Infosec training / On phishing tests and deception

Transcript

1. Infosec training

2. A lot of you said “training!” in your “how to

   make it better” section of your news presentations. I’m about to question that advice.

3. Why training? ✦ The%motivation%is%usually%not%improving%security.% Maybe%it%should%be,%but%it%isn’t.% ✦ The%motivation%for%workplace%infosec%training%is% usually%COMPLIANCE,%legal%or%standards-based.% ✦ Legal:%if%some%law%constrains%an%organization%to%meet%minimum%

   security%standards,%it%will%usually%stipulate%some%kind%of%employee% training.%HIPAA,%for%example,%requires%training%all%employees%as%part%of% the%hire/onboarding%process.%GDPR%also%has%training%requirements.% ✦ Standards:%PCI,%for%example,%requires%documentation%of%security% practices%and%procedures,%including%in%employee%manuals.% ✦ It%may%also%be%cleanup%after%an%incident.% ✦ With%all%the%hasty%ill-considered%panicky%flailing%that%implies.% ✦ And%the%one-person-messed-up-but-we’re-all-stuck-doing-this%problem.

4. This has implications. ✦ Viewed%as%unimportant%check-the-box%exercise% ✦ Including%by%org-internal%infosec%folks!%They%could%treat%this%as%an% opportunity,%but%more%often%they%roll%their%eyes%at%it.% ✦ If%training%is%developed%internally,%it’s%often%done%

   by%people%who…%don’t%teach%well.% ✦ So%it’s%too%techie,%or%condescending,%or%communicated%ineptly,%or…% ✦ Teaching,%like%most%work,%is%a%set%of%learned%skills%not%present%at%birth.% ✦ If%training%is%outsourced%(as%it%often%is),%there’s%no% connection%to%the%local%environment.% ✦ Production%values%are%likely%higher,%but%it’ll%be%easy%to%scoff%at%because% the%examples%will%feel%farfetched%and%the%systems%discussed%won’t%be% familiar%(or%named%according%to%local%practice).

5. No, really, terminology matters here! ✦ Generic,%non-localized%training%will%talk%about% “video-conferencing%apps.”%Ring%a%bell?% ✦ But%you%know%what%Zoom%is.%Of%course%you%do.%

   ✦ The%jargon%problem%is%exponentially%worse%with% infrastructure%most%folks%don’t%think%about.% ✦ Would%you%have%known%what%a%“multi-factor%authentication%system”% was%before%this%class?%(If%you%did,%go%you!)% ✦ Training%must%use%“Duo”%(or%whatever’s%actively%in%use%at%the%org)%to% be%even%minimally%understood.% ✦ (There%are%reasons%I%rely%on%UW-Madison%examples%in%this%class!)

6. The eternal 101 ✦ I%have%never%taken%a%required%infosec%training%that% went%anywhere%close%to%the%richness%and%usefulness% of%the%CR%Security%Planner.% ✦ It’s%always%Infosec%101.%Passwords,%phishing,%yawn.% ✦

   While%I%understand%the%need%to%raise%the%floor,% repeated%101-level%training%does%not%help%people% learn%more%advanced%(and%useful!)%concepts,%tools,% or%behaviors.% ✦ It%sure%does%teach%them%to%despise%infosec,%though.% How%remarkably%counterproductive!% ✦ Moral:%let%people%“place%out”%of%basics% ✦ e.g.%through%quizzing%them%up-front%and%exempting%those%who%pass
7. None

8. Decontextualized rules

9. Why? Why are these rules important? Why are these even

   the rules?

10. You all now know why because I talked about attacks

    and attackers in this class. Most people haven’t taken this class, though, or anything like it. They don’t know why.

11. Without some kind of “why” — ideally in the form

    of a story — these rules look like pointless arbitrary nitpicking.

12. I’m not saying I’m a master storyteller or anything, but

    I’m TOTALLY saying that telling Alice/Bob/Eve stories was a deliberate choice I made. Human beings respond to “why” and to stories about why. Basic human thing! So why doesn’t infosec training tell stories?

