making security awareness measurable
play

Making Security Awareness Measurable Stefan Schumacher - PowerPoint PPT Presentation

May 08, 2023 •302 likes •586 views

Making Security Awareness Measurable Stefan Schumacher www.sicherheitsforschung-magdeburg.de Magdeburger Institut fr Sicherheitsforschung DeepSec 2017 Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 2 / 28 About

  1. Making Security Awareness Measurable Stefan Schumacher www.sicherheitsforschung-magdeburg.de Magdeburger Institut für Sicherheitsforschung DeepSec 2017 Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 2 / 28

  2. About Me Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 3 / 28

  3. About me President of the Magdeburg Institute for Security Research Editor of the Magdeburg Journal of Security Research Freelance Security Consultant Hacker for 20 years, ex-NetBSD developer Educational Science and Psychology, Research on Social Engineering Focus on Social Engineering, Security Awareness, Organizational Security memory falsification: DeepIntel 2017: Manipulating the Human Memory for Fun and Profit Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 4 / 28

  4. Definition (Outrage as a Svc @OaaSvc) Science is awesome. You aren’t doing science in infosec. Why not? Seems to be the overriding message of @0xKaishakunin #AusCERT2014 Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 5 / 28

  5. Stand Back! Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 6 / 28

  6. Why? Security Awareness is a huge buzz word money can be made scientific foundation lacks fundamental research has to be done Awareness is not enough Evaluation lacks or is to simple measuring things is complicated Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 7 / 28

  7. Why measuring Security Awareness? to evaluate security awareness campaigns (What the Heck is Mr. Schumacher doing there?) evaluation in a psychological/pedagogical/didactical way, not financial to assess the capabilities of an individual to assess the capabilities of an organisation to identify weak spots to make security awareness training professional – no professionalisation without evaluation! where diving into the field of psychology and pedagogy measuring things there is fundamentally different from measuring things in natural and engineering sciences Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 8 / 28

  8. Psychology empirical and theoretical science describes, explains and predicts human behaviour and experiences human development and the internal and external causes and conditions Differential and Personality P., Social P., Industrial P., Organisational P., Pedagogical P. Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 9 / 28

  9. Psychology and IT-Security? Measurement is the assignment of scores to individuals so that the scores represent some characteristic of the individuals. How can we measure security? Can we mesure it directly? WTF is security? Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 10 / 28

  10. Psychology and IT-Security? Security is a latent social construct and has to be treated as such. Psychological and sociological methods and tools are required. If the security of a system should be enhanced, a diagnosis, prognosis and intervention is required. Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 11 / 28

  11. Latent Social Construct Construct: cannot be directly measured can only be measured by using manifest variables to estimate the latent variables examples: Intelligence: IQ-Tests security cannot be measured directly operationalisation of security required Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 12 / 28

  12. Security and Psychology Security is concluded by making Decisions Individuals make decisions based on their Biography, the Situation and how they perceive their Environment see: von Foerster, Luhmann, Spencer Brown, Baecker et.al. Psychology is the Science which researches these Topics. Therefore, Psychology is required to research Security. Psychology is the only Science able to research the basic fundamentals of Security. Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 13 / 28

  13. Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 14 / 28

  14. 1996: Ariane 5 Flight 501 64 Bit Float � 16 Bit signed Int � 320 000 000 Euro Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 15 / 28

  15. Awareness is not enough Awareness is not enough being aware of something does not mean you act accordingly most smokers know that smoking is bad for your health action is required theory of action cf: Soviet Psychology: Galperin, Wygotski, Leontjew, Leontiew; East German Psychology: Hacker, Volpert (psychological regulation of action) English language literature is scarce Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 16 / 28

  16. What is Security? Security is a latent social construct Operationalisation Security is what you define it to be Test test tests If you only have a hammer ... The whole measurements depends on the operationalisation! Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 17 / 28

