Security Awareness Training, Influence, and Personality Walk into a Bar… (PowerPoint presentation)


Uploaded On 2019-11-25






Presentation Transcript

Security Awareness Training, Influence, and Personality Walk into a Bar… Karla Carter | @rptrpn | karla.carter@bellevue.edu

“Social engineering techniques rely on influencing the victim to do something that is against their best interest, but different influence techniques work better on different victims, because everyone has different personalities, strengths and weaknesses. Research has shown a correlation between the five-factor personality measure (“The Big 5”) and cybersecurity behaviors. While it’s impractical to set up personalized security awareness training programs for each individual, it’s possible to create a program that will speak to multiple types of personalities and the influence risks those imply. Come explore ways to help users resist social engineering by designing security awareness training programs that align employees’ risk of influence factors (authority, social proof, scarcity, consistency/commitment, likability, and reciprocation) with their Big 5 personality profiles.”

The audience is expected to participate! (Professor Karla says so)

Warning! The content of this talk is not intended to be prescriptive. Any information presented here should not be used to keep someone out of a cybersecurity role if they truly want to be in cybersecurity…nor should users be let go for being agreeable.

Why?
Personality
Influence
Security Awareness Training

Why do we care?

Verizon Data Breach Investigations Report (DBIR)
Nearly half of all incidents are related to human factors, aka social engineering
Most incidents are attributable to human error: social engineering combined with user error (“miscellaneous errors”)
Security awareness training is patching the human

“Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites.” (Ars Technica )

Actual page: http://www.equifax.com/help/data-breach-solutions/

“The hacker compromised the firm’s global email server through an ‘administrator’s account’ that, in theory, gave them privileged, unrestricted ‘access to all areas’. The account required only a single password and did not have ‘two-step’ verification, sources said.”

Personality Traits
Behavior = intersection between traits and situational variables
  Students in a lecture hall sit quietly, regardless of personality
  Students at a social gathering are likely to show their personality
Predictive?
Temperament versus personality
  Temperament is dynamic behavior, e.g. energy, emotionality
  Personality is content-based, e.g. values, preferences
IPIP-NEO aka OCEAN aka Big 5 aka Five-Factor Model (FFM)

IPIP-NEO aka OCEAN aka “Big 5” aka FFM
IPIP: International Personality Item Pool, http://ipip.ori.org/
NEO: Neuroticism – Extraversion – Openness Inventory (the “Big 3”), http://personal.psu.edu/faculty/j/5/j5j/IPIP/ipipneo120.htm
Star Wars version (for fun): http://www.celebritytypes.com/star-wars/test.php
OCEAN: Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism
Each trait is a continuum
Works across cultures
The one measure most psychologists can agree on
Correlations, not causations

A Note about Conscientiousness…
Motivated by different things
  Higher Conscientiousness = internal
  Lower Conscientiousness = external: people, deadlines
Benefits of Lower Conscientiousness
  Higher life satisfaction outside work; able to handle unemployment or work setbacks much better
  Faster to adapt to change; associated with higher creativity
  Correlated with higher Openness
Workplace victim status is highly correlated with higher Conscientiousness

Freed Cybersecurity Professional Study
Ms. Freed is an HR specialist with an MS in Industrial-Organizational Psychology
“Examination of Personality Characteristics Among Cybersecurity and Information Technology Professionals” by Sarah Freed, March 2014
“… indicating the need for specialized training, assessment, and selection procedures for cybersecurity professionals”

Freed Cybersecurity Professional Study: how cybersecurity professionals score, by domain and facet
Openness: score higher
  Intellect: higher
  Adventurousness: higher
Conscientiousness
  Dutifulness: higher
  Cautiousness: higher
Extraversion
  Assertiveness: higher
Agreeableness: score lower
  Trust: lower
  Sympathy: lower
Neuroticism
  Anxiety: higher
  Vulnerability: lower
  Self-consciousness: lower

IPIP-NEO results (domain in capitals, facets indented)

Domain/Facet                Score
OPENNESS TO EXPERIENCE         88
  Imagination                  83
  Artistic Interests           88
  Emotionality                  3
  Adventurousness              88
  Intellect                    91
  Liberalism                   78
CONSCIENTIOUSNESS              13
  Self-Efficacy                34
  Orderliness                   2
  Dutifulness                   1
  Achievement-Striving         26
  Self-Discipline              33
  Cautiousness                 75
EXTRAVERSION                   29
  Friendliness                 14
  Gregariousness                2
  Assertiveness                66
  Activity Level               63
  Excitement-Seeking           51
  Cheerfulness                 39
AGREEABLENESS                   0
  Trust                        13
  Morality                     10
  Altruism                      5
  Cooperation                  24
  Modesty                       7
  Sympathy                     11
NEUROTICISM                    38
  Anxiety                      76
  Anger                        60
  Depression                    7
  Self-Consciousness           66
  Immoderation                  9
  Vulnerability                43

Influence (Robert Cialdini, Influence): Six Principles
Reciprocity: “I’ll scratch your back…”
Commitment and consistency: “It is easier to resist at the beginning than at the end” (attributed to Leonardo da Vinci)
Social proof: “monkey see, monkey do”; the standing ovation; Amazon ratings
Authority: titles and trappings
Liking: physical attractiveness, similarity, compliments, cooperation, familiarity
Scarcity: “The way to love anything is to realize that it might be lost” (G.K. Chesterton)

Generalizations (research-based): traits correlated with susceptibility to each principle
Reciprocity: higher Conscientiousness
Commitment and consistency: lower Openness, higher Conscientiousness, higher Agreeableness
Social proof: lower Openness, higher Neuroticism
Authority: men, lower Openness, higher Agreeableness
Liking: lower Openness, lower Conscientiousness, higher Agreeableness
Scarcity: women

So, then, we just don’t hire people with low Openness and high Agreeableness? NO!!!!
You train them, using their trait vulnerabilities to appeal to them
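The Generalizations slide pairs each of Cialdini’s principles with the trait directions that research associates with susceptibility. As an added example, not part of Karla Carter’s deck, the Python below encodes those pairings as rules, takes a Big 5 domain profile, ranks the principles that profile is most exposed to, and picks matching training themes, which is the "play to their personality" step in code. Assumptions: domain scores are IPIP-NEO percentile scores on 0-100 (the deck’s table shows scores but does not state the scale); the two gender-based generalizations are reported as notes rather than scored; the training-theme labels are the example’s own; and of the two sample profiles, the first copies the domain rows of the deck’s score table and the second is constructed to match the low-Openness/high-Agreeableness case the slide above asks about.

```python
"""Rank Cialdini's influence principles against a Big 5 (IPIP-NEO domain) profile.

Added example, not from the original deck. Encodes the "Generalizations
(research-based)" slide as rules and ranks the principles a given profile
is most exposed to, so awareness content and phishing simulations can be
matched to the user. Domain scores are assumed to be IPIP-NEO percentiles
(0-100). Training themes are hypothetical labels, not the deck's.
"""

DOMAINS = ("openness", "conscientiousness", "extraversion",
           "agreeableness", "neuroticism")

# From the Generalizations slide: ("higher" | "lower", trait) means that
# direction of the trait is associated with susceptibility to the principle.
TRAIT_RULES = {
    "reciprocity": [("higher", "conscientiousness")],
    "commitment_consistency": [("lower", "openness"),
                               ("higher", "conscientiousness"),
                               ("higher", "agreeableness")],
    "social_proof": [("lower", "openness"), ("higher", "neuroticism")],
    "authority": [("lower", "openness"), ("higher", "agreeableness")],
    "liking": [("lower", "openness"), ("lower", "conscientiousness"),
               ("higher", "agreeableness")],
    "scarcity": [],
}

# Demographic generalizations from the same slide. Reported as notes rather
# than scored, because they are not on the 0-100 trait scale.
DEMOGRAPHIC_NOTES = {"authority": "men", "scarcity": "women"}

# Hypothetical training themes (assumption: the deck names no modules).
TRAINING_THEMES = {
    "reciprocity": "unsolicited gifts/favors: no obligation to click or reply",
    "commitment_consistency": "escalating small requests: re-check at every step",
    "social_proof": "'everyone else already did it' pretexts: verify out of band",
    "authority": "exec/IT impersonation: challenge the request regardless of title",
    "liking": "familiar-sender and compliment pretexts: verify the sender, not the tone",
    "scarcity": "deadline/urgency pretexts: slow down when pressured",
}


def validate_profile(profile):
    """Require all five domains, each an integer percentile in 0..100."""
    missing = [d for d in DOMAINS if d not in profile]
    if missing:
        raise ValueError(f"missing domains: {missing}")
    for d in DOMAINS:
        s = profile[d]
        if not isinstance(s, int) or not 0 <= s <= 100:
            raise ValueError(f"{d} must be an int percentile 0..100, got {s!r}")


def susceptibility(profile, principle):
    """Mean distance into the vulnerable direction over the principle's rules,
    in percentile points. 'higher X' contributes score(X); 'lower X'
    contributes 100 - score(X). A principle with no trait rule scores 0.0."""
    rules = TRAIT_RULES[principle]
    if not rules:
        return 0.0
    points = [profile[t] if d == "higher" else 100 - profile[t] for d, t in rules]
    return round(sum(points) / len(points), 1)


def rank_principles(profile):
    """Principles from most to least susceptible: list of (name, score, note)."""
    validate_profile(profile)
    ranked = [(p, susceptibility(profile, p), DEMOGRAPHIC_NOTES.get(p, ""))
              for p in TRAIT_RULES]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def recommend_training(profile, top_n=3):
    """Training themes for the top-N principles. This chooses content; per the
    deck's warning it is not an input to hiring or to keeping anyone out of a
    role."""
    return [(p, TRAINING_THEMES[p]) for p, _, _ in rank_principles(profile)[:top_n]]


# Constructed sample profiles. DECK_PROFILE copies the domain rows of the
# Domain/Facet score table in the deck; LOW_O_HIGH_A is invented to match the
# "we just don't hire people with low Openness and high Agreeableness?" case.
DECK_PROFILE = {"openness": 88, "conscientiousness": 13, "extraversion": 29,
                "agreeableness": 0, "neuroticism": 38}
LOW_O_HIGH_A = {"openness": 20, "conscientiousness": 70, "extraversion": 50,
                "agreeableness": 85, "neuroticism": 40}

if __name__ == "__main__":
    for name, prof in (("deck profile", DECK_PROFILE), ("low O / high A", LOW_O_HIGH_A)):
        print(name)
        for p, score, note in rank_principles(prof):
            print(f"  {p:<23} {score:5.1f}" + (f"  (also: {note})" if note else ""))
        for p, theme in recommend_training(prof):
            print(f"  -> {p}: {theme}")
```

For the deck’s own profile the ranking puts Liking first (driven almost entirely by the very low Conscientiousness score) and Social proof second; for the constructed low-Openness/high-Agreeableness profile Authority, then Commitment and consistency, come out on top, which is the pairing the slide is pointing at. The numbers are only as good as the correlations behind them (the deck itself says correlations, not causations), so treat the output as a way to choose which pretexts and modules a user sees first, not as a measurement of the person.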

Security Awareness Training
Security Awareness Maturity Model (Lance Spitzner for SANS Securing the Human), percentages as given on the slide:
Non-Existent: 7.6%
Compliance Focused: 27.1%
  Driven by compliance or audit requirements; annual or ad hoc; no attempt to change behavior
  False sense of security: just as vulnerable as a non-existent program
Promoting Awareness & Behavior Change: 54.6%
Long-Term Sustainment & Culture Change: 9.8%
Metrics Framework: 0.85%

Security Awareness Training
Over time the investment in cybersecurity tools has gone up, but investment in human awareness has not, usually for lack of people and time
Most security experts know the human risks, but don’t communicate in a way that is heard:
  Not engaging (compare the CDC Zombie Apocalypse campaign: https://www.cdc.gov/phpr/zombie/index.htm)
  Not in users’ terms
  Too much content at once
  Focus on “no”
Multi-prong approach
  Play to their personality
  Let users pick the materials that appeal to them

[Insert Audience brainstorming Here]

IPIP-NEO results (repeat of the Domain/Facet score table shown earlier), Gender: Female

Questions?

October is National Cybersecurity Awareness Month (NCSAM)!