Infosec training / On phishing tests and deception

For LIS 510 "Human factors in information security"

Dorothea Salo

April 19, 2022

Transcript

  1. Infosec training

  2. A lot of you said “training!”
    in your “how to make it better” section
    of your news presentations.
    I’m about to question that advice.

  3. Why training?
    ✦ The motivation is usually not improving security. Maybe it should be, but it isn’t.
    ✦ The motivation for workplace infosec training is usually COMPLIANCE, legal or standards-based.
    ✦ Legal: if some law constrains an organization to meet minimum security standards, it will usually stipulate some kind of employee training. HIPAA, for example, requires training all employees as part of the hire/onboarding process. GDPR also has training requirements.
    ✦ Standards: PCI, for example, requires documentation of security practices and procedures, including in employee manuals.
    ✦ It may also be cleanup after an incident.
    ✦ With all the hasty ill-considered panicky flailing that implies.
    ✦ And the one-person-messed-up-but-we’re-all-stuck-doing-this problem.

  4. This has implications.
    ✦ Viewed as unimportant check-the-box exercise
    ✦ Including by org-internal infosec folks! They could treat this as an opportunity, but more often they roll their eyes at it.
    ✦ If training is developed internally, it’s often done by people who… don’t teach well.
    ✦ So it’s too techie, or condescending, or communicated ineptly, or…
    ✦ Teaching, like most work, is a set of learned skills not present at birth.
    ✦ If training is outsourced (as it often is), there’s no connection to the local environment.
    ✦ Production values are likely higher, but it’ll be easy to scoff at because the examples will feel farfetched and the systems discussed won’t be familiar (or named according to local practice).

  5. No, really, terminology
    matters here!
    ✦ Generic, non-localized training will talk about “video-conferencing apps.” Ring a bell?
    ✦ But you know what Zoom is. Of course you do.
    ✦ The jargon problem is exponentially worse with infrastructure most folks don’t think about.
    ✦ Would you have known what a “multi-factor authentication system” was before this class? (If you did, go you!)
    ✦ Training must use “Duo” (or whatever’s actively in use at the org) to be even minimally understood.
    ✦ (There are reasons I rely on UW-Madison examples in this class!)

  6. The eternal 101
    ✦ I have never taken a required infosec training that went anywhere close to the richness and usefulness of the CR Security Planner.
    ✦ It’s always Infosec 101. Passwords, phishing, yawn.
    ✦ While I understand the need to raise the floor, repeated 101-level training does not help people learn more advanced (and useful!) concepts, tools, or behaviors.
    ✦ It sure does teach them to despise infosec, though. How remarkably counterproductive!
    ✦ Moral: let people “place out” of basics
    ✦ e.g. through quizzing them up-front and exempting those who pass

  7. Decontextualized rules

  8. Why?
    Why are these rules important?
    Why are these even the rules?

  9. You all now know why
    because I talked
    about attacks and attackers
    in this class.
    Most people haven’t taken
    this class, though,
    or anything like it.
    They don’t know why.

  10. Without some kind of “why”
    — ideally in the form of a story —
    these rules look like pointless arbitrary
    nitpicking.

  11. I’m not saying I’m a master storyteller
    or anything,
    but I’m TOTALLY saying
    that telling Alice/Bob/Eve stories
    was a deliberate choice I made.
    Human beings respond
    to “why” and to stories about why.
    Basic human thing!
    So why doesn’t infosec training
    tell stories?

  12. Because the current vocational turn
    in higher education treats storytelling
    as unimportant “liberal arts” stuff
    that’s not professionally useful?
    Yeah, I totally do think
    that’s part of it.
    And I think that thinking
    is MASSIVELY misguided.

  13. Humans tell stories!
    ✦ We learned that already, right? Folk models of security are basically a whisper game, people passing stories around.
    ✦ You all told true stories in your news presentations.
    ✦ I routinely bookmark good infosec stories I can tell in class, or point people to.
    ✦ Plus you all analyzed human-written stories for what they say (rightly or wrongly) about security.
    ✦ You know stories matter. I know stories matter. Take that with you into your lives as citizens, employees, teachers/trainers, and… humans.

  14. TAKE YOUR COMM A
    AND COMM B
    COURSES SERIOUSLY,
    Y’ALL.
    They’re where you start
    to learn this kind of thing.
    A favorite word of mine:
    KAIROS.
    Means adapting communication
    to audience and situation.

  15. Okay, another moral:
    ✦ For all kinds of education and training, not only infosec!
    ✦ MEET PEOPLE WHERE THEY ARE.
    ✦ This is an ideal, of course. Whenever you’re dealing with a lot of people (hi there, y’all!), they’ll be in lots of different places.
    ✦ But you can still be explicit about the audience(s) you’re aiming at, and you can (and should) apologize to everyone else.
    ✦ A much better structure than “lecture, then test” is “check, then teach as needed.”
    ✦ If I were in charge of infosec training, I’d start with a pre-test, divided into modules (“email/phishing,” “passwords,” “BYOD,” etc).
    ✦ Pass a module? You either get to skip that training OR (my preference) you get more advanced content.
    ✦ You view only the 101 modules you actually need to.

  16. This also means knowing
    people’s practices.
    ✦ As we’ve discussed, people’s approach to many infosec matters falls into known patterns.
    ✦ Infosec training rarely takes that into account.
    ✦ “Choose a strong password!” instead of “Here are common password practices that are easily breached, so don’t:” or even “here’s why the system’s password tester rejects certain kinds of passwords:”
    ✦ “Don’t click on links in emails!” when that’s clearly impractical advice.
    ✦ (I’ve seen “don’t click links!” in UW trainings. UW constantly sends out emails with clickable links. Sigh.)
    ✦ Infosec training rarely if ever starts with ethnographic-style inquiry into the org.
    ✦ It should, though. It sure should.

  17. One size fits no one
    ✦ Typically, everybody in the org gets the same old Infosec 101 training.
    ✦ This completely ignores different behaviors, threats, and risks associated with different roles.
    ✦ Example: As an instructor here, I don’t need to know about infosec in hiring. Not my problem! I don’t do hiring paperwork!
    ✦ Do I need to know how to keep student emails to me secure? Heck yeah I do; if I don’t do that, I risk harm to students and violating federal law (FERPA). Our HR folks also need to know this, because we hire student employees.
    ✦ And because people (wrongly) think that the same old Infosec 101 is everything they ever need to know… they’re vulnerable to role-based attacks.

  18. Focusing too much on tech
    ✦ What use is the strongest password there is, if people aren’t prepared to resist attempts by social engineers to get them to reveal it?
    ✦ PHISHING. Phishing phishing phishing.
    ✦ Did you know that business-email compromise (spearphishing aimed at conning people into various kinds of false payments) is collectively the most expensive infosec fail in the US? Now you do.
    ✦ Yet most Infosec 101 is mostly about tech stuff.
    ✦ This is even worse because social engineering is… actually hard to make boring?!
    ✦ And it sets up a clear us-against-the-world feeling, which is socially useful for infosec folks and the org in general.
    ✦ (Though be careful to discuss insider threat also!)

  19. In fact…
    ✦ … in my experience, it’s a lot easier for people to understand attacks if they first understand attackERS, and their techniques and motives.
    ✦ Would this have a lot to do with the topic sequencing in this course? Yep, you betcha.
    ✦ Use the fluency heuristic (people remember and repeat what they’re familiar with) to help.
    ✦ Get people familiar with an “attacker” persona.
    ✦ Would this be why I teach you Alice/Bob/Eve and use the phrase “garbage human” a lot? Yep, you betcha, at least in part.
    ✦ (Alice/Bob/Eve is common infosec jargon; that’s another reason I use it.)
    ✦ And use real-world case studies (STORIES!), ideally from peer orgs in the same or similar industry.

  20. Hard to make boring… but not
    impossible

  21. SHOW REAL PHISH,
    for pity’s sake!
    You’re DoIT, you’ve got
    THOUSANDS of real phish
    you can show people
    and talk about
    the consequences of.
    Also, IMAGES.
    People like those!

  22. Ask for help.
    Like, seriously.
    ✦ Reciprocity and kindness are major forces in interpersonal relations.
    ✦ Instead of “we’re the Smart People telling all y’all peons what to do!”…
    ✦ … try “attackers are everywhere, we need your help to keep them out, please help us!”
    ✦ signed (and ideally written) by an actual human being, not an office
    ✦ Anything that humanizes IT/infosec people is a good idea, honestly.
    ✦ Because, again, people help other PEOPLE.

  23. Dorothea tells the story
    of the CyberBob/CIO office visit.
    (or: how a CIO-office employee
    lost my friendship for good)

  24. 2021 research on infosec
    training:
    ✦ “[E]mployee perceptions of [training] programs relate to their previously held beliefs about:
    ✦ “cybersecurity threats,
    ✦ “the content and delivery of the training program,
    ✦ “the behaviour of others around them, and
    ✦ “features of their organisation.” (This amounted to the usability of security measures and perceived necessity to work around them… which should sound familiar to you by now!)
    ✦ From:
    ✦ Reeves, Calic, and Delfabbro. “‘Get a red-hot poker and open up my eyes, it's so boring’: Employee perceptions of cybersecurity training.” Computers & Security 106 (2021), https://doi.org/10.1016/j.cose.2021.102281
    ✦ Best article title ever, or best article title EVER?!

  25. What do people believe
    about infosec threats?
    ✦ We’ve seen a lot of it before. But for the record, here are themes the article found:
    ✦ “I already know all this, or at least enough to make my own decisions!” (Another pitfall of neverending Infosec 101… people have no reason to realize everything they don’t know, because they’re never shown anything beyond the 101 level!)
    ✦ (This is another reason I like Backdoors and Breaches in this class. It gives you a sense of the breadth of infosec knowledge that there is.)
    ✦ “I don’t need to understand this, even if I could! The system needs to handle its own security! Usably!” (Attributed to “younger users.” The pitfall here is that no tech system can fix social engineering attacks.)
    ✦ Password issues. (Including one org where the training recommended a password manager… which the org refused to let employees install or use.)

  26. Content and delivery
    ✦ As we’ve seen: it ain’t great. (I critique UW’s trainings because I genuinely think they’re awful.)
    ✦ People’s mood at training time also matters, unsurprisingly.
    ✦ Misery loves company: group training preferred to individual.
    ✦ I have sympathy! Of course I do. High production values take a lot more time and effort than I have.
    ✦ Add in internationalization and accessibility requirements, and the workload multiplies by… a lot.
    ✦ I don’t have sympathy for:
    ✦ Measures that try to force attention — e.g. online trainings that won’t advance unless they’re the topmost window, video that only plays at 1x speed. Get over yourselves, trainers.
    ✦ Irrelevancies. Again, know the context and work within it!
    ✦ Unexplained or unnecessary jargon. Condescension. Scare tactics.

  27. The behavior of others
    ✦ We’re social animals, we humans. We behave as the others around us behave.
    ✦ In almost all organizations, “the others around us” are not infosec folks!
    ✦ And infosec folks tend to be pretty siloed. Those of you with jobs: do you know who’s securing your org’s systems? By name? I’d be surprised if you did. Who’s the current UW-Madison CISO, for that matter? I don’t think I’ve mentioned…
    ✦ So we enable each other’s poor infosec hygiene.
    ✦ Including spreading misunderstandings and broken mental models.
    ✦ It’s worse if the poor hygienist is our boss. They can demand that we do the wrong thing!
    ✦ Where training conflicts with human social behaviors, training will lose. No question about it.

  28. With one caveat:
    ✦ People bring infosec dilemmas to someone they trust, respect, and believe is knowledgeable.
    ✦ I’ve had it happen a fair bit, with colleagues as well as students.
    ✦ (Hey, I appreciate the trust and respect! I’m kind of proud of this.)
    ✦ For an org that’s serious about security…
    ✦ (rather than treating it as a pointless compliance exercise)
    ✦ … it makes a lot of sense to locate and leverage these people!
    ✦ Could they be involved in training somehow?
    ✦ Can they be recognized for their efforts?

  29. Okay, two caveats:
    ✦ People will use convenient, available, usually informal comms channels to ask infosec questions.
    ✦ They come up not-infrequently on the UW-Madison subreddit.
    ✦ It can make sense to (discreetly and non-creepily) keep an eye on those.
    ✦ Setting up alerts on words (e.g. in a work Slack) may make sense.
    ✦ If there’s an infosec person (or a connector, as before) with very good social judgment and skill at explaining, answering questions or weighing in on situations may be a way to build useful social trust.
    ✦ But the good social judgment is vital!!!! Just horning in on every vaguely-relevant conversation (or worse, posting canned answers) won’t help — in fact, it’ll hurt.
    ✦ (When I was on Reddit, I answered infosec questions on the sub. My answers got upvoted, so my social acumen seems… mostly okay?)

  30. Summing up
    ✦ Infosec training sucks, but it doesn’t have to.
    ✦ Making it not suck involves:
    ✦ taking it seriously, and having goals for it besides compliance
    ✦ not putting people through endless rounds of the same old Infosec 101 stuff; letting those who are ready learn more!
    ✦ understanding and working with local context and human habits
    ✦ offering workable guidance, avoiding unreachable “don’t ever click links in email!” ideals
    ✦ using STORIES, explaining WHY, because that…
    ✦ … helps people build mental models, threat models, etc. without which very little guidance (even when it’s workable) makes sense
    ✦ leveraging and building on org-internal social relationships, partly to hear and answer point-of-need questions

  31. Questions? Ask them!
    This lecture is copyright 2018 by Dorothea Salo.
    It is available under a Creative Commons Attribution
    4.0 International license.

  32. On phishing tests
    and deception
    LIS 510

  33. I’ve changed my tune
    on phishing tests.
    ✦ I used to be just eyerolly about phishing tests.
    ✦ I now think they are unethical, and not only ineffectual, but actively dangerous to an organization’s overall infosec posture.
    ✦ Don’t do them. Don’t pay for them. Protest them.

  34. How people are
    successfully phished
    ✦ Do they know/recall that phishing is a thing?
    ✦ Research: this is the big stumbling block, actually!
    ✦ Experts and non-experts use most of the same cues to detect phish. Experts, however, always have the possibility of phish in mind.
    ✦ Do they know what to do about it?
    ✦ Is there an easy way to report? Do they know they won’t be punished if they report a false positive? Or report that they fell for a phish?
    ✦ Do they think that reporting a phish actually accomplishes anything?
    ✦ Around here they disappear into a black box. Bad idea — people are curious! Teach them by satisfying their curiosity!
    ✦ Does the phish “hook” them?
    ✦ Urgency, $$$, authority are the Big Three hooks.

  35. Handling phishing right:
    UW-Madison’s library-IT folks
    (for the record, I got Ayça’s permission to show you her email)

  36. What’s good about this
    ✦ Ayça is a human being and a colleague!
    ✦ (She was always the one to send out those emails.)
    ✦ She also has a longstanding reputation for expertise and helpfulness.
    ✦ Point-of-need and point-of-curiosity training
    ✦ Not once-a-year yawnfests
    ✦ Actual real-world example
    ✦ Better yet, one that was going around just then
    ✦ Conversational tone
    ✦ Again, Ayça is writing as a PERSON, not a parrot (stochastic or otherwise).
    ✦ Kairos! Helpful navigation for a lengthy email.

  37. Why phish tests happen
    ✦ Compliance and “cover our butts,” again.
    ✦ Like training, phishing tests are construed as Doing Something.
    ✦ “Number go up” assessment mentality
    ✦ If 90% of employees pass the first phish test and 95% pass the second, NUMBER WENT UP, so everything’s cool in infosecland, right? RIGHT?!
    ✦ Superficial, erroneous “they must be ignorant/stupid” belief about why people fall for phishes
    ✦ If you actually ask people (what a concept, I know!), it’s because they’re overworked and rushed. Or they don’t care, screw IT.
    ✦ Who has time to thoughtfully consider each and every link in an email?! Their boss would just yell at them for being unproductive.
    ✦ Phishing tests cannot fix this root cause!!!!!!!!

  38. The “gotcha” motive
    ✦ A lot of infosec people enjoy puzzles, games, especially in competitive contexts. Nothing necessarily wrong with that, okay?
    ✦ Though I do think it’s a limiter for the broader infosec workforce.
    ✦ It becomes a problem when it turns into the wish to trick/con, embarrass, trash-talk, or laugh at other people. That’s garbage-human territory.
    ✦ Do I think phishing tests happen partly because some infosec folks get their jollies out of feeling superior to others?
    ✦ And build phish tests that give them maximum jollies?
    ✦ Yeah. I do. And that’s a bad, bad problem.

  39. (a digression)
    ✦ My dad was a university professor. Anthropology.
    ✦ He hated his students. HATED. Despised them. Genuinely loved putting trick questions on exams and laughing when his students fell for them.
    ✦ He also used students as pawns in fights with his department.
    ✦ This is horrific pedagogy. When I accidentally ended up teaching, I swore to myself that I would do things differently. I hope I have.
    ✦ It may seem obvious that instructors actually have to want their students to learn, but… my dad never did.
    ✦ … A lot of infosec trainers (infosec people in general, really) remind me of my dad. Not good.

  40. If I just speared you
    over schadenfreude…
    ✦ … yeah, sorry. I have Feelings about all this.
    ✦ But we all need you to fix your heart, okay?
    ✦ A world where folks are all out to con and laugh at and despise other folks is… not a good world.
    ✦ Also, making people feel special via inviting them to despise others is an enormously common con/grift tactic. Resist it for your OWN sake.
    ✦ It’s possible to change. It’s possible to do and be better. You don’t win by shoving others down.
    ✦ I’ve had to struggle with my own character defects too. I lived through it and did better. If I can, you can.
    ✦ Take joy in other people. Celebrate them!
    ✦ As a teacher/trainer, celebrate their learning.

  41. Randall Munroe, “Ten Thousand”
    https://xkcd.com/1053/ CC-BY-NC

  42. How phish tests work
    ✦ Internal infosec office or external contractor designs test, including the pretext(s) it will use.
    ✦ Links in the email usually lead to some kind of “you got phished, you big silly! don’t do that!” gotcha/training page.
    ✦ Test is fielded against all employees, with little or no notice beforehand.
    ✦ Here there’s usually some kind of announcement, but it’s buried and easy to miss.
    ✦ Those who fall for the phish are individually identified and reported on.
    ✦ There’ll be an identifier in the link in the fake-phish email, tied to each email address the fake phish is sent to.

  43. Cost in time, productivity,
    and trust
    ✦ UW-Madison employs over 20,000 people.
    ✦ Imagine that each person spends just one minute considering that fake phish. That’s over 20,000 minutes of work time, or 333 hours.
    ✦ I don’t have an average salary to hand (median would be better anyway), but let’s assume it’s something like $50/hour. That’s $16,650 plus the cost to build and field the test and analyze the results, just for one dang phishing test.
    ✦ Notice that I’m not even counting (re)training time here. It adds up.
    ✦ Nobody likes phish tests. (I actively resent UW System for doing them.) Does your org need more reasons for employees to be mad at it?

  44. Is it worth it?
    ✦ No training or testing has been shown to eliminate successful phishes altogether.
    ✦ Counterintuitively, repeated phishing tests plus non-mandatory training can make people MORE likely to click on real phish.
    ✦ Lain, Kostiainen & Čapkun 2021
    ✦ Why? Not clear, but it seems the affected folks think the “you failed the phish test” page means the org detects and handles phishing…
    ✦ … so they don’t actually have to worry about phish as individuals.
    ✦ In other words, folks completely misunderstood the point of the test! That… doesn’t bode well for their infosec hygiene generally, and it also doesn’t say much for any training they’ve gotten.

  45. Cruel pretexts
    ✦ Money, sometimes life-changing money, aimed at folks who are poor and/or poorly paid
    ✦ Real-life examples: COVID benefits, bonuses, health-care promises, discounts — that didn’t exist.
    ✦ I saw an infosec pro on Twitter point out that the root cause here is actually lousy pay and benefits. That’s absolutely correct; treating people poorly and underpaying them creates a lot of infosec risk.
    ✦ Higher ed: grade- or disciplinary-action-related scare tactics
    ✦ Phishes ostensibly from the [Big] Boss, often designed to make the person think they might be (or get) in trouble
    ✦ I’m waiting for somebody with anxiety to sue under the ADA over this. I am not a lawyer, but I have to think it’d be a workable case.

  46. Seriously don’t do this.
    It’s evil.

  47. Defense from phish testers:
    “But garbage humans are using
    these tactics to phish!”
    ✦ Yeah. They are.
    ✦ So what does that make you, exactly, O Phish Tester?
    ✦ Look. Infosec is not a get-out-of-garbage-human-stuff-free card. Cruelty is cruelty. Lying is lying.
    ✦ Phish testers deserve every bit of the pushback they get over phishing tests. And more, frankly.

  48. Punishment
    over phishing-test results
    ✦ It’s happened. It shouldn’t.
    ✦ It’s an absolutely sordid and unethical idea.
    ✦ One reason: phish people often enough, and everyone will eventually click. Yes, pretty much everyone. (Lain, Kostiainen & Čapkun 2021) Different people fall for different pretexts, but everybody’s vulnerable to something.
    ✦ Another reason: disincentivizing reporting, again — if people are afraid to report infosec issues because they fear punishment, incidents are more likely, higher-severity, and longer-lasting.
    ✦ A third: disciplining people you intentionally deceived is just gross. It’s a garbage-humanny, unethical way to treat people.
    ✦ Keep in mind also that people perceive “you failed; go take another training” as punishment.

  49. Public blame-and-shame
    ✦ Are you kidding me?!?!?! I didn’t want to believe this even happens.
    ✦ Management 101: never, ever, EVER shame employees in public.
    ✦ Any conversation involving critique (much less discipline) must be held in private! And kept as confidential as possible!
    ✦ Anything else creates an organizational culture of terror and secrecy over mistakes… which is terrible for the org’s infosec posture.
    ✦ Public shaming is also (one more time!) just an awful way to treat people. It won’t help them learn… but will make them leave!

  50. Lost trust
    in infosec people
    ✦ You DO NOT want the top association people have with infosec folks to be phishing tests.
    ✦ Like, this is actually super-dangerous!!!!!
    ✦ Will someone who associates infosec with deception and cruelty report infosec problems?
    ✦ Will they do what infosec says?
    ✦ What if it’s mid-incident, and really important that they do?
    ✦ Will they feel morally/ethically justified doing end-runs around those liars in infosec?
    ✦ Will they write off everything infosec-related because “those people are just JERKS”?

  51. Malicious “compliance”
    and lost productivity

  52. Better ideas
    ✦ (mostly from the Lain et al. piece)
    ✦ Make it easy to report suspected phish. Then take people’s reports seriously!
    ✦ It turns out that if reporting is easy enough, people will get in the habit of doing it (habituation for the win, for once!), and won’t get sick of it.
    ✦ Averaged over the organization, these reports are indeed good advance indicators of phishing campaigns. (I think it’s likely possible to improve on this, by evaluating who’s a good phish reporter, then paying extra attention to their reports. Future research!)
    ✦ Positive reinforcement: reward phish-finders!
    ✦ Including those who initially fall for a phish, but report it quickly anyway.
    ✦ Tell them when they detected real phish, so their phish-radar improves.
    ✦ Detect phish technically, and stop delivery.
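    As an added example (not part of the lecture or the Lain et al. paper), here is one way a security team could turn the "reports as advance indicators" idea plus the "weight the good reporters" suggestion into triage logic: reporters get a smoothed precision from past triaged reports, incoming reports are clustered by sender domain and subject, and a cluster is alerted on when its reporter-weighted score crosses a threshold. The report lines, reporter histories, threshold and weighting scheme are all constructed assumptions.

```python
"""Reporter-weighted early warning from user phish reports (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Report:
    reporter: str
    when: datetime
    sender: str    # From: address as the user reported it
    subject: str


def reporter_weights(history):
    """history: (reporter, was_real_phish) pairs from past triaged reports.
    Laplace-smoothed precision, so a single report does not swing the
    weight and a brand-new reporter (absent here) falls back to a default."""
    hits, total = defaultdict(int), defaultdict(int)
    for reporter, was_real in history:
        total[reporter] += 1
        hits[reporter] += int(was_real)
    return {r: (hits[r] + 1) / (total[r] + 2) for r in total}


def cluster_key(report):
    """Crude campaign clustering: sender domain + normalized subject."""
    domain = report.sender.rsplit("@", 1)[-1].lower()
    subject = " ".join(report.subject.lower().replace("re:", "").split())
    return (domain, subject)


def score_clusters(reports, weights, threshold=1.25, default=0.5):
    """Walk reports in time order; each (reporter, cluster) counts once, so a
    chronic re-reporter cannot inflate a cluster. Returns per cluster the raw
    report count, the weighted score and when the threshold was first crossed."""
    seen, out = set(), {}
    for rep in sorted(reports, key=lambda r: r.when):
        key = cluster_key(rep)
        entry = out.setdefault(key, {"raw": 0, "weighted": 0.0, "alert_at": None})
        if (rep.reporter, key) in seen:
            continue
        seen.add((rep.reporter, key))
        entry["raw"] += 1
        entry["weighted"] += weights.get(rep.reporter, default)
        if entry["alert_at"] is None and entry["weighted"] >= threshold:
            entry["alert_at"] = rep.when
    return out


def triage_order(scores):
    """Clusters ordered by weighted score, i.e. which one an analyst opens first."""
    return sorted(scores, key=lambda k: scores[k]["weighted"], reverse=True)


def at(hour, minute):
    return datetime(2022, 4, 19, hour, minute)


# Constructed data: alice has a perfect record, bob reports legitimate mail
# constantly, carol is decent, erin and frank have no history.
HISTORY = ([("alice", True)] * 4 + [("bob", False)] * 5
           + [("carol", True), ("carol", True), ("carol", False)])

REPORTS = [
    Report("bob",   at(8, 50), "news@example-news.test",    "Weekly digest"),
    Report("alice", at(9, 0),  "payroll@example-evil.test", "Bonus payment pending"),
    Report("erin",  at(9, 2),  "news@example-news.test",    "Re: Weekly digest"),
    Report("bob",   at(9, 4),  "news@example-news.test",    "Weekly digest"),  # dup
    Report("carol", at(9, 7),  "payroll@example-evil.test", "RE: Bonus payment pending"),
    Report("frank", at(9, 9),  "news@example-news.test",    "Weekly digest"),
]

if __name__ == "__main__":
    scores = score_clusters(REPORTS, reporter_weights(HISTORY))
    for key in triage_order(scores):
        print(key, scores[key])
```

With these inputs the newsletter cluster has more raw reports (3) than the payroll one (2), but the weighted score puts the payroll cluster first and alerts on it at 09:07, while the newsletter never crosses the threshold.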

  53. Address root causes
    ✦ Starvation wages and benefits
    ✦ Poor financial controls
    ✦ I cannot get over how long it takes organizations (of all sizes, small to gargantuan) to notice fake invoices!!!!!
    ✦ There are supposed to be PROCESSES for knowing who your vendors are, and that a given invoice is legitimate!
    ✦ Rushed workers, understaffing
    ✦ Crappy systems that get in people’s way and force them to come up with workarounds
    ✦ Jerk bosses, intimidation at work
    ✦ (Notice how only one of these is technological? Yeah. Infosec is about people or it’s garbage.)

  54. Questions? Ask them!
    This lecture is copyright 2018 by Dorothea Salo.
    It is available under a Creative Commons Attribution
    4.0 International license.