  17. Operationalisation The Scientific Way Qualitiy criteria for tests/measurements: Realiability: do multiple test yield the same results? Objectivity: how dependent is the measurement upon the examiner? Validity: do we measure what we are supposed to measure? Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 18 / 28

  18. Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 19 / 28

  19. Operationalisation The Scientific Way identify a useful suitable measuring instrument (questionnaire, narrative interview, participant observation) identify the measurement parameter find a suitable survey methodology experiment: identify the dependent and independent variable Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 20 / 28

  20. Operationalisation The Practical Way WTF is Security for us? Identify roles for your organisation (sysadmin, developer, office clerks, management, trainee) Identify the decisions they have to make with regards to securityWhat freedom do they have? define capabilities to develop, learning outcomes etc. Identify way to measure their behaviour/actions and apply them Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 21 / 28

  21. Example Storing passwords in a DB lots of hacks and leaks, from Stratfor to Linkedin; Required Knowledge: don’t store Passwords in plain text encrypt or hash passwords which algorithm to use? ◮ your own implementation: very bad ◮ MD5: bad ◮ SHA1: bad ◮ SHA1 (MD5 + Salt): bad ◮ pkcs5 pbkdf2: better let the developers create a design or specific implementation and check it Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 22 / 28

  22. Example Passwords define rules for secure passwords min length of 12 characters min 1 special character, number, lower case, upper case no word from a dictionary no former password no patterns (secret1; secret2; secret3) check the passwords with PAM etc. Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 23 / 28

  23. Example Passwords offer a training explain how passwords work that all computers are connected in your company (everyone is important!) how hashes work � live hacking offer a way to create a strong password in an easy way (eg. Initials): I shall create a strong password with at least 12 letters! � Iscaspwal12l! Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 24 / 28

  24. Example Passwords compare the used passwords before and after the training congratulations, you made a scientific pre/post testing :-) Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 25 / 28

  25. Example Social Engineering Oh dear How do I prevent Social Engineering? break it down to eg. phishing mails send out fake phishing mails and measure how many of your coworkers click on the included link you have a nice number and even a percentage can be presented in colourful Powerpoints but only measures one very specific form of Social Engineering test design for human based SE is very, very complicated Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 26 / 28

  26. Know your bias Why we need Psychology pt. 31337 Often ignored problem: Person - Organisation - Situation Motivation is fundamental for human actions the same person behaves different in the same situations (humans are no Turing machines!) Motivation is very volatile (ever tried to diet or quit smoking?) if you have a hammer ... statistical bias: selection bias, reporting bias, attrition bias ... Hawthorne effect: people change their behaviour when they (assume they) are watched Teaching to the Test cultural differences (error management culture) Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 27 / 28

  27. sicherheitsforschung-magdeburg.de stefan.schumacher@sicherheitsforschung-magdeburg.de sicherheitsforschung-magdeburg.de/publikationen/journal.html youtube.de/Sicherheitsforschung Twitter: 0xKaishakunin LinkedIn / Xing: Stefan Schumacher ZRTP: 0xKaishakunin@ostel.co GnuPG: 9475 1687 4218 026F 6ACF 89EE 8B63 6058 D015 B8EF Stefan Schumacher Making Security Awareness Measurable 22nd November 2017 28 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Toll Free No : 1800 425 6235 Ministry of

291 views • 10 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Toll Free No : 1800 425 6235 Ministry of

460 views • 8 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Free No : 1 1800 0 425 6 6235 Toll F

264 views • 24 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Free No : 1 1800 0 425 6 6235 Toll F

357 views • 12 slides
eDocument Security Awareness Model 2. eDocument Security Awareness Model THE EDOCUMENT SECURITY

eDocument Security Awareness Model 2. eDocument Security Awareness Model THE EDOCUMENT SECURITY

eDocument Security Awareness Model 2. eDocument Security Awareness Model THE EDOCUMENT SECURITY AWARENESS MODEL (ESAM) IS A SELF-ASSESSMENT TOOL GOAL OF THE EDOCUMENT SECURITY AWARENESS MODEL: Help governments with their secure document

