purplecon — like, comment and subscribe: effective communication of security advice

Serena Chen
November 15, 2018


for everyday people, security advice is confusing, boring, and ever changing. in response, we’ve developed what essentially are superstitious habits — theatrical, security-flavoured actions that we repeat in hopes of protecting ourselves from “the hackers”.

there are two big problems here. first, how do we effectively communicate relevant security advice to non-experts? and secondly, is that advice even persuasive enough to encourage real behavioural change? what kind of advice should we be conveying, and to whom?

in this talk we’ll cover why everyday people don’t follow security advice. to help us come up with some solutions, we’ll introduce concepts from behavioural design, psychology and medicine. and i’ll put the theory to the test by trialling some unconventional ways of communicating security to the masses.


Transcript

  1. like, comment and subscribe @Sereeena | purplecon 2018

  8. Infosec

  9. Tech Infosec (Blockchain is in there somewhere) →

  10. Everyone else Tech Infosec

  11. Everyone deserves security

  12. Security is hard.

  13. People who do the “right” things / People who do the “wrong” things:
    supply chain 0days, XSS vulns, lack of 2FA adoption, old operating systems, password reuse
  14. People who do the “right” things / People who do the “wrong” things
  15. “I can’t help you.”

  16. Security is hard ⊗ People aren’t good at security

  17. People who do the “right” things / People who do the “wrong” things
  18. What if we didn’t give up?

  19. People who do the “right” things / People who do the “wrong” things
  20. Security is hard ⊗ People aren’t good at security

  21. Security is hard ⊖ People aren’t good at security

  22. “I don’t think about security” ↓
    “I’m used to insecurity and lack of privacy” ↓
    “I consume tech but don’t demand privacy or security” ↓
    “I make tech but security isn’t top of mind” ↓
    “I care about security but no one else cares… no funding/support” ↓
    “Why are there bugs and vulns everywhere???”
    The system enables security problems
  23. Everyone else Tech Infosec

  25. 1. Who are these people? 2. What advice should we be giving them? 3. How do we communicate this advice?
  26. PART ONE WHO IS “EVERYONE ELSE”

  28. I. Ion, R. Reeder, S. Consolvo. “...No One Can Hack My Mind”: Comparing Expert and Non-Expert Security Practices. In Proceedings of SOUPS, 2015. What is good practice?
  31. Don’t reuse passwords

  33. “I know I shouldn’t do this, but I cycle through two or three passwords for all of my accounts.” –Interview participant 4
  34. “I know about password managers, I just haven’t gotten around to it yet. It seems like a big time investment.” –Interview participant 3
  35. “I’ve been meaning to change my passwords, but my current password system is just so memorised.” –Interview participant 4
  36. ←“Sally”

  37. “asking for a friend”

  39. Our (rough) personas
    • Those who are confused about what to do
    • Those who know what to do but not how to implement it
  40. PART TWO WHAT ADVICE TO GIVE

  41. “Which program do I need to install to be secure?” –Interview participant 6
  43. Security is like exercise
    • There is always room for improvement
    • Must be customised to the individual’s needs
    • Must be habitual and ongoing
  44. Incremental change

  46. What is running? Let’s do a marathon!

  47. What is security? Change ALL the passwords and put them in a password manager!!!1!1
  48. Old software → Accept the next update

  49. Same password for everything → Just change your email password
  50. Unique passwords but memorised → Try a password manager

  51. The perfect is the enemy of the good

  52. Personalised change

  53. Technological capability: Not comfortable with technology ↔ Can quit vim
    Privacy needs: “I am in hiding” ↔ “I need to be visible”
    Likely adversaries: Script kiddies ↔ Nation state
  54. Technological capability (Not comfortable with technology ↔ Can quit vim). For the less comfortable, recommend defaults:
    • Store passwords in browser • Rely on smartphone
  55. Technological capability (Not comfortable with technology ↔ Can quit vim). For those who can quit vim, recommend customisation:
    • Independent password manager • U2F key • More compartmentalisation
  56. Privacy needs (“I am in hiding” ↔ “I need to be visible”). For those in hiding, recommend minimalism:
    • Delete profiles, only keep what is necessary • Compartmentalise • Regular follower/friend purging • Change contact details regularly
  57. Privacy needs (“I am in hiding” ↔ “I need to be visible”). For those who need to be visible, recommend obfuscation:
    • Remove metadata from photos/posts • Only allow messages from known people • Use scheduling to hide activity patterns
  58. Likely adversaries (Script kiddies ↔ Nation state). Against script kiddies, recommend general protections:
    • Unique passwords for most important accounts • 2FA turned on
  59. Likely adversaries (Script kiddies ↔ Nation state). Against a nation state, recommend specialist advice:
    • Don’t take advice from a talk slide • Introduce them to someone who knows what they’re talking about • Seek !! professional !! help !!
  60. Technological capability: Not comfortable with technology ↔ Can quit vim
    Privacy needs: “I am in hiding” ↔ “I need to be visible”
    Likely adversaries: Script kiddies ↔ Nation state
  61. Personas by the Open Internet Tools Project; illustrations by Rob Vincent
  62. Ongoing change

