INFORMATION SECURITY CONSCIOUSNESS
What you need to know about the psychology of online defence
Today’s talk
• Introduction
• About me
• Elements of cybersecurity practice
• The psychology of everyday strife
• Moving slowly with unstable infrastructure
• Information security consciousness
Today’s Talk
• The aim of this talk is to deep-dive into the psychology of cybersecurity, in order to give attendees a more profound insight into their everyday security routines. If you’d like to know how to re-wire your mind to make cybersecurity more efficient and easier to achieve, this is the talk for you.
About me
Dr Ciarán Mc Mahon is a director of the Institute of Cyber Security and an award-winning academic psychologist from Ireland. A former Government of Ireland Scholar, he has published research on the history of psychological language, the psychology of social media, digital wellness and the social impact of cybercrime. Ciarán has worked at a number of third level institutions, most recently at the CyberPsychology Research Centre at the Royal College of Surgeons in Ireland. Ciarán also has extensive media experience and regularly contributes on topics relating to the human aspects of information technology to national and international outlets including Sky News, BBC Radio London, USA Today, Fortune Magazine, and The Guardian.
ELEMENTS OF CYBER SECURITY
General advice
1. Use strong and unique passwords.
2. Think before you click. Don't fall for scams!
3. Don't plug in unknown USB keys.
4. Use only trusted and secure connections, devices, sites and services.
5. Don’t let anyone look over your shoulder when online, and log out once finished.
6. Report suspicious activities/cybercrimes to the authorities.
7. Always run the latest version of your OS and software. Run your anti-virus regularly and keep it updated too.
WHY DO WE FIND CYBER SECURITY HARD?
and how can we make it easier? and more efficient?
Passwords (Whitty, Doodson, Creese, & Hodges, 2015)
o Most likely to share passwords:
o Younger people
o Low perseverance
o High self-monitoring
o Knowledge about cybersecurity did not distinguish between those who did and did not share passwords
Passwords (Pilar, Jaeger, Gomes, & Stein, 2012)
o Older adults had no more memory difficulties than younger adults
o Number of password uses was the most influential factor on memory performance
o The limit for most people seems to be 5 passwords
o Recommend mnemonics and re-using passwords by category of use
Passwords (Das, Hong, & Schechter, 2016)
o Microsoft research
o Participants assigned six random words
o (∼56 bits of entropy)
o Then trained to form them into a story
o Less training, better recall, than rote learning
Phishing (Parsons et al., 2013)
o Participants who knew they were in a phishing study performed significantly better
o Participants who had formal training in information systems performed more poorly overall.
o 42% of all emails were incorrectly classified
Phishing (Vishwanath, Herath, Chen, Wang, & Rao, 2011)
o Most phishing emails are peripherally processed and individuals make decisions based on simple cues embedded in the email (e.g. Urgent!!)
o People far more likely to respond to phishing emails when they have large email loads...
Phishing research
• Must recognise that the signal/noise ratio is prohibitive here
• Strategies
– if you come across a phishing email, share screenshots with colleagues
– if targeted/spearphishing, inform your security team ASAP
USB keys (Tischer et al., 2016)
o 16% scanned the drive with anti-virus software; 8% believed their OS would protect them
o Majority connected a drive in order to locate its owner (68%)
o Study authors believe altruism comes first, then curiosity
o “I was wondering why a jpeg picture had an html address”
USB keys (Hornstein, Fisch, & Holmes, 1968)
o Famous social psychology study
o People more likely to return a lost wallet when primed to feel good about it
o but 12% of people primed to feel bad about returning the wallet still did so
o what’s the moral of the story?
Anti-virus & updating
• Lurking (Nonnecke, East, & Preece, 2001)
• Pareto principle
– 90/9/1 rule
– 90 people watch
– 9 people talk
– 1 person creates
• Ergo, few expect to have to do maintenance
Anti-virus & updating
• Telepresence (Lombard, Ditton, & Media, 1997)
– IT is designed to be a seamless, interactive, unobtrusive experience
– no awareness of actual engineering
• Ergo, surprise when required
‘Everything is broken’
• Quinn Norton
‘It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire. Computers, and computing, are broken.’
‘Another flaw in the human character is that everybody wants to build and nobody wants to do maintenance’ (Vonnegut)
What is the mind?
SHEN HSIU
The body is the Bodhi tree
The mind a bright mirror stand
Cleanse it with daily diligence
See to it that no dust adheres
HUI-NENG
There is no Boddhi-tree,
Nor stand of a mirror bright.
Since all is void,
Where can the dust alight?
‘Mind as machine’
memory cache
hard-wired
processing power
bootstrap
‘Security as warfare’
attack/defence
firewall
weapons
threat model
‘Security as hygiene’
virus
infection
quarantine
code injection
‘hyper cyber securitization’
because it’s essentially invisible, like the mind, security is often overhyped
we need to transcend these metaphors if we are to truly incorporate cyber security into our daily practices.
It has to be more meaningful
What is information security consciousness?
information security consciousness
1. A refusal to sow fear and a pledge to conserve attention
2. An awareness of human limits, and a readiness to transcend them
3. An acknowledgement that ‘everything is broken’ and a willingness to fix it
But above all
practice loyalty
thank you