579 views • 28 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Ministry of Electronics & Information

510 views • 11 slides
Security Awareness Training This communication is printed, published or produced and disseminated

Security Awareness Training This communication is printed, published or produced and disseminated

Security Awareness Training This communication is printed, published or produced and disseminated at U.S. taxpayer expense. 2 Security Awareness Training Completing Security Awareness Training Similar to last year, Security Awareness

388 views • 18 slides
Security Awareness Office of Informa(on Technology Informa5on

Security Awareness Office of Informa(on Technology Informa5on

Security Awareness Office of Informa(on Technology Informa5on Security Department 2011-2012 Top Security Issues BE CYBER SAFE 1 Security Awareness Top

383 views • 13 slides
Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security Specialists M. ANGELA SASSE, RUHR UNIVERSITY BOCHUM & UCL The problem MENSCHLICH WELTOFFEN LEISTUNGSSTARK 2 ENISA Report December 2018

362 views • 33 slides
Measurable What? Adult Educations Measurable Skill Gains Performance Metric COABE,

Measurable What? Adult Educations Measurable Skill Gains Performance Metric COABE,

Anna Cielinski Senior Policy Analyst Measurable What? Adult Educations Measurable Skill Gains Performance Metric COABE, March 2018 Measurable Skill Gain WIOAs Measurable Skill Gain (MSG) performance measure includes pre-test,

652 views • 26 slides
www.infosecawareness.in Agenda Financial Safety and Security - Awareness E-wallet- Usage,

www.infosecawareness.in Agenda Financial Safety and Security - Awareness E-wallet- Usage,

INFORMATION SECURITY AWARENESS keeping yourself and your family safe in a tech driven world www.isea.gov.in www.infosecawareness.in Agenda Financial Safety and Security - Awareness E-wallet- Usage, security and Guidelines Insta loan

604 views • 29 slides
Security Awareness Rick Whitmore Information Technology Security Office security.ku.edu

Security Awareness Rick Whitmore Information Technology Security Office security.ku.edu

Security Awareness Rick Whitmore Information Technology Security Office security.ku.edu Everyone has a role in securing their part of cyberspace, including the devices and networks they use. Todays Topics Impact on Universities

936 views • 59 slides
Radical Uncertainty Decision-making for an unknowable future John Kay A measurable

Radical Uncertainty Decision-making for an unknowable future John Kay A measurable

Radical Uncertainty Decision-making for an unknowable future John Kay A measurable uncertainty, or risk proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect an uncertainty at

240 views • 10 slides
Security Awareness on a Budget FISSEA 2011 Security Awareness on a Budget (or even with NO

Security Awareness on a Budget FISSEA 2011 Security Awareness on a Budget (or even with NO

Security Awareness on a Budget FISSEA 2011 Security Awareness on a Budget (or even with NO budget!) FISSEA 2011 Introduction FISSEA =The Federal Information System Security Educators Association We are EDUCATORS, first and foremost

747 views • 38 slides
U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST

U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST

ISSLOB SSC CYBERSECURITY AWARENESS U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST SP 800-50 A proven, reliable solution that verifies retention of material and concepts A well

344 views • 17 slides
Computably measurable sets and computably measurable functions in terms of algorithmic

Computably measurable sets and computably measurable functions in terms of algorithmic

Computably measurable sets and computably measurable functions in terms of algorithmic randomness Tokyo Institute of Technology 20 Feb 2013 Kenshi Miyabe RIMS, Kyoto University 1 Motivation Measure (Probability) theory everywhere(!)

665 views • 25 slides
CSC 484 Lecture Notes Week 8 Chapters 13, 14, and 15 of the Book CSC484-S08-L8 Slide 2 I.

