purplecon — like, comment and subscribe: effective communication of security advice

Serena Chen
November 15, 2018

purplecon — like, comment and subscribe: effective communication of security advice

for everyday people, security advice is confusing, boring, and ever changing. in response, we’ve developed what essentially are superstitious habits — theatrical, security-flavoured actions that we repeat in hopes of protecting ourselves from “the hackers”.

there are two big problems here. first, how do we effectively communicate relevant security advice to non-experts? and secondly, is that advice even persuasive enough to encourage real behavioural change? what kind of advice should we be conveying, and to whom?

in this talk we’ll cover why everyday people don’t follow security advice. to help us come up with some solutions, we’ll introduce concepts from behavioural design, psychology and medicine. and i’ll put the theory to the test by trialling some unconventional ways of communicating security to the masses.

Transcript

  1. like, comment and subscribe
    @Sereeena | purplecon 2018

  8. Infosec

  9. Tech
    Infosec
    (Blockchain is in there somewhere) →

  10. Everyone else
    Tech
    Infosec

  11. Everyone deserves security

  12. Security is hard.

  13. People who do the “right” things: supply chain, 0days, XSS vulns
    People who do the “wrong” things: lack of 2FA adoption, old operating systems, password reuse

  14. People who do the “right” things
    People who do the “wrong” things

  15. “I can’t help you.”

  16. Security is hard

    People aren’t good at
    security

  17. People who do the “right” things
    People who do the “wrong” things

  18. What if we didn’t give up?

  19. People who do the “right” things
    People who do the “wrong” things

  20. Security is hard

    People aren’t good at
    security

  21. Security is hard

    People aren’t good at
    security

  22. “I don’t think about security”
    ↓

    “I’m used to insecurity and lack of privacy”
    ↓

    “I consume tech but don’t demand privacy or security”
    ↓

    “I make tech but security isn’t top of mind”
    ↓

    “I care about security but no one else cares… no funding/support”
    ↓

    “Why are there bugs and vulns everywhere???”
    The system enables security problems

  23. Everyone else
    Tech
    Infosec

  25. 1. Who are these people?
    2. What advice should we be giving them?
    3. How do we communicate this advice?

  26. PART ONE
    WHO IS “EVERYONE ELSE”

  28. I Ion, R Reeder, S Consolvo. “...No one Can Hack My Mind”: Comparing Expert and Non-Expert Security Practices. In Proceedings of SOUPS, 2015.
    What is good practice?

  31. Don’t reuse passwords

  33. –Interview participant 4
    “I know I shouldn’t do this, but I cycle through
    two or three passwords for all of my accounts.”

  34. –Interview participant 3
    “I know about password managers, I just
    haven’t gotten around to it yet. It seems like a
    big time investment.”

  35. –Interview participant 4
    “I’ve been meaning to change my passwords,
    but my current password system is just so
    memorised.”

  36. ←“Sally”

  37. “asking for a friend”

  39. Our (rough) personas
    • Those who are confused about what to do
    • Those who know what to do but not how to implement it

  40. PART TWO
    WHAT ADVICE TO GIVE

  41. –Interview participant 6
    “Which program do I need to install to be
    secure?”

  43. Security is like exercise
    • There is always room for improvement
    • Must be customised to the individual’s needs
    • Must be habitual and ongoing

  44. Incremental change

  46. What is running?
    Let’s do a marathon!

  47. What is security?
    Change ALL the passwords and put them in a password manager!!!1!1

  48. Old software → Accept the next update

  49. Same password for everything → Just change your email password

  50. Unique passwords but memorised → Try a password manager

  51. The perfect is the enemy of
    the good

  52. Personalised change

  53. Technological capability: Not comfortable with technology ↔ Can quit vim
    Privacy needs: “I am in hiding” ↔ “I need to be visible”
    Likely adversaries: Script kiddies ↔ Nation state

  54. Technological capability: Not comfortable with technology ↔ Can quit vim
    Recommend defaults
    • Store passwords in browser
    • Rely on smartphone

  55. Technological capability: Not comfortable with technology ↔ Can quit vim
    Recommend customisation
    • Independent password manager
    • U2F key
    • More compartmentalisation

  56. Privacy needs: “I am in hiding” ↔ “I need to be visible”
    Recommend minimalism
    • Delete profiles, only keep what is necessary
    • Compartmentalise
    • Regular follower/friend purging
    • Change contact details regularly

  57. Privacy needs: “I am in hiding” ↔ “I need to be visible”
    Recommend obfuscation
    • Remove metadata from photos/posts
    • Only allow messages from known people
    • Use scheduling to hide activity patterns

  58. Likely adversaries: Script kiddies ↔ Nation state
    Recommend general protections
    • Unique passwords for most important accounts
    • 2FA turned on

  59. Likely adversaries: Script kiddies ↔ Nation state
    Recommend specialist advice
    • Don’t take advice from a talk slide
    • Introduce them to someone who knows what they’re talking about
    • Seek !! professional !! help !!

