$30 off During Our Annual Pro Sale. View Details »

LIS 510 "Human Factors in Information Security" course introduction

LIS 510 "Human Factors in Information Security" course introduction

Dorothea Salo

August 28, 2023

More Decks by Dorothea Salo

Other Decks in Education


  1. Welcome to

    Human Factors

    in Information Security!
    Dorothea Salo

    View Slide

  2. What is this course for?
    ✦ Your self-protection, and helping you contribute
    to a safer, more secure world for everyone

    ✦ For some of you, a light on possible career paths

    ✦ A lot of communication and workplace practice!

    ✦ This is the major motive behind course assignments.

    ✦ Work-appropriate communication styles have to be learnt; they are
    very di
    erent from academic communication. I will steep you in the
    erences! (I will also try to teach you how best to communicate
    around tricky subjects—like errors and blame.)

    ✦ Infosec has its own communication genres: bug/vulnerability reports,
    incident reports, training materials… so I’ll be acquainting you with
    those. It won’t be enough! But at least they won’t come as a surprise.

    View Slide

  3. This course’s theme
    Information security

    is about PEOPLE

    or it is

    View Slide

  4. No comment.

    (photo by [email protected],

    reproduced by kind permission)

    View Slide

  5. Sorry, what?!

    Training isn’t cybersecurity?!

    View Slide

  6. Losing the ability to even…

    (reproduced by kind permission of Lea Kissner)

    View Slide

  7. Corollaries
    ✦ Infosec is about people because it has to be.

    ✦ There is no such thing as a technological system
    completely devoid of people.

    ✦ People design systems.

    ✦ People build them.

    ✦ People use them — and by using them, become part of them!

    ✦ People abuse them, often to harm other people.

    ✦ The people parts of systems work di
    from the tech parts. We’re not technologies!

    ✦ You can’t always use tech to
    x human behavior.
    We’ll see some reasons why not.

    View Slide

  8. Questions we’ll (start to)
    answer in this course
    ✦ What IS IT with people? Why are we (as a
    species) so bad at security?

    ✦ Spoiler: the answers have little or nothing to do with intelligence.

    ✦ Why do we make the security decisions we do?

    ✦ Where do we learn bad practices? How can we make better decisions?

    ✦ How can we make it easier for everyone to make better decisions?

    ✦ Can we make people who don’t give a 💩 about the impact of their
    💩-y practices on everybody else’s security… actually give a 💩?

    ✦ Who’s out to ruin our security, why, and how?

    ✦ The answers to this one are legion, and some will surprise you.

    ✦ How do the human and organizational processes
    around security work, in the Real World™?

    View Slide

  9. Students who take 510…
    ✦ … typically come in a few di

    ✦ MA/LIS students, interested in privacy and/or information/data

    ✦ MS/Info students: often responsible for securing data or systems

    ✦ CS/SE, iSci, or Digital Studies undergrads interested in infosec careers

    ✦ B-school students, often interested in risk management

    ✦ (None of these may apply to you — and if so, GREAT! Welcome!)

    ✦ If one of these is you, here is what I have for you!

    ✦ MA/LIS, MS/Info folks: a little technology, a fair amount of pragmatic
    big-picture knowledge

    ✦ CS/SE, iSci folks: Ethics, law, and communication likely won’t land you
    rst infosec job. If you want to do well in that job and/or move
    up the ladder, though — they are absolutely, positively ESSENTIAL.

    ✦ All of you: if you want to use your tech knowledge for good, 510
    should give you avenues for that.

    View Slide

  10. Cool? Cool. Thanks!
    This presentation is copyright 2023 by Dorothea Salo.

    It is available under a

    Creative Commons Attribution 4.0

    International license.

    View Slide

  11. Class logistics

    View Slide

  12. Ground rules
    ✦ Every one of you is welcome and wanted here. Every
    one of you can succeed here.

    ✦ It’s my job to help that happen. Help me do my job by telling me when I
    can make a di
    erence for you. I am not psychic! I don’t always realize.

    ✦ Grades in this course are not competitive. Everyone can get an A!

    ✦ But it’ll be easier if you support your classmates. So do that.

    ✦ We have widely varying levels of pre-existing tech
    knowledge in this class. I do my best to design the
    class around that, in fact.

    ✦ I will be Very Upset with you if you mess up my careful design work by
    being scornful or dismissive of classmates who didn’t come in with the
    same tech preparation you did. So don’t. Thanks.

