
Page 1

Larry Howard, Sr. Research Scientist

larry.howard@vanderbilt.edu

www.prototus.org

Eric Imsand 1, Larry Howard 2, Ken Pence 2, Mike Byers 3, Dipankar Dasgupta 1

1 Center for Information Assurance, University of Memphis

2 Institute for Software Integrated Systems, Vanderbilt University

3 SPARTA, Inc., Huntsville, AL

Page 2

TRUST Autumn Conference 2008

Page 3

Source: Stefan Frei, Thomas Duebendorfer, Gunter Ollmann, Martin May, ‘Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the “insecurity iceberg”’

Page 4

“Long game”

– More trustworthy technologies

– Fail-safe deployment models

“Short game”

– Increase awareness of threats among users

– Make training on responses more readily available and valuable

Page 5

Fire Safety Training

In the event of fire, move quickly to the nearest exit, avoiding elevators.

In the event of fire, you should

a) Put out the fire

b) Find the nearest elevator

c) Move quickly to the nearest exit

d) None of the above

Next

Hmm. a?

Page 6

Thanks for using the Online Training System

This morning you have completed the following training:

Sexual Harassment

Fire Safety

Neurosurgery

Glad that’s over. What’s for lunch?

Despite the potential to reach large numbers of users, most online training is currently perceived as a bad joke.

Page 7

• FEMA sponsored free online training

– for IT professionals, risk managers, and general users

• University of Memphis Center for Information Assurance (CfIA)

– with Vanderbilt University (ISIS) and SPARTA, Inc.

www.act-online.net

Page 8

| Level/Track | Technical (Track 1) | General (Track 2) | Business Continuity (Track 3) |
|---|---|---|---|
| Beginner/Introductory | Information Security Basics (TEI: AWR-173-W) | Information Security for Everyone (TEI: AWR-175-W) | Business Information Continuity (TEI: AWR-176-W) |
| Intermediate | Secure Software and Network Assurance (In development) | Cyber Ethics (TEI: AWR-174-W) | Information Risk Management (Pending approval) |
| Advanced | Digital Forensics (Q1-2009) | Cyber Law and White Collar Crime (Q3-2009) | Cyber Incident Analysis and Response (Q1-2009) |

Page 9

ACT Online courses consist of modules anchored on authentic problem-solving situations with a common macro-structure.

Page 10

ACT Online learning resources can be freely explored by trainees to address the overarching challenge.

Page 11

Like the web, assisted search features of ACT Online help trainees use learning resources and self-assessments.

Page 12

ACT Online self-assessments enable trainees to confirm their understanding of resources with progressive feedback.

1. Clarify the question

2. Criticize the response

3. Provide resource(s)

Page 13

ACT Online gives trainees credit for what they already know through pre-qualification, adapting the training in response.

Page 14

• Attackers increasingly target vulnerabilities widely distributed among user population

• Lack of awareness and response by computer users is a serious near-term problem

• Online training holds potential to reach large populations, but currently viewed as ineffective

• ACT Online is using modern instructional techniques and features to change perception

Visit us today at www.act-online.net

Page 15

• ACT Online is supported by Cooperative Agreement Number 2006-GT-T6-K009 administered by the Federal Emergency Management Agency, National Preparedness Directorate, National Integration Center, Training and Exercise Integration.

• Points of view and opinions in this presentation are those of the author(s) and do not necessarily represent the position or policies of the United States Government.
