INFORMATION SECURITY CONSCIOUSNESS What you need to know about the psychology of online defence

Page 2: Information security consciousness

Today’s talk

• Introduction

• About me

• Elements of cybersecurity practice

• The psychology of everyday strife

• Moving slowly with unstable infrastructure

• Information security consciousness

Page 3: Information security consciousness

Today’s Talk

• The aim of this talk is to deep-dive the psychology of cybersecurity, in order to give attendees a more profound insight into their everyday security routines. If you’d like to know how to re-wire your mind to make cybersecurity more efficient and easier to achieve, this is the talk for you.

Page 7: Information security consciousness

About me

Dr Ciarán Mc Mahon is a director of the Institute of Cyber Security and an award-winning academic psychologist from Ireland. A former Government of Ireland Scholar, he has published research on the history of psychological language, the psychology of social media, digital wellness and the social impact of cybercrime. Ciarán has worked at a number of third level institutions, most recently at the CyberPsychology Research Centre at the Royal College of Surgeons in Ireland. Ciarán also has extensive media experience and regularly contributes on topics relating to the human aspects of information technology to national and international outlets including Sky News, BBC Radio London, USA Today, Fortune Magazine, and The Guardian.

Page 8: Information security consciousness

ELEMENTS OF CYBER SECURITY

Page 9: Information security consciousness

General advice

1. Use strong and unique passwords.

2. Think before you click. Don't fall for scams!

3. Don't plug in unknown USB keys.

4. Use only trusted and secure connections, devices, sites and services.

5. Don’t let anyone look over your shoulder when online, and log out once finished.

6. Report suspicious activities/cybercrimes to the authorities.

7. Always run the latest version of your OS and software. Run your anti-virus regularly and keep it updated too.

Page 11: Information security consciousness

WHY DO WE FIND CYBER SECURITY HARD?

and how can we make it easier? and more efficient?

Page 12: Information security consciousness

Passwords (Whitty, Doodson, Creese, & Hodges, 2015)

o Most likely to share passwords:

o Younger people

o Low perseverance

o High self-monitoring

o Knowledge about cybersecurity did not distinguish between those who did and did not share passwords

Page 13: Information security consciousness

Passwords (Pilar, Jaeger, Gomes, & Stein, 2012)

o Older adults had no more memory difficulties than younger adults

o The number of password uses was the most influential factor on memory performance

o The limit for most people seems to be 5 passwords

o Recommend mnemonics and re-using passwords by category of use

Page 15: Information security consciousness

Passwords (Das, Hong, & Schechter, 2016)

o Microsoft research

o Participants assigned six random words

o (∼56 bits of entropy)

o Then trained to form them into a story

o Less training, better recall, than rote learning
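The "~56 bits of entropy" figure for six random words follows from the size of the wordlist the words are drawn from: each word chosen uniformly at random contributes log2(list size) bits. The Python below is an added example, not code from the talk or from the Das et al. study; `SAMPLE_WORDLIST` is a constructed sixteen-word list used only so the block runs offline, and all function names are mine. It computes the entropy for a given list size, works back to the list size needed for a 56-bit, six-word passphrase, generates a passphrase with a cryptographic RNG, and contrasts it with a short random-character password of comparable strength.

```python
import math
import secrets

# Constructed wordlist for illustration only. A real passphrase wordlist
# (a diceware-style list, for instance) has thousands of entries; with
# only 16 words, six of them give just 6 * log2(16) = 24 bits.
SAMPLE_WORDLIST = [
    "apple", "bridge", "candle", "dragon", "ember", "forest", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchard", "pebble",
]


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase made of num_words words drawn uniformly at
    random, with replacement, from a list of wordlist_size entries.
    Each word adds log2(wordlist_size) bits. The figure only holds when
    the words really are chosen by a CSPRNG, not picked by the user."""
    if num_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return num_words * math.log2(wordlist_size)


def wordlist_size_for_bits(target_bits: float, num_words: int) -> int:
    """Smallest wordlist that yields at least target_bits with num_words words."""
    return math.ceil(2 ** (target_bits / num_words))


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random character string, for comparison with
    a word-based passphrase of similar strength."""
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist, num_words: int = 6) -> str:
    """Pick num_words words with the secrets module (CSPRNG); never use
    random.choice for anything that acts as a credential."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    # Six words at ~56 bits implies a list of about 646 words.
    print("wordlist size for 56 bits with 6 words:", wordlist_size_for_bits(56, 6))
    print("6 words from a 645-word list:", round(passphrase_entropy_bits(6, 645), 1), "bits")
    # An 8-character password over the 94 printable ASCII characters is in
    # the same range, but is far harder to remember than six words.
    print("8 random printable chars:", round(random_string_entropy_bits(8, 94), 1), "bits")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST))
    print("its entropy:", passphrase_entropy_bits(6, len(SAMPLE_WORDLIST)), "bits")
```

The contrast the last two prints make is the study's point: roughly the same search space as a short random-character password, but in a form a story mnemonic can carry.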

Page 16: Information security consciousness

Phishing (Parsons et al., 2013)

o Participants who knew they were in a phishing study performed significantly better

o Participants who had formal training in information systems performed more poorly overall.

o 42% of all emails were incorrectly classified

Page 17: Information security consciousness

Phishing (Vishwanath, Herath, Chen, Wang, & Rao, 2011)

o Most phishing emails are peripherally processed and individuals make decisions based on simple cues embedded in the email (e.g. Urgent!!)

o People far more likely to respond to phishing emails when they have large email loads...

Page 18: Information security consciousness

Phishing research

• Must recognise that the signal/noise ratio is prohibitive here

• Strategies

– if you come across a phishing email, share screenshots with colleagues

– if targeted/spearphishing, inform your security team asap

Page 19: Information security consciousness

USB keys (Tischer et al., 2016)

o 16% scanned drive with anti-virus software; 8% believed their OS would protect them

o Majority connected a drive in order to locate its owner (68%)

o Study authors believe altruism comes first, then curiosity

o “I was wondering why a jpeg picture had an html address”

Page 20: Information security consciousness

USB keys (Hornstein, Fisch, & Holmes, 1968)

o Famous social psychology study

o People more likely to return lost wallet when primed to feel good about it

o but 12% of people primed to feel bad about returning the wallet still did so

o what’s the moral of the story?

Page 21: Information security consciousness

Anti-virus & updating

• Lurking (Nonnecke, East, & Preece, 2001)

• Pareto principle

– 90/9/1 rule

– 90 people watch

– 9 people talk

– 1 person creates

• Ergo, few expect to have to do maintenance

Page 22: Information security consciousness

Anti-virus & updating

• Telepresence (Lombard, Ditton, & Media, 1997)

– IT is designed to be a seamless interactive, unobtrusive experience

– no awareness of actual engineering

• Ergo, surprise when required

Page 23: Information security consciousness

‘Everything is broken’

• Quinn Norton

‘It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire.

Computers, and computing, are broken.’

Page 24: Information security consciousness

‘Another flaw in the human character is that everybody wants to build and nobody wants to do maintenance’ (Vonnegut)

Page 26: Information security consciousness

What is the mind?

SHEN HSIU
The body is the Bodhi tree
The mind a bright mirror stand
Cleanse it with daily diligence
See to it that no dust adheres

HUI-NENG
There is no Bodhi-tree,
Nor stand of a mirror bright.
Since all is void,
Where can the dust alight?

Page 29: Information security consciousness

‘Mind as machine’

memory cache

hard-wired

processing power

bootstrap

Page 31: Information security consciousness

‘Security as warfare’

attack/defence

firewall

weapons

threat model

Page 32: Information security consciousness

‘Security as hygiene’

virus

infection

quarantine

code injection

Page 34: Information security consciousness

‘hyper cyber securitization’

because it’s essentially invisible, like the mind, security is often overhyped

Page 35: Information security consciousness

we need to transcend these metaphors if we are to truly incorporate cyber security into our daily practices.

It has to be more meaningful

Page 36: Information security consciousness

What is information security consciousness?

Page 37: Information security consciousness

information security consciousness

1. A refusal to sow fear and a pledge to conserve attention

2. An awareness of human limits, and a readiness to transcend them

3. An acknowledgement that ‘everything is broken’ and a willingness to fix it

Page 38: Information security consciousness

But above all

Page 40: Information security consciousness

practice loyalty

thank you