13. Because the current vocational turn in higher education treats storytelling

    as unimportant “liberal arts” stuff that’s not professionally useful? Yeah, I totally do think that’s part of it. And I think that thinking is MASSIVELY misguided.

14. Humans tell stories! ✦ We%learned%that%already,%right?%Folk%models%of% security%are%basically%a%whisper%game,%people% passing%stories%around.% ✦ You%all%told%true%stories%in%your%news% presentations.%

    ✦ I%routinely%bookmark%good%infosec%stories%I%can%tell%in%class,%or%point% people%to.% ✦ Plus%you%all%analyzed%human-written%stories%for% what%they%say%(rightly%or%wrongly)%about%security.% ✦ You%know%stories%matter.%I%know%stories%matter.% Take%that%with%you%into%your%lives%as%citizens,% employees,%teachers/trainers,%and…%humans.

15. TAKE YOUR COMM A AND COMM B COURSES SERIOUSLY, Y’ALL.

    They’re where you start to learn this kind of thing. A favorite word of mine: KAIROS. Means adapting communication to audience and situation.

16. Okay, another moral: ✦ For%all%kinds%of%education%and%training,%not%only%infosec!% ✦ MEET%PEOPLE%WHERE%THEY%ARE.% ✦ This%is%an%ideal,%of%course.%Whenever%you’re%dealing%with%a%lot%of% people%(hi%there,%y’all!),%they’ll%be%in%lots%of%different%places.%

    ✦ But%you%can%still%be%explicit%about%the%audience(s)%you’re%aiming%at,% and%you%can%(and%should)%apologize%to%everyone%else.% ✦ A%much%better%structure%than%“lecture,%then%test”% is%“check,%then%teach%as%needed.”% ✦ If%I%were%in%charge%of%infosec%training,%I’d%start%with%a%pre-test,%divided% into%modules%(“email/phishing,”%“passwords,”%“BYOD,”%etc).% ✦ Pass%a%module?%You%either%get%to%skip%that%training%OR%(my% preference)%you%get%more%advanced%content.% ✦ You%view%only%the%101%modules%you%actually%need%to.

17. This also means knowing people’s practices. ✦ As%we’ve%discussed,%people’s%approach%to%many% infosec%matters%falls%into%known%patterns.% ✦

    Infosec%training%rarely%takes%that%into%account.% ✦ “Choose%a%strong%password!”%instead%of%“Here%are%common%password% practices%that%are%easily%breached,%so%don’t:”%or%even%“here’s%why%the% system’s%password%tester%rejects%certain%kinds%of%passwords:”% ✦ “Don’t%click%on%links%in%emails!”%when%that’s%clearly%impractical%advice.% ✦ (I’ve%seen%“don’t%click%links!”%in%UW%trainings.%UW%constantly%sends% out%emails%with%clickable%links.%Sigh.)% ✦ Infosec%training%rarely%if%ever%starts%with% ethnographic-style%inquiry%into%the%org.% ✦ It%should,%though.%It%sure%should.

18. One size fits no one ✦ Typically,%everybody%in%the%org%gets%the%same%old% Infosec%101%training.% ✦ This%completely%ignores%different%behaviors,%

    threats,%and%risks%associated%with%different%roles.% ✦ Example:%As%an%instructor%here,%I%don’t%need%to%know%about%infosec%in% hiring.%Not%my%problem!%I%don’t%do%hiring%paperwork!% ✦ Do%I%need%to%know%how%to%keep%student%emails%to%me%secure?%Heck% yeah%I%do;%if%I%don’t%do%that,%I%risk%harm%to%students%and%violating% federal%law%(FERPA).%Our%HR%folks%also%need%to%know%this,%because%we% hire%student%employees.% ✦ And%because%people%(wrongly)%think%that%the%same% old%Infosec%101%is%everything%they%ever%need%to% know…%they’re%vulnerable%to%role-based%attacks.

