Knowledgeable Users are the Best Cyber Security Defense, for ISSA webinar Sept2011

Copyright © Wombat Security Technologies, Inc. 2008-2011
Jason Hong, PhD
Assoc. Prof, Carnegie Mellon University
CTO, Wombat Security Technologies
Knowledgeable Users are the
Best Cyber Security Defense

About Wombat Security
 Founded in 2008 based on research on human
element of computer security at Carnegie Mellon
 Passwords, access control, privacy policies, etc
 Initial products on anti-phishing
 Article in Scientific American on protecting
people from phishing scams
 Have given multiple talks at RSA, ISSA
about human element of security

Human Element of Security
 People are an important part of computer
security for every organization
 Keeping passwords strong and secure
 Avoiding social engineering
 Avoiding malware
 Appropriate use of social networking tools
 Keeping mobile devices secure
 Overlooking human element is the most
common mistake in computer security

Technology Alone Won’t Work
 Tempting to just buy some software or
hardware that promises to solve these problems
 However, attackers are very resourceful,
constantly looking to circumvent your defenses
 Also, technology alone can’t motivate people in
your organization
 Examples
 Recent breaches at RSA, Epsilon, Canadian and
Australian government due to phishing emails
 Malware infections because of social networking

Can We Educate End-Users?
 Users are not motivated to learn about security
 Security is a secondary task
 Difficult to teach people to make right decisions
without increasing false positives
“User education is a complete waste of time. It is
about as much use as nailing jelly to a wall….
They are not interested…they just want to do
their job.”
Martin Overton, IBM security specialist
http://news.cnet.com/21007350_361252132.html

Yes, End-Users Are Trainable
 Our research demonstrates that users can learn
techniques to protect themselves… if you can get
them to pay attention to training
 Problem is that today’s training often boring,
time consuming, and ineffective
 All day lecture, but no chance to practice skills
 Or passively watching videos
 Or posters and mugs and calendars
 Raise awareness, but little on what to actually do

How Do We Get People Trained?
 Create “teachable moments”: PhishGuru
 Make training engaging: Anti-Phishing Phil
 Use learning science principles throughout
PhishGuru Anti-Phishing Phil

PhishGuru Embedded Training
 Send emails that look like a phishing attack
 If recipient falls for it, show intervention that
teaches what cues to look for in succinct and
engaging format
 Useful for people who don’t know that they don’t know
 Multiple user studies have demonstrated
that PhishGuru is effective
 Delivering training via direct email
not effective

Subject: Revision to Your Amazon.com Information

Subject: Revision to Your Amazon.com Information
Please login and enter your information

Evaluation of PhishGuru
 Is embedded training effective?
 We’ve conducted 4 peer-reviewed studies
showing embedded training works well
 Studies showed significant decrease in falling
for phish and ability to retain what they learned
P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge.
Protecting People from Phishing: The Design and Evaluation of an
Embedded Training Email System. CHI 2007.
P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair,
and T. Pham. School of Phish: A Real-Word Evaluation of Anti-
Phishing Training. SOUPS 2009.

Case Study #1: PhishGuru
 Canadian healthcare organization
 Three-month embedded training campaign
 190 employees
 Security assessment and effective training in context

Simulated Phishing Email

Case Study

Measurable Reduction in Falling for Phish
Viewed
Email
Only %
Viewed
Email and
Clicked
Link % Employees
Campaign 1 20 10.53% 35 18.42% 190
Campaign 2 37 19.47% 23 12.11% 190
Campaign 3 7 3.70% 10 5.29% 189

0 10 20 30 40
Campaign3
Campaign2
Campaign1
ViewedEmail and Clicked
Link
ViewedEmail Only

Case Study #2: PhishGuru
 Tested with over 500 people in one month period
 1 simulated phish at beginning of month,
testing done at end of month
 About 50% reduction in falling for phish
 68 out of 85 surveyed said they recommend continuing
doing this sort of training in the future
 “I really liked the idea of sending *organization+ fake
phishing emails and then saying to them, essentially,
HEY! You could've just gotten scammed! You should
be more careful – here's how...”

Micro-Games for Cyber Security
 Training doesn’t have to be boring
 Training doesn’t have to take long either
 Micro game format, play for short time
 Two-thirds of Americans played
a video game in past six months
 Not just young people
 Average game player 35 years old
 25% of people over 50 play games
 Not just males
 40% of casual gamers are women

Case Study 3: Anti-Phishing Phil
 Tested Anti-Phishing Phil with ~4500 people
 Huge improvement by novices in identifying
phishing URLs
 Also dramatically lowered false positives

False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are
situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest
reduction in false negatives, and retained what they had learned.

False positives for users who played the Anti-Phishing Phil game. False positives are situations
where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest
improvement in reducing false positives, and retained what they had learned.

Learning Science
Area of research examining learning,
retention, and transfer of skills
Example principles
 Learning by doing
 Immediate feedback
 Conceptual-procedural
 Reflection

Organizational Perspective
Challenges:
 People are stretched for time
 Large number of computer security topics
Effective training:
 Needs to respect people’s time (short, engaging)
 Be effective
 Up-to-date coverage of security topics
 Measurable – who is vulnerable, where

Example Topic: Email Security

Example Topic: Passwords

Other Training: Social Networks

Measurable

Summary
 Human element is critical but most often
overlooked aspect of computer security
 Ex. phishing scams, passwords, mobile devices
 Security training can work, but only if done right!
 Training needs to respect time, engaging
 Broad coverage of topics, measurable
 Wombat’s interactive cybersecurity training
available for use

Cyber Security Awareness Month
 Wombat is offering a FREE Cyber Security
Vulnerability Assessment
 Limited time offer for your first campaign FREE*
 October 2011
Contact Ralph Massaro at 412-621-1484 x 114 or
r.massaro@wombatsecurity.com
*Up to 100 people

Thank you!
Thanks, where can
I learn more?
Find more at
wombatsecurity.com
Anti-Phishing Phil white paper:
Cyber Security Training Game
Teaches People to Avoid Phishing
Attacks
PhishGuru white paper:
An Empirical Evaluation of
PhishGuru Training

Knowledgeable Users are the Best Cyber Security Defense, for ISSA webinar Sept2011

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (6)

Ähnlich wie Knowledgeable Users are the Best Cyber Security Defense, for ISSA webinar Sept2011

Ähnlich wie Knowledgeable Users are the Best Cyber Security Defense, for ISSA webinar Sept2011 (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Knowledgeable Users are the Best Cyber Security Defense, for ISSA webinar Sept2011