LIS 510 "Human Factors in Information Security" course introduction

Dorothea Salo

August 28, 2023

Transcript

1. What is this course for?
  ✦ Your self-protection, and helping you contribute to a safer, more secure world for everyone
  ✦ For some of you, a light on possible career paths
  ✦ Safety engineering and perspective-taking
  ✦ A lot of communication and workplace practice!
    ✦ This is the major motive behind course assignments.
    ✦ Work-appropriate communication styles have to be learnt; they are very different from academic communication. I will steep you in the differences! (I will also try to teach you how best to communicate around tricky subjects—like errors and blame.)
    ✦ Infosec has its own communication genres: bug/vulnerability reports, incident reports, training materials… so I’ll be acquainting you with those. It won’t be enough! But at least they won’t come as a surprise.

2. … safety engineering?
  ✦ Yeah. It’s kind of the origin of “human factors” in the name of this course.
  ✦ JSYK, if you’re a nervous flyer, you don’t want to read a lot of the human-factors literature. Most of its examples come from air safety.
  ✦ We’ll talk more about this next week, but the basic ideas are:
    ✦ When something goes wrong, there’s a very human tendency to find an individual human being to SCAPEGOAT for it.
    ✦ It’s NOT A PRODUCTIVE TENDENCY. It doesn’t lead us to the right answers—or more important, the right fixes. We need to resist it.
    ✦ When failures happen, there are always multiple causal factors.
    ✦ When failures don’t happen, it’s because a whole lot of humans have DEFENDED against them! Humans are a STRENGTH, not a problem!

3. Think through the system!
  ✦ How many people and offices got involved in the passcoded door latch being there?
  ✦ What are some reasons it might be there?
  ✦ What might be the reasoning behind the sticky note with the passcode?
  ✦ Why hasn’t it been taken off and the passcode changed?

4. Perspective-taking
  ✦ Based on what he said, what does Mark Lanterman think cybersecurity is?
  ✦ What does he think it isn’t?
  ✦ What does he think training will accomplish? What does this mean for how he thinks of the people he works with and for?
  ✦ Now take a broader view: what does this mean for how he does his job (as CTO for a forensics company)?

5. Perspective-taking
  ✦ Why would a salesperson be uninterested in the security of a tech product they’re selling?
  ✦ Where might they have picked up this attitude?
  ✦ What does the salesperson likely think is important?
  ✦ Why would they think it’s okay to say that to an actual Chief Information Security Officer at an actual security company?
  ✦ Take a broader view: what do YOU think of the salesperson’s company right now?
  ✦ If you were the salesperson’s boss, what kind of conversation might you have with them on seeing what Lea said?

6. Students who take 510…
  ✦ … typically come in a few different flavors.
    ✦ MA/LIS students, interested in privacy and/or information/data governance
    ✦ MS/Info students: often responsible for securing data or systems
    ✦ CS/SE, iSci, or Digital Studies undergrads interested in infosec careers
    ✦ B-school students, often interested in risk management
    ✦ (None of these may apply to you — and if so, GREAT! Welcome!)
  ✦ If one of these is you, here is what I have for you!
    ✦ MA/LIS, MS/Info folks: a little technology, a fair amount of pragmatic big-picture knowledge
    ✦ CS/SE, iSci folks: Ethics, law, and communication likely won’t land you your first infosec job. If you want to do well in that job and/or move up the ladder, though — they are absolutely, positively ESSENTIAL.
    ✦ All of you: if you want to use your tech knowledge for good, 510 should give you avenues for that.

7. A prior student: (by permission)
  That is exactly where I want to operate within the cybersecurity landscape. Almost a liaison between the policy side and the technology side, who can effectively communicate with both sides. Not exactly a "jack of all trades, master of none," but something similar-ish. I also wanted to say thank you for a great semester and class. As someone passionate about cybersecurity WITHOUT A TECHNICAL BACKGROUND… having this class available to me was such an amazing experience. I'm very grateful I had the opportunity to learn so much about cybersecurity because all the other cybersecurity-related classes are only for computer science majors.