19. Focusing too much on tech ✦ What%use%is%the%strongest%password%there%is,%if% people%aren’t%prepared%to%resist%attempts%by%social% engineers%to%get%them%to%reveal%it?% ✦

    PHISHING.%Phishing%phishing%phishing.% ✦ Did%you%know%that%business-email%compromise%(spearphishing%aimed% at%conning%people%into%various%kinds%of%false%payments)%is%collectively% the%most%expensive%infosec%fail%in%the%US?%Now%you%do.% ✦ Yet%most%Infosec%101%is%mostly%about%tech%stuff.% ✦ This%is%even%worse%because%social%engineering%is…% actually%hard%to%make%boring?!% ✦ And%it%sets%up%a%clear%us-against-the-world%feeling,%which%is%socially% useful%for%infosec%folks%and%the%org%in%general.% ✦ (Though%be%careful%to%discuss%insider%threat%also!)

20. In fact… ✦ …%in%my%experience,%it’s%a%lot%easier%for%people%to% understand%attacks%if%they%first%understand% attackERS,%and%their%techniques%and%motives.% ✦ Would%this%have%a%lot%to%do%with%the%topic%sequencing%in%this%course?% Yep,%you%betcha.% ✦

    Use%the%fluency%heuristic%(people%remember%and% repeat%what%they’re%familiar%with)%to%help.% ✦ Get%people%familiar%with%an%“attacker”%persona.% ✦ Would%this%be%why%I%teach%you%Alice/Bob/Eve%and%use%the%phrase% “garbage%human”%a%lot?%Yep,%you%betcha,%at%least%in%part.% ✦ (Alice/Bob/Eve%is%common%infosec%jargon;%that’s%another%reason%I%use%it.)% ✦ And%use%real-world%case%studies%(STORIES!),%ideally% from%peer%orgs%in%the%same%or%similar%industry.

21. Hard to make boring… but not impossible

22. SHOW REAL PHISH, for pity’s sake! You’re DoIT, you’ve got

    THOUSANDS of real phish you can show people and talk about the consequences of. Also, IMAGES. People like those!

23. Ask for help. Like, seriously. ✦ Reciprocity%and%kindness%are%major%forces%in% interpersonal%relations.% ✦ Instead%of%“we’re%the%Smart%People%telling%all%y’all%

    peons%what%to%do!”…% ✦ …%try%“attackers%are%everywhere,%we%need%your% help%to%keep%them%out,%please%help%us!”% ✦ signed%(and%ideally%written)%by%an%actual%human%being,%not%an%office% ✦ Anything%that%humanizes%IT/infosec%people%is%a% good%idea,%honestly.% ✦ Because,%again,%people%help%other%PEOPLE.

24. Dorothea tells the story of the CyberBob/CIO office visit. (or:

    how a CIO-office employee lost my friendship for good)

25. 2021 research on infosec training: ✦ “[E]mployee%perceptions%of%[training]%programs% relate%to%their%previously%held%beliefs%about:% ✦ “cybersecurity%threats,%

    ✦ “the%content%and%delivery%of%the%training%program,% ✦ “the%behaviour%of%others%around%them,%and% ✦ “features%of%their%organisation.”%(This%amounted%to%the%usability%of% security%measures%and%perceived%necessity%to%work%around%them…% which%should%sound%familiar%to%you%by%now!)% ✦ From: ✦ Reeves,%Calic,%and%Delfabbro.%“‘Get%a%red-hot%poker%and%open%up%my% eyes,%it's%so%boring’:%Employee%perceptions%of%cybersecurity%training”% Computers%&%Security%106%(2021),%https://doi.org/10.1016/ j.cose.2021.102281% ✦ Best%article%title%ever,%or%best%article%title%EVER?!

