1 Introduction

This paper discusses a practical approach to cyber security education, training and awareness.

This approach is based on a human-activity perspective, drawing on cognitive psychology, human factors, criminal psychology and related fields.

Security psychology is defined here as the research and practice concerned with the human side of security, mainly in the areas of cyber security, human factors, and the security management of organizations.

Security education, training, and awareness within security psychology are divided into two areas, namely social engineering and CSEAT.

Figure 1 gives a bird's-eye view of security psychology.

Fig. 1. Bird's-eye view of security psychology

Social engineering is already covered by practitioners' books, hands-on education and training, and research papers [1, 2].

CSEAT, as defined in this paper, is a comprehensive education, training and awareness system that targets not only individual users but also education and training at the level of the organization.

2 Essential Knowledge of Security Training

It is important to clarify what is to be protected, and to think about the risks to those assets.

2.1 Definition of Information Assets

Information assets are classified into the following four groups [3].

  • People are those who are vital to the expected operation and performance of the service. People may be internal or external to the organization.

  • Information is any information or data, on any medium, including paper and electronic form.

  • Technology describes any technology component or asset that supports or automates a service and enables it to accomplish its mission. Some technologies are specific to a service (such as an application system) and others are shared across the organization (such as the enterprise-wide network infrastructure).

  • Facilities are the places where services are executed; they can be owned and controlled by the organization or by external business partners.

In general, any of these information assets may be targeted by attackers, and many cyber-attacks exploit findings from psychology and behavioral science as well as technical knowledge.

2.2 Security Incident

One security survey [4] shows that the top four incident patterns, which together account for nearly 90% of all incidents, all involve people (Fig. 2).

Fig. 2. Over 90% of incidents are related to humans

Also, in July 2002, Howard Schmidt, then vice chairman of the President's Critical Infrastructure Protection Board, spoke about cyber security issues in an interview:

Q: What kinds of technology will be needed to stave off electronic attacks? Do we need bigger anti-virus programs?

A: The common misconception is this is a technology issue. But it’s not a technology issue. For example, the DOD did an analysis last year and it’s somewhere in the high 90s, like 97 [percent] to 98% of things that have hit the DOD systems have been the result not of some new piece of technology but exploitation of people that have not had processes in place to install patches or to configure their systems properly.

Kevin Mitnick, a renowned social engineer, wrote in his book:

As noted security consultant Bruce Schneier puts it, “Security is not a product, it’s a process.” Moreover, security is not a technology problem - it’s a people and management problem.

3 Practical Security Training for End-Users

3.1 Training Background

Private information about a woman who was stalked and killed by her former boyfriend a year earlier is thought to have been leaked by a local government in Japan.

Senior officials of the firm involved are suspected of obtaining her address from the local government within hours of receiving the request and passing it to the detective agency.

The detective appears to have used elicitation, a technique for discreetly gathering information from a target [5].

In response to this incident, a three-hour training session was conducted for the staff of a local government, with 37 participants.

3.2 Contents of the Training

The outline of the training was as follows:

  • The importance of confirmation (Fig. 3A)

  • The importance of experience (Fig. 3B)

  • How to memorize (Fig. 3C)

  • Human element: the importance of organizing communication

  • CRM: Crew Resource Management [6]

  • TeamSTEPPS

  • The invisible gorilla (inattentional blindness)

Fig. 3. The importance of confirmation (A); the importance of experience (B); how to memorize (C)

3.3 Results of the Training

The results of the training were as follows:

  • Almost all attendees were satisfied.

  • The questionnaire was administered immediately after the training (Fig. 4).

Fig. 4. Evaluation of the training

4 Conclusion

This education and training approach can be applied to other kinds of security incidents.

Municipal officials in Japan are said to be severe evaluators, but the evaluation on this occasion was relatively good.

Since the questionnaire was administered immediately after the training, it has not yet been verified whether the training will prove useful when an actual incident occurs.