Upgrade to Pro — share decks privately, control downloads, hide ads and more …

purplecon — like, comment and subscribe: effective communication of security advice

Serena Chen
November 15, 2018
Technology
0
230

purplecon — like, comment and subscribe: effective communication of security advice

for everyday people, security advice is confusing, boring, and ever changing. in response, we’ve developed what essentially are superstitious habits — theatrical, security-flavoured actions that we repeat in hopes of protecting ourselves from “the hackers”.

there are two big problems here. first, how do we effectively communicate relevant security advice to non-experts? and secondly, is that advice even persuasive enough to encourage real behavioural change? what kind of advice should we be conveying, and to whom?

in this talk we’ll cover why everyday people don’t follow security advice. to help us come up with some solutions, we’ll introduce concepts from behavioural design, psychology and medicine. and i’ll put the theory to the test by trialling some unconventional ways of communicating security to the masses.

Serena Chen

November 15, 2018
Tweet

More Decks by Serena Chen

See All by Serena Chen
Like Share and Subscribe: Effective Communication of Security Advice
heisenburger
0
88
Design for Security — Web Directions Summit 2019
heisenburger
0
160
Design for Security — O'Reilly Velocity 2018
heisenburger
2
380
Design for Security — BSides Wellington 2017
heisenburger
1
440
The Ideal Styling Language — CSSConfAu 2016
heisenburger
2
180
Intro to Design and UX — The Good Bits
heisenburger
0
290

Other Decks in Technology

See All in Technology
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
0
430
Android Target SDK 35 (Android 15) 対応の概要
akkie76
0
110
.NET Profiler in 2024.
kkamegawa
1
130
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
ServiceNow Knowledge Learning Rise up
manarobot
0
210
Gitlab本から学んだこと - そーだいなるプレイバック / gitlab-book
soudai
4
440
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
120
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
230
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
1
250
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
650
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
370
私が trocco を推す理由
__allllllllez__
1
260

Featured

See All Featured
Optimizing for Happiness
mojombo
370
69k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
GraphQLとの向き合い方2022年版
quramy
32
12k
Visualization
eitanlees
136
14k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
Six Lessons from altMBA
skipperchong
21
3k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
It's Worth the Effort
3n
180
27k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Typedesign – Prime Four
hannesfritz
36
2.1k
Gamification - CAS2011
davidbonilla
76
4.6k

Transcript

  1. like, comment and subscribe @Sereeena | purplecon 2018

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. Infosec

  9. Tech Infosec (Blockchain is in there somewhere) →

  10. Everyone else Tech Infosec

  11. Everyone deserves security

  12. Security is hard.

  13. People who do the “right” things People who do the

    “wrong” things supply chain 0days XSS vulns lack of 2FA adoption old operating systems password reuse

  14. People who do the “right” things People who do the

    “wrong” things

  15. “I can’t help you.”

  16. Security is hard ⊗ People aren’t good at security

  17. People who do the “right” things People who do the

    “wrong” things

  18. What if we didn’t give up?

  19. People who do the “right” things People who do the

    “wrong” things

  20. Security is hard ⊗ People aren’t good at security

  21. Security is hard ⊖ People aren’t good at security

  22. “I don’t think about security” ↓
 “I’m used to insecurity

    and lack of privacy” ↓
 “I consume tech but don’t demand privacy or security” ↓
 “I make tech but security isn’t top of mind” ↓
 “I care about security but no one else cares… no funding/support” ↓
 “Why are there bugs and vulns everywhere???” The system enables security problems

  23. Everyone else Tech Infosec

  24. None

  25. 1. Who are these people? 2. What advice should we

    be giving them? 3. How do we communicate this advice?

  26. PART ONE WHO IS “EVERYONE ELSE”

  27. None

  28. I Ion, R Reeder, S Consolvo. “...No one Can Hack

    My Mind”: Comparing Expert and Non-Expert Security Practices. In Proceedings of SOUPS, 2015. What is good practice?
  29. None
  30. None

  31. Don’t reuse passwords "

  32. None

  33. –Interview participant 4 “I know I shouldn’t do this, but

    I cycle through two or three passwords for all of my accounts.”

  34. –Interview participant 3 “I know about password managers, I just

    haven’t gotten around to it yet. It seems like a big time investment.”

  35. –Interview participant 4 “I’ve been meaning to change my passwords,

    but my current password system is just so memorised.”

  36. ←“Sally”

  37. “asking for a friend”

  38. None

  39. Our (rough) personas •Those who are confused about what to

    do •Those who know what to do but not how to implement it

  40. PART TWO WHAT ADVICE TO GIVE

  41. –Interview participant 6 “Which program do I need to install

    to be secure?”
  42. None

  43. Security is like exercise •There is always room for improvement

    •Must be customised to the individual’s needs •Must be habitual and ongoing

  44. Incremental change

  45. None

  46. What is running? Let’s do a marathon!

  47. What is security? Change ALL the 
 passwords and put

    
 them in a password
 manager!!!1 1!1

  48. Old software Accept the next update

  49. Same password 
 for everything Just change your 
 email

    password

  50. Unique passwords
 but memorised Try a password
 manager

  51. The perfect is the enemy of the good

  52. Personalised change

  53. Technological capability Privacy needs Likely adversaries Not comfortable with technology

    “I am in hiding” Script kiddies Can quit vim “I need to be visible” National state

