Norman M. Sadeh, Ph.D.

Smart Phone Security & Privacy:

What Should We Teach Our Users

…and How?

Professor, School of Computer Science
Director, Mobile Commerce Lab.
Carnegie Mellon University

Co-Founder & Chief Scientist
Wombat Security Technologies


Copyright © 2011-2012 Norman M. Sadeh

The Smart Phone Invasion

FISSEA 2012 - 2


BYOD: The New Frontier

48% of employees will buy their own devices – whether their organization approves that particular device or NOT! (Forrester Research)

Blur between work life & private life


Unrealistic policies don’t work – even if they look good

“If you can’t fight them, join them”

…hopefully under your own terms…


The Problem is that…

BYOD implies users who are:

responsible

knowledgeable

accountable


Is this truly possible? Do we really have a choice?


Training has a Big Role to Play

…But training has traditionally failed

Security is a secondary task:

employees are not motivated to learn

Traditional delivery methods and content have not been very compelling

Required knowledge is vast & continues to grow

Practical strategies and tips are not always easy to articulate



Mobile Security & Privacy Training

…at least as complex…

Mediates a wide range of scenarios

Phone calls, SMS, camera, location, email, apps and much more

Lack of awareness: People do not think of their smart phone as a computer

Variety of devices


…and obviously they are mobile devices…


Android Permissions: An Example of the Challenges We Face

P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall, “A Conundrum of Permissions: Installing Applications on an Android Smartphone”, USEC 2012.


What Are We Up Against?

Misconceptions: Most users did not realize that apps were not vetted

Unusable security: Most users do not understand Android permissions

Bad habits & cognitive biases: Most users rely on word of mouth and star ratings

Users always proceed with the download of apps, even though they don’t understand the permissions


Where Do We Start?


Understanding the Risks: The Big Gap


Most people do not realize how sensitive their phones are

© Wombat Security Technologies, 2011-2012


…and How Vulnerable They Are…

Challenge them to take quizzes

…or better: Motivate them via mock attacks

Nothing beats showing a user how vulnerable (s)he is



Phishing as an Example

Email phishing: Much worse on mobile phones

Mobile users are first to arrive at phishing websites

Mobile users 3x more likely to submit credentials than desktop users

Source: Trusteer, Jan. 2011 – similar


Training via Mock Attacks: PhishGuru

Teach people in the context they would be attacked

If a person falls for a simulated phish, then pop up an intervention

Unique “teachable moment”


The PhishGuru campaign process:

Select Target Employees

Customize Fake Phishing Email

Select Training

Internal Test and Approval Process

Hit Send

Monitor & Analyze Employee Response


This really works!

Reduces the chance of falling for an attack by more than 70%!

Actual Results

[Chart: percentage of employees who viewed the email and clicked the link (0 to 40% axis), shown for Campaign 1, Campaign 2 and Campaign 3]
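The campaign loop above (send, monitor, analyze) and the "Actual Results" measurement can be written down as a small event-log model. The following is an added example, not code from the slides or from Wombat's PhishGuru product: it records which employees were sent the simulated email, who clicked it (the teachable moment that triggers the intervention), who reported it, and computes the per-campaign fall-for rate, the relative reduction across campaigns, and the users who fell for it repeatedly. The event names, intervention labels, user ids and the sample log are constructed assumptions.

```python
# Added example, not from the slides or from Wombat's PhishGuru product:
# a minimal model of a mock-phishing training campaign's event log and of
# the per-campaign metrics an "Actual Results" chart reports.
# Event names, intervention labels and the sample log are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Event:
    campaign: str  # campaign label, e.g. "Campaign 1"
    user: str      # pseudonymous employee id (constructed)
    action: str    # one of: "sent", "clicked", "submitted", "reported"


# Which embedded-training intervention to show at the teachable moment.
# Labels are assumptions; the lesson content itself lives elsewhere.
INTERVENTIONS = {
    "clicked": "landing-page-lesson",                      # user clicked the simulated link
    "submitted": "landing-page-lesson+credential-advice",  # user also typed credentials
}


def intervention_for(event: Event) -> Optional[str]:
    """Training module to pop up when a user falls for the mock phish,
    or None for events that are not a failure ("sent", "reported")."""
    return INTERVENTIONS.get(event.action)


def _users(events: Iterable[Event], campaign: str, action: str) -> set:
    return {e.user for e in events if e.campaign == campaign and e.action == action}


def fall_rate(events: Iterable[Event], campaign: str) -> float:
    """Fraction of targeted users who clicked the simulated link or submitted
    credentials. Only users who were actually sent the email count, so stray
    events (forwarded links, tester clicks) do not inflate the rate."""
    events = list(events)
    sent = _users(events, campaign, "sent")
    if not sent:
        return 0.0
    fell = _users(events, campaign, "clicked") | _users(events, campaign, "submitted")
    return len(fell & sent) / len(sent)


def report_rate(events: Iterable[Event], campaign: str) -> float:
    """Fraction of targeted users who reported the simulated email: the
    positive behaviour the training is trying to build."""
    events = list(events)
    sent = _users(events, campaign, "sent")
    return len(_users(events, campaign, "reported") & sent) / len(sent) if sent else 0.0


def reduction(events: Iterable[Event], first: str, last: str) -> float:
    """Relative drop in fall rate between two campaigns
    (0.75 means 75% fewer users fell for the attack)."""
    events = list(events)
    before, after = fall_rate(events, first), fall_rate(events, last)
    return 0.0 if before == 0 else (before - after) / before


def repeat_clickers(events: Iterable[Event], min_campaigns: int = 2) -> set:
    """Users who fell for the mock phish in at least `min_campaigns` distinct
    campaigns: candidates for varied follow-up training rather than the same lesson."""
    campaigns_by_user = defaultdict(set)
    for e in events:
        if e.action in INTERVENTIONS:
            campaigns_by_user[e.user].add(e.campaign)
    return {u for u, cs in campaigns_by_user.items() if len(cs) >= min_campaigns}


def campaign_summary(events: Iterable[Event]) -> dict:
    """Per-campaign metrics, the numbers a 'Monitor & Analyze' step reports."""
    events = list(events)
    return {c: {"fall_rate": fall_rate(events, c), "report_rate": report_rate(events, c)}
            for c in sorted({e.campaign for e in events})}


# Constructed sample log: five employees, three campaigns. Fall rate goes
# 80% -> 40% -> 20%, i.e. a 75% reduction from Campaign 1 to Campaign 3.
_USERS = ["u1", "u2", "u3", "u4", "u5"]
SAMPLE_EVENTS = (
    [Event("Campaign 1", u, "sent") for u in _USERS]
    + [Event("Campaign 1", u, "clicked") for u in ("u1", "u2", "u3", "u4")]
    + [Event("Campaign 2", u, "sent") for u in _USERS]
    + [Event("Campaign 2", u, "clicked") for u in ("u1", "u2")]
    + [Event("Campaign 2", u, "reported") for u in ("u3", "u4")]
    + [Event("Campaign 3", u, "sent") for u in _USERS]
    + [Event("Campaign 3", "u1", "clicked")]
    + [Event("Campaign 3", u, "reported") for u in ("u2", "u3", "u4", "u5")]
)

if __name__ == "__main__":
    for name, m in campaign_summary(SAMPLE_EVENTS).items():
        print(f"{name}: fell for it {m['fall_rate']:.0%}, reported {m['report_rate']:.0%}")
    print(f"reduction Campaign 1 -> 3: {reduction(SAMPLE_EVENTS, 'Campaign 1', 'Campaign 3'):.0%}")
    print("repeat clickers:", sorted(repeat_clickers(SAMPLE_EVENTS)))
```

Counting only clicks from users who were actually targeted is the check worth keeping in a real program: forwarded links and internal test clicks otherwise distort the rate, and the report rate is the metric that shows the "suspicious by habit" behaviour the later slides aim for.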


Starting with the Most Common Threats


Source for image: http://www.malaysianwireless.com/2011/09/advice-how-to-protect-your-smartphone/

Millions of cell phones lost or stolen each year

Majority of smart phone users still do not have PINs


Learning by Doing is Critical

Teach people to better appreciate the risks

Create mock situations

Force them to make decisions

Provide them with feedback

© Wombat Security Technologies, 2011-2012


Gradually Move Towards More Complex Tasks

Mobile Apps

Location

Social Networking


Mobile Apps

Challenge: difficult to come up with fool-proof rules

Train people to be suspicious & look for possible red flags

Emphasis on:

Learning by doing

Feedback

Opportunities for reflection


From Simple to Increasingly Realistic


© Wombat Security Technologies, 2011-2012


Concluding Remarks

BYOD trends make training critical

Users have little awareness of the risks associated with smart phones

Effective training requires adoption of learning science principles

Creating realistic scenarios – including mock attacks

Interactive training - Learning by doing

Start with most common risks

Training has to be part of an employee’s daily life – repetition & variations are critical


http://wombatsecurity.com

http://mcom.cs.cmu.edu

Q&A