
1 Norman M. Sadeh, Ph.D.
Smart Phone Security & Privacy: What Should We Teach Our Users …and How?
Professor, School of Computer Science; Director, Mobile Commerce Lab, Carnegie Mellon University
Co-Founder & Chief Scientist, Wombat Security Technologies

2 Copyright © 2011-2012 Norman M. Sadeh
The Smart Phone Invasion
FISSEA 2012

3 BYOD: The New Frontier
48% of employees will buy their own devices – whether their organization approves that particular device or NOT! (Forrester Research)
Blur between work life and private life
Unrealistic policies don't work – even if they look good
If you can't fight them, join them …hopefully under your own terms…

4 The Problem is that…
BYOD implies users who are: responsible, knowledgeable, accountable
Is this truly possible? Do we really have a choice?

5 Training has a Big Role to Play …But training has traditionally failed
Security is a secondary task: employees are not motivated to learn
Traditional delivery methods and content have not been very compelling
Required knowledge is vast and continues to grow
Practical strategies and tips are not always easy to articulate

6 Mobile Security & Privacy Training …at least as complex…
Mediates a wide range of scenarios: phone calls, SMS, camera, location, email, apps and much more
Lack of awareness: people do not think of their smart phone as a computer
Variety of devices
…and obviously they are mobile devices…

7 Android Permissions: An Example of the Challenges We Face
P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall, "A Conundrum of Permissions: Installing Applications on an Android Smartphone," USEC 2012.

8 What Are We Up Against?
Misconceptions: most users did not realize that apps were not vetted
Unusable security: most users do not understand Android permissions
Bad habits and cognitive biases: most users rely on word of mouth and star ratings
Users always proceed with the download of apps, even though they don't understand the permissions
Where Do We Start?

9 Understanding the Risks: The Big Gap
Most people do not realize how sensitive their phones are
(Image © Wombat Security Technologies, 2011-2012)

10 …and How Vulnerable They Are…
Challenge them to take quizzes …or better: motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is

11 Phishing as An Example
Email phishing: much worse on mobile phones
Mobile users are first to arrive at phishing websites
Mobile users are 3x more likely to submit credentials than desktop users
Source: Trusteer, Jan. 2011 – similar

12 Training via Mock Attacks: PhishGuru
Teach people in the context in which they would be attacked
If a person falls for a simulated phish, then pop up an intervention
Unique teachable moment

13 PhishGuru workflow:
Select target employees
Customize fake phishing email
Select training
Internal test and approval process
Hit send
Monitor and analyze employee response

14 This really works!
Reduces the chance of falling for an attack by more than 70%!
(Chart: Actual Results, percentage)

15 Starting with the Most Common Threats
Millions of cell phones are lost or stolen each year
The majority of smart phone users still do not have PINs
Source for image: http://www.malaysianwireless.com/2011/09/advice-how-to-protect-your-smartphone/

16 Learning by Doing is Critical
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
Provide them with feedback
(Image © Wombat Security Technologies, 2011-2012)

17 Gradually Move Towards More Complex Tasks
Mobile apps
Location
Social networking

18 Mobile Apps
Challenge: difficult to come up with foolproof rules
Train people to be suspicious and look for possible red flags
Emphasis on: learning by doing, feedback, opportunities for reflection

19 From Simple to Increasingly Realistic
(Image © Wombat Security Technologies, 2011-2012)

20 Concluding Remarks
BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios – including mock attacks
Interactive training – learning by doing
Start with the most common risks
Training has to be part of an employee's daily life – repetition and variations are critical

21 Q&A
http://wombatsecurity.com
http://mcom.cs.cmu.edu

