results from help us protect the carnegie mellon
play

Results from Help Us Protect the Carnegie Mellon Community from - PowerPoint PPT Presentation

Jan 25, 2023 •219 likes •964 views

Results from Help Us Protect the Carnegie Mellon Community from Identity Theft study A Real-Word Evaluation of Anti-Phishing Training Mary Ann Blair Lorrie Faith Cranor Ponnurangam Kumaraguru (PK) Joint work with Justin Cranshaw,

  1. Results from “Help Us Protect the Carnegie Mellon Community from Identity Theft” study A Real-Word Evaluation of Anti-Phishing Training Mary Ann Blair Lorrie Faith Cranor Ponnurangam Kumaraguru (PK) Joint work with Justin Cranshaw, Alessandro Acquisti, Jason Hong, and Theodore Pham C yLab U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 1

  2. Outline  Motivation for collaboration  Phishing 101  PhishGuru  CMU-PhishGuru study design and results  How to protect yourself  Lessons learned CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 2

  3. Motivation for collaboration Security Alert - Fraud Emails - CARNEGIE MELLON UNIVERSITY INTERNET USER (Posted September 29, 2008) Fraud emails have recently been sent to Carnegie Mellon email accounts claiming to be from Carnegie Mellon University <cmu@webmaster.com> . The fraud messages ask people to reply with their Full Name, User Id, and Password . PLEASE ENABLE SPAM FILTERING AND DO NOT REPLY! For What You Need To Do , see Security Alert - Fraud Emails - CARNEGIE MELLON UNIVERSITY INTERNET USE. www.cmu.edu/iso CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 3

  4. Motivation for collaboration Security Alert - Fraud Emails - andrew.cmu.edu Feature Release: Upgraded Search (Posted August 27, 2008) Fraud emails have recently been sent to Carnegie Mellon email accounts claiming to be from memberservice@andrew.cmu.edu . The fraud messages ask people to reply with their User ID and Password . PLEASE ENABLE SPAM FILTERING AND DO NOT REPLY! For What You Need To Do , see Security Alert - Fraud Emails - andrew.cmu.edu Feature Release: Upgraded Search. www.cmu.edu/iso CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 4

  5. Motivation for collaboration  Reduce risk – identity theft – credential stealing – data leakage  Improve operational effectiveness  Support research  Help individuals avoid being scammed CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 5

  6. Phishing 101 CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 6

  8. eBay: Urgent Notification From Billing Department

  9. We regret to inform you that your eBay account could be suspended if you don’t re-update your account information.

  10. https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&c o_partnerid=2&sidteid=0

  11. http://www.kusi.org/hcr/eBay/ws23/eBayISAPI.htm

  12. Phishing works  73 million US adults received more than 50 phishing emails each in the year 2005  Gartner estimated 3.6 million adults lost $3.2 billion in phishing attacks in 2007  Financial institutions and military are also victims  Corporate espionage CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 12

  13. Why phishing works  Phishers take advantage of Internet users’ trust in legitimate organizations  Lack of computer and security knowledge [Dhamija et al.]  People don’t use good strategies to protect themselves [Downs et al.] CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 13

  14. Anti-phishing strategies  Silently eliminate the threat – Find and take down phishing web sites – Detect and delete phishing emails  Warn users about the threat – Anti-phishing toolbars and web browser features  Train users not to fall for attacks CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 14

  15. User education is challenging  For most users, security is a secondary task  It is difficult to teach people to make the right online trust decision without increasing their false positive errors CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 15

  16. Is user education possible?  Security education “puts the burden on the wrong shoulder.” [Nielsen, J. 2004. User education is not the answer to security problems. http://www.useit.com/alertbox/20041025.html.]  “Security user education is a myth.” [Gorling, S. 2006. The myth of user education. In Proceedings of the 16th Virus Bulletin International Conference.]  “User education is a complete waste of time. 
 It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job.” [Martin Overton, a U.K.-based security specialist at IBM, quoted in http://news.cnet.com/2100-7350_3-6125213-2.html] CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 16

  18. 18

  19. Web site training study  Laboratory study of 28 non-expert computer users  Control group: evaluate 10 sites, 15 minute break to read email or play solitaire, evaluate 10 more sites  Experimental group: evaluate 10 sites, 15 minutes to read web-based training materials, evaluate 10 more sites  Experimental group performed significantly better identifying phish after training – But they had more false positives  People can learn from web-based training materials, if only we could get them to read them! P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMU-CyLab-07003, 2007. CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 19

