
LIS 510 "Human Factors in Information Security" course introduction


Dorothea Salo

August 28, 2023

Transcript

  1. Welcome to Human Factors in Information Security!
    Dorothea Salo

  2. What is this course for?
    ✦ Your self-protection, and helping you contribute to a safer, more secure world for everyone
    ✦ For some of you, a light on possible career paths
    ✦ A lot of communication and workplace practice!
    ✦ This is the major motive behind course assignments.
    ✦ Work-appropriate communication styles have to be learnt; they are very different from academic communication. I will steep you in the differences! (I will also try to teach you how best to communicate around tricky subjects—like errors and blame.)
    ✦ Infosec has its own communication genres: bug/vulnerability reports, incident reports, training materials… so I’ll be acquainting you with those. It won’t be enough! But at least they won’t come as a surprise.

  3. This course’s theme
    Information security is about PEOPLE or it is 🐂💩.

  4. No comment.
    (photo by [email protected], reproduced by kind permission)

  5. Sorry, what?!
    Training isn’t cybersecurity?!

  6. Losing the ability to even…
    (reproduced by kind permission of Lea Kissner)

  7. Corollaries
    ✦ Infosec is about people because it has to be.
    ✦ There is no such thing as a technological system completely devoid of people.
    ✦ People design systems.
    ✦ People build them.
    ✦ People use them — and by using them, become part of them!
    ✦ People abuse them, often to harm other people.
    ✦ The people parts of systems work differently from the tech parts. We’re not technologies!
    ✦ You can’t always use tech to fix human behavior. We’ll see some reasons why not.

  8. Questions we’ll (start to) answer in this course
    ✦ What IS IT with people? Why are we (as a species) so bad at security?
    ✦ Spoiler: the answers have little or nothing to do with intelligence.
    ✦ Why do we make the security decisions we do?
    ✦ Where do we learn bad practices? How can we make better decisions?
    ✦ How can we make it easier for everyone to make better decisions?
    ✦ Can we make people who don’t give a 💩 about the impact of their 💩-y practices on everybody else’s security… actually give a 💩?
    ✦ Who’s out to ruin our security, why, and how?
    ✦ The answers to this one are legion, and some will surprise you.
    ✦ How do the human and organizational processes around security work, in the Real World™?

  9. Students who take 510…
    ✦ … typically come in a few different flavors.
    ✦ MA/LIS students, interested in privacy and/or information/data governance
    ✦ MS/Info students: often responsible for securing data or systems
    ✦ CS/SE, iSci, or Digital Studies undergrads interested in infosec careers
    ✦ B-school students, often interested in risk management
    ✦ (None of these may apply to you — and if so, GREAT! Welcome!)
    ✦ If one of these is you, here is what I have for you!
    ✦ MA/LIS, MS/Info folks: a little technology, a fair amount of pragmatic big-picture knowledge
    ✦ CS/SE, iSci folks: Ethics, law, and communication likely won’t land you your first infosec job. If you want to do well in that job and/or move up the ladder, though — they are absolutely, positively ESSENTIAL.
    ✦ All of you: if you want to use your tech knowledge for good, 510 should give you avenues for that.

  10. Cool? Cool. Thanks!
    This presentation is copyright 2023 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.

  11. Class logistics

  12. Ground rules
    ✦ Every one of you is welcome and wanted here. Every one of you can succeed here.
    ✦ It’s my job to help that happen. Help me do my job by telling me when I can make a difference for you. I am not psychic! I don’t always realize.
    ✦ Grades in this course are not competitive. Everyone can get an A!
    ✦ But it’ll be easier if you support your classmates. So do that.
    ✦ We have widely varying levels of pre-existing tech knowledge in this class. I do my best to design the class around that, in fact.
    ✦ I will be Very Upset with you if you mess up my careful design work by being scornful or dismissive of classmates who didn’t come in with the same tech preparation you did. So don’t. Thanks.
    ✦ Some specific things to avoid: “well actually,” “RTFM,” “how could you not know that?!” and sexist/racist/ageist/ableist words, phrases, and stereotypes (“so easy my grandma could…”) Not in my class, please.

