In this episode of Defrag This, Dr. Arun Vishwanath calls in to talk about his session at BlackHat and his years of research around the "people problem" of cyber security.
For instance, why do people continue to click on phishing emails even after rigorous cyber security training? You can learn more about Dr. Vishwanath's research here.
Giving your users one-size-fits-all anti-phishing training materials is like having a doctor give every patient the same pill, no matter what symptoms they’re showing. That’s why this type of training doesn’t help your users stop falling for these attacks.
Equating computer viruses to healthcare issues isn’t new. Malware, ransomware, and their assorted friends can all be compared to a disease that cyber security and IT professionals need to cure.
Following that line of thought, users are like the immune system. Nine times out of ten, a user falling for a phishing attack is what lets the more insidious disease into the system. They are the first line of defense in preventing the spread of viruses.
The problem with that is, just as an unhealthy immune system makes it easier to get sick, an uneducated user can weaken your cyber defenses. But how do you educate users effectively so they don’t fall for every phishing scam that comes their way?
To answer that, let’s look at the phishing problem, the current faulty solution, and a solution that actually works.
In the beginning, phishing attacks were largely ignored. No one really paid much attention even as the attacks became more targeted and more sophisticated. Then, over time, the attacks stopped being merely junk mail or spam that was easily filtered out and ignored.
Large organizations with money to spend and assets to protect started taking more notice. Now most companies have some level of anti-phishing training for their employees.
Thousands of dollars are spent on cyber security training each year, yet users keep falling for the same tricks again and again. This is costly for companies twice over: the money spent on training is apparently wasted, and when that training fails there is the further expense of eradicating the virus from the system.
So, what’s the deal? Are the users just ignoring the training?
Well, not exactly. Let’s look at how training is currently trying to solve the phishing issue to get a better idea of why it isn’t working so well.
The Current (Faulty) Solution
Have you ever been to a doctor who prescribes you medication without even finding out what your symptoms are?
Of course not. That would be unprofessional and reckless.
But that’s exactly what many IT professionals are doing when they produce anti-phishing training materials. They seem to believe that simply telling users what to look for will solve all the problems. And when it doesn’t work, they tend to blame the users.
Another piece of the problem is that most users already think they’re great at recognizing potential phishing attacks. Training materials might be skimmed through or ignored completely because the users already believe they know what they’re doing.
Alternatively, the training materials might be so technical that the user tunes out, believing they will never need this information for their position.
Then there are the training programs that will send an email to test whether or not users are following the advice they’ve been given. Yet, that just creates another issue.
These “gotcha” style exams often serve only to shame the people who fail, and that’s not helpful. The goal is to help people recognize risky emails, not embarrass them into never wanting to check their inbox.
Does this mean that current anti-phishing training doesn’t work at all? No, but it is important to recognize that the training programs aren’t working as well as most people like to think, nor as well as they could.
The (Better) Solution
So how do we make better training programs that actually teach users what they think they already know but clearly don’t?
To start, we need to understand why people fall for phishing scams. There is a certain amount of psychology behind why phishing scams persist and have even become a greater issue over time.
If you can understand the user and the handful of reasons why they click on suspicious links, you’ll be much closer to figuring out how to get them to stop. Going back to the doctor analogy, once you know what the symptoms are, you can prescribe meds that will actually cure the disease.
One method proposed by Arun Vishwanath, associate professor at the State University of New York at Buffalo, involves giving users surveys to create risk scores. These scores are measurements that help with diagnosis. The survey looks at three things: suspicion, cognition, and automaticity (SCAM).
For instance, how suspicious of a bad link is the person? Do they even know what they’re looking for at the most basic level?
Are they using cognitive thought to decide whether or not to click on the link or reply to the email? And if so, is it actually logical thought, or is the user following a strange rule that they made up for themselves, like believing that one device is more secure than another?
Finally, are they operating on automaticity? These are the habitual patterns of behavior that people repeat until they are on autopilot.
You can find more about this topic and other cyber security issues on Arun Vishwanath’s website.
If computer viruses are a disease, your users are the immune system that can either keep the disease out or let it wreak havoc on the whole system.
But users, like immune systems, don’t do well with one-size-fits-all solutions. How one person learns not to click the bad link may not work for the next person. By learning how your users think and why they fall for phishing scams, you can create anti-phishing training that actually works.
This post is based on an interview with Arun Vishwanath, a cyber security expert and associate professor at the State University of New York at Buffalo.
You can find this interview and many more by subscribing to Defrag This. Listen to the episode that this post was based on here.