    ✦ Some speci
    c things to avoid: “well actually,” “RTFM,” “how could you not
    know that?!” and sexist/racist/ageist/ableist words, phrases, and
    stereotypes (“so easy my grandma could…”) Not in my class, please.

    View Slide

  13. Foundational expectations
    ✦ You will be here. Physically. In class. Every week. On
    time and ready to work.

    ✦ This course does get taught online-asynchronous (usually spring) — I
    will not be o
    ended if you drop to take the online version.

    ✦ 36% of your grade comes from the “weekly huddles” I start class with,
    week 3 on. There is no makeup for these. Be here or lose points.

    ✦ You will do the readings for each week before you
    come to class.

    ✦ I do use a textbook and another book for this class. The library has the
    textbook as an ebook! The other is readily available used.

    ✦ A lot of the work of this class will happen right
    here in this classroom! And it won’t be passive!

    ✦ What even is the point of an in-person class otherwise?!

    View Slide

  14. That said…
    ✦ I super do not love the current COVID numbers.

    ✦ I also had an exposure scare in late August, ugh. I did manage to
    dodge the ’vid. This time.

    ✦ Lots of reasons they’ll get worse, at least during
    the weeks after semester start.

    ✦ Look after yourselves. You’re young (mostly), but this thing’s sneaky
    and its e
    ects can compound over multiple infections.

    ✦ If you’re interested in my stylin’ duckbill n95 masks, let me know.

    ✦ DO NOT come to class contagious, please. Email
    me and we’ll work it out.

    ✦ (If I get sick despite precautions, we’ll survive — I can remote in or
    we can move online.)

    View Slide

  15. Assignment aids
    ✦ Grammarly: if you must, but its data privacy is
    crap. ChatGPT: not in my class, please.

    ✦ There will be opportunities to work together and
    learn from each other. Infosec is social!

    ✦ I’ll try to remember to point out where collaboration is a good idea. If
    I don’t remember, you can always ask me.

    ✦ That said, please don’t be That Person who
    systematically leeches o
    other students. That
    Person doesn’t learn. Also it’s gross and
    dishonorable. Do better.

    ✦ I can’t always catch That Person. Sometimes I can. When I can, I have
    a lot of discretion under campus misconduct rules.

    View Slide

  16. Exams
    ✦ There aren’t any. There, that was easy.

    ✦ Yes, this means you can DISREGARD our
    nal-exam slot when
    making travel plans for December. WE HAVE NO FINAL.

    ✦ I may occasionally use the Canvas quiz feature
    for something or other. But it won’t be anything
    as heavy as an exam.

    ✦ Sometimes, for me, it’s a convenient way of structuring and pacing a
    step-by-step hands-on activity.

    DUMPSTER FIRE so I refuse to use it.

    ✦ We’ll read a thing or two about this that’s shaped my thinking.

    View Slide

  17. Many low-stakes
    assignments. Deliberately.
    ✦ Putting all the grade eggs in one or two baskets is
    really stressful for students, I

    ✦ So I haven’t.

    ✦ My grading strategy is to have plenty of small
    pass/fail assignments, a couple of medium-size
    assignments, and one semesterlong assignment
    with pieces of it due throughout the semester
    (instead of semester-end all-nighters).

    View Slide

  18. Morning-class logistics
    ✦ Food and drink:
    ne, just don’t make a mess

    ✦ Liquids capped/lidded, please.

    ✦ Try to avoid crumbs, stains, strong smells, etc.

    ✦ If there’s something foodish you absolutely can’t be around, let me
    know privately and I’ll announce in class without using your name.

    ✦ Water-bottle station near elevators. Vending in College Library.

    ✦ Devices are
    ne, but honor system: don’t check
    out, don’t distract yourself or others.

    ✦ There are
    oor and wall outlets you can use. Try not to trip people!

    ✦ Recording:
    ne, but I’m not sure it’ll help much.

    ✦ Breaks: Yes, at least one, 10-15 minutes.

    ✦ You can quietly slope out for a biobreak at other times if you need to.

    View Slide

  19. Student/office hours
    ✦ In my physical o
    ce or via Zoom (see Canvas)

    ✦ If you come to my physical o
    ce, I’d appreciate it if you masked. Thanks!

    ✦ Can’t make my regular hours?

    ✦ You can ADD AN APPOINTMENT to my O365 calendar directly. Meetings
    can start between 8 and 3; please don’t con
    ict with meetings already in
    my calendar. Let me know how we’re meeting: in-person, Zoom, or call
    (leave your number).