  13. Foundational expectations
    ✦ You will be here. Physically. In class. Every week. On time and ready to work.
    ✦ This course does get taught online-asynchronous (usually spring) — I will not be offended if you drop to take the online version.
    ✦ 36% of your grade comes from the “weekly huddles” I start class with, week 3 on. There is no makeup for these. Be here or lose points.
    ✦ You will do the readings for each week before you come to class.
    ✦ I do use a textbook and another book for this class. The library has the textbook as an ebook! The other is readily available used.
    ✦ A lot of the work of this class will happen right here in this classroom! And it won’t be passive!
    ✦ What even is the point of an in-person class otherwise?!

  14. That said…
    ✦ I super do not love the current COVID numbers.
    ✦ I also had an exposure scare in late August, ugh. I did manage to dodge the ’vid. This time.
    ✦ Lots of reasons they’ll get worse, at least during the weeks after semester start.
    ✦ Look after yourselves. You’re young (mostly), but this thing’s sneaky and its effects can compound over multiple infections.
    ✦ If you’re interested in my stylin’ duckbill n95 masks, let me know.
    ✦ DO NOT come to class contagious, please. Email me and we’ll work it out.
    ✦ (If I get sick despite precautions, we’ll survive — I can remote in or we can move online.)

  15. Assignment aids
    ✦ Grammarly: if you must, but its data privacy is crap. ChatGPT: not in my class, please.
    ✦ There will be opportunities to work together and learn from each other. Infosec is social!
    ✦ I’ll try to remember to point out where collaboration is a good idea. If I don’t remember, you can always ask me.
    ✦ That said, please don’t be That Person who systematically leeches off other students. That Person doesn’t learn. Also it’s gross and dishonorable. Do better.
    ✦ I can’t always catch That Person. Sometimes I can. When I can, I have a lot of discretion under campus misconduct rules.

  16. Exams
    ✦ There aren’t any. There, that was easy.
    ✦ Yes, this means you can DISREGARD our final-exam slot when making travel plans for December. WE HAVE NO FINAL.
    ✦ I may occasionally use the Canvas quiz feature for something or other. But it won’t be anything as heavy as an exam.
    ✦ Sometimes, for me, it’s a convenient way of structuring and pacing a step-by-step hands-on activity.
    ✦ ONLINE EXAM PROCTORING SOFTWARE IS A RACIST, ABLEIST, PRIVACY-DESTROYING DUMPSTER FIRE so I refuse to use it.
    ✦ We’ll read a thing or two about this that’s shaped my thinking.

  17. Many low-stakes assignments. Deliberately.
    ✦ Putting all the grade eggs in one or two baskets is really stressful for students, I find.
    ✦ So I haven’t.
    ✦ My grading strategy is to have plenty of small pass/fail assignments, a couple of medium-size assignments, and one semesterlong assignment with pieces of it due throughout the semester (instead of semester-end all-nighters).

  18. Morning-class logistics
    ✦ Food and drink: fine, just don’t make a mess
    ✦ Liquids capped/lidded, please.
    ✦ Try to avoid crumbs, stains, strong smells, etc.
    ✦ If there’s something foodish you absolutely can’t be around, let me know privately and I’ll announce in class without using your name.
    ✦ Water-bottle station near elevators. Vending in College Library.
    ✦ Devices are fine, but honor system: don’t check out, don’t distract yourself or others.
    ✦ There are floor and wall outlets you can use. Try not to trip people!
    ✦ Recording: fine, but I’m not sure it’ll help much.
    ✦ Breaks: Yes, at least one, 10-15 minutes.
    ✦ You can quietly slope out for a biobreak at other times if you need to.

  19. Student/office hours
    ✦ In my physical office or via Zoom (see Canvas)
    ✦ If you come to my physical office, I’d appreciate it if you masked. Thanks!
    ✦ Can’t make my regular hours?
    ✦ You can ADD AN APPOINTMENT to my O365 calendar directly. Meetings can start between 8 and 3; please don’t conflict with meetings already in my calendar. Let me know how we’re meeting: in-person, Zoom, or call (leave your number).
    ✦ You can EMAIL ME WITH 3-5 TIMES that work for you. I’ll pick one or we’ll negotiate.
    ✦ Doesn’t have to be class-related!
    ✦ If you’re curious about something else I do, have a question about campus, or just want to shoot the breeze, that’s FINE.
    ✦ During regular office hours, I do of course have to prioritize class-related questions.