  20. PhishGuru CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 20

  21. PhishGuru Embedded Training  Can we “train” people during their normal use of email to avoid phishing attacks? – Periodically, people receive a training email – Training email looks like a phishing attack – If a person falls for it, intervention warns and highlights what cues to look for in succinct and engaging format  Motivating users – “teachable moment”  Applies learning science principles for designing training interventions CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 21

  22. Subject: Revision to Your Amazon.com Information

  23. Subject: Revision to Your Amazon.com Information Please login and enter your information http://www.amazon.com/exec/obidos/sign-in.html

  25. Laboratory study results  Security notices are an ineffective medium for training users  Users educated with embedded training make better decisions than those sent security notices  Participants retained knowledge after 7 days  Training does not increase false positive error CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 25

  26. Real world study: Portuguese ISP  PhishGuru is effective in training people in the real world – Statistically significant difference between Day 0 and Day 2 in both generic and spear conditions (p-value < 0.05)  Trained participants retained knowledge after 7 days of training – No significant difference in generic or spear conditions between Day 2 and Day 7 Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. Lessons from a real world evaluation of anti-phishing training. e-Crime Researchers Summit, 2008 CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 26

  27. CMU-PhishGuru study design and results CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 27

  28. CMU study  Evaluate effectiveness of PhishGuru training in the real world  Investigate retention after 1 week, 2 weeks, and 4 weeks  Compare effectiveness of 2 training messages with effectiveness of 1 training message P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. 2009. Under review. http://www.cylab.cmu.edu/research/techreports/cmucylab09002.pdf CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 28

  29. Study design  Sent email to all CMU students, faculty and staff to recruit participants to opt-in to study  515 participants in three conditions – Control – One training message – Two training messages  Emails sent over 28 day period – 7 simulated spear-phishing messages – 3 legitimate messages from ISO (cyber security scavenger hunt)  Counterbalanced emails and interventions  Exit survey CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 29

  30. Implementation  Unique hash in the URL for each participant  Demographic and department/status data linked to each hash  Form does not POST login details  Websites fully functional  Campus help desks and all spoofed organizations were notified before messages were sent CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 30

  31. Study schedule Day of the Control One training Two training study message messages Day 0 Test and real Train and real Train and real Day 2 Test Day 7 Test and real Day 14 Test Test Train Day 16 Test Day 21 Test Day 28 Test and real Day 35 Post-study survey CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 31

  32. Simulated spear phishing message Plain text email without graphics URL is not hidden CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 32

  33. Simulated phishing website http://andrewwebmail.org/password/change.htm?ID=9009 CyLab Usable Privacy and Security Laboratory http://www.cups.cs.cmu.edu/ 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A First Look Franz Franchetti Carnegie Mellon University in collaboration with Daniele G.

A First Look Franz Franchetti Carnegie Mellon University in collaboration with Daniele G.

Carnegie Mellon Carnegie Mellon FFTX and SpectralPACK: A First Look Franz Franchetti Carnegie Mellon University in collaboration with Daniele G. Spampinato, Anuva Kulkarni, Tze Meng Low Carnegie Mellon University Doru Thom Popovici, Andrew

330 views • 19 slides
Brendan Meeder Carnegie Mellon University Christos Faloutsos Carnegie Mellon University Given a

Brendan Meeder Carnegie Mellon University Christos Faloutsos Carnegie Mellon University Given a

Leman Akoglu Carnegie Mellon University Hanghang Tong IBM T. J. Watson Brendan Meeder Carnegie Mellon University Christos Faloutsos Carnegie Mellon University Given a graph with node attributes (features) social networks + user interests

368 views • 22 slides
From Carnegie Mellon to Kyoto: How Far Can We Go? Project Courses at Carnegie Mellon Involve

From Carnegie Mellon to Kyoto: How Far Can We Go? Project Courses at Carnegie Mellon Involve

From Carnegie Mellon to Kyoto: How Far Can We Go? Project Courses at Carnegie Mellon Involve real-world, unstructured problems involving technology and public policy. Provide students with leadership experience in problem-solving environments.

1.32k views • 99 slides
for BlueGene/P Franz Franchetti 1 , Yevgen Voronenko 2 , Gheorghe Almasi 3 1 Carnegie Mellon

for BlueGene/P Franz Franchetti 1 , Yevgen Voronenko 2 , Gheorghe Almasi 3 1 Carnegie Mellon

Carnegie Mellon Carnegie Mellon Automatic Generation of the HPC Challenge's Global FFT Benchmark for BlueGene/P Franz Franchetti 1 , Yevgen Voronenko 2 , Gheorghe Almasi 3 1 Carnegie Mellon University and SpiralGen, Inc. 2 AccuRay, Inc., 3 IBM