26. What do people believe about infosec threats? ✦ We’ve%seen%a%lot%of%it%before.%But%for%the%record,% here%are%themes%the%article%found:%

    ✦ “I%already%know%all%this,%or%at%least%enough%to%make%my%own% decisions!”%(Another%pitfall%of%neverending%Infosec%101…%people%have% no%reason%to%realize%everything%they%don’t%know,%because%they’re% never%shown%anything%beyond%the%101%level!)% ✦ (This%is%another%reason%I%like%Backdoors%and%Breaches%in%this%class.%It% gives%you%a%sense%of%the%breadth%of%infosec%knowledge%that%there%is.)% ✦ “I%don’t%need%to%understand%this,%even%if%I%could!%The%system%needs%to% handle%its%own%security!%Usably!”%(Attributed%to%“younger%users.”%The% pitfall%here%is%that%no%tech%system%can%fix%social%engineering%attacks.)% ✦ Password%issues.%(Including%one%org%where%the%training%recommended% a%password%manager…%which%the%org%refused%to%let%employees%install% or%use.)

27. Content and delivery ✦ As%we’ve%seen:%it%ain’t%great.%(I%critique%UW’s%trainings% because%I%genuinely%think%they’re%awful.)% ✦ People’s%mood%at%training%time%also%matters,%unsurprisingly.% ✦ Misery%loves%company:%group%training%preferred%to%individual.%

    ✦ I%have%sympathy!%Of%course%I%do.%High%production% values%take%a%lot%more%time%and%effort%than%I%have.% ✦ Add%in%internationalization%and%accessibility%requirements,%and%the% workload%multiplies%by…%a%lot.% ✦ I%don’t%have%sympathy%for:% ✦ Measures%that%try%to%force%attention%—%e.g.%online%trainings%that%won’t% advance%unless%they’re%the%topmost%window,%video%that%only%plays%at%1x% speed.%Get%over%yourselves,%trainers.% ✦ Irrelevancies.%Again,%know%the%context%and%work%within%it!% ✦ Unexplained%or%unnecessary%jargon.%Condescension.%Scare%tactics.

28. The behavior of others ✦ We’re%social%animals,%we%humans.%We%behave%as%the% others%around%us%behave.% ✦ In%almost%all%organizations,%“the%others%around%us”% are%not%infosec%folks!%

    ✦ And%infosec%folks%tend%to%be%pretty%siloed.%Those%of%you%with%jobs:%do%you% know%who’s%securing%your%org’s%systems?%By%name?%I’d%be%surprised%if%you% did.%Who’s%the%current%UW-Madison%CISO,%for%that%matter?%I%don’t%think% I’ve%mentioned…% ✦ So%we%enable%each%others’%poor%infosec%hygiene.% ✦ Including%spreading%misunderstandings%and%broken%mental%models.% ✦ It’s%worse%if%the%poor%hygienist%is%our%boss.%They%can% demand%that%we%do%the%wrong%thing!% ✦ Where%training%conflicts%with%human%social% behaviors,%training%will%lose.%No%question%about%it.

29. With one caveat: ✦ People%bring%infosec%dilemmas%to%someone%they% trust,%respect,%and%believe%is%knowledgeable.% ✦ I’ve%had%it%happen%a%fair%bit,%with%colleagues%as%well%as%students.% ✦ (Hey,%I%appreciate%the%trust%and%respect!%I’m%kind%of%proud%of%this.)%

    ✦ For%an%org%that’s%serious%about%security…% ✦ (rather%than%treating%it%as%a%pointless%compliance%exercise)% ✦ …%it%makes%a%lot%of%sense%to%locate%and%leverage% these%people!% ✦ Could%they%be%involved%in%training%somehow?% ✦ Can%they%be%recognized%for%their%efforts?

