Don't just talk about security - do something!

The best way for users to learn security best practices
Security Strategies Alert By M. E. Kabay, Network World
January 22, 2009 12:06 AM ET

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


In the previous article in this two-part series, I reviewed disheartening research commissioned by Cisco showing that in general, our security-awareness efforts don't work. Most people seem to blame poor communications or the obtuseness of users.

In contrast with this standard view of the failure to comply with sensible advice, scientists at Carnegie Mellon University (CMU) have been studying why people fail to follow perfectly good advice on how to avoid phishing scams. Several of their research reports are available on the PhishGuru site. Lorrie Faith Cranor, DSc, associate professor of computer science and also of engineering and public policy at CMU, has also written a popular article on phishing for the December 2008 issue of Scientific American, which discusses how ineffective simply acquiring information has been in changing people’s resistance to phishing attacks. She writes:

“With some of these insights in mind, members of my team, Ponnurangam Kumaraguru, Alessandro Acquisti and others, developed a training system called PhishGuru, which delivers antiphishing information after users have fallen for simulated phishing messages. The program incorporates a set of succinct and actionable messages about phishing into short cartoons, wherein a character named PhishGuru teaches would-be victims how to protect themselves. In a series of studies, we demonstrated that when people read the cartoons after falling for the simulated phishing e-mails that we sent to them, they were much less likely to fall for subsequent attacks. Even a week later our test subjects retained what they had learned. In contrast, those who read the PhishGuru cartoons sent to them by e-mail, without experiencing a simulated attack, were very likely to fall for subsequent attacks.”

In addition to the cartoons, the scientists created an interactive game involving worms (annelids, not computer programs) representing Web sites that a cute little fish can either eat or not. A wise older fish explains the failures and successes in a friendly way. Playing this simple cartoon-based game for a few minutes “makes a significant difference in users’ ability to identify phishing sites. Comparing their performance before and after the training, we saw a drop in the number of false negatives, phishing sites mistakenly deemed to be legitimate, and false positives, legitimate sites judged to be phishing sites. The game players also outperformed participants who trained with a tutorial or with materials from other sources.”

I’m not surprised.

In 1994, I published the first edition of “Totem and Taboo in Cyberspace: Integrating Cyberspace into our Moral Universe”. Based on well-established principles of learning and the psychology of behavior change, I wrote:

“To learn new habits, it is useful to address the conflict directly: acknowledging that the policy will be uncomfortable at first is a good step to making it less uncomfortable. For example, employees should participate in role-playing exercises. First, they can practice refusing access to colleagues who accept the policies graciously, then move on to arguments with less friendly colleagues. Finally they can learn to deal with confrontations with colleagues who pretend to be higher rank and hostile.”

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.


Comments (2)

Active learning
By NoticeBored on January 22, 2009, 4:17 pm
While I completely agree that people generally learn things better if they get actively engaged with the material and/or an enthusiastic teacher (like you Mich!),...


Active Learning
By M. E. Kabay, PhD, CISSP-ISSMP on January 22, 2009, 5:30 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Gary! Nice to hear from you as always. In no sense do I imply that any one learning tool is the ONLY...