8. Corollaries
  ✦ Infosec is about people because it has to be.
  ✦ There is no such thing as a technological system completely devoid of people.
    ✦ People design systems.
    ✦ People build them.
    ✦ People use them — and by using them, become part of them!
    ✦ People break them, accidentally or intentionally.
    ✦ People abuse them, often to harm other people.
  ✦ The people parts of systems work differently from the tech parts. We’re not technologies!
  ✦ You can’t always use tech to fix human behavior. We’ll see some reasons why not.

9. Questions we’ll (start to) answer in this course
  ✦ What IS IT with people? Why are we (as a species) so bad at security?
    ✦ Spoiler: the answers have little or nothing to do with intelligence.
  ✦ Why do we make the security decisions we do?
  ✦ Where do we learn bad practices? How can we make better decisions?
  ✦ How can we make it easier for everyone to make better decisions?
  ✦ Can we make people who don’t give a 💩 about the impact of their 💩-y practices on everybody else’s security… actually give a 💩?
  ✦ Who’s out to ruin our security, why, and how?
    ✦ The answers to this one are legion, and some will surprise you.
  ✦ How do the human and organizational processes around security work, in the Real World™?

10. A note on course-exacerbated anxiety
  ✦ This class talks about a lot of sources of individual, organizational, and societal RISK.
  ✦ For most of you, it will discuss risks you’ve never considered before. Possibly lots of them!
  ✦ Consider whether you’re in a mental space where you can take these extra worries on.
    ✦ I will not be upset if you drop the class because you’re not.
  ✦ I will teach you defenses when they exist! That’s a promise.
    ✦ It’s also important from a safety-engineering point of view.
    ✦ Defending yourself defends the systems you’re part of… and the other people who are also part of those systems!

11. Cool? Cool. Thanks!
  This presentation is copyright 2023 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.

12. Ground rules
  ✦ Every one of you is welcome here. Every one of you belongs here. Every one of you can succeed here.
    ✦ It’s my job to help that happen. Help me do my job by telling me when I can make a difference for you. I am not psychic! I don’t always realize.
  ✦ Grades in this course are not competitive. Everyone can get an A!
    ✦ But it’ll be easier if y’all support one another. So do that.
  ✦ We have widely varying levels of pre-existing tech knowledge in this class. I do my best to design the class around that, in fact.
    ✦ I will be Very Upset with you if you mess up my careful design work by being scornful or dismissive of classmates who didn’t come in with the same tech preparation you did. So don’t. Thanks.
    ✦ Some specific things to avoid: “well actually,” “RTFM,” “how could you not know that?!” and sexist/racist/ageist/ableist words, phrases, and stereotypes (“so easy my grandma could…”). Not in my class, please.

13. Foundational expectations
  ✦ You will be here. Physically. In class. Every week. On time and ready to work.
    ✦ This course does get taught online-asynchronous (usually spring) — I will not be hurt or offended if you drop to take the online version.
    ✦ 33% of your grade comes from the “weekly huddles” I start class with, week 3 on. THERE IS NO MAKEUP FOR THESE. I do drop one.
  ✦ You will do the readings for each week before you come to class.
    ✦ I use a textbook and another book for this class. The library has the textbook as an ebook! The other is readily available used.
  ✦ A lot of the work of this class will happen right here in this classroom! And it won’t be passive!
    ✦ What even is the point of an in-person class otherwise?!

14. How to get an A in this course
  ✦ Do the work. On time. Every single week.
    ✦ Work = readings, coming to class, doing labs, major assignments
    ✦ There is a strong correlation between FALLING BEHIND in the weekly work and poor grades… also between SKIPPING CLASS and poor grades.
    ✦ Don’t fall into the “oh, it’s just this week” trap. It often doesn’t work out that way.
  ✦ I’m very careful to put all assignments in the Canvas calendar. Use that to help you! PLAN YOUR ENTIRE SEMESTER NOW.
  ✦ Don’t ghost. No, not even for a week.
    ✦ Stuff happens. The key for you when stuff happens is to COMMUNICATE WITH ME.
    ✦ I hold student hours. I have an email address ([email protected]). The quicker you communicate, the quicker issues get resolved.

