
The Psychology Behind Security (or Why Aren’t Users More Secure ?)

Greg Sternberg, CISSP Solutions/Security Architect Jeppesen 12 April 2011. The Psychology Behind Security (or Why Aren’t Users More Secure ?). Agenda. Who am I? Security Frustrations User Frustrations “Risky” Thinking Heuristics Complicating Factors So What Does It Mean For Security?.


Presentation Transcript


  1. Greg Sternberg, CISSP Solutions/Security Architect Jeppesen 12 April 2011 The Psychology Behind Security (or Why Aren’t Users More Secure ?)

  2. Agenda • Who am I? • Security Frustrations • User Frustrations • “Risky” Thinking • Heuristics • Complicating Factors • So What Does It Mean For Security?

  3. A Bit About Myself
  • In the beginning... Solutions/Security Architect @ Jeppesen (a Boeing Company)
  • Security in aviation standards
  • Security Community of Practice (CoP): communication between security personnel (‘real’ security, physical security, compliance, software)
  • Selling security
  • Integrating security into software engineering
  • Military offerings: ITAR, export, compliance issues
  • Member of the Denver chapter of ISSA
  • Author & presenter

  4. Social Engineering

  5. Still Crazy After All These Years
  • During a breach at rockyou.com (#1) where 32 million passwords were stolen it was discovered:
    • 30% of the passwords were six characters or smaller
    • 60% were passwords created from a limited set of alphanumeric characters
    • 50% of the users had used easily guessable names, common slang words, adjacent keyboard keys and consecutive digits as their passwords
  • A study of password habits in 2007 (#2) found that users still choose the weakest they can get away with, much as they did three decades earlier

  6. We May All Speak English, But… Overheard:
  Security: “Your password is weak; you need to change it.”
  User: “My password isn’t ‘weak’; it’s my last name.”
  Security: “No, what I meant is your last name isn’t a good password because it doesn’t follow our password conventions.”
  User: “But it has upper and lower case and it’s more than eight characters – how much more secure do I need to be?”

  7. Fun With Browsers
  • Fun with Fonts:
    www.paypal.com
    www.paypa1.com
    www.paypaI.com
  • Fun with URLs:
    https://www.usa.visa.com/personal/secure_with_visa/index.html?t=h1_/index.html
    http://www.verified-web-us.com/Visa%20USA%20%20Personal%20%20Protect%20Your%20Card.htm
    http://www.usa.visa.com@3468664375/obscure.htm
    http://www.bankofamerica.com&service=accountlogin&sessionid=AxYghT809532AjAhklkjfldsl4380439053Xvgjy73099538309AngfldhgTYiHYojn43540538080985034LAAJKnhfdser6545342iuSA6feerhteh358fhds&accessip=@174.120.41.176/~inferno/exploits/obfusurl/index.htm
  • Are http://www.bankofamerica.com and http://wwwui.global.bankofamerica.com and http://171.159.228.100 the same ?
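To make the slide's point concrete for defenders, here is an added example (not from the talk) that splits each URL the way a browser does and reports the host the request really goes to, the decoy text before an '@', a decimal IP literal in dotted form, and lookalike domains. The brand list and the confusable table are assumptions, and the sample URLs are constructed after the ones above.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption (constructed list): the brands a defender wants to protect from lookalikes.
KNOWN_BRANDS = {"paypal.com", "visa.com", "bankofamerica.com"}
# Assumption: a tiny confusable table (digit one, capital I and pipe for l; zero for o).
# Real skeleton tables (Unicode TR39) are far larger; this covers the slide's cases.
CONFUSABLES = str.maketrans({"1": "l", "I": "l", "|": "l", "0": "o"})


def skeleton(name: str) -> str:
    """Fold look-alike characters so paypal / paypa1 / paypaI compare equal."""
    return name.translate(CONFUSABLES).lower()


def registrable_domain(host: str) -> str:
    """Last two DNS labels, case preserved. Simplification: ignores suffixes like co.uk."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def ip_literal(host: str):
    """Browsers accept a bare decimal integer as an IPv4 address; return dotted form or None."""
    try:
        if host.isdigit():
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def real_host(url: str):
    """Split the authority the way a browser does: [userinfo '@'] host [':' port]."""
    userinfo, _, hostport = urlsplit(url).netloc.rpartition("@")
    return userinfo, hostport.split(":")[0]


def analyze(url: str) -> dict:
    """Report where the request actually goes and which parts of the URL are decoys."""
    parts = urlsplit(url)
    userinfo, host = real_host(url)
    ip = ip_literal(host)
    reg = None if ip else registrable_domain(host)
    findings = []
    if userinfo:
        findings.append("text before '@' is userinfo, not the host")
    if ip:
        findings.append(f"host is an IP literal {ip}")
    elif reg.lower() not in KNOWN_BRANDS and skeleton(reg) in {skeleton(b) for b in KNOWN_BRANDS}:
        findings.append(f"{reg} is a lookalike of a known brand")
    # A brand name in userinfo, path or query but not in the host is a decoy
    # (heuristic: a brand word inside an unrelated word would also match).
    decoy_text = (userinfo + parts.path + parts.query).lower()
    for brand in sorted(KNOWN_BRANDS):
        if (reg or "").lower() != brand and brand.split(".")[0] in decoy_text:
            findings.append(f"brand {brand} appears in the URL but not in the host")
    return {"host": host.lower(), "ip": ip, "registrable": reg and reg.lower(), "findings": findings}


def same_site(url_a: str, url_b: str):
    """True/False for two named hosts; None when an IP literal makes it undecidable offline."""
    hosts = [real_host(u)[1] for u in (url_a, url_b)]
    if any(ip_literal(h) for h in hosts):
        return None
    return registrable_domain(hosts[0]).lower() == registrable_domain(hosts[1]).lower()


if __name__ == "__main__":
    # Constructed after the slide's examples (session id shortened, IP from RFC 5737 space).
    for sample in (
        "https://www.usa.visa.com/personal/secure_with_visa/index.html?t=h1_/index.html",
        "http://www.verified-web-us.com/Visa%20USA%20Personal%20Protect%20Your%20Card.htm",
        "http://www.usa.visa.com@3468664375/obscure.htm",
        "http://www.bankofamerica.com&service=accountlogin&sessionid=CONSTRUCTED&accessip=@203.0.113.5/login/index.htm",
        "https://www.paypaI.com/signin",
    ):
        print(analyze(sample))
    print(same_site("http://www.bankofamerica.com", "http://wwwui.global.bankofamerica.com"))
```

The decimal host on the slide resolves to a dotted address the user never sees in the link text, which is exactly why the host, not the visible brand name, is the only thing worth checking.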

  8. Chicken Marsala Isn’t This Complicated
  The following rules apply to all passwords:
  • The password must be at least 8 characters long.
  • The password must contain at least: one alpha character [a-zA-Z]; one numeric character [0-9]; one special character from this set: ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?
  • The password must not: contain spaces; begin with an exclamation [!] or a question mark [?]; contain your login ID; contain your first or last name; contain any dictionary word; contain a repeating pattern of characters.
  • The first 3 characters cannot be the same.
  • The sequence of the first 3 characters cannot be in your login ID.
  • The first 8 characters cannot be the same as in your previous password.
  • Passwords cannot be reused for a period of one year.
  • Passwords are treated as case sensitive.
  • Passwords must be changed every 90 days.
  • Passwords cannot be written down.

  9. Is This Something I Should Care About? The only text in this email was: ?

  10. When Theory And Practice Collide
  • Users have an average of 25 password accounts to manage (#23)
  • So if a user enters eight passwords a day and it takes them five seconds to recall what the password is, this equates to a little over three hours of wasted time a year
  • With 5000 people this equates to almost 700 days a year.
  • Choosing secure memorable passwords proves a difficult task for most users (#23)
  • So using a passphrase and substituting letters with a non-alphabetic character, mixing upper/lowercase, creatively using ‘special’ characters and numbers while avoiding common substitutions like @ for A/a, I would need to come up with 75 passwords like: 4pRte!ai@3, Tp4tci2s4U2g!, tDI"60Hs7Q, l52@36291QBs(, BBslwys90!, B1g bRother |$ alw4ys riGHt!?, So((erMama3pinions, 8eproactiveWin7, #golfbadlyM@c, W!!FamilyAbou7.com, etc…

  11. It’s All About Risk
  • Determining actions based on risk evaluation is something we do constantly
  • We are better at evaluating immediate risks (e.g. dodging a baseball) and not so good at evaluating delayed risks (e.g. global warming) (#5, #8, #9, #12)
  • "Security is both a feeling and a reality. And they're not the same." (#4)
  • So what makes us feel secure? If the effort needed to mitigate the risk is more than the realization of the risk, then we are willing to feel secure!
  • ...But...! We are bad at evaluating risks

  12. Competing Risk Evaluation Systems • Information and sensory input is sent to both the amygdala and the neocortex (#4,5,6,19). • The amygdala reacts • The neocortex thinks • Both the amygdala and neocortex need data before they can evaluate the situation and both reference past events in coming to their conclusions • The amygdala references the emotional context • The neocortex references abstract concepts like how reliable the data is or how reasonable the initial response is

  13. Heuristics Fully and completely processing the information we receive is beyond the capabilities of either the amygdala or the neocortex, so we have developed mental 'short-cuts', or heuristics, to keep up (#7). Heuristics are our way of handling the immensely complex world we live in. In fact, we use heuristics without even realizing it. Here’s how heuristics can give you the wrong answers…

  15. The Wrong Answer How many letter f’s do you see in the following sentence? Finished files are the result of years of scientific study combined with the experience of years. How many animals of each type did Moses take on the Ark?

  16. "It Won't Happen To Me." • “Put on a happy face” • “I wouldn’t let it happen that way” • The more you know the less you think you know (#8) • The reverse is scary: The less you know the more you think you know

  17. The Trust Factor Trust is an action involving the voluntary placement of a trustee at the disposal of the person being trusted with no real commitment from the trustee People instinctively trust other people (#12, 13) If the person being trusted is trustworthy then the person doing the trusting is better off; conversely if the person being trusted is untrustworthy then the person doing the trusting is worse off (#8) Trust allows actions which are otherwise not possible

  18. Small Change Blindness As long as the changes in our environment occur slowly, we adapt to them and are unlikely to detect the change (#10). Sitting in front of a computer we are blissfully unaware of what is happening 'behind the curtains'. From a security forum: “…Telling the average computer user to look out for suspicious activity doesn't work because most of the time they haven't any idea what activity is considered suspicious. ‘My hard drive light went on - should I worry ?’ or ‘My game paused for a moment - should I worry ?’” “…if I'm running a quad core computer I probably wouldn't notice a bot running on my system”

  19. Risking Gains and Accepting Losses • When it comes to evaluating gains or losses people have a built in heuristic against risking gains or accepting losses • Put another way – it’s not whether you win or lose it’s how you frame the question • Called Prospect Theory, this is best demonstrated by an experiment put together by Daniel Kahneman and Amos Tversky (#9, #24)

  22. Risking Gains and Accepting Losses Pick the alternative you’d prefer: Alternative A: A sure gain of $500 Alternative B: A 50% chance of gaining $1,000 Pick the alternative you’d prefer: Alternative C: A sure loss of $500 Alternative D: A 50% chance of losing $1,000 The results were: 84% chose the sure gain of A over the risky gain of B but when faced with loss only 30% chose the sure loss of C over the risky loss of D.

  23. “I’ve Always Done It This Way” • Habitual thinking and behavior are a result of powerful neural pathways in our brains and memories that are automatically and unconsciously accessed • Unconscious thought processes can predetermine, without an individual's awareness, decision-making bias and actual decision-making • Emotions are the key driver to decision-making, not logical, analytical thought; our logical processes are often only rational justifications for emotional decisions (#19)

  24. Hype • Failure to adhere to security dictates is usually described in severe and broad terms like, identity theft, huge financial penalties or loss of reputation • Scarcely a day goes by without a disclosure, article or notice about a theft of credit card numbers • However, the likelihood of someone actually being affected is low • There are about 1.08 billion credit and debit cards in the U.S. and according to the Privacy Rights Clearinghouse some 137 million records were stolen in 2009 • However, Visa estimates only 2% of compromised credit card numbers are used fraudulently (#11)

  25. Job #1 For A User Isn’t Security • Security looks at the risk of someone breaking into a system, stealing data or company secrets and the impact to the company • For our users their primary job function is not to protect the company • Users ‘get’ security and want to do the right thing

  26. Economies of Scale
  • Think of users as consultants who bill @ $50/hour
  • Consider an exploit that:
    • Affected 1% of your company of 5000 users
    • They spent 4 hours clearing up when they became victims
    • You spent 4 hours cleaning up
    • This cost $10,200 to fix
  • However, if the prevention (say, better passwords):
    • Takes each user in your company of 5000 users an additional two seconds to enter a password
    • Each user averages four passwords a day
    • Every year this prevention costs $23,111

  27. Bring Security Out Of The Closet (The Art Of Communication) • People should be naturally and constantly aware of security • Like the annoying relative • Celebrate security successes but don’t forget to talk about the failures. • Failure is the mother of success - Chinese proverb • Communication should be frequent, interesting and pertinent to the user • Users can understand the ‘why’ • Communication must be two way

  28. Communication Involves Meeting People
  • Security, by its very nature, is secretive
    • Malware doesn't tell us when it infects a system
    • Users shouldn't give out their passwords
    • This rubs off on us – we have trouble talking to each other too
  • The medium should be appropriate
    • Mobile and social sites vs. e-mail vs. paper documents
  • The message should be applicable
    • A salesman doesn't care about cross-site scripting
    • A programmer doesn't care about government compliance edicts
    • Older people are “experience rich, but theory poor” (#25)
    • Younger people are “theory rich, but experience poor” (#25)
  • It should be two-way and interesting
    • “[Today's teenager] wants to socialize instead of communicate. They want to do things together and get things done – and they really want to meet new people” - Tammy Savage, group manager of Microsoft's NextGen division
    • Emotion gets attention and creates memory

  29. Accidental Learning • Apply learning immediately (i.e. make it relevant) • Without emotion learning doesn’t occur (#19) • Education must entertain • Education is only one part of a behavior change program (#18) • We should focus on desired new patterns of thinking and behavior (#15) • Don’t try to fix the old patterns because that will only reinforce the problems. • People aren’t inherently suspicious and will, when pressured, revert to trusting because it’s the most natural thing to do • “People can do similar things repeatedly, but never the same thing. With a step-by-step process we expect the same set of outputs from identical inputs, but people's reactions to inputs may vary considerably from day-to-day based on a wide variety of conditions, many of them unrelated to the task at hand.” (#22)

  30. Informal Learning CapitalWorks (www.capworks.com) surveyed hundreds of knowledge workers about how they really learned to do their jobs and determined the following: Workers reported that informal learning was three times more important in becoming proficient on the job than company-provided training. Workers learn as much during breaks and lunch as during on- and off-site meetings. Most workers report that they often need to work around formal procedures and processes to get their jobs done. Most workers developed many of their skills by modeling the behavior of co-workers. Approximately 70% of respondents want more interactions with co-workers when their work changes.

  31. Where The Rubber Hits The Road
  • Security should not be something we do; rather it should come from our users and be guided by us
  • Security is a state of mind and a way of life; not something imposed from the outside
  • Security requires one of the hardest behaviors; that of changing a habit
  • Security should be participation and social interaction
  • Saying “because it is secure” invokes the “It won't happen to me” heuristic because we said it; if the user says it then it might happen
  • Security policies should come from the active participation of users, guided by security
  • “We learn by doing.” - Aristotle
  • Positive reinforcement lasts until the user leaves; negative reinforcement lasts until you leave

  32. Questions, Comments, Suggestions, …

  33. Supporting Slides

  34. Security’s Perception
  • Security is often viewed as the corporate police – i.e. “You’re the ones who add time and money to projects. By the way, you do some security/safety stuff too.”
  • “Ask not what security can do for you; rather ask what you can do for security.”
  • Everyone needs motivation but not everyone’s motivation is the same
  • Negative reinforcement is faster; positive reinforcement is lasting
  • Create an environment where mistakes, accidents and slipups are not punished but encouraged to be brought into the open. Which is worse – giving sensitive information to a phisher and helping security reduce the breach, or not giving security any warning they’ve been breached ?
  • “Security should not be viewed as your spouse; rather it should be viewed as the annoying relative.”

  35. (Lack of) Critical Thinking From CSO magazine on May 24, 2010 – “Social Engineering Stories” by Winn Schwartau We sent a letter, on company letterhead, through regular mail to about 30 percent (1200) of the employees. The letter said essentially: "Hi, we're from corporate information security. The reason you are receiving this letter is because we know social engineering occurs at work and we are going to upgrade our systems.” It went on to say "We know you're concerned about security and that is the reason for this letter. We don't want you to communicate any of this information over anything but mail, because that is the only secure way to do this. We need your personal details on the following things so we can transfer them into the system and verify them for accuracy because we've been having trouble with databases in this transition." We told recipients: "Please do not email or fax this information. Use ONLY the self-addressed, stamped envelope," which we addressed to an address that was not the company's address. We told them we had done that because we did not want anyone at work intercepting this in the office. We also told them we had set up a special, secure P.O. box that only the security department had access to. After it was sent out, we received about a 28 percent response.

  36. Teacups & Fire Hoses • We are flooded with so much information (some 3.6 zettabytes worth in 2008) from a host of sources such as TV, radio, Internet, newspapers, books, blogs, Twitter, movies, Facebook, other people, etc... that we have trouble remembering where we heard a particular piece of information and how reputable the source was • Fully and completely processing the information we receive is beyond the capabilities of either the amygdala or the neocortex, so we have developed mental 'short-cuts', or heuristics, to keep up. (#7)

  37. When Theory And Practice Collide (contradictions)
  • Users should update whenever a security patch is released
    • But often the patches adversely affect the system or require rebooting/interruption
    • And they are so frequent it’s hard to keep up
  • Users should have anti-virus software and keep it up-to-date
    • But they don’t prevent zero-day attacks or social engineering
    • But don’t take advantage of the popup dialogs offering to do that for you
  • Keep in touch with friends and family
    • But don’t trust unsolicited email (Makes some people’s habit of calling the person they just sent email to a smart thing…)
  • Buying over the internet is cheap and convenient
    • But you could have your credit card number stolen
  • Online banking is convenient
    • But don’t trust anything your bank sends you
    • But you might suffer identity theft
  • Use the Internet to find the best deals
    • But people could sell you counterfeit or hazardous products

  40. Security is From Mars; Users are from Venus
  • We need to make users understand the risks
    • But users have a different set of risks than we do
  • One risk is not following security procedures
    • May get a reprimand
    • Company may suffer a breach (but that's not a big deal)
  • Another risk is not getting their job done
    • Could lose job
    • Could be demoted
  • But “bad things will happen...”
    • They happen to the company; not a user
    • Are very abstract and hard to qualify or quantify
  • Security is everyone's job
    • No, actually it's only security's job; users' jobs are something else (finance, development, sorting mail, etc...)

  41. Frequency Of Change • We are inundated on a daily, if not hourly, basis by software updates, malware releases, new threats and vulnerabilities • But when things change too frequently we become overwhelmed. Every piece of advice a person gets is fitted into their mental model (#15) • If we are changing advice faster than our users can process it they will start to ignore the advice or simply give up

  42. Risking Gains and Accepting Losses – Take 2 Imagine a disease outbreak that is expected to kill 600 people, and then to choose between two alternative treatment programs. One group is asked to choose between these two programs for the 600 people: Program A: "200 people will be saved." Program B: "There is a one-third probability that 600 people will be saved, and a two-thirds probability that no people will be saved." The second group of subjects were asked to choose between these two programs: Program C: "400 people will die." Program D: "There is a one-third probability that nobody will die, and a two-thirds probability that 600 people will die." Most people (72%) choose A over B, and most people (78%) choose D over C.

  43. References (1/3)
  #1 Jaikumar Vijayan, "Users still make hacking easy with weak passwords", ComputerWorld, January 21, 2010 - http://www.computerworld.com/s/article/9147138/Users_still_make_hacking_easy_with_weak_passwords
  #2 Robert Morris and Ken Thompson, “Password Security: A Case History”, Communications of the ACM, 1979 - http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.128.1635&rep=rep1&type=pdf
  #3 Serge Egelman, Lorrie Faith Cranor, and Jason Hong, “You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings”, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 1065–1074, New York, NY, USA - http://www.guanotronic.com/~serge/chi1210-egelman.pdf
  #4 Bruce Schneier, "The Psychology of Security", January 21, 2008 - http://www.schneier.com/essay-155.html
  #5 Daniel Kahneman, "A Perspective on Judgment and Choice", American Psychologist, 2003
  #6 Amos Tversky and Daniel Kahneman, "Judgment under Uncertainty: Heuristics and Biases", Science, 1974
  #7 Donald Norman, The Invisible Computer, MIT Press, Cambridge, MA, 2007. Retrieved from http://www.jnd.org/dn.mss/being_analog.html
  #8 David Dunning and Justin Kruger, “Unskilled and Unaware of It: How Difficulties in Recognizing One's Own Incompetence Lead to Inflated Self-Assessments”, Journal of Personality and Social Psychology, 1999 - http://www.scirp.org/Journal/PaperDownload.aspx?paperID=883&fileName=Psych.20090100004_39584049.pdf
  #9 Daniel Kahneman and Amos Tversky, "Prospect Theory: An Analysis of Decision Under Risk", Econometrica, 1979
  #10 Ronald Rensink, J. Kevin O’Regan & James Clark, “To See or Not To See”, Psychological Science, 1997 - http://www.psych.ubc.ca/~rensink/publications/download/PsychSci97-RR.pdf
  #11 Jeffrey Carr, "Under attack from invisible enemies", The Independent, 2010
  #12 James Coleman, "Foundations of Social Theory", Belknap Press, Cambridge, MA, 1990

  44. References (2/3)
  #13 Niklas Luhmann, "Trust: A Mechanism For the Reduction of Social Complexity", in Trust and Power: Two Works by Niklas Luhmann, John Wiley & Sons, New York, 1979
  #14 Brian Prince, “Security Vulnerabilities Old and New Plague Users in June”, eWeek, 7 Jun 2009 - http://www.eweek.com/c/a/Security/Security-Vulnerabilities-Old-and-New-Plague-Users-in-June-345417/
  #15 Francis M. Duffy, “I think, therefore I am resistant to change”, Journal of Staff Development, 2003 - http://www.indiana.edu/~syschang/decatur/2007_fall/documents/6-3_i-think_duffy.pdf
  #16 Robin Sidel and Mitchell Pacelle, “Credit Card Breach Tests Banking Industry’s Defenses”, Wall Street Journal, June 21, 2005
  #17 Thomas M. Lenard & Paul H. Rubin, “An Economic Analysis of Notification Requirements for Data Security Breaches”, Progress on Point, 12 July 2005
  #18 Stephen Fleming, Charlotte Thomas and Raymond Dolan, “Overcoming status quo bias in the human brain”, Proceedings of the National Academy of Sciences, 15 Mar 2010 - http://www.pnas.org/content/early/2010/03/02/0910380107.full.pdf
  #19 Joseph LeDoux, The Emotional Brain: The Mysterious Underpinnings of Emotional Life, Simon & Schuster, 1998
  #20 Joan Goodchild, “Social Engineering Stories”, CSO Magazine, 24 May 2010 - http://www.csoonline.com/article/print/594924
  #21 Jim Highsmith, Adaptive Software Development, Dorset House, 1999
  #22 Cormac Herley, “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users”, Microsoft Research, 2009
  #23 Dinei Florêncio and Cormac Herley, “A Large-Scale Study of Web Password Habits”, Microsoft Research - http://research.microsoft.com/pubs/74164/www2007.pdf
  #24 Amos Tversky and Daniel Kahneman, "The Framing of Decisions and the Psychology of Choice", Science - http://www.columbia.edu/cu/psychology/courses/2235/articles/4.pdf

  45. References (3/3)
  #25 Elinor Greenberg, “The university without walls (UWW) program at Loretto Heights College: Individualization for adults”, New Directions for Higher Education, 1980
