Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Infosec training / On phishing tests and deception

Infosec training / On phishing tests and deception

For LIS 510 "Human factors in information security"

Dorothea Salo

April 19, 2022

More Decks by Dorothea Salo

Other Decks in Technology


  1. Infosec training

    View Slide

  2. Why training?
    ✦ The motivation is usually not improving security.
    Maybe it should be, but it isn’t.

    ✦ The motivation for workplace infosec training is
    usually COMPLIANCE, legal or standards-based.

    ✦ Legal: if some law constrains an organization to meet minimum
    security standards, it will usually stipulate some kind of employee
    training. HIPAA, for example, requires training all employees as part of
    the hire/onboarding process. GDPR also has training requirements.

    ✦ Standards: PCI, for example, requires documentation of security
    practices and procedures, including in employee manuals.

    ✦ It may also be cleanup after an incident.

    ✦ With all the hasty ill-considered panicky
    ailing that implies.

    ✦ And the one-person-messed-up-but-we’re-all-stuck-doing-this problem.

    View Slide

  3. This has implications.
    ✦ Viewed as unimportant check-the-box exercise

    ✦ Including by org-internal infosec folks! They could treat this as an
    opportunity, but more often they roll their eyes at it.

    ✦ If training is developed internally, it’s often done
    by people who… don’t teach well.

    ✦ So it’s too techie, or condescending, or communicated ineptly, or…

    ✦ Teaching, like most work, is a set of learned skills not present at birth.

    ✦ If training is outsourced (as it often is), there’s no
    connection to the local environment.

    ✦ Production values are likely higher, but it’ll be easy to sco
    at because
    the examples will feel farfetched and the systems discussed won’t be
    familiar (or named according to local practice).

    View Slide

  4. No, really, terminology
    matters here!
    ✦ Generic, non-localized training will talk about
    “video-conferencing apps.” Ring a bell?

    ✦ But you know what Zoom is. Of course you do.

    ✦ The jargon problem is exponentially worse with
    infrastructure most folks don’t think about.

    ✦ Would you have known what a “multi-factor authentication system”
    was before this class? (If you did, go you!)

    ✦ Training must use “Duo” (or whatever’s actively in use at the org) to
    be even minimally understood.

    ✦ (There are reasons I rely on UW-Madison examples in this class!)

    View Slide

  5. The eternal 101
    ✦ I have never taken a required infosec training that
    went anywhere close to the richness and usefulness
    of the CR Security Planner.

    ✦ It’s always Infosec 101. Passwords, phishing, yawn.

    ✦ While I understand the need to raise the
    repeated 101-level training does not help people
    learn more advanced (and useful!) concepts, tools,
    or behaviors.

    ✦ It sure does teach them to despise infosec, though.
    How remarkably counterproductive!

    ✦ Moral: let people “place out” of basics

    ✦ e.g. through quizzing them up-front and exempting those who pass

    View Slide

  6. Okay, larger moral:
    ✦ For all kinds of education and training, not only infosec!


    ✦ This is an ideal, of course. Whenever you’re dealing with a lot of
    people (hi there, y’all!), they’ll be in lots of di
    erent places.

    ✦ But you can still be explicit about the audience(s) you’re aiming at,
    and you can (and should) apologize to everyone else.

    ✦ A much better structure than “lecture, then test”
    is “check, then teach as needed.”

    ✦ If I were in charge of infosec training, I’d start with a pre-test, divided
    into modules (“email/phishing,” “passwords,” “BYOD,” etc).

    ✦ Pass a module? You either get to skip that training OR (my
    preference) you get more advanced content.

    ✦ You view only the 101 modules you actually need to.

    View Slide

  7. This also means knowing
    people’s practices.
    ✦ As we’ve discussed, people’s approach to many
    infosec matters falls into known patterns.

    ✦ Infosec training rarely takes that into account.

    ✦ “Choose a strong password!” instead of “Here are common password
    practices that are easily breached, so don’t:” or even “here’s why the
    system’s password tester rejects certain kinds of passwords:”

    ✦ “Don’t click on links in emails!” when that’s clearly impractical advice.

    ✦ (I’ve seen the above in UW trainings. UW constantly sends out emails
    with clickable links. Sigh.)

    ✦ Infosec training rarely if ever starts with
    ethnographic-style inquiry into the org.

