arun vishwanath, ph.d., mba associate professor http ......human factors approach: cyber security...

Post on 27-Sep-2020


Arun Vishwanath, Ph.D., MBA

Associate Professor

http://arunvishwanath.us

I study how hackers, cyber terrorists, hacktivists enter networks…

I study…

  I study how hackers, cyber terrorists, hacktivists enter and compromise networks

  The proverbial “people problem” of cyber security

[Figure. Labels: Habits, Cognitive Processing, Personality, Employee, Brute Force Hacking, Spear phishing, External Email Provider, Organizational Email Provider, Defended, Vulnerable, Unsecured Interaction]

Unintentional Insiders

Data breaches keep getting bigger…

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Spear phishing is the attack vector of choice

Impacted every industry

Perpetrated by State and Non-state Sponsors

YOU ARE THE WEAKEST LINK IN CYBERSPACE

Approaches to dealing with the “people problem”

  Firewalls, antivirus; Whitelisting approaches

  EMET; Constrain access/admin privileges

How realistic is this…

Human factors approach: Cyber security training

1.  “Phish” people simulations

2.  Show them why they fell for it

3.  Keep telling them to shape-up

4.  Admiral Mike Rogers: “We should court-martial them!”

The PEOPLE PROBLEM

  The Problem is NOT the People

  It is in our UNDERSTANDING of PEOPLE

  We have developed a human factors model that explains how people think, act, behave online, and why.

Suspicion, Cognition, Automaticity Model (SCAM)

(Vishwanath, Harrison, & Ng, 2016)

SCAM explains how users think:

Scrooge: I am a cognitive miser

I use cognitive shortcuts a.k.a. Heuristics

SCAM explains what users believe:

Cyber Risk Beliefs

WHAT IS SAFER:

•  PDF vs. Word Document

•  OS X vs. Windows

•  iOS vs. Android

•  Chrome vs. Safari

•  Google Fiber vs. Free wi-fi

•  Browser based email access vs. using an email client

SCAM explains the role of habits and devices

Habits

  Ritualistically checking email

  Texting while talking, walking, driving

  Entering login, password, authentication credentials

Smartphones, smartwatches… not so smart people

  Thanks Apple and Google!

[Figure: Suspicion, Cognition, Automaticity Model (SCAM) (Vishwanath, Harrison, & Ng, 2014). Labels: Victimization; Suspicion; Heuristic Processing; Systematic processing; Cyber Risk Beliefs; Work/Email Habits; Personality, Work Routines, Patterns]

© Arun Vishwanath

Leveraging the understanding of people

Develop a Cyber Risk Index (CRI)

  An empirical data driven approach

  Uses a short, 40 question self-report survey

  Can be done within existing “red-team” simulations

  Like credit rating, it can be aggregated across divisions, organizations, sectors


Deciding who gets trained and how:

[Flowchart. Decision nodes, each with Yes/No branches: Cyber risk beliefs; Heuristics; Systematic processing; Habits. Branch labels: faulty; poor; bad; inadequate. Outcomes: Belief Change; Better Heuristics; Education; Habit Change]


Deciding who gets access:

  Current system of providing access is based on organizational role and status

  Use CRI to identify individual risk levels and changes in risk behavior over time

  This becomes a quantitative score of INDIVIDUAL CYBER HYGIENE


References to published research and writings:

Selected Academic Research

  Vishwanath, A., Harrison, B., & Ng, Y. J. (2016). Suspicion, Cognition, Automaticity Model (SCAM) of Phishing Susceptibility. Communication Research.

  Vishwanath, A. (2016). Mobile Device Affordance: Explicating How Smartphones Influence The Outcome Of Phishing Attacks. Computers in Human Behavior.

  Vishwanath, A. (2015). Habitual Facebook Use and its Impact on Getting Deceived on Social Media. Journal of Computer-Mediated Communication, 20(1), 83-98.

Selected pieces in CNN

  Why the cyber attacks keep coming: http://www.cnn.com/2015/06/08/opinions/vishwanath-stopping-hacking/

  Why we need a cyber wall: http://www.cnn.com/2016/05/02/opinions/build-cyber-wall-vishwanath/index.html

  When hackers turn your lights off: http://www.cnn.com/2016/02/11/opinions/cyber-infrastructure-attacks-vishwanath/

Contact Information

Arun Vishwanath, Ph.D., MBA

  Email: avishy001@gmail.com

  Web: http://arunvishwanath.us

  Mobile: 716.508.0192
