
Using Data from Breaches: What is the User Level of Comfort? (PowerPoint presentation)


  1. Using Data from Breaches: What is the User Level of Comfort? Yingquan Yu

  2. My story Source: https://infosecurity.cathaypacific.com/

  3. How many online accounts have been compromised through data breaches? 5,575,703,782 (Source: https://haveibeenpwned.com)

  4. What happens to the data compromised during a breach? Most of the time it becomes available on the black market for free or paid download.

  5. Several uses for data from breaches: research, look-up services, proactive security, investigative journalism.

  6. Research questions
     • Do users understand breaches?
     • What are acceptable uses for breached data?

  7. Users understand the risks of breaches: 93% understand the meaning of "data breach". Risks they recognise: identity theft, personal data loss, monetary loss. What is their level of comfort with various uses of breached data?

  8. Scenario-based assessment
     • N = 10,000
     • US, IN, DE, UK, AU, CA
     • 8 scenarios in total, 2 scenarios per participant

  9. Sample scenario
     • Background
       • Global Inc: email, chat, blogs, profile page
       • Usernames and passwords stolen
       • Sold on the black market for $$$
     • Example
       • A researcher from UIUC
       • Investigates online security (password strength)
       • Buys a copy from the black market for research

  10. Scenarios (grouped by the type of actor using the breached data)
     • Security: Look Up Service (Have I been pwned); Proactive Protection (Process Password Dump); Threat Intelligence (Notify Payment Service); Threat Intelligence (Notify Social Network Service)
     • Investigative Journalism: Revealing a Tax Evasion Scam; Revealing Dating Site Private Profiles
     • Marketing: Competitor uses breached data to advertise their service
     • Researcher: Researcher uses breached data for security research

  11. Scenario: Threat Intelligence. Comfort level: 40% comfortable, 20% neutral.
     “I don’t have any issue with hacked firm contacting them. It is probably the best thing to do. They can reset my password before anyone has a chance to try and hack my account.”
     “Global Inc has already failed in securing my data, and I do not trust them to make any effort to secure my data elsewhere in the future.”

  12. Scenario: Security Research. Comfort level: 15% comfortable, 10% neutral.
     “I have faith that this action will ultimately contribute to research that will make the general population less vulnerable in the long run.”
     “It’s incredibly unethical for the researcher to buy passwords from hackers. It’s no different than someone buying a car that was stolen.”

  13. Level of comfort is highest for scenarios with a direct security benefit. Comfort spectrum, from most comfortable to least comfortable as laid out on the slide: Proactive Scanning and Protection; Threat Intelligence sharing; Hacked Or Not Service; Research; Journalism (Dating); Journalism (Tax Scam); Competitor/Marketing. The leftmost scenarios are bracketed as "Direct Security Benefit".

  14. Order preserved regardless of buy vs free download. Comfort spectrum, from most comfortable to least comfortable: Proactive Scanning and Protection; Hacked Or Not Service; Research; Journalism (Dating); Journalism (Tax Scam); Competitor/Marketing.

  15. The comfort spectrum is consistent across countries.

  16. Prior victims of a data breach expressed a significantly higher level of comfort. Victims were more comfortable with:
     • Proactive measures (whether the data is purchased or free)
     • Damage control measures (both financial and social network data)
     • Hacked-or-not service (only if the data is free)

  17. Implications for companies
     • The breached company needs to be transparent and notify victims.
       “I think it’s imperative for the company to tell people whose data has been accessed. Companies should not control but rather empower.”
     • Articulate how any security service can provide a direct benefit to the victims.
       “I have faith this action will ultimately contribute to making the general population less vulnerable in the long run.”
     • Proactively reset passwords and lock down accounts from further damage.
       “This is a proactive step from the company, and one that they are not obligated to do. This makes me feel like the company cares about protecting my identity.”

  18. Back to my story Source: https://infosecurity.cathaypacific.com/