    ✦ It should, though. It sure should.

    View Slide

  8. One size fits no one
    ✦ Typically, everybody in the org gets the same old
    Infosec 101 training.

    ✦ This completely ignores di
    erent behaviors,
    threats, and risks associated with di
    erent roles.

    ✦ Example: As an instructor here, I don’t need to know about infosec in
    hiring. Not my problem! I don’t do hiring paperwork!

    ✦ Do I need to know how to keep student emails to me secure? Heck
    yeah I do; if I don’t do that, I risk harm to students and violating
    federal law (FERPA). Our HR person also needs to know this, because
    we hire student employees.

    ✦ And because people (wrongly) think that the same
    old Infosec 101 is everything they ever need to
    know… they’re vulnerable to role-based attacks.

    View Slide

  9. Focusing too much on tech
    ✦ What use is the strongest password there is, if
    people aren’t prepared to resist attempts by social
    engineers to get them to reveal it?

    ✦ PHISHING. Phishing phishing phishing.

    ✦ Did you know that business-email compromise (spearphishing aimed
    at conning people into various kinds of false payments) is collectively
    the most expensive infosec fail in the US? Now you do.

    ✦ Yet most Infosec 101 is all about tech stu

    ✦ This is even worse because social engineering is…
    actually hard to make boring?!

    ✦ And it sets up a clear us-against-the-world feeling, which is socially
    useful for infosec folks and the org in general.

    ✦ (Though be careful to discuss insider threat also!)

    View Slide

  10. In fact…
    ✦ … in my experience, it’s a lot easier for people to
    understand attacks if they
    rst understand
    attackERS, and their techniques and motives.

    ✦ Would this have a lot to do with the topic sequencing in this course?
    Yep, you betcha.

    ✦ Use the
    uency heuristic (people remember and
    repeat what they’re familiar with) to help.

    ✦ Get people familiar with an “attacker” persona.

    ✦ Would this be why I teach you Alice/Bob/Eve and use the phrase
    “garbage human” a lot? Yep, you betcha, at least in part.

    ✦ (Alice/Bob/Eve is common infosec jargon; that’s another reason I use it.)

    ✦ And use real-world case studies, ideally from peer
    orgs in the same or similar industry.

    View Slide

  11. 2021 research on infosec
    ✦ “[E]mployee perceptions of [training] programs
    relate to their previously held beliefs about:

    ✦ “cybersecurity threats,

    ✦ “the content and delivery of the training program,

    ✦ “the behaviour of others around them, and

    ✦ “features of their organisation.” (This amounted to the usability of
    security measures and perceived necessity to work around them…
    which should sound familiar to you by now!)

    ✦ From:

    ✦ Reeves, Calic, and Delfabbro. “‘Get a red-hot poker and open up my
    eyes, it's so boring’: Employee perceptions of cybersecurity training”
    Computers & Security 106 (2021), https://doi.org/10.1016/

    ✦ Best article title ever, or best article title EVER?!

    View Slide

  12. What do people believe
    about infosec threats?
    ✦ We’ve seen a lot of it before. But for the record,
    here are themes the article found:

    ✦ “I already know all this, or at least enough to make my own
    decisions!” (Another pitfall of neverending Infosec 101… people have
    no reason to realize everything they don’t know, because they’re
    never shown anything beyond the 101 level!)

    ✦ “I don’t need to understand this, even if I could! The system needs to
    handle its own security! Usably!” (Attributed to “younger users.”)

    ✦ Password issues. (Including one org where the training recommended
    a password manager… which the org refused to let employees install
    or use.)

    View Slide

  13. Content and delivery
    ✦ Few surprises here: it ain’t great. (For the record: I
    very don’t love our trainings here.)

    ✦ People’s mood at training time also matters, unsurprisingly.

    ✦ Misery loves company: group training preferred to individual.

    ✦ I have sympathy! Of course I do. High production
    values take a lot more time and e
    ort than I have.

    ✦ Add in internationalization and accessibility requirements, and the
    workload multiplies by… a lot.

    ✦ I don’t have sympathy for:

    ✦ Measures that try to force attention — e.g. online trainings that won’t
    advance unless they’re the topmost window, video that only plays at 1x
    speed. Get over yourselves, trainers.

    ✦ Irrelevancies. Again, know the context and work within it!

