Skip The Words - Give Me Videos
Do you know that smoking causes cancer? Specifically smoking behavior is found to be highly correlated with cancer. Experts over the years have gained a good understanding about the various mechanisms that initiates cancerous growth. However what you need to know is, "Don't Smoke".
Take the same approach to computer security. Give straight-forward warnings. Tell simple stories. Use context to give people warnings when they need them. More details on how to instrument this approach are available at UsableSecurity.net
Here is the common approach to warnings:
Here is the computer science approach to smoking warnings.
Communication should focus on the ability to mitigate or avoid a risk, not the details of the risk.
You are welcome to use these vidoes and images for your own warnings and training. Please do let us know when you do so, and if you have feedback we would love to hear it.
Short Form Videos Using Mental Models
Current projects include vishing, spear phishing, whaling, smishing (call the IT hotline!); USBs (don't touch that port!), and various forms of malware including fake apps (verify!), and malicious scipts.
We also have a demonstration project on creating stronger passwords and encouraing their use in specific contexts. Our video for that will follow our experimental evaluation.
Password reuse modeled as unhealthy germ-accepting toothbrush resue.Using an unknown USB modeled as unclear food.
Anti-smishing modeling smishing compliance as insane compliance.
Each of these have been tested in pilots, and shown to increase understanding of how to mitigate online risks.
Long Form Videos Access control - http://www.youtube.com/watch?v=F9m6A4gWKX8
Here we use the metaphor of inviting an unexpected visitor into your home, as opposed to keeping them on the porch, to encourage individuals not to download potentially dangerous malware.
Keylogger - http://www.youtube.com/watch?v=6zHJoZqrCB0
This video makes phishing something that hits home. This video is unqiue in that is was used is a wide-scale study and illustrated significant increas in risk awareness in a population representative of elders in the US.
Phishing - http://www.youtube.com/watch?v=4ZQ9pFTCdy4
We are currently updating this video for the workplace.
Patching is a more complicated challenge. Here is our long-form video for patching. If you choose to shorten it, under the Creative Commons license, please send the shortened version back to host here. This is a link to the mp4.
MP4 of the larger Patching Video as the uncompressed version is quite large indeed.
We have a long-term agenda for creating and testing videos for risk awareness. Please contact Jean Camp.
We are implementing a human-centered extension based on the concept of contexts: work, banking, play, etc. This extension provides warnings only when individuals are actually taking the risk. We combine user click traces, group histories and cyptographic analysis of certificates to identify risky situations. Our team is looking for a partner with whom we will customize and then test our DHS-funded open-source software.
In addition, we have a prototype for encouraging the use of stronger passwords, and making it more difficult to comply with various social engineering attacks. If you would like a preview of this work, please contact info@cognitivesecurity.net.
The videos require only a reference for use under the Creative Commons license. To use please reference one of these for basic theory, construction of a mental models system to use these, or proof of efficacy of videos (respectively).
V. Garg, and L. Jean Camp, Heuristics and Biases: Implications for Security Design
, IEEE Technology & Society, Mar. 2013.
or
J. Blythe & L. Jean Camp, Implementing Mental Models
, Semantic Computing and Security, An IEEE Symposium on Security and Privacy (SP) Workshop (San Francisco, CA) 24 May 2012.
or
Vaibhav Garg, L Jean Camp and Kay Connelly, Risk Communication Design: Video vs. Text
, PETS (Vigo, Spain) 11-13 July 2012.