Raw notes …<\/p>\n
<\/p>\n
Bruce Schneier:I put the panel together because there’s a lot of work on the human side of security, pscyhology, risk.\u00c2\u00a0 There’s a lot to be learned from researchers in these subjects, economics, cultural anthropology … it’s a taste of the stuff out there.\u00c2\u00a0 How do we design systems and social policy in a way that they’re effective?\u00c2\u00a0 How do we respond to events and rhetoric?<\/p>\n
The feeling and reality of security are different.\u00c2\u00a0 You can feel secure if you’re not; you can be secure even if you don’t feel that way.\u00c2\u00a0 Two concepts, we use the same word.\u00c2\u00a0 We need to split them apart.\u00c2\u00a0 We don’t have the words to talk about a lot of these things.<\/p>\n
I view security as a tradeoff.\u00c2\u00a0 No such thing as absolute; you’re trading off time, convenience, etc.\u00c2\u00a0 The question isn’t “is it effective”, it’s abou the tradeoff.\u00c2\u00a0 e.g. bulletproof vests work great; none of us are wearing them.\u00c2\u00a0 People have different intuitions, and we talk based on our intuitions. Making security tradeoffs is part of being alive … we should be really good at it, since it’s key to evolutionary success.\u00c2\u00a0 Sometimes we’re really bad.\u00c2\u00a0 Why?<\/p>\n
A lot of it’s the distinction between risk and reality.\u00c2\u00a0 Work being done on evolutionary psychology – how we evolved based on situations 100,000 years ago.We’re highly optimized for decisions in small group living in the east african highlands 100,000 yeas ago.<\/p>\n
_________<\/p>\n
Christine Jolls of Yale Law School: focusing on privacy.\u00c2\u00a0 Almos everything we regard as private isn’t private vis-a-vis everyone.\u00c2\u00a0 Whether it’s personal informaiotn or your unclothed body, there are some people you don’t mind giving access to it.\u00c2\u00a0 When peple make decisions about who to give access, undersanding psychology and behavioral economics is key.\u00c2\u00a0 Brandeis: “privacy is the right to be let alone”. But nobody wants to be completely alone.\u00c2\u00a0 The work I do focuses on how the law should try to construct the relationship between ourseles and others.<\/p>\n
Think about workpalce email monitoring.\u00c2\u00a0 Employees are typically told that employers reserve the right to monitor email.\u00c2\u00a0 Employees may make bad decisions in this context.\u00c2\u00a0 People are aware their email may be monitored; many people don’t process this, and optimism bias explains a lot of this.\u00c2\u00a0 Example of optimism bias: economist professor Thaler asks students to predict where they’ll finish in the class, and 80% predict they’ll be in the top 20%.\u00c2\u00a0 Workplace drug testing’s anohter example; most people who are caught just smoked pot with a friend on the weekend, but figure “oh i probably won’t get tested”. Ditto for email accesss.<\/p>\n
Another facter: the way people think about the future vs. present.\u00c2\u00a0 “The priority of the present is like ‘me’ vs. the rest of the world — everything else is later.”\u00c2\u00a0 People make decisions focusing on what they want right now, so the potential of future email monitoring\/testing is lower.\u00c2\u00a0 This is different from situations where people aren’t aware of the issues; people do <\/em>know what they’re consenting to, and they still do.<\/p>\n Congress han’t been responsive to these kinds of concerns.\u00c2\u00a0 Common “judge-made” law, however, often picks up on this.\u00c2\u00a0 For drug testing, if you sign a form just as you’re being tested, courts will trea thast as consent.\u00c2\u00a0 If you sign it a year in advance (where these kinds of effects kick in), courts won’t treat it as valuable.\u00c2\u00a0 The same pattern applies elsewhere.\u00c2\u00a0 Why is statuatory law so less aware of these issues?<\/p>\n ___________<\/p>\n Rachna Dhamija, CEO, Usable Security Systems and Fellow at the Harvard Center for Research on Computation and Society. Think about educating uses.\u00c2\u00a0 Tips are pages and pages long — even just on “how to choose a password”.\u00c2\u00a0 We’re starting to see security games.\u00c2\u00a0 Or fun posters: “passwords are like pants, you shouldn’t sure them”.\u00c2\u00a0 MSR did a major study: uses have 25 accoutns and 6 passwords they reuse.\u00c2\u00a0 3M Yahoo! pasword resets\/month.