    ✦ Unexplained or unnecessary jargon. Condescension. Scare tactics.

    View Slide

  14. The behavior of others
    ✦ We’re social animals, we humans. We behave as the
    others around us behave.

    ✦ In almost all organizations, “the others around us”
    are not infosec folks!

    ✦ And infosec folks tend to be pretty siloed. Those of you with jobs: do you
    know who’s securing your org’s systems? By name? I’d be surprised if you
    did. Who’s the current UW-Madison CISO, for that matter? I don’t think
    I’ve mentioned…

    ✦ So we enable each others’ poor infosec hygiene.

    ✦ Including spreading misunderstandings and broken mental models.

    ✦ It’s worse if the poor hygienist is our boss. They can
    demand that we do the wrong thing!

    ✦ Where training con
    icts with human social
    behaviors, training will lose. No question about it.

    View Slide

  15. With one caveat:
    ✦ People will bring infosec dilemmas to someone
    they trust, respect, and believe is knowledgeable.

    ✦ I’ve had it happen a fair bit, with colleagues as well as students.

    ✦ (Hey, I appreciate the trust and respect! I’m kind of proud of this.)

    ✦ For an org that’s serious about security…

    ✦ (rather than treating it as a pointless compliance exercise)

    ✦ … it makes a lot of sense to locate and leverage
    these people!

    ✦ Could they be involved in training somehow?

    ✦ Can they be recognized for their e

    View Slide

  16. Okay, two caveats:
    ✦ People will use convenient, available, usually
    informal comms channels to ask infosec questions.

    ✦ They come up not-infrequently on the UW-Madison subreddit.

    ✦ It can make sense to (discreetly and non-creepily)
    keep an eye on those.

    ✦ Setting up alerts on words (e.g. in a work Slack) may make sense.

    ✦ If there’s an infosec person (or a connector, as before) with very good
    social judgment and skill at explaining, answering questions or weighing
    in on situations may be a way to build useful social trust.

    ✦ But the good social judgment is vital!!!! Just horning in on every
    vaguely-relevant conversation (or worse, posting canned answers) won’t
    help — in fact, it’ll hurt.

    ✦ (I do answer infosec questions on the sub when I see them. My answers
    get upvoted, so my social acumen seems… mostly okay?)

    View Slide

  17. Summing up
    ✦ Infosec training sucks, but it doesn’t have to.

    ✦ Making it not suck involves:

    ✦ taking it seriously, and having goals for it besides compliance

    ✦ not putting people through endless rounds of the same old Infosec
    101 stu
    ; letting those who are ready learn more!

    ✦ understanding and working with local context and human habits

    ✦ leveraging and building on org-internal social relationships, partly to
    hear and answer point-of-need questions

    ✦ o
    ering workable guidance, avoiding unreachable “don’t ever click
    links in email!” ideals

    ✦ helping people build mental models, threat models, etc. without
    which very little guidance (even when it’s workable) makes sense

    View Slide

  18. Questions? Ask them!
    This lecture is copyright 2018 by Dorothea Salo.

    It is available under a Creative Commons Attribution
    4.0 International license.

    View Slide

  19. On phishing tests

    and deception
    LIS 510

    View Slide

  20. I’ve changed my tune

    on phishing tests.
    ✦ I used to be just eyerolly about phishing tests.

    ✦ I now think they are unethical, and not only
    ectual, but actively dangerous to an
    organization’s overall infosec posture.

    ✦ Don’t do them. Don’t pay for them. Protest them.

    View Slide

  21. Why these happen
    ✦ Compliance and “cover our butts,” again.

    ✦ Like training, phishing tests are construed as Doing Something.

    ✦ “Number go up” assessment mentality

    ✦ If 90% of employees pass the
    rst phish test and 95% pass the
    second, NUMBER WENT UP, so everything’s cool in infosecland,
    right? RIGHT?!

    ✦ Super
    cial, erroneous “they must be ignorant/
    stupid” belief about why people fall for phishes

    ✦ If you actually ask people (what a concept, I know!), it’s because
    they’re overworked and rushed.

    ✦ Who has time to thoughtfully consider each and every link in an
    email?! Their boss would just yell at them for being unproductive.

    ✦ Phishing tests cannot
    x this root cause!!!!!!!!

