
Security Awareness Training, Influence, and Personality Walk into a Bar…

Explore ways to create security awareness training programs that align employees' personality profiles and influence risks to resist social engineering techniques.


Presentation Transcript


  1. Security Awareness Training, Influence, and Personality Walk into a Bar… Karla Carter | @rptrpn | karla.carter@bellevue.edu

  2. “Social engineering techniques rely on influencing the victim to do something that is against their best interest, but different influence techniques work better on different victims, because everyone has different personalities, strengths and weaknesses. Research has shown a correlation between the five-factor personality measure (“The Big 5”) and cybersecurity behaviors. While it’s impractical to set up personalized security awareness training programs for each individual, it’s possible to create a program that will speak to multiple types of personalities and the influence risks those imply. Come explore ways to help users resist social engineering by designing security awareness training programs that align employees’ risk of influence factors (authority, social proof, scarcity, consistency/commitment, likability, and reciprocation) with their Big 5 personality profiles.”

  3. The audience is expected to participate! (Professor Karla says so)

  4. Warning! The content of this talk is not intended to be prescriptive. Any information presented here should not be used to keep someone out of a cybersecurity role if they truly want to be in cybersecurity…nor should users be let go for being agreeable.

  5. Why? • Personality • Influence • Security Awareness Training

  6. Why do we care?

  7. Verizon Data Breach Investigations Report (DBIR)
  • Nearly half of all incidents involve human factors, i.e. social engineering
  • Most incidents involve human error: social engineering combined with user mistakes (the DBIR's "miscellaneous errors" category)
  • Security awareness training is patching the human

  8. “Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites.” (Ars Technica)

  9. Actual page: http://www.equifax.com/help/data-breach-solutions/

  10. “The hacker compromised the firm’s global email server through an ‘administrator’s account’ that, in theory, gave them privileged, unrestricted ‘access to all areas’. The account required only a single password and did not have ‘two-step’ verification, sources said.”

  11. Personality
  • Traits
  • Behavior = intersection between traits and situational variables
    • Students in a lecture hall sit quietly, regardless of personality
    • Students at a social gathering are likely to show their personality
  • Predictive?
  • Temperament versus personality
    • Temperament is dynamic behavior, e.g. energy, emotionality
    • Personality is content-based, e.g. values, preferences
  • IPIP-NEO aka OCEAN aka Big 5 aka Five-Factor Model (FFM)

  12. IPIP-NEO aka OCEAN aka "Big 5" aka FFM
  • IPIP: International Personality Item Pool – http://ipip.ori.org/
  • NEO: Neuroticism – Extraversion – Openness Inventory ("Big 3") – http://personal.psu.edu/faculty/j/5/j5j/IPIP/ipipneo120.htm
  • Star Wars version (for fun): http://www.celebritytypes.com/star-wars/test.php
  • OCEAN: Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism
  • Each trait is a continuum, not a type
  • Works across cultures
  • The one measure most psychologists can agree on
  • Correlations, not causations

  13. A Note about Conscientiousness…
  • Motivated by different things
    • Higher Conscientiousness = internal motivation
    • Lower Conscientiousness = external motivation: people, deadlines
  • Benefits of lower Conscientiousness
    • Higher life satisfaction outside work; handles unemployment or work setbacks much better
    • Faster to adapt to change; associated with higher creativity
    • Correlated with higher Openness
  • Workplace victim status is highly correlated with higher Conscientiousness

  14. Freed Cybersecurity Professional Study
  • Ms. Freed is an HR specialist with an MS in Industrial-Organizational Psychology
  • "Examination of Personality Characteristics Among Cybersecurity and Information Technology Professionals" by Sarah Freed, March 2014
  • Findings "… indicating the need for specialized training, assessment, and selection procedures for cybersecurity professionals"

  15. Freed Cybersecurity Professional Study – how cybersecurity professionals score
  • Openness – higher
    • Intellect – higher
    • Adventurousness – higher
  • Conscientiousness
    • Dutifulness – higher
    • Cautiousness – higher
  • Extraversion
    • Assertiveness – higher
  • Agreeableness – lower
    • Trust – lower
    • Sympathy – lower
  • Neuroticism
    • Anxiety – higher
    • Vulnerability – lower
    • Self-consciousness – lower

  16. Sample IPIP-NEO report (percentile scores; domain rows in capitals, facet rows indented with "..")

  Domain/Facet............ Score
  OPENNESS TO EXPERIENCE.....88
  ..Imagination..............83
  ..Artistic Interests.......88
  ..Emotionality.............3
  ..Adventurousness..........88
  ..Intellect................91
  ..Liberalism...............78
  --------------------
  CONSCIENTIOUSNESS..........13
  ..Self-Efficacy............34
  ..Orderliness..............2
  ..Dutifulness..............1
  ..Achievement-Striving.....26
  ..Self-Discipline..........33
  ..Cautiousness.............75
  --------------------
  EXTRAVERSION...............29
  ..Friendliness.............14
  ..Gregariousness...........2
  ..Assertiveness............66
  ..Activity Level...........63
  ..Excitement-Seeking.......51
  ..Cheerfulness.............39
  --------------------
  AGREEABLENESS..............0
  ..Trust....................13
  ..Morality.................10
  ..Altruism.................5
  ..Cooperation..............24
  ..Modesty..................7
  ..Sympathy.................11
  --------------------
  NEUROTICISM................38
  ..Anxiety..................76
  ..Anger....................60
  ..Depression...............7
  ..Self-Consciousness.......66
  ..Immoderation.............9
  ..Vulnerability............43

  17. Influence
  • Robert Cialdini, Influence
  • Six principles
    • Reciprocity – "I'll scratch your back…"
    • Commitment and consistency – "It is easier to resist at the beginning than at the end" (attributed to Leonardo da Vinci)
    • Social proof – "monkey see, monkey do"; standing ovations, Amazon ratings
    • Authority – titles and trappings
    • Liking – physical attractiveness, similarity, compliments, cooperation, familiarity
    • Scarcity – "The way to love anything is to realize that it might be lost" (G.K. Chesterton)

  18. Generalizations (research-based): traits associated with susceptibility to each principle
  • Reciprocity – higher Conscientiousness
  • Commitment and consistency – lower Openness, higher Conscientiousness, higher Agreeableness
  • Social proof – lower Openness, higher Neuroticism
  • Authority – men, lower Openness, higher Agreeableness
  • Liking – lower Openness, lower Conscientiousness, higher Agreeableness
  • Scarcity – women

  19. So, then, we just don't hire people with low Openness and high Agreeableness? NO! You train them, using the same trait-linked appeals that make them vulnerable to reach them

  20. Security Awareness Training
  • Security Awareness Maturity Model – Lance Spitzner for SANS Securing the Human
    • Non-Existent – 7.6%
    • Compliance Focused – 27.1%
      • Driven by compliance or audit requirements
      • Annual or ad hoc
      • No attempt to change behavior
      • False sense of security; just as vulnerable as having no program at all
    • Promoting Awareness & Behavior Change – 54.6%
    • Long-Term Sustainment & Culture Change – 9.8%
    • Metrics Framework – 0.85%

  21. Security Awareness Training
  • Over time the investment in cybersecurity tools has gone up, but investment in human awareness has not – usually for lack of people and time
  • Most security experts know the human risks, but don't communicate them in a way that gets heard
    • Not engaging (contrast the CDC's Zombie Apocalypse preparedness campaign: https://www.cdc.gov/phpr/zombie/index.htm)
    • Not in users' terms
    • Too much content at once
    • Focus on "no"
  • Multi-prong approach
    • Play to their personality
    • Let users pick the materials that appeal to them
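The slide-18 associations plus the slide-21 advice to play to personality can be turned into a small triage tool for choosing which training material to put in front of whom. The following is an added example written for this page, not code from the talk: it parses the IPIP-NEO report layout used on slides 16 and 23 (only the five domain rows and the Gender line are used; facet rows are skipped), scores each of Cialdini's six principles by how many of its slide-18 conditions the profile meets, and ranks them. The percentile cut-offs (70 and above counts as "higher", 30 and below as "lower"), the line-format regex, the per-principle lure descriptions, and the sample report are assumptions or constructed data, not from the talk.

```python
"""Rank social-engineering influence risks for one person from a Big 5
(IPIP-NEO) report, using the slide-18 generalizations, and map the top
risks to the lure their training should rehearse first.

Added example for this page, not code from the talk. Assumed: the
"higher"/"lower" cut-offs, the report line format, and the LURE text.
"""
import re
from typing import Any, Dict, List, Tuple

# Slide 18: influence principle -> (trait, direction) associations.
RULES: Dict[str, List[Tuple[str, str]]] = {
    "Reciprocity": [("Conscientiousness", "high")],
    "Commitment and consistency": [("Openness", "low"),
                                   ("Conscientiousness", "high"),
                                   ("Agreeableness", "high")],
    "Social proof": [("Openness", "low"), ("Neuroticism", "high")],
    "Authority": [("Gender", "men"), ("Openness", "low"),
                  ("Agreeableness", "high")],
    "Liking": [("Openness", "low"), ("Conscientiousness", "low"),
               ("Agreeableness", "high")],
    "Scarcity": [("Gender", "women")],
}

# Typical pretext per principle (assumed wording, for picking material).
LURE = {
    "Reciprocity": "a favour or gift first, then the ask",
    "Commitment and consistency": "small agreed step escalated to a bigger one",
    "Social proof": "'everyone in your team has already done this'",
    "Authority": "executive, IT or auditor impersonation",
    "Liking": "rapport, flattery, shared background",
    "Scarcity": "'expires today', 'last chance', manufactured urgency",
}

HIGH, LOW = 70, 30  # assumed percentile cut-offs for "higher" / "lower"

DOMAINS = {
    "OPENNESS TO EXPERIENCE": "Openness",
    "CONSCIENTIOUSNESS": "Conscientiousness",
    "EXTRAVERSION": "Extraversion",
    "AGREEABLENESS": "Agreeableness",
    "NEUROTICISM": "Neuroticism",
}

# Domain row: "NAME....score"; facet row: "..Name....score" (assumed format).
_ROW = re.compile(r"^\s*(?P<facet>\.\.)?(?P<name>[A-Za-z][A-Za-z \-]*?)"
                  r"\.{2,}\s*(?P<score>\d{1,3})\s*$")
_GENDER = re.compile(r"^\s*Gender:\s*(?P<g>[A-Za-z]+)", re.IGNORECASE)

# Constructed sample: domain rows and gender line from the slide-16/23
# report, with a few facet rows to show they are ignored.
SAMPLE_REPORT = """\
Gender: Female
Domain/Facet............ Score
OPENNESS TO EXPERIENCE.....88
..Imagination..............83
..Intellect................91
CONSCIENTIOUSNESS..........13
..Cautiousness.............75
EXTRAVERSION...............29
..Assertiveness............66
AGREEABLENESS..............0
..Trust....................13
NEUROTICISM................38
..Anxiety..................76
"""


def parse_report(text: str) -> Dict[str, Any]:
    """Extract the five domain percentiles and the gender; skip facet rows."""
    profile: Dict[str, Any] = {}
    for line in text.splitlines():
        g = _GENDER.match(line)
        if g:
            profile["Gender"] = g.group("g").capitalize()
            continue
        m = _ROW.match(line)
        if not m or m.group("facet"):
            continue
        domain = DOMAINS.get(m.group("name").strip().upper())
        if domain:
            profile[domain] = int(m.group("score"))
    return profile


def _matches(profile: Dict[str, Any], trait: str, direction: str) -> bool:
    if trait == "Gender":
        g = str(profile.get("Gender", "")).lower()
        wanted = ("male", "man", "m") if direction == "men" else ("female", "woman", "f")
        return g in wanted
    score = profile.get(trait)
    if score is None:
        return False  # unknown domain: no evidence either way
    return score >= HIGH if direction == "high" else score <= LOW


def rank_risks(profile: Dict[str, Any]) -> List[Tuple[str, float, List[str]]]:
    """(principle, fraction of its conditions met, matched conditions),
    strongest first; ties broken alphabetically."""
    out = []
    for principle, conds in RULES.items():
        hits = [f"{t} {d}" for t, d in conds if _matches(profile, t, d)]
        out.append((principle, len(hits) / len(conds), hits))
    out.sort(key=lambda r: (-r[1], r[0]))
    return out


def training_emphasis(profile: Dict[str, Any], top: int = 2) -> List[Tuple[str, str]]:
    """Principles to lead this person's training with, and the lure to rehearse."""
    return [(p, LURE[p]) for p, score, _ in rank_risks(profile)[:top] if score > 0]


if __name__ == "__main__":
    prof = parse_report(SAMPLE_REPORT)
    print(prof)
    for principle, score, hits in rank_risks(prof):
        print(f"{principle:28s} {score:.2f}  {hits}")
    print(training_emphasis(prof))
```

On the slide-16 profile (Openness 88, Conscientiousness 13, Agreeableness 0, female) only Scarcity and Liking score at all, so that person's training would open with urgency-based pretexts and rapport-building pretexts rather than authority impersonation. Because the slide-12 caveat applies (correlations, not causations), treat the ranking as an ordering of content for one person, not as a prediction of who will click.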

  22. [Insert Audience brainstorming Here]

  23. The same sample IPIP-NEO report as slide 16 (Openness 88, Conscientiousness 13, Extraversion 29, Agreeableness 0, Neuroticism 38, with the same facet scores), repeated for the brainstorming exercise with one addition:
  Gender: Female

  24. Questions?

  25. October is National Cybersecurity Awareness Month (NCSAM)!
