CRANE, Ind. – Dr. Timothy Kelley of Naval Surface Warfare Center, Crane Division (NSWC Crane) was a featured presenter at the Vienna Symposium on Global Cybersecurity Awareness Messaging held in Vienna, Austria, from August 30-31. The symposium was hosted by the United Nations Office on Drugs and Crime with the goal of organizing and deploying a maximally effective national cybersecurity awareness campaign.
The audience consisted of computer emergency response teams who are attempting to deal with financial and security loss due to phishing attacks, as well as financial institutions, such as PayPal. Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Dr. Kelley used analogies from public health education and financial risk management education to help explain the national cybersecurity awareness campaign.
“We are beginning to look at cybersecurity as a public health issue, such as smoking, for example,” Dr. Kelley said. “Essentially, poor cyber health from one person can affect the cyber health of everyone around them.”
Dr. Kelley’s presentation – based on a protocol he developed at Indiana University – focused on the importance of quantitative measures of user behavior for evaluating cybersecurity education. One example of such a measure is the U.S. Army’s phishing education test, which compares each person’s score before training with their score after it, both to estimate how likely individuals are to fall for phishing and to determine whether the training actually improved their scores.
“It’s a really interesting way to try and figure out how likely someone is to fall for a phishing website,” Dr. Kelley said.
Dr. Kelley and other cyber experts at Indiana University created an innovative way to gauge how likely individuals are to fall for phishing websites. A participant who completes the test with 100 percent accuracy receives eight dollars. However, every second taken to respond deducts three cents from that amount, and a wrong answer forces the participant to wait 15 seconds before answering again.
Among 173 participants, the average bonus pay was two dollars, and the average accuracy was just over 60 percent.
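The incentive scheme described above can be written down as a small scoring model, which makes the speed-versus-accuracy trade-off concrete: under these rules a wrong answer costs at least 45 cents of lockout time plus the time of the retry, so guessing quickly does not pay. The Python below is an added example, not code from Dr. Kelley, NSWC Crane or the Indiana University study. It assumes that a participant must answer an item again after a wrong answer until it is correct, that the 15-second lockout counts against the clock at the same three-cents-per-second rate (a flag turns that off, since the article does not say), and that accuracy means first-attempt accuracy; the response data is constructed.

```python
"""Scoring model for a timed phishing-identification test.

Added example (assumption-based, not the study's own code). Payout rules
taken from the article: $8.00 for a perfect run, minus $0.03 per second of
response time, with a 15-second lockout after each wrong answer.
"""
from dataclasses import dataclass
from typing import Sequence, Tuple

MAX_BONUS = 8.00        # dollars for a perfect run (article)
PER_SECOND = 0.03       # dollars deducted per second of response time (article)
LOCKOUT_SECONDS = 15.0  # forced wait after a wrong answer (article)


@dataclass
class Trial:
    """One website shown to the participant.

    attempts: successive (answered_phish, seconds_to_answer) pairs; the
    participant keeps answering until the answer is correct (assumption).
    """
    is_phish: bool
    attempts: Sequence[Tuple[bool, float]]


def score_session(trials: Sequence[Trial], lockout_is_charged: bool = True):
    """Return (bonus_dollars, first_try_accuracy, elapsed_seconds).

    lockout_is_charged=True bills the 15-second wait at the per-second rate
    (assumption); False treats the lockout as unpaid dead time.
    """
    if not trials:
        raise ValueError("a session needs at least one trial")
    elapsed = 0.0
    first_try_correct = 0
    for trial in trials:
        for attempt_no, (answered_phish, seconds) in enumerate(trial.attempts):
            elapsed += seconds
            if answered_phish == trial.is_phish:
                if attempt_no == 0:
                    first_try_correct += 1
                break
            # Wrong answer: the participant is locked out before retrying.
            if lockout_is_charged:
                elapsed += LOCKOUT_SECONDS
        else:
            raise ValueError("trial was never answered correctly")
    bonus = max(0.0, MAX_BONUS - PER_SECOND * elapsed)
    return round(bonus, 2), first_try_correct / len(trials), elapsed


def minimum_cost_of_error() -> float:
    """Dollars lost by one wrong answer from the lockout alone (retry time extra)."""
    return round(PER_SECOND * LOCKOUT_SECONDS, 2)


# Constructed sessions for illustration (not data from the study).
PERFECT = [Trial(True, [(True, 2.0)]), Trial(False, [(False, 3.0)])]
ONE_MISS = [Trial(True, [(False, 1.0), (True, 1.0)]), Trial(False, [(False, 3.0)])]

if __name__ == "__main__":
    print("perfect run:", score_session(PERFECT))
    print("one miss, lockout charged:", score_session(ONE_MISS))
    print("one miss, lockout unpaid:", score_session(ONE_MISS, lockout_is_charged=False))
    print("lockout cost per error: $%.2f" % minimum_cost_of_error())
```

Changing the constants, or the `lockout_is_charged` flag, shows how sensitive the payout is to the exact rules, which is why a protocol like this has to state them precisely before pre- and post-training scores can be compared.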
“The thermal dynamics really do favor the attacker. They only have to find one, but you have to secure them all,” Dr. Kelley said. “That’s where the resiliency comes in. With the understanding that we cannot build a perfect system, that once it is exposed, people are going to exploit it, how do we minimize the losses?”
The plan is to establish a global strategy for transnational cybersecurity messaging, with assets deployed as a form of cybercrime prevention, and maintained as an instrument of behavioral management subject to the same rigor as any other kind of public health measure.
“It’s far easier to get the human to give up that information than it is to find a flaw in the infrastructure and acquire that information in a technical way,” Dr. Kelley said. “The human mind has heuristics and biases that allow us to make complicated decisions very quickly and very accurately. Once you start designing a system with the assumption that the human is the weak link, you start to exasperate those heuristics and biases and create much stronger decision boundaries that are much easier to exploit.”
NSWC Crane is a naval laboratory and a field activity of Naval Sea Systems Command (NAVSEA). NSWC Crane is responsible for multi-domain, multi-spectral, full life cycle support of technologies and systems enhancing capability of today’s warfighter.