Using Data from Breaches What is the User Level of Comfort? - - PowerPoint PPT Presentation




SLIDE 1

Using Data from Breaches

What is the User Level of Comfort?

Yingquan Yu

SLIDE 2

My story

Source: https://infosecurity.cathaypacific.com/

SLIDE 3

How many online accounts compromised through data breach?

5,575,703,782

Source: https://haveibeenpwned.com

SLIDE 4

What happens to the data that was compromised during the breach?

Most of the time it becomes available on the black market for free or paid download

SLIDE 5

Several Uses for Data from Breaches

  • Research
  • Look-up service
  • Proactive security
  • Investigative journalism

SLIDE 6

Research Questions

  • Do users understand breaches?
  • What are acceptable uses for breached data?

SLIDE 7

Users understand the risk of breaches

93%

Understand the meaning of data breach

  • Identity Theft
  • Personal Data Loss
  • Monetary Loss

What is their level of comfort with various uses of breached data?

SLIDE 8

Scenario based assessment

  • N = 10,000
  • US, IN, DE, UK, AU, CA
  • 8 scenarios total, 2 scenarios per participant

SLIDE 9

Sample Scenario Background

  • Global Inc
  • Email, Chat, Blogs, Profile Page
  • Username and password stolen
  • Sold on black market for $$$
  • Example:
    • A researcher from UIUC
    • Investigates online security (password strength)
    • Buys a copy from the black market for research

SLIDE 10

Scenarios

Security
  • Look Up Service: Have I been pwned
  • Proactive Protection: Process Password Dump
  • Threat Intelligence: Notify Payment Service
  • Threat Intelligence: Notify Social Network Service

Investigative Journalism
  • Revealing a Tax Evasion Scam
  • Revealing Dating Site Private Profiles

Marketing
  • Competitor uses breached data to advertise their service

Research
  • Researcher uses breached data for security research

SLIDE 11

Scenario: Threat Intelligence
Comfort Level: 40% Comfortable, 20% Neutral

“I don’t have any issue with hacked firm contacting them. It is probably the best thing to do. They can reset my password before anyone has a chance to try and hack my account”

“Global Inc has already failed in securing my data, and I do not trust them to make any effort to secure my data elsewhere in the future”

SLIDE 12

Scenario: Security Research
Comfort Level: 15% Comfortable, 10% Neutral

“I have faith that this action will ultimately contribute to research that will make the general population less vulnerable in the long run.”

“It’s incredibly unethical for the researcher to buy passwords from hackers. It’s no different than someone buying a car that was stolen.”

SLIDE 13

Level of comfort highest for scenarios with direct security benefit

Comfort spectrum, from most comfortable to least comfortable (the top of the spectrum is marked “Direct Security Benefit”):

  • Threat Intelligence sharing
  • Proactive Scanning and Protection
  • Journalism (Tax Scam)
  • Hacked Or Not Service
  • Competitor / Marketing
  • Journalism (Dating)
  • Research

SLIDE 14

Order Preserved Regardless of buy vs free download

Comfort spectrum, from most comfortable to least comfortable:

  • Proactive Scanning and Protection
  • Journalism (Tax Scam)
  • Hacked Or Not Service
  • Competitor / Marketing
  • Journalism (Dating)
  • Research

SLIDE 15

Comfort Spectrum consistent across countries

SLIDE 16

Prior victims of data breach expressed significantly higher level of comfort

Victims more comfortable on

  • Proactive Measures (whether the data is purchased or free)
  • Damage Control Measures (both financial and social network data)
  • Hacked or Not Service (only if the data is free)

SLIDE 17

Implications for company

  • Breached company needs to be transparent and notify victims
  • Proactively reset passwords and lock down accounts from further damage
  • Articulate how any security service can provide a direct benefit to the victims

“I think it’s imperative for the company to tell people whose data has been accessed. Companies should not control but rather empower”

“This is a proactive step from the company, and one that they are not obligated to do. This makes me feel like the company cares about protecting my identity”

“I have faith this action will ultimately contribute to making the general population less vulnerable in the long run”
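The proactive-protection scenario (processing a password dump) and the implications above, as an added example that is not part of the original deck: a breached company checks a credential dump against its own user store, and every matching account is flagged for a forced reset, session revocation and notification. The user store, the dump and the hashing parameters are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed for this example: PBKDF2-SHA256 per-user password hashing.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> Tuple[bytes, bytes]:
    """Store only a random salt and the derived hash, never the plaintext."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)

# Constructed user store (email -> (salt, hash)); all values are made up.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_user("correct horse battery staple"),
    "bob@example.com": make_user("hunter2"),
    "carol@example.com": make_user("Tr0ub4dor&3"),
}

# Constructed credential dump, standing in for the "password dump" scenario.
DUMP: List[Tuple[str, str]] = [
    ("Alice@Example.com", "correct horse battery staple"),  # reused password
    ("bob@example.com", "password123"),                     # different password
    ("dave@example.com", "letmein"),                        # not our user
    ("carol@example.com", "Tr0ub4dor&3"),                   # reused password
]

def process_dump(dump: List[Tuple[str, str]],
                 users: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Return accounts whose current password appears in the dump.
    Each dumped plaintext is re-derived with that user's own salt and compared
    in constant time; nothing from the dump is retained afterwards."""
    affected = []
    for raw_email, password in dump:
        email = raw_email.strip().lower()   # dumps are rarely normalised
        record = users.get(email)
        if record is None:
            continue
        salt, stored = record
        if hmac.compare_digest(_derive(password, salt), stored):
            affected.append(email)
    return affected

def lock_down(affected: List[str]) -> Dict[str, List[str]]:
    """Per-account actions from the implications slide: reset the password,
    revoke sessions so the old credential is useless, and notify the victim."""
    return {e: ["reset_password", "revoke_sessions", "notify_user"] for e in affected}
```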

SLIDE 18

Back to my story

Source: https://infosecurity.cathaypacific.com/