Like Share and Subscribe: Effective Communication of Security Advice

For everyday people, security advice is confusing, boring, and ever-changing. In response, we’ve developed what are essentially superstitious habits: theatrical, security-flavoured actions that we repeat in the hope of protecting ourselves from “the hackers”.

There are two big problems here. First, how do we effectively communicate relevant security advice to non-experts? And secondly, is that advice even persuasive enough to encourage real behavioural change? What kind of advice should we be conveying, and to whom?

In this talk we cover why everyday people don’t follow security advice. To help us come up with some solutions, we introduce concepts from behavioural design, psychology and medicine. And I put the theory to the test by trialing some unconventional ways of communicating security to the masses.


Serena Chen

January 15, 2020

Transcript

  1. like, comment and subscribe: effective communication of security advice @Sereeena | LinuxConfAu 2020

  2. jingeri

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. Infosec

  10. Tech Infosec

  11. Everyone else Tech Infosec

  12. everyone deserves security.

  13. People who do the “right” things / People who do the “wrong” things: supply chain, 0days, XSS vulns, lack of 2FA adoption, old operating systems, password reuse

  14. People who do the “right” things / People who do the “wrong” things
  15. “I can’t help you”

  16. security is hard / people are bad at security

  17. People who do the “right” things / People who do the “wrong” things

  18. what if we didn’t give up?

  19. People who do the “right” things / People who do the “wrong” things

  20. security is hard / people are bad at security

  21. “I don’t think about security” ↓ “I’m used to insecurity and lack of privacy” ↓ “I consume tech but don’t demand privacy or security” ↓ “I make tech but security isn’t top of mind” ↓ “I care about security but no one else cares… no funding/support” ↓ “Why are there bugs and vulns everywhere???” The system enables security problems
  22. Everyone else Tech Infosec

  23. None
  24. 1. Who are these people? 2. What advice should we be giving them? 3. How do we communicate this advice?

  25. PART ONE: WHO IS “EVERYONE ELSE”?

  26. None
  27. group one

  28. I. Ion, R. Reeder, S. Consolvo. “...No one Can Hack My Mind”: Comparing Expert and Non-Expert Security Practices. In Proceedings of SOUPS, 2015. “Visit only websites you know” “Change passwords often” “Use antivirus”

  29. group two
  30. None
  31. None
  32. Don’t reuse passwords

  33. None
  34. None
  35. –“Sally” “I know I shouldn’t do this, but I cycle through two or three passwords for all of my accounts.”

  36. –“Sally” “I know about password managers, I just haven’t gotten around to it yet. It seems like a big time investment.”

  37. –“Sally” “I’ve been meaning to change my passwords, but my current password system is just so memorised.”
  38. ←“Sally”

  39. “asking for a friend”

  40. None
  41. Our (rough) personas • Those who are confused about what to do • Those who know what to do but not how to implement it

  42. PART TWO: WHAT ADVICE DO WE GIVE?

  43. –Interview participant 6 “Which program do I need to install to be secure?”

  44. Security is like exercise • There is always room for improvement • Must be customised to the individual’s needs • Must be habitual and ongoing

  45. incremental

  46. None
  47. What is running? Let’s do a marathon!

  48. What is security? Change ALL the passwords and put them in a password manager!!!11!1
  49. Old software Accept the next update

  50. Same password for everything Just change your email password

  51. Unique passwords but memorised Try a password manager

  52. the perfect is the enemy of the good

  53. personalised

  54. Persona axes: Technological capability (Not comfortable with technology ↔ Can quit vim); Privacy needs (“I am in hiding” ↔ “I need to be visible”); Likely adversaries (Script kiddies ↔ Nation state)

  55. Lean on the familiar • Store passwords in browser … or a notebook • Rely on smartphone • End-to-end encrypted chat apps (axis: Technological capability, Not comfortable with technology ↔ Can quit vim)

  56. Customise, try new stuff • Independent password manager • U2F keys • Ok, fine, you can tell them about PGP (axis: Technological capability, Not comfortable with technology ↔ Can quit vim)

  57. Be a minimalist • Turn off location permissions • Strict privacy settings • Compartmentalise • Regular follower/friend purging (axis: Privacy needs, “I am in hiding” ↔ “I need to be visible”)

  58. Obfuscate • Remove metadata / information in the background of photos • Use scheduling to hide activity patterns • Separate public / private personas (axis: Privacy needs, “I am in hiding” ↔ “I need to be visible”)

  59. Use generic protections • Unique passwords • App-based 2FA (axis: Likely adversaries, Script kiddies ↔ Nation state)

  60. Get specialist advice • Don’t take advice from a talk slide • Introduce them to someone who knows what they are doing • Seek !! professional !! help !! (axis: Likely adversaries, Script kiddies ↔ Nation state)

  61. Persona axes: Technological capability (Not comfortable with technology ↔ Can quit vim); Privacy needs (“I am in hiding” ↔ “I need to be visible”); Likely adversaries (Script kiddies ↔ Nation state)

