Slide 1

Slide 1 text

Infosec training

Slide 2

Slide 2 text

A lot of you said “training!” in your “how to make it better” section of your news presentations. I’m about to question that advice.

Slide 3

Slide 3 text

Why training?
✦ The motivation is usually not improving security. Maybe it should be, but it isn’t.
✦ The motivation for workplace infosec training is usually COMPLIANCE, legal or standards-based.
    ✦ Legal: if some law constrains an organization to meet minimum security standards, it will usually stipulate some kind of employee training. HIPAA, for example, requires training all employees as part of the hire/onboarding process. GDPR also has training requirements.
    ✦ Standards: PCI, for example, requires documentation of security practices and procedures, including in employee manuals.
✦ It may also be cleanup after an incident.
    ✦ With all the hasty ill-considered panicky flailing that implies.
    ✦ And the one-person-messed-up-but-we’re-all-stuck-doing-this problem.

Slide 4

Slide 4 text

This has implications.
✦ Viewed as unimportant check-the-box exercise
    ✦ Including by org-internal infosec folks! They could treat this as an opportunity, but more often they roll their eyes at it.
✦ If training is developed internally, it’s often done by people who… don’t teach well.
    ✦ So it’s too techie, or condescending, or communicated ineptly, or…
    ✦ Teaching, like most work, is a set of learned skills not present at birth.
✦ If training is outsourced (as it often is), there’s no connection to the local environment.
    ✦ Production values are likely higher, but it’ll be easy to scoff at because the examples will feel farfetched and the systems discussed won’t be familiar (or named according to local practice).

Slide 5

Slide 5 text

No, really, terminology matters here!
✦ Generic, non-localized training will talk about “video-conferencing apps.” Ring a bell?
    ✦ But you know what Zoom is. Of course you do.
✦ The jargon problem is exponentially worse with infrastructure most folks don’t think about.
    ✦ Would you have known what a “multi-factor authentication system” was before this class? (If you did, go you!)
    ✦ Training must use “Duo” (or whatever’s actively in use at the org) to be even minimally understood.
    ✦ (There are reasons I rely on UW-Madison examples in this class!)

Slide 6

Slide 6 text

The eternal 101
✦ I have never taken a required infosec training that went anywhere close to the richness and usefulness of the CR Security Planner.
    ✦ It’s always Infosec 101. Passwords, phishing, yawn.
✦ While I understand the need to raise the floor, repeated 101-level training does not help people learn more advanced (and useful!) concepts, tools, or behaviors.
    ✦ It sure does teach them to despise infosec, though. How remarkably counterproductive!
✦ Moral: let people “place out” of basics
    ✦ e.g. through quizzing them up-front and exempting those who pass

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Decontextualized rules

Slide 9

Slide 9 text

Why? Why are these rules important? Why are these even the rules?

Slide 10

Slide 10 text

You all now know why because I talked about attacks and attackers in this class. Most people haven’t taken this class, though, or anything like it. They don’t know why.

Slide 11

Slide 11 text

Without some kind of “why” — ideally in the form of a story — these rules look like pointless arbitrary nitpicking.

Slide 12

Slide 12 text

I’m not saying I’m a master storyteller or anything, but I’m TOTALLY saying that telling Alice/Bob/Eve stories was a deliberate choice I made. Human beings respond to “why” and to stories about why. Basic human thing! So why doesn’t infosec training tell stories?

Slide 13

Slide 13 text

Because the current vocational turn in higher education treats storytelling as unimportant “liberal arts” stuff that’s not professionally useful? Yeah, I totally do think that’s part of it. And I think that thinking is MASSIVELY misguided.

Slide 14

Slide 14 text

Humans tell stories!
✦ We learned that already, right? Folk models of security are basically a whisper game, people passing stories around.
✦ You all told true stories in your news presentations.
    ✦ I routinely bookmark good infosec stories I can tell in class, or point people to.
✦ Plus you all analyzed human-written stories for what they say (rightly or wrongly) about security.
✦ You know stories matter. I know stories matter. Take that with you into your lives as citizens, employees, teachers/trainers, and… humans.

Slide 15

Slide 15 text

TAKE YOUR COMM A AND COMM B COURSES SERIOUSLY, Y’ALL. They’re where you start to learn this kind of thing. A favorite word of mine: KAIROS. Means adapting communication to audience and situation.

Slide 16

Slide 16 text

Okay, another moral:
✦ For all kinds of education and training, not only infosec!
✦ MEET PEOPLE WHERE THEY ARE.
    ✦ This is an ideal, of course. Whenever you’re dealing with a lot of people (hi there, y’all!), they’ll be in lots of different places.
    ✦ But you can still be explicit about the audience(s) you’re aiming at, and you can (and should) apologize to everyone else.
✦ A much better structure than “lecture, then test” is “check, then teach as needed.”
    ✦ If I were in charge of infosec training, I’d start with a pre-test, divided into modules (“email/phishing,” “passwords,” “BYOD,” etc).
    ✦ Pass a module? You either get to skip that training OR (my preference) you get more advanced content.
    ✦ You view only the 101 modules you actually need to.

Slide 17

Slide 17 text

This also means knowing people’s practices.
✦ As we’ve discussed, people’s approach to many infosec matters falls into known patterns.
✦ Infosec training rarely takes that into account.
    ✦ “Choose a strong password!” instead of “Here are common password practices that are easily breached, so don’t:” or even “here’s why the system’s password tester rejects certain kinds of passwords:”
    ✦ “Don’t click on links in emails!” when that’s clearly impractical advice.
    ✦ (I’ve seen “don’t click links!” in UW trainings. UW constantly sends out emails with clickable links. Sigh.)
✦ Infosec training rarely if ever starts with ethnographic-style inquiry into the org.
    ✦ It should, though. It sure should.

Slide 18

Slide 18 text

One size fits no one
✦ Typically, everybody in the org gets the same old Infosec 101 training.
✦ This completely ignores different behaviors, threats, and risks associated with different roles.
    ✦ Example: As an instructor here, I don’t need to know about infosec in hiring. Not my problem! I don’t do hiring paperwork!
    ✦ Do I need to know how to keep student emails to me secure? Heck yeah I do; if I don’t do that, I risk harm to students and violating federal law (FERPA). Our HR folks also need to know this, because we hire student employees.
✦ And because people (wrongly) think that the same old Infosec 101 is everything they ever need to know… they’re vulnerable to role-based attacks.

Slide 19

Slide 19 text

Focusing too much on tech
✦ What use is the strongest password there is, if people aren’t prepared to resist attempts by social engineers to get them to reveal it?
✦ PHISHING. Phishing phishing phishing.
    ✦ Did you know that business-email compromise (spearphishing aimed at conning people into various kinds of false payments) is collectively the most expensive infosec fail in the US? Now you do.
✦ Yet most Infosec 101 is mostly about tech stuff.
✦ This is even worse because social engineering is… actually hard to make boring?!
    ✦ And it sets up a clear us-against-the-world feeling, which is socially useful for infosec folks and the org in general.
    ✦ (Though be careful to discuss insider threat also!)

Slide 20

Slide 20 text

In fact…
✦ … in my experience, it’s a lot easier for people to understand attacks if they first understand attackERS, and their techniques and motives.
    ✦ Would this have a lot to do with the topic sequencing in this course? Yep, you betcha.
✦ Use the fluency heuristic (people remember and repeat what they’re familiar with) to help.
    ✦ Get people familiar with an “attacker” persona.
    ✦ Would this be why I teach you Alice/Bob/Eve and use the phrase “garbage human” a lot? Yep, you betcha, at least in part.
    ✦ (Alice/Bob/Eve is common infosec jargon; that’s another reason I use it.)
✦ And use real-world case studies (STORIES!), ideally from peer orgs in the same or similar industry.

Slide 21

Slide 21 text

Hard to make boring… but not impossible

Slide 22

Slide 22 text

SHOW REAL PHISH, for pity’s sake! You’re DoIT, you’ve got THOUSANDS of real phish you can show people and talk about the consequences of. Also, IMAGES. People like those!

Slide 23

Slide 23 text

Ask for help. Like, seriously.
✦ Reciprocity and kindness are major forces in interpersonal relations.
✦ Instead of “we’re the Smart People telling all y’all peons what to do!”…
✦ … try “attackers are everywhere, we need your help to keep them out, please help us!”
    ✦ signed (and ideally written) by an actual human being, not an office
✦ Anything that humanizes IT/infosec people is a good idea, honestly.
    ✦ Because, again, people help other PEOPLE.

Slide 24

Slide 24 text

Dorothea tells the story of the CyberBob/CIO office visit. (or: how a CIO-office employee lost my friendship for good)

Slide 25

Slide 25 text

2021 research on infosec training:
✦ “[E]mployee perceptions of [training] programs relate to their previously held beliefs about:
    ✦ “cybersecurity threats,
    ✦ “the content and delivery of the training program,
    ✦ “the behaviour of others around them, and
    ✦ “features of their organisation.” (This amounted to the usability of security measures and perceived necessity to work around them… which should sound familiar to you by now!)
✦ From:
    ✦ Reeves, Calic, and Delfabbro. “‘Get a red-hot poker and open up my eyes, it's so boring’: Employee perceptions of cybersecurity training.” Computers & Security 106 (2021), https://doi.org/10.1016/j.cose.2021.102281
✦ Best article title ever, or best article title EVER?!

Slide 26

Slide 26 text

What do people believe about infosec threats?
✦ We’ve seen a lot of it before. But for the record, here are themes the article found:
    ✦ “I already know all this, or at least enough to make my own decisions!” (Another pitfall of neverending Infosec 101… people have no reason to realize everything they don’t know, because they’re never shown anything beyond the 101 level!)
    ✦ (This is another reason I like Backdoors and Breaches in this class. It gives you a sense of the breadth of infosec knowledge that there is.)
    ✦ “I don’t need to understand this, even if I could! The system needs to handle its own security! Usably!” (Attributed to “younger users.” The pitfall here is that no tech system can fix social engineering attacks.)
    ✦ Password issues. (Including one org where the training recommended a password manager… which the org refused to let employees install or use.)

Slide 27

Slide 27 text

Content and delivery
✦ As we’ve seen: it ain’t great. (I critique UW’s trainings because I genuinely think they’re awful.)
    ✦ People’s mood at training time also matters, unsurprisingly.
    ✦ Misery loves company: group training preferred to individual.
✦ I have sympathy! Of course I do. High production values take a lot more time and effort than I have.
    ✦ Add in internationalization and accessibility requirements, and the workload multiplies by… a lot.
✦ I don’t have sympathy for:
    ✦ Measures that try to force attention — e.g. online trainings that won’t advance unless they’re the topmost window, video that only plays at 1x speed. Get over yourselves, trainers.
    ✦ Irrelevancies. Again, know the context and work within it!
    ✦ Unexplained or unnecessary jargon. Condescension. Scare tactics.

Slide 28

Slide 28 text

The behavior of others
✦ We’re social animals, we humans. We behave as the others around us behave.
✦ In almost all organizations, “the others around us” are not infosec folks!
    ✦ And infosec folks tend to be pretty siloed. Those of you with jobs: do you know who’s securing your org’s systems? By name? I’d be surprised if you did. Who’s the current UW-Madison CISO, for that matter? I don’t think I’ve mentioned…
✦ So we enable each other’s poor infosec hygiene.
    ✦ Including spreading misunderstandings and broken mental models.
✦ It’s worse if the poor hygienist is our boss. They can demand that we do the wrong thing!
✦ Where training conflicts with human social behaviors, training will lose. No question about it.

Slide 29

Slide 29 text

With one caveat:
✦ People bring infosec dilemmas to someone they trust, respect, and believe is knowledgeable.
    ✦ I’ve had it happen a fair bit, with colleagues as well as students.
    ✦ (Hey, I appreciate the trust and respect! I’m kind of proud of this.)
✦ For an org that’s serious about security…
    ✦ (rather than treating it as a pointless compliance exercise)
✦ … it makes a lot of sense to locate and leverage these people!
    ✦ Could they be involved in training somehow?
    ✦ Can they be recognized for their efforts?

Slide 30

Slide 30 text

Okay, two caveats:
✦ People will use convenient, available, usually informal comms channels to ask infosec questions.
    ✦ They come up not-infrequently on the UW-Madison subreddit.
✦ It can make sense to (discreetly and non-creepily) keep an eye on those.
    ✦ Setting up alerts on words (e.g. in a work Slack) may make sense.
    ✦ If there’s an infosec person (or a connector, as before) with very good social judgment and skill at explaining, answering questions or weighing in on situations may be a way to build useful social trust.
    ✦ But the good social judgment is vital!!!! Just horning in on every vaguely-relevant conversation (or worse, posting canned answers) won’t help — in fact, it’ll hurt.
    ✦ (When I was on Reddit, I answered infosec questions on the sub. My answers got upvoted, so my social acumen seems… mostly okay?)

Slide 31

Slide 31 text

Summing up
✦ Infosec training sucks, but it doesn’t have to.
✦ Making it not suck involves:
    ✦ taking it seriously, and having goals for it besides compliance
    ✦ not putting people through endless rounds of the same old Infosec 101 stuff; letting those who are ready learn more!
    ✦ understanding and working with local context and human habits
    ✦ offering workable guidance, avoiding unreachable “don’t ever click links in email!” ideals
    ✦ using STORIES, explaining WHY, because that…
    ✦ … helps people build mental models, threat models, etc. without which very little guidance (even when it’s workable) makes sense
    ✦ leveraging and building on org-internal social relationships, partly to hear and answer point-of-need questions

Slide 32

Slide 32 text

Questions? Ask them! This lecture is copyright 2018 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.

Slide 33

Slide 33 text

On phishing tests and deception LIS 510

Slide 34

Slide 34 text

I’ve changed my tune on phishing tests.
✦ I used to be just eyerolly about phishing tests.
✦ I now think they are unethical, and not only ineffectual, but actively dangerous to an organization’s overall infosec posture.
✦ Don’t do them. Don’t pay for them. Protest them.

Slide 35

Slide 35 text

How people are successfully phished
✦ Do they know/recall that phishing is a thing?
    ✦ Research: this is the big stumbling block, actually!
    ✦ Experts and non-experts use most of the same cues to detect phish. Experts, however, always have the possibility of phish in mind.
✦ Do they know what to do about it?
    ✦ Is there an easy way to report? Do they know they won’t be punished if they report a false positive? Or report that they fell for a phish?
✦ Do they think that reporting a phish actually accomplishes anything?
    ✦ Around here they disappear into a black box. Bad idea — people are curious! Teach them by satisfying their curiosity!
✦ Does the phish “hook” them?
    ✦ Urgency, $$$, authority are the Big Three hooks.

Slide 36

Slide 36 text

Handling phishing right: UW-Madison’s library-IT folks (for the record, I got Ayça’s permission to show you her email)

Slide 37

Slide 37 text

What’s good about this
✦ Ayça is a human being and a colleague!
    ✦ (She was always the one to send out those emails.)
    ✦ She also has a longstanding reputation for expertise and helpfulness.
✦ Point-of-need and point-of-curiosity training
    ✦ Not once-a-year yawnfests
✦ Actual real-world example
    ✦ Better yet, one that was going around just then
✦ Conversational tone
    ✦ Again, Ayça is writing as a PERSON, not a parrot (stochastic or otherwise).
✦ Kairos! Helpful navigation for a lengthy email.

Slide 38

Slide 38 text

Why phish tests happen
✦ Compliance and “cover our butts,” again.
    ✦ Like training, phishing tests are construed as Doing Something.
✦ “Number go up” assessment mentality
    ✦ If 90% of employees pass the first phish test and 95% pass the second, NUMBER WENT UP, so everything’s cool in infosecland, right? RIGHT?!
✦ Superficial, erroneous “they must be ignorant/stupid” belief about why people fall for phishes
    ✦ If you actually ask people (what a concept, I know!), it’s because they’re overworked and rushed. Or they don’t care, screw IT.
    ✦ Who has time to thoughtfully consider each and every link in an email?! Their boss would just yell at them for being unproductive.
    ✦ Phishing tests cannot fix this root cause!!!!!!!!

Slide 39

Slide 39 text

The “gotcha” motive
✦ A lot of infosec people enjoy puzzles, games, especially in competitive contexts. Nothing necessarily wrong with that, okay?
    ✦ Though I do think it’s a limiter for the broader infosec workforce.
✦ It becomes a problem when it turns into the wish to trick/con, embarrass, trash-talk, or laugh at other people. That’s garbage-human territory.
✦ Do I think phishing tests happen partly because some infosec folks get their jollies out of feeling superior to others?
    ✦ And build phish tests that give them maximum jollies?
✦ Yeah. I do. And that’s a bad, bad problem.

Slide 40

Slide 40 text

(a digression)
✦ My dad was a university professor. Anthropology.
✦ He hated his students. HATED. Despised them. Genuinely loved putting trick questions on exams and laughing when his students fell for them.
    ✦ He also used students as pawns in fights with his department.
✦ This is horrific pedagogy. When I accidentally ended up teaching, I swore to myself that I would do things differently. I hope I have.
    ✦ It may seem obvious that instructors actually have to want their students to learn, but… my dad never did.
✦ … A lot of infosec trainers (infosec people in general, really) remind me of my dad. Not good.

Slide 41

Slide 41 text

If I just speared you over schadenfreude…
✦ … yeah, sorry. I have Feelings about all this.
✦ But we all need you to fix your heart, okay?
✦ A world where folks are all out to con and laugh at and despise other folks is… not a good world.
    ✦ Also, making people feel special via inviting them to despise others is an enormously common con/grift tactic. Resist it for your OWN sake.
✦ It’s possible to change. It’s possible to do and be better. You don’t win by shoving others down.
    ✦ I’ve had to struggle with my own character defects too. I lived through it and did better. If I can, you can.
✦ Take joy in other people. Celebrate them!
    ✦ As a teacher/trainer, celebrate their learning.

Slide 42

Slide 42 text

Randall Munroe, “Ten Thousand” https://xkcd.com/1053/ CC-BY-NC

Slide 43

Slide 43 text

How phish tests work
✦ Internal infosec office or external contractor designs test, including the pretext(s) it will use.
    ✦ Links in the email usually lead to some kind of “you got phished, you big silly! don’t do that!” gotcha/training page.
✦ Test is fielded against all employees, with little or no notice beforehand.
    ✦ Here there’s usually some kind of announcement, but it’s buried and easy to miss.
✦ Those who fall for the phish are individually identified and reported on.
    ✦ There’ll be an identifier in the link in the fake-phish email, tied to each email address the fake phish is sent to.

Slide 44

Slide 44 text

Cost in time, productivity, and trust
✦ UW-Madison employs over 20,000 people.
✦ Imagine that each person spends just one minute considering that fake phish. That’s over 20,000 minutes of work time, or 333 hours.
    ✦ I don’t have an average salary to hand (median would be better anyway), but let’s assume it’s something like $50/hour. That’s $16,650 plus the cost to build and field the test and analyze the results, just for one dang phishing test.
    ✦ Notice that I’m not even counting (re)training time here. It adds up.
✦ Nobody likes phish tests. (I actively resent UW System for doing them.) Does your org need more reasons for employees to be mad at it?

Slide 45

Slide 45 text

Is it worth it?
✦ No training or testing has been shown to eliminate successful phishes altogether.
✦ Counterintuitively, repeated phishing tests plus non-mandatory training can make people MORE likely to click on real phish.
    ✦ Lain, Kostiainen & Čapkun 2021
    ✦ Why? Not clear, but it seems the affected folks think the “you failed the phish test” page means the org detects and handles phishing…
    ✦ … so they don’t actually have to worry about phish as individuals.
    ✦ In other words, folks completely misunderstood the point of the test! That… doesn’t bode well for their infosec hygiene generally, and it also doesn’t say much for any training they’ve gotten.

Slide 46

Slide 46 text

Cruel pretexts
✦ Money, sometimes life-changing money, aimed at folks who are poor and/or poorly paid
    ✦ Real-life examples: COVID benefits, bonuses, health-care promises, discounts — that didn’t exist.
    ✦ I saw an infosec pro on Twitter point out that the root cause here is actually lousy pay and benefits. That’s absolutely correct; treating people poorly and underpaying them creates a lot of infosec risk.
✦ Higher ed: grade- or disciplinary-action-related scare tactics
✦ Phishes ostensibly from the [Big] Boss, often designed to make the person think they might be (or get) in trouble
    ✦ I’m waiting for somebody with anxiety to sue under the ADA over this. I am not a lawyer, but I have to think it’d be a workable case.

Slide 47

Slide 47 text

Seriously don’t do this. It’s evil.

Slide 48

Slide 48 text

Defense from phish testers: “But garbage humans are using these tactics to phish!”
✦ Yeah. They are.
✦ So what does that make you, exactly, O Phish Tester?
✦ Look. Infosec is not a get-out-of-garbage-human-stuff-free card. Cruelty is cruelty. Lying is lying.
✦ Phish testers deserve every bit of the pushback they get over phishing tests. And more, frankly.

Slide 49

Slide 49 text

Punishment over phishing-test results
✦ It’s happened. It shouldn’t.
✦ It’s an absolutely sordid and unethical idea.
    ✦ One reason: phish people often enough, and everyone will eventually click. Yes, pretty much everyone. (Lain, Kostiainen & Čapkun 2021) Different people fall for different pretexts, but everybody’s vulnerable to something.
    ✦ Another reason: disincentivizing reporting, again — if people are afraid to report infosec issues because they fear punishment, incidents are more likely, higher-severity, and longer-lasting.
    ✦ A third: disciplining people you intentionally deceived is just gross. It’s a garbage-humanny, unethical way to treat people.
✦ Keep in mind also that people perceive “you failed; go take another training” as punishment.

Slide 50

Slide 50 text

Public blame-and-shame
✦ Are you kidding me?!?!?! I didn’t want to believe this even happens.
✦ Management 101: never, ever, EVER shame employees in public.
    ✦ Any conversation involving critique (much less discipline) must be held in private! And kept as confidential as possible!
    ✦ Anything else creates an organizational culture of terror and secrecy over mistakes… which is terrible for the org’s infosec posture.
✦ Public shaming is also (one more time!) just an awful way to treat people. It won’t help them learn… but will make them leave!

Slide 51

Slide 51 text

Lost trust in infosec people
✦ You DO NOT want the top association people have with infosec folks to be phishing tests.
    ✦ Like, this is actually super-dangerous!!!!!
✦ Will someone who associates infosec with deception and cruelty report infosec problems?
✦ Will they do what infosec says?
    ✦ What if it’s mid-incident, and really important that they do?
✦ Will they feel morally/ethically justified doing end-runs around those liars in infosec?
✦ Will they write off everything infosec-related because “those people are just JERKS”?

Slide 52

Slide 52 text

Malicious “compliance” and lost productivity

Slide 53

Slide 53 text

Better ideas
✦ (mostly from the Lain et al. piece)
✦ Make it easy to report suspected phish. Then take people’s reports seriously!
    ✦ It turns out that if reporting is easy enough, people will get in the habit of doing it (habituation for the win, for once!), and won’t get sick of it.
    ✦ Averaged over the organization, these reports are indeed good advance indicators of phishing campaigns. (I think it’s likely possible to improve on this, by evaluating who’s a good phish reporter, then paying extra attention to their reports. Future research!)
✦ Positive reinforcement: reward phish-finders!
    ✦ Including those who initially fall for a phish, but report it quickly anyway.
    ✦ Tell them when they detected real phish, so their phish-radar improves.
✦ Detect phish technically, and stop delivery.
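As an added example (not from the lecture, nor from Lain et al.), the Python sketch below shows how a security team could act on the two ideas in this slide: treat user phish reports, averaged over the org, as an early indicator of a campaign, and weight each report by the reporter's past accuracy. Reporter names, history values and the sample reports are all constructed; the clustering key, the smoothing prior and the threshold are assumptions a real deployment would tune.

```python
"""Triage of user-submitted phish reports, weighted by reporter track record."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Report:
    reporter: str   # who pressed the "report phish" button
    sender: str     # From: address of the reported message
    subject: str    # Subject line of the reported message
    minutes: int    # minutes since the start of the observation window


# Constructed reporter history: (confirmed phish reported, total reports).
# A real deployment would derive these numbers from prior triage outcomes.
HISTORY = {
    "alice": (18, 20),   # reliable reporter
    "bob": (2, 10),      # reports a lot of newsletters as phish
}

# Constructed sample reports: three people report one campaign, plus noise.
SAMPLE_REPORTS = [
    Report("alice", "payroll@example-payroll.test", "Bonus payment 4471", 3),
    Report("bob", "payroll@example-payroll.test", "RE: Bonus payment 4472", 7),
    Report("carol", "payroll@example-payroll.test", "Fwd: bonus payment 4480", 9),
    Report("bob", "newsletter@vendor.test", "Weekly digest", 12),
    Report("bob", "newsletter@vendor.test", "Weekly digest", 15),  # duplicate
]


def reporter_weight(reporter, history=HISTORY, prior=(1, 2)):
    """Laplace-smoothed true-positive rate; an unknown reporter counts as 0.5."""
    hits, total = history.get(reporter, (0, 0))
    return (hits + prior[0]) / (total + prior[1])


def campaign_key(report):
    """Normalize sender domain and subject so one campaign's reports cluster.

    Reply/forward prefixes are dropped and digit runs collapsed, because
    campaign subjects typically differ only by a fake invoice or ticket number.
    """
    domain = report.sender.split("@")[-1].lower()
    subject = re.sub(r"^(re|fwd?):\s*", "", report.subject.strip(), flags=re.I)
    subject = re.sub(r"\d+", "#", subject.lower())
    return (domain, subject)


def triage(reports, threshold=1.5):
    """Return {campaign_key: (weighted score, minute of first report)} for
    every cluster whose weighted score reaches the threshold. One vote per
    reporter per cluster, so a single enthusiastic reporter cannot trip it."""
    score = defaultdict(float)
    first_seen = {}
    voters = defaultdict(set)
    for r in reports:
        key = campaign_key(r)
        if r.reporter in voters[key]:
            continue
        voters[key].add(r.reporter)
        score[key] += reporter_weight(r.reporter)
        first_seen[key] = min(first_seen.get(key, r.minutes), r.minutes)
    return {k: (round(score[k], 2), first_seen[k])
            for k in score if score[k] >= threshold}


def reporters_to_thank(reports, flagged):
    """Everyone whose report landed in a flagged cluster: close the loop with
    them, so reports stop vanishing into a black box and their radar improves."""
    return {r.reporter for r in reports if campaign_key(r) in flagged}


if __name__ == "__main__":
    flagged = triage(SAMPLE_REPORTS)
    for key, (total, minute) in flagged.items():
        print(f"likely campaign {key}: score {total}, first report at minute {minute}")
    print("thank:", sorted(reporters_to_thank(SAMPLE_REPORTS, flagged)))
```

With the sample data the payroll cluster crosses the threshold at minute 9, three reports in, while bob's newsletter never does.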

Slide 54

Slide 54 text

Address root causes
✦ Starvation wages and benefits
✦ Poor financial controls
    ✦ I cannot get over how long it takes organizations (of all sizes, small to gargantuan) to notice fake invoices!!!!!
    ✦ There are supposed to be PROCESSES for knowing who your vendors are, and that a given invoice is legitimate!
✦ Rushed workers, understaffing
✦ Crappy systems that get in people’s way and force them to come up with workarounds
✦ Jerk bosses, intimidation at work
✦ (Notice how only one of these is technological? Yeah. Infosec is about people or it’s garbage.)

Slide 55

Slide 55 text

Questions? Ask them! This lecture is copyright 2018 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.