Infosec training / On phishing tests and deception

For LIS 510 "Human factors in information security"

Dorothea Salo

April 19, 2022
Transcript

  1. A lot of you said “training!” in your “how to make it better” section of your news presentations. I’m about to question that advice.
  2. Why training?
     ✦ The motivation is usually not improving security. Maybe it should be, but it isn’t.
     ✦ The motivation for workplace infosec training is usually COMPLIANCE, legal or standards-based.
     ✦ Legal: if some law constrains an organization to meet minimum security standards, it will usually stipulate some kind of employee training. HIPAA, for example, requires training all employees as part of the hire/onboarding process. GDPR also has training requirements.
     ✦ Standards: PCI, for example, requires documentation of security practices and procedures, including in employee manuals.
     ✦ It may also be cleanup after an incident.
     ✦ With all the hasty ill-considered panicky flailing that implies.
     ✦ And the one-person-messed-up-but-we’re-all-stuck-doing-this problem.
  3. This has implications.
     ✦ Viewed as unimportant check-the-box exercise
     ✦ Including by org-internal infosec folks! They could treat this as an opportunity, but more often they roll their eyes at it.
     ✦ If training is developed internally, it’s often done by people who… don’t teach well.
     ✦ So it’s too techie, or condescending, or communicated ineptly, or…
     ✦ Teaching, like most work, is a set of learned skills not present at birth.
     ✦ If training is outsourced (as it often is), there’s no connection to the local environment.
     ✦ Production values are likely higher, but it’ll be easy to scoff at because the examples will feel farfetched and the systems discussed won’t be familiar (or named according to local practice).
  4. No, really, terminology matters here!
     ✦ Generic, non-localized training will talk about “video-conferencing apps.” Ring a bell?
     ✦ But you know what Zoom is. Of course you do.
     ✦ The jargon problem is exponentially worse with infrastructure most folks don’t think about.
     ✦ Would you have known what a “multi-factor authentication system” was before this class? (If you did, go you!)
     ✦ Training must use “Duo” (or whatever’s actively in use at the org) to be even minimally understood.
     ✦ (There are reasons I rely on UW-Madison examples in this class!)
  5. The eternal 101
     ✦ I have never taken a required infosec training that went anywhere close to the richness and usefulness of the CR Security Planner.
     ✦ It’s always Infosec 101. Passwords, phishing, yawn.
     ✦ While I understand the need to raise the floor, repeated 101-level training does not help people learn more advanced (and useful!) concepts, tools, or behaviors.
     ✦ It sure does teach them to despise infosec, though. How remarkably counterproductive!
     ✦ Moral: let people “place out” of basics
     ✦ e.g. through quizzing them up-front and exempting those who pass
  6. You all now know why because I talked about attacks and attackers in this class. Most people haven’t taken this class, though, or anything like it. They don’t know why.
  7. Without some kind of “why” — ideally in the form of a story — these rules look like pointless arbitrary nitpicking.
  8. I’m not saying I’m a master storyteller or anything, but I’m TOTALLY saying that telling Alice/Bob/Eve stories was a deliberate choice I made. Human beings respond to “why” and to stories about why. Basic human thing! So why doesn’t infosec training tell stories?
  9. Because the current vocational turn in higher education treats storytelling as unimportant “liberal arts” stuff that’s not professionally useful? Yeah, I totally do think that’s part of it. And I think that thinking is MASSIVELY misguided.
  10. Humans tell stories!
     ✦ We learned that already, right? Folk models of security are basically a whisper game, people passing stories around.
     ✦ You all told true stories in your news presentations.
     ✦ I routinely bookmark good infosec stories I can tell in class, or point people to.
     ✦ Plus you all analyzed human-written stories for what they say (rightly or wrongly) about security.
     ✦ You know stories matter. I know stories matter. Take that with you into your lives as citizens, employees, teachers/trainers, and… humans.
  11. TAKE YOUR COMM A AND COMM B COURSES SERIOUSLY, Y’ALL. They’re where you start to learn this kind of thing. A favorite word of mine: KAIROS. Means adapting communication to audience and situation.
  12. Okay, another moral:
     ✦ For all kinds of education and training, not only infosec!
     ✦ MEET PEOPLE WHERE THEY ARE.
     ✦ This is an ideal, of course. Whenever you’re dealing with a lot of people (hi there, y’all!), they’ll be in lots of different places.
     ✦ But you can still be explicit about the audience(s) you’re aiming at, and you can (and should) apologize to everyone else.
     ✦ A much better structure than “lecture, then test” is “check, then teach as needed.”
     ✦ If I were in charge of infosec training, I’d start with a pre-test, divided into modules (“email/phishing,” “passwords,” “BYOD,” etc).
     ✦ Pass a module? You either get to skip that training OR (my preference) you get more advanced content.
     ✦ You view only the 101 modules you actually need to.
  13. This also means knowing people’s practices.
     ✦ As we’ve discussed, people’s approach to many infosec matters falls into known patterns.
     ✦ Infosec training rarely takes that into account.
     ✦ “Choose a strong password!” instead of “Here are common password practices that are easily breached, so don’t:” or even “here’s why the system’s password tester rejects certain kinds of passwords:”
     ✦ “Don’t click on links in emails!” when that’s clearly impractical advice.
     ✦ (I’ve seen “don’t click links!” in UW trainings. UW constantly sends out emails with clickable links. Sigh.)
     ✦ Infosec training rarely if ever starts with ethnographic-style inquiry into the org.
     ✦ It should, though. It sure should.
  14. One size fits no one
     ✦ Typically, everybody in the org gets the same old Infosec 101 training.
     ✦ This completely ignores different behaviors, threats, and risks associated with different roles.
     ✦ Example: As an instructor here, I don’t need to know about infosec in hiring. Not my problem! I don’t do hiring paperwork!
     ✦ Do I need to know how to keep student emails to me secure? Heck yeah I do; if I don’t do that, I risk harm to students and violating federal law (FERPA). Our HR folks also need to know this, because we hire student employees.
     ✦ And because people (wrongly) think that the same old Infosec 101 is everything they ever need to know… they’re vulnerable to role-based attacks.
  15. Focusing too much on tech
     ✦ What use is the strongest password there is, if people aren’t prepared to resist attempts by social engineers to get them to reveal it?
     ✦ PHISHING. Phishing phishing phishing.
     ✦ Did you know that business-email compromise (spearphishing aimed at conning people into various kinds of false payments) is collectively the most expensive infosec fail in the US? Now you do.
     ✦ Yet most Infosec 101 is mostly about tech stuff.
     ✦ This is even worse because social engineering is… actually hard to make boring?!
     ✦ And it sets up a clear us-against-the-world feeling, which is socially useful for infosec folks and the org in general.
     ✦ (Though be careful to discuss insider threat also!)
  16. In fact…
     ✦ … in my experience, it’s a lot easier for people to understand attacks if they first understand attackERS, and their techniques and motives.
     ✦ Would this have a lot to do with the topic sequencing in this course? Yep, you betcha.
     ✦ Use the fluency heuristic (people remember and repeat what they’re familiar with) to help.
     ✦ Get people familiar with an “attacker” persona.
     ✦ Would this be why I teach you Alice/Bob/Eve and use the phrase “garbage human” a lot? Yep, you betcha, at least in part.
     ✦ (Alice/Bob/Eve is common infosec jargon; that’s another reason I use it.)
     ✦ And use real-world case studies (STORIES!), ideally from peer orgs in the same or similar industry.
  17. SHOW REAL PHISH, for pity’s sake! You’re DoIT, you’ve got THOUSANDS of real phish you can show people and talk about the consequences of. Also, IMAGES. People like those!
  18. Ask for help. Like, seriously.
     ✦ Reciprocity and kindness are major forces in interpersonal relations.
     ✦ Instead of “we’re the Smart People telling all y’all peons what to do!”…
     ✦ … try “attackers are everywhere, we need your help to keep them out, please help us!”
     ✦ signed (and ideally written) by an actual human being, not an office
     ✦ Anything that humanizes IT/infosec people is a good idea, honestly.
     ✦ Because, again, people help other PEOPLE.
  19. Dorothea tells the story of the CyberBob/CIO office visit. (or: how a CIO-office employee lost my friendship for good)
  20. 2021 research on infosec training:
     ✦ “[E]mployee perceptions of [training] programs relate to their previously held beliefs about:
     ✦ “cybersecurity threats,
     ✦ “the content and delivery of the training program,
     ✦ “the behaviour of others around them, and
     ✦ “features of their organisation.” (This amounted to the usability of security measures and perceived necessity to work around them… which should sound familiar to you by now!)
     ✦ From:
     ✦ Reeves, Calic, and Delfabbro. “‘Get a red-hot poker and open up my eyes, it's so boring’: Employee perceptions of cybersecurity training.” Computers & Security 106 (2021), https://doi.org/10.1016/j.cose.2021.102281
     ✦ Best article title ever, or best article title EVER?!
  21. What do people believe about infosec threats?
     ✦ We’ve seen a lot of it before. But for the record, here are themes the article found:
     ✦ “I already know all this, or at least enough to make my own decisions!” (Another pitfall of neverending Infosec 101… people have no reason to realize everything they don’t know, because they’re never shown anything beyond the 101 level!)
     ✦ (This is another reason I like Backdoors and Breaches in this class. It gives you a sense of the breadth of infosec knowledge that there is.)
     ✦ “I don’t need to understand this, even if I could! The system needs to handle its own security! Usably!” (Attributed to “younger users.” The pitfall here is that no tech system can fix social engineering attacks.)
     ✦ Password issues. (Including one org where the training recommended a password manager… which the org refused to let employees install or use.)
  22. Content and delivery
     ✦ As we’ve seen: it ain’t great. (I critique UW’s trainings because I genuinely think they’re awful.)
     ✦ People’s mood at training time also matters, unsurprisingly.
     ✦ Misery loves company: group training preferred to individual.
     ✦ I have sympathy! Of course I do. High production values take a lot more time and effort than I have.
     ✦ Add in internationalization and accessibility requirements, and the workload multiplies by… a lot.
     ✦ I don’t have sympathy for:
     ✦ Measures that try to force attention — e.g. online trainings that won’t advance unless they’re the topmost window, video that only plays at 1x speed. Get over yourselves, trainers.
     ✦ Irrelevancies. Again, know the context and work within it!
     ✦ Unexplained or unnecessary jargon. Condescension. Scare tactics.
  23. The behavior of others
     ✦ We’re social animals, we humans. We behave as the others around us behave.
     ✦ In almost all organizations, “the others around us” are not infosec folks!
     ✦ And infosec folks tend to be pretty siloed. Those of you with jobs: do you know who’s securing your org’s systems? By name? I’d be surprised if you did. Who’s the current UW-Madison CISO, for that matter? I don’t think I’ve mentioned…
     ✦ So we enable each other’s poor infosec hygiene.
     ✦ Including spreading misunderstandings and broken mental models.
     ✦ It’s worse if the poor hygienist is our boss. They can demand that we do the wrong thing!
     ✦ Where training conflicts with human social behaviors, training will lose. No question about it.
  24. With one caveat:
     ✦ People bring infosec dilemmas to someone they trust, respect, and believe is knowledgeable.
     ✦ I’ve had it happen a fair bit, with colleagues as well as students.
     ✦ (Hey, I appreciate the trust and respect! I’m kind of proud of this.)
     ✦ For an org that’s serious about security…
     ✦ (rather than treating it as a pointless compliance exercise)
     ✦ … it makes a lot of sense to locate and leverage these people!
     ✦ Could they be involved in training somehow?
     ✦ Can they be recognized for their efforts?
  25. Okay, two caveats:
     ✦ People will use convenient, available, usually informal comms channels to ask infosec questions.
     ✦ They come up not-infrequently on the UW-Madison subreddit.
     ✦ It can make sense to (discreetly and non-creepily) keep an eye on those.
     ✦ Setting up alerts on words (e.g. in a work Slack) may make sense.
     ✦ If there’s an infosec person (or a connector, as before) with very good social judgment and skill at explaining, answering questions or weighing in on situations may be a way to build useful social trust.
     ✦ But the good social judgment is vital!!!! Just horning in on every vaguely-relevant conversation (or worse, posting canned answers) won’t help — in fact, it’ll hurt.
     ✦ (When I was on Reddit, I answered infosec questions on the sub. My answers got upvoted, so my social acumen seems… mostly okay?)
  26. Summing up
     ✦ Infosec training sucks, but it doesn’t have to.
     ✦ Making it not suck involves:
     ✦ taking it seriously, and having goals for it besides compliance
     ✦ not putting people through endless rounds of the same old Infosec 101 stuff; letting those who are ready learn more!
     ✦ understanding and working with local context and human habits
     ✦ offering workable guidance, avoiding unreachable “don’t ever click links in email!” ideals
     ✦ using STORIES, explaining WHY, because that…
     ✦ … helps people build mental models, threat models, etc. without which very little guidance (even when it’s workable) makes sense
     ✦ leveraging and building on org-internal social relationships, partly to hear and answer point-of-need questions
  27. Questions? Ask them! This lecture is copyright 2018 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.
  28. I’ve changed my tune on phishing tests.
     ✦ I used to be just eyerolly about phishing tests.
     ✦ I now think they are unethical, and not only ineffectual, but actively dangerous to an organization’s overall infosec posture.
     ✦ Don’t do them. Don’t pay for them. Protest them.
  29. How people are successfully phished
     ✦ Do they know/recall that phishing is a thing?
     ✦ Research: this is the big stumbling block, actually!
     ✦ Experts and non-experts use most of the same cues to detect phish. Experts, however, always have the possibility of phish in mind.
     ✦ Do they know what to do about it?
     ✦ Is there an easy way to report? Do they know they won’t be punished if they report a false positive? Or report that they fell for a phish?
     ✦ Do they think that reporting a phish actually accomplishes anything?
     ✦ Around here they disappear into a black box. Bad idea — people are curious! Teach them by satisfying their curiosity!
     ✦ Does the phish “hook” them?
     ✦ Urgency, $$$, authority are the Big Three hooks.
  30. What’s good about this
     ✦ Ayça is a human being and a colleague!
     ✦ (She was always the one to send out those emails.)
     ✦ She also has a longstanding reputation for expertise and helpfulness.
     ✦ Point-of-need and point-of-curiosity training
     ✦ Not once-a-year yawnfests
     ✦ Actual real-world example
     ✦ Better yet, one that was going around just then
     ✦ Conversational tone
     ✦ Again, Ayça is writing as a PERSON, not a parrot (stochastic or otherwise).
     ✦ Kairos! Helpful navigation for a lengthy email.
  31. Why phish tests happen
     ✦ Compliance and “cover our butts,” again.
     ✦ Like training, phishing tests are construed as Doing Something.
     ✦ “Number go up” assessment mentality
     ✦ If 90% of employees pass the first phish test and 95% pass the second, NUMBER WENT UP, so everything’s cool in infosecland, right? RIGHT?!
     ✦ Superficial, erroneous “they must be ignorant/stupid” belief about why people fall for phishes
     ✦ If you actually ask people (what a concept, I know!), it’s because they’re overworked and rushed. Or they don’t care, screw IT.
     ✦ Who has time to thoughtfully consider each and every link in an email?! Their boss would just yell at them for being unproductive.
     ✦ Phishing tests cannot fix this root cause!!!!!!!!
  32. The “gotcha” motive
     ✦ A lot of infosec people enjoy puzzles, games, especially in competitive contexts. Nothing necessarily wrong with that, okay?
     ✦ Though I do think it’s a limiter for the broader infosec workforce.
     ✦ It becomes a problem when it turns into the wish to trick/con, embarrass, trash-talk, or laugh at other people. That’s garbage-human territory.
     ✦ Do I think phishing tests happen partly because some infosec folks get their jollies out of feeling superior to others?
     ✦ And build phish tests that give them maximum jollies?
     ✦ Yeah. I do. And that’s a bad, bad problem.
  33. (a digression)
     ✦ My dad was a university professor. Anthropology.
     ✦ He hated his students. HATED. Despised them. Genuinely loved putting trick questions on exams and laughing when his students fell for them.
     ✦ He also used students as pawns in fights with his department.
     ✦ This is horrific pedagogy. When I accidentally ended up teaching, I swore to myself that I would do things differently. I hope I have.
     ✦ It may seem obvious that instructors actually have to want their students to learn, but… my dad never did.
     ✦ … A lot of infosec trainers (infosec people in general, really) remind me of my dad. Not good.
  34. If I just speared you over schadenfreude…
     ✦ … yeah, sorry. I have Feelings about all this.
     ✦ But we all need you to fix your heart, okay?
     ✦ A world where folks are all out to con and laugh at and despise other folks is… not a good world.
     ✦ Also, making people feel special via inviting them to despise others is an enormously common con/grift tactic. Resist it for your OWN sake.
     ✦ It’s possible to change. It’s possible to do and be better. You don’t win by shoving others down.
     ✦ I’ve had to struggle with my own character defects too. I lived through it and did better. If I can, you can.
     ✦ Take joy in other people. Celebrate them!
     ✦ As a teacher/trainer, celebrate their learning.
  35. How phish tests work
     ✦ Internal infosec office or external contractor designs test, including the pretext(s) it will use.
     ✦ Links in the email usually lead to some kind of “you got phished, you big silly! don’t do that!” gotcha/training page.
     ✦ Test is fielded against all employees, with little or no notice beforehand.
     ✦ Here there’s usually some kind of announcement, but it’s buried and easy to miss.
     ✦ Those who fall for the phish are individually identified and reported on.
     ✦ There’ll be an identifier in the link in the fake-phish email, tied to each email address the fake phish is sent to.
  36. Cost in time, productivity, and trust
     ✦ UW-Madison employs over 20,000 people.
     ✦ Imagine that each person spends just one minute considering that fake phish. That’s over 20,000 minutes of work time, or 333 hours.
     ✦ I don’t have an average salary to hand (median would be better anyway), but let’s assume it’s something like $50/hour. That’s $16,650 plus the cost to build and field the test and analyze the results, just for one dang phishing test.
     ✦ Notice that I’m not even counting (re)training time here. It adds up.
     ✦ Nobody likes phish tests. (I actively resent UW System for doing them.) Does your org need more reasons for employees to be mad at it?
  37. Is it worth it?
     ✦ No training or testing has been shown to eliminate successful phishes altogether.
     ✦ Counterintuitively, repeated phishing tests plus non-mandatory training can make people MORE likely to click on real phish.
     ✦ Lain, Kostiainen & Čapkun 2021
     ✦ Why? Not clear, but it seems the affected folks think the “you failed the phish test” page means the org detects and handles phishing…
     ✦ … so they don’t actually have to worry about phish as individuals.
     ✦ In other words, folks completely misunderstood the point of the test! That… doesn’t bode well for their infosec hygiene generally, and it also doesn’t say much for any training they’ve gotten.
  38. Cruel pretexts
     ✦ Money, sometimes life-changing money, aimed at folks who are poor and/or poorly paid
     ✦ Real-life examples: COVID benefits, bonuses, health-care promises, discounts — that didn’t exist.
     ✦ I saw an infosec pro on Twitter point out that the root cause here is actually lousy pay and benefits. That’s absolutely correct; treating people poorly and underpaying them creates a lot of infosec risk.
     ✦ Higher ed: grade- or disciplinary-action-related scare tactics
     ✦ Phishes ostensibly from the [Big] Boss, often designed to make a person think they might be (or get) in trouble
     ✦ I’m waiting for somebody with anxiety to sue under the ADA over this. I am not a lawyer, but I have to think it’d be a workable case.
  39. Defense from phish testers: “But garbage humans are using these tactics to phish!”
     ✦ Yeah. They are.
     ✦ So what does that make you, exactly, O Phish Tester?
     ✦ Look. Infosec is not a get-out-of-garbage-human-stuff-free card. Cruelty is cruelty. Lying is lying.
     ✦ Phish testers deserve every bit of the pushback they get over phishing tests. And more, frankly.
  40. Punishment over phishing-test results
     ✦ It’s happened. It shouldn’t.
     ✦ It’s an absolutely sordid and unethical idea.
     ✦ One reason: phish people often enough, and everyone will eventually click. Yes, pretty much everyone. (Lain, Kostiainen & Čapkun 2021) Different people fall for different pretexts, but everybody’s vulnerable to something.
     ✦ Another reason: disincentivizing reporting, again — if people are afraid to report infosec issues because they fear punishment, incidents are more likely, higher-severity, and longer-lasting.
     ✦ A third: disciplining people you intentionally deceived is just gross. It’s a garbage-humanny, unethical way to treat people.
     ✦ Keep in mind also that people perceive “you failed; go take another training” as punishment.
  41. Public blame-and-shame
     ✦ Are you kidding me?!?!?! I didn’t want to believe this even happens.
     ✦ Management 101: never, ever, EVER shame employees in public.
     ✦ Any conversation involving critique (much less discipline) must be held in private! And kept as confidential as possible!
     ✦ Anything else creates an organizational culture of terror and secrecy over mistakes… which is terrible for the org’s infosec posture.
     ✦ Public shaming is also (one more time!) just an awful way to treat people. It won’t help them learn… but will make them leave!
  42. Lost trust in infosec people
     ✦ You DO NOT want the top association people have with infosec folks to be phishing tests.
     ✦ Like, this is actually super-dangerous!!!!!
     ✦ Will someone who associates infosec with deception and cruelty report infosec problems?
     ✦ Will they do what infosec says?
     ✦ What if it’s mid-incident, and really important that they do?
     ✦ Will they feel morally/ethically justified doing end-runs around those liars in infosec?
     ✦ Will they write off everything infosec-related because “those people are just JERKS”?
  43. Better ideas
     ✦ (mostly from the Lain et al. piece)
     ✦ Make it easy to report suspected phish. Then take people’s reports seriously!
     ✦ It turns out that if reporting is easy enough, people will get in the habit of doing it (habituation for the win, for once!), and won’t get sick of it.
     ✦ Averaged over the organization, these reports are indeed good advance indicators of phishing campaigns. (I think it’s likely possible to improve on this, by evaluating who’s a good phish reporter, then paying extra attention to their reports. Future research!)
     ✦ Positive reinforcement: reward phish-finders!
     ✦ Including those who initially fall for a phish, but report it quickly anyway.
     ✦ Tell them when they detected real phish, so their phish-radar improves.
     ✦ Detect phish technically, and stop delivery.
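An added example (not code from this lecture or from the Lain et al. paper) of what the "Better ideas" slide sketches: pooling employee phish reports across the org, weighting each report by the reporter's track record so a trusted reporter counts for more, and feeding triage verdicts back into that record. The report fields, the reporter-history table, the subject-normalization rule and the alert threshold are all assumptions.

```python
"""Reporter-weighted phish-report aggregation (added example; the data
model, normalization rule and threshold are assumptions, not the paper's)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    reporter: str       # who pressed the "report phish" button
    sender_domain: str  # domain of the reported message's From: header
    subject: str        # subject line of the reported message


def normalize_subject(subject: str) -> str:
    """Collapse near-duplicate subjects so one campaign maps to one key:
    lowercase, replace digit runs with 0, drop punctuation, squash spaces."""
    s = re.sub(r"\d+", "0", subject.lower())
    s = re.sub(r"[^a-z0\s]", "", s)
    return " ".join(s.split())


def reporter_weight(true_positives: int, false_positives: int) -> float:
    """Laplace-smoothed precision of a reporter's past reports.
    No history gives 0.5; a consistently accurate reporter approaches 1.0;
    a habitual false-positive reporter drops toward 0."""
    return (true_positives + 1) / (true_positives + false_positives + 2)


def score_clusters(reports, history):
    """Group reports by (sender domain, normalized subject) and sum the
    weights of the distinct reporters in each group.

    history: {reporter: (true_positives, false_positives)}; reporters
    missing from it are treated as having no history.
    """
    seen = defaultdict(set)  # cluster key -> set of reporters
    for r in reports:
        key = (r.sender_domain.lower(), normalize_subject(r.subject))
        seen[key].add(r.reporter)
    return {
        key: sum(reporter_weight(*history.get(who, (0, 0))) for who in whos)
        for key, whos in seen.items()
    }


def campaign_alerts(reports, history, threshold=1.0):
    """Cluster keys whose weighted score reaches the threshold, highest
    first: the triage queue is ordered by trusted reports, not raw volume,
    which is the 'advance indicator' idea from the slide."""
    scores = score_clusters(reports, history)
    hits = [(k, s) for k, s in scores.items() if s >= threshold]
    return [k for k, _ in sorted(hits, key=lambda ks: -ks[1])]


def record_verdict(history, reporter, was_phish):
    """Feed the triage verdict back into the reporter's track record (and,
    per the slide, tell the reporter, so their phish-radar improves).
    Returns the updated history."""
    tp, fp = history.get(reporter, (0, 0))
    history[reporter] = (tp + 1, fp) if was_phish else (tp, fp + 1)
    return history


# Constructed sample data (not real reporters, domains or messages).
HISTORY = {"alice": (9, 1), "bob": (1, 5)}  # carol has no history yet
REPORTS = [
    Report("alice", "payroll-update.example", "Action required: verify your direct deposit"),
    Report("carol", "Payroll-Update.example", "Action Required: Verify your Direct Deposit!!"),
    Report("bob", "payroll-update.example", "action required verify your direct deposit"),
    Report("bob", "newsletter.example", "Weekly digest #42"),
]
```

With the sample data the payroll cluster scores about 1.58 (three distinct reporters, weighted 0.83 + 0.5 + 0.25) and is alerted, while bob's lone newsletter report scores 0.25 and is not.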
  44. Address root causes
     ✦ Starvation wages and benefits
     ✦ Poor financial controls
     ✦ I cannot get over how long it takes organizations (of all sizes, small to gargantuan) to notice fake invoices!!!!!
     ✦ There are supposed to be PROCESSES for knowing who your vendors are, and that a given invoice is legitimate!
     ✦ Rushed workers, understaffing
     ✦ Crappy systems that get in people’s way and force them to come up with workarounds
     ✦ Jerk bosses, intimidation at work
     ✦ (Notice how only one of these is technological? Yeah. Infosec is about people or it’s garbage.)
  45. Questions? Ask them! This lecture is copyright 2018 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.