30. Okay, two caveats: ✦ People%will%use%convenient,%available,%usually% informal%comms%channels%to%ask%infosec%questions.% ✦ They%come%up%not-infrequently%on%the%UW-Madison%subreddit.% ✦ It%can%make%sense%to%(discreetly%and%non-creepily)%

    keep%an%eye%on%those.% ✦ Setting%up%alerts%on%words%(e.g.%in%a%work%Slack)%may%make%sense.% ✦ If%there’s%an%infosec%person%(or%a%connector,%as%before)%with%very%good% social%judgment%and%skill%at%explaining,%answering%questions%or%weighing% in%on%situations%may%be%a%way%to%build%useful%social%trust.% ✦ But%the%good%social%judgment%is%vital!!!!%Just%horning%in%on%every% vaguely-relevant%conversation%(or%worse,%posting%canned%answers)%won’t% help%—%in%fact,%it’ll%hurt.% ✦ (When%I%was%on%Reddit,%I%answered%infosec%questions%on%the%sub.%My% answers%got%upvoted,%so%my%social%acumen%seems…%mostly%okay?)

31. Summing up ✦ Infosec%training%sucks,%but%it%doesn’t%have%to.% ✦ Making%it%not%suck%involves:% ✦ taking%it%seriously,%and%having%goals%for%it%besides%compliance% ✦ not%putting%people%through%endless%rounds%of%the%same%old%Infosec%

    101%stuff;%letting%those%who%are%ready%learn%more!% ✦ understanding%and%working%with%local%context%and%human%habits% ✦ offering%workable%guidance,%avoiding%unreachable%“don’t%ever%click% links%in%email!”%ideals% ✦ using%STORIES,%explaining%WHY,%because%that…% ✦ …%helps%people%build%mental%models,%threat%models,%etc.%without% which%very%little%guidance%(even%when%it’s%workable)%makes%sense% ✦ leveraging%and%building%on%org-internal%social%relationships,%partly%to% hear%and%answer%point-of-need%questions

32. Questions? Ask them! This lecture is copyright 2018 by Dorothea

    Salo. It is available under a Creative Commons Attribution 4.0 International license.

33. On phishing tests and deception LIS 510

34. I’ve changed my tune on phishing tests. ✦ I%used%to%be%just%eyerolly%about%phishing%tests.% ✦

    I%now%think%they%are%unethical,%and%not%only% ineffectual,%but%actively%dangerous%to%an% organization’s%overall%infosec%posture.% ✦ Don’t%do%them.%Don’t%pay%for%them.%Protest%them.

35. How people are successfully phished ✦ Do%they%know/recall%that%phishing%is%a%thing?% ✦ Research:%this%is%the%big%stumbling%block,%actually!% ✦

    Experts%and%non-experts%use%most%of%the%same%cues%to%detect%phish.% Experts,%however,%always%have%the%possibility%of%phish%in%mind.% ✦ Do%they%know%what%to%do%about%it?% ✦ Is%there%an%easy%way%to%report?%Do%they%know%they%won’t%be%punished%if% they%report%a%false%positive?%Or%report%that%they%fell%for%a%phish?% ✦ Do%they%think%that%reporting%a%phish%actually% accomplishes%anything?% ✦ Around%here%they%disappear%into%a%black%box.%Bad%idea%—%people%are% curious!%Teach%them%by%satisfying%their%curiosity!% ✦ Does%the%phish%“hook”%them?% ✦ Urgency,%$$$,%authority%are%the%Big%Three%hooks.

36. Handling phishing right: UW-Madison’s library-IT folks (for%the%record,%I%got%Ayça’s%permission%to%show%you%her%email)%

37. What’s good about this ✦ Ayça%is%a%human%being%and%a%colleague!% ✦ (She%was%always%the%one%to%send%out%those%emails.)% ✦ She%also%has%a%longstanding%reputation%for%expertise%and%helpfulness.%

    ✦ Point-of-need%and%point-of-curiosity%training% ✦ Not%once-a-year%yawnfests% ✦ Actual%real-world%example% ✦ Better%yet,%one%that%was%going%around%just%then% ✦ Conversational%tone% ✦ Again,%Ayça%is%writing%as%a%PERSON,%not%a%parrot%(stochastic%or% otherwise).% ✦ Kairos!%Helpful%navigation%for%a%lengthy%email.

