LIS 510 "Human Factors in Information Security" course introduction

Dorothea Salo

August 28, 2023

  1. What is this course for?
     ✦ Your self-protection, and helping you contribute to a safer, more secure world for everyone
     ✦ For some of you, a light on possible career paths
     ✦ A lot of communication and workplace practice!
     ✦ This is the major motive behind course assignments.
     ✦ Work-appropriate communication styles have to be learnt; they are very different from academic communication. I will steep you in the differences! (I will also try to teach you how best to communicate around tricky subjects—like errors and blame.)
     ✦ Infosec has its own communication genres: bug/vulnerability reports, incident reports, training materials… so I’ll be acquainting you with those. It won’t be enough! But at least they won’t come as a surprise.
  2. Corollaries
     ✦ Infosec is about people because it has to be.
     ✦ There is no such thing as a technological system completely devoid of people.
     ✦ People design systems.
     ✦ People build them.
     ✦ People use them — and by using them, become part of them!
     ✦ People abuse them, often to harm other people.
     ✦ The people parts of systems work differently from the tech parts. We’re not technologies!
     ✦ You can’t always use tech to fix human behavior. We’ll see some reasons why not.
  3. Questions we’ll (start to) answer in this course
     ✦ What IS IT with people? Why are we (as a species) so bad at security?
     ✦ Spoiler: the answers have little or nothing to do with intelligence.
     ✦ Why do we make the security decisions we do?
     ✦ Where do we learn bad practices? How can we make better decisions?
     ✦ How can we make it easier for everyone to make better decisions?
     ✦ Can we make people who don’t give a 💩 about the impact of their 💩-y practices on everybody else’s security… actually give a 💩?
     ✦ Who’s out to ruin our security, why, and how?
     ✦ The answers to this one are legion, and some will surprise you.
     ✦ How do the human and organizational processes around security work, in the Real World™?
  4. Students who take 510…
     ✦ … typically come in a few different flavors.
     ✦ MA/LIS students, interested in privacy and/or information/data governance
     ✦ MS/Info students: often responsible for securing data or systems
     ✦ CS/SE, iSci, or Digital Studies undergrads interested in infosec careers
     ✦ B-school students, often interested in risk management
     ✦ (None of these may apply to you — and if so, GREAT! Welcome!)
     ✦ If one of these is you, here is what I have for you!
     ✦ MA/LIS, MS/Info folks: a little technology, a fair amount of pragmatic big-picture knowledge
     ✦ CS/SE, iSci folks: Ethics, law, and communication likely won’t land you your first infosec job. If you want to do well in that job and/or move up the ladder, though — they are absolutely, positively ESSENTIAL.
     ✦ All of you: if you want to use your tech knowledge for good, 510 should give you avenues for that.
  5. Cool? Cool. Thanks!
     This presentation is copyright 2023 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.
  6. Ground rules
     ✦ Every one of you is welcome and wanted here. Every one of you can succeed here.
     ✦ It’s my job to help that happen. Help me do my job by telling me when I can make a difference for you. I am not psychic! I don’t always realize.
     ✦ Grades in this course are not competitive. Everyone can get an A!
     ✦ But it’ll be easier if you support your classmates. So do that.
     ✦ We have widely varying levels of pre-existing tech knowledge in this class. I do my best to design the class around that, in fact.
     ✦ I will be Very Upset with you if you mess up my careful design work by being scornful or dismissive of classmates who didn’t come in with the same tech preparation you did. So don’t. Thanks.
     ✦ Some specific things to avoid: “well actually,” “RTFM,” “how could you not know that?!” and sexist/racist/ageist/ableist words, phrases, and stereotypes (“so easy my grandma could…”). Not in my class, please.
  7. Foundational expectations
     ✦ You will be here. Physically. In class. Every week. On time and ready to work.
     ✦ This course does get taught online-asynchronous (usually spring) — I will not be offended if you drop to take the online version.
