Cyber-crime Science = Crime Science + Information Security


Social Science Experiment
Jan-Willem Bullee

Background
• Effectiveness of authority on compliance
• We can get some of the answers from
» Literature (meta-analysis)
» Attacker stories/interviews
• But the answers are inconclusive
» Different context
» Hard to measure human nature
» Difficult to standardize behaviour

Cyber-crime Science
Principles of Persuasion
• Authority
» More likely to listen to a police officer
• Conformity
» Peer pressure
• Commitment
» Say yes to something small first
• Reciprocity
» Return the favour
• Liking
» People like you and me
• Scarcity
» Wanting the ungettable

Literature on Authority
• Classical Milgram shock experiment
» 66% full compliance
[Mil63] S. Milgram. Behavioral study of obedience. The Journal of Abnormal and Social Psychology, 67(4):371-378, 1963.

Introduction Key Experiment
• Get something from an employee
• Equal to password or PIN
• Intervention
• Impersonate

Experimental Setup
• Design (R = randomised group, X = intervention, O = observation)
» R1  X  O
» R2     O
• Intervention
» Written memo
» Key-chain
» Poster

Hypotheses
• H0: Intervention and Control comply equally
• H0: Authority and Control comply equally
• H0: Effect of Authority on compliance

Results
• 351 rooms targeted
» N = 118 (33.6%) populated
• Demographics of targets
» Female: 24 (20%), Male: 94 (80%)
» Mean age = 34, range 23-63 years
• Overall compliance distribution
» 52.5%/47.5%

Results
• Intervention distribution
» 60%/40%
• H0: Intervention and Control comply equally
» χ²-test
» Hypothesis rejected

Results
• Authority distribution
» ≈50/50
• H0: Authority and Control comply equally
» χ²-test
» Hypothesis accepted

Results
• Effect of authority
» Logistic regression: Intervention → Give Key
» Employees that did not get the intervention are 2.84 times more likely to give their key away
» Logistic regression: Intervention + Authority → Give Key
» Authority: no effect

Results
• Comments:
» “Great test!” “Cool experiment” “Interesting study”
» “I had doubts” “Having a keychain is important”
» “Suspicious looking box”
» “Guy in suit looked LESS trustworthy”
» “Asked for my ID”
» “Trusted me since I looked friendly”
» “I feel stupid”
» “I didn’t want to give the key, but did it anyway”

Take Home Message
• Children, animals and people never react the way you want.
• Limited availability in July and August
• You are not important for others
• …unless you want to break the system
• 1/3 of employees work on a Wednesday in September
• 2.84 times higher odds to get the key if no intervention

Charging Mobile Phone
• What are the security considerations of the users of a public mobile phone charger?
» What is the use rate of the device (per number of people at that location per hour)?
» Why do people use (or not use) the system?
» How do the safety perceptions of the current users differ from those of the former users and the non-users?
• You are the researchers!

Crime Prevention
• CPTED framework (Crime Prevention Through Environmental Design)
• Activity support
» Eyes on the street
» Unfortunately: also provides opportunity
» Overall, crimes are reduced by increasing activity
[Coz05] P. M. Cozens, G. Saville, and D. Hillier. Crime prevention through environmental design (CPTED): a review and modern bibliography. Property Management, 23(5):328-356, 2005.

Hypotheses
• H0: Cabinets in busy and quiet areas are equally used.
• H0: Cabinets with surveillance (e.g. a service desk) and without surveillance are equally used.
• H0: Cabinets during lunch hours and during lecture hours are equally used.

Our Design
• Researchers: you (students)
• Target: fellow students and employees
• Goal: observe
» Observe and interview people
• Interface: face to face
• Count people and short questionnaire

Method: Our design
• 2 experimental conditions
» Users of the system / non-users of the system
• 6 locations
» Experimental: Bastille, Hal-B, Horst and Spiegel
» Control: ITC (city centre), Ravelijn

Method: Our procedure
• Subjects from the experimental buildings
» Teams of 1 researcher
» One-minute count: the people that pass by
» Approach users of the system
• Subjects from the control buildings
» Teams of 2 researchers
» Interview people walking in the area
• More details on the course site

What to do
• Before Tuesday 9 September
» Register in the Doodle
• On 10, 17 (and 24) September
» 09:30 - 09:50 Briefing at ZI4047
» Travel to location
» 10:30 - 12:45 Experiment
» 12:45 - 13:30 Break and travel
» 13:30 - 15:45 Experiment part 2

What to do
• We have permission to do this only at
» UT: Bastille, Hal-B, Horst, Ravelijn, Spiegel and ITC
• Enter your data in SPSS
» Directly after the attack
» Come to me at ZI4047
• Earn 0.5 (out of 10) bonus points

Ethical issues
• Informed consent not possible
• Zero risk for the subjects
• Approved by facility management
• Consistent with data protection (PII form)
• Approved by ethical committee, see http://www.utwente.nl/ewi/en/research/ethics_protocol/

Conclusion
• Designing research involves:
» Decide what data are needed
» Decide how to collect the data
» Use validated techniques where possible
» Experimental design, pilot, evaluate and improve
» Training, data gathering

Further Reading
[Cia09] R. B. Cialdini. Influence: The Psychology of Persuasion. Harper Collins, 2009. http://www.harpercollins.com/browseinside/index.aspx?isbn13=9780061241895
[Gre96a] T. Greening. Ask and ye shall receive: a study in 'social engineering'. SIGSAC Rev., 14(2):8-14, Apr 1996. http://doi.acm.org/10.1145/228292.228295
[Hof66] C. Hofling, E. Brotzman, S. Dalrymple, N. Graves, and C. Pierce. An experimental study in nurse-physician relationships. J. of Nervous & Mental Disease, 143(2):171-180, Aug 1966.