15. Seniors!
  ✦ You have job interviews! Or grad school interviews!
  ✦ This is a bad class to take if you have a lot of those! Absences WILL damage your grade!
    ✦ I WILL NOT EXCUSE ABSENCES FOR INTERVIEWS.
    ✦ I’m not mad at you. The system sucks. But I can’t and won’t distort my class to fit around their crappy system.
    ✦ Feel free to tell them I said so. Sheesh.
  ✦ Consider the online-asynchronous version of this class. (Usually taught in spring.)

16. Assignments
  ✦ Are all described IN THE SYLLABUS. READ. THE. SYLLABUS.
    ✦ (at least the first few pages; the rest is readings)
    ✦ If you ask me questions where the answer is obvious in the syllabus, I will not be best pleased.
  ✦ If you turn in an assignment that omits specific things I ask for in the syllabus, you will lose all the points for those things.
    ✦ I do not want to hear “but I didn’t see that / didn’t understand it.”
    ✦ If the assignment description is unclear (which is possible; I am human), the time to ask for clarity is well BEFORE the assignment is due.
  ✦ Rubrics are high-school. I don’t do them. I expect you to READ THE SYLLABUS and ASK SUBSTANTIVE QUESTIONS.
    ✦ “How long does it have to be?” is not a substantive question.

17. Late assignments
  ✦ Your assignments can be late. I don’t mind. You don’t have to email me for permission.
  ✦ But there will be CONSEQUENCES TO YOUR GRADE for that. That’s the only way I can keep this fair.
  ✦ I have a study-tips page in our Canvas. GUTS also has one, and they do individual study-skills appointments.
  ✦ If this policy won’t work for you, again, I won’t be offended if you drop the class.

18. How to calculate your current grade
  ✦ Canvas does not understand and cannot respect how I structure course grading.
    ✦ Which is irritating, because it’s not complicated!
    ✦ I don’t mess with weird assignment and assignment-combination percentages! My tiny addled brain breaks if I try!
  ✦ Count up how many POINTS YOU HAVE LOST so far. SUBTRACT FROM 100. That’s your current course grade.
  ✦ To translate to a letter grade, check the grading scale in the syllabus.

19. ChatGPT and its ilk: not in this class.
  ✦ No chatbots, no code generators, no image generators.
  ✦ If I catch you, I will initiate academic-misconduct proceedings. I am serious. DO NOT.
  ✦ I have class-related reasons why not:
    ✦ Chatbots are trained on the open web… much of which is UTTERLY CRAPTASTIC about information security (especially incidents).
    ✦ Chatbots do not know the difference between truth and bafflegab. So they are quite likely to MUCK UP YOUR ASSIGNMENTS! You won’t know because you’re not expert (that’s why you’re in this class, right?).
    ✦ Because training a model is so expensive, the Big Ones don’t retrain often, so their training corpus can be years out-of-date!
    ✦ Chatbots typically ask for your personal information and retain your prompts indefinitely. That’s a form of SURVEILLANCE. I’m not a fan.

20. Prefer human help. There’s plenty on campus.
  ✦ I will grudgingly allow Grammarly, but I warn you, its privacy and security are a hot mess.
  ✦ Prefer the Writing Center. Prefer GUTS. Prefer a friend or classmate who’s a good communicator.
    ✦ If you’d like to volunteer as a good communicator, I’m here for it!
    ✦ Infosec is often a communal endeavor. Let’s try to be a community in this class.
  ✦ For my major assignments, I usually offer examples.
    ✦ Especially if it’s a writing genre that may be unfamiliar to you.
    ✦ I don’t like “term/research papers” and I don’t assign them! Even the book assignment isn’t really a term paper; it’s more of a review.