    View Slide

  22. The “gotcha” motive
    ✦ A lot of infosec people enjoy puzzles, games,
    especially in competitive contexts. Nothing
    necessarily wrong with that, okay?

    ✦ Though I do think it’s a limiter for the broader infosec workforce.

    ✦ It becomes a problem when it turns into the wish
    to trick/con, embarrass, trash-talk, or laugh at
    other people. That’s garbage-human territory.

    ✦ Do I think phishing tests happen partly because
    some infosec folks get their jollies out of feeling
    superior to others?

    ✦ And build phish tests that give them maximum jollies?

    ✦ Yeah. I do. And that’s a bad, bad problem.

    View Slide

  23. (a digression)
    ✦ My dad was a university professor. Anthropology.

    ✦ He hated his students. HATED. Despised them.
    Genuinely loved putting trick questions on exams
    and laughing when his students fell for them.

    ✦ He also used students as pawns in
    ghts with his department.

    ✦ This is horri
    c pedagogy. When I accidentally
    ended up teaching, I swore to myself that I would
    do things di
    erently. I hope I have.

    ✦ It may seem obvious that instructors actually have to want their
    students to learn, but… my dad never did.

    ✦ … A lot of infosec trainers (infosec people in
    general, really) remind me of my dad. Not good.

    View Slide

  24. If I just speared you…
    ✦ … yeah, sorry. I have Feelings about all this.

    ✦ But I need you to
    x your heart, okay? We all
    need you to.

    ✦ A world where folks are all out to trick and laugh
    at other folks is… not a good world.

    ✦ It’s possible to change. It’s possible to do and be
    better. You don’t win by shoving others down.

    ✦ I’ve had to struggle with my own character defects too. I lived
    through it and did better. If I can, you can.

    ✦ Take joy in other people. Celebrate them!

    ✦ As a teacher/trainer, celebrate their learning.

    View Slide

  25. Randall Munroe, “Ten Thousand”

    https://xkcd.com/1053/ CC-BY-NC

    View Slide

  26. How phish tests work
    ✦ Internal infosec o
    ce or external contractor
    designs test, including the pretext(s) it will use.

    ✦ Links in the email usually lead to some kind of “you got phished!
    don’t do that!” gotcha/training page.

    ✦ Test is
    elded against all employees, with little or
    no notice beforehand.

    ✦ Here there’s usually some kind of announcement, but it’s buried and
    easy to miss.

    ✦ Those who fall for the phish are individually
    ed and reported on.

    ✦ There’ll be an identi
    er in the link in the fake-phish email, tied to
    each email address the fake phish is sent to.

    View Slide

  27. Cost in time, productivity,
    and trust
    ✦ UW-Madison employs over 20,000 people.

    ✦ Imagine that each person spends just one minute
    considering that fake phish. That’s over 20,000
    minutes of work time, or 333 hours.

    ✦ I don’t have an average salary to hand (median would be better
    anyway), but let’s assume it’s something like $40/hour. That’s $13,320
    plus the cost to build and
    eld the test and analyze the results, just
    for one dang phishing test.

    ✦ Notice that I’m not even counting (re)training time here. It adds up.

    ✦ Nobody likes phish tests. (I actively resent UW
    System for doing them.) Does your org need
    more reasons for employees to be mad at it?

    View Slide

  28. Is it worth it?
    ✦ No training or testing has been shown to
    eliminate successful phishes altogether.

    ✦ Research: counterintuitively, repeated phishing
    tests plus non-mandatory training can make
    people MORE likely to click on real phish.

    ✦ Lain, Kostiainien & Čaron 2021

    ✦ Why? Not totally clear, but it appears the a
    ected folks think the
    training means the org is protecting them, so they don’t actually have
    to worry about phish as individuals.

    ✦ In other words, folks completely misunderstood the point of the test!
    That… doesn’t bode well for their infosec hygiene generally, and it
    also doesn’t say much for any training they’ve gotten.

    View Slide

  29. Cruel pretexts
    ✦ Money, sometimes life-changing money, aimed at
    folks who are poor and/or poorly paid

    ✦ Real-life examples: COVID bene
    ts, bonuses, health-care promises,
    discounts — that didn’t exist.

    ✦ I saw an infosec pro on Twitter point out that the root cause here is
    actually lousy pay and bene
    ts. That’s absolutely correct; treating people
    poorly and underpaying them creates a lot of infosec risk.

