norman m. sadeh, ph.d. smart phone security & privacy: what should we teach our users …and...
TRANSCRIPT
Norman M. Sadeh, Ph.D.
Smart Phone Security & Privacy:
What Should We Teach Our Users
…and How?
Professor, School of Computer ScienceDirector, Mobile Commerce Lab.Carnegie Mellon University
Co-Founder & Chief ScientistWombat Security Technologies
Copyright © 2011-2012 Norman M. Sadeh
The Smart Phone Invasion
FISSEA 2012 - 2
Copyright © 2011-2012 Norman M. Sadeh
BYOD: The New Frontier
48% of employees will buy their own devices – whether their organization approves that particular device or NOT! (Forrester Research)
Blur between work life & private life
FISSEA 2012 - 3
Unrealistic policies don’t work – even if they look good
“If you can’t fight them, join them”
…hopefully under your own terms…
Copyright © 2011-2012 Norman M. Sadeh
The Problem is that…
BYOD implies users who are:
responsible
knowledgeable
accountable
FISSEA 2012 - 4
Is this truly possible?Do we really have a choice?
Copyright © 2011-2012 Norman M. Sadeh
Training has a Big Role to Play
…But training has traditionally failed Security is a secondary task:
employees are not motivated to learn
Traditional delivery methods and content have not been very compelling
Required knowledge is vast & continues to grow
Practical strategies and tips are not always easy to articulate
FISSEA 2012 - 5
Copyright © 2011-2012 Norman M. Sadeh
Mobile Security & Privacy Training
…at least as complex… Mediates a wide range of scenarios
Phone calls, SMS, camera, location, email, apps and much more
Lack of awareness: People do not think of their smart phone as a computer
Variety of devices
FISSEA 2012 - 6
….and obviously they are mobile devices…
Copyright © 2011-2012 Norman M. Sadeh FISSEA 2012 - 7
P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall, “A Conundrum of Permissions: Installing Applications on an Android Smartphone”, USEC2012.
Android Permissions: An Example of the Challenges We Face
Copyright © 2011-2012 Norman M. Sadeh
What Are We Up Against?
Misconceptions: Most users did not realize that apps were not vetted
Unusable security: Most users do not understand Android permissions
Bad habits & cognitive biases: Most users rely on word of mouth and
star ratings
Users always proceed with the download of apps, even though they don’t understand the permissions
FISSEA 2012 - 8
Where Do We
Start?
Copyright © 2011-2012 Norman M. Sadeh
Understanding the Risks: The Big Gap
FISSEA 2012 - 9
Most people do not realize how sensitive their phones are
© Wombat Security Technologies, 2011-2012© Wombat Security Technologies, 2011-2012
Copyright © 2011-2012 Norman M. Sadeh
…and How Vulnerable They Are…
Challenge them to take quizzes
…or better: Motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
FISSEA 2012 - 10
Copyright © 2011-2012 Norman M. Sadeh
Phishing as An Example
Email phishing: Much worse on mobile phones Mobile users are first to arrive at
phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source: Trusteer, Jan. 2011 – similar
Copyright © 2011-2012 Norman M. Sadeh
Teach people in the context they would be attacked
If a person falls for simulated phish, then pop up an intervention
Unique “teachable moment”
Training via Mock Attacks: PhishGuru
Copyright © 2011-2012 Norman M. Sadeh
Select
Target
Employees
Customize
Fake
Phishing
Select
Training
Internal
Test and
Approval
Process
Hit
Send
Monitor
& Analyze
Employee
Response
Copyright © 2011-2012 Norman M. Sadeh
This really works!
Reduces the chance of falling for an attack by more than 70% !
Actual Results
percentage0 10 20 30 40
Campaign 3
Campaign 2
Campaign 1
Viewed Email and Clicked Link
Copyright © 2011-2012 Norman M. Sadeh
Starting with the Most Common Threats
FISSEA 2012 - 15
Source for image: http://www.malaysianwireless.com/2011/09/advice-how-to-protect-your-smartphone/
Millions of cell phones lost or stolen each year
Majority of smart phone users still do not have PINs
Copyright © 2011-2012 Norman M. Sadeh
Learning by Doing is Critical
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
Provide them with feedbackFISSEA 2012 - 16
© Wombat Security Technologies, 2011-2012
Copyright © 2011-2012 Norman M. Sadeh
Gradually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
FISSEA 2012 - 17
Copyright © 2011-2012 Norman M. Sadeh
Mobile Apps
Challenge: difficult to come up with full-proof rules
Train people to be suspicious & look for possible red flags
Emphasis on: Learning by doing
Feedback
Opportunities for reflection
FISSEA 2012 - 18
Copyright © 2011-2012 Norman M. Sadeh
From Simple to Increasingly Realistic
FISSEA 2012 - 19
© Wombat Security Technologies, 2011-2012
Copyright © 2011-2012 Norman M. Sadeh
Concluding Remarks
BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios – including mock attacks
Interactive training - Learning by doing
Start with most common risks
Training has to be part of an employee’s daily life – repetition & variations are critical
FISSEA 2012 - 20
Copyright © 2011-2012 Norman M. Sadeh
http://wombatsecurity.com
http://mcom.cs.cmu.edu
Q&A