    ✦ You can EMAIL ME WITH 3-5 TIMES that work for you. I’ll pick one or we’ll

    ✦ Doesn’t have to be class-related!

    ✦ If you’re curious about something else I do, have a question about
    campus, or just want to shoot the breeze, that’s FINE.

    ✦ During regular o
    ff i
    ce hours, I do of course have to prioritize class-
    related questions.

    View Slide

  20. Anything I didn’t think of?

    View Slide

  21. Cool? Cool. Thanks!
    This presentation is copyright 2021 by Dorothea Salo.

    It is available under a

    Creative Commons Attribution 4.0

    International license.

    View Slide

  22. Course design


    View Slide

  23. Weekly huddles
    ✦ Start of class, starting our third meeting

    ✦ (this should avoid the worst of drop/add chaos)

    ✦ 3
    nal-grade points each. A table-by-table activity
    derived from the readings due for that week.

    ✦ Names of those at the table go on the sheet of paper.

    ✦ Answers to the questions do too.

    ✦ Closed book, no devices. No looking things up!

    ✦ Not intended to be a gotcha! I am not out to
    trick, confuse, or bewilder you.

    ✦ I’m out to get you to do the readings! I chose them for reasons!

    ✦ There will be “sense of the table”-type opinion/re
    ection questions as
    well as more fact-based questions.

    View Slide

  24. In the (Higher-Ed) News
    ✦ Current awareness is so important in infosec and
    privacy work. Stu
    changes! So this is a current-
    awareness exercise.

    ✦ Use it to
    gure out your own ongoing current-awareness strategies!

    ✦ Find news stories. Three-minute in-class
    summary of the HUMAN ASPECTS of the story.

    ✦ Whodunnit? Who’s been harmed (actually or potentially)? How did
    people respond when it happened?

    ✦ Limiting to higher ed for two reasons:

    ✦ Having a scope should make this less overwhelming.

    ✦ Consciousness-raising. Too many students are… well, kinda
    overtrusting about security threats on and to campus.

    View Slide

  25. Each one teach one!
    ✦ Intended to help you practice:

    ✦ Understanding a new-to-you privacy/security threat

    ✦ Once you understand it, helping others understand it too

    ✦ Trust me, these are di
    erent skills!

    ✦ Also intended to give you a chance to decode
    poorly-communicated security incidents.

    ✦ … which, frankly, many of them are.

    ✦ And it’s good practice for work email.

    ✦ I know, I know, email is an older-person thing. It still runs a whole lot
    of workplaces, so learning to use it well is a good idea.

    ✦ Tip: BLUF (BOTTOM LINE UP FRONT). In fandom, this is sometimes
    known as tl;dr (too long; didn’t read). 1-2 sentence summary of what
    the person most needs to do at start of email! THEN you explain.

    View Slide

  26. Book analysis
    ✦ I read this Really Cool Article, y’all!

    ✦ (It’s in your readings for next week.)

    ✦ Fulton et al. 2019. “The e
    ect of entertainment media on mental models of
    computer security.” https://www.usenix.org/system/

    ✦ You’re going to reproduce (parts of) their analysis on a
    book you choose.

    ✦ (I wanted to do movie nights, but rights clearance is too expensive. Sorry.)

    ✦ One book list in syllabus; you may also choose anything in the “Fiction /
    Cyber Novel” category of Cybersecurity Canon.

    ✦ It doesn’t have to be a good book. If you want to point and laugh at a terrible
    one, go right ahead.

    ✦ Goals: better media literacy, better security awareness,
    and some fun with a book!

    View Slide

  27. Semesterlong project:
    Incident analysis
    ✦ You will pick a real-world security incident
    (grads: incident type) to read up on, analyze, and
    report out about.

    ✦ There’s a list in the syllabus. If you have an incident [class] in mind
    that’s not on there, email me. Usually I say yes!

    ✦ You will explain it to others in three ways:

    ✦ “Communication artifact” helping people protect themselves

    ✦ Slides and script for an incident presentation (such as you’d give to
    organization leadership)

    ✦ Incident report

    View Slide

  28. Really? Three times?
    ✦ Yes, because each type of explanation happens in
    the real world, and each has di
    erent constraints.

    ✦ Length and detail (which are inversely correlated, of course)

    ✦ Audience

    ✦ Goals

    ✦ Meta-reason: putting briefer explanations
    gives you more time to accumulate and assimilate
    information for the lengthier
    nal report.

    ✦ It also helps you not procrastinate on info-gathering.

    ✦ I’ll explain more in the syllabus and the Canvas
    assignment descriptions!

