Arun Vishwanath, Ph.D., MBA
Associate Professor
http://arunvishwanath.us

I study how hackers, cyber terrorists, hacktivists enter and compromise networks

The proverbial “people problem” of cyber security

Unintentional Insiders
[Diagram labels: Brute Force Hacking; Spear phishing; Habits; Cognitive Processing; Personality; Employee; Organizational Email Provider; External Email Provider; Defended; Unsecured Interaction; Vulnerable]

Data breaches keep getting bigger…
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breacheshacks/

Spear phishing is the attack vector of choice
Impacted every industry
Perpetrated by State and Nonstate Sponsors

YOU ARE THE WEAKEST LINK IN CYBERSPACE

Approaches to dealing with the “people problem”
Firewalls, antivirus; Whitelisting approaches
EMET; Constrain access/admin privileges
How realistic is this…

Human factors approach: Cyber security training
1. “Phish” people simulations
2. Show them why they fell for it
3. Keep telling them to shape up
4. Admiral Mike Rogers: “We should court-martial them!”

The PEOPLE PROBLEM
The Problem is NOT the People
It is in our UNDERSTANDING of PEOPLE

We have developed a human factors model that explains how people think, act, behave online, and why.
Suspicion, Cognition, Automaticity Model (SCAM) (Vishwanath, Harrison, & Ng, 2016)

SCAM explains how users think:
Scrooge: I am a cognitive miser
I use cognitive shortcuts a.k.a. Heuristics

SCAM explains what users believe: Cyber Risk Beliefs
WHAT IS SAFER:
• PDF vs. Word Document
• OS X vs. Windows
• iOS vs. Android
• Chrome vs. Safari
• Google Fiber vs. Free wi-fi
• Browser based email access vs. using an email client

SCAM explains the role of habits and devices
Habits
Ritualistically checking email
Texting while talking, walking, driving
Entering login, password, authentication credentials
Smartphones, smart watches… not so smart people
Thanks Apple and Google!

Suspicion, Cognition, Automaticity Model (SCAM) (Vishwanath, Harrison, & Ng, 2014)
[Model diagram labels: Heuristic Processing; Systematic Processing; Suspicion; Cyber Risk Beliefs; Victimization; Personality, Work Routines, Patterns; Work/Email Habits]
© Arun Vishwanath

Leveraging the understanding of people
Develop a Cyber Risk Index (CRI)
An empirical data driven approach
Uses a short, 40 question self-report survey
Can be done within existing “red-team” simulations
Like credit rating, it can be aggregated across division, organizations, sectors

Deciding who gets trained and how:
[Flowchart: faulty cyber risk beliefs? Yes: Belief Change. No: poor heuristics? Yes: Better Heuristics. No: systematic processing inadequate? Yes: Education. No: bad habits? Yes: Habit Change.]

Deciding who gets access:
Current system of providing access is based on organizational role and status
Use CRI to identify individual risk levels and changes in risk behavior over time
This becomes a quantitative score of INDIVIDUAL CYBER HYGIENE

References to published research and writings:

Selected pieces in CNN
Why the cyber attacks keep coming: http://www.cnn.com/2015/06/08/opinions/vishwanath-stoppinghacking/
Why we need a cyber wall: http://www.cnn.com/2016/05/02/opinions/build-cyber-wallvishwanath/index.html
When hackers turn your lights off: http://www.cnn.com/2016/02/11/opinions/cyber-infrastructureattacks-vishwanath/

Selected Academic Research
Vishwanath, A., Harrison, B., & Ng, Y. J. (2016). Suspicion, Cognition, Automaticity Model (SCAM) of Phishing Susceptibility. Communication Research.
Vishwanath, A. (2016). Mobile Device Affordance: Explicating How Smartphones Influence The Outcome Of Phishing Attacks. Computers in Human Behavior.
Vishwanath, A. (2015). Habitual Facebook Use and its Impact on Getting Deceived on Social Media. Journal of Computer-Mediated Communication, 20(1), 83-98.

Contact Information
Arun Vishwanath, Ph.D., MBA
Email: [email protected]
Web: http://arunvishwanath.us
Mobile: 716.508.0192