© 2009 Carnegie Mellon University
Leveraging Human Factors for Effective Security Training
ISSA CISO Forum 2013
Jason Hong
Associate Professor
Carnegie Mellon University
CTO and Co-Founder
Wombat Security Technologies
Interactions Can Be Successful
Interactions Can Also Fail
Research areas: Human-Robot Interaction, Social Web, Cognitive Tutors, New Interaction Techniques
Human Factors Issues in Cybersecurity
• Studying human factors issues in cybersecurity for 9+ years
– Why do people fall for phishing scams?
– How can we train people in a manner that is fun, effective, and measurable?
– How can we build better user interfaces and security warnings?
Impact: influenced MSIE warnings; Wombat Security Technologies; SciAm & CACM; APWG landing page
Today’s Talk
• Discuss some of our research findings
– Better user interfaces for avoiding attacks
– Teaching people effectively
• A model for thinking about cybersecurity awareness and education
• Three cross-cutting strategies for effective cybersecurity training
• Every browser now has basic anti-phishing detection built in
• Are these user interfaces effective?
• Our 2008 study on warnings
• And what does it mean for training?
Screenshots
Internet Explorer 7 – Passive Warning
Internet Explorer 7 – Active Block
Mozilla Firefox – Active Block
Tested These Four Interfaces
• Shopping study
– IE Passive Warning
– IE Active Block
– FireFox Active Block
– Control (no warnings or blocks)
• Overall results
– Passive warning completely ineffective
– About half of people still fell for IE warning
– No one fell for FireFox warning
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
Analyzing the Results
• C-HIP model for real-world warnings
– See the warning?
– Understand it?
– Believe it?
– Motivated?
– Can and will act?
Screenshots
• MSIE 7 Active Block
• Half still fell for phish despite the warning (?)
• Habituation (similar warnings)
• Two pathological cases
• Most saw the warning, but many did not believe it
• “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad”
Two Takeaways
• Better interfaces can dramatically reduce security problems
• Model for warnings also relevant for cybersecurity in general
– See the warning?
– Understand it?
– Believe it?
– Motivated?
– Can and will act?
Basis for the Cybersecurity Training Model
Aware of the security issue?
Knowledge of what actions to take?
Motivated to act?
Cybersecurity Training Model
Example: Passwords
– Aware of the security issue? Don’t reuse passwords; common security risk
– Knowledge of what actions to take? How to change; secure and memorable
– Motivated to act? Stories of breaches; require changes
Cybersecurity Training Model
Example: Smartphone Security
– Aware of the security issue? Have a PIN on device (about 50% don’t)
– Knowledge of what actions to take? How to do it on device; avoiding bad PINs
– Motivated to act? At end of training; start with upper mgt
Cybersecurity Training Model
Aware of the security issue?
Knowledge of what actions to take?
Motivated to act?
• Most training starts with awareness
• Unfortunately, most training also stops with awareness
Most Posters not Effective
http://mindfulsecurity.com/2009/09/19/free-threats-security-awareness-posters/
Cybersecurity Training Model
• Effective training needs to address all these steps
• Strategy #1
– Foster better mental models
Aware of the security issue?
Knowledge of what actions to take?
Motivated to act?
Mental Models
• People inevitably build models of how things work
– Ex. me and my car
– Ex. children & computers
– Ex. maps of New York and Boston
Mental Models Impact Security
• Ex. visibility in Facebook
– Suppose you have a private Facebook album, but tag someone. Can that person see it or not?
• Ex. app stores
– All apps are vetted by Google, so they are all safe to download. Correct?
So, we just have to foster the right mental model and then we’re done?
There’s not Always a “Right” Mental Model
• Experts can disagree on
• We asked 10 experts about malware
Incomplete Mental Models Can Still Be Useful
• Rick Wash’s work on folk models
– Hackers are technical geeks that do it for fun
– Hackers seek personal info
– Hackers only target big fish
– Hackers only look for big databases of info
– People took different precautions
• Incomplete models may still be an improvement over current state
– Degrees of better and worse
Cybersecurity Training
• Cybersecurity education should foster better mental models
– Awareness
– Who and why?
– Fixing common misconceptions
– Actionable items
Aware of the security issue?
Knowledge of what actions to take?
Motivated to act?
Case Study: Phishing Attacks
• Interviewed 40 people as part of an “email study” (Downs et al, SOUPS 2006)
• Only 55% of participants said they had ever noticed an unexpected or strange-looking URL
– Most did not consider them to be suspicious
Example: Phishing Attacks
• 55% of participants reported being cautious when email asks for sensitive financial info
– But very few reported being suspicious of email asking for passwords
• Knowledge of financial phish reduced likelihood of falling for these scams
– But did not transfer to other scams, such as an amazon.com password phish
Cybersecurity Training
• Strategy #2: Tailor delivery of training for your audience
– We’re all busy
– A lot of training is boring (wall of text)
– Little chance to test what you just learned
Teachable Moments / Micro-Games
PhishGuru Simulated Phishing
• Create teachable moments thru simulated phishing emails
• If recipient falls for it, show intervention that teaches what cues to look for
– Useful for people who don’t know what they don’t know (low awareness)
Subject: Revision to Your Amazon.com Information
Please login and enter your information
• Why am I seeing this?
• How was I tricked?
• How to protect myself?
• Who and how?
Evaluation of PhishGuru
• Is simulated phishing effective?
– We’ve done 4 peer-reviewed studies showing embedded training works well
– About 50% decrease in falling for phish after one training
P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
P. Kumaraguru et al. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
Results of One Study
• Tested 500+ people in one month
– 1 simulated phish at beginning of month, testing done at end of month
• ~50% reduction in falling for phish
– 68 out of 85 surveyed recommend continuing doing this sort of training in the future
“I really liked the idea of sending [org] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful – here's how...”
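The before/after measurement this slide describes, as an added example that is not part of the original deck and not Wombat's own tooling: a Python script that reads a constructed campaign log (hypothetical recipient names), restricts the comparison to people who received both the baseline and the end-of-month simulated phish, reports the relative reduction in fall rate, lists repeat fallers as candidates for follow-up training, and attaches a Wilson confidence interval so that a small pilot is not over-interpreted. The log format (one record per recipient per campaign) and all names are assumptions.

```python
"""Evaluate a simulated-phishing training programme from campaign logs.

Added example, not from the original slides or any vendor product. It assumes
an export with one record per recipient per campaign, and reproduces the
before/after comparison on the slide: one simulated phish before training,
another at the end of the month.
"""
from math import sqrt

# Constructed sample log (hypothetical names, not real people).
# (recipient, campaign, fell): fell=True means the recipient acted on the
# simulated phish, i.e. would have been caught by a real one.
EVENTS = [
    ("alice", "baseline", True),  ("alice", "post", False),
    ("bob",   "baseline", True),  ("bob",   "post", True),
    ("carol", "baseline", True),  ("carol", "post", False),
    ("dave",  "baseline", True),  ("dave",  "post", True),
    ("erin",  "baseline", True),  ("erin",  "post", False),
    ("frank", "baseline", False), ("frank", "post", False),
    ("grace", "baseline", False), ("grace", "post", False),
    ("hank",  "baseline", True),  ("hank",  "post", True),
    ("ivan",  "baseline", False), ("ivan",  "post", False),
    ("judy",  "baseline", False), ("judy",  "post", False),
    ("kim",   "post", False),  # joined after the baseline campaign ran
]


def outcomes(events, campaign):
    """Map recipient -> fell for one campaign."""
    return {who: fell for who, camp, fell in events if camp == campaign}


def fall_rate(events, campaign):
    """Fraction of recipients of `campaign` who fell for it (0.0 if none)."""
    results = outcomes(events, campaign)
    return sum(results.values()) / len(results) if results else 0.0


def paired_rates(events, before, after):
    """Fall rates restricted to recipients present in both campaigns.

    Comparing unpaired populations lets joiners and leavers masquerade as a
    training effect, so only common recipients are counted.
    Returns (before_rate, after_rate, n_common).
    """
    b, a = outcomes(events, before), outcomes(events, after)
    common = sorted(set(b) & set(a))
    if not common:
        return 0.0, 0.0, 0
    n = len(common)
    return sum(b[w] for w in common) / n, sum(a[w] for w in common) / n, n


def relative_reduction(events, before, after):
    """Relative drop in fall rate after training, e.g. 0.5 for 'about 50%'."""
    rb, ra, _ = paired_rates(events, before, after)
    return 0.0 if rb == 0 else (rb - ra) / rb


def repeat_fallers(events, before, after):
    """Recipients who fell both times: candidates for follow-up training."""
    b, a = outcomes(events, before), outcomes(events, after)
    return sorted(w for w in b if b[w] and a.get(w, False))


def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a proportion; wide when n is small."""
    if n == 0:
        return 0.0, 1.0
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


if __name__ == "__main__":
    rb, ra, n = paired_rates(EVENTS, "baseline", "post")
    print(f"paired recipients: {n}, fall rate {rb:.0%} -> {ra:.0%}")
    print(f"relative reduction: {relative_reduction(EVENTS, 'baseline', 'post'):.0%}")
    print("repeat fallers:", repeat_fallers(EVENTS, "baseline", "post"))
    lo, hi = wilson_interval(round(ra * n), n)
    print(f"post-training rate 95% CI: {lo:.0%}..{hi:.0%} (n={n})")
```

On the constructed log the paired fall rate drops from 60% to 30%, the same "about 50%" relative reduction the slide reports, but the interval on ten people spans roughly 11% to 60%: the 500+ participants in the real study are what make the headline figure meaningful, and a team running its own pilot should size it accordingly.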
Cybersecurity Training
• Strategy #2: Tailor delivery of training for audience
– Create “teachable moments”
– Micro-games for training
– Just sending training via email (ineffective)
– Attending all day classes (boring, can’t test skills)
– Watching videos (can’t test skills)
Strategy #3: Use Concepts from Learning Science
• Area of research examining learning, retention, and transfer of skills
• Example principles
– Learning by doing
– Immediate feedback
– Conceptual-procedural
– Reflection
– … many others
What About Motivation?
Aware of the security issue?
Knowledge of what actions to take?
Motivated to act?
• Training also needs to address motivation
• Open question as to best approaches for cybersecurity
What Motivates People?
• Extrinsic factors (outside factors)
– Pay
– Privilege, Reputation
– Certificates, trophies
– Punishment
• Can’t just slap it on, has to be appropriate and thought through
What Motivates People?
• Intrinsic value of task
– Fun
– Curiosity
– Challenge, mastery
• Same as before, can’t just slap it on
• Cybersecurity and intrinsic motivation may be hard to reconcile
• Intrinsic and extrinsic may conflict
What Motivates People?
• Social factors
– Reciprocity (you help me, I help you)
– Altruism
– Norms
– Social proof
– Identification with group
• Large untapped potential, but open question as to how to best leverage
Energy Consumption
Summary
• Better user interfaces
• Cybersecurity training model
– Better mental models
– Tailor delivery
– Learning science
• Lots of opportunities for motivating people, but still open question
Thanks, where can I learn more?
Find more at wombatsecurity.com
jasonh@cs.cmu.edu
Timing Matters Too
• Teachable moments
• Right after training
• Repeat enough times, becomes habit (don’t have to appeal directly to individual motivation anymore)

Editor's Notes

  1. 1 hour total
  2. Will first describe my background and where I’m coming from, so you can get a better understanding of the context of this talk. I work in a field called human-computer interaction. The main goal of human-computer interaction is to understand how to create effective and successful kinds of interactions, ones that are useful, usable, and desirable. Interactions can succeed, and we have lots of examples of successes.
  3. However, interactions can also fail, leading to inefficiencies, frustrations, and failures.
  4. My colleagues and I combine elements from computer science, psychology, learning science, and interaction design.
  5. Modern web browsers have special warnings for identifying phish. Our evaluation of several blacklists shows they catch ~80% of phish after 24 hours, but are not very good in the first few hours. Are these browser interfaces effective? What makes them work (or not)? After, step back and consider what this all means for training.
  6. http://mindfulsecurity.com/2009/09/19/free-threats-security-awareness-posters/
  7. So what can we do that goes beyond awareness?
  8. Not only can they see it, that person’s friends can see the tagged image too. http://rickwash.com/papers/nspw06r-wash.pdf
  9. Our CCS 2012 paper: OTO: Online Trust Oracle for User-Centric Trust Establishment
  10. See Folk models of home computer security by Rick Wash http://scholar.google.com/citations?view_op=view_citation&hl=en&user=ef0ApTwAAAAJ&citation_for_view=ef0ApTwAAAAJ:Tyk-4Ss8FVUC
  11. These findings led us to think about how to educate and train people about phishing attacks… Also shows some mental model weaknesses.
  12. These findings led us to think about how to educate and train people about phishing attacks…
  13. Wikipedia Barnstar of Diligence
  14. http://opower.com/uploads/library/file/2/understanding_and_motivating_energy_conservation_via_social_norms.pdf
  15. http://opower.com/uploads/library/file/2/understanding_and_motivating_energy_conservation_via_social_norms.pdf