\u00c2\u00a0 Google password study: 15M accounts, 50% choose from only 1M possibilities.<\/p>\n Why don’t uses do better?\u00c2\u00a0 “I can’t” — cogintive limitations.\u00c2\u00a0 “I have nothing to lose!”\u00c2\u00a0 That infuriates me as asecurity researcher, but on second thought maybe users are right: Consumers Union’s recent survey shows that most people don’t have issues.<\/p>\n Users in their daily lives just wan tto get tasks done, they’re not focused on security.\u00c2\u00a0 Attackers exploit this by adding urgency.\u00c2\u00a0 Security interrupts like “invalid certificate”, users see “something happened and you need to hit okay to get on with doing things.”\u00c2\u00a0 Geting informed consent is hard; users will knowingly install spyware if they think functionality is vlauable.\u00c2\u00a0 Users are over-confident in their abiilty to protect themselves: “I can always uninstall it.”<\/p>\n Users don’t notice the absence of security indicators.\u00c2\u00a0 RSA’s response: “You found a weakness, but Gartner’s survey showed most users find our security conenient.”\u00c2\u00a0 Bruce’s point abou difference<\/p>\n Design assumptions: users<\/p>\n websites:<\/p>\n Currently working on UsableLogin: consistent across sites, only one “codeword” to remember, no single point of failure.\u00c2\u00a0 Can take it to various sites, converts my codeword the site’s login info.<\/p>\n _______<\/p>\n Alessandro Acquisti<\/p>\n A rational model of privacy descision making.\u00c2\u00a0 Johnny MySpace debates about whether to publicize his kinks on MySpace, weighs benefits (i might find a lover) and risks (my employer might find it) and decides.\u00c2\u00a0 It doesn’t work that way.\u00c2\u00a0 2004 paper: incomplete informaiton, bounded rationality, psychological and behavioral biases (hyperbolic discounting, optimism bias).\u00c2\u00a0 Now focus on experiments in privacy decision-making. Subtle variations of framing can lead to dramatic changes in valuation of personal information or willingness to reveal iformation.<\/p>\n 1. the herding effect.\u00c2\u00a0 People were asked questions about ethical q’s and wheher htey engaged in them.\u00c2\u00a0 We’d then show information about ostensible rates of how others had answerd: low admission rates, high admission rates, high “decline to answer” rates.\u00c2\u00a0 e.g. have you made a false or inflated insurance claim.\u00c2\u00a0 We found that after seeing high admission rates for other questions, people would be more likely to admit — even on questions about other kinds of behavior.\u00c2\u00a0 “the herding effect”: if i see others admit, I’m likely to.<\/p>\n 2. the frog effect: do privacy intrusions alert u to privacy concerns, or densitize us?\u00c2\u00a0 We simulated privacy intrusions thorugh a survey with 30 diff questions at different level of sensitivity and intrusivienss. \u00c2\u00a0 e.g. “have you ever left the lights on because you were lazy” vs “have you watched pornography w\/o being sure of the age of the people involved.”\u00c2\u00a0 We manipulated the order: tampe to intrusive, intrusive to tame, pseudo-random, sudden.\u00c2\u00a0 Alo when identifying info was asked: at the start vs. at the end.\u00c2\u00a0\u00c2\u00a0 “Frog hypothesis”: people will admit to sensitive behavior more often as they get warmed up (i.e. qustions go from tame to untrusive).\u00c2\u00a0 “Cohereent arbitrariness”: peole will admit less <\/em>often as they get warmed (questions go fform more to less senseitive).\u00c2\u00a0 Results: frog hypothesis rejected.\u00c2\u00a0 “Have you had a fantasy of torturing somebody?” W\/ decreasing order, 60% say use; with increasing order, 40%.<\/p>\n 3. willingness ot pay for protection of personal data vs. willingness ot accept $ to reveal personal data.\u00c2\u00a0 $10\u00c2\u00a0 anonymous gift card: your name won’t be linked, usage won’t be tracked.\u00c2\u00a0 $12 trackable card.\u00c2\u00a0 We then give subjects an option of a second card, and asked if they want to switch.\u00c2\u00a0 Do I want to get $2 more to give away my data? vs. Do I want to give away $2 to protect”.\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 50% of subjects will switch from $10 to $12 card; value of privacy = $1.\u00c2\u00a0 only 10% will switch from $12 to $10, value of privacy = $0.20.<\/p>\n ____<\/p>\n Schneier recommends The Science of Fear.