knowledgeable users are the best cyber security defense, for issa webinar sept2011


DESCRIPTION

I discuss some ways of educating users about cybersecurity, based on research we did at Carnegie Mellon University

TRANSCRIPT

Page 1: Knowledgeable Users are the Best Cyber Security Defense, for ISSA webinar Sept2011

Copyright © Wombat Security Technologies, Inc. 2008-2011

Jason Hong, PhD, Assoc. Prof, Carnegie Mellon University

CTO, Wombat Security Technologies

Knowledgeable Users are the Best Cyber Security Defense

Page 2

About Wombat Security

- Founded in 2008 based on research on the human element of computer security at Carnegie Mellon
- Passwords, access control, privacy policies, etc.
- Initial products on anti-phishing
- Article in Scientific American on protecting people from phishing scams
- Have given multiple talks at RSA, ISSA about human element of security

Page 3

Human Element of Security

- People are an important part of computer security for every organization
- Keeping passwords strong and secure
- Avoiding social engineering
- Avoiding malware
- Appropriate use of social networking tools
- Keeping mobile devices secure
- Overlooking the human element is the most common mistake in computer security

Page 4

Technology Alone Won’t Work

- Tempting to just buy some software or hardware that promises to solve these problems
- However, attackers are very resourceful, constantly looking to circumvent your defenses
- Also, technology alone can’t motivate people in your organization
- Examples:
  - Recent breaches at RSA, Epsilon, Canadian and Australian government due to phishing emails
  - Malware infections because of social networking

Page 5

Can We Educate End-Users?

- Users are not motivated to learn about security
- Security is a secondary task
- Difficult to teach people to make right decisions without increasing false positives

“User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job.”

Martin Overton, IBM security specialist, http://news.cnet.com/21007350_361252132.html

Page 6

Yes, End-Users Are Trainable

- Our research demonstrates that users can learn techniques to protect themselves… if you can get them to pay attention to training
- Problem is that today’s training is often boring, time consuming, and ineffective
  - All-day lecture, but no chance to practice skills
  - Or passively watching videos
  - Or posters and mugs and calendars: raise awareness, but little on what to actually do

Page 7

How Do We Get People Trained?

- Create “teachable moments”: PhishGuru
- Make training engaging: Anti-Phishing Phil
- Use learning science principles throughout

Page 8

How Do We Get People Trained?

- Create “teachable moments”: PhishGuru
- Make training engaging: Anti-Phishing Phil
- Use learning science principles throughout

Page 9

PhishGuru Embedded Training

- Send emails that look like a phishing attack
- If recipient falls for it, show intervention that teaches what cues to look for in succinct and engaging format
- Useful for people who don’t know that they don’t know
- Multiple user studies have demonstrated that PhishGuru is effective
- Delivering training via direct email is not effective

Page 10

Subject: Revision to Your Amazon.com Information

Page 11

Subject: Revision to Your Amazon.com Information

Please login and enter your information

Page 12

Page 13

Evaluation of PhishGuru

- Is embedded training effective?
- We’ve conducted 4 peer-reviewed studies showing embedded training works well
- Studies showed significant decrease in falling for phish and ability to retain what they learned

P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.

P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.

Page 14

Case Study #1: PhishGuru

- Canadian healthcare organization
- Three-month embedded training campaign
- 190 employees
- Security assessment and effective training in context

Page 15

Simulated Phishing Email

Page 16

Case Study

Page 17

Measurable Reduction in Falling for Phish

Campaign   | Viewed Email Only | %      | Viewed Email and Clicked Link | %      | Employees
Campaign 1 | 20                | 10.53% | 35                            | 18.42% | 190
Campaign 2 | 37                | 19.47% | 23                            | 12.11% | 190
Campaign 3 | 7                 | 3.70%  | 10                            | 5.29%  | 189

Page 18

(Bar chart of the Page 17 counts for Campaign 1, Campaign 2 and Campaign 3; two series, "Viewed Email and Clicked Link" and "Viewed Email Only"; axis 0 to 40.)

Page 19

Case Study #2: PhishGuru

- Tested with over 500 people in one-month period
- 1 simulated phish at beginning of month, testing done at end of month
- About 50% reduction in falling for phish
- 68 out of 85 surveyed said they recommend continuing doing this sort of training in the future

“I really liked the idea of sending [organization] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful – here's how...”

Page 20

How Do We Get People Trained?

- Create “teachable moments”: PhishGuru
- Make training engaging: Anti-Phishing Phil
- Use learning science principles throughout

Page 21

Micro-Games for Cyber Security

- Training doesn’t have to be boring
- Training doesn’t have to take long either
- Micro game format, play for short time
- Two-thirds of Americans played a video game in past six months
- Not just young people: average game player 35 years old; 25% of people over 50 play games
- Not just males: 40% of casual gamers are women

Page 22

Case Study 3: Anti-Phishing Phil

- Tested Anti-Phishing Phil with ~4500 people
- Huge improvement by novices in identifying phishing URLs
- Also dramatically lowered false positives

Pages 23 to 28 (no transcribed text)

Page 29

False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest reduction in false negatives, and retained what they had learned.

Page 30

False positives for users who played the Anti-Phishing Phil game. False positives are situations where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest improvement in reducing false positives, and retained what they had learned.
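The deck measures training two ways: the per-campaign click counts on Page 17 and the false-negative / false-positive rates on Pages 29 and 30. The following Python is an added example, not code from the deck or from Wombat; it recomputes the Page 17 percentages from the raw counts and computes the two error rates for one hypothetical novice before training, right after, and a week later, using constructed quiz URLs on reserved example hosts and constructed answers (everything named here is an assumption, not study data).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Judgment:
    """One participant decision about one site: ground truth vs. what they answered."""
    url: str
    is_phish: bool        # ground truth (constructed label for this example)
    labeled_phish: bool   # the participant's answer (True = "this is phishing")


def error_rates(judgments: Iterable[Judgment]) -> Tuple[float, float]:
    """Return (false_negative_rate, false_positive_rate) in the deck's sense:
    a false negative is a phishing site labelled legitimate (share of phishing sites),
    a false positive is a legitimate site labelled phishing (share of legitimate sites)."""
    js = list(judgments)
    phish = [j for j in js if j.is_phish]
    legit = [j for j in js if not j.is_phish]
    false_negatives = sum(1 for j in phish if not j.labeled_phish)
    false_positives = sum(1 for j in legit if j.labeled_phish)
    fn_rate = false_negatives / len(phish) if phish else 0.0
    fp_rate = false_positives / len(legit) if legit else 0.0
    return fn_rate, fp_rate


def build_judgments(answers: Dict[str, bool], truth: Dict[str, bool]) -> List[Judgment]:
    """Pair each quiz URL's ground truth with the participant's answer."""
    return [Judgment(url, truth[url], answers[url]) for url in truth]


def campaign_rates(campaigns: List[Tuple[str, int, int, int]]) -> List[Dict[str, object]]:
    """Recompute per-campaign percentages from raw counts.
    Each tuple is (name, viewed_only, viewed_and_clicked, employees)."""
    rows = []
    for name, viewed_only, clicked, employees in campaigns:
        rows.append({
            "campaign": name,
            "viewed_only_pct": round(100.0 * viewed_only / employees, 2),
            "clicked_pct": round(100.0 * clicked / employees, 2),
        })
    return rows


def relative_reduction(first_pct: float, last_pct: float) -> float:
    """Fraction by which the click rate fell from the first to the last campaign."""
    return (first_pct - last_pct) / first_pct


# Constructed eight-URL quiz on reserved example hosts (RFC 2606 / RFC 5737), not real sites.
TRUTH: Dict[str, bool] = {
    "http://www.example-bank.com.login-verify.example/": True,     # real name buried in a subdomain
    "http://192.0.2.10/secure/update": True,                       # bare IP address instead of a host
    "http://examp1e-bank.example/signin": True,                    # look-alike spelling
    "http://accounts.example.net.account-check.example/": True,    # real name buried in a subdomain
    "https://www.example-bank.com/login": False,
    "https://mail.example.org/": False,
    "https://www.example.com/account": False,
    "https://support.example.net/help": False,
}


def answers(flagged: Iterable[str]) -> Dict[str, bool]:
    """Build an answer sheet over the whole quiz: True for each URL the participant flagged."""
    flagged = set(flagged)
    return {url: url in flagged for url in TRUTH}


# Constructed answers for one hypothetical novice across the three study conditions.
BEFORE = answers(["http://192.0.2.10/secure/update",          # only the bare IP looks wrong to them
                  "https://www.example-bank.com/login",        # and they distrust two real sites
                  "https://www.example.com/account"])
AFTER = answers([url for url, phish in TRUTH.items() if phish] +
                ["https://support.example.net/help"])          # catches all four, one false alarm
RETENTION = answers(["http://www.example-bank.com.login-verify.example/",
                     "http://192.0.2.10/secure/update",
                     "http://accounts.example.net.account-check.example/"])  # misses the look-alike

# Page 17 counts, as printed in the deck: (name, viewed only, viewed and clicked, employees)
CAMPAIGNS = [("Campaign 1", 20, 35, 190), ("Campaign 2", 37, 23, 190), ("Campaign 3", 7, 10, 189)]


def evaluate_conditions() -> Dict[str, Tuple[float, float]]:
    """(false-negative rate, false-positive rate) for each condition of the constructed novice."""
    conditions = (("before", BEFORE), ("after", AFTER), ("one week later", RETENTION))
    return {name: error_rates(build_judgments(a, TRUTH)) for name, a in conditions}


if __name__ == "__main__":
    for name, (fn, fp) in evaluate_conditions().items():
        print(f"{name:>15}: false negatives {fn:.0%}, false positives {fp:.0%}")
    rows = campaign_rates(CAMPAIGNS)
    for r in rows:
        print(f"{r['campaign']}: viewed only {r['viewed_only_pct']}%, clicked {r['clicked_pct']}%")
    print(f"click-rate reduction, campaign 1 to 3: "
          f"{relative_reduction(rows[0]['clicked_pct'], rows[-1]['clicked_pct']):.0%}")
```

Both error rates matter for the reason Page 5 gives: a participant who simply flags everything drives false negatives to zero while making the tool useless, so a training evaluation has to report the false-positive rate alongside the miss rate, as Pages 29 and 30 do.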

Page 31

How Do We Get People Trained?

- Create “teachable moments”: PhishGuru
- Make training engaging: Anti-Phishing Phil
- Use learning science principles throughout

Page 32

Learning Science

- Area of research examining learning, retention, and transfer of skills
- Example principles: learning by doing, immediate feedback, conceptual-procedural, reflection

Page 33

Organizational Perspective

Challenges:
- People are stretched for time
- Large number of computer security topics

Effective training:
- Needs to respect people’s time (short, engaging)
- Be effective
- Up-to-date coverage of security topics
- Measurable: who is vulnerable, where

Page 34

Page 35

Example Topic: Email Security

Page 36

Example Topic: Passwords

Page 37

Other Training: Social Networks

Page 38

Measurable

Page 39

Measurable

Page 40

Summary

- Human element is critical but most often overlooked aspect of computer security
  - Ex. phishing scams, passwords, mobile devices
- Security training can work, but only if done right!
  - Training needs to respect time, be engaging
  - Broad coverage of topics, measurable
- Wombat’s interactive cybersecurity training available for use

Page 41

Cyber Security Awareness Month

- Wombat is offering a FREE Cyber Security Vulnerability Assessment
- Limited time offer for your first campaign FREE*
- October 2011
- Contact Ralph Massaro at 412-621-1484 x 114 or [email protected]

*Up to 100 people

Page 42

Thank you!

Thanks, where can I learn more?

Find more at wombatsecurity.com

Anti-Phishing Phil white paper: Cyber Security Training Game Teaches People to Avoid Phishing Attacks

PhishGuru white paper: An Empirical Evaluation of PhishGuru Training