How People Learn about Computer Security
Interesting research: “Identifying patterns in informal sources of security information,” by Emilee Rader and Rick Wash, Journal of Cybersecurity, 1 Dec 2015.
Abstract: Computer users have access to computer security information from many different sources, but few people receive explicit computer security training. Despite this lack of formal education, users regularly make many important security decisions, such as “Should I click on this potentially shady link?” or “Should I enter my password into this form?” For these decisions, much knowledge comes from incidental and informal learning. To better understand differences in the security-related information available to users for such learning, we compared three informal sources of computer security information: news articles, web pages containing computer security advice, and stories about the experiences of friends and family. Using a Latent Dirichlet Allocation topic model, we found that security information from peers usually focuses on who conducts attacks, information containing expertise focuses instead on how attacks are conducted, and information from the news focuses on the consequences of attacks. These differences may prevent users from understanding the persistence and frequency of seemingly mundane threats (viruses, phishing), or from associating protective measures with the generalized threats the users are concerned about (hackers). Our findings highlight the potential for sources of informal security education to create patterns in user knowledge that affect their ability to make good security decisions.
Artur Marek Maciag • December 10, 2015 8:04 AM
Hello,
thank you very much for focusing on that aspect. My personal and professional experience are the same as they findings.
I’m as a lot of others IS officers/administrators/analysts involved in hopeless struggle with regular users and external regulations/good practices. All is about education/awareness/training. Nothing new.
After series of interesting discussions among members of Technology Risk and Information Security Wroclaw forum (we are almost all are from Poland, but represents all the market segments), we create the Initiative, which focuses on four fundamentals:
a) human – is user centric -human is the source and main consumer of data
b) information – is free – we use creative commons SA, BY licence
c) conversation -emphasises conversation as main tool for humans interaction
d) safety – highlights the aspect of safety of daily activities and routines
All of them equally impact our culture, which needed to be altering to catch up the modern communication, like ‘savoire vivre’.
Initiative rely on existing sources: news, blogs, social media networks, articles, infographics, courses and anything accessible on-line with public and free access.
What we do with that content? We classify it against our taxonomy. Create the “database” -heart of the Initiative – Knowledge Vault.
Based on that KV we create the Knowledge Paths – subsets of articles with common topic, difficulty level, hashtags and give it to the users as “additional resources” – resourceful materials for learning on specific topic.
Some of KV URL-s direct to knowledge about threats, in form of reports or analysis -they are sources of (or for if there is lack of it) intrusion kill chain analysis. Based on that model we create scenario from up to 5 scenes about that threat. Scenes reflect various stages of intrusion kill chain analysis fining, and are used for validation of user knowledge or “feel&sense” of security (or limited trust in most of cases). We do it by describing the scene and asking question with 4 answers – only one is the best one.
If user succeed to defend the company/home/device -will be rewarded with certificate/badge (internal) about relevant Knowledge Path. That element we call Knowledge Path Certification.
In the context of what you can do when you apply the classification to the news stream, possibilities are many. We use following one:
a) knowledge pathes
b) extracting IOC for awareness, certification and monitoring of infrastructure
c) news digest (list of URLs to the original media)
d) security tips communication
All of that is in line with recent framework Cyber Intelligence Tradecraft Project released by Carnegie Mellon University SEI Emerging Technology Center (http://www.sei.cmu.edu/about/organization/etc/citp.cfm). This could be viewed as CyberInteligence in the Data Gathering, Functional Analysis and Strategic Analysis functions.
Currently our Initiative is supported by our community and can be reviewed here:
Users ready materials:
Elementary (security 101): https://prezi.com/zkrdursavbgu/
Knowledge Path (example): https://plus.google.com/collection/klKHFB
Presentation about: https://prezi.com/zu9r103hfo_4/ https://prezi.com/hr1bwqzpgq4v/
Supporters and researchers materials:
ECOSYSTEM FULL (PNG): https://goo.gl/Tuhv1s
ECOSYSTEM STORY (PNG): https://goo.gl/fxTyCk
ECOSYSTEM INSIDE SCI (PNG): https://goo.gl/jKz5UP
ECOSYSTEM FILE (www.draw.io): https://goo.gl/4fQDpW
Knowledge Vault:
https://goo.gl/I7aZDd (file)
https://goo.gl/Swy3yp (web)
LinkedIn group:
https://www.linkedin.com/grp/post/6706076-6054292104832643075?goback=%2Egna_6706076
How anyone is welcome to support our initiative?
a) without any security background- talk about it, consume the media, learn and share you knowledge, comment, contact us if you have idea how to grown the Safety Culture better
b) if you have security background, you can do anything what anyone can, and you can support us with your feedback, validation of our content, approach, media coverage or anything you find useful for increasing the common safety posture of any user
c) if you are security media creator (blogger, article author, foundation or any organization) you can help us with a) and b) or do more: prepare your content to be automated harvested, added and classified with using tags in the rss channel, or any other way you find helpful.
You can contact us by:
a) facebook: https://www.facebook.com/Inicjatywa-Kultury-Bezpiecze%C5%84stwa-1478638835779103/?ref=ts&fref=ts
b) google+: https://plus.google.com/113159177017352022631
c) linkedIn: https://www.linkedin.com/grp/home?gid=6706076
Or me.
Let’s change the cyberspace into more safe place.