  20. Anything I didn’t think of?

  21. Cool? Cool. Thanks!
    This presentation is copyright 2021 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.

  22. Course design run-through

  23. Weekly huddles
    ✦ Start of class, starting our third meeting
    ✦ (this should avoid the worst of drop/add chaos)
    ✦ 3 final-grade points each. A table-by-table activity derived from the readings due for that week.
    ✦ Names of those at the table go on the sheet of paper.
    ✦ Answers to the questions do too.
    ✦ Closed book, no devices. No looking things up!
    ✦ Not intended to be a gotcha! I am not out to trick, confuse, or bewilder you.
    ✦ I’m out to get you to do the readings! I chose them for reasons!
    ✦ There will be “sense of the table”-type opinion/reflection questions as well as more fact-based questions.

  24. In the (Higher-Ed) News
    ✦ Current awareness is so important in infosec and privacy work. Stuff changes! So this is a current-awareness exercise.
    ✦ Use it to figure out your own ongoing current-awareness strategies!
    ✦ Find news stories. Three-minute in-class summary of the HUMAN ASPECTS of the story.
    ✦ Whodunnit? Who’s been harmed (actually or potentially)? How did people respond when it happened?
    ✦ Limiting to higher ed for two reasons:
    ✦ Having a scope should make this less overwhelming.
    ✦ Consciousness-raising. Too many students are… well, kinda overtrusting about security threats on and to campus.

  25. Each one teach one!
    ✦ Intended to help you practice:
    ✦ Understanding a new-to-you privacy/security threat
    ✦ Once you understand it, helping others understand it too
    ✦ Trust me, these are different skills!
    ✦ Also intended to give you a chance to decode poorly-communicated security incidents.
    ✦ … which, frankly, many of them are.
    ✦ And it’s good practice for work email.
    ✦ I know, I know, email is an older-person thing. It still runs a whole lot of workplaces, so learning to use it well is a good idea.
    ✦ Tip: BLUF (BOTTOM LINE UP FRONT). In fandom, this is sometimes known as tl;dr (too long; didn’t read). 1-2 sentence summary of what the person most needs to do at start of email! THEN you explain.

  26. Book analysis
    ✦ I read this Really Cool Article, y’all!
    ✦ (It’s in your readings for next week.)
    ✦ Fulton et al. 2019. “The effect of entertainment media on mental models of computer security.” https://www.usenix.org/system/files/soups2019-fulton.pdf
    ✦ You’re going to reproduce (parts of) their analysis on a book you choose.
    ✦ (I wanted to do movie nights, but rights clearance is too expensive. Sorry.)
    ✦ One book list in syllabus; you may also choose anything in the “Fiction / Cyber Novel” category of Cybersecurity Canon.
    ✦ It doesn’t have to be a good book. If you want to point and laugh at a terrible one, go right ahead.
    ✦ Goals: better media literacy, better security awareness, and some fun with a book!

  27. Semesterlong project: Incident analysis
    ✦ You will pick a real-world security incident (grads: incident type) to read up on, analyze, and report out about.
    ✦ There’s a list in the syllabus. If you have an incident [class] in mind that’s not on there, email me. Usually I say yes!
    ✦ You will explain it to others in three ways:
    ✦ “Communication artifact” helping people protect themselves
    ✦ Slides and script for an incident presentation (such as you’d give to organization leadership)
    ✦ Incident report

  28. Really? Three times?
    ✦ Yes, because each type of explanation happens in the real world, and each has different constraints.
    ✦ Length and detail (which are inversely correlated, of course)
    ✦ Audience
    ✦ Goals
    ✦ Meta-reason: putting briefer explanations first gives you more time to accumulate and assimilate information for the lengthier final report.
    ✦ It also helps you not procrastinate on info-gathering.
    ✦ I’ll explain more in the syllabus and the Canvas assignment descriptions!

