. How Effective are these Warnings?
• No one in Firefox condition fell for our phish
• People in Firefox condition not more technically savvy
22. Discussion of Phish Warnings
• Nearly everyone will fall for highly targeted
and contextualized phish
• The passive IE warning failed for many reasons
– It didn't interrupt the main task
– It can be slow to appear (up to 5 seconds)
– It was not clear what the right action was
– It looked too much like other ignorable warnings
(habituation)
– A bug in the implementation meant any keystroke dismissed it
24. Discussion of Phish Warnings
• Active IE warnings
– Most saw the warning, but many did not believe it
• “Since it gave me the option of still proceeding
to the website, I figured it couldn’t be that bad”
– Some element of habituation (looks like other
warnings)
– Saw two pathological cases
27. A Science of Warnings
• C-HIP (Communication-Human Information Processing)
model for real-world warnings
– See the warning?
– Understand it?
– Believe it?
– Motivated?
– Can and will act?
28. Designing for Path of Least Resistance
• Where possible, make the default
behavior the safe behavior
– Ex. The two pathological cases
– Assume people won’t see, read,
believe, or be motivated by warnings
• Active warnings over passive warnings
– Interrupt people if warning is important
– Need to balance this with habituation
• Make important warnings look very different
29. Two Case Studies + Opportunity
• How effective are web browser user interfaces
in protecting us from phishing scams?
• Can we actually train people to protect
themselves?
– What kinds of training effective? Ineffective?
• What do voting, saving energy, and re-using
towels have in common?
30. Can We Educate End-Users?
• Users are not motivated to learn about security
• Security is a secondary task
• Difficult to teach people to make the right online trust
decisions without increasing false positives
“User education is a complete waste of time. It is
about as much use as nailing jelly to a wall…. They
are not interested…they just want to do their job.”
Martin Overton, IBM security specialist
http://news.cnet.com/21007350_361252132.html
31. Yes, End-Users Are Trainable
• Our research demonstrates that users can learn
techniques to protect themselves from phishing…
if you can get them to pay attention to training
• The problem is that today's training is often boring,
time-consuming, and ineffective
– All-day lecture, but no chance to practice skills
– Or read text online and take very basic quizzes
– Or passively watch videos
– Or posters and mugs and calendars
– These raise awareness, but say little about what to actually do
P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong.
Teaching Johnny Not to Fall for Phish. CyLab Technical Report
CMU-CyLab-07-003, 2007.
32. How Do We Get People Trained?
• Create “teachable moments”: PhishGuru
• Make training fun: Anti-Phishing Phil
• Use learning science principles throughout
– Ex. Concrete-Abstract, Multimedia, Immediate Feedback
(Screenshots: PhishGuru, Anti-Phishing Phil)
33. PhishGuru Embedded Training
• Send emails that look like a phishing attack
• If recipient falls for it, show intervention that teaches
what cues to look for in succinct and engaging format
– Useful for people who don’t know that they don’t know
• Multiple user studies have demonstrated
that PhishGuru is effective
• Delivering same training via direct email is
not effective!
34. (Simulated phishing email used by PhishGuru, as seen in the inbox)
Subject: Revision to Your Amazon.com Information
35. Subject: Revision to Your Amazon.com Information
Please login and enter your information
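The mechanics of a PhishGuru-style round, as an added example that is not PhishGuru or Wombat code: each recipient gets a lure whose link carries an HMAC-signed per-recipient token, and the landing handler records the first click and serves the intervention instead of a credential form. The signing key, campaign id, recipients and the lure/intervention text are constructed for illustration.

```python
"""PhishGuru-style embedded training: signed per-recipient lure links and a
landing handler that turns the click into a teachable moment.

Added example, not PhishGuru or Wombat code. The signing key, campaign id,
recipients and the text of the lure and intervention are constructed.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Assumed key; in real use it lives outside source control, one per campaign.
SIGNING_KEY = b"constructed-campaign-key"
MAC_LEN = 16


def make_token(campaign: str, recipient: str) -> str:
    """Opaque link token: '<campaign>:<recipient>' plus a truncated HMAC, so a
    token cannot be guessed, enumerated, or edited to log a click against
    someone else."""
    msg = f"{campaign}:{recipient}".encode()
    mac = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]
    return base64.urlsafe_b64encode(msg + mac).decode().rstrip("=")


def verify_token(token: str) -> Optional[Tuple[str, str]]:
    """(campaign, recipient) if the token is authentic, else None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError
        return None
    msg, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, expected):
        return None
    campaign, _, recipient = msg.decode(errors="replace").partition(":")
    return (campaign, recipient) if recipient else None


class Campaign:
    """One round of simulated phish: who was sent a lure, who clicked, when."""

    def __init__(self, campaign_id: str, recipients, landing_base: str):
        self.id = campaign_id
        self.recipients = list(recipients)
        self.landing_base = landing_base
        self.first_click: Dict[str, float] = {}  # recipient -> first click time

    def lure(self, recipient: str) -> str:
        """The simulated phishing email body for one recipient."""
        link = f"{self.landing_base}/{make_token(self.id, recipient)}"
        return ("Subject: Revision to Your Account Information\n\n"
                f"Please login and confirm your details: {link}\n")

    def landing(self, token: str, now: float) -> Optional[str]:
        """What the link serves. Never a credential form: on a valid token,
        record the click (first time only) and show the intervention."""
        parsed = verify_token(token)
        if parsed is None or parsed[0] != self.id or parsed[1] not in self.recipients:
            return None  # unknown token: serve nothing that confirms a campaign
        recipient = parsed[1]
        self.first_click.setdefault(recipient, now)
        return ("TRAINING: The email you just clicked was a simulated phish "
                "sent by your security team. Cues you could have checked: "
                "the sender address, the link's real domain, and the urgent "
                "request to log in.")

    def click_rate(self) -> float:
        """Fraction of recipients who clicked at least once."""
        return len(self.first_click) / len(self.recipients)


if __name__ == "__main__":
    c = Campaign("q1-2011", ["alice@example.com", "bob@example.com"],
                 "https://training.example/go")
    print(c.lure("alice@example.com"))
    tok = make_token("q1-2011", "alice@example.com")
    print(c.landing(tok, now=100.0))
    print("click rate:", c.click_rate())
```

The token design matters more than it looks: a plain sequential id would let anyone holding one lure guess other recipients' links and log clicks against them, and an unsigned recipient address could be edited. Unknown tokens get nothing back, so the landing host does not confirm that a campaign exists, and because only the first click is recorded, a recipient who opens the training page twice still counts once in the rate that feeds a table like the one on slide 40.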
37. Evaluation of PhishGuru
• Is embedded training effective?
– Study 1: Lab study, 30 participants
– Study 2: Lab study, 42 participants
– Study 3: Field trial at company, ~300 participants
– Study 4: Field trial at CMU, ~500 participants
• Studies showed significant decrease in falling for
phish and ability to retain what they learned
P. Kumaraguru et al. Protecting People from Phishing: The Design and
Evaluation of an Embedded Training Email System. CHI 2007.
P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing
Education: Evaluation of Retention and Transfer. eCrime 2007.
38. Study #4 at CMU
• Investigate effectiveness and retention of
training after 1 week, 2 weeks, and 4 weeks
• Compare effectiveness of 2 training
messages vs 1 training message
• Examine demographics and phishing
P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong,
M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation
of Anti-Phishing Training. SOUPS 2009.
39. Study design
• Sent email to all CMU students, faculty
and staff to recruit participants (opt-in)
• 515 participants in three conditions
– Control / One training message / Two messages
• Emails sent over 28 day period
– 7 simulated spear-phishing messages
– 3 legitimate (cyber security scavenger hunt)
• Campus help desks and IT departments
notified before messages sent
40. Effect of PhishGuru Training
Condition   N     % who clicked on Day 0   % who clicked on Day 28
Control     172   52.3                     44.2
Trained     343   48.4                     24.5
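Whether a gap like the one on Day 28 is more than noise is the question anyone running their own campaign has to answer. As an added example, not analysis from the School of Phish paper or Wombat code, the following reconstructs the click counts from the table's N and percentages (rounded to whole participants, an assumption) and runs a plain 2x2 chi-square test of independence on Control vs Trained for Day 0 and Day 28.

```python
"""Control vs Trained click rates from the PhishGuru table: is the gap real?

Added example (not from the School of Phish paper): a 2x2 Pearson
chi-square test of independence, implemented directly so it runs with
no scipy. Click counts are reconstructed from the slide's N and
percentages by rounding to whole participants, which is an assumption.
"""
from typing import Dict, Tuple

# Constructed from the slide: group -> (N, % clicked Day 0, % clicked Day 28)
SLIDE_TABLE: Dict[str, Tuple[int, float, float]] = {
    "Control": (172, 52.3, 44.2),
    "Trained": (343, 48.4, 24.5),
}

# Critical values of chi-square with 1 degree of freedom.
CRITICAL = {0.05: 3.841, 0.01: 6.635, 0.001: 10.828}


def counts(n: int, pct: float) -> Tuple[int, int]:
    """(clicked, did not click) for a group of n where pct percent clicked."""
    clicked = round(n * pct / 100)
    return clicked, n - clicked


def chi_square_2x2(a: int, b: int, c: int, d: int) -> float:
    """Pearson chi-square (no continuity correction) for [[a, b], [c, d]]."""
    n = a + b + c + d
    return n * (a * d - b * c) ** 2 / ((a + b) * (c + d) * (a + c) * (b + d))


def compare(day: int) -> dict:
    """Compare Control and Trained click rates on Day 0 or Day 28."""
    col = 1 if day == 0 else 2
    ctrl_n, ctrl_pct = SLIDE_TABLE["Control"][0], SLIDE_TABLE["Control"][col]
    trn_n, trn_pct = SLIDE_TABLE["Trained"][0], SLIDE_TABLE["Trained"][col]
    a, b = counts(ctrl_n, ctrl_pct)   # control: clicked, not clicked
    c, d = counts(trn_n, trn_pct)     # trained: clicked, not clicked
    chi2 = chi_square_2x2(a, b, c, d)
    met = [alpha for alpha, crit in CRITICAL.items() if chi2 >= crit]
    return {
        "day": day,
        "control": (a, b),
        "trained": (c, d),
        "chi2": chi2,
        "p_below": min(met) if met else None,  # smallest alpha cleared
        "abs_reduction_pts": round(ctrl_pct - trn_pct, 1),
        "rel_reduction": round(1 - trn_pct / ctrl_pct, 3),
    }


if __name__ == "__main__":
    for day in (0, 28):
        r = compare(day)
        sig = f"p < {r['p_below']}" if r["p_below"] else "not significant at 0.05"
        print(f"Day {r['day']:>2}: control {r['control']} trained {r['trained']} "
              f"chi2={r['chi2']:.2f} ({sig}); trained rate lower by "
              f"{r['abs_reduction_pts']} points ({r['rel_reduction']:.0%})")
```

On the reconstructed counts Day 0 gives a chi-square of about 0.7 (no difference before training, as expected from randomised assignment) and Day 28 about 20.75, well past the 10.83 needed for p < 0.001, with the trained group's click rate about 45% lower than control. This is the between-group comparison only; the within-group drop from 48.4% to 24.5% involves the same people on both days and would need a paired test on per-person data, which the slide does not give.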
41. Pop Quiz
• Which age group is most vulnerable to phishing attacks?
– 18-25
– 26-35
– 36-45
– 45+
42. Surprisingly, Students Most Vulnerable
• Students significantly more likely to fall for phish
than staff before training
• No significant differences based on student year,
department, or gender
• 18-25 age group most vulnerable
Age group      % who clicked on Day 0   % who clicked on Day 28
18-25          62%                      36%
26-35          48%                      16%
36-45          33%                      18%
45 and older   43%                      10%
43. Discussion of PhishGuru
• PhishGuru can teach people to identify phish better
– People retain the knowledge
• People trained on the first day were less likely to be phished
• Two training messages work better
– People were not less likely to click on legitimate emails
– People aren't resentful; many were happy to have learned
• 68 out of 85 surveyed said they recommend CMU
continue doing this sort of training in future
• “I really liked the idea of sending CMU students fake
phishing emails and then saying to them, essentially,
HEY! You could've just gotten scammed! You should
be more careful -- here's how....”
44. APWG Landing Page
• CMU and Wombat helped Anti-Phishing Working
Group develop landing page for taken down sites
– Already in use by several takedown companies
– Seen by ~200,000 people in past 27 months
45. Two Case Studies + Opportunity
• How effective are web browser user interfaces
in protecting us from phishing scams?
• Can we actually train people to protect
themselves?
– What kinds of training effective? Ineffective?
• What do voting, saving energy, and re-using
towels have in common?
46. Voting and Saving Energy
• Many economists say that voting is completely
irrational behavior
– The odds of one vote making a difference are close to zero
– But a strong predictor of whether someone votes is
how many other people they know who vote
• Many people say they conserve energy because of
– Environmental protection, benefit to society, saving money
– But the strongest predictor is whether you believe everyone else is doing it too
– And the strongest intervention is telling people all their
neighbors are saving energy too
– Similar results for recycling, reusing towels
• Is there an opportunity here for improving security?
47. Prize-Linked Lotteries
• Most Americans don't save enough money
• But the average American household spends $500 on
lottery tickets
– Estimates are that 80% of lottery revenue comes
from households earning $50k and under
• Prize-Linked Lottery
– Every $25 you save, you get a lottery ticket from bank
– Grand prize of $100k per year, smaller prizes throughout
– Dramatically increased rates of savings
• Better than a CD with 10% interest!
• Is there an opportunity here for improving security?
48. Open Challenge for Computer Security
• Incorporate more human behavioral science into
how we operate
– In terms of how security policies set
– In terms of how products are designed
– Hopefully, I’ve demonstrated (potential) utility
– Lots of untapped potential with even simple approaches
• Challenge here is “magic black box” mentality
– At RSA, lots of technical and marketing people, all think alike
– Not enough about user interfaces, incentives, how small
groups work, how people make decisions, etc
49. Summary
• Browser warnings
– Focus on path of least resistance
– See, understand, believe, motivated?
• Anti-phishing training
– Create teachable moments
– Use learning science
• Behavioral sciences offer many untapped
opportunities
• Can try PhishGuru, Phil, and Phyllis at:
www.wombatsecurity.com
53. Anti-Phishing Phil
• A micro-game to teach people not to fall for phish
– PhishGuru is about email; this game is about the web browser
– Also based on learning science principles
• Goals
– How to parse URLs
– Where to look for URLs
– Use search engines for help
• Try the game!
– Search for “phishing game”
S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a
Game That Teaches People Not to Fall for Phish. In SOUPS 2007,
Pittsburgh, PA, 2007.
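The goals "how to parse URLs" and "where to look for URLs" translate into a short checklist. The following is an added example, not code from Anti-Phishing Phil or Wombat: it parses a URL the way the game teaches, reading the registrable domain rather than the left-most labels, and flags the cues a phisher relies on. The brand list, the sample URLs and the last-two-labels rule for the registrable domain are assumptions for illustration.

```python
"""URL-reading checks in the spirit of what Anti-Phishing Phil teaches.

Added example, not code from Anti-Phishing Phil or Wombat. The brand
list, the sample URLs and the "last two labels" rule for the registrable
domain are assumptions for illustration; a production checker would use
the Public Suffix List (so that foo.co.uk is handled) and its own brands.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Assumed: brands a phisher might drop into a look-alike URL.
BRANDS = ("paypal", "amazon", "ebay", "citibank")

# Digit-for-letter swaps often used in look-alike domain names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

CREDENTIAL_WORDS = ("login", "signin", "account", "verify")


def registrable_domain(host: str) -> str:
    """The part of the host that was actually registered, approximated as the
    last two labels (see module docstring). Phil's rule: read this, not the
    left-most labels, to decide whose site this is."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def url_cues(url: str) -> List[str]:
    """Deceptive cues found in url; an empty list means none of these fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    cues: List[str] = []

    if parts.username is not None:
        # http://www.paypal.com@evil.example/ : the text before '@' is
        # userinfo, which browsers ignore; the site is what follows it.
        cues.append("userinfo_before_at")

    try:
        ipaddress.ip_address(host)
        cues.append("ip_address_host")  # raw IP instead of a brand's domain
    except ValueError:
        pass

    if any(label.startswith("xn--") for label in host.split(".")):
        cues.append("punycode_label")  # internationalised label: inspect it

    sld = registrable_domain(host).split(".")[0]
    haystack = " ".join((host, path, (parts.username or "").lower()))
    for brand in BRANDS:
        if sld == brand:
            continue  # the brand really owns this domain
        if brand in haystack:
            cues.append(f"brand_outside_domain:{brand}")
        elif sld.translate(HOMOGLYPHS) == brand:
            cues.append(f"lookalike_domain:{brand}")

    if parts.scheme == "http" and any(w in path for w in CREDENTIAL_WORDS):
        cues.append("credential_page_without_https")
    return cues


if __name__ == "__main__":
    # Constructed sample URLs; none are real sites.
    for u in ("https://www.paypal.com/signin",
              "http://www.paypal.com.secure-login.example/signin",
              "http://www.paypal.com@203.0.113.5/login",
              "http://paypa1.com/",
              "http://xn--pypal-4ve.com/"):
        print(f"{u}\n    -> {url_cues(u) or 'no cues'}")
```

The substring test for brand names is deliberately blunt: legitimate hosting and CDN domains that contain a brand name will trip it too, which is the false-positive side the Phil evaluation below measures and the reason the game's third goal is "use search engines for help". A production checker would also take the registrable domain from the Public Suffix List rather than the last two labels.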
60. Evaluation of Anti-Phishing Phil
• Is Phil effective? Yes!
– Study 1: 56 people in lab study
– Study 2: 4517 people in field trial
• Brief results of Study 1
– Phil about as effective in helping people detect phishing
web sites as paying people to read training material
– But Phil has significantly fewer false positives overall
• Suggests that existing training material is making people
paranoid about phish rather than teaching them to differentiate
61. Evaluation of Anti-Phishing Phil
• Study 2: 4517 participants in field trial
– Randomly selected from 80,000 people
• Conditions
– Control: Label 12 sites then play game
– Game: Label 6 sites, play game, then label 6 more,
then after 7 days, label 6 more (18 total)
• Participants
– 2021 people in game condition, 674 did retention portion
62. Anti-Phishing Phil: Study 2
• Novices showed most improvement in false negatives
(calling phish legitimate)
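The two evaluation results above, fewer false positives for Phil and fewer false negatives for novices, are two sides of one measurement: a participant who calls every site a phish has no false negatives but has learned nothing. As an added example on constructed judgements (not the studies' data or analysis code), the block below scores a labelling task by false-negative and false-positive rate and then applies the standard signal-detection split into sensitivity d' and criterion c; reading the slides through d' is this example's framing, not something the slides state.

```python
"""Score a phish-or-legitimate labelling task: count false negatives (phish called
legitimate) and false positives (legitimate sites called phish), then separate the
ability to tell them apart from the tendency to call everything phish.  Added
example on constructed data; not the studies' analysis code."""
from statistics import NormalDist

# Constructed judgements, not study data: (site_is_phish, participant_said_phish).
# Before training: misses half the phish, trusts every legitimate site.
BEFORE = [(True, True), (True, False)] * 3 + [(False, False)] * 6
# After reading alarmist material: calls every site a phish.
AFTER_PARANOID = [(is_phish, True) for is_phish, _ in BEFORE]
# After training that teaches cues: one miss, one false alarm.
AFTER_TRAINED = [(True, True)] * 5 + [(True, False)] + [(False, False)] * 5 + [(False, True)]


def confusion(records):
    """Return (hits, misses, false_alarms, correct_rejections)."""
    hits = misses = false_alarms = correct_rejections = 0
    for is_phish, said_phish in records:
        if is_phish and said_phish:
            hits += 1
        elif is_phish:
            misses += 1          # false negative: phish called legitimate
        elif said_phish:
            false_alarms += 1    # false positive: legitimate site called phish
        else:
            correct_rejections += 1
    return hits, misses, false_alarms, correct_rejections


def score(records):
    """False-negative and false-positive rates plus signal-detection d' and criterion c."""
    hits, misses, false_alarms, correct_rejections = confusion(records)
    # log-linear correction keeps a 0% or 100% rate finite when converted to a z-score
    hit_rate = (hits + 0.5) / (hits + misses + 1)
    fa_rate = (false_alarms + 0.5) / (false_alarms + correct_rejections + 1)
    z = NormalDist().inv_cdf
    return {
        "false_negative_rate": misses / (hits + misses),
        "false_positive_rate": false_alarms / (false_alarms + correct_rejections),
        "d_prime": z(hit_rate) - z(fa_rate),           # 0 = cannot tell phish from legitimate
        "criterion": -(z(hit_rate) + z(fa_rate)) / 2,  # negative = says "phish" too readily
    }


if __name__ == "__main__":
    for name, records in [("before", BEFORE), ("paranoid", AFTER_PARANOID), ("trained", AFTER_TRAINED)]:
        s = score(records)
        print(f"{name:9s} FN={s['false_negative_rate']:.2f} FP={s['false_positive_rate']:.2f} "
              f"d'={s['d_prime']:.2f} c={s['criterion']:.2f}")
```

The paranoid set drives the false-negative rate to zero yet scores d' of exactly 0, which is what "paranoid rather than differentiating" looks like in numbers; the trained set raises d' while moving the criterion back toward neutral. For a real simulated-phish programme, report both numbers rather than the click rate alone.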
64. Anti-Phishing Phyllis
• New micro-game just released by Wombat Security
• Focuses on teaching people about what cues
to look for in emails
– Some emails are legitimate, some fake
– Have to identify cues as dangerous or harmless
65. Tells people why they are
seeing this message, uses
engaging character
66. Tells a story about what
happened and what the
risks are
67. Gives concrete examples of
how to protect oneself
68. Explains how criminals conduct
phishing attacks
71. How Bad Is Phishing?
Consumer Perspective
• Estimated ~0.5% of Internet users per year
fall for phishing attacks
• Conservative $1B+ direct losses a year to consumers
– Bank accounts, credit card fraud
– Doesn’t include time wasted on recovery of funds,
restoring computers, emotional uncertainty
• Growth rate of phishing
– 30k+ reported unique emails / month
– 45k+ reported unique sites / month
• Social networking sites now major targets
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
Assume that this is your email inbox and, among other emails, you get this email from Amazon that looks just like the legitimate email from Amazon. When you open the email...
You will see this, which looks legitimate, and with the data that we have, we know that most of the users will click on the link. When they click on the link they will see...
P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.
To address some of the limitations in this study, I am currently doing this exciting study among CMU students/faculty/staff, where I have been phishing them for the last 4 weeks. I was interested in studying long-term retention, more than 1 week, so in this study we are studying 4-week retention. In the previous study we studied 1 training material; here we are studying 2 messages. This study is really in the wild and we are collecting a lot of data. I am still in data collection mode; in a few weeks I should have some results from this study.
Spear phishing emails are targeted phishing emails. Collecting a variety of information (HR, complaints that are being logged to help centers and the ISO). Counterbalancing the emails. Collecting data for legitimate emails to see whether training increases concern.
The idea in this slide is to show that the training conditions did better than the control conditions, and it was a significant difference. There is an improvement of 50% among people in the PhishGuru training.
S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
Phil needs to score 6/8 to move on to the next round, and at the end of the round Phil gets a chance to reflect on what he missed.
In between rounds, we also have short tutorials to teach Phil better strategies to identify phishing. In this example, Phil’s father teaches Phil how to use a search engine.
The user will see this intervention, which tells them how to avoid falling for phishing emails. I will describe in detail what information is in this intervention in a couple of minutes. You have the printout of this intervention.
Biz week http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network. The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River.