     ✦ 36% of your grade comes from the “weekly huddles” I start class with, week 3 on. There is no makeup for these. Be here or lose points.
     ✦ You will do the readings for each week before you come to class.
     ✦ I do use a textbook and another book for this class. The library has the textbook as an ebook! The other is readily available used.
     ✦ A lot of the work of this class will happen right here in this classroom! And it won’t be passive!
     ✦ What even is the point of an in-person class otherwise?!
  8. That said…
     ✦ I super do not love the current COVID numbers.
     ✦ I also had an exposure scare in late August, ugh. I did manage to dodge the ’vid. This time.
     ✦ Lots of reasons they’ll get worse, at least during the weeks after semester start.
     ✦ Look after yourselves. You’re young (mostly), but this thing’s sneaky and its effects can compound over multiple infections.
     ✦ If you’re interested in my stylin’ duckbill N95 masks, let me know.
     ✦ DO NOT come to class contagious, please. Email me and we’ll work it out.
     ✦ (If I get sick despite precautions, we’ll survive — I can remote in or we can move online.)
  9. Assignment aids
     ✦ Grammarly: if you must, but its data privacy is crap. ChatGPT: not in my class, please.
     ✦ There will be opportunities to work together and learn from each other. Infosec is social!
     ✦ I’ll try to remember to point out where collaboration is a good idea. If I don’t remember, you can always ask me.
     ✦ That said, please don’t be That Person who systematically leeches off other students. That Person doesn’t learn. Also it’s gross and dishonorable. Do better.
     ✦ I can’t always catch That Person. Sometimes I can. When I can, I have a lot of discretion under campus misconduct rules.
  10. Exams
     ✦ There aren’t any. There, that was easy.
     ✦ Yes, this means you can DISREGARD our final-exam slot when making travel plans for December. WE HAVE NO FINAL.
     ✦ I may occasionally use the Canvas quiz feature for something or other. But it won’t be anything as heavy as an exam.
     ✦ Sometimes, for me, it’s a convenient way of structuring and pacing a step-by-step hands-on activity.
     ✦ ONLINE EXAM PROCTORING SOFTWARE IS A RACIST, ABLEIST, PRIVACY-DESTROYING DUMPSTER FIRE so I refuse to use it.
     ✦ We’ll read a thing or two about this that’s shaped my thinking.
  11. Many low-stakes assignments. Deliberately.
     ✦ Putting all the grade eggs in one or two baskets is really stressful for students, I find.
     ✦ So I haven’t.
     ✦ My grading strategy is to have plenty of small pass/fail assignments, a couple of medium-size assignments, and one semesterlong assignment with pieces of it due throughout the semester (instead of semester-end all-nighters).
  12. Morning-class logistics
     ✦ Food and drink: fine, just don’t make a mess
     ✦ Liquids capped/lidded, please.
     ✦ Try to avoid crumbs, stains, strong smells, etc.
     ✦ If there’s something foodish you absolutely can’t be around, let me know privately and I’ll announce in class without using your name.
     ✦ Water-bottle station near elevators. Vending in College Library.
     ✦ Devices are fine, but honor system: don’t check out, don’t distract yourself or others.
     ✦ There are floor and wall outlets you can use. Try not to trip people!
     ✦ Recording: fine, but I’m not sure it’ll help much.
     ✦ Breaks: Yes, at least one, 10-15 minutes.
     ✦ You can quietly slope out for a biobreak at other times if you need to.
  13. Student/office hours
     ✦ In my physical office or via Zoom (see Canvas)
     ✦ If you come to my physical office, I’d appreciate it if you masked. Thanks!
     ✦ Can’t make my regular hours?
     ✦ You can ADD AN APPOINTMENT to my O365 calendar directly. Meetings can start between 8 and 3; please don’t conflict with meetings already in my calendar. Let me know how we’re meeting: in-person, Zoom, or call (leave your number).
     ✦ You can EMAIL ME WITH 3-5 TIMES that work for you. I’ll pick one or we’ll negotiate.
