Abstract
Social engineering, which attacks human psychological weaknesses, is becoming mainstream. Attackers and their methods have long been documented as countermeasures for individuals. However, we need comprehensive defense methods that cover both individuals and the organization. I propose “security psychology” and believe that Sun Tzu’s maxim “know the enemy and know thyself” is central to it. The “know the enemy” part is almost the same as social engineering, so I focus on the “know thyself” part and consider it here. I also describe the results of a training course on “knowing thyself”.
1 Introduction
This paper discusses a practical approach to cyber security education, training and awareness.
This approach is based on a human-activity perspective, that is, the perspectives of cognitive psychology, human factors, criminal psychology, and so on.
Security psychology is defined as research and practice based on the human side of security, mainly in cyber security, human factors, and the security management of organizations.
Security education, training, and awareness in security psychology are divided into two areas, namely social engineering and CSEAT.
Figure 1 is a bird’s-eye view of security psychology.
Social engineering has practical books by social engineers, hands-on education and training, and research papers [1, 2].
CSEAT is defined in this paper as a comprehensive education, training and awareness system that targets not only individual users but also education and training designed for organizations.
2 Essential Knowledge of Security Training
It is important to clarify what to protect and to think about the risks to the assets being protected.
2.1 Definition of Information Assets
The following are the definitions of information assets, which are classified into four groups [3].
- People are those who are vital to the expected operation and performance of the service. People may be internal or external to the organization.
- Information is any information or data, on any media, including paper or electronic form.
- Technology describes any technology component or asset that supports or automates a service and facilitates its ability to accomplish its mission. Some technologies are specific to a service (such as an application system) and others are shared by the organization (such as the enterprise-wide network infrastructure).
- Facilities are the places where services are executed; they can be owned and controlled by the organization or by external business partners.
In general, any of these information assets may be targeted by attackers, and many cyber-attacks use findings from psychology and behavioral science as well as technical knowledge.
2.2 Security Incident
One security survey shows that the top four incident patterns, which account for nearly 90% of all incidents, are people-related (Fig. 2) [4].
Also, in July 2002, Howard Schmidt, vice chairman of the President’s Critical Infrastructure Protection Board, spoke about cyber security issues:
Q: What kinds of technology will be needed to stave off electronic attacks? Do we need bigger anti-virus programs?
A: The common misconception is this is a technology issue. But it’s not a technology issue. For example, the DOD did an analysis last year and it’s somewhere in the high 90s, like 97 [percent] to 98% of things that have hit the DOD systems have been the result not of some new piece of technology but exploitation of people that have not had processes in place to install patches or to configure their systems properly.
Kevin Mitnick, a most accomplished social engineer, wrote in his book:
As noted security consultant Bruce Schneier puts it, “Security is not a product, it’s a process.” Moreover, security is not a technology problem - it’s a people and management problem.
3 Practical Security Training for End-Users
3.1 Training Background
Private information about a woman who was stalked and killed by her former boyfriend a year earlier is thought to have been leaked by a local government in Japan.
Senior officials of the firm are suspected of obtaining her address from the local government within hours of receiving the request and passing it to the detective agency.
It seems that the detective used elicitation, a technique for discreetly gathering information [5].
Following this incident, a three-hour training session was conducted for the staff of a local government, with 37 participants.
3.2 Contents of the Training
The outline of the training is as follows:
- The importance of confirmation (Fig. 3A)
- The importance of experience (Fig. 3B)
- How to memorize (Fig. 3C)
- Human element: the importance of organizing communication
- CRM: Crew Resource Management [6]
- TeamSTEPPS
- The invisible gorilla
3.3 Results of the Training
The results of the training were as follows:
- Almost all attendees were satisfied.
- The questionnaire was administered immediately after the training (Fig. 4).
4 Conclusion
This education/training can also be applied to other kinds of security incidents.
It is said that municipal officials in Japan evaluate training severely, but the result this time was a relatively good evaluation.
Since the questionnaire was administered immediately after the training, it has not yet been verified whether the training will be useful when an actual incident occurs.
References
1. Christopher, H.: Social Engineering: The Art of Human Hacking. Wiley, Hoboken (2010)
2. Mitnick, K.D.: The Art of Deception: Controlling the Human Element of Security. Wiley, Hoboken (2003)
3. Caralli, R.A., et al.: CERT Resilience Management Model, version 1.0, pp. 4–5. Software Engineering Institute, Carnegie Mellon University, Pittsburgh (2010)
4. Verizon: 2015 Data Breach Investigations Report (2015). http://www.verizon.com/about/news/2015-data-breach-report-info/
5. Federal Bureau of Investigation: Elicitation. https://www.fbi.gov/file-repository/elicitation-brochure.pdf/view
6. Crew Resource Management. http://www.crewresourcemanagement.net/
7. Agency for Healthcare Research & Quality: TeamSTEPPS. https://www.ahrq.gov/teamstepps/index.html
8. The Invisible Gorilla. http://www.theinvisiblegorilla.com/videos.html
© 2017 Springer International Publishing AG
Uchida, K. (2017). Establish Security Psychology – How to Educate and Training for End Users. In: Stephanidis, C. (eds) HCI International 2017 – Posters' Extended Abstracts. HCI 2017. Communications in Computer and Information Science, vol 714. Springer, Cham. https://doi.org/10.1007/978-3-319-58753-0_92
DOI: https://doi.org/10.1007/978-3-319-58753-0_92
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-58752-3
Online ISBN: 978-3-319-58753-0