Smart Phone Security & Privacy
What Should We Teach Our Users …and How
Norman M. Sadeh, PhD
Professor, School of Computer Science, Carnegie Mellon University; Director, Mobile Commerce Lab; Co-Founder & Chief Scientist, Wombat Security Technologies
The Smart Phone Invasion
Copyright © 2011-2012 Norman M. Sadeh, FISSEA 2012 - 2
BYOD: The New Frontier
48% of employees will buy their own devices – whether their organization approves that particular device or NOT (Forrester Research)
Blur between work life & private life
Unrealistic policies don't work – even if they look good
"If you can't fight them, join them" …hopefully under your own terms…
The Problem is that… BYOD implies users who are: knowledgeable, responsible, accountable
Is this truly possible?
Do we really have a choice?
Training has a Big Role to Play
…But training has traditionally failed:
Security is a secondary task: employees are not motivated to learn
Traditional delivery methods and content have not been very compelling
Required knowledge is vast & continues to grow
Practical strategies and tips are not always easy to articulate
Mobile Security & Privacy Training …at least as complex…
Mediates a wide range of scenarios: phone calls, SMS, camera, location, email, apps, and much more
Variety of devices
Lack of awareness: people do not think of their smart phone as a computer
…and obviously they are mobile devices…
Android Permissions: An Example of the Challenges We Face
P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall, "A Conundrum of Permissions: Installing Applications on an Android Smartphone", USEC 2012
What Are We Up Against? Where Do We Start?
Misconceptions: most users did not realize that apps were not vetted
Unusable security: most users do not understand Android permissions
Bad habits & cognitive biases: most users rely on word of mouth and star ratings
Users always proceed with the download of apps even though they don't understand the permissions
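The slide above says most users cannot read Android permissions and install anyway. As an added example (not code from the slides or from the cited paper), the script below parses the `<uses-permission>` entries of an AndroidManifest.xml and turns them into the kind of plain-language, red-flag-oriented summary a training tool could show instead of the raw permission list. The manifest is constructed for the example; the permission strings are real Android permissions, while the explanations and the per-category "expected" sets are this example's own assumptions, not an official classification.

```python
"""Plain-language explainer for Android app permissions.

Added example, not code from the slides or from the cited paper. It parses the
<uses-permission> entries of an AndroidManifest.xml and produces the kind of
plain-language, red-flag-oriented summary that training material can show a
user instead of the raw permission list. The manifest is constructed for the
example; the permission strings are real Android permissions, while the
explanations and the per-category "expected" sets are this example's own
assumptions, not an official classification.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Plain-language meaning of a few common permissions (wording is the example's own).
EXPLANATIONS = {
    "android.permission.INTERNET": "send and receive data over the network",
    "android.permission.ACCESS_FINE_LOCATION": "know your precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "know your approximate location",
    "android.permission.READ_CONTACTS": "read your address book",
    "android.permission.SEND_SMS": "send text messages, which may cost you money",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.CAMERA": "use the camera (on older Android versions also needed for the LED flash)",
    "android.permission.RECORD_AUDIO": "record audio with the microphone",
    "android.permission.CALL_PHONE": "place phone calls without asking you first",
}

# Permissions a user could reasonably expect from a given kind of app.
# Constructed for the example; a real training tool would maintain its own list.
EXPECTED_FOR_CATEGORY = {
    # A flashlight may show ads (INTERNET) and, on older Android, drives the
    # LED through the camera API (CAMERA). Anything else deserves a question.
    "flashlight": {"android.permission.INTERNET", "android.permission.CAMERA"},
    "maps": {"android.permission.INTERNET",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION"},
}
UNKNOWN = "an ability this explainer has no plain-language text for"


def requested_permissions(manifest_xml):
    """Permission names an app's manifest asks for, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def red_flags(permissions, category):
    """Permissions a user would not expect from this kind of app, sorted."""
    expected = EXPECTED_FOR_CATEGORY.get(category, set())
    return sorted(p for p in permissions if p not in expected)


def summarize(manifest_xml, category):
    """Human-readable summary with unexpected permissions marked '!!'."""
    perms = requested_permissions(manifest_xml)
    flags = set(red_flags(perms, category))
    lines = ["This %s app asks to:" % category]
    for p in perms:
        marker = "!! " if p in flags else "   "
        short = p.rsplit(".", 1)[-1]
        lines.append("  %s%s  (%s)" % (marker, EXPLANATIONS.get(p, UNKNOWN), short))
    if flags:
        lines.append("Permissions marked !! are unusual for a %s app; "
                     "ask why it needs them before installing." % category)
    return "\n".join(lines)


# Constructed manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_MANIFEST, "flashlight"))
```

The point for training is the contrast: the raw list (`INTERNET, CAMERA, SEND_SMS, READ_CONTACTS`) tells a typical user nothing, whereas "a flashlight that wants to send text messages and read your address book" is a red flag anyone can act on. The category-based expectation is deliberately simple; its value is in prompting the "why does it need that?" question, not in deciding for the user.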
Understanding the Risks: The Big Gap
Most people do not realize how sensitive their phones are
…and How Vulnerable They Are…
Challenge them to take quizzes
…or better: motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Phishing as an Example
Email phishing: much worse on mobile phones. Mobile users are first to arrive at phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source: Trusteer, Jan 2011 – similar
Training via Mock Attacks: PhishGuru
Teach people in the context they would be attacked
If a person falls for a simulated phish, then pop up an intervention
Unique "teachable moment"
Select Target Employees
Customize Fake Phishing Email
Select Training
Internal Test and Approval Process
Hit Send
Monitor & Analyze Employee Response
This really works: reduces the chance of falling for an attack by more than 70%
Actual Results (chart; y-axis: percentage)
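The process above ends with "Monitor & Analyze Employee Response", and the rule before it is that anyone who falls for the simulated phish gets an intervention at that moment. As an added example (not the slides' own code and not PhishGuru's), the script below shows what that analysis looks like over a mock-phishing platform's event log: the click/submit funnel per campaign, the relative drop in the fall-for rate between a baseline and a follow-up campaign, and the users who submitted credentials but never reached the intervention page. The log format, the campaign names and every event are constructed for this example.

```python
"""Funnel analysis for a simulated-phishing training campaign.

Added example, not the slides' or PhishGuru's own code. It takes the kind of
event log a mock-phishing platform records for the "Monitor & Analyze Employee
Response" step and computes the click/submit funnel per campaign, the drop in
the fall-for rate between two campaigns, and the people who fell for the
simulated phish but never reached the intervention page (a missed "teachable
moment"). The log format and all events below are constructed for the example.
"""
from collections import defaultdict

STAGES = ("sent", "clicked", "submitted", "trained")

# Constructed event log: one event per line, timestamp then key=value fields.
# "trained" means the intervention page was shown after a credential submission.
SAMPLE_LOG = """\
2012-03-01T09:00:00 campaign=baseline user=u001 event=sent
2012-03-01T09:00:00 campaign=baseline user=u002 event=sent
2012-03-01T09:00:00 campaign=baseline user=u003 event=sent
2012-03-01T09:00:00 campaign=baseline user=u004 event=sent
2012-03-01T09:12:31 campaign=baseline user=u001 event=clicked
2012-03-01T09:13:05 campaign=baseline user=u001 event=submitted
2012-03-01T09:13:06 campaign=baseline user=u001 event=trained
2012-03-01T10:47:50 campaign=baseline user=u002 event=clicked
2012-03-01T10:48:20 campaign=baseline user=u002 event=submitted
2012-03-01T10:48:21 campaign=baseline user=u002 event=trained
2012-03-01T14:02:09 campaign=baseline user=u003 event=clicked
2012-04-02T09:00:00 campaign=followup user=u001 event=sent
2012-04-02T09:00:00 campaign=followup user=u002 event=sent
2012-04-02T09:00:00 campaign=followup user=u003 event=sent
2012-04-02T09:00:00 campaign=followup user=u004 event=sent
2012-04-02T11:30:14 campaign=followup user=u003 event=clicked
2012-04-02T11:30:52 campaign=followup user=u003 event=submitted
"""


def parse_events(log_text):
    """Parse the key=value log into a list of dicts; reject unknown event names."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, *fields = line.split()
        rec = {"timestamp": timestamp}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        if rec.get("event") not in STAGES:
            raise ValueError("unknown event in line: %r" % line)
        events.append(rec)
    return events


def funnel(events, campaign):
    """Number of distinct users that reached each stage of the given campaign."""
    reached = defaultdict(set)
    for e in events:
        if e["campaign"] == campaign:
            reached[e["event"]].add(e["user"])
    return {stage: len(reached[stage]) for stage in STAGES}


def fall_rate(events, campaign):
    """Fraction of targeted users who submitted credentials to the mock phish."""
    f = funnel(events, campaign)
    return f["submitted"] / f["sent"] if f["sent"] else 0.0


def reduction_percent(events, before, after):
    """Relative drop (in percent) in the fall-for rate from `before` to `after`."""
    b, a = fall_rate(events, before), fall_rate(events, after)
    return 100.0 * (b - a) / b if b else 0.0


def missed_interventions(events, campaign):
    """Users who submitted but have no 'trained' event: they fell for the phish
    yet never saw the intervention, so the teachable moment was lost and they
    need a follow-up."""
    submitted, trained = set(), set()
    for e in events:
        if e["campaign"] != campaign:
            continue
        if e["event"] == "submitted":
            submitted.add(e["user"])
        elif e["event"] == "trained":
            trained.add(e["user"])
    return sorted(submitted - trained)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for c in ("baseline", "followup"):
        print(c, funnel(ev, c), "fall-for rate %.0f%%" % (100 * fall_rate(ev, c)))
    print("reduction: %.0f%%" % reduction_percent(ev, "baseline", "followup"))
    print("missed interventions in followup:", missed_interventions(ev, "followup"))
```

Two design points matter in practice. Rates are computed over distinct users, not raw events, so someone who clicks a link three times is not counted three times. And `missed_interventions` is the check that turns the "teachable moment" rule into something measurable: if the intervention page fails to load for a user who submitted, the campaign silently loses its training value, and that gap should be visible in the report rather than hidden inside an aggregate percentage.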
Starting with the Most Common Threats
Millions of cell phones lost or stolen each year; the majority of smart phone users still do not have PINs
Source for image: http://www.malaysianwireless.com/2011/09/advice-how-to-protect-your-smartphone
Learning by Doing is Critical
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
Provide them with feedback
Gradually Move Towards More Complex Tasks: From Simple to Increasingly Realistic
Mobile Apps, Location, Social Networking
Mobile Apps: challenge: it is difficult to come up with foolproof rules
Train people to be suspicious & look for possible red flags
Emphasis on learning by doing, feedback, opportunities for reflection
Concluding Remarks
BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles:
Creating realistic scenarios – including mock attacks
Interactive training - learning by doing
Start with most common risks
Training has to be part of an employee's daily life – repetition & variations are critical
Q&A
http://mcom.cs.cmu.edu
http://wombatsecurity.com
The Smart Phone Invasion
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 2
BYOD The New Frontier
48 of employees will buy their own devices ndash whether their organization approves that particular device or NOT (Forrester Research)
Blur between work life amp private life
Unrealistic policies donrsquot work ndash even if they look good
ldquoIf you canrsquot fight them join themrdquo
helliphopefully under your own termshellip
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 3
knowledgeable
accountableIs this truly possible
The Problem is thathellip
BYOD implies users who are
responsible
Do we really have a choice
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 4
Training has a Big Role to Play
hellipBut training has traditionally failed Security is a secondary task
employees are not motivated to learn
Traditional delivery methods and content have not been very compelling
Required knowledge is vast amp continues to grow
Practical strategies and tips are not always easy to articulate
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 5
Phone calls SMS camera location email apps and much more
Lack of awareness People do not think of their smart phone as a computer
Variety of devices
Mobile Security amp Privacy Training
hellipat least as complexhellip Mediates a wide range of scenarios
hellipand obviously they are mobile deviceshellip
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6
Android Permissions An Example of the Challenges We Face
P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7
of apps even though they donrsquot
Unusable security Most users do not understand Android permissions
Bad habits amp cognitive biases Most users rely on word of mouth and
star ratings
Users always proceed with the download
What Are We Up Against
Misconceptions Most users did not realize that apps were not vetted
Where Do We Start
understand the permissions
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8
Understanding the Risks The Big Gap
copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012
Most people do not realize how sensitive their phones are
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9
hellipand How Vulnerable They Arehellip
Challenge them to take quizzes
hellipor better Motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10
Phishing as An Example
Email phishing Much worse on mobile phones Mobile users are first to arrive at
phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source Trusteer Jan 2011 ndash similar
Copyright copy 2011-2012 Norman M Sadeh
Training via Mock Attacks PhishGuru
Teach people in the context they would be attacked
If a person falls for simulated phish then pop up an intervention
Unique ldquoteachable momentrdquo
Copyright copy 2011-2012 Norman M Sadeh
Select Target
Employees
Customize Fake
Phishing Email
Select Training
Internal Test and Approval Process
Hit Send
Monitor amp Analyze Employee Response
Copyright copy 2011-2012 Norman M Sadeh
This really works
Reduces the chance of falling for an attack by more than 70
Actual Results
percentage
Starting with the Most Common Threats
rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone
Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs
Learning by Doing is Critical
copy Wombat Security Technologies 2011-2012
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
P id th ith f db k
adually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
Mobile Apps
Challenge difficult to come up with full-proof rules
Train people to be suspicious amp look for possible red flags
Emphasis on Learning by doing
Feedback
Opportunities for reflection
t t
From Simple to Increasingly Realistic
copy W b S i T h l i 2011 2012
Concluding Remarks BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios ndash including mock attacks
Interactive training - Learning by doing
Start with most common risks
Training has to be part of an employeersquos daily life ndash repetition amp variations are critical
QampA
httpmcomcscmuedu
httpwombatsecuritycom
BYOD The New Frontier
48 of employees will buy their own devices ndash whether their organization approves that particular device or NOT (Forrester Research)
Blur between work life amp private life
Unrealistic policies donrsquot work ndash even if they look good
ldquoIf you canrsquot fight them join themrdquo
helliphopefully under your own termshellip
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 3
knowledgeable
accountableIs this truly possible
The Problem is thathellip
BYOD implies users who are
responsible
Do we really have a choice
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 4
Training has a Big Role to Play
hellipBut training has traditionally failed Security is a secondary task
employees are not motivated to learn
Traditional delivery methods and content have not been very compelling
Required knowledge is vast amp continues to grow
Practical strategies and tips are not always easy to articulate
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 5
Phone calls SMS camera location email apps and much more
Lack of awareness People do not think of their smart phone as a computer
Variety of devices
Mobile Security amp Privacy Training
hellipat least as complexhellip Mediates a wide range of scenarios
hellipand obviously they are mobile deviceshellip
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6
Android Permissions An Example of the Challenges We Face
P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7
of apps even though they donrsquot
Unusable security Most users do not understand Android permissions
Bad habits amp cognitive biases Most users rely on word of mouth and
star ratings
Users always proceed with the download
What Are We Up Against
Misconceptions Most users did not realize that apps were not vetted
Where Do We Start
understand the permissions
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8
Understanding the Risks The Big Gap
copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012
Most people do not realize how sensitive their phones are
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9
hellipand How Vulnerable They Arehellip
Challenge them to take quizzes
hellipor better Motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10
Phishing as An Example
Email phishing Much worse on mobile phones Mobile users are first to arrive at
phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source Trusteer Jan 2011 ndash similar
Copyright copy 2011-2012 Norman M Sadeh
Training via Mock Attacks PhishGuru
Teach people in the context they would be attacked
If a person falls for simulated phish then pop up an intervention
Unique ldquoteachable momentrdquo
Copyright copy 2011-2012 Norman M Sadeh
Select Target
Employees
Customize Fake
Phishing Email
Select Training
Internal Test and Approval Process
Hit Send
Monitor amp Analyze Employee Response
Copyright copy 2011-2012 Norman M Sadeh
This really works
Reduces the chance of falling for an attack by more than 70
Actual Results
percentage
Starting with the Most Common Threats
rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone
Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs
Learning by Doing is Critical
copy Wombat Security Technologies 2011-2012
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
P id th ith f db k
adually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
Mobile Apps
Challenge difficult to come up with full-proof rules
Train people to be suspicious amp look for possible red flags
Emphasis on Learning by doing
Feedback
Opportunities for reflection
t t
From Simple to Increasingly Realistic
copy W b S i T h l i 2011 2012
Concluding Remarks BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios ndash including mock attacks
Interactive training - Learning by doing
Start with most common risks
Training has to be part of an employeersquos daily life ndash repetition amp variations are critical
QampA
httpmcomcscmuedu
httpwombatsecuritycom
knowledgeable
accountableIs this truly possible
The Problem is thathellip
BYOD implies users who are
responsible
Do we really have a choice
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 4
Training has a Big Role to Play
hellipBut training has traditionally failed Security is a secondary task
employees are not motivated to learn
Traditional delivery methods and content have not been very compelling
Required knowledge is vast amp continues to grow
Practical strategies and tips are not always easy to articulate
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 5
Phone calls SMS camera location email apps and much more
Lack of awareness People do not think of their smart phone as a computer
Variety of devices
Mobile Security amp Privacy Training
hellipat least as complexhellip Mediates a wide range of scenarios
hellipand obviously they are mobile deviceshellip
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6
Android Permissions An Example of the Challenges We Face
P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7
of apps even though they donrsquot
Unusable security Most users do not understand Android permissions
Bad habits amp cognitive biases Most users rely on word of mouth and
star ratings
Users always proceed with the download
What Are We Up Against
Misconceptions Most users did not realize that apps were not vetted
Where Do We Start
understand the permissions
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8
Understanding the Risks The Big Gap
copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012
Most people do not realize how sensitive their phones are
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9
hellipand How Vulnerable They Arehellip
Challenge them to take quizzes
hellipor better Motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10
Phishing as An Example
Email phishing Much worse on mobile phones Mobile users are first to arrive at
phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source Trusteer Jan 2011 ndash similar
Copyright copy 2011-2012 Norman M Sadeh
Training via Mock Attacks PhishGuru
Teach people in the context they would be attacked
If a person falls for simulated phish then pop up an intervention
Unique ldquoteachable momentrdquo
Copyright copy 2011-2012 Norman M Sadeh
Select Target
Employees
Customize Fake
Phishing Email
Select Training
Internal Test and Approval Process
Hit Send
Monitor amp Analyze Employee Response
Copyright copy 2011-2012 Norman M Sadeh
This really works
Reduces the chance of falling for an attack by more than 70
Actual Results
percentage
Starting with the Most Common Threats
rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone
Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs
Learning by Doing is Critical
copy Wombat Security Technologies 2011-2012
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
P id th ith f db k
adually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
Mobile Apps
Challenge difficult to come up with full-proof rules
Train people to be suspicious amp look for possible red flags
Emphasis on Learning by doing
Feedback
Opportunities for reflection
t t
From Simple to Increasingly Realistic
copy W b S i T h l i 2011 2012
Concluding Remarks BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios ndash including mock attacks
Interactive training - Learning by doing
Start with most common risks
Training has to be part of an employeersquos daily life ndash repetition amp variations are critical
QampA
httpmcomcscmuedu
httpwombatsecuritycom
Training has a Big Role to Play
hellipBut training has traditionally failed Security is a secondary task
employees are not motivated to learn
Traditional delivery methods and content have not been very compelling
Required knowledge is vast amp continues to grow
Practical strategies and tips are not always easy to articulate
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 5
Phone calls SMS camera location email apps and much more
Lack of awareness People do not think of their smart phone as a computer
Variety of devices
Mobile Security amp Privacy Training
hellipat least as complexhellip Mediates a wide range of scenarios
hellipand obviously they are mobile deviceshellip
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6
Android Permissions An Example of the Challenges We Face
P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7
of apps even though they donrsquot
Unusable security Most users do not understand Android permissions
Bad habits amp cognitive biases Most users rely on word of mouth and
star ratings
Users always proceed with the download
What Are We Up Against
Misconceptions Most users did not realize that apps were not vetted
Where Do We Start
understand the permissions
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8
Understanding the Risks The Big Gap
copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012
Most people do not realize how sensitive their phones are
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9
hellipand How Vulnerable They Arehellip
Challenge them to take quizzes
hellipor better Motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10
Phishing as An Example
Email phishing Much worse on mobile phones Mobile users are first to arrive at
phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source Trusteer Jan 2011 ndash similar
Copyright copy 2011-2012 Norman M Sadeh
Training via Mock Attacks PhishGuru
Teach people in the context they would be attacked
If a person falls for simulated phish then pop up an intervention
Unique ldquoteachable momentrdquo
Copyright copy 2011-2012 Norman M Sadeh
Select Target
Employees
Customize Fake
Phishing Email
Select Training
Internal Test and Approval Process
Hit Send
Monitor amp Analyze Employee Response
Copyright copy 2011-2012 Norman M Sadeh
This really works
Reduces the chance of falling for an attack by more than 70
Actual Results
percentage
Starting with the Most Common Threats
rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone
Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs
Learning by Doing is Critical
copy Wombat Security Technologies 2011-2012
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
P id th ith f db k
adually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
Mobile Apps
Challenge difficult to come up with full-proof rules
Train people to be suspicious amp look for possible red flags
Emphasis on Learning by doing
Feedback
Opportunities for reflection
t t
From Simple to Increasingly Realistic
copy W b S i T h l i 2011 2012
Concluding Remarks BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios ndash including mock attacks
Interactive training - Learning by doing
Start with most common risks
Training has to be part of an employeersquos daily life ndash repetition amp variations are critical
QampA
httpmcomcscmuedu
httpwombatsecuritycom
Phone calls SMS camera location email apps and much more
Lack of awareness People do not think of their smart phone as a computer
Variety of devices
Mobile Security amp Privacy Training
hellipat least as complexhellip Mediates a wide range of scenarios
hellipand obviously they are mobile deviceshellip
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6
Android Permissions An Example of the Challenges We Face
P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7
of apps even though they donrsquot
Unusable security Most users do not understand Android permissions
Bad habits amp cognitive biases Most users rely on word of mouth and
star ratings
Users always proceed with the download
What Are We Up Against
Misconceptions Most users did not realize that apps were not vetted
Where Do We Start
understand the permissions
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8
Understanding the Risks The Big Gap
copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012
Most people do not realize how sensitive their phones are
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9
hellipand How Vulnerable They Arehellip
Challenge them to take quizzes
hellipor better Motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10
Phishing as An Example
Email phishing Much worse on mobile phones Mobile users are first to arrive at
phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source Trusteer Jan 2011 ndash similar
Copyright copy 2011-2012 Norman M Sadeh
Training via Mock Attacks PhishGuru
Teach people in the context they would be attacked
If a person falls for simulated phish then pop up an intervention
Unique ldquoteachable momentrdquo
Copyright copy 2011-2012 Norman M Sadeh
Select Target
Employees
Customize Fake
Phishing Email
Select Training
Internal Test and Approval Process
Hit Send
Monitor amp Analyze Employee Response
Copyright copy 2011-2012 Norman M Sadeh
This really works
Reduces the chance of falling for an attack by more than 70
Actual Results
percentage
Starting with the Most Common Threats
rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone
Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs
Learning by Doing is Critical
copy Wombat Security Technologies 2011-2012
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
P id th ith f db k
adually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
Mobile Apps
Challenge difficult to come up with full-proof rules
Train people to be suspicious amp look for possible red flags
Emphasis on Learning by doing
Feedback
Opportunities for reflection
t t
From Simple to Increasingly Realistic
copy W b S i T h l i 2011 2012
Concluding Remarks BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios ndash including mock attacks
Interactive training - Learning by doing
Start with most common risks
Training has to be part of an employeersquos daily life ndash repetition amp variations are critical
QampA
httpmcomcscmuedu
httpwombatsecuritycom
Android Permissions An Example of the Challenges We Face
P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7
of apps even though they donrsquot
Unusable security Most users do not understand Android permissions
Bad habits amp cognitive biases Most users rely on word of mouth and
star ratings
Users always proceed with the download
What Are We Up Against
Misconceptions Most users did not realize that apps were not vetted
Where Do We Start
understand the permissions
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8
Understanding the Risks The Big Gap
copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012
Most people do not realize how sensitive their phones are
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9
hellipand How Vulnerable They Arehellip
Challenge them to take quizzes
hellipor better Motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10
Phishing as An Example
Email phishing Much worse on mobile phones Mobile users are first to arrive at
phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source Trusteer Jan 2011 ndash similar
Copyright copy 2011-2012 Norman M Sadeh
Training via Mock Attacks PhishGuru
Teach people in the context they would be attacked
If a person falls for simulated phish then pop up an intervention
Unique ldquoteachable momentrdquo
Copyright copy 2011-2012 Norman M Sadeh
Select Target
Employees
Customize Fake
Phishing Email
Select Training
Internal Test and Approval Process
Hit Send
Monitor amp Analyze Employee Response
Copyright copy 2011-2012 Norman M Sadeh
This really works
Reduces the chance of falling for an attack by more than 70
Actual Results
percentage
Starting with the Most Common Threats
rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone
Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs
Learning by Doing is Critical
copy Wombat Security Technologies 2011-2012
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
P id th ith f db k
adually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
Mobile Apps
Challenge difficult to come up with full-proof rules
Train people to be suspicious amp look for possible red flags
Emphasis on Learning by doing
Feedback
Opportunities for reflection
t t
From Simple to Increasingly Realistic
copy W b S i T h l i 2011 2012
Concluding Remarks BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios ndash including mock attacks
Interactive training - Learning by doing
Start with most common risks
Training has to be part of an employeersquos daily life ndash repetition amp variations are critical
QampA
httpmcomcscmuedu
httpwombatsecuritycom
of apps even though they donrsquot
Unusable security Most users do not understand Android permissions
Bad habits amp cognitive biases Most users rely on word of mouth and
star ratings
Users always proceed with the download
What Are We Up Against
Misconceptions Most users did not realize that apps were not vetted
Where Do We Start
understand the permissions
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8
Understanding the Risks The Big Gap
copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012
Most people do not realize how sensitive their phones are
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9
hellipand How Vulnerable They Arehellip
Challenge them to take quizzes
hellipor better Motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10
Phishing as An Example
Email phishing Much worse on mobile phones Mobile users are first to arrive at
phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source Trusteer Jan 2011 ndash similar
Copyright copy 2011-2012 Norman M Sadeh
Training via Mock Attacks PhishGuru
Teach people in the context they would be attacked
If a person falls for simulated phish then pop up an intervention
Unique ldquoteachable momentrdquo
Copyright copy 2011-2012 Norman M Sadeh
Select Target
Employees
Customize Fake
Phishing Email
Select Training
Internal Test and Approval Process
Hit Send
Monitor amp Analyze Employee Response
Copyright copy 2011-2012 Norman M Sadeh
This really works
Reduces the chance of falling for an attack by more than 70
Actual Results
percentage
Starting with the Most Common Threats
rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone
Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs
Learning by Doing is Critical
copy Wombat Security Technologies 2011-2012
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
P id th ith f db k
adually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
Mobile Apps
Challenge difficult to come up with full-proof rules
Train people to be suspicious amp look for possible red flags
Emphasis on Learning by doing
Feedback
Opportunities for reflection
t t
From Simple to Increasingly Realistic
copy W b S i T h l i 2011 2012
Concluding Remarks BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios ndash including mock attacks
Interactive training - Learning by doing
Start with most common risks
Training has to be part of an employeersquos daily life ndash repetition amp variations are critical
QampA
httpmcomcscmuedu
httpwombatsecuritycom
Understanding the Risks: The Big Gap
© Wombat Security Technologies 2011-2012
Most people do not realize how sensitive their phones are
Copyright © 2011-2012 Norman M. Sadeh, FISSEA 2012 - 9
...and How Vulnerable They Are...
Challenge them to take quizzes
...or better: motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Phishing as an Example
Email phishing: much worse on mobile phones
Mobile users are the first to arrive at phishing websites
Mobile users are 3x more likely to submit credentials than desktop users
Source: Trusteer, Jan 2011 – similar
Training via Mock Attacks: PhishGuru
Teach people in the context in which they would be attacked
If a person falls for a simulated phish, pop up an intervention
Unique "teachable moment"
PhishGuru campaign workflow:
1. Select target employees
2. Customize the fake phishing email
3. Select the training
4. Internal test and approval process
5. Hit send
6. Monitor & analyze employee response
This really works
Reduces the chance of falling for an attack by more than 70%
Actual Results (chart; y-axis: percentage)
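The last step of the workflow above, monitoring and analyzing employee response, as an added example; this is not PhishGuru's code and not from the slides. Each recipient's simulated phishing link carries a per-campaign tracking token derived with an HMAC, so a hit can be attributed to a person but nobody can guess a colleague's token or forge hits against them; the landing page records clicks and credential submissions, a campaign is scored, and two campaigns are compared to produce the kind of reduction figure the slide reports. The campaign ids, employee ids, events, key and base URL are all constructed for illustration.

```python
"""Tracking and scoring a mock phishing campaign.

Added example for the workflow above; it is not PhishGuru's code and not
from the slides. Assumptions (all constructed for illustration): a campaign
server holds a secret key, every recipient's simulated phishing link carries
a per-campaign HMAC-derived token, the landing page records one event per
hit, and entering credentials on it ("submit") is what triggers the training
intervention.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

ACTIONS = ("click", "submit")   # submit = typed credentials into the fake page


@dataclass
class Campaign:
    campaign_id: str
    recipients: list            # employee ids chosen in "select target employees"
    key: bytes                  # server-side secret; never appears in the email
    events: list = field(default_factory=list)

    def token(self, employee_id: str) -> str:
        """Per-recipient tracking token. HMAC-derived, so a curious employee
        cannot guess a colleague's token or forge hits against them."""
        msg = f"{self.campaign_id}:{employee_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def link(self, employee_id: str,
             base: str = "https://phish-training.example.internal/go") -> str:
        """The URL placed in the fake phishing email (hypothetical host)."""
        return f"{base}?t={self.token(employee_id)}"

    def _lookup(self) -> dict:
        return {self.token(e): e for e in self.recipients}

    def record(self, token: str, action: str) -> bool:
        """Landing-page hook. Returns True when the hit maps to a recipient of
        this campaign; unknown tokens are kept for the analyst but never
        attributed to a person."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.events.append((token, action))
        return token in self._lookup()

    def analyze(self) -> dict:
        """Step 6 of the workflow: monitor and analyze employee response."""
        lookup = self._lookup()
        seen, unattributed = {}, 0
        for token, action in self.events:
            emp = lookup.get(token)
            if emp is None:
                unattributed += 1        # scanner, mistyped or forged token
            else:
                seen.setdefault(emp, set()).add(action)
        n = len(self.recipients)
        clicked = sum(bool(a & {"click", "submit"}) for a in seen.values())
        fell = sum("submit" in a for a in seen.values())
        return {
            "recipients": n,
            "clicked": clicked,
            "fell_for_it": fell,
            "click_rate": round(clicked / n, 3) if n else 0.0,
            "fall_rate": round(fell / n, 3) if n else 0.0,
            "unattributed_hits": unattributed,
            "needs_training": sorted(e for e, a in seen.items() if "submit" in a),
        }


def relative_reduction(baseline: dict, followup: dict) -> float:
    """Percent drop in the fall rate between two campaigns, the figure the
    slide quotes as 'more than 70%'."""
    if baseline["fall_rate"] == 0:
        return 0.0
    return round(100 * (1 - followup["fall_rate"] / baseline["fall_rate"]), 1)


def demo():
    """Two constructed campaigns against the same ten employees."""
    key = b"constructed-demo-key-do-not-reuse"
    staff = [f"emp{i:02d}" for i in range(10)]

    baseline = Campaign("2012-03-baseline", staff, key)
    for e in staff[:6]:                        # six click the link...
        baseline.record(baseline.token(e), "click")
    for e in staff[:4]:                        # ...four of them type credentials
        baseline.record(baseline.token(e), "submit")
    baseline.record("0" * 32, "click")         # bogus token: someone probing the URL

    followup = Campaign("2012-06-followup", staff, key)
    for e in staff[:2]:
        followup.record(followup.token(e), "click")
    followup.record(followup.token(staff[0]), "submit")

    b, f = baseline.analyze(), followup.analyze()
    return b, f, relative_reduction(b, f)


if __name__ == "__main__":
    b, f, drop = demo()
    print(f"baseline fall rate {b['fall_rate']:.0%}, follow-up {f['fall_rate']:.0%}, "
          f"reduction {drop}%; retrain: {b['needs_training']}")
```

Two design points carry over to a real deployment: the token is bound to the campaign id, so a link from one campaign cannot be replayed into a later one to skew its numbers, and a "submit" is the teachable moment, so the landing page should show the training intervention instead of storing whatever was typed.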
Starting with the Most Common Threats
Millions of cell phones are lost or stolen each year
The majority of smart phone users still do not have PINs
Source for image: http://www.malaysianwireless.com/2011/09/advice-how-to-protect-your-smartphone
Learning by Doing is Critical
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
Provide them with feedback
Gradually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
Mobile Apps
Challenge: it is difficult to come up with fool-proof rules
Train people to be suspicious & look for possible red flags
Emphasis on learning by doing, feedback, and opportunities for reflection
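One way to turn the "be suspicious, look for red flags" advice into a concrete check for the Android permissions case raised earlier in the talk, as an added example that is not from the slides or from Wombat: it parses the uses-permission entries of an app manifest and flags sensitive permissions that an app of the stated kind has no evident reason to request, with a reason a user can act on. The two manifests are constructed and the category-to-permission profiles are an assumption for illustration, not an Android or app-store rule.

```python
"""Red-flag check on an Android app's requested permissions.

Added example, not from the slides or from Wombat: it mechanizes the
"be suspicious, look for red flags" advice for the Android permissions case
from earlier in the talk. The manifests below are constructed, and the
category profiles are an assumption for illustration, not an Android or
app-store rule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that cost money or expose identity, messages, location or sensors.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send SMS, including to premium-rate numbers",
    "android.permission.READ_SMS": "can read private messages and one-time codes",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.READ_CALL_LOG": "can read call history",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location",
    "android.permission.RECORD_AUDIO": "can record through the microphone",
    "android.permission.CAMERA": "can take pictures",
}

# Assumed profiles: what an app of each kind plausibly needs. On Android of
# this era the flash LED is driven through the camera API, so CAMERA alone is
# not a red flag for a flashlight.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
    "maps": {"android.permission.ACCESS_FINE_LOCATION"},
}


def requested_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name=...> entries in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)
    return names


def red_flags(manifest_xml: str, category: str) -> list:
    """Sensitive permissions an app of the stated kind has no evident reason
    to request, each with a plain-language reason a user can act on."""
    expected = EXPECTED.get(category, set())
    return [f"{perm.rsplit('.', 1)[-1]}: {SENSITIVE[perm]}"
            for perm in sorted(requested_permissions(manifest_xml))
            if perm in SENSITIVE and perm not in expected]


# Constructed manifest: a "flashlight" that also wants contacts, SMS and location.
FLASHLIGHT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Constructed manifest: an SMS client asking for the same kind of permissions.
MESSAGING_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sms">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""


if __name__ == "__main__":
    cases = [("flashlight", FLASHLIGHT_MANIFEST, "flashlight"),
             ("sms client", MESSAGING_MANIFEST, "messaging"),
             ("same sms app, but claiming to be a flashlight", MESSAGING_MANIFEST, "flashlight")]
    for label, manifest, category in cases:
        print(f"{label}: {red_flags(manifest, category) or 'no red flags'}")
```

The third case is the slide's caveat in code: the same permission set is unremarkable for an SMS client and alarming for a flashlight, so the verdict hinges on what the app claims to be, which a malicious app controls. The check can prompt the user to ask why an app wants something; it cannot be fool-proof, which is why the slide pairs it with feedback and reflection rather than a rule to memorize.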
From Simple to Increasingly Realistic
Concluding Remarks
BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles:
Creating realistic scenarios, including mock attacks
Interactive training: learning by doing
Start with the most common risks
Training has to be part of an employee's daily life: repetition & variation are critical
Q&A
http://mcom.cs.cmu.edu
http://wombatsecurity.com