38. Why phish tests happen ✦ Compliance%and%“cover%our%butts,”%again.% ✦ Like%training,%phishing%tests%are%construed%as%Doing%Something.% ✦ “Number%go%up”%assessment%mentality%

    ✦ If%90%%of%employees%pass%the%first%phish%test%and%95%%pass%the% second,%NUMBER%WENT%UP,%so%everything’s%cool%in%infosecland,% right?%RIGHT?!% ✦ Superficial,%erroneous%“they%must%be%ignorant/ stupid”%belief%about%why%people%fall%for%phishes% ✦ If%you%actually%ask%people%(what%a%concept,%I%know!),%it’s%because% they’re%overworked%and%rushed.%Or%they%don’t%care,%screw%IT.% ✦ Who%has%time%to%thoughtfully%consider%each%and%every%link%in%an% email?!%Their%boss%would%just%yell%at%them%for%being%unproductive.% ✦ Phishing%tests%cannot%fix%this%root%cause!!!!!!!!

39. The “gotcha” motive ✦ A%lot%of%infosec%people%enjoy%puzzles,%games,% especially%in%competitive%contexts.%Nothing% necessarily%wrong%with%that,%okay?% ✦ Though%I%do%think%it’s%a%limiter%for%the%broader%infosec%workforce.% ✦

    It%becomes%a%problem%when%it%turns%into%the%wish% to%trick/con,%embarrass,%trash-talk,%or%laugh%at% other%people.%That’s%garbage-human%territory.% ✦ Do%I%think%phishing%tests%happen%partly%because% some%infosec%folks%get%their%jollies%out%of%feeling% superior%to%others?% ✦ And%build%phish%tests%that%give%them%maximum%jollies?% ✦ Yeah.%I%do.%And%that’s%a%bad,%bad%problem.

40. (a digression) ✦ My%dad%was%a%university%professor.%Anthropology.% ✦ He%hated%his%students.%HATED.%Despised%them.% Genuinely%loved%putting%trick%questions%on%exams% and%laughing%when%his%students%fell%for%them.% ✦ He%also%used%students%as%pawns%in%fights%with%his%department.%

    ✦ This%is%horrific%pedagogy.%When%I%accidentally% ended%up%teaching,%I%swore%to%myself%that%I%would% do%things%differently.%I%hope%I%have.% ✦ It%may%seem%obvious%that%instructors%actually%have%to%want%their% students%to%learn,%but…%my%dad%never%did.% ✦ …%A%lot%of%infosec%trainers%(infosec%people%in% general,%really)%remind%me%of%my%dad.%Not%good.

41. If I just speared you over schadenfreude… ✦ …%yeah,%sorry.%I%have%Feelings%about%all%this.% ✦

    But%we%all%need%you%to%fix%your%heart,%okay?% ✦ A%world%where%folks%are%all%out%to%con%and%laugh% at%and%despise%other%folks%is…%not%a%good%world.% ✦ Also,%making%people%feel%special%via%inviting%them%to%despise%others%is% an%enormously%common%con/grift%tactic.%Resist%it%for%your%OWN%sake.% ✦ It’s%possible%to%change.%It’s%possible%to%do%and%be% better.%You%don’t%win%by%shoving%others%down.% ✦ I’ve%had%to%struggle%with%my%own%character%defects%too.%I%lived% through%it%and%did%better.%If%I%can,%you%can.% ✦ Take%joy%in%other%people.%Celebrate%them!% ✦ As%a%teacher/trainer,%celebrate%their%learning.

42. Randall Munroe, “Ten Thousand” https://xkcd.com/1053/ CC-BY-NC

43. How phish tests work ✦ Internal%infosec%office%or%external%contractor% designs%test,%including%the%pretext(s)%it%will%use.% ✦ Links%in%the%email%usually%lead%to%some%kind%of%“you%got%phished,%you% big%silly!%don’t%do%that!”%gotcha/training%page.%

    ✦ Test%is%fielded%against%all%employees,%with%little%or% no%notice%beforehand.% ✦ Here%there’s%usually%some%kind%of%announcement,%but%it’s%buried%and% easy%to%miss.% ✦ Those%who%fall%for%the%phish%are%individually% identified%and%reported%on.% ✦ There’ll%be%an%identifier%in%the%link%in%the%fake-phish%email,%tied%to% each%email%address%the%fake%phish%is%sent%to.

