Post on 27-Jan-2015
Copyright © Wombat Security Technologies, Inc. 2008-2011
Knowledgeable Users are the Best Cyber Security Defense
Jason Hong, PhD
Assoc. Prof, Carnegie Mellon University
CTO, Wombat Security Technologies
About Wombat Security
- Founded in 2008 based on research on the human element of computer security at Carnegie Mellon
  - Passwords, access control, privacy policies, etc.
- Initial products on anti-phishing
- Article in Scientific American on protecting people from phishing scams
- Have given multiple talks at RSA, ISSA about the human element of security
Human Element of Security
- People are an important part of computer security for every organization
  - Keeping passwords strong and secure
  - Avoiding social engineering
  - Avoiding malware
  - Appropriate use of social networking tools
  - Keeping mobile devices secure
- Overlooking the human element is the most common mistake in computer security
Technology Alone Won’t Work
- Tempting to just buy some software or hardware that promises to solve these problems
- However, attackers are very resourceful, constantly looking to circumvent your defenses
- Also, technology alone can’t motivate people in your organization
- Examples
  - Recent breaches at RSA, Epsilon, Canadian and Australian government due to phishing emails
  - Malware infections because of social networking
Can We Educate End-Users?
- Users are not motivated to learn about security
- Security is a secondary task
- Difficult to teach people to make the right decisions without increasing false positives

“User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested… they just want to do their job.”
- Martin Overton, IBM security specialist, http://news.cnet.com/21007350_361252132.html
Yes, End-Users Are Trainable
- Our research demonstrates that users can learn techniques to protect themselves… if you can get them to pay attention to training
- Problem is that today’s training is often boring, time consuming, and ineffective
  - All-day lecture, but no chance to practice skills
  - Or passively watching videos
  - Or posters and mugs and calendars
  - Raise awareness, but little on what to actually do
How Do We Get People Trained?
- Create “teachable moments”: PhishGuru
- Make training engaging: Anti-Phishing Phil
- Use learning science principles throughout
PhishGuru Embedded Training
- Send emails that look like a phishing attack
- If the recipient falls for it, show an intervention that teaches what cues to look for in a succinct and engaging format
- Useful for people who don’t know that they don’t know
- Multiple user studies have demonstrated that PhishGuru is effective
- Delivering training via direct email is not effective
[Slide: screenshot of a simulated phishing email. Subject: Revision to Your Amazon.com Information. Body: “Please login and enter your information”]
Evaluation of PhishGuru
- Is embedded training effective?
- We’ve conducted 4 peer-reviewed studies showing embedded training works well
- Studies showed a significant decrease in falling for phish and the ability to retain what they learned
- P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
- P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
Case Study #1: PhishGuru
- Canadian healthcare organization
- Three-month embedded training campaign
- 190 employees
- Security assessment and effective training in context
[Slide: Simulated Phishing Email (screenshot)]
[Slide: Case Study (screenshot)]
Measurable Reduction in Falling for Phish

Campaign     Viewed Email Only    %        Viewed Email and Clicked Link    %        Employees
Campaign 1   20                   10.53%   35                               18.42%   190
Campaign 2   37                   19.47%   23                               12.11%   190
Campaign 3   7                    3.70%    10                               5.29%    189
[Chart: horizontal bar chart of “Viewed Email and Clicked Link” vs “Viewed Email Only” counts for Campaigns 1 to 3; x-axis 0 to 40]
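As an added example (not from the slides and not Wombat's own tooling), the Python below computes the per-campaign figures in the table above from a constructed per-employee event log. It treats a click as implying a view, so an employee who clicked is never also counted under "Viewed Email Only", and it reports rates against the targeted population rather than against the number of events. The event layout, employee ids and campaign names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One tracked action from a simulated-phishing campaign (assumed layout)."""
    campaign: str
    employee: str
    action: str  # "viewed" (opened the email) or "clicked" (followed the link)


def constructed_events(campaign, n_employees, n_clicked, n_viewed_only):
    """Build a constructed event log: the first n_clicked employees open the
    email and click the link, the next n_viewed_only only open it, and the
    rest generate no events at all."""
    events = []
    for i in range(n_employees):
        emp = f"emp-{i:03d}"  # constructed employee id
        if i < n_clicked:
            events.append(Event(campaign, emp, "viewed"))
            events.append(Event(campaign, emp, "clicked"))
        elif i < n_clicked + n_viewed_only:
            events.append(Event(campaign, emp, "viewed"))
    return events


def summarize(events, targeted):
    """Per-campaign counts and rates.

    targeted maps campaign -> number of employees who received the email; the
    rates are relative to that population, not to the number of events.
    An employee who clicked is counted once under 'clicked' even if several
    view/click events were logged, and never under 'viewed_only'.
    """
    actions = defaultdict(set)  # (campaign, employee) -> {"viewed", "clicked"}
    for e in events:
        actions[(e.campaign, e.employee)].add(e.action)

    summary = {}
    for campaign, population in targeted.items():
        clicked = viewed_only = 0
        for (c, _), acts in actions.items():
            if c != campaign:
                continue
            if "clicked" in acts:
                clicked += 1
            elif "viewed" in acts:
                viewed_only += 1
        summary[campaign] = {
            "employees": population,
            "viewed_only": viewed_only,
            "viewed_only_pct": round(100 * viewed_only / population, 2),
            "clicked": clicked,
            "clicked_pct": round(100 * clicked / population, 2),
        }
    return summary


def click_rate_reduction(summary, first, last):
    """Relative drop in the click rate between two campaigns, in percent."""
    before = summary[first]["clicked_pct"]
    after = summary[last]["clicked_pct"]
    return round(100 * (before - after) / before, 1)


# Constructed log reproducing the three campaigns in the case-study table.
LOG = (
    constructed_events("Campaign 1", 190, n_clicked=35, n_viewed_only=20)
    + constructed_events("Campaign 2", 190, n_clicked=23, n_viewed_only=37)
    + constructed_events("Campaign 3", 189, n_clicked=10, n_viewed_only=7)
)
TARGETED = {"Campaign 1": 190, "Campaign 2": 190, "Campaign 3": 189}

if __name__ == "__main__":
    result = summarize(LOG, TARGETED)
    for name, row in result.items():
        print(f"{name}: viewed only {row['viewed_only']} ({row['viewed_only_pct']}%), "
              f"clicked {row['clicked']} ({row['clicked_pct']}%) of {row['employees']}")
    print("click-rate reduction, campaign 1 -> 3:",
          click_rate_reduction(result, "Campaign 1", "Campaign 3"), "%")
```

The population denominator matters: campaign 3 targeted 189 employees rather than 190, which is why its percentages are not simply the counts divided by 190.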
Case Study #2: PhishGuru
- Tested with over 500 people in a one-month period
- 1 simulated phish at beginning of month, testing done at end of month
- About 50% reduction in falling for phish
- 68 out of 85 surveyed said they recommend continuing to do this sort of training in the future

“I really liked the idea of sending [organization] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful – here's how...”
How Do We Get People Trained?
- Create “teachable moments”: PhishGuru
- Make training engaging: Anti-Phishing Phil
- Use learning science principles throughout
Micro-Games for Cyber Security
- Training doesn’t have to be boring
- Training doesn’t have to take long either
- Micro game format, play for a short time
- Two-thirds of Americans played a video game in the past six months
- Not just young people
  - Average game player is 35 years old
  - 25% of people over 50 play games
- Not just males
  - 40% of casual gamers are women
Case Study 3: Anti-Phishing Phil
- Tested Anti-Phishing Phil with ~4500 people
- Huge improvement by novices in identifying phishing URLs
- Also dramatically lowered false positives
False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest reduction in false negatives, and retained what they had learned.
False positives for users who played the Anti-Phishing Phil game. False positives are situations where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest improvement in reducing false positives, and retained what they had learned.
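The two definitions above are the two off-diagonal cells of a confusion matrix, and scoring a URL-labeling exercise before and after training is how such a result is measured. As an added example (not the study's analysis code), the Python below scores a constructed before/after labeling exercise and reports false-negative and false-positive rates per participant group, aggregating counts across a group rather than averaging per-person rates. The answer key, placeholder hostnames, participants and groups are all constructed.

```python
from dataclasses import dataclass

# Constructed answer key for a labeling exercise: URL -> "phish" or "legit".
# The hostnames are placeholders in reserved test domains, not real sites.
ANSWER_KEY = {
    "https://www.bank-example.test/login": "legit",
    "https://mail.example.test/inbox": "legit",
    "https://shop.example.test/orders": "legit",
    "https://www.bank-example.test.attacker-placeholder.test/login": "phish",
    "http://203.0.113.7/example-login": "phish",
    "https://paypa1-example.test/verify": "phish",
}


@dataclass
class Rates:
    false_negative: float  # phish labeled legit / all phish (missed attacks)
    false_positive: float  # legit labeled phish / all legit (blocked real work)


def confusion_counts(answer_key, user_labels):
    """Return (fn, n_phish, fp, n_legit) for one participant.

    A false negative is a phishing URL the participant called legitimate; a
    false positive is a legitimate URL the participant called phishing. An
    unanswered URL counts as the wrong answer, since a skipped decision still
    ends with the link being followed or the site being avoided.
    """
    phish = [u for u, truth in answer_key.items() if truth == "phish"]
    legit = [u for u, truth in answer_key.items() if truth == "legit"]
    fn = sum(1 for u in phish if user_labels.get(u) != "phish")
    fp = sum(1 for u in legit if user_labels.get(u) != "legit")
    return fn, len(phish), fp, len(legit)


def rates(answer_key, user_labels):
    """FN and FP rates for a single participant."""
    fn, n_phish, fp, n_legit = confusion_counts(answer_key, user_labels)
    return Rates(round(fn / n_phish, 2), round(fp / n_legit, 2))


def group_rates(answer_key, participants):
    """FN/FP rates per group, before and after training, from pooled counts."""
    totals = {}
    for p in participants:
        g = totals.setdefault(p["group"], {"before": [0, 0, 0, 0], "after": [0, 0, 0, 0]})
        for phase in ("before", "after"):
            for i, count in enumerate(confusion_counts(answer_key, p[phase])):
                g[phase][i] += count
    return {
        group: {phase: Rates(round(fn / n_phish, 2), round(fp / n_legit, 2))
                for phase, (fn, n_phish, fp, n_legit) in g.items()}
        for group, g in totals.items()
    }


def label_all(value):
    """Constructed helper: a participant who gives every URL the same label."""
    return {u: value for u in ANSWER_KEY}


# Constructed participants (hypothetical answers, not study data).
PARTICIPANTS = [
    # Novice who trusts everything before training: two of three phish missed.
    {"group": "novice",
     "before": {**label_all("legit"), "https://paypa1-example.test/verify": "phish"},
     "after": dict(ANSWER_KEY)},
    # Novice who distrusts everything before training: every legit site flagged.
    {"group": "novice",
     "before": {**label_all("phish"),
                "https://www.bank-example.test.attacker-placeholder.test/login": "legit"},
     "after": {**ANSWER_KEY, "https://shop.example.test/orders": "phish"}},
    # Expert: already correct, so training leaves nothing to improve.
    {"group": "expert", "before": dict(ANSWER_KEY), "after": dict(ANSWER_KEY)},
]

if __name__ == "__main__":
    for group, phases in group_rates(ANSWER_KEY, PARTICIPANTS).items():
        print(group, "before:", phases["before"], "after:", phases["after"])
```

Reporting both rates together is the point: a training that only pushes people toward "everything is phish" drives the false-negative rate down while the false-positive rate climbs, which the second constructed novice shows before training.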
How Do We Get People Trained?
- Create “teachable moments”: PhishGuru
- Make training engaging: Anti-Phishing Phil
- Use learning science principles throughout
Learning Science
- Area of research examining learning, retention, and transfer of skills
- Example principles
  - Learning by doing
  - Immediate feedback
  - Conceptual-procedural
  - Reflection
Organizational Perspective
- Challenges:
  - People are stretched for time
  - Large number of computer security topics
- Effective training:
  - Needs to respect people’s time (short, engaging)
  - Be effective
  - Up-to-date coverage of security topics
  - Measurable – who is vulnerable, where
[Slide: Example Topic: Email Security (screenshot)]
[Slide: Example Topic: Passwords (screenshot)]
[Slide: Other Training: Social Networks (screenshot)]
[Slides: Measurable (screenshots)]
Summary
- Human element is critical but most often overlooked aspect of computer security
  - Ex. phishing scams, passwords, mobile devices
- Security training can work, but only if done right!
  - Training needs to respect time, be engaging
  - Broad coverage of topics, measurable
- Wombat’s interactive cybersecurity training available for use
Cyber Security Awareness Month
- Wombat is offering a FREE Cyber Security Vulnerability Assessment
- Limited time offer for your first campaign FREE*
- October 2011
- Contact Ralph Massaro at 412-621-1484 x 114 or r.massaro@wombatsecurity.com
- *Up to 100 people
Thank you!

Thanks, where can I learn more?
- Find more at wombatsecurity.com
- Anti-Phishing Phil white paper: Cyber Security Training Game Teaches People to Avoid Phishing Attacks
- PhishGuru white paper: An Empirical Evaluation of PhishGuru Training