Norman M. Sadeh is a Professor in the School of Computer Science at Carnegie Mellon University. He is director of Carnegie Mellon’s e-Supply Chain Management Laboratory, director of its Mobile Commerce Laboratory, and co-Director of the School’s PhD Program in Computation, Organizations and Society. He also co-directs the newly created MBA track in Technology Leadership launched jointly by the Tepper School of Business and the School of Computer Science.
Jason Hong is an associate professor in the Human Computer Interaction Institute. He works in the areas of ubiquitous computing and usable privacy and security, focusing on location-based services, anti-phishing, mobile social computing, and end-user programming. He is also an author of the book The Design of Sites, a pattern-based approach to designing customer-centered web sites.
posted by Richard Power
CyLab Chronicles: In 2008, CyLab Chronicles reported on the launch of Wombat Security, another success story in CyLab technology transfer. Well, before we get into your big announcement about the U.S. Air Force, can you give us an update on where Wombat is and where it's going? What are some of the highlights of the last two years?
Norman Sadeh: Over the past two years, Wombat has been expanding its product lines and bolstering marketing and sales. Today, we have established ourselves as a leader in the fight against phishing, with the most comprehensive and most effective combination of training solutions and a unique anti-phishing filter, PhishPatrol, that has been shown to catch many of the more dangerous spear phishing emails not caught by other filters. Our products have been licensed for use by millions of users in the US and abroad. Our customers come from a number of different sectors, showing the breadth of the appeal of our solutions. This includes government, finance, insurance, health care, energy, IT, consulting, transportation and logistics, education as well as culture and entertainment.
CyLab Chronicles: Now tell us about the U.S. Air Force's award of a $750,000 contract to Wombat Security Technologies to provide "innovative micro-game platform for cyber security awareness and training." What will your work for the USAF consist of, and what will the deliverable offer? Where will it be deployed? How will it be used?
Jason Hong: The goal of the platform is to make it easier to develop, deploy, and manage a suite of micro-games for cyber security awareness. This includes features for motivating employees to train (using carrots rather than just sticks), as well as monitoring its effectiveness and compliance rates within your organization. We are planning on two versions of the platform. The first is a cloud-based one that organizations can subscribe to. The second is one that organizations can install locally, if they are concerned about having any data be stored in the cloud, for example the military or governments.
CyLab Chronicles: To provide some context, talk a little about the underlying research, and what you have found both at CyLab and at Wombat that inform your approach to the challenges of cybersecurity awareness and training?
Jason Hong: When we started looking at phishing in 2004, it was a small but growing kind of security attack, where criminals would target the person behind the keyboard rather than the computer itself. The conventional wisdom at the time was that you can’t train people to be more secure, because people aren’t motivated and because security is a secondary task. By secondary, we mean that people don’t go to their bank’s web site to check on its security, they go there to do banking. Our anti-phishing training research had two key themes to it. The first theme was micro games, games that you can play for a few minutes. At the time, most micro games were just for entertainment. We wanted to see if we could use micro games as a way to train people in a manner that was fun and effective. Towards this end, we developed Anti-Phishing Phil, a micro game that teaches people about phishing scams and how to identify legitimate and fake URLs in the web browser. Our studies with several thousand people showed that Phil was quite effective. The second theme was teachable moments. Phil worked well if a person knew that they needed to learn more about phishing. However, most people don’t even realize that phishing is a problem, or think that they already know how to protect themselves. With this insight, we designed PhishGuru, a system that the good guys can use to send simulated phishing emails to people in their organization. If a person falls for a simulated phishing email, it creates a teachable moment that shows that individual how vulnerable they are. They see training that teaches them what just happened, how attackers create phishing emails, and how to avoid these scams in the future. Our user studies showed that people who fell for one of our simulated phishing emails were able to avoid future phishing scams quite well. We’ve commercialized Anti-Phishing Phil and PhishGuru, and have used what we’ve learned in creating follow-up products as well.
CyLab Chronicles: What will the end-product of the USAF contract mean for other large-scale, at-risk realms within the government sector? And what are the implications for other sectors beyond government? What kind of environments could benefit from such an approach?
Norman Sadeh: We are designing our micro-game platform so that it can be deployed in a number of settings, from small-scale organizations to large-scale enterprises. Our goal is to make it so that any organization that has our platform will find it easier to train and motivate employees, and also to evaluate their security posture as it relates to employee training. In addition, we envision some versions of the platform also being used to train customers. From what we’ve seen, practically every organization needs to improve the cybersecurity awareness levels of their employees. There are well over 100 million employees in the US who, as part of their work, access the Web on a daily basis, and several times as many if one includes major overseas markets. On top of that, many of these organizations also need to better train their customers. Think online banking, Amazon customers, IRS tax filers, Facebook users, etc. The government and military have the most obvious pains due to the need to preserve national security and protect US citizens, whether as tax filers or social security recipients. Corporations also need to defend themselves from corporate espionage and other attacks, in the form of stolen intellectual property, sensitive documents, or customer data. Universities are trying to prevent students and faculty from becoming victims of scams, as well as keeping their computers from being used in other attacks. Over time, we think we’re going to see greater adoption of cybersecurity training as more organizations grapple with compliance with regulations like FISMA (information security for the US federal government), Gramm-Leach-Bliley (finance), or HIPAA (health care).
CyLab Chronicles: Give us a sense of what a user in an enterprise's workforce could expect to encounter from Wombat technology. What would the user interact with and how? What would the user experience be? What would they be looking at? How would they be interacting? What would they come away with?
Jason Hong: Through our platform, a user can see the entire collection of cybersecurity micro games that they can play along with additional training material and relevant security alerts. They can also see what achievements they have earned for performing well on specific games, their overall score, as well as challenges and contests. A user can print out specific lessons (to keep important tips on their office wall), as well as certificates showing that they have reached certain levels of training. Our platform also makes it easier for the people in charge of cybersecurity in an organization to link actual prizes to specific performance goals and/or tailor training recommendations and requirements based on an employee’s role or prior performance. For example, they might require some employees to take remedial modules, or take refresher quizzes. They might offer prizes to those individuals who score the highest on a micro-game or even organize competitions among different groups of users (e.g. free dinner for the department with the best score).
CyLab Chronicles: Looking beyond this latest news, what is in Wombat's future? Where do you see your work going?
Norman Sadeh: Our success over the past 2+ years has validated the appeal of our products and shown how large of a potential market there is in this space. Our objective moving forward is to continue to scale up both domestically and overseas. This will likely include building more partnerships, especially as far as our filtering solutions are concerned. On the training side, our goal is to establish ourselves as the global leader in cyber security awareness and training for everyday Internet users, just as we have for phishing.