Upgrade to Pro — share decks privately, control downloads, hide ads and more …

purplecon — like, comment and subscribe: effect...

Serena Chen
November 15, 2018
Technology
0
290

purplecon — like, comment and subscribe: effective communication of security advice

for everyday people, security advice is confusing, boring, and ever changing. in response, we’ve developed what essentially are superstitious habits — theatrical, security-flavoured actions that we repeat in hopes of protecting ourselves from “the hackers”.

there are two big problems here. first, how do we effectively communicate relevant security advice to non-experts? and secondly, is that advice even persuasive enough to encourage real behavioural change? what kind of advice should we be conveying, and to whom?

in this talk we’ll cover why everyday people don’t follow security advice. to help us come up with some solutions, we’ll introduce concepts from behavioural design, psychology and medicine. and i’ll put the theory to the test by trialling some unconventional ways of communicating security to the masses.

Serena Chen

November 15, 2018
Tweet

More Decks by Serena Chen

See All by Serena Chen
Like Share and Subscribe: Effective Communication of Security Advice
heisenburger
0
95
Design for Security — Web Directions Summit 2019
heisenburger
0
170
Design for Security — O'Reilly Velocity 2018
heisenburger
2
440
Design for Security — BSides Wellington 2017
heisenburger
1
520
The Ideal Styling Language — CSSConfAu 2016
heisenburger
2
240
Intro to Design and UX — The Good Bits
heisenburger
0
300

Other Decks in Technology

See All in Technology
自分の軸足を見つけろ
tsuemura
2
660
Automatically generating types by running tests
sinsoku
2
660
AIエージェントの地上戦 〜開発計画と運用実践 / 2025/04/08 Findy W&Bミートアップ #19
smiyawaki0820
29
9k
さくらの夕べ Debianナイト - さくらのVPS編
dictoss
0
190
CBになったのでEKSのこともっと知ってもらいたい!
daitak
1
160
AWSLambdaMCPServerを使ってツールとMCPサーバを分離する
tkikuchi
1
2.8k
20250413_湘南kaggler会_音声認識で使うのってメルス・・・なんだっけ?
sugupoko
1
440
OSSコントリビュートをphp-srcメンテナの立場から語る / OSS Contribute
sakitakamachi
0
1.3k
システムとの会話から生まれる先手のDevOps
kakehashi
PRO
0
250
SREの視点で考えるSIEM活用術 〜AWS環境でのセキュリティ強化〜
coconala_engineer
1
270
MCP Documentation Server @AI Coding Meetup #1
yyoshiki41
2
2.6k
開発視点でAWS Signerを考えてみよう!! ~コード署名のその先へ~
masakiokuda
3
160

Featured

See All Featured
Why Our Code Smells
bkeepers
PRO
336
57k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
390
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Adopting Sorbet at Scale
ufuk
76
9.3k
GraphQLの誤解/rethinking-graphql
sonatard
71
10k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
13
660
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.2k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Visualization
eitanlees
146
16k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.5k
Code Review Best Practice
trishagee
67
18k
VelocityConf: Rendering Performance Case Studies
addyosmani
328
24k

Transcript

  1. like, comment and subscribe @Sereeena | purplecon 2018

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. Infosec

  9. Tech Infosec (Blockchain is in there somewhere) →

  10. Everyone else Tech Infosec

  11. Everyone deserves security

  12. Security is hard.

  13. People who do the “right” things People who do the

    “wrong” things supply chain 0days XSS vulns lack of 2FA adoption old operating systems password reuse

  14. People who do the “right” things People who do the

    “wrong” things

  15. “I can’t help you.”

  16. Security is hard ⊗ People aren’t good at security

  17. People who do the “right” things People who do the

    “wrong” things

  18. What if we didn’t give up?

  19. People who do the “right” things People who do the

    “wrong” things

  20. Security is hard ⊗ People aren’t good at security

  21. Security is hard ⊖ People aren’t good at security

  22. “I don’t think about security” ↓
 “I’m used to insecurity

    and lack of privacy” ↓
 “I consume tech but don’t demand privacy or security” ↓
 “I make tech but security isn’t top of mind” ↓
 “I care about security but no one else cares… no funding/support” ↓
 “Why are there bugs and vulns everywhere???” The system enables security problems

  23. Everyone else Tech Infosec

  24. None

  25. 1. Who are these people? 2. What advice should we

    be giving them? 3. How do we communicate this advice?

  26. PART ONE WHO IS “EVERYONE ELSE”

  27. None

  28. I Ion, R Reeder, S Consolvo. “...No one Can Hack

    My Mind”: Comparing Expert and Non-Expert Security Practices. In Proceedings of SOUPS, 2015. What is good practice?
  29. None
  30. None

  31. Don’t reuse passwords "

  32. None

  33. –Interview participant 4 “I know I shouldn’t do this, but

    I cycle through two or three passwords for all of my accounts.”

  34. –Interview participant 3 “I know about password managers, I just

    haven’t gotten around to it yet. It seems like a big time investment.”

  35. –Interview participant 4 “I’ve been meaning to change my passwords,

    but my current password system is just so memorised.”

