Presentation is loading. Please wait.

Presentation is loading. Please wait.

User Education Baik Sangyong Cheng Zeng. Agenda Why Need User Education Examples of User Education Security-Reinforcing Application for User Education.

Published byBlaise Dalton Modified over 9 years ago

Similar presentations

Presentation on theme: "User Education Baik Sangyong Cheng Zeng. Agenda Why Need User Education Examples of User Education Security-Reinforcing Application for User Education."— Presentation transcript:

1 User Education Baik Sangyong Cheng Zeng

2 Agenda Why Need User Education Examples of User Education Security-Reinforcing Application for User Education Class Activity Anti-Phishing Phil Demo Fallacies of User Education

3 Why Need User Education User Education Teach users how to be safe online Protect people from security and privacy threats “Human In The Loop” Model User As Weakest Link in Security Activities "Given a choice between dancing pigs and security, users will pick dancing pigs every time.“ --Edward Felten and Gary McGraw

4 Examples of User Education Network Advertising Initiative (NAI) (http://www.networkadvertising.org)http://www.networkadvertising.org Digital Advertising Alliance (DAA) (http://www.aboutads.info/)http://www.aboutads.info/ DAA’s Education Principle: The DAA must maintain a central educational website and provide educational ads.

5 Network Advertising Initiative

6 Digital Advertising Alliance

7 Cookie Education

8

9

10 Cartoon about Spoofing [http://www.securitycartoon.com/]http://www.securitycartoon.com/

11 A Look At Cookies http://www.youtube.com/watch?v=TBR-xtJVq7E

12 Cookies http://www.youtube.com/watch?v=HC7CDqCrqnE

13 Got Cookies http://www.youtube.com/watch?v=JYCpiZKY30E

14 What They Know Advertising Cookies And You http://www.youtube.com/watch?v=O2wMVk10X0M

15 Which one do you like? 1 2 34

16 Staying Clear of Cyber Tricks http://www.youtube.com/watch?v=MrG061_Rm7E

17

18

19 Security Reinforcement Applications Vicarious Security Reinforcement “Using Reinforcement to Strengthen Users' Secure Behaviors” Security-Reinforcing Applications (SRA) Inspired by Operant Conditioning Model Reward users' secure behavior Vicarious Security Reinforcement (VSR) Inspired by Social Learning Theory Help accelerate SRA benefits Results SRA improves users' secure behaviors Not extinguish after several weeks VSR accelerates learning of desired security behaviors in SRA users. [Villamarín-Salomón et al., 2010]

20 Operant Conditioning (OC) Model Operant Conditioning A form of psychological learning An individual acquires or maintains a behavior as a result of the behavior's consequences to the individual Reinforcer Consequence that strengthen a behavior Positive Reinforcement Present something pleasing Negative Reinforcement Remove something displeasing Punishment Consequence that weaken a behavior Antecedent Stimuli present in the environment only immediately before behaviors that are reinforced

21 Security-Reinforcing Applications Reinforce users' secure behaviors Deploy within organizations Secure Behavior Rejection of unjustified risks (UR) Acceptance of justified risks (JR) Insecure Behaviors Acceptance of unjustified risks (UR) Rejection of justified risks (JR) Justified Risks primary tasks no other alternatives to accomplish such tasks no means to mitigate the risks

22 Example of UR and JR UR may be an email message containing an attachment that is unexpected, from an unknown sender, unnecessary to the user's job-related tasks, or of a type that may spread infections (e.g.,.exe). In this case, the user may mitigate the risk by, e.g., asking the sender to retransmit the attachment in a less risky file format (e.g.,.txt). JR may be represented by an email that (a) the user was expecting and contains an attachment useful to complete a work-related task, or (b) was sent by a known member of the user's organization, with wording not appearing out of character for such sender, and explaining clearly why the recipient needs the attachment for her work.

23 Security-Reinforcing Applications

24

25 Vicarious Security Reinforcement Problems when using SRA: Take time for users to understand association between secure behavior and reward Users handle some of risks, but may miss others “Vicarious security reinforcement (VSR) can model secure behaviors and present their desirable consequences without waiting for users to emit fortuitously such behaviors and stumble upon their consequences.”

26 Social Learning (SL) Theory Learning in social context Individuals can also acquire and maintain behaviors by observing their consequences in others (models) Vicarious reinforcement sub process Attention Retention Reproduction Motivation Difference to Imitation refrain from unwanted behavior by observing subsequent consequences

27 Vicarious Security Reinforcement

28

29 Experiment

30

31 Comparison with PhishGuru SRAs Embedded rewards Organization-specific security policies and targeted attacks With supervision Educate about complex policies PhishGuru Links to websites with educational cartoons Organization-specific security policies and targeted attacks Without supervision quicker apply simpler policies

32

33 Class Activity: User Education on SNS Phishing

34 Contextual Training Users are sent simulated phishing emails by the experimenter to test user’s vulnerability regarding phishing attacks At the end of the study, user is notified about phishing attacks No immediate feed-back