44. Cost in time, productivity, and trust ✦ UW-Madison%employs%over%20,000%people.% ✦ Imagine%that%each%person%spends%just%one%minute%

    considering%that%fake%phish.%That’s%over%20,000% minutes%of%work%time,%or%333%hours.% ✦ I%don’t%have%an%average%salary%to%hand%(median%would%be%better% anyway),%but%let’s%assume%it’s%something%like%$50/hour.%That’s%$16,650% plus%the%cost%to%build%and%field%the%test%and%analyze%the%results,%just% for%one%dang%phishing%test.% ✦ Notice%that%I’m%not%even%counting%(re)training%time%here.%It%adds%up.% ✦ Nobody%likes%phish%tests.%(I%actively%resent%UW% System%for%doing%them.)%Does%your%org%need% more%reasons%for%employees%to%be%mad%at%it?

45. Is it worth it? ✦ No%training%or%testing%has%been%shown%to% eliminate%successful%phishes%altogether.% ✦ Counterintuitively,%repeated%phishing%tests%plus% non-mandatory%training%can%make%people%MORE%

    likely%to%click%on%real%phish.% ✦ Lain,%Kostiainen%&%Čapkun%2021% ✦ Why?%Not%clear,%but%it%seems%the%affected%folks%think%the%“you%failed% the%phish%test”%page%means%the%org%detects%and%handles%phishing…% ✦ …%so%they%don’t%actually%have%to%worry%about%phish%as%individuals.% ✦ In%other%words,%folks%completely%misunderstood%the%point%of%the%test!% That…%doesn’t%bode%well%for%their%infosec%hygiene%generally,%and%it% also%doesn’t%say%much%for%any%training%they’ve%gotten.

46. Cruel pretexts ✦ Money,%sometimes%life-changing%money,%aimed%at% folks%who%are%poor%and/or%poorly%paid% ✦ Real-life%examples:%COVID%benefits,%bonuses,%health-care%promises,% discounts%—%that%didn’t%exist.% ✦ I%saw%an%infosec%pro%on%Twitter%point%out%that%the%root%cause%here%is%

    actually%lousy%pay%and%benefits.%That’s%absolutely%correct;%treating%people% poorly%and%underpaying%them%creates%a%lot%of%infosec%risk.% ✦ Higher%ed:%grade-%or%disciplinary-action-related%scare% tactics% ✦ Phishes%ostensibly%from%the%[Big]%Boss,%often% designed%to%make%person%think%they%might%be%(or%get)% in%trouble% ✦ I’m%waiting%for%somebody%with%anxiety%to%sue%under%the%ADA%over%this.%I% am%not%a%lawyer,%but%I%have%to%think%it’d%be%a%workable%case.

47. Seriously don’t do this. It’s evil.

48. Defense from phish testers: “But garbage humans are using these

    tactics to phish!” ✦ Yeah.%They%are.% ✦ So%what%does%that%make%you,%exactly,%O%Phish% Tester?% ✦ Look.%Infosec%is%not%a%get-out-of-garbage-human- stuff-free%card.%Cruelty%is%cruelty.%Lying%is%lying.% ✦ Phish%testers%deserve%every%bit%of%the%pushback% they%get%over%phishing%tests.%And%more,%frankly.

