Arun Vishwanath, Ph.D., MBA, Associate Professor
http://arunvishwanath.us
I study how hackers, cyber terrorists, hacktivists enter and compromise networks
The proverbial “people problem” of cyber security
[Diagram labels: HABITS; COGNITIVE PROCESSING; PERSONALITY; EMPLOYEE; Brute Force Hacking; Spear phishing; External Email Provider; Organizational Email Provider; DEFENDED VULNERABLE UNSECURED INTERACTION]
Unintentional Insiders
Data breaches keep getting bigger…
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Spear phishing is the attack vector of choice
Impacted every industry
Perpetrated by State and Non-state Sponsors
YOU ARE THE WEAKEST LINK IN CYBERSPACE
Approaches to dealing with the “people problem”
Firewalls, antivirus; Whitelisting approaches
EMET; Constrain access/admin privileges
How realistic is this…
Human factors approach: Cyber security training
1. “Phish” people simulations
2. Show them why they fell for it
3. Keep telling them to shape up
4. Admiral Mike Rogers: “We should court-martial them!”
The PEOPLE PROBLEM
The Problem is NOT the People
It is in our UNDERSTANDING of PEOPLE
We have developed a human factors model that explains how people think, act, behave online, and why.
Suspicion, Cognition, Automaticity Model (SCAM)
(Vishwanath, Harrison, & Ng, 2016)
SCAM explains how users think:
Scrooge: I am a cognitive miser
I use cognitive shortcuts, a.k.a. Heuristics
SCAM explains what users believe:
Cyber Risk Beliefs
WHAT IS SAFER:
• PDF vs. Word Document
• OS X vs. Windows
• iOS vs. Android
• Chrome vs. Safari
• Google Fiber vs. Free wi-fi
• Browser based email access vs. using an email client
SCAM explains the role of habits and devices
Habits
Ritualistically checking email
Texting while talking, walking, driving
Entering login, password, authentication credentials
Smartphones, smartwatches… not so smart people
Thanks Apple and Google!
[Model diagram labels: Victimization; Suspicion; Heuristic Processing; Systematic processing; Cyber Risk Beliefs; Work/Email Habits; Personality, Work Routines, Patterns]
Suspicion, Cognition, Automaticity Model (SCAM) (Vishwanath, Harrison, & Ng, 2014)
© Arun Vishwanath
Leveraging the understanding of people
Develop a Cyber Risk Index (CRI)
An empirical data driven approach
Uses a short, 40 question self-report survey
Can be done within existing “red-team” simulations
Like credit rating, it can be aggregated across divisions, organizations, sectors
Deciding who gets trained and how:
[Flowchart labels: decision nodes: Cyber risk beliefs; Heuristics; Systematic processing; Habits (each with Yes/No branches). Outcomes: Belief Change; Better Heuristics; Education; Habit Change. Qualifiers: faulty; poor; bad; inadequate]
Deciding who gets access:
Current system of providing access is based on organizational role and status
Use CRI to identify individual risk levels and changes in risk behavior over time
This becomes a quantitative score of INDIVIDUAL CYBER HYGIENE
References to published research and writings:
Selected Academic Research
Vishwanath, A., Harrison, B., & Ng, Y. J. (2016). Suspicion, Cognition, Automaticity Model (SCAM) of Phishing Susceptibility. Communication Research.
Vishwanath, A. (2016). Mobile Device Affordance: Explicating How Smartphones Influence The Outcome Of Phishing Attacks. Computers in Human Behavior.
Vishwanath, A. (2015). Habitual Facebook Use and its Impact on Getting Deceived on Social Media. Journal of Computer-Mediated Communication, 20(1), 83-98.
Selected pieces in CNN
Why the cyber attacks keep coming: http://www.cnn.com/2015/06/08/opinions/vishwanath-stopping-hacking/
Why we need a cyber wall: http://www.cnn.com/2016/05/02/opinions/build-cyber-wall-vishwanath/index.html
When hackers turn your lights off: http://www.cnn.com/2016/02/11/opinions/cyber-infrastructure-attacks-vishwanath/
Contact Information
Arun Vishwanath, Ph.D., MBA
Web: http://arunvishwanath.us
Mobile: 716.508.0192