Talk by Dr Ciarán Mc Mahon at Facebook Dublin, as part of Cyber Security Month, October 2016.
Information security consciousness: What you need to know about the psychology of online defence
The aim of this talk is to deep dive the psychology of cybersecurity, in order to give attendees a more profound insight into their everyday security routines. If you’d like to know how to re-wire your brain to make your cybersecurity habits more efficient and more enlightened, then this is the talk for you.
2. Today’s talk
• Introduction
• About me
• Elements of cybersecurity practice
• The psychology of everyday strife
• Moving slowly with unstable infrastructure
• Information security consciousness
3. Today’s Talk
• The aim of this talk is to deep dive the psychology of cybersecurity, in order to give attendees a more profound insight into their everyday security routines. If you’d like to know how to re-wire your mind to make cybersecurity more efficient and easier to achieve, this is the talk for you.
7. About me
Dr Ciarán Mc Mahon is a director of the Institute of Cyber Security and an award-winning academic psychologist from Ireland. A former Government of Ireland Scholar, he has published research on the history of psychological language, the psychology of social media, digital wellness and the social impact of cybercrime. Ciarán has worked at a number of third level institutions, most recently at the CyberPsychology Research Centre at the Royal College of Surgeons in Ireland. Ciarán also has extensive media experience and regularly contributes on topics relating to the human aspects of information technology to national and international outlets including Sky News, BBC Radio London, USA Today, Fortune Magazine, and The Guardian.
9. General advice
1. Use strong and unique passwords.
2. Think before you click. Don't fall for scams!
3. Don't plug in unknown USB keys.
4. Use only trusted and secure connections, devices, sites and services.
5. Don’t let anyone look over your shoulder when online, and log out once finished.
6. Report suspicious activities/cybercrimes to the authorities.
7. Always run the latest version of your OS and software. Run your anti-virus regularly and keep it updated too.
11. WHY DO WE FIND CYBER SECURITY HARD? And how can we make it easier? And more efficient?
12. Passwords (Whitty, Doodson, Creese, & Hodges,
2015)
o Most likely to share passwords:
  o Younger people
  o Low perseverance
  o High self-monitoring
o Knowledge about cybersecurity did not distinguish between those who did and did not share passwords
13. Passwords (Pilar, Jaeger, Gomes, & Stein, 2012)
o Older adults have no more memory difficulties than younger adults
o Number of password uses was the most influential factor on memory performance
o Limit for most people seems to be 5 passwords
o Recommend mnemonics and re-using passwords by category of use
14.
15. Passwords (Das, Hong, & Schechter, 2016)
o Microsoft research
o Participants assigned six random words (∼56 bits of entropy)
o Then trained to form them into a story
o Less training, better recall, than rote learning
16. Phishing (Parsons et al., 2013)
o Participants who knew they were in a phishing study performed significantly better
o Participants who had formal training in information systems performed more poorly overall
o 42% of all emails were incorrectly classified
17. Phishing (Vishwanath, Herath, Chen, Wang, & Rao, 2011)
o Most phishing emails are peripherally processed and individuals make decisions based on simple cues embedded in the email (e.g. Urgent!!)
o People far more likely to respond to phishing emails when they have large email loads...
18. Phishing research
• Must recognise that the signal/noise ratio is prohibitive here
• Strategies
– if you come across a phishing email, share screenshots with colleagues
– if targeted/spearphishing, inform your security team asap
19. USB keys (Tischer et al., 2016)
o 16% scanned drive with anti-virus software; 8% believed their OS would protect them
o Majority connected a drive in order to locate its owner (68%)
o Study authors believe altruism comes first, then curiosity
o “I was wondering why a jpeg picture had an html address”
20. USB keys (Hornstein, Fisch, & Holmes, 1968)
o Famous social psychology study
o People more likely to return lost wallet when primed to feel good about it
o but 12% of people primed to feel bad about returning the wallet still did so
o what’s the moral of the story?
