Towards Understanding Security Education

Markus Jakobsson (Markus.Jakobsson@parc.com)

This note argues that security education is not as straightforward as many of us might have thought. At the same time, we suggest that by approaching things in a different way than has traditionally been done, we can hope for a much better impact from the efforts. We describe an approach for determining how to address a given problem, based on user experiments, surveys, statistics, reported incidence rates and economic aspects. A full paper is in the process of being produced; contact the author for more information or for advice on how to practically apply the techniques described herein.

It is the lifeblood of scientists to hypothesize, measure and evaluate. All established sciences do, computer science and the social sciences not being exceptions. But the intersection of these two sciences, as embodied by anti-fraud education, has not reached that level of maturity yet. Institutions with a need to educate their clients do not have clear motivations backing their educational campaigns. Little effort is spent on evaluating the success of the campaigns, and campaigns are hardly ever tested before being deployed.

The lack of measurements is not due to a disagreement that knowledge is beneficial. Rather, measuring is very difficult, and is fraught with pitfalls. For example, one cannot ask a person "Have you been a victim to fraud?" without having to worry that the confrontational style associated with the stigma of victimization makes him or her answer "no" even if that is not the truthful answer. (See http://portal.acm.org/citation.cfm?doid=1290958.1290968 for evidence that stigma substantially affects the results of surveys.)
Moreover, it has not been evident how the outcome of the measurements should best guide the educational efforts.

Example of a survey pitfall: Our experiments show that 83% of people who were asked "Have you been a victim to fraud?" select the answer "No, I am very cautious to avoid being tricked." In contrast, if the person is first told "Online crime is rampant." (to suggest that they are not the only one to potentially have lost money), followed by the question "Based on your own experience with online fraud, do you think that users like you might lose money to online criminals?", then only 35% of them select the answer "No, crime is not a big concern to me and users like me." While one may argue that the two questions measure slightly different phenomena, the very different outcomes still serve to highlight the importance of formulation.

The above example does not mean that we believe that surveys are not meaningful, but it does say that special care has to be taken when designing the questions. The design, ultimately, should be informed by knowledge of actual fraud rates (which may be difficult to obtain) or by naturalistic experiments, also referred to as sting experiments. Such experiments, which can be thought of as ethical versions of real fraud incidents, have the benefit of reporting the truth, at least when performed correctly. (An added benefit of using naturalistic experiments in comparison to observing real incidence rates is that naturalistic experiments allow us to assess the risk associated with abuse types that have not yet become prevalent threats.) Thus, knowledge of the correct answer, whether obtained by observing incidence rates or by experimenting, can be used to fine-tune how survey questions are designed; this design can then be extended to topics and demographics where no naturalistic experiments have been or can be performed.

Performing naturalistic experiments is not trivial.
Apart from requiring technical and social insights, it also poses both ethical and branding dilemmas. We refer to http://www2.computer.org/portal/web/csdl/doi/10.1109/MSP.2008.52 for an overview of the former; the latter problem corresponds to the understandable unwillingness of the affected brands to taint themselves by performing experiments that look like fraud to their users. It is possible to largely avoid this problem by having the research done by third parties (see e.g. http://portal.acm.org/citation.cfm?id=1135853), by performing the experiment in controlled environments, or by performing the experiment using a hypothetical brand, although the latter two could affect the correctness of the outcome if care is not taken.

Measuring education. There are several things worth measuring. The first and most obvious is the need for education for a given type of fraud and a particular demographic group. This is a measure of how well people understand what to do to avoid being victimized. If we compute the ratio between needed education and the known losses for various topics, we can then see what topics are most important to educate consumers about. (This can be done from the perspective of a given organization or of society as such.) Such a normalized measurement helps us identify where educational efforts have the greatest potential of making a difference in terms of losses.

Example: phishing vs. Nigerian scams. Without going into details of how the numbers below were derived, or even what they mean, let's look at an example of how to identify what educational campaign is most needed.
In one large-scale study run by the author of this note, subjects were determined to have an understanding of how to avoid Nigerian scams estimated at 267, and an understanding of how to avoid phishing estimated at 230 (where a larger number means a better understanding). The losses from these two crimes to the collection of organizations considered were 0.57 and 1.44, respectively. This results in education-to-losses ratios of 470 and 160, respectively. This approach normalizes the degree of education to the observed losses, and tells us that people understand how to defend themselves against Nigerian scams much better than against phishing, relative to the need for them to have this understanding. This may not be a surprise given the nature of the defenses against the two attacks, but the principle helps us identify such relations for problems where this is much less clear a priori.

Measuring perceived education. The degree of existing education is not the only important aspect to quantify. It is also important to measure the perceived need for education, that is, the degree to which a given group believes they need (vs. do not need) education about a given topic. If there is a large need for education on how to deal with a given problem, but very little perceived need for the same, then it will be difficult to make the target group pay attention to the efforts to educate them. Using a similar approach to the example above, we can rank topics by their perceived need for education, normalized by the actual estimated needs for education and the losses. This shows us a small perceived need for education on lost pet scams (a type of fraud in which a criminal reports to have found a lost pet, and asks for a payment to ship it from where he supposedly is located), and a much greater perceived need for knowledge of how to deal with malware. This is in spite of the fact that many consumers think that having AV software, whether with an active subscription or not, is sufficient to be protected.
Again, while this result may not be surprising, being able to rank all threats allows us a comparison of closely related threats.

Measuring awareness. A third important aspect to measure is the degree of awareness a target group has of a given type of fraud. We note that it is much less expensive to mount an awareness campaign than an educational campaign. Awareness campaigns can be used to increase the perceived need for education, and may sometimes suffice by themselves to address the problem. An easily described example of such a situation is the typical warning about pickpockets in a crowded market: this is an awareness campaign with no need for an associated educational campaign, since the target audience already knows what it means to be careful. For many other types of crime, and online fraud in particular, this may not be the case. If a given topic needs improved education, but there is a very small perceived need for this, an awareness campaign may be a first step towards educating consumers. Continuing our example from above, we can see that among the types of fraud considered in our study, the problem that most deserves attention in the form of an awareness campaign (again, normalized by losses) is auction fraud, while the topic with the least need is the Nigerian scam. This makes intuitive sense given how often people see Nigerian spam in their mailboxes, while attempts at auction fraud might not be as easy to spot for average consumers.

Understanding costs and making decisions. It is important to consider the costs of a given type of fraud, along with the cost and anticipated impact of the appropriate campaign to address the problem. Given estimates of these, and of all of the previously described quantities, it is possible to rank all the types of fraud in terms of their relative needs to be addressed using educational campaigns and awareness campaigns. When we have this ranking, we can determine how to proceed.
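As an added illustration (this is not code from the note or from the author's study), the two rankings described above can be computed as follows. The understanding and loss figures for Nigerian scams and phishing are the ones quoted in the note; the perceived-need values and the entire auction-fraud row are constructed placeholders, and the normalization used for perceived need (actual need taken as losses divided by understanding, the inverse of the education-to-losses ratio) is an assumption of this example, since the note does not spell one out.

```python
"""Rank fraud types by where education and awareness campaigns have the
most leverage.  Added example; not code from the original note.

The note defines the education-to-losses ratio as a group's measured
understanding of how to avoid a fraud type divided by the losses that fraud
causes, and ranks perceived need for education "normalized by the actual
estimated needs for education and the losses".  The exact normalization is
not given in the note; the one below (actual need = losses / understanding)
is an assumption of this example.
"""
from dataclasses import dataclass
from math import floor, log10


@dataclass(frozen=True)
class FraudTopic:
    name: str
    understanding: float   # measured understanding of how to avoid it (higher is better)
    losses: float          # observed losses, in the units used by the note
    perceived_need: float  # share of the group that says it needs education (0..1)


def round_sig(x: float, sig: int = 2) -> float:
    """Round to `sig` significant figures, as the note reports its ratios."""
    if x == 0:
        return 0.0
    return round(x, sig - 1 - floor(log10(abs(x))))


def education_to_losses(t: FraudTopic) -> float:
    """Understanding normalized by losses. Low values mark topics where
    education has the most potential to reduce losses."""
    return t.understanding / t.losses


def actual_need(t: FraudTopic) -> float:
    """Assumed model: the need for education grows with losses and falls
    with existing understanding, i.e. the inverse of the ratio above."""
    return t.losses / t.understanding


def perception_gap(t: FraudTopic) -> float:
    """Perceived need relative to actual need. Small values flag topics
    where people do not feel a need that the numbers say exists, so an
    awareness campaign should come before an educational one."""
    return t.perceived_need / actual_need(t)


def rank_for_education(topics):
    """Topic names ordered by how badly education is needed, most needed first."""
    return [t.name for t in sorted(topics, key=education_to_losses)]


def rank_for_awareness(topics):
    """Topic names ordered by perception gap, largest gap (smallest value) first."""
    return [t.name for t in sorted(topics, key=perception_gap)]


# Understanding and loss figures for the first two rows are the ones quoted
# in the note; every perceived_need value and the whole auction-fraud row are
# constructed placeholders for this example, not study results.
TOPICS = [
    FraudTopic("Nigerian scam", understanding=267, losses=0.57, perceived_need=0.30),
    FraudTopic("phishing", understanding=230, losses=1.44, perceived_need=0.60),
    FraudTopic("auction fraud", understanding=150, losses=1.10, perceived_need=0.15),
]

if __name__ == "__main__":
    for t in TOPICS:
        print(f"{t.name:14s} education/losses = {round_sig(education_to_losses(t)):>6}")
    print("education priority:", rank_for_education(TOPICS))
    print("awareness priority:", rank_for_awareness(TOPICS))
```

With the note's figures the first two ratios come out as 470 and 160 after rounding to two significant figures, matching the text; the rankings for the constructed rows only show the mechanics, and any real use would substitute measured values and revisit the normalization.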
The same rankings can be used to identify what technical strategies to prioritize as well. The beauty of our approach is that it allows us to develop strategies for hypothetical scenarios based on measurements of how consumers would be likely to react to a given threat, were it to start being commonplace.

Why imperfection is not a show-stopper. One may argue that the estimates one may base the strategy decisions on are not entirely accurate, and depend intrinsically on how we assign numeric values to opinions and expressions of these. Similarly, while the functions involved in computing the ranking most certainly are monotonic, there is no clear evidence that they are linear functions. While this suggests the need for further refinements, it does not mean that it is not useful to compute such rankings based on simple models of relationships: the alternative is to base a decision of what to do without considering these measures at all, clearly a less desirable strategy.

Author bio: Dr. Markus Jakobsson is a Principal Scientist at PARC, and a member of the PARC security group. He also runs a consulting company aimed at improving security education, and serves on the advisory boards of several organizations concerned with fraud. While he is perhaps best known for his research on phishing and crimeware, he has also made significant contributions to online payment schemes, applied security, security education, and privacy-preserving cryptographic protocols. Markus believes in taking a holistic approach to security, in which everything is measured, modeled and considered in the final design. This belief has compelled him to study the human aspect of security, and has guided his work on phishing, crimeware, user authentication, and user messaging. Before joining PARC, Markus held positions at Bell Labs, RSA Labs, New York University, Indiana University, and RavenWhite, the anti-fraud startup that he co-founded.
He holds over 100 patents and has published two books and over a hundred papers. He has a PhD in Computer Science from the University of California at San Diego, a Master's degree in engineering from Lund Institute of Technology, and a Scottish Terrier named Zero.