Norman M. Sadeh, Ph.D. Smart Phone Security & Privacy: What Should We Teach Our Users …and How? Professor, School of Computer Science Director, Mobile.

Slides:



Advertisements
Similar presentations
ATK Space 9617 Distribution Avenue San Diego, California Tel: (858) Fax: (858) Website:
Advertisements

User Authentication on Mobile Devices Google Two Factor Authentication OTP (One Time Password)
Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?
Smart Identity Protection That Works for You and Your Users 2 Petri Ala-Annala Senior Principal, CISSP-ISSAP, CISA, CISM.
1 Fortinet Confidential 1 T I T R E Fortinet 2013 Global Survey.
©2013 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Best Practices to Secure the Mobile Enterprise Macy Torrey
Rider Universitys BYOD Story. First two short films…… Dilbert Humorous skit about an employee, desperate to get his work done more efficiently tries to.
MANAGING AND SECURING BYOD Legal ITs Next Great Challenge.
Mobile device security Practical advice on how to keep your mobile device and the data on it safe.
Security for Mobile Devices
November 14, 2012 Securely Manage your devices, applications and data. Deploy your corporate policies on smart devices. Comply with Regulatory Laws. Detroit.
Smartphone and Mobile Device Security IT Communication Liaisons Meeting October 11, 2012 Theresa Semmens, CITSO.
Copyright © 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential. Mobile Content Strategies and Deployment Best Practices.
CHECK 2012 Bridging the Gap for Mobile Devices: Eager Adoption v. Practical Support Emporia State University The Faculty & Staff Support Perspective Cory.
The Changing Communications Security Landscape Prem Iyer | VP of North America Channel Programs | 07/11/12.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
International Relations and Security Network (ISN)
The printing drain… 60% of SMBs rely on printing 50% say colour volumes growing 60% say consumables expenditure growing.
Stages of Learning.
1 Unit 1 Kinematics Chapter 1 Day
Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
Personal Guidance. Positive Change. SM Secure Access for Web-based Patient Portals and Applications Chris Brooks, Senior Vice President of Technology,
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Multimedia Communications Tejinder Judge Usable Security – CS 6204 – Fall, 2009.
DHS SECURITY INCIDENT REPORTING AND RESPONSE SECURITY INCIDENT REPORTING AND RESPONSE DHS managers, employees, and other authorized information users.
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.
Personal Security on the Internet. Introduction What is InfoSec? Information Security (InfoSec) is: –Protection of information –Its critical elements.
Working group discussion 1 Cyber Risk Security, Privacy ?
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.
INFORMATION SECURITY UPDATE Al Arboleda Chief Information Security Officer.
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
1 ZIXCORP The Criticality of Security Dena Bauckman Director Product Management April 2015.
Norman M. Sadeh Professor, School of Computer Science Director, Mobile Commerce Lab. Carnegie Mellon University Smart Phone Security.
Introduction Our Topic: Mobile Security Why is mobile security important?
Should We Believe the Hype? Stephen Fast Lead, Cyber Innovation Strategy Cyber Innovation Division Applied Research Laboratory The Pennsylvania State University.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
© 2012-Robert G Parker May 24, 2012 Page: 1 © 2012-Robert G Parker May 24, 2012 Page: 1 © 2012-Robert G Parker May 24, 2012 Page: 1 © 2012-Robert G Parker.
1 ZIXCORP The Criticality of Security Kevin Cloutier Oct 2015.
Semantic Web and Policy Workshop Panel Contribution Norman M. Sadeh School of Computer Science Carnegie Mellon University Director, e-Supply Chain Management.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
C MU U sable P rivacy and S ecurity Laboratory Protecting People from Phishing: The Design and Evaluation of an Embedded Training.
Grants Management Training 200 Cyber Security There are two kinds of people in America today: Those who have experienced a cyber-attack and know it, and.
Basics of testing mobile apps
Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Usable Privacy and Security.
Chapter 11 Implementing Social Commerce Systems. Learning Objectives 1.Describe the major issues in the social commerce implementation landscape. 2.Discuss.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
© 2015 IBM Corporation John Guidone Account Executive IBM Security IBM MaaS360.
Šarūnas Končius Technology Strategist of Microsoft Microsoft Lithuania.
The internet is a place of both useful and bad information. It has both good and bad side- and it’s all too easy for kids to stray into it. And no parents/guardian.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Unit 2 GCSE Business Communication Systems
Information Security.
Challenges facing Enterprise Mobility
E 96 Introduction to Engineering Design Peter Reiher UCLA
Forensics Week 11.
© EIT, Author Gay Robertson, 2017
Call AVG Antivirus Support | Fix Your PC
CIS 560 Education for Service-- snaptutorial.com.
CIS 560 Teaching Effectively-- snaptutorial.com
New Media and Global Communication
Teaching you NOT to fall for Phish
Welcome… E-safety & Cyberbullying Parent Awareness Presentation.
16. Account Monitoring and Control
Technology Solutions Cybersecurity Report to the KCTCS Board of Regents March 14, 2019.
Security in mobile technologies
6. Application Software Security
Data Lost Prevention (DLP) © Copyright 2009 Technica All rights reserved. No part of this presentation in all its property may be used or reproduced in.
Individual ( and secure) PUPIL PROFILES
Presentation transcript:

