Intro Fundamental Research Organizational Development and Security Cultural Differences Didactics of Security Knowledge Base
Psychology of Security
Security as human behaviour and experience
Stefan Schumacher
www.sicherheitsforschung-magdeburg.de
DeepSec Vienna
21.11.2013
Sicherheitsforschung-Magdeburg.de
Psychology of Security
About me
- President of the Magdeburg Institute for Security Research
- Editor of the Magdeburg Journal of Security Research
- Freelance Security Consultant
- Hacker for 20 years, ex-NetBSD developer
- Educational Science and Psychology, Research on Social Engineering
- Focus on Social Engineering, Security Awareness, Organizational Security
ToC
1 Intro
2 Fundamental Research
3 Organizational Development and Security
4 Cultural Differences
5 Didactics of Security
6 Knowledge Base
Psychology
- empirical and theoretical science
- describes, explains and predicts human behaviour and experiences
- human development and the internal and external causes and conditions
- Differential and Personality P., Social P., Industrial P., Organisational P., Pedagogical P.
Psychology and IT-Security?
Security is a latent social Construct and has to be treated as such. Psychological and sociological Methods and Tools are required. If the Security of a System should be enhanced, a Diagnosis, Prognosis and Intervention is required.
Security and Psychology
- Security is concluded by making Decisions
- Individuals make decisions based on their Biography, the Situation and how they perceive their Environment
- see: von Foerster, Luhmann, Spencer Brown, Baecker et al.
- Psychology is the Science which researches these Topics.
- Therefore, Psychology is required to research Security.
- Psychology is the only Science able to research the basic fundamentals of Security.
Washing your Hands
- More pregnant Women died in the Vienna General Hospital than in a Monastery
- Ignaz Semmelweis discovered that Physicians transmit pathogenic agents
- He proposed that Physicians should wash their Hands
- His Idea was rejected and he was considered to be somewhat crazy
- This can only be explained by Psychology
1996: Ariane 5 Flight 501
320 000 000 Euro
Some Examples
- Users choose weak Passwords ...
- Users are not interested in Security ...
- Users don’t understand Security ...
- Programmers create Buffer Overflows and forget safety Regulations ...
- Admins forget to patch ...
- Developers use MD5 as Password Hash ...
- Social Engineering
- Security Awareness
Research Programme
- Vienna Programme for Cyber-Peace
- introduced last year
- Psychology of Security is part of it
- 3 years estimated
- currently started
What do we need?
- Fundamental Research about the Perception of Security
- Fundamental Research about Personality/Attitudes and Security
- Organizational Development and Security
- Cultural Differences
- Didactics (Teaching Methodology) of Security
- What to teach?
Perception of Security
- radical constructivist approach
- each Individual perceives the World in one’s own Way
- shaped by one’s former experiences
- We have to explore this Worldview in depth
- by qualitative Research
Perception of Security
- different Tools and Methods exist
- several qualitative/semi-structured Interviews are conducted with different interviewees
- e.g. autobiographic-narrative Interviews with Hackers and Users
- Expert interviews with Hackers and Researchers
- What shapes a Hacker’s mind?
- How do Users perceive IT-Security?
- How can this Perception be changed?
- Are there Science based Security Awareness Tools?
Risk Homeostasis
- Risk behaviour is controlled by different Variables
- Self-perception, subjective Skills, objective Skills, Perception of Risk, Risk acceptance
- Researched in Industrial Psychology: Air Traffic Controller/Pilots, Workers in Nuclear Power Plants, Motor Vehicle Operator ...
- Study: East German Taxi Drivers switched from Wolga to Mercedes and had more accidents
Personality and Security
- Different Theories of Personality exist
- We use empirically sound Tools to examine Personality Traits and security relevant Behaviour
- Personality Traits are very stable over Lifetime
- quantitative research
- Big5: Neuroticism, Extraversion, Openness, Conscientiousness, Agreeableness
- Motives: Power, Achievement Orientation and others
- How do they correlate with security relevant behaviour?
Organizational Development
- Security is a huge and hot Topic in Companies
- lots of Money is spent on Security Awareness and Training
- lots of different Methods exist, e.g. in Knowledge Management, Leadership, Organizational Development
- Which of them are useful for security relevant Behaviour?
- Strict Hierarchies can be easily attacked with Social Engineering ...
Cultural Differences
- Culture influences Organisations and Individuals
- What are the differences? How can they influence Security?
- e.g.: How is the TVET system organized? Is there a TVET System? On the job training? Only colleges?
- Lots of Tools and Methods exist, Research Results also
- Can they be transferred to our Problems?
Didactics
- Didactics is the Science of Learning and Teaching
- Teaching Methodology
- very well researched in Germany due to the dual TVET System
- well funded and empirically sound
- several curriculums for IT skilled labour exist
- how can they be enhanced with IT security
How?
- How can we teach Security?
- Which Methods work best under which Circumstances?
- E-Learning? Blended Learning? Only Facts? Theory? Practical Approach?
- Culture is relevant
- well researched Model of Competencies/Capabilities is used in Germany
- not only facts are taught, but also studying and research methods
- independent learning is emphasized
- trainees learn how to keep their knowledge up to date
- trainees have to be able to know what to learn
How?
- How can we use this Model of Competencies/Capabilities?
- What are the best Methods to develop those Competencies?
- action oriented teaching? project work? masterpieces?
Who?
- Who has to learn about IT Security?
- Sysadmins, Developers, End Users
- create different roles
- determine what each role has to learn
What
- What to teach and learn?
- Who needs to understand Elliptic Curve Cryptography?
- Webmaster? Sysadmins? End Users?
- Who needs to understand what?
- How do we test that?
- When and How do those Curriculums and Tests need to be revised?
Web based teaching
- Part of the Programme
- modularized Curriculum
- adapted for different Roles
- different web based Methods including Mobile Learning
- including tests and certification
Getting Knowledge
- Too much information is floating around
- too old information, which is obsolete and outdated
- false information
- find methods to identify correct knowledge
- create a knowledge base?
- who decides about the contents?
- empower users to identify correct/required knowledge?
What to do?
- Finish fundamental research
- Discuss what to teach
- Research cultural Differences
- Find adequate teaching Methods
sicherheitsforschung-magdeburg.de
stefan.schumacher@sicherheitsforschung-magdeburg.de
youtube.de/Sicherheitsforschung
http://www.sicherheitsforschung-magdeburg.de/publikationen/journal.html