Presentation is loading. Please wait.

Presentation is loading. Please wait.

Norman M. Sadeh, Ph.D. Smart Phone Security & Privacy: What Should We Teach Our Users …and How? Professor, School of Computer Science Director, Mobile.

Similar presentations


Presentation on theme: "Norman M. Sadeh, Ph.D. Smart Phone Security & Privacy: What Should We Teach Our Users …and How? Professor, School of Computer Science Director, Mobile."— Presentation transcript:

1 Norman M. Sadeh, Ph.D. Smart Phone Security & Privacy: What Should We Teach Our Users …and How? Professor, School of Computer Science Director, Mobile Commerce Lab. Carnegie Mellon University Co-Founder & Chief Scientist Wombat Security Technologies

2 Copyright © Norman M. Sadeh The Smart Phone Invasion FISSEA

3 Copyright © Norman M. Sadeh BYOD: The New Frontier 48% of employees will buy their own devices – whether their organization approves that particular device or NOT! (Forrester Research) Blur between work life & private life FISSEA Unrealistic policies dont work – even if they look good If you cant fight them, join them …hopefully under your own terms…

4 Copyright © Norman M. Sadeh The Problem is that… BYOD implies users who are: responsible knowledgeable accountable FISSEA Is this truly possible? Do we really have a choice?

5 Copyright © Norman M. Sadeh Training has a Big Role to Play …But training has traditionally failed Security is a secondary task: employees are not motivated to learn Traditional delivery methods and content have not been very compelling Required knowledge is vast & continues to grow Practical strategies and tips are not always easy to articulate FISSEA

6 Copyright © Norman M. Sadeh Mobile Security & Privacy Training …at least as complex… Mediates a wide range of scenarios Phone calls, SMS, camera, location, , apps and much more Lack of awareness: People do not think of their smart phone as a computer Variety of devices FISSEA ….and obviously they are mobile devices…

7 Copyright © Norman M. SadehFISSEA P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall,A Conundrum of Permissions: Installing Applications on an Android Smartphone, USEC2012. Android Permissions: An Example of the Challenges We Face

8 Copyright © Norman M. Sadeh What Are We Up Against? Misconceptions: Most users did not realize that apps were not vetted Unusable security: Most users do not understand Android permissions Bad habits & cognitive biases: Most users rely on word of mouth and star ratings Users always proceed with the download of apps, even though they dont understand the permissions FISSEA Where Do We Start?

9 Copyright © Norman M. Sadeh Understanding the Risks: The Big Gap FISSEA Most people do not realize how sensitive their phones are © Wombat Security Technologies,

10 Copyright © Norman M. Sadeh …and How Vulnerable They Are… Challenge them to take quizzes …or better: Motivate them via mock attacks Nothing beats showing a user how vulnerable (s)he is FISSEA

11 Copyright © Norman M. Sadeh Phishing as An Example phishing: Much worse on mobile phones Mobile users are first to arrive at phishing websites Mobile users 3x more likely to submit credentials than desktop users Source: Trusteer, Jan – similar

12 Copyright © Norman M. Sadeh Teach people in the context they would be attacked If a person falls for simulated phish, then pop up an intervention Unique teachable moment Training via Mock Attacks: PhishGuru

13 Copyright © Norman M. Sadeh Select Target Employees Customize Fake Phishing Select Training Internal Test and Approval Process Hit Send Monitor & Analyze Employee Response

14 Copyright © Norman M. Sadeh This really works! Reduces the chance of falling for an attack by more than 70% ! Actual Results percentage

15 Copyright © Norman M. Sadeh Starting with the Most Common Threats FISSEA Source for image: Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs

16 Copyright © Norman M. Sadeh Learning by Doing is Critical Teach people to better appreciate the risks Create mock situations Force them to make decisions Provide them with feedback FISSEA © Wombat Security Technologies,

17 Copyright © Norman M. Sadeh Gradually Move Towards More Complex Tasks Mobile Apps Location Social Networking FISSEA

18 Copyright © Norman M. Sadeh Mobile Apps Challenge: difficult to come up with full-proof rules Train people to be suspicious & look for possible red flags Emphasis on: Learning by doing Feedback Opportunities for reflection FISSEA

19 Copyright © Norman M. Sadeh From Simple to Increasingly Realistic FISSEA © Wombat Security Technologies,

20 Copyright © Norman M. Sadeh Concluding Remarks BYOD trends make training critical Users have little awareness of the risks associated with smart phones Effective training requires adoption of learning science principles Creating realistic scenarios – including mock attacks Interactive training - Learning by doing Start with most common risks Training has to be part of an employees daily life – repetition & variations are critical FISSEA

21 Copyright © Norman M. Sadeh Q&A


Download ppt "Norman M. Sadeh, Ph.D. Smart Phone Security & Privacy: What Should We Teach Our Users …and How? Professor, School of Computer Science Director, Mobile."

Similar presentations


Ads by Google