21. Exams
  ✦ There aren’t any. There, that was easy.
  ✦ Yes, this means you can DISREGARD our final-exam slot when making travel plans for December. WE HAVE NO FINAL.
  ✦ I may occasionally use the Canvas quiz feature for something or other. But it won’t be anything as heavy as an exam.
    ✦ Sometimes, for me, it’s a convenient way of structuring and pacing a step-by-step hands-on activity.
  ✦ ONLINE EXAM PROCTORING SOFTWARE IS A RACIST, ABLEIST, PRIVACY-DESTROYING 🗑🔥 so I refuse to use it.
    ✦ Happy to rec stuff to read that’s shaped my thinking on this.

22. Many low-stakes assignments. Deliberately.
  ✦ Putting all the grade eggs in one or two baskets is really stressful for students, I find.
  ✦ So I haven’t.
  ✦ My grading strategy is to have plenty of small pass/fail assignments, a couple of medium-size assignments, and one semesterlong assignment with pieces of it due throughout the semester (instead of semester-end all-nighters).

23. In-class logistics
  ✦ Food and drink: fine, just don’t make a mess
    ✦ Liquids capped/lidded, please; there’s lots of expensive tech around!
    ✦ Try to avoid crumbs, stains, strong smells, etc.
    ✦ If there’s something foodish you absolutely can’t be around, let me know privately and I’ll announce in class without using your name.
  ✦ Devices are fine, but honor system: don’t check out, don’t distract yourself or others.
  ✦ Recording: fine, but I’m not sure it’ll help much.
  ✦ Breaks: Yes, at least one, 10-15 minutes.
    ✦ You can quietly slope out for a biobreak or whatever at other times if you need to. I totally don’t mind; this is a marathon for me too.

24. Student/office hours
  ✦ In my physical office or via Zoom (see Canvas)
  ✦ Can’t make my regular hours?
    ✦ You can ADD AN APPOINTMENT to my O365 calendar directly. Meetings can start between 8 and 3; please don’t conflict with meetings already in my calendar. Let me know how we’re meeting: in-person, Zoom, or call (leave your number).
    ✦ You can EMAIL ME WITH 3-5 TIMES that work for you. I’ll pick one or we’ll negotiate.
  ✦ Doesn’t have to be class-related!
    ✦ If you’re curious about something else I do, have a question about campus, or just want to shoot the breeze, that’s FINE.
    ✦ During regular office hours, I do of course have to prioritize class-related questions.

26. Weekly huddles
  ✦ Start of class, starting our third meeting
    ✦ (this should avoid the worst of drop/add chaos)
  ✦ 3 final-grade points each. A table-by-table activity derived from the readings due for that week.
    ✦ Names of those at the table go on the sheet of paper.
    ✦ Answers to the questions do too.
  ✦ Closed book, no devices. No looking things up!
  ✦ Not intended to be a gotcha! I am not out to trick, confuse, or bewilder you.
    ✦ I’m out to get you to do the readings! I chose them for reasons!
  ✦ There will be “sense of the table”-type opinion/reflection questions as well as more fact-based questions.

27. Crowdstrike analysis
  ✦ This is a trial run for your semesterlong project (the blameless post-mortem).
    ✦ I will grade and give feedback accordingly.
  ✦ Systems thinking is not easy, and it’s very different from how we instinctively tend to think about problems and failures.
    ✦ So I want to give you a chance to practice it!
  ✦ Parts: timeline, “crucial moments” analysis, “make the system better” analysis.
    ✦ You will have guiding questions to work with for both analyses I’m asking for.
  ✦ By the way: why shouldn’t you use a chatbot here?
    ✦ Leaving aside academic ethics issues, I mean.

28. In the (Higher-Ed) News
  ✦ Current awareness is so important in infosec and privacy work. Stuff changes! So this is partly a current-awareness exercise.
    ✦ Use it to figure out your own ongoing current-awareness strategies!
  ✦ Find news stories about a higher-ed security incident.
  ✦ Make up a student involved. Tell the class their story. MAKE US CARE!
    ✦ It’s curiously difficult to get many people to care about security stuff. This is your chance to work through how to change that!
  ✦ Limiting to higher ed for two reasons:
    ✦ Having a scope should make this less overwhelming.
    ✦ Consciousness-raising. Too many students are… well, kinda overtrusting about security threats on and to campus.