     ✦ Doesn’t have to be class-related!
     ✦ If you’re curious about something else I do, have a question about campus, or just want to shoot the breeze, that’s FINE.
     ✦ During regular office hours, I do of course have to prioritize class-related questions.
  14. Cool? Cool. Thanks!
     This presentation is copyright 2021 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.
  15. Weekly huddles
     ✦ Start of class, starting our third meeting
     ✦ (this should avoid the worst of drop/add chaos)
     ✦ 3 final-grade points each. A table-by-table activity derived from the readings due for that week.
     ✦ Names of those at the table go on the sheet of paper.
     ✦ Answers to the questions do too.
     ✦ Closed book, no devices. No looking things up!
     ✦ Not intended to be a gotcha! I am not out to trick, confuse, or bewilder you.
     ✦ I’m out to get you to do the readings! I chose them for reasons!
     ✦ There will be “sense of the table”-type opinion/reflection questions as well as more fact-based questions.
  16. In the (Higher-Ed) News
     ✦ Current awareness is so important in infosec and privacy work. Stuff changes! So this is a current-awareness exercise.
     ✦ Use it to figure out your own ongoing current-awareness strategies!
     ✦ Find news stories. Three-minute in-class summary of the HUMAN ASPECTS of the story.
     ✦ Whodunnit? Who’s been harmed (actually or potentially)? How did people respond when it happened?
     ✦ Limiting to higher ed for two reasons:
     ✦ Having a scope should make this less overwhelming.
     ✦ Consciousness-raising. Too many students are… well, kinda overtrusting about security threats on and to campus.
  17. Each one teach one!
     ✦ Intended to help you practice:
     ✦ Understanding a new-to-you privacy/security threat
     ✦ Once you understand it, helping others understand it too
     ✦ Trust me, these are different skills!
     ✦ Also intended to give you a chance to decode poorly-communicated security incidents.
     ✦ … which, frankly, many of them are.
     ✦ And it’s good practice for work email.
     ✦ I know, I know, email is an older-person thing. It still runs a whole lot of workplaces, so learning to use it well is a good idea.
     ✦ Tip: BLUF (BOTTOM LINE UP FRONT). In fandom, this is sometimes known as tl;dr (too long; didn’t read). 1-2 sentence summary of what the person most needs to do at start of email! THEN you explain.
  18. Book analysis
     ✦ I read this Really Cool Article, y’all!
     ✦ (It’s in your readings for next week.)
     ✦ Fulton et al. 2019. “The effect of entertainment media on mental models of computer security.” https://www.usenix.org/system/files/soups2019-fulton.pdf
     ✦ You’re going to reproduce (parts of) their analysis on a book you choose.
     ✦ (I wanted to do movie nights, but rights clearance is too expensive. Sorry.)
     ✦ One book list in syllabus; you may also choose anything in the “Fiction / Cyber Novel” category of Cybersecurity Canon.
     ✦ It doesn’t have to be a good book. If you want to point and laugh at a terrible one, go right ahead.
     ✦ Goals: better media literacy, better security awareness, and some fun with a book!
  19. Semesterlong project: Incident analysis
     ✦ You will pick a real-world security incident (grads: incident type) to read up on, analyze, and report out about.
     ✦ There’s a list in the syllabus. If you have an incident [class] in mind that’s not on there, email me. Usually I say yes!
     ✦ You will explain it to others in three ways:
     ✦ “Communication artifact” helping people protect themselves
     ✦ Slides and script for an incident presentation (such as you’d give to organization leadership)
     ✦ Incident report
  20. Really? Three times?
     ✦ Yes, because each type of explanation happens in the real world, and each has different constraints.
     ✦ Length and detail (which are inversely correlated, of course)
     ✦ Audience
     ✦ Goals
     ✦ Meta-reason: putting briefer explanations first gives you more time to accumulate and assimilate information for the lengthier final report.
     ✦ It also helps you not procrastinate on info-gathering.