  62. Personas by the Open Internet Tools Project; illustrations by Rob Vincent

  63. habitual

  64. Lay a path for progression

  65. Couch to 5K for security

  66. Update your email password → Get a password manager → Turn 2FA on for your email → Turn 2FA on for Facebook, Twitter, LinkedIn → Save current passwords to manager → Update passwords with manager → Put a passcode on your phone → Update passwords with manager

  67. Effective security advice • Make it incremental • Make it personalised • Make it habitual

  68. PART THREE: HOW DO WE COMMUNICATE?
  69. “Tell, sell, and shame” doesn’t work.

  70. “Tell, sell, and shame” doesn’t work.

  71. reactance theory AKA don’t tell me what to do

  72. Direct instruction harms the feeling of autonomy

  73. Lead by example

  74. “This is what I do and I would recommend it to you”
  75. “Tell, sell, and shame” doesn’t work.

  76. A. Perusco, N. Poder, M. Mohsin, G. Rikard-Bell, C. Rissel, M. Williams, M. Hua, E. Millen, M. Sabry and S. Guirguis, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010

  77. A. Perusco, N. Poder, M. Mohsin, G. Rikard-Bell, C. Rissel, M. Williams, M. Hua, E. Millen, M. Sabry and S. Guirguis, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010

  78. None
  79. عربى (Arabic)

  80. 5.3% decrease in smoking prevalence; 7.8% increase in smoke free homes. A. Perusco, N. Poder, M. Mohsin, G. Rikard-Bell, C. Rissel, M. Williams, M. Hua, E. Millen, M. Sabry and S. Guirguis, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010
  81. Give people successful examples to emulate

  82. FOR EXAMPLE !

  83. “Tell, sell, and shame” doesn’t work.

  84. Tech has a pervasive culture of shame

  85. None
  86. None
  87. “Windows XP”

  88. None
  89. –Interview participant 3 “I googled it, and kept installing antivirus programs until one worked.”
  90. Shame culture means people don’t ask for advice

  91. Obligatory xkcd: https://xkcd.com/1053/

  92. “Can I show you a better way to do this?”

  93. How to communicate • Veer away from the culture of shame • “Can I show you a better way?” • Show, don’t tell • Lead by example • Give people a script to navigate social situations
  94. “Tell, sell, and shame” doesn’t work.

  95. “you are literally telling us what to do”

  96. Let’s walk the walk

  97. What is something that has significantly changed my behaviour?

  98. “influencers” • Showing, not telling • Gives people the choice to opt in (or out) • Shows their mistakes, imperfections • Outlines routines, gives people steps/script to follow • Lots of different people to follow, can find one you relate to

  99. None
  100. PART FOUR: SERENA BECOMES A YOUTUBER???
  101. None
  102. I made a security YT channel, AMA • I made some average videos • They were cringeworthy • The experiment lasted 3 months • YouTube + full time work is HARD, how does SimplyNailogical do it???

  103. I made a security YT channel, AMA • Immediately fell back into the habit of TELL, SELL and SHAME • Most successful video was me going through my conference bag before Kiwicon

  104. What I learned • To reach and connect with people requires vulnerability • My brain was screaming, “BUT OPSEC”

  105. The paradox of personal security

  106. What else happened • Friends and colleagues started asking me about security • I got over myself • I showed people, IRL, my personal setup, and how I got there • I was honest about how hard it was

  107. What else happened • A lot of them were already clued up about what to do • Seeing someone they knew IRL do the Good Security allowed them to make the leap

  108. Be vulnerable

  109. I SWEAR THIS IS ALMOST OVER: SUMMARY
  110. everyone deserves security.

  111. “I don’t think about security” ↓ “I’m used to insecurity and lack of privacy” ↓ “I consume tech but don’t demand privacy or security” ↓ “I make tech but security isn’t top of mind” ↓ “I care about security but no one else cares… no funding/support” ↓ “Why are there bugs and vulns everywhere???” The system enables security problems

  112. None
  113. Update your email password → Get a password manager → Turn 2FA on for your email → Turn 2FA on for Facebook, Twitter, LinkedIn → Save current passwords to manager → Update passwords with manager → Put a passcode on your phone → Update passwords with manager

  114. Persona axes: Technological capability (Not comfortable with technology ↔ Can quit vim); Privacy needs (“I am in hiding” ↔ “I need to be visible”); Likely adversaries (Script kiddies ↔ Nation state)

  115. –Interview participant 3 “I googled it, and kept installing antivirus programs until one worked.”
  116. Obligatory xkcd: https://xkcd.com/1053/

  117. Lead by example

  118. None
  119. Be nice to people

  120. thanks! be nice to me @Sereeena • reading & references: serena.nz/talks/like-share-subscribe-references/ • a lil’ worksheet: serena.nz/work/purplecon-worksheet.pdf