29. Each one teach one!
  ✦ Intended to help you practice:
    ✦ Understanding a new-to-you privacy/security threat
    ✦ Once you understand it, helping others understand it too
    ✦ Trust me, these are different skills!
  ✦ Also intended to give you a chance to decode and rewrite poorly-communicated security incidents.
    ✦ … which, frankly, many of them are.
  ✦ And it’s good practice for work email.
    ✦ I know, I know, email is an older-person thing. It still runs a whole lot of workplaces, so learning to use it well is a good idea.
    ✦ Tip: BLUF (BOTTOM LINE UP FRONT). In fandom, this is sometimes known as tl;dr (too long; didn’t read). 1-2 sentence summary of what the person most needs to do at start of email! THEN you explain.

30. Language note!
  ✦ English isn’t everybody’s first or only language.
  ✦ If the first language of the person you decide you’re writing to isn’t English, YOU MAY USE THEIR FIRST LANGUAGE!
    ✦ If it’s not a language I know, I’ll use a translation app, and ask questions if I need to.
  ✦ Code-switching and dialects are also fine.
    ✦ I had a student in a prior run of this class code-switch between Spanish (which I read just fine) and English, and it was great.
  ✦ If you want to translate the notice also, that’s fine… but it still needs to be clearer and better than the original (which is honestly really bad).

31. Book analysis
  ✦ I read this Really Cool Article, y’all!
    ✦ (It’s in your readings for next week.)
    ✦ Fulton et al. 2019. “The effect of entertainment media on mental models of computer security.”
  ✦ You’re going to reproduce (parts of) their analysis on a book you choose.
    ✦ (I wanted to do movie nights, but rights clearance is too expensive. Sorry.)
  ✦ One book list in syllabus; you may also choose anything in the “Fiction / Cyber Novel” category of Cybersecurity Canon.
    ✦ It doesn’t have to be a good book. If you want to point and laugh at a terrible one, go right ahead. (Cybersec Canon has some freakin’ awful thrillers.)
  ✦ Goals: better media literacy, better security awareness, and some fun with a book!

32. Semesterlong project: Blameless post-mortem
  ✦ You will pick a real-world security incident to read up on, analyze, and report out about.
    ✦ There’s a list in the syllabus. If you have an incident in mind that’s not on there, email me. I will say yes if I think there’s enough information available about it to do the work I have in mind.
  ✦ You will assess it using human-factors / safety-engineering analysis techniques.
  ✦ At the end of the course you will turn in a blameless post-mortem report.

33. A what now?
  ✦ What are human-factors / safety engineering analysis techniques?
    ✦ I show you them (with examples) in the assignment description. Which is where?
  ✦ What is a post-mortem?
    ✦ Written record of an incident or event that describes:
      ✦ The incident from end to end (“TIMELINE”)
      ✦ Impacts (internal and external)
      ✦ Actions taken to mitigate or resolve the issues
      ✦ Lessons and follow-ups to prevent the incident from happening again
  ✦ What makes a post-mortem BLAMELESS?
    ✦ It doesn’t seek to point fingers at or punish individuals. It’s a system-wide look at what went wrong and how to not have it go wrong again.

34. We are really good at blame (as a species).
  ✦ Blaming others helps us feel safe. It’s a go-to whenever something goes wrong.
    ✦ It can help us avoid having to examine our own conduct. Which isn’t great, honestly.
  ✦ So it takes us real effort to get out of a blame mindset. Expect this.
    ✦ I encourage you to have classmates read your work to look for where you’re slipping into blame. (I do this routinely in my own research!)
  ✦ We’ll be looking at techniques for this. Promise.

35. Working together
  ✦ I don’t mind if several of you choose the same incident so that you can share the research load. It’s not obligatory, but it’s fine!
    ✦ I’m being explicit about this because some classes don’t allow it.
    ✦ In the Real World™, though, it’s highly unlikely that you’d be working on a post-mortem all by yourself.
  ✦ All your deliverables must be your own individual work, though.
    ✦ However: It’s completely fine (and I encourage you) to seek feedback on your deliverables from classmates, the Writing Center, and/or the Design Lab.
    ✦ JUST NOT GENERATIVE AI, OKAY?