35 Embedded Training Teaches user about phishing during regular usage of the application, such as email

36 Reflection Principle Reflection is the process by which learners are made to stop and think about what they’re learning

37 Story-based Agent Environment Principle Agents are characters that help users regarding learning process

38 Conceptual-Procedural Principle Conceptual & Procedural knowledge influence one and another

39 Demo of Anti-Phishing Phil http://wombatsecurity.com/antiphishingphil

40 Another Form of Phishing Attack Full Screen API Demo

41 Ad-Click Demo http://www.yahoo.com/

42 User Should Reject Security Advice? User rejecting security advice is rational from an economic perspective 100% of certificate error warnings appear to be false positive Most security advices provide poor cost-benefit tradeoff to users and is rejected How can we blame users for not adhering to certificate warnings when vast majority of them are false positives?

43 Users are the Weakest Link in Security Why attack machines when users are so easy to target? Most large web-sites offer security tips to users Not so effective however Users are lazy

44 Why Do Users Disregard Security Warnings? Overwhelmed Benefits are moot or perceived as moot Strong password does nothing in presence of keylogger How often does user perceive a real attack?

45 Password Policies

46 Teaching Users to Identify Phishing Sites By Reading URL Phishers quickly evolve

47 Certificate Errors Type https://www.paypal.comhttps://www.paypal.com Type http://www.paypal.comhttp://www.paypal.com Type paypal control + enter Search Google for PayPal and click link Click bookmarked https://www.paypal.comhttps://www.paypal.com Click bookmarked http://www.paypal.comhttp://www.paypal.com Problems?

48 Discussion

Download ppt "User Education Baik Sangyong Cheng Zeng. Agenda Why Need User Education Examples of User Education Security-Reinforcing Application for User Education."

Similar presentations

Chapter 9 Motivation Explain what motivation is and why managers need to be concerned about it Describe from the perspectives of expectancy theory and.

Chapter 9 Motivation Explain what motivation is and why managers need to be concerned about it Describe from the perspectives of expectancy theory and.
How to protect yourself, your computer, and others on the internet

How to protect yourself, your computer, and others on the internet
Cyber Stalking Cyber Stalking Phishing Hacker 1. Never reveal your home address !!! This rule is especially important for women who are business professionals.

Cyber Stalking Cyber Stalking Phishing Hacker 1. Never reveal your home address !!! This rule is especially important for women who are business professionals.
What is Bad ? Spam, Phishing, Scam, Hoax and Malware distributed via

What is Bad ? Spam, Phishing, Scam, Hoax and Malware distributed via
 Understand how safety behavior is shaped  Analyze employee behavior  Pinpoint, observe, and measure specific behaviors  Provide positive feedback.

 Understand how safety behavior is shaped  Analyze employee behavior  Pinpoint, observe, and measure specific behaviors  Provide positive feedback.
Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.

Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.
James Sees Senior Network Administrator Management Analyst Cyber Protection Strategies White Hall Business Association - Cyber Security & Awareness Conference.

James Sees Senior Network Administrator Management Analyst Cyber Protection Strategies White Hall Business Association - Cyber Security & Awareness Conference.
Behavioral Theories Of Learning

Behavioral Theories Of Learning
Chapter 5 Motivation Theories

Chapter 5 Motivation Theories
MOTIVATION THAT WHICH CAUSES BEHAVIOR TO BEGIN SUSTAINED BEHAVIOR.

MOTIVATION THAT WHICH CAUSES BEHAVIOR TO BEGIN SUSTAINED BEHAVIOR.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan McCune Security Reading Group February 6, 2004.

Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan McCune Security Reading Group February 6, 2004.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
October is National Cyber Security Month OIT and IT providers are launching an awareness campaign to provide tips and resources to help you stay safe online.

October is National Cyber Security Month OIT and IT providers are launching an awareness campaign to provide tips and resources to help you stay safe online.
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
Behaviorism Ed Tech Masters Program Summer 2003. What is behaviorism all about? Psychology is purely the study of external behavior Behavior is objective.

Behaviorism Ed Tech Masters Program Summer What is behaviorism all about? Psychology is purely the study of external behavior Behavior is objective.
Email June 2013. Email Email is an easy way to communicate. It costs nothing to send an email, but it does require a connection to the Internet. You can.

June is an easy way to communicate. It costs nothing to send an , but it does require a connection to the Internet. You can.
Teach a man (person) to Phish Recognizing email scams, spams and other personal security attacks July 17 th, 2013 High Tea at IT, Summer, 2013.

Teach a man (person) to Phish Recognizing scams, spams and other personal security attacks July 17 th, 2013 High Tea at IT, Summer, 2013.
Quiz Review.

Quiz Review.
Protecting Our Personal Space Security in a Virtual World.

Protecting Our Personal Space Security in a Virtual World.

Similar presentations

Ads by Google