49. Punishment over phishing-test results ✦ It’s%happened.%It%shouldn’t.% ✦ It’s%an%absolutely%sordid%and%unethical%idea.% ✦ One%reason:%phish%people%often%enough,%and%everyone%will%eventually%

    click.%Yes,%pretty%much%everyone.%(Lain,%Kostiainen%&%Čapkun%2021)% Different%people%fall%for%different%pretexts,%but%everybody’s%vulnerable% to%something.% ✦ Another%reason:%disincentivizing%reporting,%again%—%if%people%are% afraid%to%report%infosec%issues%because%they%fear%punishment,% incidents%are%more%likely,%higher-severity,%and%longer-lasting.% ✦ A%third:%disciplining%people%you%intentionally%deceived%is%just%gross.% It’s%a%garbage-humanny,%unethical%way%to%treat%people.% ✦ Keep%in%mind%also%that%people%perceive%“you% failed;%go%take%another%training”%as%punishment.

50. Public blame-and-shame ✦ Are%you%kidding%me?!?!?!%I%didn’t%want%to%believe% this%even%happens.% ✦ Management%101:%never,%ever,%EVER%shame% employees%in%public.% ✦ Any%conversation%involving%critique%(much%less%discipline)%must%be%

    held%in%private!%And%kept%as%confidential%as%possible!% ✦ Anything%else%creates%an%organizational%culture%of%terror%and%secrecy% over%mistakes…%which%is%terrible%for%the%org’s%infosec%posture.% ✦ Public%shaming%is%also%(one%more%time!)%just%an% awful%way%to%treat%people.%It%won’t%help%them% learn…%but%will%make%them%leave!

51. Lost trust in infosec people ✦ You%DO%NOT%want%the%top%association%people% have%with%infosec%folks%to%be%phishing%tests.% ✦ Like,%this%is%actually%super-dangerous!!!!!%

    ✦ Will%someone%who%associates%infosec%with% deception%and%cruelty%report%infosec%problems?% ✦ Will%they%do%what%infosec%says?%% ✦ What%if%it’s%mid-incident,%and%really%important%that%they%do?% ✦ Will%they%feel%morally/ethically%justified%doing% end-runs%around%those%liars%in%infosec?% ✦ Will%they%write%off%everything%infosec-related% because%“those%people%are%just%JERKS”?

52. Malicious “compliance” and lost productivity

53. Better ideas ✦ (mostly%from%the%Lain%et%al.%piece)% ✦ Make%it%easy%to%report%suspected%phish.%Then%take% people’s%reports%seriously!% ✦ It%turns%out%that%if%reporting%is%easy%enough,%people%will%get%in%the%habit% of%doing%it%(habituation%for%the%win,%for%once!),%and%won’t%get%sick%of%it.%

    ✦ Averaged%over%the%organization,%these%reports%are%indeed%good%advance% indicators%of%phishing%campaigns.%(I%think%it’s%likely%possible%to%improve% on%this,%by%evaluating%who’s%a%good%phish%reporter,%then%paying%extra% attention%to%their%reports.%Future%research!)% ✦ Positive%reinforcement:%reward%phish-finders!% ✦ Including%those%who%initially%fall%for%a%phish,%but%report%it%quickly%anyway.% ✦ Tell%them%when%they%detected%real%phish,%so%their%phish-radar%improves.% ✦ Detect%phish%technically,%and%stop%delivery.

54. Address root causes ✦ Starvation%wages%and%benefits% ✦ Poor%financial%controls% ✦ I%cannot%get%over%how%long%it%takes%organizations%(of%all%sizes,%small%to% gargantuan)%to%notice%fake%invoices!!!!!%%

    ✦ There%are%supposed%to%be%PROCESSES%for%knowing%who%your%vendors% are,%and%that%a%given%invoice%is%legitimate!% ✦ Rushed%workers,%understaffing% ✦ Crappy%systems%that%get%in%people’s%way%and%force% them%to%come%up%with%workarounds% ✦ Jerk%bosses,%intimidation%at%work% ✦ (Notice%how%only%one%of%these%is%technological?% Yeah.%Infosec%is%about%people%or%it’s%garbage.)

55. Questions? Ask them! This lecture is copyright 2018 by Dorothea

    Salo. It is available under a Creative Commons Attribution 4.0 International license.