  29. Working together
    ✦ I don’t mind if several of you choose the same (class of) incident so that you can share the research load. It’s not obligatory, but it’s fine!
    ✦ I’m being explicit about this because some classes don’t allow it.
    ✦ In the Real World™, though, it’s somewhat unlikely that you’d be working on threat intelligence or incident response all by yourself.
    ✦ All your deliverables must be your own individual work, though.
    ✦ Caveat: It’s completely fine (and I encourage you) to seek feedback on your deliverables from classmates, the Writing Center, and/or the Design Lab.

  30. I don’t give a flip about citation styles in this class.
    Most workplaces don’t. If you formally cite, you may use whichever style you prefer. For most of your deliverables, a title linked to the source is enough.

  31. How to get started
    ✦ Pick your incident (class).
    ✦ Start piling up sources that look possibly-useful.
    ✦ You don’t have to read it all thoroughly at first—just make that pile.
    ✦ You CERTAINLY don’t have to understand it all yet! You’ll likely run into plenty of tech-talk and policy-talk you don’t have the background for. That’s perfectly fine. What the course itself doesn’t answer, ask about in class!
    ✦ For now, just FIND INFORMATION… and be able to find it again!
    ✦ Suggestion: annotated linklist
    ✦ Google Doc, Raindrop, Zotero, whatever.
    ✦ Copy-paste the title. Paste the link.
    ✦ When you get a chance to read it, take what notes seem good to you.

  32. My linklist for this class:
    linkspam.dsalo.info/?searchtags=510

  33. That’s it.
    The rest is in the syllabus and on Canvas. Go to it!

  34. Other semi-random possibly-useful stuff

  35. About me
    ✦ “Professor Salo” is fine. (I’m not “Dr.” anything.)
    ✦ Librarian (UW-Madison MA/LIS class of 2005!)
    ✦ Which gives me a professional obsession with privacy, which I leveraged into an interest in infosec
    ✦ iSchool instructor since 2007; full-time since 2011
    ✦ Main professional interests: student and library-patron privacy, data/information rescue (from obsolete media) and preservation, scholarly communication, metadata
    ✦ Feral techie, jack-of-all-trades-master-of-none
    ✦ Almost no formal CS or software-engineering education; what I know I mostly picked up from solving problems for myself or others
    ✦ In any tech-ish class I teach, one or more students knows more than I do about something I’m teaching. It’s cool. Often it’s helpful!
    ✦ https://dsalo.info/ and https://speakerdeck.com/dsalo and https://github.com/dsalo

  36. My surveillance practices
    ✦ We’ll be looking at Canvas’s surveillance capacity.
    ✦ Because in my informed opinion, SURVEILLANCE IS A THREAT TO INDIVIDUAL SECURITY! The best way I know to drive this home to you is to use Canvas as an example.
    ✦ I owe it to you to tell you how I use it.
    ✦ Mostly I don’t. Assignments aside, I never grade (much less discipline) based on what you do in Canvas or how long you spend doing it. I don’t even LOOK at this except…
    ✦ … if it looks like you’ve GHOSTED ON THE CLASS, I will look at when you last logged in and how much time you’ve spent in the class lately.
    ✦ If it looks like a ghosting, I then email you to ask what’s going on and whether/how I can help. Usually that solves things. If I don’t hear back, I may involve other people (your advisor, McBurney if appropriate, etc).
    ✦ My goal is ALWAYS to get you through the course successfully.

  37. UW Cybersecurity Club
    ✦ Exists! And is pretty great!
    ✦ You are all welcome, obviously.
    ✦ https://win.wisc.edu/organization/csec
    ✦ https://www.cybersecurityuw.com/
    ✦ I’ll put a link to the Discord server in Canvas.
    ✦ Discord: a voice and text/web chat application, a bit like Slack crossed with Zoom
    ✦ The club mostly uses chat, not voice.
    ✦ Disclaimer: I’m one of the club’s faculty advisors.
    ✦ But it’s student-run! I only hang around to cut red tape!

  38. Cool? Cool. Thanks!
    This presentation is copyright 2021 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.