36. I don’t give a flip about citation styles in this class.
  Most workplaces don’t. If you formally cite, you may use whichever style you prefer. For most of your deliverables, a link to the source is enough.

37. How to get started
  ✦ Pick your incident.
  ✦ Start piling up sources that look possibly-useful.
    ✦ You don’t have to read it all thoroughly at first—just make that pile.
    ✦ You CERTAINLY don’t have to understand it all yet! You’ll likely run into plenty of tech-talk and policy-talk you don’t have the background for. That’s perfectly fine. What the course itself doesn’t answer, ask about in class!
    ✦ For now, just FIND INFORMATION… and be able to find it again!
    ✦ ESPECIALLY LOOK FOR AN INCIDENT REPORT.
  ✦ Suggestion: annotated linklist
    ✦ Google Doc, Raindrop, Zotero, whatever.
    ✦ Copy-paste the title. Paste the link.
    ✦ When you get a chance to read it, take what notes seem good to you.

38. About me
  ✦ “Professor Salo” is fine. (I’m not “Dr.” anything.)
  ✦ Librarian (UW-Madison MA/LIS class of 2005!)
    ✦ Which gives me a professional obsession with privacy, which I leveraged into an interest in infosec
  ✦ iSchool instructor since 2007; full-time since 2011
  ✦ Main professional interests: student and library-patron privacy, data/information rescue (from obsolete media) and preservation, scholarly communication, metadata
  ✦ Feral techie, jack-of-all-trades-master-of-none
    ✦ Almost no formal CS or software-engineering education; what I know I mostly picked up from solving problems for myself or others
    ✦ In any tech-ish class I teach, one or more students knows more than I do about something I’m teaching. It’s cool. Often it’s helpful!
  ✦ https://dsalo.info/ and https://speakerdeck.com/dsalo and https://github.com/dsalo

39. My surveillance practices
  ✦ We’ll be looking at Canvas’s surveillance capacity.
    ✦ Because in my informed opinion, SURVEILLANCE IS A THREAT TO INDIVIDUAL SECURITY! The best way I know to drive this home to you is to use Canvas as an example.
  ✦ I owe it to you to tell you how I use it.
    ✦ Mostly I don’t. Assignments aside, I never grade (much less discipline) based on what you do in Canvas or how long you spend doing it. I don’t even LOOK at this except…
    ✦ … if it looks like you’ve GHOSTED ON THE CLASS, I will look at when you last logged in and how much time you’ve spent in the class lately.
    ✦ If it looks like a ghosting, I then email you to ask what’s going on and whether/how I can help. Usually that solves things. If I don’t hear back, I may involve other people (your advisor, McBurney if appropriate, etc).
  ✦ My goal is ALWAYS to get you through the course successfully.

40. My mandatory-reporter responsibilities
  ✦ I am a mandatory reporter under the Clery Act and Title IX.
  ✦ That means that if you tell me about certain actual real-world crimes, I am NOT ALLOWED TO KEEP IT CONFIDENTIAL. I have to report to the U.
    ✦ That includes domestic or dating abuse. Which can include incursions on people’s information security!
    ✦ (This is the way it is to keep the U from trying to sweep campus crime under the rug. I understand that, but I also understand it removes agency from people. There is no perfect solution here.)
  ✦ I don’t have to report anything phrased to me as hypothetical. Just sayin’.

41. UW Cybersecurity Club
  ✦ Exists! And is pretty great!
  ✦ You are all welcome, obviously.
    ✦ https://win.wisc.edu/organization/csec
    ✦ https://www.cybersecurityuw.com/
  ✦ I’ve put a link to the Discord server in Canvas.
    ✦ Discord: a voice and text/web chat application, a bit like Slack crossed with Zoom
    ✦ The club mostly uses chat, not voice.
    ✦ The link times out, so if it doesn’t work, let me know.
  ✦ Disclaimer: I’m one of the club’s faculty advisors.
    ✦ But it’s student-run! I only hang around to cut red tape!