  60. Technological capability: Not comfortable with technology ↔ Can quit vim
    Privacy needs: “I am in hiding” ↔ “I need to be visible”
    Likely adversaries: Script kiddies ↔ Nation state

  61. Personas by the Open Internet Tools Project; illustrations by Rob Vincent

  62. Ongoing change

  63. Lay a path for progression

  64. Couch to 5K for security

  65. Update your email password
    Get a password manager
    Turn 2FA on for your email
    Turn 2FA on for Facebook, Twitter, LinkedIn
    Save current passwords to manager
    Update passwords with manager
    Put a passcode on your phone
    Update passwords with manager

  66. The perfect is the enemy of
    the good

  67. Effective security advice
    • Make it incremental
    • Make it personalised
    • Make it habitual

  68. PART THREE
    HOW TO COMMUNICATE

    View Slide

  69. “Tell, sell, and shame”
    doesn’t work.

    View Slide

  70. Infosec has a pervasive
    culture of shame

  73. “Windows XP”

  74. “Tell, sell, and shame”
    doesn’t work.

  75. –Interview participant 3
    “I googled it, and kept installing antivirus
    programs until one worked.”

  76. Shaming culture means
    people don’t ask for advice

  77. So what should we do?

  78. Obligatory xkcd: https://xkcd.com/1053/

  79. “Can I show you a better
    way to do this?”

  80. Show don’t tell

  81. Reactance theory
    AKA don’t tell me what to do

  82. Direct instruction harms the
    feeling of self-control

  83. “Tell, sell, and shame”
    doesn’t work.

  84. Lead by example

  85. “This is what I do and I
    would recommend it to you”

  86. Give people a script

  87. “Tell, sell, and shame”
    doesn’t work.

  88. A. Perusco, N. Poder, M. Mohsin, G. Rikard-Bell, C. Rissel, M. Williams, M. Hua, E. Millen, M. Sabry and S. Guirguis. Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia. Health Promotion International, Vol. 25 No. 2, 2010.

  89. A. Perusco, N. Poder, M. Mohsin, G. Rikard-Bell, C. Rissel, M. Williams, M. Hua, E. Millen, M. Sabry and S. Guirguis. Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia. Health Promotion International, Vol. 25 No. 2, 2010.

  91. عربى

  92. 5.3% decrease
    in smoking prevalence
    7.8% increase
    in smoke free homes

  93. Give people successful
    examples to emulate

  94. How to communicate
    • Veer away from the culture of shame
    • “Can I show you a better way?”
    • Show, don’t tell
    • Lead by example
    • Give people a script to navigate social situations

  95. “Tell, sell, and shame”
    doesn’t work.

  96. “you’re literally telling us
    what to do”

  97. Let’s walk the walk

  98. What is something that has
    significantly changed my behaviour?

  99. The YouTube Vlogger
    • Showing, not telling
    • Gives people the choice to opt in (or out)
    • No shame or judgement, often shows vulnerability
    • Outlines routines, gives people steps/script to follow
    • Lots of different people to follow, can find one you relate to

  101. PART FOUR
    SERENA BECOMES

    A VLOGGER????

  103. What I learned:
    • Showing and not telling is hard
    • People just want you to acknowledge that it’s hard
    • Being authentic and vulnerable and personal reaches people
    • Relatability is important — if they can see themselves in you, and they can see you making an effort, then they can see themselves doing it
    • I have a lot more respect for YouTubers now

  106. Be more vulnerable

  107. Be more open

  108. PART I SWEAR THIS IS ALMOST OVER
    SUMMARY

  109. Everyone deserves security

  110. “I don’t think about security”
    ↓

    “I’m used to insecurity and lack of privacy”
    ↓

    “I consume tech but don’t demand privacy or security”
    ↓

    “I make tech but security isn’t top of mind”
    ↓

    “I care about security but no one else cares… no funding/support”
    ↓

    “Why are there bugs and vulns everywhere???”
    The system enables security problems

  112. Update your email password
    Get a password manager
    Turn 2FA on for your email
    Turn 2FA on for Facebook, Twitter, LinkedIn
    Save current passwords to manager
    Update passwords with manager
    Put a passcode on your phone
    Update passwords with manager

  113. Technological capability: Not comfortable with technology ↔ Can quit vim
    Privacy needs: “I am in hiding” ↔ “I need to be visible”
    Likely adversaries: Script kiddies ↔ Nation state

  114. –Interview participant 3
    “I googled it, and kept installing antivirus
    programs until one worked.”

  115. Obligatory xkcd: https://xkcd.com/1053/

  117. Lead by example

  118. Be nice to people

  119. Thanks!
    Be nice to me @Sereeena