Norman M. Sadeh, Ph.D. Smart Phone Security & Privacy: What Should We Teach Our Users …and How? Professor, School of Computer Science Director, Mobile Commerce Lab. Carnegie Mellon University Co-Founder & Chief Scientist Wombat Security Technologies

Copyright © Norman M. Sadeh The Smart Phone Invasion FISSEA

Copyright © Norman M. Sadeh BYOD: The New Frontier 48% of employees will buy their own devices – whether their organization approves that particular device or NOT! (Forrester Research) Blur between work life & private life FISSEA Unrealistic policies dont work – even if they look good If you cant fight them, join them …hopefully under your own terms…

Copyright © Norman M. Sadeh The Problem is that… BYOD implies users who are: responsible knowledgeable accountable FISSEA Is this truly possible? Do we really have a choice?

Copyright © Norman M. Sadeh Training has a Big Role to Play …But training has traditionally failed Security is a secondary task: employees are not motivated to learn Traditional delivery methods and content have not been very compelling Required knowledge is vast & continues to grow Practical strategies and tips are not always easy to articulate FISSEA

Copyright © Norman M. Sadeh Mobile Security & Privacy Training …at least as complex… Mediates a wide range of scenarios Phone calls, SMS, camera, location, , apps and much more Lack of awareness: People do not think of their smart phone as a computer Variety of devices FISSEA ….and obviously they are mobile devices…

Copyright © Norman M. SadehFISSEA P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall,A Conundrum of Permissions: Installing Applications on an Android Smartphone, USEC2012. Android Permissions: An Example of the Challenges We Face

Copyright © Norman M. Sadeh What Are We Up Against? Misconceptions: Most users did not realize that apps were not vetted Unusable security: Most users do not understand Android permissions Bad habits & cognitive biases: Most users rely on word of mouth and star ratings Users always proceed with the download of apps, even though they dont understand the permissions FISSEA Where Do We Start?

Copyright © Norman M. Sadeh Understanding the Risks: The Big Gap FISSEA Most people do not realize how sensitive their phones are © Wombat Security Technologies,

Copyright © Norman M. Sadeh …and How Vulnerable They Are… Challenge them to take quizzes …or better: Motivate them via mock attacks Nothing beats showing a user how vulnerable (s)he is FISSEA

Copyright © Norman M. Sadeh Phishing as An Example phishing: Much worse on mobile phones Mobile users are first to arrive at phishing websites Mobile users 3x more likely to submit credentials than desktop users Source: Trusteer, Jan – similar

Copyright © Norman M. Sadeh Teach people in the context they would be attacked If a person falls for simulated phish, then pop up an intervention Unique teachable moment Training via Mock Attacks: PhishGuru

Copyright © Norman M. Sadeh Select Target Employees Customize Fake Phishing Select Training Internal Test and Approval Process Hit Send Monitor & Analyze Employee Response

Copyright © Norman M. Sadeh This really works! Reduces the chance of falling for an attack by more than 70% ! Actual Results percentage

Copyright © Norman M. Sadeh Starting with the Most Common Threats FISSEA Source for image: Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs

Copyright © Norman M. Sadeh Learning by Doing is Critical Teach people to better appreciate the risks Create mock situations Force them to make decisions Provide them with feedback FISSEA © Wombat Security Technologies,

Copyright © Norman M. Sadeh Gradually Move Towards More Complex Tasks Mobile Apps Location Social Networking FISSEA

Copyright © Norman M. Sadeh Mobile Apps Challenge: difficult to come up with full-proof rules Train people to be suspicious & look for possible red flags Emphasis on: Learning by doing Feedback Opportunities for reflection FISSEA

Copyright © Norman M. Sadeh From Simple to Increasingly Realistic FISSEA © Wombat Security Technologies,

Copyright © Norman M. Sadeh Concluding Remarks BYOD trends make training critical Users have little awareness of the risks associated with smart phones Effective training requires adoption of learning science principles Creating realistic scenarios – including mock attacks Interactive training - Learning by doing Start with most common risks Training has to be part of an employees daily life – repetition & variations are critical FISSEA

Copyright © Norman M. Sadeh Q&A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.