For LIS 510 "Human factors in information security"
✦ The motivation is usually not improving security.
Maybe it should be, but it isn’t.
✦ The motivation for workplace infosec training is
usually COMPLIANCE, legal or standards-based.
✦ Legal: if some law constrains an organization to meet minimum
security standards, it will usually stipulate some kind of employee
training. HIPAA, for example, requires training all employees as part of
the hire/onboarding process. GDPR also has training requirements.
✦ Standards: PCI, for example, requires documentation of security
practices and procedures, including in employee manuals.
✦ It may also be cleanup after an incident.
✦ With all the hasty, ill-considered, panicky flailing that implies.
✦ And the one-person-messed-up-but-we’re-all-stuck-doing-this problem.
This has implications.
✦ Viewed as an unimportant check-the-box exercise
✦ Including by org-internal infosec folks! They could treat this as an
opportunity, but more often they roll their eyes at it.
✦ If training is developed internally, it’s often done
by people who… don’t teach well.
✦ So it’s too techie, or condescending, or communicated ineptly, or…
✦ Teaching, like most work, is a set of learned skills not present at birth.
✦ If training is outsourced (as it often is), there’s no
connection to the local environment.
✦ Production values are likely higher, but it’ll be easy to scoff: the examples will feel farfetched and the systems discussed won’t be familiar (or named according to local practice).
No, really, terminology
✦ Generic, non-localized training will talk about
“video-conferencing apps.” Ring a bell?
✦ But you know what Zoom is. Of course you do.
✦ The jargon problem is exponentially worse with
infrastructure most folks don’t think about.
✦ Would you have known what a “multi-factor authentication system”
was before this class? (If you did, go you!)
✦ Training must use “Duo” (or whatever’s actively in use at the org) to
be even minimally understood.
✦ (There are reasons I rely on UW-Madison examples in this class!)
The eternal 101
✦ I have never taken a required infosec training that
went anywhere close to the richness and usefulness
of the CR Security Planner.
✦ It’s always Infosec 101. Passwords, phishing, yawn.
✦ While I understand the need to raise the
repeated 101-level training does not help people
learn more advanced (and useful!) concepts, tools,
✦ It sure does teach them to despise infosec, though.
How remarkably counterproductive!
✦ Moral: let people “place out” of basics
✦ e.g. through quizzing them up-front and exempting those who pass
Okay, larger moral:
✦ For all kinds of education and training, not only infosec!
✦ MEET PEOPLE WHERE THEY ARE.
✦ This is an ideal, of course. Whenever you’re dealing with a lot of people (hi there, y’all!), they’ll be in lots of different places.
✦ But you can still be explicit about the audience(s) you’re aiming at,
and you can (and should) apologize to everyone else.
✦ A much better structure than “lecture, then test”
is “check, then teach as needed.”
✦ If I were in charge of infosec training, I’d start with a pre-test, divided
into modules (“email/phishing,” “passwords,” “BYOD,” etc).
✦ Pass a module? You either get to skip that training OR (my
preference) you get more advanced content.
✦ You view only the 101 modules you actually need to.
This also means knowing
✦ As we’ve discussed, people’s approach to many
infosec matters falls into known patterns.
✦ Infosec training rarely takes that into account.
✦ “Choose a strong password!” instead of “Here are common password
practices that are easily breached, so don’t:” or even “here’s why the
system’s password tester rejects certain kinds of passwords:”
✦ “Don’t click on links in emails!” when that’s clearly impractical advice.
✦ (I’ve seen the above in UW trainings. UW constantly sends out emails
with clickable links. Sigh.)
✦ Infosec training rarely if ever starts with
ethnographic-style inquiry into the org.
✦ It should, though. It sure should.
One size fits no one
✦ Typically, everybody in the org gets the same old
Infosec 101 training.
✦ This completely ignores the different threats and risks associated with different roles.
✦ Example: As an instructor here, I don’t need to know about infosec in
hiring. Not my problem! I don’t do hiring paperwork!
✦ Do I need to know how to keep student emails to me secure? Heck
yeah I do; if I don’t do that, I risk harm to students and violating
federal law (FERPA). Our HR person also needs to know this, because
we hire student employees.
✦ And because people (wrongly) think that the same
old Infosec 101 is everything they ever need to
know… they’re vulnerable to role-based attacks.
Focusing too much on tech
✦ What use is the strongest password there is, if
people aren’t prepared to resist attempts by social
engineers to get them to reveal it?
✦ PHISHING. Phishing phishing phishing.
✦ Did you know that business-email compromise (spearphishing aimed at conning people into various kinds of false payments) has, by reported losses in the FBI’s IC3 annual reports, been the most expensive category of infosec fail in the US? Now you do.
✦ Yet most Infosec 101 is all about tech stuff.
✦ This is even worse because social engineering is…
actually hard to make boring?!
✦ And it sets up a clear us-against-the-world feeling, which is socially
useful for infosec folks and the org in general.
✦ (Though be careful to discuss insider threat also!)
✦ … in my experience, it’s a lot easier for people to understand attacks if they first understand the attackERS, and their techniques and motives.
✦ Would this have a lot to do with the topic sequencing in this course?
Yep, you betcha.
✦ Use the fluency heuristic (people remember and repeat what they’re familiar with) to help.
✦ Get people familiar with an “attacker” persona.
✦ Would this be why I teach you Alice/Bob/Eve and use the phrase
“garbage human” a lot? Yep, you betcha, at least in part.
✦ (Alice/Bob/Eve is common infosec jargon; that’s another reason I use it.)
✦ And use real-world case studies, ideally from peer
orgs in the same or similar industry.
2021 research on infosec
✦ “[E]mployee perceptions of [training] programs
relate to their previously held beliefs about:
✦ “cybersecurity threats,
✦ “the content and delivery of the training program,
✦ “the behaviour of others around them, and
✦ “features of their organisation.” (This amounted to the usability of
security measures and perceived necessity to work around them…
which should sound familiar to you by now!)
✦ Reeves, Calic, and Delfabbro. “‘Get a red-hot poker and open up my
eyes, it's so boring’: Employee perceptions of cybersecurity training”
Computers & Security 106 (2021), https://doi.org/10.1016/
✦ Best article title ever, or best article title EVER?!
What do people believe
about infosec threats?
✦ We’ve seen a lot of it before. But for the record,
here are themes the article found:
✦ “I already know all this, or at least enough to make my own
decisions!” (Another pitfall of neverending Infosec 101… people have
no reason to realize everything they don’t know, because they’re
never shown anything beyond the 101 level!)
✦ “I don’t need to understand this, even if I could! The system needs to
handle its own security! Usably!” (Attributed to “younger users.”)
✦ Password issues. (Including one org where the training recommended a password manager… which the org refused to let employees install.)
Content and delivery
✦ Few surprises here: it ain’t great. (For the record: I
very don’t love our trainings here.)
✦ People’s mood at training time also matters, unsurprisingly.
✦ Misery loves company: group training preferred to individual.
✦ I have sympathy! Of course I do. High production values take a lot more time and effort than I have.
✦ Add in internationalization and accessibility requirements, and the
workload multiplies by… a lot.
✦ I don’t have sympathy for:
✦ Measures that try to force attention — e.g. online trainings that won’t
advance unless they’re the topmost window, video that only plays at 1x
speed. Get over yourselves, trainers.
✦ Irrelevancies. Again, know the context and work within it!
✦ Unexplained or unnecessary jargon. Condescension. Scare tactics.
The behavior of others
✦ We’re social animals, we humans. We behave as the
others around us behave.
✦ In almost all organizations, “the others around us”
are not infosec folks!
✦ And infosec folks tend to be pretty siloed. Those of you with jobs: do you
know who’s securing your org’s systems? By name? I’d be surprised if you
did. Who’s the current UW-Madison CISO, for that matter? I don’t think
✦ So we enable each other’s poor infosec hygiene.
✦ Including spreading misunderstandings and broken mental models.
✦ It’s worse if the poor hygienist is our boss. They can
demand that we do the wrong thing!
✦ Where training conflicts with human social behaviors, training will lose. No question about it.
With one caveat:
✦ People will bring infosec dilemmas to someone
they trust, respect, and believe is knowledgeable.
✦ I’ve had it happen a fair bit, with colleagues as well as students.
✦ (Hey, I appreciate the trust and respect! I’m kind of proud of this.)
✦ For an org that’s serious about security…
✦ (rather than treating it as a pointless compliance exercise)
✦ … it makes a lot of sense to locate and leverage those trusted connectors.
✦ Could they be involved in training somehow?
✦ Can they be recognized for their efforts?
Okay, two caveats:
✦ People will use convenient, available, usually
informal comms channels to ask infosec questions.
✦ They come up not-infrequently on the UW-Madison subreddit.
✦ It can make sense to (discreetly and non-creepily)
keep an eye on those.
✦ Setting up alerts on words (e.g. in a work Slack) may make sense.
✦ If there’s an infosec person (or a connector, as before) with very good
social judgment and skill at explaining, answering questions or weighing
in on situations may be a way to build useful social trust.
✦ But the good social judgment is vital!!!! Just horning in on every
vaguely-relevant conversation (or worse, posting canned answers) won’t
help — in fact, it’ll hurt.
✦ (I do answer infosec questions on the sub when I see them. My answers
get upvoted, so my social acumen seems… mostly okay?)
✦ Infosec training sucks, but it doesn’t have to.
✦ Making it not suck involves:
✦ taking it seriously, and having goals for it besides compliance
✦ not putting people through endless rounds of the same old Infosec 101; letting those who are ready learn more!
✦ understanding and working with local context and human habits
✦ leveraging and building on org-internal social relationships, partly to
hear and answer point-of-need questions
✦ offering workable guidance, avoiding unreachable “don’t ever click links in email!” ideals
✦ helping people build mental models, threat models, etc. without
which very little guidance (even when it’s workable) makes sense
Questions? Ask them!
This lecture is copyright 2018 by Dorothea Salo.
It is available under a Creative Commons Attribution
4.0 International license.
On phishing tests
I’ve changed my tune
on phishing tests.
✦ I used to be just eyerolly about phishing tests.
✦ I now think they are unethical, and not only ineffectual, but actively dangerous to an organization’s overall infosec posture.
✦ Don’t do them. Don’t pay for them. Protest them.
Why these happen
✦ Compliance and “cover our butts,” again.
✦ Like training, phishing tests are construed as Doing Something.
✦ “Number go up” assessment mentality
✦ If 90% of employees pass the first phish test and 95% pass the second, NUMBER WENT UP, so everything’s cool in infosecland.
✦ Superficial, erroneous “they must be ignorant/stupid” belief about why people fall for phishes
✦ If you actually ask people (what a concept, I know!), it’s because
they’re overworked and rushed.
✦ Who has time to thoughtfully consider each and every link in an
email?! Their boss would just yell at them for being unproductive.
✦ Phishing tests cannot fix this root cause!!!!!!!!
The “gotcha” motive
✦ A lot of infosec people enjoy puzzles, games,
especially in competitive contexts. Nothing
necessarily wrong with that, okay?
✦ Though I do think it’s a limiter for the broader infosec workforce.
✦ It becomes a problem when it turns into the wish
to trick/con, embarrass, trash-talk, or laugh at
other people. That’s garbage-human territory.
✦ Do I think phishing tests happen partly because
some infosec folks get their jollies out of feeling
superior to others?
✦ And build phish tests that give them maximum jollies?
✦ Yeah. I do. And that’s a bad, bad problem.
✦ My dad was a university professor. Anthropology.
✦ He hated his students. HATED. Despised them.
Genuinely loved putting trick questions on exams
and laughing when his students fell for them.
✦ He also used students as pawns in fights with his department.
✦ This is horrific pedagogy. When I accidentally ended up teaching, I swore to myself that I would do things differently. I hope I have.
✦ It may seem obvious that instructors actually have to want their
students to learn, but… my dad never did.
✦ … A lot of infosec trainers (infosec people in
general, really) remind me of my dad. Not good.
If I just speared you…
✦ … yeah, sorry. I have Feelings about all this.
✦ But I need you to fix your heart, okay? We all need you to.
✦ A world where folks are all out to trick and laugh
at other folks is… not a good world.
✦ It’s possible to change. It’s possible to do and be
better. You don’t win by shoving others down.
✦ I’ve had to struggle with my own character defects too. I lived
through it and did better. If I can, you can.
✦ Take joy in other people. Celebrate them!
✦ As a teacher/trainer, celebrate their learning.
Randall Munroe, “Ten Thousand”
How phish tests work
✦ Internal infosec office or external contractor designs test, including the pretext(s) it will use.
✦ Links in the email usually lead to some kind of “you got phished! don’t do that!” gotcha/training page.
✦ Test is fielded against all employees, with little or no notice beforehand.
✦ Here there’s usually some kind of announcement, but it’s buried and easy to miss.
✦ Those who fall for the phish are individually identified and reported on.
✦ There’ll be an identifier in the link in the fake-phish email, tied to each email address the fake phish is sent to.
Cost in time, productivity,
✦ UW-Madison employs over 20,000 people.
✦ Imagine that each person spends just one minute
considering that fake phish. That’s over 20,000
minutes of work time, or 333 hours.
✦ I don’t have an average salary to hand (median would be better anyway), but let’s assume it’s something like $40/hour. That’s $13,320 plus the cost to build and field the test and analyze the results, just for one dang phishing test.
✦ Notice that I’m not even counting (re)training time here. It adds up.
✦ Nobody likes phish tests. (I actively resent UW
System for doing them.) Does your org need
more reasons for employees to be mad at it?
Is it worth it?
✦ No training or testing has been shown to
eliminate successful phishes altogether.
✦ Research: counterintuitively, repeated phishing
tests plus non-mandatory training can make
people MORE likely to click on real phish.
✦ Lain, Kostiainen & Čapkun 2021, “Phishing in Organizations: Findings from a Large-Scale and Long-Term Study”
✦ Why? Not totally clear, but it appears the affected folks think the training means the org is protecting them, so they don’t actually have to worry about phish as individuals.
✦ In other words, folks completely misunderstood the point of the test!
That… doesn’t bode well for their infosec hygiene generally, and it
also doesn’t say much for any training they’ve gotten.
✦ Money, sometimes life-changing money, aimed at
folks who are poor and/or poorly paid
✦ Real-life examples: COVID benefits, bonuses, health-care promises, discounts — that didn’t exist.
✦ I saw an infosec pro on Twitter point out that the root cause here is actually lousy pay and benefits. That’s absolutely correct; treating people poorly and underpaying them creates a lot of infosec risk.
✦ Higher ed: grade- or disciplinary-action-related scare
✦ Phishes ostensibly from the [Big] Boss, often designed to make the person think they might be (or get) fired.
✦ I’m waiting for somebody with anxiety to sue under the ADA over this. I
am not a lawyer, but I have to think it’d be a workable case.
Defense from phish testers:
“But garbage humans are using
these tactics to phish!”
✦ Yeah. They are.
✦ So what does that make you, exactly, O Phish
✦ Look. Infosec is not a get-out-of-garbage-human-free card. Cruelty is cruelty. Lying is lying.
✦ Phish testers deserve every bit of the pushback
they get over phishing tests. And more, frankly.
Disciplining people over phishing-test results
✦ It’s happened. It shouldn’t.
✦ It’s an absolutely sordid and unethical idea.
✦ One reason: phish people often enough, and everyone will eventually click. Yes, pretty much everyone. (Lain, Kostiainen & Čapkun 2021)
✦ Different people fall for different pretexts, but everybody’s vulnerable.
✦ Another reason: disincentivizing reporting, again — if people are
afraid to report infosec issues because they fear punishment,
incidents are more likely, higher-severity, and longer-lasting.
✦ A third: disciplining people you intentionally deceived is just gross.
It’s a garbage-humanny, unethical way to treat people.
✦ Keep in mind also that people perceive “you
failed; go take another training” as punishment.
✦ Are you kidding me?!?!?! I didn’t want to believe
this even happens.
✦ Management 101: never, ever, EVER shame
employees in public.
✦ Any conversation involving critique (much less discipline) must be held in private! And kept as confidential as possible!
✦ Anything else creates an organizational culture of terror and secrecy
over mistakes… which is awful for the org’s infosec posture.
✦ Public shaming is also (one more time!) just an
awful way to treat people. It won’t help them
learn… but will make them leave!
in infosec people
✦ You DO NOT want the top association people
have with infosec folks to be phishing tests.
✦ Like, this is actually super-dangerous!!!!!
✦ Will someone who associates infosec with
deception and cruelty report infosec problems?
✦ Will they do what infosec says? (What if it’s mid-
incident, and really important that they do?)
✦ Will they write off infosec because “those people are just JERKS”?
and lost productivity
✦ (mostly from the Lain et al. piece)
✦ Make it easy to report suspected phish. Then take
people’s reports seriously!
✦ It turns out that if reporting is easy enough, people will get in the habit
of doing it (habituation for the win, for once!), and won’t get sick of it.
✦ Averaged over the organization, these reports are indeed good advance
indicators of phishing campaigns. (I think it’s possible to improve on
this, by evaluating who’s a good phish reporter, then paying extra
attention to their reports. Future research!)
✦ Positive reinforcement: reward phish-reporters.
✦ Including those who initially fall for a phish, but report it quickly anyway.
✦ Tell them when they detected real phish, so their phish-radar improves.
✦ Detect phish technically, and stop delivery.
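To make the “pay extra attention to the good phish reporters” idea a few bullets up concrete, here is an added example. It is my own sketch, not code from this lecture or from the Lain et al. study: each reporter gets a precision score from past triage outcomes (with a mild prior so brand-new reporters count as a coin flip), and a reported message cluster is scored by the sum of its reporters’ precisions rather than by a raw count. The triage history, the morning’s reports, and the 1.5 alert threshold are all constructed for the example.

```python
"""Weighting user phish reports by each reporter's track record.

Constructed example: the triage history and the incoming reports below are
made-up data, not drawn from any real organization.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    reporter: str      # who pressed the "report phish" button
    message_key: str   # normalized sender+subject, used to cluster one campaign


def reporter_precision(history, prior_hits=1.0, prior_total=2.0):
    """Per-reporter precision with a Beta(1,1)-style prior.

    history maps reporter -> (confirmed_phish, total_past_reports), taken from
    earlier triage outcomes. A reporter with no history scores 0.5, so new
    reporters neither dominate the signal nor vanish from it.
    """
    return {
        reporter: (hits + prior_hits) / (total + prior_total)
        for reporter, (hits, total) in history.items()
    }


def score_reports(reports, precision, default=0.5):
    """Sum each reporter's precision for every message key.

    Returns {message_key: (raw_report_count, weighted_score)}, so the raw
    "number go up" count sits next to the reliability-weighted score.
    """
    raw = defaultdict(int)
    weighted = defaultdict(float)
    for r in reports:
        raw[r.message_key] += 1
        weighted[r.message_key] += precision.get(r.reporter, default)
    return {k: (raw[k], round(weighted[k], 3)) for k in raw}


def flag_campaigns(scores, threshold=1.5):
    """Message keys whose weighted score crosses the (constructed) alert threshold."""
    return sorted(k for k, (_, w) in scores.items() if w >= threshold)


# Constructed triage history: (confirmed phish, total reports) per person.
HISTORY = {
    "ada": (18, 20),   # reports rarely, almost always right
    "ben": (9, 10),
    "cal": (2, 20),    # reports every newsletter as phish
    "dee": (1, 15),
    "eve": (3, 25),
}

# Constructed incoming reports for one morning.
REPORTS = [
    Report("ada", "payroll-update@external"),
    Report("ben", "payroll-update@external"),
    Report("cal", "campus-newsletter"),
    Report("dee", "campus-newsletter"),
    Report("eve", "campus-newsletter"),
    Report("cal", "payroll-update@external"),
]


def run(reports=REPORTS, history=HISTORY):
    """Score the reports and return (scores, flagged_message_keys)."""
    precision = reporter_precision(history)
    scores = score_reports(reports, precision)
    return scores, flag_campaigns(scores)


if __name__ == "__main__":
    scores, flagged = run()
    for key, (n, w) in scores.items():
        print(f"{key:26s} reports={n} weighted={w}")
    print("flag:", flagged)
```

Both clusters get exactly three reports, so a raw count cannot tell them apart; the weighted score flags only the payroll lure, because its reporters have a track record of being right. The smoothing prior matters for the failure mode the lecture worries about: someone who reports for the first time still counts, just not as much as a proven reporter, so the scheme rewards reporting without letting one over-eager reporter set off alarms.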
Address root causes
✦ Starvation wages and benefits
✦ I cannot get over how long it takes organizations (of all sizes, small to
gargantuan) to notice fake invoices!!!!!
✦ There are supposed to be PROCESSES for knowing who your vendors
are, and that a given invoice is legitimate!
✦ Rushed workers
✦ Crappy systems that get in people’s way and force
them to come up with workarounds
✦ Jerk bosses, intimidation at work
✦ (Notice how only one of these is technological?
Yeah. Infosec is about people or it’s garbage.)