588 views • 25 slides
Cache Lab Implementation and Blocking Slides courtesy of: Aditya Shah, CMU 1 Carnegie Mellon

Cache Lab Implementation and Blocking Slides courtesy of: Aditya Shah, CMU 1 Carnegie Mellon

Carnegie Mellon Cache Lab Implementation and Blocking Slides courtesy of: Aditya Shah, CMU 1 Carnegie Mellon Welcome to the World of Pointers ! 2 Carnegie Mellon Outline Schedule Memory organization Caching Different types

807 views • 34 slides
Carnegie Mellon University Search TRECVID 2004 Workshop November 2004 Mike Christel, Jun

Carnegie Mellon University Search TRECVID 2004 Workshop November 2004 Mike Christel, Jun

Carnegie Mellon University Search TRECVID 2004 Workshop November 2004 Mike Christel, Jun Yang, Rong Yan, and Alex Hauptmann Carnegie Mellon University christel@cs.cmu.edu Carnegie Mellon Carnegie Mellon Talk Outline CMU Informedia

719 views • 36 slides
A First Look Franz Franchetti, Daniele G. Spampinato, Anuva Kulkarni, Tze Meng Low Carnegie

A First Look Franz Franchetti, Daniele G. Spampinato, Anuva Kulkarni, Tze Meng Low Carnegie

Carnegie Mellon Carnegie Mellon FFTX and SpectralPACK: A First Look Franz Franchetti, Daniele G. Spampinato, Anuva Kulkarni, Tze Meng Low Carnegie Mellon University Doru Thom Popovici, Andrew Canning, Peter McCorquodale, Brian Van Straalen,

786 views • 24 slides
Machine Translation for Human Translators Carnegie Mellon Ph.D. Thesis Michael Denkowski

Machine Translation for Human Translators Carnegie Mellon Ph.D. Thesis Michael Denkowski

Machine Translation for Human Translators Carnegie Mellon Ph.D. Thesis Michael Denkowski Language Technologies Institute School of Computer Science Carnegie Mellon University April 20, 2015 Thesis Committee: Alon Lavie (chair), Carnegie

1.63k views • 128 slides
Replication and Robust Results Jim Herbsleb School of Computer Science Carnegie Mellon

Replication and Robust Results Jim Herbsleb School of Computer Science Carnegie Mellon

Replication and Robust Results Jim Herbsleb School of Computer Science Carnegie Mellon University jdh@cs.cmu.edu http://conway.isri.cmu.edu/~jdh/ Science Is Based on a Peculiar Logic Experimental method Relationship =&gt; hypothesis

366 views • 24 slides
MSR: Mining for Scientific Results? Jim Herbsleb School of Computer Science Carnegie Mellon

MSR: Mining for Scientific Results? Jim Herbsleb School of Computer Science Carnegie Mellon

MSR: Mining for Scientific Results? Jim Herbsleb School of Computer Science Carnegie Mellon University jdh@cs.cmu.edu http://conway.isri.cmu.edu/~jdh/ The author gratefully acknowledge support by the National Science Foundation under Grants

600 views • 47 slides
Running Incomplete Programs Ian Voysey Carnegie Mellon University Cyrus Omar Carnegie Mellon

Running Incomplete Programs Ian Voysey Carnegie Mellon University Cyrus Omar Carnegie Mellon

Running Incomplete Programs Ian Voysey Carnegie Mellon University Cyrus Omar Carnegie Mellon University Matthew A. Hammer University of Colorado Boulder Hello everyone! Thank you all for coming to what I think is the last talk in the last

205 views • 19 slides
15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

Carnegie Mellon 15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!! Carnegie Mellon Agenda Stack review Attack lab overview Phases

882 views • 19 slides
15-213 Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton DSouza Carnegie Mellon Agenda

15-213 Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton DSouza Carnegie Mellon Agenda

Carnegie Mellon 15-213 Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton DSouza Carnegie Mellon Agenda Bomb Lab Overview Assembly Refresher Introduction to GDB Unix Refresher Bomb Lab Demo Carnegie Mellon Downloading

804 views • 21 slides
Third Annual Carnegie Mellon Conference on the Electricity Industry Enhancing IGCC economics with

Third Annual Carnegie Mellon Conference on the Electricity Industry Enhancing IGCC economics with

Third Annual Carnegie Mellon Conference on the Electricity Industry Enhancing IGCC economics with a diurnal syngas storage scheme Adam Newcomer and Jay Apt Carnegie Mellon University March 14, 2007 1 Preliminary data. Do not cite or quote

408 views • 26 slides
SPIRAL, FFTX, and the Path to SpectralPACK Franz Franchetti Carnegie Mellon University

