cyber summit 2016: understanding users' (in)secure behaviour
TRANSCRIPT
Slide 1
Understanding Users' (In)Secure Behaviour
Prof. Sonia Chiasson, Canada Research Chair in Human Oriented Computer Security
Cyber Summit, Banff, October 2016
Slide 3
Users are the weakest link
Slide 4 (revising slide 3)
Security system designs are the weakest link (replacing "Users")
Slide 5
WHY PHISHING STILL WORKS
To understand how and why users decide whether a site is legitimate
M. Alsharnouby, F. Alaca, and S. Chiasson. Why phishing still works: User strategies for combating phishing attacks. International Journal of Human-Computer Studies (Elsevier), 2015.
Slide 6
Still falling for phish
First phishing attack: AOL, 1996
Slide 7
User study
• 21 participants
• Chrome browser
• 10 legitimate sites, 14 phishing sites
• Eye tracking
• Questions asked: is this a phishing site? how certain are you?
• Best-case scenario: measures detection ability rather than usual practice
Slide 8
Websites
• Hosted sites: set up own certificate authority and modified browser host files, purchased domain/SSL certificate, used HTTrack to copy sites
• Tricks:
– Incorrect URLs (with all links pointing to the legitimate site)
– IP address instead of URL
– Fake chrome (double URL bars)
– Fake, suspicious content: "credit card checker"
Slide 9
Results
• Success rate: 53% for phishing sites, 78% for legitimate sites
• Confidence: 4.25/5 regardless of whether the choice was correct
• Time: 87s to decide, no difference between legitimate and phishing sites
• Eye-tracking: 6% of time on security indicators, 85% on page content
• No effect of gender, age, or tech expertise
• 52% did not recognize phishing of their own bank
• Quick to judge familiar sites
Slide 10
Misunderstandings
• Look for 'simple' URLs but missed misspellings or fabricated URLs
• 48% said https was important, but 80% had no idea why
• 19% thought the green EV box was important; no one knew why
• Only 1 participant understood sub-domains: paypal.evil.com
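The study's phishing pages relied on the URL tricks listed on the Websites slide (an IP address in place of a domain, misspelled or fabricated domains, a brand name placed in a sub-domain such as paypal.evil.com), and participants also treated https as a sign of legitimacy. The Python script below is an added illustration, not code from the talk or the study: it performs the checks a user would have to carry out to see through each trick. The brand allow-list (KNOWN_BRANDS), the shortened public-suffix list, the confusable-character table and every sample URL are constructed assumptions.

```python
"""Added example, not from the talk: the checks needed to see through the
URL tricks used on the study's phishing pages. KNOWN_BRANDS, the shortened
public-suffix list and all sample URLs are constructed assumptions."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: brand -> registrable domains it really uses.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "examplebank": {"examplebank.ca"},   # placeholder brand
}

# Tiny stand-in for the Public Suffix List; a real checker loads the full list.
PUBLIC_SUFFIXES = {"com", "ca", "net", "org", "co.uk"}

# Character swaps used to build look-alike labels; undone before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def registrable_domain(host):
    """Return the owner-controlled domain, e.g. evil.com for paypal.evil.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def normalise(label):
    """Lower-case and undo common confusable substitutions (paypa1 -> paypal)."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(url, expected_brand):
    """Return (verdict, findings) for a URL the user believes belongs to expected_brand."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # Trick: IP address instead of a domain name (no brand is reachable only by IP).
    if is_ip_literal(host):
        findings.append("host is an IP address, not the brand's domain")
        return "phishing", findings

    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS.get(expected_brand, set()):
        if parts.scheme != "https":
            findings.append("right domain, but the connection is not encrypted")
        return "legitimate", findings

    # Trick: brand name hidden in a sub-domain (paypal.evil.com is evil.com's site).
    sub = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    if expected_brand in normalise(sub):
        findings.append(f"'{expected_brand}' appears only in a sub-domain; the site belongs to {reg}")
    # Trick: misspelled or look-alike registrable domain (paypa1.com).
    elif expected_brand in normalise(reg):
        findings.append(f"{reg} is a look-alike of {expected_brand}, not one of its domains")
    else:
        findings.append(f"{reg} is unrelated to {expected_brand}")

    # https is not a legitimacy signal: it only proves an encrypted link to whoever holds reg.
    if parts.scheme == "https":
        findings.append(f"https only proves an encrypted connection to {reg}, not that {reg} is {expected_brand}")
    return "phishing", findings


if __name__ == "__main__":
    # Constructed sample URLs mirroring the tricks on the Websites slide.
    for sample in ["https://www.paypal.com/signin", "https://paypal.evil.com/login",
                   "http://paypa1.com/", "http://203.0.113.5/paypal/"]:
        print(sample, *assess(sample, "paypal"))
```

The asymmetry is the point of the slide: the legitimate verdict is only reachable if the checker already knows the brand's real registrable domains and how sub-domains work, which is exactly the knowledge most participants lacked. That is an argument for putting these checks in browser and mail-gateway tooling rather than in user training.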
Slide 11
Insights
• Detecting phishing is still really hard for users
• Users don't know how to accurately detect phishing, but are confident in their abilities
• Shallow, brittle understanding: is simple advice doing more harm than good?
• Really, humans aren't meant to do this!
Slide 12
PASSWORDS
Are we doing more harm than good?
Leah Zhang-Kennedy, Sonia Chiasson, and P. C. van Oorschot. Revisiting Password Rules: Facilitating Human Management of Passwords. In APWG eCrime. IEEE, 2016.
Slide 13
Existing password rules
• Creation rules
• Mandatory password changes
• No sharing
• No writing down
• No reuse
Slide 14
Unreasonable usability?
• Human memory limitations
• Incompatible work practices/demands
• Poor cost-benefit tradeoffs
Slide 15
For little added security?
Threats: social engineering, offline guessing, password capture, online guessing
Slide 16
Reconsidering the rules
http://www.versipass.com/edusec/
Slide 17
Reconsidering the rules (2)
• Strategically re-use passwords
• Keep written passwords well hidden
• Share with caution
• Change your password as needed
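The "for little added security" slide names four threats, and the rules slides ask which of them each password rule actually addresses. The Python model below is an added illustration, not from the talk or the Zhang-Kennedy et al. paper: it gives an online attacker a guess budget bounded by a lockout policy and an offline attacker a budget bounded by hash throughput, then checks which constructed passwords fall within a month. Every rate, lockout policy and password guess-rank is a constructed assumption.

```python
"""Added example, not from the talk: a back-of-the-envelope guess-budget model
for the guessing threats on the 'little added security' slide, used to see
which password rules buy security against which threat. Every rate, lockout
policy and password figure below is a constructed assumption."""

SECONDS_PER_DAY = 86_400


def online_guess_budget(days, tries_per_window, window_minutes):
    """Guesses an online attacker gets against one account when the server
    allows `tries_per_window` attempts per `window_minutes` lockout window."""
    windows = days * 24 * 60 / window_minutes
    return int(tries_per_window * windows)


def offline_guess_budget(days, hashes_per_second):
    """Guesses an offline attacker gets against a stolen hash; the only lever
    here is the throughput of the hash function the server chose."""
    return int(days * SECONDS_PER_DAY * hashes_per_second)


def is_cracked(guess_rank, budget):
    """Attackers guess in likelihood order; a password falls if its position
    in that order (guess_rank) lies within the budget."""
    return guess_rank <= budget


# Constructed passwords with an assumed position in the attacker's guessing order.
PASSWORDS = {
    "common word + digit": 5_000,            # assumption: early in any word list
    "random 8 alphanumerics": 62 ** 8 // 2,  # assumption: found halfway through 62^8
}


def compare(days=30):
    """For each constructed password, whether each guessing threat cracks it within `days`."""
    budgets = {
        "online guessing (10 tries / 15 min lockout)": online_guess_budget(days, 10, 15),
        "offline guessing, fast hash (1e10/s)": offline_guess_budget(days, 1e10),
        "offline guessing, slow hash (1e4/s)": offline_guess_budget(days, 1e4),
    }
    return {pw: {threat: is_cracked(rank, budget) for threat, budget in budgets.items()}
            for pw, rank in PASSWORDS.items()}


if __name__ == "__main__":
    for pw, outcome in compare().items():
        print(pw, outcome)
```

With these assumed numbers the random password survives a month of online guessing under lockout and a month of offline guessing against a slow hash, but not against a fast hash; the common password falls to all three. Read against the slides: against online guessing the server's lockout policy does the work, against offline guessing the server's choice of hash does, and neither budget is changed by mandatory password changes, which only shorten the window after a capture. This is what the model assumes, not a result from the paper.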
Slide 18
WRAP UP
So what do we do?
Slide 19
Rethinking strategy
• Consider policies/demands in context
– When adding a rule, which one is being removed?
– How does this impact real work?
• Consider human capabilities
– Your employees don't have wings
• What are the side-effects?
• Need realistic, actionable advice
– Users understand why and how a security action is beneficial
Slide 20
Our lab: http://chorus.scs.carleton.ca
Comics: http://www.versipass.com/edusec/
SERENE-RISC cybersecurity network: http://www.serene-risc.ca/