  63. Lay a path for progression

  64. Couch to 5K for security

  65. • Update your email password • Get a password manager • Turn 2FA on for your email • Turn 2FA on for Facebook, Twitter, LinkedIn • Save current passwords to manager • Update passwords with manager • Put a passcode on your phone • Update passwords with manager
  66. The perfect is the enemy of the good

  67. Effective security advice • Make it incremental • Make it personalised • Make it habitual
  68. PART THREE HOW TO COMMUNICATE

  69. “Tell, sell, and shame” doesn’t work.

  70. Infosec has a pervasive culture of shame

  73. “Windows XP”

  74. “Tell, sell, and shame” doesn’t work.

  75. “I googled it, and kept installing antivirus programs until one worked.” –Interview participant 3
  76. Shaming culture means people don’t ask for advice

  77. So what should we do?

  78. Obligatory xkcd: https://xkcd.com/1053/

  79. “Can I show you a better way to do this?”

  80. Show don’t tell

  81. Reactance theory AKA don’t tell me what to do

  82. Direct instruction harms the feeling of self-control

  83. “Tell, sell, and shame” doesn’t work.

  84. Lead by example

  85. “This is what I do and I would recommend it

    to you”
  86. Give people a script

  87. “Tell, sell, and shame” doesn’t work.

  88. A. Perusco, N. Poder, M. Mohsin, G. Rikard-Bell, C. Rissel, M. Williams, M. Hua, E. Millen, M. Sabry and S. Guirguis, “Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia”, Health Promotion International, Vol. 25 No. 2, 2010
  91. عربى (“Arabic”)

  92. 5.3% decrease in smoking prevalence; 7.8% increase in smoke free homes
  93. Give people successful examples to emulate

  94. How to communicate
    • Veer away from the culture of shame
    • “Can I show you a better way?”
    • Show, don’t tell
    • Lead by example
    • Give people a script to navigate social situations
  95. “Tell, sell, and shame” doesn’t work.

  96. “you’re literally telling us what to do”

  97. Let’s walk the walk

  98. What is something that has significantly changed my behaviour?

  99. The YouTube Vlogger
    • Showing, not telling
    • Gives people the choice to opt in (or out)
    • No shame or judgement, often shows vulnerability
    • Outlines routines, gives people steps/script to follow
    • Lots of different people to follow, can find one you relate to
  101. PART FOUR SERENA BECOMES A VLOGGER????

  103. What I learned:
    • Showing and not telling is hard
    • People just want you to acknowledge that it’s hard
    • Being authentic and vulnerable and personal reaches people
    • Relatability is important: if they can see themselves in you, and they can see you making an effort, then they can see themselves doing it
    • I have a lot more respect for YouTubers now
  106. Be more vulnerable

  107. Be more open

  108. PART I SWEAR THIS IS ALMOST OVER SUMMARY

  109. Everyone deserves security

  110. “I don’t think about security” ↓
    “I’m used to insecurity and lack of privacy” ↓
    “I consume tech but don’t demand privacy or security” ↓
    “I make tech but security isn’t top of mind” ↓
    “I care about security but no one else cares… no funding/support” ↓
    “Why are there bugs and vulns everywhere???”
    The system enables security problems
  112. • Update your email password • Get a password manager • Turn 2FA on for your email • Turn 2FA on for Facebook, Twitter, LinkedIn • Save current passwords to manager • Update passwords with manager • Put a passcode on your phone • Update passwords with manager
  113. Technological capability: Not comfortable with technology ↔ Can quit vim
    Privacy needs: “I am in hiding” ↔ “I need to be visible”
    Likely adversaries: Script kiddies ↔ Nation state
  114. “I googled it, and kept installing antivirus programs until one worked.” –Interview participant 3
  115. Obligatory xkcd: https://xkcd.com/1053/

  117. Lead by example

  118. Be nice to people

  119. Thanks! Be nice to me @Sereeena