    ✦ Higher ed: grade- or disciplinary-action-related scare

    ✦ Phishes ostensibly from the [Big] Boss, often
    designed to make person think they might be (or get)
    in trouble

    ✦ I’m waiting for somebody with anxiety to sue under the ADA over this. I
    am not a lawyer, but I have to think it’d be a workable case.

    View Slide

  30. Defense from phish testers:

    “But garbage humans are using
    these tactics to phish!”
    ✦ Yeah. They are.

    ✦ So what does that make you, exactly, O Phish

    ✦ Look. Infosec is not a get-out-of-garbage-human-
    -free card. Cruelty is cruelty. Lying is lying.

    ✦ Phish testers deserve every bit of the pushback
    they get over phishing tests. And more, frankly.

    View Slide

  31. Punishment

    over phishing-test results
    ✦ It’s happened. It shouldn’t.

    ✦ It’s an absolutely sordid and unethical idea.

    ✦ One reason: phish people often enough, and everyone will eventually
    click. Yes, pretty much everyone. (Lain, Kostiainien & Čaron 2021)
    erent people fall for di
    erent pretexts, but everybody’s vulnerable
    to something.

    ✦ Another reason: disincentivizing reporting, again — if people are
    afraid to report infosec issues because they fear punishment,
    incidents are more likely, higher-severity, and longer-lasting.

    ✦ A third: disciplining people you intentionally deceived is just gross.
    It’s a garbage-humanny, unethical way to treat people.

    ✦ Keep in mind also that people perceive “you
    failed; go take another training” as punishment.

    View Slide

  32. Public blame-and-shame
    ✦ Are you kidding me?!?!?! I didn’t want to believe
    this even happens.

    ✦ Management 101: never, ever, EVER shame
    employees in public.

    ✦ Any conversation involving critique (much less discipline) must be
    held in private! And kept as con
    dential as possible!

    ✦ Anything else creates an organizational culture of terror and secrecy
    over mistakes… which is awful for the org’s infosec posture.

    ✦ Public shaming is also (one more time!) just an
    awful way to treat people. It won’t help them
    learn… but will make them leave!

    View Slide

  33. Lost trust

    in infosec people
    ✦ You DO NOT want the top association people
    have with infosec folks to be phishing tests.

    ✦ Like, this is actually super-dangerous!!!!!

    ✦ Will someone who associates infosec with
    deception and cruelty report infosec problems?

    ✦ Will they do what infosec says? (What if it’s mid-
    incident, and really important that they do?)

    ✦ Will they write o
    everything infosec-related
    because “those people are just JERKS”?

    View Slide

  34. Malicious “compliance”

    and lost productivity

    View Slide

  35. Better ideas
    ✦ (mostly from the Lain et al. piece)

    ✦ Make it easy to report suspected phish. Then take
    people’s reports seriously!

    ✦ It turns out that if reporting is easy enough, people will get in the habit
    of doing it (habituation for the win, for once!), and won’t get sick of it.

    ✦ Averaged over the organization, these reports are indeed good advance
    indicators of phishing campaigns. (I think it’s possible to improve on
    this, by evaluating who’s a good phish reporter, then paying extra
    attention to their reports. Future research!)

    ✦ Positive reinforcement: reward phish-

    ✦ Including those who initially fall for a phish, but report it quickly anyway.

    ✦ Tell them when they detected real phish, so their phish-radar improves.

    ✦ Detect phish technically, and stop delivery.

    View Slide

  36. Address root causes
    ✦ Starvation wages and bene

    ✦ Poor
    nancial controls

    ✦ I cannot get over how long it takes organizations (of all sizes, small to
    gargantuan) to notice fake invoices!!!!!

    ✦ There are supposed to be PROCESSES for knowing who your vendors
    are, and that a given invoice is legitimate!

    ✦ Rushed workers

    ✦ Crappy systems that get in people’s way and force
    them to come up with workarounds

    ✦ Jerk bosses, intimidation at work

    ✦ (Notice how only one of these is technological?
    Yeah. Infosec is about people or it’s garbage.)

    View Slide

  37. Questions? Ask them!
    This lecture is copyright 2018 by Dorothea Salo.

    It is available under a Creative Commons Attribution
    4.0 International license.

    View Slide