CSC 484 Lecture Notes Week 8 Chapters 13, 14, and 15 of the Book CSC484-S08-L8 Slide 2 I.

CSC484-S08-L8 Slide 1 CSC 484 Lecture Notes Week 8 Chapters 13, 14, and 15 of the Book CSC484-S08-L8 Slide 2 I. Relevant reading -- See title slide. CSC484-S08-L8 Slide 3 II. Intro to Ch 13 (Sec 13.1). A. Largely a recap. B. Presents eval

796 views • 65 slides
Clean Care Conversations Webinar STOP! Clean Your Hands Day May 6, 2019

Clean Care Conversations Webinar STOP! Clean Your Hands Day May 6, 2019

Clean Care Conversations Webinar STOP! Clean Your Hands Day May 6, 2019 patientsafetyinstitute.ca securitedespatients.ca Your moderator, host and presenters Carmen Stephens Dr. Greg German Jason Tetro Christopher Thrall Patient Partner

479 views • 24 slides
MARK2052 MR3 Quantitative Research (T3-2019) 1 Lecture structure for this lecture Course

MARK2052 MR3 Quantitative Research (T3-2019) 1 Lecture structure for this lecture Course

29/09/2019 MARK2052 MR3 Quantitative Research (T3-2019) 1 Lecture structure for this lecture Course issues and questions Last topic: MR2: qualitative research Survey Experiment Lecture summary Next topic: MR4:

397 views • 25 slides
Pitfalls and Countermeasures in Software Quality Measurements and Evaluations Hironori Washizaki

Pitfalls and Countermeasures in Software Quality Measurements and Evaluations Hironori Washizaki

5th International Workshop on Quantitative Approaches to Software Quality (QuASoQ) Nanjing, Dec 4, 2017 Pitfalls and Countermeasures in Software Quality Measurements and Evaluations Hironori Washizaki washizaki@waseda.jp Prof., Global Software

543 views • 38 slides
Gov 51: Randomized Experiments Matthew Blackwell Harvard University 1 / 10 Changing minds on

Gov 51: Randomized Experiments Matthew Blackwell Harvard University 1 / 10 Changing minds on

Gov 51: Randomized Experiments Matthew Blackwell Harvard University 1 / 10 Changing minds on gay marriage Question: can we efgectively persuade people to change their minds? Hugely important question for political campaigns,

525 views • 10 slides
Various Design Issues Nahomi Ichino 13 June 2019 Ichino Design Issues 13 June 2019 0 / 28

Various Design Issues Nahomi Ichino 13 June 2019 Ichino Design Issues 13 June 2019 0 / 28

Various Design Issues Nahomi Ichino 13 June 2019 Ichino Design Issues 13 June 2019 0 / 28 Some Additional Issues for Design 1. Review: Different types of randomization Simple and complete Block Cluster 2. Encouragement design

1.26k views • 29 slides
A86012 Management and Principles of Accoun:ng (2016/2017) Session 12 Human Resources Paul G.

A86012 Management and Principles of Accoun:ng (2016/2017) Session 12 Human Resources Paul G.

A86012 Management and Principles of Accoun:ng (2016/2017) Session 12 Human Resources Paul G. Smith B.A., F.C.A SESSION OBJECTIVES & OVERVIEW A 86012 Management and Principles of 2 Accoun:ng Course Overview 1. What is business 14.

520 views • 28 slides
SOCI 210: Sociological Perspectives Sept. 15 1. Administrative 2. Methods of inquiry 3. Three

SOCI 210: Sociological Perspectives Sept. 15 1. Administrative 2. Methods of inquiry 3. Three

SOCI 210: Sociological Perspectives Sept. 15 1. Administrative 2. Methods of inquiry 3. Three theoretical lenses 1 Administrative Groups If you have a group or partial group organized , you may pick a group on MyCourses to join

396 views • 36 slides

More recommend