    View Slide

  29. Working together
    ✦ I don’t mind if several of you choose the same
    (class of) incident so that you can share the
    research load. It’s not obligatory, but it’s

    ✦ I’m being explicit about this because some classes don’t allow it.

    ✦ In the Real World™, though, it’s somewhat unlikely that you’d be
    working on threat intelligence or incident response all by yourself.

    ✦ All your deliverables must be your own individual
    work, though.

    ✦ Caveat: It’s completely
    ne (and I encourage you) to seek feedback on
    your deliverables from classmates, the Writing Center, and/or the
    Design Lab.

    View Slide

  30. I don’t give a flip about citation styles
    in this class.

    Most workplaces don’t.

    If you formally cite, you may use
    whichever style you prefer.

    For most of your deliverables,

    a title linked to the source is enough.

    View Slide

  31. How to get started
    ✦ Pick your incident (class).

    ✦ Start piling up sources that look possibly-useful.

    ✦ You don’t have to read it all thoroughly at
    rst—just make that pile.

    ✦ You CERTAINLY don’t have to understand it all yet! You’ll likely run
    into plenty of tech-talk and policy-talk you don’t have the background
    for. That’s perfectly
    ne. What the course itself doesn’t answer, ask
    about in class!

    ✦ For now, just FIND INFORMATION… and be able to
    nd it again!

    ✦ Suggestion: annotated linklist

    ✦ Google Doc, Raindrop, Zotero, whatever.

    ✦ Copy-paste the title. Paste the link.

    ✦ When you get a chance to read it, take what notes seem good to you.

    View Slide

  32. My linklist for this class:


    View Slide

  33. That’s it.

    The rest is in the syllabus
    and on Canvas.

    Go to it!

    View Slide

  34. Other semi-random
    possibly-useful stuff

    View Slide

  35. About me
    ✦ “Professor Salo” is
    ne. (I’m not “Dr.” anything.)

    ✦ Librarian (UW-Madison MA/LIS class of 2005!)

    ✦ Which gives me a professional obsession with privacy, which I leveraged into
    an interest in infosec

    ✦ iSchool instructor since 2007; full-time since 2011

    ✦ Main professional interests: student and library-patron privacy, data/
    information rescue (from obsolete media) and preservation, scholarly
    communication, metadata

    ✦ Feral techie, jack-of-all-trades-master-of-none

    ✦ Almost no formal CS or software-engineering education; what I know I
    mostly picked up from solving problems for myself or others

    ✦ In any tech-ish class I teach, one or more students knows more than I do
    about something I’m teaching. It’s cool. Often it’s helpful!

    ✦ https://dsalo.info/ and https://speakerdeck.com/dsalo
    and https://github.com/dsalo

    View Slide

  36. My surveillance practices
    ✦ We’ll be looking at Canvas’s surveillance capacity.

    ✦ Because in my informed opinion, SURVEILLANCE IS A THREAT TO
    INDIVIDUAL SECURITY! The best way I know to drive this home to you is
    to use Canvas as an example.

    ✦ I owe it to you to tell you how I use it.

    ✦ Mostly I don’t. Assignments aside, I never grade (much less discipline)
    based on what you do in Canvas or how long you spend doing it. I don’t
    even LOOK at this except…

    ✦ … if it looks like you’ve GHOSTED ON THE CLASS, I will look at when you
    last logged in and how much time you’ve spent in the class lately.

    ✦ If it looks like a ghosting, I then email you to ask what’s going on and
    whether/how I can help. Usually that solves things. If I don’t hear back, I
    may involve other people (your advisor, McBurney if appropriate, etc).

    ✦ My goal is ALWAYS to get you through the course successfully.

    View Slide

  37. UW Cybersecurity Club
    ✦ Exists! And is pretty great!

    ✦ You are all welcome, obviously.

    ✦ https://win.wisc.edu/organization/csec

    ✦ https://www.cybersecurityuw.com/

    ✦ I’ll put a link to the Discord server in Canvas.

    ✦ Discord: a voice and text/web chat application, a bit like Slack crossed
    with Zoom

    ✦ The club mostly uses chat, not voice.

    ✦ Disclaimer: I’m one of the club’s faculty advisors.

    ✦ But it’s student-run! I only hang around to cut red tape!

    View Slide

  38. Cool? Cool. Thanks!
    This presentation is copyright 2021 by Dorothea Salo.

    It is available under a

    Creative Commons Attribution 4.0

    International license.

    View Slide