  54. Technological capability Not comfortable with technology Can quit vim Recommend

    defaults • Store passwords in browser • Rely on smartphone

  55. Technological capability Not comfortable with technology Can quit vim Recommend

    customisation • Independent password manager • U2F key • More compartmentalisation

  56. Privacy needs “I am in hiding” “I need to be

    visible” Recommend minimalism •Delete profiles, only keep what is necessary • Compartmentalise • Regular follower/friend purging • Change contact details regularly

  57. Privacy needs “I am in hiding” “I need to be

    visible” Recommend obfuscation • Remove metadata from photos/posts •Only allow messages from known people • Use scheduling to hide activity patterns

  58. Likely adversaries Script kiddies Recommend general protections •Unique passwords for

    most important accounts • 2FA turned on Nation state

  59. Likely adversaries Script kiddies Recommend specialist advice • Don’t take

    advice from a talk slide •Introduce them to someone who knows what they’re talking about • Seek !! professional !! help !! Nation state

  60. Technological capability Privacy needs Likely adversaries Not comfortable with technology

    “I am in hiding” Script kiddies Can quit vim “I need to be visible” Nation state

  61. Personas by the Open Internet Tools Project; illustrations by Rob

    Vincent

  62. Ongoing change

  63. Lay a path for progression

  64. Couch to 5K for security

  65. Update your email password Get a password manager Turn 2FA

    on for your email Turn 2FA on for Facebook, Twitter, LinkedIn Save current passwords to manager Update passwords with manager Put a passcode on your phone Update passwords with manager

  66. The perfect is the enemy of the good

  67. Effective security advice •Make it incremental •Make it personalised •Make

    it habitual

  68. PART THREE HOW TO COMMUNICATE

  69. “Tell, sell, and shame” doesn’t work.

  70. Infosec has a pervasive culture of shame

  71. None
  72. None

  73. “Windows XP”

  74. “Tell, sell, and shame” doesn’t work.

  75. –Interview participant 3 “I googled it, and kept installing antivirus

    programs until one worked.”

  76. Shaming culture means people don’t ask for advice

  77. So what should we do?

  78. Obligatory xkcd: https://xkcd.com/1053/

  79. “Can I show you a better way to do this?”

  80. Show don’t tell

  81. Reactance theory AKA don’t tell me what to do

  82. Direct instruction harms the feeling of self-control

  83. “Tell, sell, and shame” doesn’t work.

  84. Lead by example

  85. “This is what I do and I would recommend it

    to you”

  86. Give people a script

  87. “Tell, sell, and shame” doesn’t work.

  88. A. PERUSCO, N. PODER, M. MOHSIN, G. RIKARD-BELL, C. RISSEL,

    M. WILLIAMS, M. HUA, E. MILLEN, M. SABRY and S. GUIRGUIS, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010

  89. A. PERUSCO, N. PODER, M. MOHSIN, G. RIKARD-BELL, C. RISSEL,

    M. WILLIAMS, M. HUA, E. MILLEN, M. SABRY and S. GUIRGUIS, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010
  90. None

  91. ىبرع

  92. 5.3% decrease in smoking prevalence 7.8% increase in smoke free

    homes

  93. Give people successful examples to emulate

  94. How to communicate •Veer away from the culture of shame

    •“Can I show you a better way?” •Show, don’t tell •Lead by example •Give people a script to navigate social situations

  95. “Tell, sell, and shame” doesn’t work.

  96. “you’re literally telling us what to do”

  97. Let’s walk the walk

  98. What is something that has significantly changed my behaviour?

  99. The YouTube Vlogger •Showing, not telling •Gives people the choice

    to opt in (or out) •No shame or judgement, often shows vulnerability •Outlines routines, gives people steps/script to follow •Lots of different people to follow, can find one you relate to
  100. None

  101. PART FOUR SERENA BECOMES
 A VLOGGER????

  102. None

  103. What I learned: •Showing and not telling is hard •People

    just want you to acknowledge that it’s hard •Being authentic and vulnerable and personal reaches people •Relatability is important — if they can see themselves in you, and they can see you making an effort, then they can see themselves doing it •I have a lot more respect for YouTubers now
  104. None
  105. None

  106. Be more vulnerable

  107. Be more open

  108. PART I SWEAR THIS IS ALMOST OVER SUMMARY

  109. Everyone deserves security

  110. “I don’t think about security” ↓
 “I’m used to insecurity

    and lack of privacy” ↓
 “I consume tech but don’t demand privacy or security” ↓
 “I make tech but security isn’t top of mind” ↓
 “I care about security but no one else cares… no funding/support” ↓
 “Why are there bugs and vulns everywhere???” The system enables security problems
  111. None

  112. Update your email password Get a password manager Turn 2FA

    on for your email Turn 2FA on for Facebook, Twitter, LinkedIn Save current passwords to manager Update passwords with manager Put a passcode on your phone Update passwords with manager

  113. Technological capability Privacy needs Likely adversaries Not comfortable with technology

    “I am in hiding” Script kiddies Can quit vim “I need to be visible” National state

  114. –Interview participant 3 “I googled it, and kept installing antivirus

    programs until one worked.”

  115. Obligatory xkcd: https://xkcd.com/1053/

  116. None

  117. Lead by example

  118. Be nice to people

  119. Thanks! Be nice to me @Sereeena