     ✦ I’ll explain more in the syllabus and the Canvas assignment descriptions!
  21. Working together
     ✦ I don’t mind if several of you choose the same (class of) incident so that you can share the research load. It’s not obligatory, but it’s fine!
     ✦ I’m being explicit about this because some classes don’t allow it.
     ✦ In the Real World™, though, it’s somewhat unlikely that you’d be working on threat intelligence or incident response all by yourself.
     ✦ All your deliverables must be your own individual work, though.
     ✦ Caveat: It’s completely fine (and I encourage you) to seek feedback on your deliverables from classmates, the Writing Center, and/or the Design Lab.
  22. I don’t give a flip about citation styles in this class.
     Most workplaces don’t. If you formally cite, you may use whichever style you prefer. For most of your deliverables, a title linked to the source is enough.
  23. How to get started
     ✦ Pick your incident (class).
     ✦ Start piling up sources that look possibly-useful.
     ✦ You don’t have to read it all thoroughly at first—just make that pile.
     ✦ You CERTAINLY don’t have to understand it all yet! You’ll likely run into plenty of tech-talk and policy-talk you don’t have the background for. That’s perfectly fine. What the course itself doesn’t answer, ask about in class!
     ✦ For now, just FIND INFORMATION… and be able to find it again!
     ✦ Suggestion: annotated linklist
     ✦ Google Doc, Raindrop, Zotero, whatever.
     ✦ Copy-paste the title. Paste the link.
     ✦ When you get a chance to read it, take what notes seem good to you.
  24. About me
     ✦ “Professor Salo” is fine. (I’m not “Dr.” anything.)
     ✦ Librarian (UW-Madison MA/LIS class of 2005!)
     ✦ Which gives me a professional obsession with privacy, which I leveraged into an interest in infosec
     ✦ iSchool instructor since 2007; full-time since 2011
     ✦ Main professional interests: student and library-patron privacy, data/information rescue (from obsolete media) and preservation, scholarly communication, metadata
     ✦ Feral techie, jack-of-all-trades-master-of-none
     ✦ Almost no formal CS or software-engineering education; what I know I mostly picked up from solving problems for myself or others
     ✦ In any tech-ish class I teach, one or more students knows more than I do about something I’m teaching. It’s cool. Often it’s helpful!
     ✦ https://dsalo.info/ and https://speakerdeck.com/dsalo and https://github.com/dsalo
  25. My surveillance practices
     ✦ We’ll be looking at Canvas’s surveillance capacity.
     ✦ Because in my informed opinion, SURVEILLANCE IS A THREAT TO INDIVIDUAL SECURITY! The best way I know to drive this home to you is to use Canvas as an example.
     ✦ I owe it to you to tell you how I use it.
     ✦ Mostly I don’t. Assignments aside, I never grade (much less discipline) based on what you do in Canvas or how long you spend doing it. I don’t even LOOK at this except…
     ✦ … if it looks like you’ve GHOSTED ON THE CLASS, I will look at when you last logged in and how much time you’ve spent in the class lately.
     ✦ If it looks like a ghosting, I then email you to ask what’s going on and whether/how I can help. Usually that solves things. If I don’t hear back, I may involve other people (your advisor, McBurney if appropriate, etc).
     ✦ My goal is ALWAYS to get you through the course successfully.
  26. UW Cybersecurity Club
     ✦ Exists! And is pretty great!
     ✦ You are all welcome, obviously.
     ✦ https://win.wisc.edu/organization/csec
     ✦ https://www.cybersecurityuw.com/
     ✦ I’ll put a link to the Discord server in Canvas.
     ✦ Discord: a voice and text/web chat application, a bit like Slack crossed with Zoom
     ✦ The club mostly uses chat, not voice.
     ✦ Disclaimer: I’m one of the club’s faculty advisors.
     ✦ But it’s student-run! I only hang around to cut red tape!
  27. Cool? Cool. Thanks!
     This presentation is copyright 2021 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.