21. Anti-virus & updating
• Lurking (Nonnecke, East, & Preece, 2001)
• Pareto principle
– 90/9/1 rule
– 90 people watch
– 9 people talk
– 1 person creates
• Ergo, few expect to have to do maintenance
22. Anti-virus & updating
• Telepresence (Lombard, Ditton, & Media, 1997)
– IT is designed to be a seamless, interactive, unobtrusive experience
– no awareness of actual engineering
• Ergo, surprise when required
23. ‘Everything is broken’
• Quinn Norton: ‘It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire. Computers, and computing, are broken.’
24. ‘Another flaw in the human character is that everybody wants to build and nobody wants to do maintenance’ (Vonnegut)
25.
26. What is the mind?
SHEN HSIU
The body is the Bodhi tree
The mind a bright mirror stand
Cleanse it with daily diligence
See to it that no dust adheres
HUI-NENG.
There is no Boddhi-tree,
Nor stand of a mirror bright.
Since all is void,
Where can the dust alight?
37. information security consciousness
1. A refusal to sow fear and a pledge to conserve attention
2. An awareness of human limits, and a readiness to transcend them
3. An acknowledgement that ‘everything is broken’ and a willingness to fix it
If Apple IDs are worth €20k, how much for Facebook IDs?
http://uk.businessinsider.com/hackers-offering-apple-employees-in-ireland-euros-login-details-2016-2
Image: Ciarán Mc Mahon
See: National Cyber Security Alliance https://staysafeonline.org/stay-safe-online/resources/stc-tips-and-advice
Also: Coventry, L., Briggs, P., Blythe, J., & Tran, M. (2014). Using behavioural insights to improve the public’s use of cyber security best practices. https://www.gov.uk/government/publications/cyber-security-using-behavioural-insights-to-keep-people-safe-online
According to one of your colleagues, security engineers are taking several months longer to find than regular engineers.
This is a skills gap that won't be solved any time soon. The cavalry is not coming any time soon.
So you're going to have to hack security yourself.
http://qz.com/681792/theres-a-hacker-shortage-so-facebooks-turning-to-middle-schools/
Image: https://upload.wikimedia.org/wikipedia/commons/thumb/b/b2/Steal_password.jpg/1280px-Steal_password.jpg
Whitty, M. T., Doodson, J., Creese, S., & Hodges, D. (2015). Individual differences in cyber security behaviors: An examination of who is sharing passwords. Cyberpsychology, Behavior, and Social Networking, 18, 3–7. http://doi.org/10.1089/cyber.2014.0179
Pilar, D. R., Jaeger, A., Gomes, C. F. A., & Stein, L. M. (2012). Passwords usage and human memory limitations: a survey across age and educational background. PloS One, 7(12), e51067. http://doi.org/10.1371/journal.pone.0051067
Image: https://xkcd.com/936/
Das, S., Hong, J., & Schechter, S. (2016). Testing Computer-Aided Mnemonics and Feedback for Fast Memorization of High-Value Secrets. USEC (NDSS Workshop), (February). http://doi.org/10.14722/usec.2016.23010
Parsons, K., McCormac, A., Pattinson, M., Butavicius, M., & Jerram, C. (2013). Phishing for the truth: A scenario-based experiment of users’ behavioural response to emails. IFIP Advances in Information and Communication Technology, 405, 366–378. http://doi.org/10.1007/978-3-642-39218-4_27
Vishwanath, A., Herath, T., Chen, R., Wang, J., & Rao, H. R. (2011). Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems, 51(3), 576–586. http://doi.org/10.1016/j.dss.2011.03.002
Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., & Bailey, M. (2016). Users really do plug in USB drives they find. IEEE Symposium on Security and Privacy, 1–14. http://doi.org/10.1109/SP.2016.26
Image: https://en.wikipedia.org/wiki/Wallet#/media/File:WalletMpegMan.jpg
Hornstein, H. A., Fisch, E., & Holmes, M. (1968). Influence of a model’s feeling about his behavior and his relevance as a comparison other on observers’ helping behavior. Journal of Personality and Social Psychology, 10(3), 222–226. http://doi.org/10.1037/h0026568
Nonnecke, B., East, K. S., & Preece, J. (2001). Why lurkers lurk. In Americas Conference on Information Systems (pp. 1–10).
Lombard, M., Ditton, T., & Media, M. (1997). At the heart of it all: The concept of presence. Journal of Computer-Mediated Communication, 3(2), 1–23.