purplecon — like, comment and subscribe: effective communication of security advice

Serena Chen
November 15, 2018


for everyday people, security advice is confusing, boring, and ever-changing. in response, we’ve developed what are essentially superstitious habits — theatrical, security-flavoured actions that we repeat in the hope of protecting ourselves from “the hackers”.

there are two big problems here. first, how do we effectively communicate relevant security advice to non-experts? and second, is that advice even persuasive enough to encourage real behavioural change? what kind of advice should we be conveying, and to whom?

in this talk we’ll cover why everyday people don’t follow security advice. to help us come up with some solutions, we’ll introduce concepts from behavioural design, psychology and medicine. and i’ll put the theory to the test by trialling some unconventional ways of communicating security to the masses.



Transcript

Slide 13
People who do the “right” things: supply chain, 0days, XSS vulns
People who do the “wrong” things: lack of 2FA adoption, old operating systems, password reuse
Slide 22
“I don’t think about security”
↓ “I’m used to insecurity and lack of privacy”
↓ “I consume tech but don’t demand privacy or security”
↓ “I make tech but security isn’t top of mind”
↓ “I care about security but no one else cares… no funding/support”
↓ “Why are there bugs and vulns everywhere???”
The system enables security problems
Slide 25
1. Who are these people?
2. What advice should we be giving them?
3. How do we communicate this advice?
Slide 28
What is good practice?
I. Ion, R. Reeder, S. Consolvo. “...No one Can Hack My Mind”: Comparing Expert and Non-Expert Security Practices. In Proceedings of SOUPS, 2015.
Slide 33
“I know I shouldn’t do this, but I cycle through two or three passwords for all of my accounts.” – Interview participant 4

Slide 34
“I know about password managers, I just haven’t gotten around to it yet. It seems like a big time investment.” – Interview participant 3

Slide 35
“I’ve been meaning to change my passwords, but my current password system is just so memorised.” – Interview participant 4
Slide 39
Our (rough) personas
• Those who are confused about what to do
• Those who know what to do but not how to implement it
Slide 43
Security is like exercise
• There is always room for improvement
• Must be customised to the individual’s needs
• Must be habitual and ongoing
Slide 47
What is security?
Change ALL the passwords and put them in a password manager!!!1!1
Slide 53
Technological capability: Not comfortable with technology ↔ Can quit vim
Privacy needs: “I am in hiding” ↔ “I need to be visible”
Likely adversaries: Script kiddies ↔ Nation state

Slide 54
Technological capability: Not comfortable with technology
Recommend defaults
• Store passwords in browser
• Rely on smartphone

Slide 55
Technological capability: Can quit vim
Recommend customisation
• Independent password manager
• U2F key
• More compartmentalisation

Slide 56
Privacy needs: “I am in hiding”
Recommend minimalism
• Delete profiles, only keep what is necessary
• Compartmentalise
• Regular follower/friend purging
• Change contact details regularly

Slide 57
Privacy needs: “I need to be visible”
Recommend obfuscation
• Remove metadata from photos/posts
• Only allow messages from known people
• Use scheduling to hide activity patterns
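Slide 57 recommends removing metadata from photos before posting. As an added example, not code from the talk, here is what that means at the byte level: a small Python stripper that drops the Exif/XMP (APP1), IPTC (APP13) and comment (COM) segments from a JPEG without re-encoding the image, so the picture itself is unchanged while the GPS position, camera model and timestamps are gone. The sample JPEG, its fake Exif payload, and the function and constant names are all the example’s own constructions.

```python
"""Strip Exif, XMP, IPTC and comment segments from a JPEG without re-encoding it.

Added example for slide 57's "remove metadata from photos/posts"; not code from
the talk. It works on the JPEG container only: it walks the marker segments that
precede the first scan (SOS) and drops the ones that carry metadata, leaving the
compressed image data untouched.
"""

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS = 0xDA
# Segments that carry metadata rather than image data:
#   APP1  (0xE1): Exif (camera model, GPS position, timestamps) and XMP
#   APP13 (0xED): Photoshop/IPTC (captions, author, keywords)
#   COM   (0xFE): free-text comment
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
# Markers with no length field (RSTn and TEM); EOI is handled separately.
STANDALONE = set(range(0xD0, 0xD8)) | {0x01}


def iter_segments(data: bytes):
    """Yield (marker, raw_segment, end_offset) for each segment up to and
    including SOS. raw_segment holds the 0xFF, the marker byte and, for tabled
    segments, the 2-byte length plus payload. end_offset is the offset of the
    first byte after the segment, so after the SOS header the caller knows
    where the entropy-coded scan data begins."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        while i < n and data[i] == 0xFF:   # 0xFF fill bytes are permitted
            i += 1
        if i >= n:
            raise ValueError("truncated before marker")
        marker = data[i]
        i += 1
        if marker == 0xD9:
            raise ValueError("EOI before any scan data")
        if marker in STANDALONE:
            yield marker, bytes((0xFF, marker)), i
            continue
        if i + 2 > n:
            raise ValueError("truncated segment length")
        seglen = int.from_bytes(data[i:i + 2], "big")   # includes the 2 length bytes
        if seglen < 2 or i + seglen > n:
            raise ValueError(f"bad segment length {seglen} at offset {i}")
        yield marker, bytes((0xFF, marker)) + data[i:i + seglen], i + seglen
        i += seglen
        if marker == SOS:
            return
    raise ValueError("no SOS segment found")


def metadata_markers(data: bytes) -> list:
    """Marker bytes of the metadata segments present before the first scan."""
    return [m for m, _, _ in iter_segments(data) if m in METADATA_MARKERS]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of `data` with APP1/APP13/COM segments removed.

    JFIF (APP0), ICC colour profiles (APP2) and all coding tables are kept, so
    the picture still decodes and displays identically. Everything from the
    first scan onward is copied verbatim (see the note on progressive JPEGs)."""
    out = bytearray(SOI)
    end = 2
    for marker, raw, end in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += raw
    out += data[end:]   # entropy-coded scan(s) through EOI, unchanged
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a tabled segment: FF, marker, big-endian length, payload."""
    return bytes((0xFF, marker)) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: a JPEG-shaped byte string with the metadata segments a
# phone camera typically writes. The scan data is filler, so it will not decode
# to a picture, but the container parses exactly like a real file.
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"<constructed TIFF with GPSLatitude>")
    + _segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _segment(0xFE, b"taken at home, 2018-11-15")
    + _segment(0xDB, bytes(65))                    # DQT: quantisation table
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")  # SOS header, one component
    + b"\x12\x34\x56\xff\x00\x78"                  # scan data, with a stuffed FF00
    + EOI
)


if __name__ == "__main__":
    print("before:", [hex(m) for m in metadata_markers(SAMPLE_JPEG)])
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m in metadata_markers(cleaned)])
    print(f"{len(SAMPLE_JPEG)} -> {len(cleaned)} bytes")
```

Caveats a practitioner would want alongside this: the stripper only inspects segments before the first scan, so a progressive JPEG that carries metadata between scans, or a file with data appended after EOI, keeps that content; what the image itself reveals (faces, street signs, reflections, a view from a window) is untouched; and many platforms re-encode uploads anyway, so the real check is to download what the platform serves back and inspect that.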
Slide 59
Likely adversaries: Nation state
Recommend specialist advice
• Don’t take advice from a talk slide
• Introduce them to someone who knows what they’re talking about
• Seek !! professional !! help !!

Slide 60
The three axes of slide 53 again: technological capability (Not comfortable with technology ↔ Can quit vim), privacy needs (“I am in hiding” ↔ “I need to be visible”), likely adversaries (Script kiddies ↔ Nation state)
Slide 65
• Update your email password
• Get a password manager
• Turn 2FA on for your email
• Turn 2FA on for Facebook, Twitter, LinkedIn
• Save current passwords to manager
• Update passwords with manager
• Put a passcode on your phone
• Update passwords with manager
Slides 88–89
A. Perusco, N. Poder, M. Mohsin, G. Rikard-Bell, C. Rissel, M. Williams, M. Hua, E. Millen, M. Sabry and S. Guirguis. Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia. Health Promotion International, Vol. 25 No. 2, 2010.
Slide 94
How to communicate
• Veer away from the culture of shame
• “Can I show you a better way?”
• Show, don’t tell
• Lead by example
• Give people a script to navigate social situations
Slide 99
The YouTube Vlogger
• Showing, not telling
• Gives people the choice to opt in (or out)
• No shame or judgement, often shows vulnerability
• Outlines routines, gives people steps/script to follow
• Lots of different people to follow, can find one you relate to
Slide 103
What I learned:
• Showing and not telling is hard
• People just want you to acknowledge that it’s hard
• Being authentic and vulnerable and personal reaches people
• Relatability is important — if they can see themselves in you, and they can see you making an effort, then they can see themselves doing it
• I have a lot more respect for YouTubers now
Slides 110–113
Recap of the ladder of attitudes from slide 22 (“I don’t think about security” through to “Why are there bugs and vulns everywhere???”: the system enables security problems), the checklist from slide 65, and the three axes (technological capability, privacy needs, likely adversaries) from slide 53.