In this presentation Dr. Margaret Cunningham, Principal Research Scientist, Forcepoint X-Labs, explores the topic of curiosity in cybersecurity.
Curiosity is a powerful catalyst for behavioral changes, but for the most part, curiosity has been used to exploit users rather than to motivate positive security behaviors. This session explores the science of curiosity, provides examples of how curiosity increases security risks, and discusses strategies for using curiosity to increase engagement and positive security behaviors. Through this session attendees can apply strategies learned for motivating positive security behaviors as a means to mitigate risk and decrease alert fatigue within an organization.
Presented at Black Hat USA 2019 on Wednesday August 7, 2019.
Related blog: https://www.forcepoint.com/blog/x-labs/sparking-curiosity-change-security-behaviors-bhusa-2019-slides-and-summary
Location: Business Hall Theater A
Date: Wednesday, August 7 | 4:10pm-5:00pm
https://www.blackhat.com/us-19/sponsored-sessions/schedule/#sparking-curiosity-to-change-security-behaviors-17096
Hey Margaret,
Matt needs the final report for the special project that you just finished up – it’s pretty urgent – can you send it to him on his personal email address? He’s traveling and having some issues with his laptop.
Thanks!
Kate
When our users see such an email they want to keep the CEO happy, but they also wonder what file he wants and what reward they may get for fulfilling the request.
This raises their curiosity. In this presentation we will ask the question "what is curiosity?"
Curiosity motivates, engages, promotes insight, and often delights.
It embodies the intrinsic motivation to learn more, a motivation that often drives novel behaviors or changes in habit.
Curiosity is also heavily exploited; it can manifest as a never-ending state of distraction, vulnerability to social engineering and phishing, and as addictive behaviors.
Curiosity has multiple components; some consider it an emotion, others an inquisitive thinking style or personality trait.
It's generally associated with seeking missing or interesting information.
Curiosity stems from the human desire to close gaps in understanding. When we are missing information from our environment, we actually feel DEPRIVED of the information, and have an urge to solve, or cure the deprivation. This is similar to hunger – when we are hungry, we will do almost anything to grab a bite to eat to ”cure” ourselves.
Curiosity is also sparked when people are presented with, or experience, something that doesn’t make sense or that doesn’t fit with their understanding of the world.
It is driven by the anticipation of closing the information "gap" and by the reward of learning something new.
Today, we'll talk about what sparks curiosity in the moment, and later a bit more about curiosity as a behavioral trait, along with both the internal and external factors that spark curiosity.
State curiosity is most closely aligned with information seeking, or goal-directed information seeking, and rewards.
State curiosity
Heightened arousal due to environmental changes/stimuli
Associated with immediate rewards (excitement, finding out information, tasting something that looks good, seeing what's around the corner = rewards!)
State curiosity depends heavily on Attention & Memory…
Individuals tend to focus their energies on stimuli that are particularly stimulating or engaging.
If curiosity is the desire to seek out and understand unfamiliar or novel stimuli, one's memory is important in determining whether a stimulus is indeed unfamiliar.
How does curiosity impact security?
We get phished looking for a reward (Click Here for Your Free Gift Card!!)
We are tricked into paying attention to the wrong thing (ooo that looks interesting, I will visit that page/click that thing!)
We see something out of place and want to explore it -- “hmmm that’s odd!”
The bad guys have been capitalizing on human curiosity for a long time - and we need to catch up!
** audience engagement (if looks good…) ***
I have a list of 5 ways that the bad guys use curiosity – can you guess all five from my list?
How does curiosity impact security?
We get phished looking for a reward (Click Here for Your Free Gift Card!!)
Enter this quiz to claim $250
This stay-at-home parent earns $1000 a day
We are tricked into paying attention to the wrong thing
(ooo that looks interesting, I will visit that page/click that thing!)
Everyone is sharing this video and it is hilarious
We see something out of place and want to explore it -- “hmmm that’s odd!”
Mmmm, I've not seen that file in my directory before. Looks important. I wonder what it is... <opens file and triggers malicious macro>
That dialogue box sure is annoying. I wonder what error it is trying to inform me of. <clicks button>
Why have my files been renamed? Better open them to see what is going on. <opens files and spreads worm>
The bad guys have been capitalizing on human curiosity for a long time - and we need to catch up!
Their tactics that “spark” curiosity and emotional intensity include:
Using emotional language, or emotional subject matter
Using time pressure “you must do this quickly or else!”
Using threats -- “you’ll be sued!”
FOMO!
Example Message from Spear Phishing Study (Benenson, Gassmann, & Landwirth, Unpacking Spear Phishing Susceptibility)
https://www.cl.cam.ac.uk/~rja14/shb17/benenson.pdf
Hey!
The New Year’s Eve party was awesome!
Here are the pictures: http:///photocloud/page.php?h= But please don’t share them with people who have not been there!
See you next time!
34.2% of the participants who clicked the spear phishing message said that they were "curious" about the pictures, wanted to see the content, or were intrigued by something funny or private.
NOTE:
Do we care about using the word Profile? This is to link to Adaptive Trust Profile concept, and identifying risky behaviors… If we don’t want to use “profile” easy swap to something else!
Honeypots –
Prime example of using curiosity against the bad guys.
There are a lot of different types of honeypots, but generally speaking, this means "luring" attackers to data or assets that appear to be of interest or valuable (sparking curiosity, and using the observed behavior of the attackers to protect!).
Also known as "cybersecurity deception technology": alluring data and a topology that looks like the actual network, to sidetrack and confuse attackers.
While honeypots deal with curiosity quite well, the number of events generated by someone touching or visiting the honeypot can create an entirely new set of issues.
Using a risk-centric rather than an event-centric approach, we can cope with events more efficiently.
Why profile user behavior? Well, traditional approaches that focus on events do not capture everything – and as we know, they aren’t always very effective for protecting people and data, which are major assets to any organization.
Shifting away from detecting events, and towards understanding entities and entity risk – such as an individual person’s risk that can be calculated based on their behavior over time, and within specific contexts – can be shaped by our understanding of how and why people do what they do, for instance – curiosity.
Understanding motivated behavior, such as behavior driven by curiosity, helps provide context for what we know about human behavior and what we can explain about human behavior.
Let’s think about how this might work and why we’d care to go about understanding behavior in this way…
Some people are explorers, data gatherers, and often poke around to see what’s out there… and this may be non-malicious. However, it’s still risky for your organization! Why is Carol in Finance looking at the HR records, including payroll?
Other people are exploring for malicious reasons – perhaps they are leaving or planning to leave your organization and want to find high value assets?
There are many different types of people – boundary pushers, explorers, leavers – and we can understand the types of people that they are, in part by things like their file access patterns, organizational roles, etc.
How can we do this? (this is why we are different, this is our approach that deviates from our competitors)
Thinking again about how useful it can be to create an entity-centric view of the world, and how different aspects of an entity can be captured in different ways… we can also consider curiosity to be an attribute.
If we develop “curiosity” as an attribute, for instance, and associate curiosity with specific types of behavioral models, we can then infer whether or not a curious person has malicious intent or if they are just exploring. We can also work toward quantifying the risk associated with their curiosity driven behavior.
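As an added illustration of the event-centric versus entity-centric contrast above (example code written for this page, not the talk's or Forcepoint's own), assuming constructed file-access events, an assumed mapping of roles to their normal directory scopes, and a decoy path standing in for a honeypot:

```python
from collections import defaultdict

# Constructed sample events (not from the talk): (user, role, path touched, day index).
EVENTS = [
    ("carol", "finance", "/hr/payroll/q3.xlsx", 1),
    ("carol", "finance", "/hr/records/benefits.pdf", 1),
    ("carol", "finance", "/finance/ledger.xlsx", 2),
    ("carol", "finance", "/hr/payroll/q4.xlsx", 3),
    ("dave", "hr", "/hr/payroll/q3.xlsx", 1),
    ("dave", "hr", "/hr/records/benefits.pdf", 2),
    ("erin", "eng", "/eng/repo/README.md", 1),
    ("erin", "eng", "/honeypot/passwords.txt", 2),
]

# Assumed context: which directory trees each role normally works in.
ROLE_SCOPE = {"finance": ("/finance/",), "hr": ("/hr/",), "eng": ("/eng/",)}
HONEYPOT_PREFIX = "/honeypot/"   # assumed decoy location, no business reason to touch it

def event_score(role, path):
    """Event-centric view: score one access in isolation, using role as context."""
    if path.startswith(HONEYPOT_PREFIX):
        return 6          # decoy asset: curiosity here is always worth a look
    if any(path.startswith(p) for p in ROLE_SCOPE.get(role, ())):
        return 0          # inside the role's normal scope (Dave in HR reading HR files)
    return 2              # out-of-scope access: exploring, maybe malicious, maybe not

def event_alerts(events, threshold=2):
    """One alert per suspicious event: the model that produces alert fatigue."""
    return [e for e in events if event_score(e[1], e[2]) >= threshold]

def entity_risk(events):
    """Entity-centric view: aggregate each user's behaviour over time.
    Out-of-scope exploring repeated on distinct days compounds the score,
    so a persistent pattern stands out while a one-off slip stays low."""
    per_user = defaultdict(lambda: {"score": 0, "days": set()})
    for user, role, path, day in events:
        s = event_score(role, path)
        if s:
            per_user[user]["score"] += s
            per_user[user]["days"].add(day)
    return {u: r["score"] * len(r["days"]) for u, r in per_user.items()}

def entity_alerts(events, threshold=6):
    """Raise one alert per risky entity rather than one per event."""
    return sorted(u for u, s in entity_risk(events).items() if s >= threshold)
```

On the sample data the event view raises four alerts while the entity view raises two (Carol for repeated out-of-scope HR access, Erin for touching the decoy), and Dave never appears because the same HR files are within his role's scope.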
Now let’s anchor curiosity into a concrete example – to show how even minor changes in how our products are designed can impact engagement and drive better security behaviors through principles associated with curiosity.
Everything is presented at once, with little consideration for progressive disclosure of information.
The flow is clunky and unintuitive – the user is asked to provide a reason for overriding the block before we explain why the block occurred in the first place (operation details).
The user is unlikely to select a different reason using the dropdown menu, which is not helpful to organizational efforts to understand rationale for engaging in behaviors that violate policy.
This dialog uses a more narrative flow in presenting the information:
Something happened that requires an action
Here's why it happened (policy violations)
How do you, the user, want to proceed?
Also, here's a link that will educate you on corporate policy.
This dialogue also makes the user select why they are continuing with their action, which provides better information to organizations.
Talk about the #’s associated with using this dialogue box (report from Ben T)
Let’s walk through how this simple dialogue box uses principles of sparking curiosity
Attention-grabbing phrase, outside of the norm for a security dialogue box (there are so many options, and we CAN have fun with security).
Personal – use of the person’s name is also unique, and engaging. This is relevant TO ME, so I immediately pay more attention to it. Who responds to form letters?
Ability to answer questions and seek answers – information gap – “why is this happening?” in PLAIN LANGUAGE
Curiosity drives humans to seek new and exciting information, whether it's good for them or not.
Memory and attention play a key role in sparking curiosity, and in motivating behaviors.
Adversaries are skilled at manipulating emotions and curiosity for their gain.
Understanding curiosity contextualizes user behavior, and can help us identify risky users.
By piquing curiosity, we can promote better security behaviors that benefit both end users and corporations.
I am the source of tremendous innovation.
I am the source of catastrophic breach.