<\/p>\n ____<\/p>\n Mike Nelson: people are looking at pscyhology of children online.\u00c2\u00a0 Are you looking at how kids develop senses of this?<\/p>\n Schneier: danah boyd has looked at this.\u00c2\u00a0 THere’s a huge generational diff between comfort about saying things online.\u00c2\u00a0 Parents need cybersecurity training a lot more than kinds.<\/p>\n Christine: children discount the future more, and suffer from more optimism bias.<\/p>\n Rachel in the audience: there was an Annenberg study when COPPA came out on marketers focusing on 14-17 year olds to get family informaiton.\u00c2\u00a0 A sudy from NC State was that the online behavioral differences from children mirror behavioral differences offline.<\/p>\n Rachna: plenty of evidence that minors are good at subverting filters.<\/p>\n Q for Christine: are you suggesting that the law needs to accomodate that people don’t make rational decisions?\u00c2\u00a0 Does this extend beyond the privacy sphere?<\/p>\n Christine: Richard Posner claims that judge-made law tends to be economically efficient.\u00c2\u00a0 Why?\u00c2\u00a0 Occam’s razor: judges are human beings and understand hese distortions.\u00c2\u00a0 Here are ohter areas where judges don’t map so closely to behavioral economics.\u00c2\u00a0 What is it about privacy that leads judges to get it right?\u00c2\u00a0 Maybe i’s just that it’s had and hey think about a lot.<\/p>\n Alessandro: perhasp one reason statutory law doesn’t reflect this is that legislators are concerned about being paternalistics.<\/p>\n Christine: certainly possible, although it might also be lobbying etc.<\/p>\n Bruce: decisions under fear are highly optimized.\u00c2\u00a0 you can so somebody a picture of a snake, and their reactions kick in before they realize its a snake.<\/p>\n David Campbell: how should security professionals react?<\/p>\n Rachna: need to avoid training — it’s usually fine to hit “ok”<\/p>\n Alessandro: giving people total control often doesn’t help.\u00c2\u00a0 so there’s a room for regulation<\/p>\n Bruce: another good book: The paradox of choice<\/p>\n Audience: Dan Gilbert’s TED Talk “what makes us happy” is a great<\/p>\n Q: we’re socialized for certain kinds of risks — don’t give out your phone # to trangers in bars.\u00c2\u00a0 we’re not socialized to other risks, like FB.\u00c2\u00a0 Is this self-correcting over time<\/p>\n Bruce: yes<\/p>\n Rachna: yes if harm’s traceable back to the mistakes that leads to harm.\u00c2\u00a0 most people who have their identity stolen have no idea how\/why.<\/p>\n Christine: big distinction betwen knowing the average risk and pesonal risks.\u00c2\u00a0 i think people will correct for average risk, but due to optimism bias not so sure about personal risk<\/p>\n Audience: there are a lot of people who avoid activities because of fear.\u00c2\u00a0 have you studied the effectiveness of techniques?<\/p>\n Rachna: seals like truste are effective at helping people with fear, although also easily spoofed by attackers<\/p>\n Audience: trying to reconcile “people don’t pay enough attention to privacy”, but first presentation said that the cost is low.\u00c2\u00a0 aren’t people being rational?\u00c2\u00a0 what’s the problem?<\/p>\n Schneier: people are making the right choice, it’s just a bad design.<\/p>\n Christine: its different depending on the context.\u00c2\u00a0 in the workplace, people make bad decisions all the time.\u00c2\u00a0 in another context, people would sign away the privacy of their house — “you can come in and repossess furniture even if i’m not home”.\u00c2\u00a0 udges hae struck this down.<\/p>\n Alessandro: we’re not saying right or wrong, we’re showing that small changes in wording can lead to huge differences in behavior.\u00c2\u00a0 so privacy preferences are malleable.<\/p>\n","protected":false},"excerpt":{"rendered":" Raw notes …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-815","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/comments?post=815"}],"version-history":[{"count":0,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/815\/revisions"}],"wp:attachment":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/media?parent=815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/categories?post=815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/tags?post=815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n