Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO Forum, in Pittsburgh July 2013

Slide 5. ©2013 Carnegie Mellon University
Human Factors Issues in Cybersecurity
• Studying human factors issues in cybersecurity for 9+ years
– Why do people fall for phishing scams?
– How can we train people in a manner that is fun, effective, and measurable?
– How can we build better user interfaces and security warnings?
Slide 7.
Today’s Talk
• Discuss some of our research findings
– Better user interfaces for avoiding attacks
– Teaching people effectively
• A model for thinking about cybersecurity awareness and education
• Three cross-cutting strategies for effective cybersecurity training
Slide 12.
Tested These Four Interfaces
• Shopping study
– IE Passive Warning
– IE Active Block
– FireFox Active Block
– Control (no warnings or blocks)
• Overall results
– Passive warning completely ineffective
– About half of people still fell for IE warning
– No one fell for FireFox warning
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
Slide 14.
Screenshots
• MSIE 7 Active Block
• Half still fell for phish despite the warning (?)
• Habituation (similar warnings)
• Two pathological cases
• Most saw the warning, but many did not believe it
• “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad”
Slide 24.
Mental Models Impact Security
• Ex. visibility in Facebook
– Suppose you have a private Facebook album, but tag someone. Can that person see it or not?
• Ex. app stores
– All apps are vetted by Google, so they are all safe to download. Correct?
Slide 27.
Incomplete Mental Models Can Still Be Useful
• Rick Wash’s work on folk models
– Hackers are technical geeks that do it for fun
– Hackers seek personal info
– Hackers only target big fish
– Hackers only look for big databases of info
– People took different precautions
• Incomplete models may still be an improvement over current state
– Degrees of better and worse
Slide 29.
Case Study: Phishing Attacks
• Interviewed 40 people as part of an “email study” (Downs et al, SOUPS 2006)
• Only 55% of participants said they had ever noticed an unexpected or strange-looking URL
– Most did not consider them to be suspicious
Slide 30.
Example: Phishing Attacks
• 55% of participants reported being cautious when email asks for sensitive financial info
– But very few reported being suspicious of email asking for passwords
• Knowledge of financial phish reduced likelihood of falling for these scams
– But did not transfer to other scams, such as an amazon.com password phish
Slide 31.
Cybersecurity Training
• Strategy #2: Tailor delivery of training for your audience
– We’re all busy
– A lot of training is boring (wall of text)
– Little chance to test what you just learned
[Diagram labels: Cybersecurity Training; Teachable Moments; Micro-Games]
Slide 36.
Evaluation of PhishGuru
• Is simulated phishing effective?
– We’ve done 4 peer-reviewed studies showing embedded training works well
– About 50% decrease in falling for phish after one training
P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
P. Kumaraguru et al. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
Slide 37.
Results of One Study
• Tested 500+ people in one month
– 1 simulated phish at beginning of month, testing done at end of month
• ~50% reduction in falling for phish
– 68 out of 85 surveyed recommend continuing doing this sort of training in the future
“I really liked the idea of sending [org] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful – here's how...”
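The slides stress that training should be "measurable", and the result above is reported as a relative reduction in the rate of falling for a simulated phish. The following Python is an added example, not code from the talk or from PhishGuru, showing how a defender running an embedded-training programme could report that number properly: baseline and follow-up failure rates, their confidence intervals, the relative reduction, and a simple significance test. The cohort counts are constructed for illustration (they are not the study's data) and all function names are mine. The z-test treats the two rounds as independent samples, which overstates certainty when the same people are tested twice; a paired analysis would need per-person outcomes, which the deck does not give.

```python
import math

# Constructed sample counts (not from the study on the slide): a cohort of 520
# people, 190 of whom fell for the simulated phish sent at the start of the
# month and 95 of whom fell for the test phish sent at the end of the month.
COHORT_SIZE = 520
FELL_BEFORE = 190
FELL_AFTER = 95


def phish_rates(n, fell_before, fell_after):
    """Return (rate_before, rate_after, relative_reduction) for one cohort."""
    if n <= 0 or fell_before <= 0:
        raise ValueError("need a non-empty cohort with at least one baseline failure")
    rate_before = fell_before / n
    rate_after = fell_after / n
    reduction = (rate_before - rate_after) / rate_before
    return rate_before, rate_after, reduction


def two_proportion_z(n1, x1, n2, x2):
    """Two-sided two-proportion z-test with a pooled standard error.

    Returns (z, p_value). Treats the two measurements as independent samples,
    which is only an approximation when the same people are tested twice.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided normal tail probability
    return z, p_value


def wilson_interval(x, n, z=1.96):
    """95% Wilson score interval for a single proportion x/n (better than the
    naive normal interval for small counts or rates near 0 or 1)."""
    p = x / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def summarize(n, fell_before, fell_after):
    """Bundle the numbers a training report should carry for one cohort."""
    before, after, reduction = phish_rates(n, fell_before, fell_after)
    z, p = two_proportion_z(n, fell_before, n, fell_after)
    return {
        "rate_before": before,
        "ci_before": wilson_interval(fell_before, n),
        "rate_after": after,
        "ci_after": wilson_interval(fell_after, n),
        "relative_reduction": reduction,
        "z": z,
        "p_value": p,
    }


if __name__ == "__main__":
    s = summarize(COHORT_SIZE, FELL_BEFORE, FELL_AFTER)
    print(f"baseline: {s['rate_before']:.1%} "
          f"(95% CI {s['ci_before'][0]:.1%} to {s['ci_before'][1]:.1%})")
    print(f"after:    {s['rate_after']:.1%} "
          f"(95% CI {s['ci_after'][0]:.1%} to {s['ci_after'][1]:.1%})")
    print(f"relative reduction: {s['relative_reduction']:.0%}, "
          f"z = {s['z']:.2f}, p = {s['p_value']:.2g}")
```

Reporting the confidence intervals alongside the headline "~50% reduction" matters for smaller cohorts: with a few dozen people the intervals for the two rounds can overlap even when the point estimates differ by half, and the report should say so rather than claim an effect the data cannot support.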
Slide 38.
Cybersecurity Training
• Strategy #2: Tailor delivery of training for audience
– Create “teachable moments”
– Micro-games for training
– Just sending training via email (ineffective)
– Attending all day classes (boring, can’t test skills)
– Watching videos (can’t test skills)
Slide 39.
Strategy #3: Use Concepts from Learning Science
• Area of research examining learning, retention, and transfer of skills
• Example principles
– Learning by doing
– Immediate feedback
– Conceptual-procedural
– Reflection
– … many others
Speaker notes
1 hour total.
Will first describe my background and where I’m coming from, so you can get a better understanding of the context of this talk. I work in a field called human-computer interaction. The main goal of human-computer interaction is to understand how to create effective and successful kinds of interactions, ones that are useful, usable, and desirable. Interactions can succeed, and we have lots of examples of successes. However, interactions can also fail, leading to inefficiencies, frustrations, and failures. My colleagues and I combine elements from computer science, psychology, learning science, and interaction design.
Modern web browsers have special warnings for identifying phish. Our evaluation of several blacklists shows they catch ~80% of phish after 24 hours, but not very good in first few hours. Are these browser interfaces effective? What makes them work (or not)? After, step back and consider what this all means for training.
http://mindfulsecurity.com/2009/09/19/free-threats-security-awareness-posters/
So what can we do that goes beyond awareness?
Not only can they see it, that person’s friends can see the tagged image too.
http://rickwash.com/papers/nspw06r-wash.pdf
Our CCS 2012 paper: OTO: Online Trust Oracle for User-Centric Trust Establishment
See Folk models of home computer security by Rick Wash: http://scholar.google.com/citations?view_op=view_citation&hl=en&user=ef0ApTwAAAAJ&citation_for_view=ef0ApTwAAAAJ:Tyk-4Ss8FVUC
These findings led us to think about how to educate and train people about phishing attacks… Also shows some mental model weaknesses.
Wikipedia Barnstar of Diligence
http://opower.com/uploads/library/file/2/understanding_and_motivating_energy_conservation_via_social_norms.pdf