  36. ←“Sally”

  37. “asking for a friend”

  38. None

  39. Our (rough) personas •Those who are confused about what to

    do •Those who know what to do but not how to implement it

  40. PART TWO WHAT ADVICE TO GIVE

  41. –Interview participant 6 “Which program do I need to install

    to be secure?”
  42. None

  43. Security is like exercise •There is always room for improvement

    •Must be customised to the individual’s needs •Must be habitual and ongoing

  44. Incremental change

  45. None

  46. What is running? Let’s do a marathon!

  47. What is security? Change ALL the 
 passwords and put

    
 them in a password
 manager!!!1 1!1

  48. Old software Accept the next update

  49. Same password 
 for everything Just change your 
 email

    password

  50. Unique passwords
 but memorised Try a password
 manager

  51. The perfect is the enemy of the good

  52. Personalised change

  53. Technological capability Privacy needs Likely adversaries Not comfortable with technology

    “I am in hiding” Script kiddies Can quit vim “I need to be visible” National state

  54. Technological capability Not comfortable with technology Can quit vim Recommend

    defaults • Store passwords in browser • Rely on smartphone

  55. Technological capability Not comfortable with technology Can quit vim Recommend

    customisation • Independent password manager • U2F key • More compartmentalisation

  56. Privacy needs “I am in hiding” “I need to be

    visible” Recommend minimalism •Delete profiles, only keep what is necessary • Compartmentalise • Regular follower/friend purging • Change contact details regularly

  57. Privacy needs “I am in hiding” “I need to be

    visible” Recommend obfuscation • Remove metadata from photos/posts •Only allow messages from known people • Use scheduling to hide activity patterns

  58. Likely adversaries Script kiddies Recommend general protections •Unique passwords for

    most important accounts • 2FA turned on Nation state

  59. Likely adversaries Script kiddies Recommend specialist advice • Don’t take

    advice from a talk slide •Introduce them to someone who knows what they’re talking about • Seek !! professional !! help !! Nation state

  60. Technological capability Privacy needs Likely adversaries Not comfortable with technology

    “I am in hiding” Script kiddies Can quit vim “I need to be visible” Nation state

  61. Personas by the Open Internet Tools Project; illustrations by Rob

    Vincent

  62. Ongoing change

  63. Lay a path for progression

  64. Couch to 5K for security

  65. Update your email password Get a password manager Turn 2FA

    on for your email Turn 2FA on for Facebook, Twitter, LinkedIn Save current passwords to manager Update passwords with manager Put a passcode on your phone Update passwords with manager

  66. The perfect is the enemy of the good

  67. Effective security advice •Make it incremental •Make it personalised •Make

    it habitual

  68. PART THREE HOW TO COMMUNICATE

  69. “Tell, sell, and shame” doesn’t work.

  70. Infosec has a pervasive culture of shame

  71. None
  72. None

  73. “Windows XP”

  74. “Tell, sell, and shame” doesn’t work.

  75. –Interview participant 3 “I googled it, and kept installing antivirus

    programs until one worked.”

  76. Shaming culture means people don’t ask for advice

  77. So what should we do?

  78. Obligatory xkcd: https://xkcd.com/1053/

  79. “Can I show you a better way to do this?”

  80. Show don’t tell

  81. Reactance theory AKA don’t tell me what to do

  82. Direct instruction harms the feeling of self-control

  83. “Tell, sell, and shame” doesn’t work.

  84. Lead by example

  85. “This is what I do and I would recommend it

    to you”

  86. Give people a script

  87. “Tell, sell, and shame” doesn’t work.

  88. A. PERUSCO, N. PODER, M. MOHSIN, G. RIKARD-BELL, C. RISSEL,

    M. WILLIAMS, M. HUA, E. MILLEN, M. SABRY and S. GUIRGUIS, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010

  89. A. PERUSCO, N. PODER, M. MOHSIN, G. RIKARD-BELL, C. RISSEL,

    M. WILLIAMS, M. HUA, E. MILLEN, M. SABRY and S. GUIRGUIS, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010
  90. None

  91. ىبرع

  92. 5.3% decrease in smoking prevalence 7.8% increase in smoke free

    homes

  93. Give people successful examples to emulate

  94. How to communicate •Veer away from the culture of shame

    •“Can I show you a better way?” •Show, don’t tell •Lead by example •Give people a script to navigate social situations

  95. “Tell, sell, and shame” doesn’t work.

  96. “you’re literally telling us what to do”

  97. Let’s walk the walk

  98. What is something that has significantly changed my behaviour?

  99. The YouTube Vlogger •Showing, not telling •Gives people the choice

    to opt in (or out) •No shame or judgement, often shows vulnerability •Outlines routines, gives people steps/script to follow •Lots of different people to follow, can find one you relate to
  100. None

  101. PART FOUR SERENA BECOMES
 A VLOGGER????

  102. None

  103. What I learned: •Showing and not telling is hard •People

    just want you to acknowledge that it’s hard •Being authentic and vulnerable and personal reaches people •Relatability is important — if they can see themselves in you, and they can see you making an effort, then they can see themselves doing it •I have a lot more respect for YouTubers now
  104. None
  105. None

  106. Be more vulnerable

  107. Be more open

  108. PART I SWEAR THIS IS ALMOST OVER SUMMARY

  109. Everyone deserves security

  110. “I don’t think about security” ↓
 “I’m used to insecurity

    and lack of privacy” ↓
 “I consume tech but don’t demand privacy or security” ↓
 “I make tech but security isn’t top of mind” ↓
 “I care about security but no one else cares… no funding/support” ↓
 “Why are there bugs and vulns everywhere???” The system enables security problems
  111. None

  112. Update your email password Get a password manager Turn 2FA

    on for your email Turn 2FA on for Facebook, Twitter, LinkedIn Save current passwords to manager Update passwords with manager Put a passcode on your phone Update passwords with manager

  113. Technological capability Privacy needs Likely adversaries Not comfortable with technology

    “I am in hiding” Script kiddies Can quit vim “I need to be visible” National state

  114. –Interview participant 3 “I googled it, and kept installing antivirus

    programs until one worked.”

  115. Obligatory xkcd: https://xkcd.com/1053/

  116. None

  117. Lead by example

  118. Be nice to people

  119. Thanks! Be nice to me @Sereeena