SPIRAL, FFTX, and the Path to SpectralPACK Franz Franchetti Carnegie Mellon University

Carnegie Mellon Carnegie Mellon SPIRAL, FFTX, and the Path to SpectralPACK Franz Franchetti Carnegie Mellon University www.spiral.net In collaboration with the SPIRAL and FFTX team @ CMU and LBL This work was supported by DOE ECP and DARPA

319 views • 13 slides
More is Less? Non-parametric Language Models and Efficiency Graham Neubig Carnegie Mellon

More is Less? Non-parametric Language Models and Efficiency Graham Neubig Carnegie Mellon

Carnegie Mellon University More is Less? Non-parametric Language Models and Efficiency Graham Neubig Carnegie Mellon University Based on Work by Junxian He w/ Taylor Berg-Kirkpatrick 1 Carnegie Mellon University Parametric Language Models

833 views • 68 slides
Webinar: Does Your Foundation Take Cybersecurity Seriously? Presenter: John Ansbach, Vice

Webinar: Does Your Foundation Take Cybersecurity Seriously? Presenter: John Ansbach, Vice

Webinar: Does Your Foundation Take Cybersecurity Seriously? Presenter: John Ansbach, Vice President, Stroz Friedberg Sponsored by: CYBER Cybersecurity Webinar John Ansbach, JD, CIPP-US @johnansbach jansbach@strozfriedberg.com 3 4

830 views • 54 slides
Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require? How does an Australian business comply? Action Plan Section 1: GDPR is here Privacy in the digital age Historically, privacy was almost

513 views • 40 slides
Bioimaging Bank: Linking Medical Imaging and Biobanking Data for Cancer Research Daniel Moses

Bioimaging Bank: Linking Medical Imaging and Biobanking Data for Cancer Research Daniel Moses

Bioimaging Bank: Linking Medical Imaging and Biobanking Data for Cancer Research Daniel Moses BSc(Hons) MBBS Hons MEngSc PhD FRANZCR DABR Medical Director Research Imaging NSW Level 1 Building 3, Prince of Wales Hospital.

335 views • 5 slides
Pokemon: Real Time Battle Atom Raiff, Wisdom Chen, Cameron Smith Video Youtube link here. What

Pokemon: Real Time Battle Atom Raiff, Wisdom Chen, Cameron Smith Video Youtube link here. What

Pokemon: Real Time Battle Atom Raiff, Wisdom Chen, Cameron Smith Video Youtube link here. What Worked and What Did Not Worked using free models good old fashioned couch gaming cooperative gameplay Didnt work

332 views • 6 slides
UNSAFE AT ANY SPEED: CYBERSECURITY FOR LAWYERS MICHAEL P. HANNIGAN KONICEK &amp; DILLON, P.C.

UNSAFE AT ANY SPEED: CYBERSECURITY FOR LAWYERS MICHAEL P. HANNIGAN KONICEK &amp; DILLON, P.C.

9/19/2018 UNSAFE AT ANY SPEED: CYBERSECURITY FOR LAWYERS MICHAEL P. HANNIGAN KONICEK &amp; DILLON, P.C. UNDERSTANDING THE PROBLEM Insecure Communications vs. Insecure Credentials 1 9/19/2018 IMPORTANT TERMS Phishing Spear

293 views • 6 slides
Cyber Essentia ials and IS ISO27001 Visit: www.pgitl.com Visit: www.pgitl.com Steve Mair

Cyber Essentia ials and IS ISO27001 Visit: www.pgitl.com Visit: www.pgitl.com Steve Mair

Cyber Essentia ials and IS ISO27001 Visit: www.pgitl.com Visit: www.pgitl.com Steve Mair Senior Cyber Security Consultant @PGICyber and @SteveMair13 Visit: www.pgitl.com 3 Questions to Start Visit: www.pgitl.com Do you know What

776 views • 29 slides
Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some

Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some

Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some context Daily Mail online, April 2017 52 % the number of small businesses that had a security breach in 2016 UK Government Cyber Security

619 views • 39 slides
ASBMT Pharmacy Special Interest Group (SIG) Update 2014 2015 Jamie F Shapiro, Pharm.D, BCOP

ASBMT Pharmacy Special Interest Group (SIG) Update 2014 2015 Jamie F Shapiro, Pharm.D, BCOP

1/21/2015 ASBMT Pharmacy Special Interest Group (SIG) Update 2014 2015 Jamie F Shapiro, Pharm.D, BCOP Clinical Pharmacy Coordinator, Stem Cell Transplant Chair, ASBMT Pharmacy SIG February 13, 2015 Disclosures I have no relevant disclosures

395 views • 12 slides

More recommend