The Millennial Cybersecurity Project


The Millennial Cybersecurity Project
Improving Awareness of and Modifying Risky Behavior in Cyberspace

29 September 2012

Authors
Noel P. Greis, Center for Logistics and Digital Strategy
Monica L. Nogueira, Center for Logistics and Digital Strategy
Susan Kellogg, Information Technology Department

Kenan-Flagler Business School
The University of North Carolina at Chapel Hill

Prepared for: Department of Homeland Security, U.S. Department of Homeland Security, Washington, D.C. Contract No

Prepared by: RTI International Institute for Homeland Security Solutions, Research Triangle Park, North Carolina

This document is in the public domain and may be used and reprinted without special permission. Citation of the source is appreciated.

None of the investigators have any affiliations or financial involvement that conflicts with the material presented in this report.

Suggested citation: Greis, N.P.; Nogueira, M.L.; and Kellogg, S. The Millennial Cybersecurity Project: Improving Awareness of and Modifying Risky Behavior in Cyberspace. Final Report. Institute for Homeland Security Solutions, 29 September (Prepared by RTI International Institute for Homeland Security Solutions under contract )

This report is based on research conducted under the Institute for Homeland Security Solutions (IHSS) under contract to the Department of Homeland Security, Washington, DC. (Contract ). The findings and conclusions in this document are those of the author(s), who are responsible for its contents; the findings and conclusions do not necessarily represent the views of the Department of Homeland Security. Therefore, no statement in this article should be construed as an official position of the Department of Homeland Security.

Table of Contents

Executive Summary
Statement of Problem
Background
    Lack of Awareness of Organizational Cybersecurity Policies
    Limited Adherence to Organizational Cybersecurity Policies
    Need for New Approaches that Build Awareness of Risky Cyber Behaviors
Conceptual Approach
    Avatars and Digital (Self) Representations
    Digital Messaging
    Real-Time Performance Feedback
Methods and Results
    Experiment 1: Understanding Millennial Attitudes about Cybersecurity
        Policies Regarding Firewalls, Antivirus, and OS Updates
        Password Behaviors
        Problems Due to Risky Behaviors
    Experiment 2: Determining Baseline Risky Behaviors in Millennials
        Phishing Behaviors
        Password Generation Behaviors
    Experiment 3: Modifying Risky Behavior in Millennials
        Modifying Risky Behavior in Phishing Emails
        Modifying Risky Behaviors in Password Creation and Use
Recommendations
Conclusions and Future Directions
References

List of Figures

Figure 1. Millennial Cybersecurity Project Conceptual Model
Figure 5. Distribution of Clues Selected by Millennials for Phishing Decision
Figure 6. Distribution of Baseline Password Length Behavior
Figure 7. Distribution of Baseline Password Complexity Behavior
Figure 8. Example of Avatar-Based Phishing Strategy
Figure 9. Example of Avatar Positive Reinforcement
Figure 10. Experimental Results of Intervention for Phishing Behavior
Figure 11. Performance Feedback for Intervention
Figure 12. Intervention Feedback for Intervention
Figure 13. Example of Password Strategy Messaging with Avatar
Figure 14. Example of Animated Strategy Messaging
Figure 15. Post-Intervention Password Length Improvement by Group
Figure 16. Post-Intervention Password Complexity Improvement by Group
Figure 17. Distribution of Individual Password Complexity Score Improvement
Figure 18. Distribution of Password Complexity Score Improvement
Figure 19. Comparison of Pre-Intervention and Post-Intervention Password Complexity Scores by Group

List of Tables

Table 1. UNC Cybersecurity Policies
Table 2. Experimental Design for Phishing Experiment
Table 3. Lists of Clues for Identifying Phishing Emails
Table 4. Results of Phishing Experiment Stratified by Sender Type
Table 5. Results of Phishing Experiment Stratified by Gender and Sender Type
Table 6. Results of Phishing Experiment Stratified by Sender Type (Millennials)
Table 7. Experimental Design for Phishing Experiment
Table 8. Results of Phishing Experiment (First 24 Hours after Delivery)
Table 9. Risky vs. Best Practices for Password Creation and Use
Table 10. Overview of Experimental Design for Password Experiment
Table 11. Distribution of Repeated Password Behavior by Group

Executive Summary

Millennials are the first "always connected" generation, ensconced within an ecosystem of digital devices from iPhones and iPads to tablets and laptops. They bring these devices and behaviors into the places where they study and work, which can expose organizations to security vulnerabilities. Millennials are reported to lack awareness of and demonstrate limited adherence to organizational security policies, which highlights the need for new approaches that build awareness of risky behaviors in cyberspace. The goal of the Millennial Cybersecurity Project is to improve our understanding of millennials' awareness of cybersecurity threats, to identify risky behaviors that put organizations at risk, and to explore new digitally-mediated tools to modify risky behaviors in cyberspace.

The underlying premise of the Millennial Cybersecurity Project is that the best way to communicate with millennials is through the language of technology. Most organizations today employ communications strategies that are better suited to previous generations. Instead of more traditional text-based materials and face-to-face interactions, this project demonstrates that risky behaviors can be reduced by moving from more traditional approaches to digitally-mediated and interactive online approaches that are more aligned with millennial familiarity and comfort with messaging that is short and simple and supported by graphics and symbols for fast and easy comprehension. In particular we demonstrate the effectiveness of 1) the use of real-time feedback of (lack of) conformance with security best practices, 2) the online reinforcement of best practices by encoding them in a strategy that is delivered digitally, and 3) the use of avatars or other digital (self) representations to personalize the messaging.

While stereotypes portray millennials as risk-seeking and blithely unaware of threats to and policies regarding cybersecurity, our results reveal a broad range of attitudes from highly aware and competent to completely uninformed and dangerous. These behavioral categories tend to transcend traditional boundaries of gender and age. Survey results of millennial business students and staff at the Kenan-Flagler Business School revealed that among the more vulnerable behaviors are password creation and use, and the ability to recognize and respond properly to phishing emails. Self-reported risky password and phishing behaviors by millennials were confirmed by experiment.

The Millennial Cybersecurity Project demonstrated that digitally-mediated interventions can both reinforce positive identification of phishing emails and reduce associated risky behaviors. Phishing emails are increasingly difficult to spot as senders get better at portraying themselves as legitimate. Further, while millennials rely on a number of standard clues to catch phishing emails, they often overlook clues if the sender appears to come from a trusted source. In online experiments, only 68% of millennials correctly identified phishing emails as fraudulent while 32% incorrectly identified phishing emails as legitimate. The presence of a

trustworthy sender and a realistic corporate logo were most useful in identifying legitimate emails, while suspicious links and unknown senders clued millennials as to fraudulent emails. Millennials who experienced real-time feedback about their skill at identifying phishing emails and who received best practice phishing strategies from avatars improved their ability to identify suspicious emails from low- and medium-trust senders. Millennials, however, consistently overlooked standard clues in phishing emails from high-trust senders.

Risky behaviors regarding password creation and use were also reduced after online interventions. Two types of interventions were tested. The first intervention provided real-time feedback about password strength, while the second intervention supplemented feedback about password strength with a password strategy that encoded best practices for password creation, both delivered by a personalized avatar. The strategy offered guidelines for creating passwords that are long and complex and that repeat patterns in a memorable way for use on different devices. The password is a front door into an organization's accumulated confidential and competitive information. However, self-reported and observed password behaviors confirmed that millennials fail to use best practices in managing their passwords, thereby putting the organizations where they work and study at risk. Both interventions achieved reductions in risky behaviors related to password strength, suggesting that awareness and behavioral training programs that integrate real-time, online interactions with students about their cyber behaviors are worth further experimentation and development.

Statement of Problem

Millennials are reported to prize freedom and innovation over security and stability and, thus, may expose business to cyber vulnerabilities, especially small and medium-sized enterprises that do not have the resources to adequately protect against unsafe technology use by millennials. The workplace attitudes and behaviors of the millennials have been the focus of several high-profile surveys in the last several years. These surveys, combined with anecdotes, have reinforced stereotypes of risky behavior in a number of domains including cyberspace.

The Millennial Cybersecurity Project¹ conducted a set of experiments to determine the effectiveness of interventions such as the use of avatars and other digital (self) representations for message personalization, real-time digital feedback about observed risky behaviors, and messaging of policies and best practices in formats and language that are more aligned with how millennials communicate with others and experience the world. The project's underlying premise is that cybersecurity awareness initiatives for millennials might be improved when messaging is accomplished digitally and in formats consistent with digital devices such as personal computers, cell phones, and mobile devices rather than more traditional media such as paper hand-outs and face-to-face communications and lectures.

To test this premise the Millennial Cybersecurity Project conducted three studies to determine: 1) millennial awareness of and self-reported behavior regarding policies and best practices of cyber behavior; 2) millennial baseline performance regarding risky behaviors in cyberspace related to organizational policy; and 3) post-intervention reductions in risky behaviors after technology-mediated interventions that raise awareness about observed specific risky behaviors and inform about best practices.

The goal of the Millennial Cybersecurity Project is to provide insights into millennial behaviors and possible tools for behavior modification so as to better inform awareness training practices, improve millennial adherence to cybersecurity policies, and reduce risky behaviors in cyberspace.

Background

Born after 1980 and the first generation to come of age in the new millennium, millennials are the first "always connected" generation [1, 2, 22]. Growing up in the age of digital technology and social media, they treat their multi-tasking hand-held gadgets like a body part. For millennials, technology provides a new ecosystem for their social lives that increasingly merges with their work lives. Technology-mediated messaging, from emails to product advertisements, is becoming the dominant mode of communication with this generation. At the same time millennials have a greater degree of trust in the virtual world that is not shared by older generations, especially the baby boomers. For many millennials, this increasing trust

¹ The URL address for the website is:

of technology and feelings of security in the virtual world have led to a dissolution of conventional boundaries between private and public and a tendency to overlook risks associated with technology use [10, 11].

New cyber threats resulting from risky behaviors by millennials are the result of the convergence of three trends. First, the millennials' workplace is no longer defined by the four walls of their organization. Rather, millennials make less of a distinction between work and play, working on the road, at home, and even on vacation. Second, technology has moved from hard-wired systems to wireless mobile technologies including smartphones, notebooks, and iPads (among others) for work-related tasks. In addition, collaboration is the dominant mode of work and play using social networking, online chats, and other technologies. These factors, combined with millennials' indiscriminate use of these technologies, expose businesses to new and greater vulnerabilities. Several points can be made:

1. Lack of Awareness of Organizational Cybersecurity Policies

In a 2010 survey of millennials by Accenture, only 40 percent reported that their employers have published detailed policies related to posting work or client information on public web sites. Further, only 34 percent of millennials said they were aware of their company's cybersecurity policy. Approximately 31 percent of millennials said they don't know if their company has such a policy, 17 percent said their employer hasn't published such a policy, 6 percent said that whatever policy their company has published is too complex to understand, and 6 percent said they will post work or client information on public sites regardless of any policy, at least when communicating with colleagues [2].

2. Limited Adherence to Organizational Cybersecurity Policies

Studies have also shown that millennials routinely bypass corporate approvals and policies when using various devices and technologies. Equal numbers of millennials report that they have accessed online collaborative tools (75 percent) and online applications (71 percent) from free public websites when those technologies were not available at work or not meeting their expectation. Approximately 45 percent of millennials use social networking web sites at work, regardless of whether their organization or company prohibits their use [20].

3. Need for New Approaches that Build Awareness of Risky Cyber Behaviors

Organizations from the White House² and large multinationals to SMEs and non-profit organizations are searching for strategies to accommodate millennial attitudes toward technology and cybersecurity, and to reconcile these attitudes with the need for enterprise security, data privacy, and regulatory compliance [4, 6, 12, 13, 16, 21, 27]. The university, and in particular the Kenan-Flagler Business School, offers an excellent microcosm of the millennial

² In October 2011, the White House held many events and activities along with federal, state, and local government, the private sector, and international partners as part of National Cybersecurity Month.

generation. Kenan-Flagler students will become employers and managers in a range of companies and industries. These students can be expected to be aware of organizational perspectives towards cybersecurity, yet many demonstrate many of the risky generational behaviors that create vulnerabilities in an organization's cyber environment.

Risky behavior permeates almost all human activity. When asked to compare the level of risk between various alternatives, evidence shows that people's choices are based on their knowledge of the threat and how they feel about it, i.e. their level of anxiety, concern, or fear. Risk assessment by experts is based on objective information about a threat to a given subject, knowledge of the level of exposure of the subject, and estimation of the probability that the subject will be impacted by the adverse outcome of the threat. To calculate risk, experts utilize measurable norms vetted by other professionals and their representative associations. General public perceptions are commonly subjective and may not match experts' views, being guided by personal experiences, circumstances and, like experts, highly influenced by the standards of their groups of peers. Studies have shown that millennials are risk seekers, e.g. enjoying extreme sports, while older people tend to be risk averse. The challenge for organizations is to turn millennial affinity for technology into new tools to build awareness of cybersecurity vulnerabilities and to modify behavior so as to reduce those vulnerabilities [27].

The contributions of this project are multiple. First, the results of this study confirmed that millennials engage in risky cyber behaviors in the workplace (i.e. university), thereby validating previously self-reported survey results. Further, technology-mediated interventions were shown by experiment to be effective in reducing risky behaviors, suggesting opportunities for new tools for behavior modification in cyberspace. Based on the results of the Millennial Cybersecurity Project, employment screening could be tailored to include measures of risky behavior that eliminate inappropriate employment candidates, or to select candidates whose behaviors are more easily modified within the workplace.

Conceptual Approach

The Millennial Cybersecurity Project explores the premise that the best way to communicate with millennials is to use the language of technology [8, 20, 23, 25]. We address the broad question as to whether digitally encoded and delivered interventions that target risky behaviors by millennials are more effective in reducing risky behavior than traditional classroom approaches that include printed informational materials and even traditional emails. These questions are important since cybersecurity policies today tend to be delivered by baby-boomer managers and professors using methods that may not be as effective communication vehicles for millennials. Our conceptual model is provided in Figure 1. The model suggests that each millennial

can be associated with a baseline level of awareness of and adherence to organizational policies about cybersecurity, and that this awareness is associated with a set of baseline behaviors. Our premise is that an intervention, delivered digitally and in real time, can raise the awareness of and adherence to best practice policies regarding cyber behavior and thereby reduce future risky behaviors in cyberspace concerning password generation and phishing emails.

Figure 1. Millennial Cybersecurity Project Conceptual Model

We explore three specific modes of technology-mediated interaction with millennials to reduce risky behavior. These interactions are combined to create customized interventions associated with password and phishing behavior. The three digital interactions are:

1) Avatars and Digital (Self) Representations. The effectiveness of avatars and other digital (self) representation technologies has been the focus of a new stream of research to modify personal behavior [5, 18]. In virtual environments an avatar is defined as a perceptible digital representation whose behaviors reflect those executed, typically in real time, by a specific human being [3]. The theory is that in the anonymity of the online environment, people are de-individuated and will adhere to a new identity that is inferred from avatars, in many cases from their own avatars. The phenomenon in which people infer their expected behaviors and attitudes from observing their avatar's appearance is known as the Proteus Effect, after the Greek god who could change shape. This phenomenon, first described by researchers at Stanford University, occurs when a subject transfers expectations or understanding of their avatar's behavior to their own real-world behavior [29] and has been documented in experiments elsewhere [7, 14, 19, 26, 29, 30].

2) Digital Messaging. The emergence of the digital environment and new technologies for interpersonal interactions within that environment has changed how people

communicate with one another: not only the way they shape information into messages but also the frequency of communications and the mode of communication according to device. We refer to digital messaging as a (usually) short communication transmitted by words, signals, or other graphical means from one person or group to another in a digital format that can include graphical representations of concepts and ideas. The digital messaging trend among millennials is towards shorter, more frequent, and more interactive communications where the messages can be parsed quickly and easily. In the digital world, an emphasis on short and simple is increasingly dictated by the device: long texts are reduced to phrases and graphics to convey both factual information and emotion. Tweets, for example, cannot exceed 140 characters. And millennials are frequent users of emoticons, the abbreviated smiley and other faces by which they alert a responder to the tenor or temper of a statement.

3) Real-Time Performance Feedback. Modification of personal behavior through feedback of performance is well-documented in the academic literature and, while there are exceptions, most studies confirm a positive relationship between feedback and improved performance. In the typical classroom, for example, personal feedback from the teacher or professor has been shown to reduce disruptive behavior in elementary school children and improve academic performance, respectively. New digital technologies have broadened the potential for online feedback as a tool for enhanced learning, and real-time feedback of performance has been explored in a number of domains from athletics [15] to business [17] to medicine [24].

The Millennial Cybersecurity Project addresses three research questions, each of which is discussed in the pages which follow:

1) Our model suggests that each millennial can be associated with a baseline level of awareness of and adherence to an organization's policies about cybersecurity. Specifically, how aware are millennials at the Kenan-Flagler Business School of university policies regarding cybersecurity and what is their self-reported level of behavior regarding these policies?

2) While there have been many studies of millennials as to their behaviors and attitudes toward cybersecurity [1, 2, 22], there have been few that validate these self-reports with empirical evidence of risky behaviors. Specifically, what are the baseline cybersecurity behaviors of Kenan-Flagler millennials regarding password generation and phishing emails and do they align with self-reported behaviors?

3) The success of approaches to modify risky behavior in cyberspace depends on how and whether the information is encoded and delivered (i.e. "messaged") in a digital format that is more aligned with how millennials consume and create information. Specifically, can risky behavior regarding password generation and phishing emails by Kenan-Flagler millennials be reduced by interventions that are delivered online and in

real time and that include one or more of the above technology-mediated digital interactions?

Methods and Results

Experiment 1: Understanding Millennial Attitudes about Cybersecurity

To establish the level of awareness about cybersecurity threats and behaviors of UNC's Kenan-Flagler millennial students, a baseline survey was used to gather data about students' attitudes toward UNC's Information Security Policies and cybersecurity in general. The surveys collected three categories of question: 1) descriptive information about the respondent; 2) self-reported conformance with seven UNC cybersecurity policies shown in Table 1; and 3) self-reported problems resulting from potentially risky behavior in cyberspace. Surveys were collected during three different student events in August 2011 shown below:

Kenan-Flagler BSBA Orientation. Full day orientation event for incoming BSBA junior students to the Kenan-Flagler Business School on August 20,
Kenan-Flagler MBA Welcome Reception. Welcome Reception for incoming MBA students and Master of Accounting students to the Kenan-Flagler Business School on August 23,
Kenan-Flagler ITS Laptop Cleanup Day. Bimonthly event on August 25, 2011 where all Kenan-Flagler students learn about cybersecurity.

Table 1. UNC Cybersecurity Policies³
Collection Method: Online; Online; Daemon; Daemon; Daemon
UNC Policy: Phishing links/attachment; Phishing for personal info; Social Engineering; Password generation; OS critical updates; Antivirus updates; Firewall status

A total of 189 anonymous surveys were collected, of which 134 were from millennials and 49 from non-millennial students and staff.⁴ The baseline survey showed that UNC millennials: 1) lack a comprehensive and consistent methodology for password usage; 2) have difficulty identifying emails with social engineering attacks such as phishing and scam emails; and 3) show a general lack of awareness of certain best practices necessary to assure a safe experience in cyberspace. Figure 2 shows the reported frequency by gender and age group of

³ The initial project scope included all seven policies. However, based on limitations at UNC regarding privacy and the loading of daemon software on students' laptops, the revised scope includes only the first four policy categories (phishing emails and password generation/social engineering).
⁴ Six participants did not provide their age group and were excluded from the sample.

selected risky behaviors and behaviors related to password usage. Figure 3 illustrates the distribution by gender of 1) self-reported cybersecurity behaviors related to UNC policies, and 2) self-reported negative experiences related to risky behaviors.

Figure 2. Distribution of Some Risky Cyber Behaviors by Age Group and Gender

Figure 3. Cybersecurity Behaviors and Experiences Self-Reported on Surveys

Specific observations include:

Policies Regarding Firewalls, Antivirus, and OS Updates. Survey results indicate that a majority of millennials comply with UNC policies regarding Firewalls, Antivirus, and OS Updates but that there are some differences between genders for some behaviors:

a) Majority report use of antivirus and automatic updates (86% for males and 76% for females);

b) Majority report automatic update of operating system (81% for males and 71% for females). Approximately 40% of males reported also performing manual updates versus only 19% of females.
c) Majority report active firewall in use (74% for males and 57% for females); however, 35% of females didn't know if their computer had a firewall compared with only 15% of males.

Password Behaviors. Millennials reported inconsistent behavior regarding password use, specifically the use of the same password for some computers or systems and different passwords for others. These conflicting behaviors suggest that students may lack awareness of best practices regarding password use across technologies/systems. Females, in particular, may engage in more risky behavior than males when choosing passwords due to lack of awareness of best practices:

a) Approximately 76% of males reported using the same password on some of their computer systems and different passwords on other computers compared with 89% for females;
b) Approximately 36% of males reported using the same password on all their systems compared with 30% reported by females.
c) Approximately 60% of males and females report the use of different passwords in all their systems/technologies.
d) Given the above variability of behaviors regarding password usage, it is not inconsistent that a majority of millennials reported forgetting passwords. Males showed a higher incidence of forgetfulness (62%), compared with only 38% for women.

Problems Due to Risky Behaviors. An unexpectedly large fraction of millennials reported experiencing problems with their computers after engaging in certain online behaviors. Differences were observed between males and females. However, it is not clear whether these differences are due to riskier male behavior or whether males are more knowledgeable than females on this particular issue.

a) Approximately 32% of both males and females experienced problems after visits to unsecure web sites;
b) Approximately 32% of males reported experiencing problems with computer virus attacks against 24% of females.
c) Approximately 28% of males and only 10% of women reported attacks by spyware and malware. These results suggest that millennials may lack a clear understanding of the difference between spyware and malware attacks, since almost exactly the same answers were provided for the questions targeting these two problems.

d) A small number of students reported problems with social engineering websites after providing personal information (9% of males and 6% of females). Even though these are small numbers, they may have significant impact on an organization's vulnerability since a network is only as strong as its weakest link.
e) Approximately equal numbers of males and females reported problems after receiving illegitimate emails, i.e. phishing or scam (21% for females and 17% for males).

The results of the baseline survey indicate that millennials are aware of best practices about how to protect one's system through the use of firewall, antivirus and operating system updates. However, results suggest that millennials are not as knowledgeable regarding the dangers of inadequate password usage or risky practices in cyberspace that can create vulnerabilities, for example phishing emails. Reported behaviors suggest that male millennials are somewhat more knowledgeable than female millennials. However, males also appear to experience more problems due, perhaps, to higher engagement in riskier online behaviors than their female counterparts.

Experiment 2: Determining Baseline Risky Behaviors in Millennials

In Experiment 2 we investigated baseline cybersecurity behaviors regarding phishing emails and password generation, and explored whether these results confirm the self-reported behaviors discussed in the last section. Studies have shown that young people, including millennials, tend to be inaccurate when self-reporting behavior. In addition, this inaccuracy may be exacerbated when there is a negative connotation associated with the behavior reported, as is the case with risky cyber behaviors.

Phishing Behaviors

Description. This experiment compared the ability of millennials and non-millennials to identify phishing emails as fraudulent or legitimate based on the level of sophistication of the phishing technique and the purported sender of the email, and explored which clues were considered in the decision-making process. We explore, first, the premise that observed behavior regarding phishing emails is determined by how skilled millennials are in identifying clues that determine fraudulence. Second, we explore whether the level of ascribed trust in an email sender is directly related to the likelihood that a millennial will open a phishing email. Millennials may perceive potentially fraudulent emails from people and organizations to which they have strong social connections, such as Facebook and LinkedIn, as more trustworthy than similar emails from arm's-length organizations. That is, millennials will tend to overlook clues

of fraudulence and ascribe more trust to an email when it is believed to come from a source such as Facebook or LinkedIn.

Experimental Design. A web-based experiment was designed, developed⁵, and implemented for a sample of more than 100 millennial (undergraduate and MBA) students and staff at the Kenan-Flagler Business School. The purpose of the experiment was to compare the observed behaviors of millennials and non-millennials regarding phishing emails (opening the emails, clicking on links and attachments, forwarding to others, and sharing of personal information). The experiment was conducted during the Kenan-Flagler Security Day on February 23, The usable sample was comprised of 56 millennials and 44 non-millennials (52 females and 48 males).

Study participants were shown a sequence of three screens. On the first screen, participants were shown one of eight emails and asked to indicate whether it was fraudulent or legitimate. Once a participant has indicated whether the email is fraudulent or legitimate, he or she is provided with a list of clues representing commonly accepted best practices for identifying legitimate and fraudulent phishing emails. The participant is then asked to indicate which of those clues, if any, helped in the decision process. The lists of clues are provided in Table 3 below. The third screen asked participants for their millennial status (i.e. 17 or under, 18 to 31, older than 31) and gender.

Each email was characterized by one of two levels of trust (financial organization versus social network) and degree of phishing sophistication (obvious clues versus subtle clues). The 2-way experimental design is shown in Table 2 below.

Table 2. Experimental Design for Phishing Experiment

Trust Level | Sender | Obvious Clues | Subtle Clues
LOW TRUST (Financial Organizations) | BANK OF AMERICA | Misspellings, Incorrect Grammar, etc. | Erroneous links, Out-of-date forms, Multiple Recipients, etc.
LOW TRUST (Financial Organizations) | PAYPAL | Misspellings, Incorrect Grammar, etc. | Erroneous links, Out-of-date forms, Multiple Recipients, etc.
HIGH TRUST (Social Networks) | LINKEDIN | Misspellings, Incorrect Grammar, etc. | Erroneous links, Out-of-date forms, Multiple Recipients, etc.
HIGH TRUST (Social Networks) | FACEBOOK | Misspellings, Incorrect Grammar, etc. | Erroneous links, Out-of-date forms, Multiple Recipients, etc.

⁵ Survey instruments designed and implemented using Qualtrics.

Table 3. Lists of Clues for Identifying Phishing Emails

Clues of Legitimate Email | Clues of Phishing Email
Trustworthy sender | Unknown sender
Addressed directly to me | Never dealt with this company
Presence of corporate logo | List of recipients indicates mass email
Presence of security certification padlock | List of recipients seems suspicious
Recognize embedded link addresses | Contains suspicious link
[Correct language] [6] | Too many grammatical/misspelling errors
[Plausible contents] [7] | Suspicious contents resemble known scams

[6] While noticeably incorrect language can serve as a good indicator of a phishing email, correct language is not particularly helpful in determining the legitimacy of a message. Thus, this clue did not appear on the list of clues presented to participants after their decision on the test email's legitimacy.

[7] Similarly, while suspicious contents should raise concerns about an email's legitimacy, plausible contents per se are not a clear sign of an email's authenticity. For this reason, this clue was omitted from the list shown to participants.

Results. We first comment on results for the entire sample of millennials and non-millennials based on results in Table 4. A broad inability to identify phishing emails was observed. Only 68% of the sample correctly identified emails as phishing, against 32% who incorrectly indicated phishing emails were legitimate. Emails from financial organizations were correctly identified with slightly more skill (52%) than emails from social networks (48%).

Table 4. Results of Phishing Experiment Stratified by Sender Type

Trust Level | Sender | Correct Answers (%) | Incorrect Answers (%) | Total
LOW TRUST (Financial Organizations) | BANK OF AMERICA | | |
LOW TRUST (Financial Organizations) | PAYPAL | | |
HIGH TRUST (Social Networks) | FACEBOOK | | |
HIGH TRUST (Social Networks) | LINKEDIN | | |
TOTAL | | | |

The stratification of the results by gender and sender type, shown in Table 5, indicates that of those participants correctly identifying phishing emails, females (62%) were moderately better than males (38%) if the sender was a financial organization. Since the Kenan-Flagler

staff is mostly female and they work on administrative tasks related to financial documentation, these results may be skewed by their knowledge of standard norms for financial communications. Males did comparatively better discerning social networking phishing emails (58%) than females (42%).

Table 5. Results of Phishing Experiment Stratified by Gender and Sender Type

Gender | Sender Type | Correct Answers (%) | Incorrect Answers (%) | Totals
FEMALE | Financial Organization | | |
FEMALE | Social Network | | |
MALE | Financial Organization | | |
MALE | Social Network | | |
TOTAL | | | |

Participants relied on a range of clues to correctly identify phishing emails as fraudulent or legitimate, as shown in Figure 4. Overall, 158 clues, or reasons, were selected by participants from the lists in Table 3 above. Interestingly, the top two reasons cited in deciding that an email was a fake were related to recognition and/or trust of the sender and any embedded links. This seems to indicate that if people are better trained in recognizing unsafe links and learn to trust messages from unknown sources less, then their ability to identify phishing emails may improve significantly.

Figure 4. Distribution of Clues Selected By Participants For Phishing Decision

When only millennials were included in the sample, the results were similar to the results for the sample as a whole (i.e. both millennials and non-millennials). As shown in Table 6, for the 66 millennials in the sample, nearly 70% correctly identified phishing emails as either legitimate or fraudulent. The identification of the sender (financial organization or social networking site) did not appear to affect the ability of millennials to identify phishing emails.

Table 6. Results of Phishing Experiment Stratified by Sender Type (Millennials)

Sender Type | Sender | Correct Answers (%) | Incorrect Answers (%) | Totals (%)
LOW TRUST (Financial Organization) | BANK OF AMERICA | 17% | 6% | 23%
LOW TRUST (Financial Organization) | PAYPAL | 17% | 11% | 27%
HIGH TRUST (Social Network) | FACEBOOK | 21% | 6% | 27%
HIGH TRUST (Social Network) | LINKEDIN | 14% | 9% | 23%
TOTAL | | 69% | 31% | 100%

Figure 5. Distribution of Clues Selected By Millennials For Phishing Decision

Participants relied on a range of clues to correctly identify phishing emails. The results shown in Figure 5 indicate that, while the overall range of reasons cited for correctly identifying phishing emails is comparable to that of the entire sample, the most frequently cited reason for

incorrectly identifying a phishing email as legitimate does not follow the same pattern. For millennials, the presence of the corporate logo on the email was the most frequently cited reason (29%) millennials incorrectly identified an email as legitimate; trustworthy sender was the second most cited reason (26%). This choice should not come as a surprise since the millennials participating in this study are all business students and staff from UNC's Kenan-Flagler Business School. This finding reinforces that trust is a crucial factor governing people's judgment in cyberspace and indicates that behavior modification based on trust should be differentiated based on the target group profile.

Password Generation Behaviors

Description. A second online experiment was designed, developed [8], and implemented to determine a baseline of observed behaviors regarding password generation (password length, complexity, memorability, customization, and re-use on different systems). The experiment assessed participants' ability to create new passwords during online visits to two websites, one a UNC web site and the other a retail website. This password generation baseline experiment consisted of 112 millennial (undergraduate, MBA, and MAC) students and non-millennial staff at the Kenan-Flagler Business School.

Results. Results were analyzed with respect to password length, complexity, and repeated use of the same string in both passwords, including entering the same password twice.

a. Password Length Results

The mandatory minimal password length for all users of the Kenan-Flagler computer network is 8 characters. Therefore, it was expected that, due to habit, the millennials would have passwords 8 or more characters long. Thus, it was not surprising that the mean length computed for both Password 1 and Password 2 was 10 characters.
Figure 6 provides the distribution of the length of Password 1 and Password 2, which serves as the baseline for our subsequent experiment on modification of risky password behavior. Note that a few outliers appear in this distribution, i.e. passwords more than 15 characters long. Although very long passwords are useful for high security systems, i.e. common practice for router passwords is 26 characters long, it is not clear why a student would use such a long password for this experiment, except for beating the system and to receive the maximum score.

[8] Customized software and website were developed in-house using Java and PHP technologies.

b. Password Complexity Results

Besides mandating passwords at least 8 characters long, Kenan-Flagler passwords must meet the standard minimum requirements for traditional passwords and contain at least one of each of these sets of characters: lowercase letters, uppercase letters, digits, and special symbols. The strength of a password can be measured based on the combination of use of

these characters by a password meter algorithm. A password meter takes into account not only which types of characters are used to form a password, but also the sequence in which they appear and the length of the password to compute a password complexity score, a measure of the password's strength. Following the minimum guidelines does not provide a guarantee that the password generated will have a high complexity score but ensures a certain level of protection. It was interesting to verify whether participants' password complexity behavior would be influenced by the practices mandated by UNC, as had happened for the password length behavior, and whether these practices would help them generate passwords with high complexity scores.

Figure 6. Distribution of Baseline Password Length Behavior (series: Password 1, Password 2; axes: Password Length, Frequency Count)

The distribution of the complexity scores for the baseline Password 1 and Password 2 is presented in Figure 7. The mean computed for the password complexity scores obtained in this experiment was 60, which serves as the breakpoint between a good and strong password on the password meter program used in this experiment. Overall, the baseline distribution shows that password complexity behavior for a large number of Kenan-Flagler millennials is acceptable.

c. Password Repeated Use Results

To better protect an individual's multiple computer accounts and to avoid compromising all accounts simultaneously, security experts recommend that users generate different passwords for different systems. This is one of the UNC information security policies considered in this study. Risky behavior associated with repeated use of a single password in more than one system was tested by comparing Password 1 and Password 2. We found that 36 students, or 32% of the sample, entered the same password for the two different websites they were shown.
All those who did not repeat the password were millennials, of which two-thirds were males and one-third were female. Regarding affiliation, 61% of those who

repeated passwords were MBA students, 19% BSBA students, 6% MAC students, 8% indicated no affiliation to Kenan-Flagler, and 6% were staff.

Figure 7. Distribution of Baseline Password Complexity Behavior (series: Password 1, Password 2; axes: Password Complexity Score, Frequency Count)

Experiment 3: Modifying Risky Behavior in Millennials

In Experiment 3 we explore the effectiveness of digitally-mediated interventions in modifying risky behavior by millennials regarding password generation and phishing emails. For each behavior an intervention was designed that fuses digital messaging of a strategy, to include the use of an avatar for personalized delivery as appropriate, and feedback to the millennial about the riskiness of his or her observed behaviors.

Modifying Risky Behavior in Phishing Emails

Description. An intervention experiment was designed, developed [9], and implemented to test millennial ability to recognize phishing emails and to improve their behavior appropriately (do not open the email, do not open any attachments, do not send any personal information). The goal of the intervention was to modify risky behavior by reinforcing a safe strategy for recognizing and handling phishing emails from suspicious sources. As shown in Figure 8, the phishing strategy is comprised of a set of features or clues and appropriate actions to take if the email is suspected to be phishing, accompanied by an avatar to personalize the messaging.

[9] Surveys were developed in Qualtrics.

Figure 8. Example of Avatar-Based Phishing Strategy

Actions correspond to accepted best possible practices. For example, some clues (fishy subject, suspicious sender, etc.) should be examined before opening an email; others can be examined only after opening the email (suspicious links, etc.). The intervention consists of a personalized reinforcement for correct responses and personalized remedial reinforcement for incorrect responses; in each case the intervention is accompanied by messaging of the phishing strategy. Reinforcement emails are personalized according to the behavior of the millennial. For example, if the millennial did not open the phishing email, a positive reinforcement email for correct behavior was sent; if the millennial opened the phishing email and clicked on a bad link, a reinforcement email for incorrect behavior was sent alerting the millennial that he or she had been observed opening a phishing email and clicking on a suspicious link. Examples of reinforcement emails for correct and incorrect behavior are provided in Figure 9. The reinforcement email at the top of Figure 9 was sent to a millennial who incorrectly opened a phishing email and clicked on a link; the reinforcement email in the middle was sent to a millennial who opened the phishing email but did not click on the bad link; the reinforcement email at the bottom was sent to a millennial who neither opened nor clicked.

Experimental Design. This 2-way experiment explored whether millennials are more likely to open phishing emails from senders with a higher trust level and whether they can discern a sophisticated phishing email with subtle clues such as erroneous links, out-of-date forms, and suspicious attachments from phishing emails with obvious clues such as misspellings, requests for personal information, multiple recipients, and incorrect grammar. We were also interested in knowing whether millennials are more inclined to overlook clues if the email appears to come from a high-trust sender.
For example, a low-trust sender would be an organization that does not have any personal connection to the millennial and may not even be an organization that is familiar to the individual. Examples might be a recognized scam-type email from a source in Nigeria or some other source of dubious heritage. A high-trust email would appear to come from a sender with whom the recipient is familiar or with whom the recipient has exchanged emails in the past. Examples might be Facebook, LinkedIn, or even UNC. Table 7 provides an overview of the experimental design and the types of emails according to trust level. Over the course of three weeks, students were sent a series of six phishing emails, two for each of three levels of trust. Emails contained several types of clues as to whether they were indeed phishing emails, as described above. In addition, to test response to social engineering attacks, some emails requested that students provide personal information in return for a service, reward, information, etc. Sample emails for low, medium and high trust are provided in Appendix A to this document.

Figure 9. Example of Avatar Positive Reinforcement

Table 7. Experimental Design for Phishing Experiment

Trust Level | Email Delivery Order | Email Sender and Description | Intervention Group | Control Group
LOW TRUST | 1 | NACHA The Electronic Payments Association | Intervention and Reinforcement | No
LOW TRUST | 2 | American Bankers Association (ABA) | Intervention and Reinforcement | No
MEDIUM TRUST | 3 | NC QUICK PASS | Intervention and Reinforcement | No
MEDIUM TRUST | 4 | Free Tickets from Chapel Hill Cinema Grill | Intervention and Reinforcement | No
HIGH TRUST | 5 | Triangle Carolina Mornings | No | No
HIGH TRUST | 6 | Free Tickets from UNC Athletics Association | |

The experiment included a control group and an intervention group. The control group received a text describing the standard policies regarding acceptable online behavior from the Kenan-Flagler IT department, but did not receive any messaging of the phishing strategy or any personalized avatar-based reinforcement interventions in response to their behavior. The second group received reinforcement interventions as described above and shown in Figure 9, as well as an avatar-delivered strategy message as shown in Figure 8. The reinforcement was personalized to their observed level of performance. People that did not open a phishing email were given positive reinforcement congratulating them on correct behavior, while people who opened a phishing email were alerted to their incorrect behavior.

Results. Table 8 summarizes the results of intervention on observed phishing behavior during the first 24 hours after the test phishing emails were sent. Student responses were automatically tracked through subscription to a third-party email tracking service. For each phishing email, Table 8 reports several metrics (i.e. number of times the email was read, whether it was forwarded to others, whether links or attachments were clicked, and whether unsolicited and solicited replies were sent from students). A total of 63 millennials participated in this experiment, divided between the intervention group that received interventions and the control group that received no intervention.

Table 8. Results of Phishing Experiment (First 24 Hours after Delivery)

LOW TRUST

FIRST EXPERIMENT: NACHA The Electronic Payments Association
Metric | Intervention Group | Control Group
Read | 78.6% | 67.3%
Forwarded | 28.6% | 28.6%
Clicked link1 | 50.0% | 34.7%
Clicked link2 | 28.6% | 12.2%
Unsolicited email | 7.1% | 4.1%
Tracking Statistics: # emails read 120; # forwarded 22; # links clicked 71; # unsolicited emails 4

SECOND EXPERIMENT: American Bankers Association (ABA)
Metric | Intervention Group | Control Group
Read | 50% | 38.8%
Forwarded | 0% | 6.1%
Clicked link1 | 0% | 0%
Clicked link2 | 0% | 0%
Solicited email back | 0% | 0%
Tracking Statistics: # emails read 33; # forwarded 3; # links clicked 0; # emailed back 0

MEDIUM TRUST

THIRD EXPERIMENT: NC QUICK PASS
Metric | Intervention Group | Control Group
Read | 28.6% | 61.2%
Forwarded | 0% | 12.2%
Clicked link1 | 0% | 0%
Clicked link2 | 0% | 6.1%
Clicked attachment | 0% | 20.4%
Unsolicited email | 0% | 0%
Tracking Statistics: # emails read 61; # forwarded 6; # links clicked 3; # clicked attachment 10; # unsolicited emails 0

FOURTH EXPERIMENT: Chapel Hill Cinema Grill
Metric | Intervention Group | Control Group
Read | 28.6% | 55.1%
Forwarded | 7.1% | 6.1%
Solicited email back | 0% | 2.0%
Tracking Statistics: # emails read 46; # forwarded 4; # solicited email back

HIGH TRUST

FIFTH EXPERIMENT: Triangle Carolina Mornings
Metric | Intervention Group | Control Group
Read | 57.1% | 51.0%
Forwarded | 14.3% | 2.0%
Clicked link1 | 7.1% | 0%
Clicked link2 | 7.1% | 4.1%
Clicked attachment | 14.3% | 0%
Unsolicited email | 7.1% | 0%
Tracking Statistics: # emails read 60; # forwarded 3; # links clicked 6; # clicked attachment 2; # unsolicited emails 1

SIXTH EXPERIMENT: UNC Athletics Department
Metric | Intervention Group | Control Group
Read | 78.6% | 75.5%
Forwarded | 78.6% 28.6% | 16.3%
Clicked link | 0% | 6.1%
Clicked attachment | 0% | 10.2%
Solicited email back | 0% | 6.1%
Tracking Statistics: # emails read 107; # forwarded 12; # links clicked 5; # clicked attachment 5; # emailed back

Initial inspection of the results suggests that the intervention had a quantitative and positive effect in modifying millennials' behavior upon receiving phishing emails. The rate at which each of the phishing emails was opened for both the intervention and control groups is shown in Figure 10. The read rate is computed as the number of times the phishing email was opened/read by each group during the first 24 hours after each email was delivered. To better understand the observed behaviors, we focus on three behaviors corresponding to low, medium and high trust behavior indicated by the arrows in Figure 10:

Figure 10. Experimental Results of Intervention for Phishing Behavior

[10] We assume that the sender is not well known by millennials because, although NACHA is a real organization, it is fairly obscure to the general public.

a. Low-Trust Phishing Emails

An overwhelmingly large and worrisome fraction of both the intervention (80%) and control groups (70%) opened and read the first phishing email from NACHA The Electronic Payments Association, an assumedly unknown sender [10]. The email, which reported a problem with a recent payment, contained a number of clues that should have alerted millennials that it was a fake. Once open, millennials recognized the email as phishing when they repeatedly received a SERVER NOT FOUND error message after clicking on links embedded in the email. Many millennials contacted Kenan-Flagler IT HelpDesk staff with questions about phishing and virus infection, and requests for computer clean-up. The large response to the email was unanticipated, as was the response in alerting IT. The IT staff was

instructed to play along and not to disclose that this was part of an experiment. They provided feedback to students' enquiries following standard departmental procedures. Several millennials replied to the phishing email asking for further information regarding their rejected transaction. Although the Millennial Cybersecurity Project was heavily publicized to Kenan-Flagler students, staff, and faculty during the campaign to solicit volunteers, among all 63 participants of this experiment only one millennial speculated that this first phishing email was part of the study and contacted IT Helpdesk to confirm this hypothesis.

An intervention consisting of a reinforcement email encoding the safe phishing strategy and a personalized message was sent to the intervention group 24 hours after the phishing email was delivered and before the delivery of the second phishing email from the American Bankers Association (ABA). Although no intervention was sent to the control group, we observed a pronounced reduction (almost 30% for both groups) in the number of instances in which the second phishing email was opened and read, as well as a sharp drop in other risky behaviors. We hypothesize that more than one factor may have contributed to this observation. First, the control group may have reduced their risky behavior due to the fact that this email repeated the financial theme of the first email. This may have increased the suspicions of millennials, who then decided not to open or explore the email further. Second, as can be seen in the example emails provided in Appendix A, this phishing email is distinguished from the first in that it contains a request for personal information from the recipient, a well-known giveaway of scams. Third, members of the control group who contacted IT Help Desk after the first phishing email were reminded of best practices and may have acted more cautiously immediately afterward.

b. Medium-Trust Phishing Emails

The positive impact of the intervention in reducing risky behavior can be discerned more clearly for the medium-trust emails. The third phishing email is from NC Quick Pass, a prepaid account used for all (unmanned) electronic toll collection in North Carolina. Services are fairly new, having started only last year. A strong state-wide advertisement campaign was launched to inform the public about the program and required procedures for enrollment. All registered drivers in the state, which include a large number of millennials in this study, can therefore be assumed to have some knowledge and interest in learning which roads are now subject to a toll fee collection. Thus, the response to this phishing email was expected to be higher than that of the low-trust emails for the control group. If the intervention was effective we would expect that the intervention group would exhibit less risky behavior. This expectation was confirmed by the data; the increase in risky behavior occurred for the control group but not for the intervention group. Specifically, the number of emails read by the control group increased from 39% for the ABA email to 61% for the NC Quick Pass one, while the number of emails read by the intervention group decreased from 50% for the ABA email to 29% for the NC Quick Pass email. These opposing trends are seen as positive support that intervention and reinforcement feedback are able to modify risky phishing behavior through raised

awareness of best practices. While some millennials in the intervention group still opened the phishing email, none clicked on the embedded link or attachment. Besides opening the email, 20% of the control group still missed the clues and clicked on the invoice attached, while 6% clicked on a (suspicious) link to access the NC Quick Pass website.

Low read rates persisted when the two groups were sent the fourth email from Chapel Hill Cinema Grill. This email tried to persuade millennials to provide personal information, promising free movie tickets to a (fictitious) local theater. A company logo was also added to the message since results from Experiment 2 suggested that logos strengthen millennials' level of trust and appeal to their preference for visually appealing symbols. Results showed the same trend as the previous email. The intervention group read only 29% of emails while the control group read 55% of the emails. One millennial from the control group provided the sender with the requested personal information (c.f. mailing address and UNC class in order to receive the promised free tickets).

c. High-Trust Phishing Emails

The high-trust emails were designed to further test whether interventions are effective in reducing risky behaviors for emails from high-trust senders. The fifth email from fictitious sender Triangle Carolina Mornings was designed to elicit high trust among millennial students at UNC because it described a Kenan-Flagler student club. Recall that, in Experiment 2, we observed that millennials were inclined to overlook usual clues when they receive an email from a high-trust sender. Consistent with the previous four emails, the intervention group received a reinforcement email and phishing strategy message 24 hours after the initial delivery of the phishing email and prior to the delivery of the fifth phishing email. Results indicated that intervention was only partially successful in preventing millennials from opening the phishing email.
Among the intervention group, especially, the clues with which millennials had identified phishing emails in previous tests were overlooked. The number of students from the intervention group who opened the email increased from 29% on the Cinema Grill email to 57%, while the no intervention group slipped from 55% to 51%. These results are attributed to the level of high trust associated with this phishing email (c.f. as shown in the example provided in Appendix A, the phishing email's subject line read Kenan-Flagler Networking Event, which appealed to new students who had just arrived at the Business School for the summer session). Again, one millennial sent an unsolicited reply to the sender reporting an error when trying to open the attached Meeting Agenda and requesting a new copy.

The sixth and last high-trust email was sent to millennials without any prior reinforcement. The phishing email from UNC Athletics Department included the possibility of receiving free tickets to UNC games, a credible and highly desired situation by millennials. We anticipated that this would present millennials with an irresistible offer and attract a large number of participants into opening the email and providing the personal information requested. Of the

intervention group, the number opening the email increased from 57% to 79%. Of the control group, the number opening the email also increased from 51% to 76%. The results obtained were not surprising, given the attractiveness of the email, but still interesting. In addition, 6% of the control group attempted to click on embedded links, 10% attempted to click on the attachment, and 6% emailed back for tickets, while the intervention group presented none of these risky behaviors. Three millennials in the control group replied to the request for personal information while none replied in the intervention group.

We draw the following preliminary conclusions from the results observed on the risky phishing behavior illustrated by Figure 7:

1) The level of trust of the sender of the email, as evident from the sender's address and the subject of the email, is a determining factor in millennials' decision to open a phishing email;
2) There appears to be a limit on the effectiveness of the intervention (reinforcement and messaging of strategy with avatars) in modifying risky cybersecurity behaviors;
3) Although limited, the results show that the combined use of a strategy and avatars had a positive impact which seemed to have some persistent results;
4) The results are sufficiently positive to warrant a larger study aimed at verifying whether the intervention can be improved and whether it would be as effective with other millennials, i.e. non-business students.

Modifying Risky Behaviors in Password Creation and Use

Description. An online experiment was designed, developed and implemented to compare the effectiveness of different interventions in modifying behaviors relative to the creation of passwords and their use by millennials. UNC millennials know the basics of generating a complex password but the large majority do not know strategies for creating passwords that are easy to remember and strong (i.e. difficult to crack), and that can be customized for multiple sites.
This leads to risky behaviors such as writing down the passwords on paper or choosing simple passwords and/or using the same password for multiple sites. The goal of the experiment was to test millennials' ability to generate passwords that are difficult to crack and to develop a strategy for creating multiple passwords for multiple uses that are both easy to remember and difficult to crack. There are best practice standards for password length and complexity, but use pattern and memorability are intertwined parameters that are more difficult to standardize. Experts agree that using the same password everywhere is risky because, even if that is a very strong password (long and complex), if it is cracked the information it guards will be exposed on all systems at once. On the other hand, using different passwords everywhere which are lengthy and complex may produce a less memorable password and lead to the adoption of risky

behaviors, such as writing it down to avoid forgetting it. Table 9 summarizes risky versus best practices standards for these four parameters that are key elements of creating a strong password.

Table 9. Risky vs. Best Practices Behaviors for Password Creation and Use

PARAMETER | RISKY PRACTICES | BEST PRACTICES
Memorability | Lack of customization (hard to remember) | Customized (easy to remember)
Length | Short (<8 characters) | Long (>=8 characters)
Complexity | Simple, easy to crack (<60 score) | Complex, hard to crack (>=60 score)
Use Pattern | Same everywhere | Different everywhere

In this experiment, we develop two interventions: 1) messaging of a safe password strategy; and 2) providing real-time feedback about password generation performance, as described below:

a) Intervention 1: Real-Time Feedback. Intervention 1 comprises reinforcement messaging that contains real-time feedback about the millennial's password generation performance. Millennials are provided with the complexity scores for the passwords they generated in a tabular format. These scores are not accompanied by a reinforcement message from an avatar. No information about password strategy is provided. Millennials try to improve their scores without clear guidelines as to best practices. An example of Intervention 1 is provided in Figure 11.

b) Intervention 2: Real-Time Feedback + Password Strategy Messaging + Avatar. Intervention 2 comprises a message that contains real-time performance feedback and a strategy for improving password skill. This performance feedback is accompanied by a reinforcement message from an avatar of a hacker. An example of a performance feedback message for Intervention 2 is provided in Figure 12. A strategy is based on the concept of a paraphrase, which has the quality of being easier to remember than traditional (random) passwords. A paraphrase consists of the first letter of each word in a phrase, song, poem, or sentence.
When choosing a paraphrase a person should make sure to select some phrase that can be easily remembered but not easily associated with them by other people. For example, one should not select as their paraphrase their favorite saying which hangs on a plaque above their desk. Paraphrases should still meet the requirements for traditional passwords, including being 8 to 26 characters in length and including at least one

character of at least three of the following sets: lowercase letters: a-z, uppercase letters: A-Z, digits: 0-9, and special symbols: ?., _ - % + = $!.

As shown in Figure 13, the strategy developed for this experiment entails the following four steps: 1) choose a password base (c.f. the first line of a memorable song); 2) make it longer (c.f. add the next line or repeat); 3) make it more complex (c.f. add numbers and special characters); and 4) customize for different sites. This strategy is delivered by an avatar. The use of the cyberwoman and hacker avatars attempts to convey to millennials the subliminal message of good behavior and bad/risky behavior by associating cyberwoman with the password strategy that conforms with the best practices for password creation, while linking the hacker with the feedback message about how risky it is to use weak passwords, as the hacker is actively seeking to find easy passwords to crack. The strategy is delivered in real-time using a sequence of animated screens corresponding to each strategy step. Figure 14 illustrates the animated strategy messaging.

Figure 11. Performance Feedback for Intervention 1

35 Figure 12. Intervention Feedback for Intervention 2 30

36 Figure 13. Example of Password Strategy Messaging with Avatar 31

37 Figure 14. Example of Animated Strategy Messaging 32

Experimental Design. The high-level experimental design is provided in Table 10. The sample included 112 millennials; 54 received Intervention 1 and 58 received Intervention 2. Millennials log on to an experimental web site consisting of a series of screens. The first screen requests demographic information such as age (i.e. 17 or under, 18 to 31, older than 31) and gender. The next two screens ask millennials to provide passwords for each of the web sites shown in Table 10. After creating passwords for the first two websites to determine baseline performance, students are shown an intervention. Password experiments are online so the intervention can be provided on the fly, or instantaneously as the person goes through the experiment. The different groups receive different reinforcement messages. One half of the group received Intervention 1 or real-time performance feedback of complexity scores; the other half received Intervention 2 or real-time reporting of scores delivered by an avatar followed by the strategy messaging.

Table 10. Overview of Experimental Design for Password Experiment

Type Of Experiment

| Phase | Intervention 1 | Intervention 2 |
|---|---|---|
| Demographics Assessment | Log-On; Personal Demographics | Log-On; Personal Demographics |
| Baseline Password Assessment | First Website: UNC Alumni Association; Second Website: ASDA Online Shopping Site | First Website: UNC Alumni Association; Second Website: ASDA Online Shopping Site |
| | Real-Time Performance Feedback | Real-Time Performance Feedback With Strategy+Avatar |
| Password Strategy for Multiple Sites | Third Website: Great Southern Travel Site; Fourth Website: Netflix Movie Site | Third Website: Great Southern Travel Site; Fourth Website: Netflix Movie Site |

Final Reporting of Scores

The Intervention 1 group is shown only the complexity scores computed for their passwords. Besides their complexity scores, the Intervention 2 group receives a customized feedback message delivered by a hacker avatar to motivate the student to make a greater effort to create stronger passwords, as well as the scores for the passwords they submitted. The following several screens deliver the password strategy. After the scores are shown, the password strategy message provides instructions to create a stronger password. The millennials are then asked to provide two more passwords, at the completion of which they are again shown their scores and any improvements are noted. As each password is entered, it is automatically recorded by the system for subsequent analysis according to the dimensions of the strategy (i.e. length, complexity, repetition of strings). A sample sequence of screen shots as seen by the millennials is provided in Appendix B.

Results. Results with respect to password length, complexity, and repeated use of the same password during the experiment are analyzed next.

a. Password Length

Both types of intervention improved millennials' password length, with the strategy+avatar intervention resulting in significantly more students with improved scores. A straightforward way to measure password length improvement is to compare the average length of pre-intervention passwords 1 and 2 against the average length of post-intervention passwords 3 and 4. Using this approach, a student is considered to have improved his/her behavior performance with respect to password length, after being shown the intervention, if the average length of passwords 3 and 4 is greater than the average length of passwords 1 and 2. We found that 75% of the students in the Intervention 2 group (those whose feedback/reinforcement message contained the strategy with avatars) improved their password length, against only 46% of the students in the Intervention 1 group (those who only received password complexity scoring). By the same token, a student's behavior performance regarding password length is considered worse if the average length of the post-intervention passwords 3 and 4 is smaller than the average length of the pre-intervention passwords 1 and 2. We found that only 17% of students in the Intervention 2 group showed a worse behavior, against 33% of the Intervention 1 group. Some millennials recorded no change. In the Intervention 1 group, 21% of the students fall under this category, versus only 8% of students in the Intervention 2 group. Overall, the Intervention 2 group showed a moderate improvement regarding password length when compared to the Intervention 1 group, as shown in Figure 15.

b. Password Complexity

Both types of intervention improved millennials' complexity scores. A student's performance is defined as having improved with respect to password complexity if the average of the complexity scores of post-intervention passwords 3 and 4 is greater than the average of the complexity scores for pre-intervention passwords 1 and 2. Post-reinforcement improvement for password complexity computed for the Intervention 2 group was 59%, while that of the Intervention 1 group was 54%. The password complexity behavior of 39% of the students in the Intervention 1 group worsened, compared with 34% of students in the Intervention 2 group. No behavioral change was registered for 7% of the students in either group. These findings are summarized in Figure

Figure 15. Post-Intervention Password Length Improvement By Group

Figure 16. Post-Intervention Password Complexity Improvement By Group

Both interventions were equally successful in improving password complexity scores. In this case, the addition of the password strategy and avatar plus score reporting did not significantly outperform simple feedback of complexity scores. Students from both groups received a numerical, and the equivalent categorical, score (as computed by a password meter), and we hypothesize that, given the highly competitive nature of Kenan-Flagler students, the password complexity score was a larger motivating factor in creating a more complex password. This millennial competitive behavior was registered in the data collected when some students, after being shown their scores for the pre-reinforcement passwords they created, went back to these previous screens and entered new passwords. Unbeknownst to them, the software program saved all passwords entered. When we examined the data and noticed this anomaly, we decided to use for analysis purposes only their first attempt for each password and to eliminate the secondary input attempts. Results suggest that providing a numerical score may be enough to influence students to modify their password creation behavior with respect to complexity.

In a deeper analysis of the data, we eliminate those millennials whose average baseline password scores were greater than 60, which is the breakpoint between good and strong password ability based on the algorithm. In this way, we focus only on the less-aware students, those whose poor baseline behavior indicates they have something to learn from the intervention. A score of 60 was also the mean for the complete sample. The distribution of the password complexity behavior improvement in Figure 17 shows the frequency counts of pre- and post-intervention password scores for the complete sample and the reduced sample with scores less than 60. The arrows in the figure highlight the positive (rightward) shift in the complexity score frequencies post-intervention, meaning that the intervention positively affected, i.e. positively modified, students' password complexity behavior. The effects are considerably greater for the reduced sample, reflecting the relatively larger improvement in performance of that group.

Figure 17. Distribution of Individual Password Complexity Score Improvement

We also computed the improvement gain in individual password complexity scores after the intervention by subtracting, for each individual student, the average of the pre-intervention passwords 1 and 2 from the average of post-intervention passwords 3 and 4. The results, depicted in Figure 18, show the improvement gains achieved by the reduced sample (students who had a pre-intervention password average of less than 60) versus the improvement obtained by the complete sample. The gain can be seen in the rightward shift of the most frequently observed improvement gains.

Figure 18. Distribution of Password Complexity Score Improvement (y-axis: Frequency Count; x-axis: Password Complexity Improvement; series: Reduced Sample, Whole Sample)

A comparison of the distribution of pre-intervention versus post-intervention password complexity scores by intervention group is shown in Figure 19. Overall, improvement results for each intervention group were positive but show different effects. There was a pronounced positive shift in password complexity score behavior for Intervention 1, which peaked at 65, a little above the sample mean of 60. The peak for Intervention 2 occurs at 77, suggesting that Intervention 2 (with the strategy and avatars) had a more positive effect in the modification of password complexity behavior.

Figure 19. Comparison of Pre-Intervention and Post-Intervention Password Complexity Scores By Group
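The measurement rules described in this section (the password requirements, the first-letter password base, and the comparison of the average of passwords 1 and 2 against the average of passwords 3 and 4) are sketched below as an added example; it is not part of the original report or of the project's experiment software. The sample phrase, passwords and complexity scores are constructed, all function names are hypothetical, and complexity scores are taken as inputs from an external meter because the report does not describe its scoring algorithm.

```python
"""Added example: scoring a participant's four passwords with the report's rules."""
import string
from statistics import mean

# The four character sets named in the report's password requirements.
CHARACTER_SETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set("?.,_-%+=$!"),
}


def first_letters(phrase):
    """Strategy step 1: the first letter of each word of a memorable phrase."""
    return "".join(word[0] for word in phrase.split())


def meets_requirements(password):
    """8 to 26 characters, drawing on at least three of the four character sets."""
    sets_used = sum(
        1 for chars in CHARACTER_SETS.values() if any(c in chars for c in password)
    )
    return 8 <= len(password) <= 26 and sets_used >= 3


def classify_change(pre_values, post_values):
    """Compare the post-intervention average with the pre-intervention average."""
    pre_avg, post_avg = mean(pre_values), mean(post_values)
    if post_avg > pre_avg:
        return "improved"
    if post_avg < pre_avg:
        return "worse"
    return "no change"


def assess_participant(passwords, scores=None):
    """passwords: four strings in site order (1, 2 baseline; 3, 4 post-intervention).
    scores: optional complexity scores for the same four passwords (external meter).
    """
    if len(passwords) != 4 or (scores is not None and len(scores) != 4):
        raise ValueError("expected four passwords (and four scores) in site order")
    pre, post = passwords[:2], passwords[2:]
    result = {
        "length": classify_change([len(p) for p in pre], [len(p) for p in post]),
        "reused_pre": pre[0] == pre[1],      # same password for websites 1 and 2
        "reused_post": post[0] == post[1],   # same password for websites 3 and 4
        "meets_requirements": [meets_requirements(p) for p in passwords],
    }
    if scores is not None:
        result["complexity"] = classify_change(scores[:2], scores[2:])
    return result


def summarize_length(group):
    """Percentage of participants in each password-length outcome."""
    outcomes = [assess_participant(p)["length"] for p in group]
    return {
        label: round(100 * outcomes.count(label) / len(outcomes))
        for label in ("improved", "worse", "no change")
    }


# Constructed sample data (not from the study).
SAMPLE_PHRASE = "Twinkle twinkle little star how I wonder what you are"
BASE = first_letters(SAMPLE_PHRASE)                      # "TtlshIwwya"
PARTICIPANT_A = ["tarheel1", "tarheel1", BASE + "12!", BASE + "12!nf"]
SCORES_A = [35, 35, 78, 82]                              # constructed meter scores
PARTICIPANT_B = ["Summer2012!", "shop4me", "beach", "movies12"]
PARTICIPANT_C = ["password", "letmein1", "password", "letmein1"]

if __name__ == "__main__":
    print(assess_participant(PARTICIPANT_A, SCORES_A))
    print(summarize_length([PARTICIPANT_A, PARTICIPANT_B, PARTICIPANT_C]))
```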

c. Password Repeated Use Results

Approximately one-third of the sample, or 36 students, used the same password for the two websites 1 and 2. After the intervention, only 19%, or 21 students, repeated their passwords for websites 3 and 4. Thus, there was a 42% improvement with respect to this behavior. Regarding gender, 50% of females improved their behavior by using different passwords for websites 3 and 4, compared with only 38% of males. Comparing this behavior for the two intervention groups, we found that they had a very similar outcome, as summarized in Table 11. The groups exhibit the same level of improvement after intervention; more specifically, 13% of the Intervention 1 group and 15% of the Intervention 2 group created different passwords for websites 3 and 4.

Table 11. Distribution of Repeated Password Behavior By Group
Columns: Website | Intervention 1 Group (%) | Intervention 2 Group (%) | Total (%)
Rows: Password 1 and Password 2 | Password 3 and Password | TOTAL

Recommendations

Insights gained from millennial self-reported risky cybersecurity behavior and from the observed experiments conducted by the Millennial Cybersecurity Project research team serve as the basis for the following recommendations, offered here as guidelines for better methods of communicating cybersecurity best practices to millennials in order to increase awareness of, and modification of, risky behavior in cyberspace.

1) Explore, employ and exploit digital messaging that is short in length, iconic, and actionable. Millennials grew up with browsers, hyperlinks, and online gaming, to the detriment of other practices common to previous generations. Some compelling evidence of these trends is the sharp decline in the volume of mail delivered by the U.S. Postal Service and a report from May 2012 by Funcom, the online game company, that 1 million users had registered ahead of time to test the beta version of its new online game The Secret World. Millennials are continually exploring beyond Twitter and Facebook, as the more than 11.7 million unique users of Pinterest, the virtual message board, demonstrate (footnote 11). One striking similarity between sites that, like Pinterest, have millions of followers is the reduced amount of text in favor of visual graphics, photography, and the ability to share the contents with whomever you select.

Footnote 11: We are presuming that the vast majority of Pinterest users are millennials, although access to data to support this claim is not available to us at this time.

2) Personalize communications based on the audience's profile. Insights gained from this study suggest that UNC millennials fit four different awareness-based categories of technology users: 1) expert; 2) trained; 3) confused; and 4) uninitiated. Trying to communicate cybersecurity best practices to these different users with the same level of information content may end up having limited reach, as it may be too simplistic and fail to interest the expert or trained millennial, not specific enough to dissipate the misconceptions of the confused millennial, and not simple and targeted enough to help the uninitiated. Overlaying digital self-representation, i.e. avatars, with feedback and behavioral reinforcement messaging in our experiments led to improvements in risky behavior in both phishing and password use.

3) Develop cybersecurity tools that are technology-mediated, more interactive and capable of providing a user experience of high value. In our experience, opportunities for raising cybersecurity awareness can be brought into the organization environment with great success. During Security Day, promoted by the Kenan-Flagler IT Department every year, millennials wait in line to play fair games and win small prizes while chatting with IT experts who answer questions and provide information about best practices. Our phishing observed experiment was conducted during Security Day and attracted a large crowd. Mobile apps can be another vehicle for delivering cybersecurity information to all individuals of an organization.

Conclusions and Future Directions

The Millennial Cybersecurity Project conducted a set of experiments to determine the effectiveness of interventions such as the use of avatars and other digital (self) representations for message personalization, real-time digital feedback about observed risky behaviors, and messaging of policies and best practices in formats and language that are more aligned with how millennials communicate with others and experience the world. The project's underlying premise is that cybersecurity awareness initiatives for millennials might be improved when messaging is accomplished digitally and in formats consistent with digital devices such as personal computers, cell phones, and mobile devices. Specific conclusions from these experiments are:

Understanding Millennial Attitudes about and Behaviors in Cybersecurity. Favorable results indicate that UNC millennials are aware of best practices about how to protect one's system and adhere to UNC information security policies for use of firewall, antivirus, and operating system automatic updates. However, results also suggest that millennials are not as knowledgeable regarding the dangers of inadequate password usage or risky practices in cyberspace that can create vulnerabilities, for example phishing e-mails. Reported behaviors suggest that male millennials are somewhat more knowledgeable than female millennials. Nonetheless, males also appear to experience more problems due, perhaps, to higher engagement in riskier online behaviors than their female counterparts.

Modifying Risky Behavior in Millennials. Overall, improvement results in password creation and use for the two intervention groups were positive for all three categories (length, complexity, and repeated use) but show different effects. Regarding password complexity, the intervention presenting participants with only password scores led to an improvement that shifted participants with lower scores to slightly higher scores positioned above the sample mean and the threshold for a strong password. The intervention containing the strategy and avatars had a more positive effect in the modification of password complexity behavior, translated into higher scores for a similar number of participants.

Contact Information

Project Contact Name: Noel P. Greis and Monica L. Nogueira
Mailing Address: Center for Logistics and Digital Strategy, Kenan Institute of Private Enterprise, CB# 3440 Kenan Center, University of North Carolina, Chapel Hill, NC
Phone:

Appendix A: Screenshots of Phishing Experiment E-mails

[Screenshot: Example of Low Trust Phishing E-mail Sent to Students]

[Screenshot: Example of Low Trust Phishing E-mail Sent to Students]

[Screenshot: Example of Medium Trust Phishing E-mail Sent to Students]

[Screenshot: Example of Medium Trust Phishing E-mail Sent to Students]

[Screenshot: Example of High Trust Phishing E-mail Sent to Students]

[Screenshot: Example of High Trust Phishing E-mail Sent to Students]

Appendix B: Screenshots of Password Experiment Websites

[Screenshot: Example of Logon Screen for Password Experiment]

[Screenshot: Example of Website for Creating First Password]

[Screenshot: Example of Website for Creating Second Password]


More information

Creating a Culture of Cyber Security at Work

Creating a Culture of Cyber Security at Work Creating a Culture of Cyber Security at Work Webinar Why is this important? Cybersecurity is a people problem. Cybersecurity is no longer just the IT department s responsibility. It is everyone s responsibility.

More information

Policy for Social Media Usage in Catawba County

Policy for Social Media Usage in Catawba County Policy for Social Media Usage in Catawba County Adopted March 1, 2010 Revised September 7,2010 1. PURPOSE The role of technology in the 21 st century workplace is constantly expanding and now includes

More information

SMALL BUSINESS IT SECURITY PRACTICAL GUIDE

SMALL BUSINESS IT SECURITY PRACTICAL GUIDE SMALL BUSINESS IT SECURITY PRACTICAL GUIDE How to make sure your business has comprehensive IT security protection #protectmybiz Small businesses come in all shapes and sizes. But in today s world, no

More information

October Is National Cyber Security Awareness Month!

October Is National Cyber Security Awareness Month! (0 West Virginia Executive Branch Privacy Tip October Is National Cyber Security Awareness Month! In recognition of National Cyber Security Month, we are supplying tips to keep you safe in your work life

More information

ACCEPTABLE USE POLICY

ACCEPTABLE USE POLICY ACCEPTABLE USE POLICY F. Paul Greene Harter Secrest & Emery LLP 1600 Bausch & Lomb Place Rochester, NY 14604 585-231-1435 fgreene@hselaw.com 2016 HARTER SECREST & EMERY LLP THE FOLLOWING TEMPLATE WAS DESIGNED

More information

Top 10 Tips to Keep Your Small Business Safe

Top 10 Tips to Keep Your Small Business Safe Securing Your Web World Top 10 Tips to Keep Your Small Business Safe Protecting your business against the latest Web threats has become an incredibly complicated task. The consequences of external attacks,

More information

DOL New Hire Training: Computer Security and Privacy

DOL New Hire Training: Computer Security and Privacy DOL New Hire Training: Computer Security and Privacy Table of Contents Introduction Lesson One: Computer Security Basics Lesson Two: Protecting Personally Identifiable Information (PII) Lesson Three: Appropriate

More information

DON T BE FOOLED BY EMAIL SPAM FREE GUIDE. Provided by: Don t Be Fooled by Spam E-Mail FREE GUIDE. December 2014 Oliver James Enterprise

DON T BE FOOLED BY EMAIL SPAM FREE GUIDE. Provided by: Don t Be Fooled by Spam E-Mail FREE GUIDE. December 2014 Oliver James Enterprise Provided by: December 2014 Oliver James Enterprise DON T BE FOOLED BY EMAIL SPAM FREE GUIDE 1 This guide will teach you: How to spot fraudulent and spam e-mails How spammers obtain your email address How

More information

kelly Global workforce index release: JUNE 2012 when worlds collide the rise of social media for professional & personal use

kelly Global workforce index release: JUNE 2012 when worlds collide the rise of social media for professional & personal use kelly Global workforce index 168,000 people release: JUNE 2012 30 countries when worlds collide the rise of social media for professional & personal use business or pleasure? social media in the workplace

More information

Outbound Email and Data Loss Prevention in Today s Enterprise, 2010

Outbound Email and Data Loss Prevention in Today s Enterprise, 2010 Outbound Email and Data Loss Prevention in Today s Enterprise, 2010 Results from Proofpoint s seventh annual survey on outbound messaging and content security issues, fielded by Osterman Research during

More information

DOMAIN 1 FOR SOCIAL WORKERS: PLANNING AND PREPARATION LEVEL OF PERFORMANCE COMPONENT UNSATISFACTORY NEEDS IMPROVEMENT PROFICIENT EXCELLENT

DOMAIN 1 FOR SOCIAL WORKERS: PLANNING AND PREPARATION LEVEL OF PERFORMANCE COMPONENT UNSATISFACTORY NEEDS IMPROVEMENT PROFICIENT EXCELLENT DOMAIN 1 FOR SOCIAL WORKERS: PLANNING AND PREPARATION LEVEL OF PERFORMANCE COMPONENT UNSATISFACTORY NEEDS IMPROVEMENT PROFICIENT EXCELLENT 1a: Demonstrating knowledge of School Social Work practices, theory,

More information

Basic Security Considerations for Email and Web Browsing

Basic Security Considerations for Email and Web Browsing Basic Security Considerations for Email and Web Browsing There has been a significant increase in spear phishing and other such social engineering attacks via email in the last quarter of 2015, with notable

More information

Don t Fall Victim to Cybercrime:

Don t Fall Victim to Cybercrime: Don t Fall Victim to Cybercrime: Best Practices to Safeguard Your Business Agenda Cybercrime Overview Corporate Account Takeover Computer Hacking, Phishing, Malware Breach Statistics Internet Security

More information

Why is a strong password important?

Why is a strong password important? Internet Security Why is a strong password important? Identity theft motives: To gain access to resources For the challenge/fun Personal reasons Theft methods Brute forcing and other script hacking methods

More information

High Speed Internet - User Guide. Welcome to. your world.

High Speed Internet - User Guide. Welcome to. your world. High Speed Internet - User Guide Welcome to your world. 1 Welcome to your world :) Thank you for choosing Cogeco High Speed Internet. Welcome to your new High Speed Internet service. When it comes to a

More information

The Auditor's Responsibilities Relating to Other Information

The Auditor's Responsibilities Relating to Other Information Exposure Draft April 2014 Comments due: July 18, 2014 Proposed International Standard on Auditing (ISA) 720 (Revised) The Auditor's Responsibilities Relating to Other Information Proposed Consequential

More information

Everyone s online, but not everyone s secure. It s up to you to make sure that your family is.

Everyone s online, but not everyone s secure. It s up to you to make sure that your family is. TrendLabs Everyone s online, but not everyone s secure. It s up to you to make sure that your family is. We live out our digital lives on the Internet. There, communication is quicker and easier, and our

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

2013 NORTON REPORT 13,022 ONLINE ADULTS AGED 18-64

2013 NORTON REPORT 13,022 ONLINE ADULTS AGED 18-64 2013 NORTON REPORT 2013 NORTON REPORT 24 COUNTRIES AUSTRALIA, BRAZIL, CANADA, CHINA, COLOMBIA, DENMARK, FRANCE, GERMANY, INDIA, ITALY, JAPAN, MEXICO, NETHERLANDS, NEW ZEALAND, POLAND, RUSSIA, SAUDI ARABIA,

More information

Social Media and Cyber Safety

Social Media and Cyber Safety Social Media and Cyber Safety Presented to the National Association of REALTORS by Andrew Wooten Safety and Security Consultant andrew@justbesafe.com Social Media and Cyber Safety Our instructor today

More information

STOP.THINK.CONNECT A NATIONAL CYBERSECURITY AWARENESS CAMPAIGN OLDER AMERICANS PRESENTATION

STOP.THINK.CONNECT A NATIONAL CYBERSECURITY AWARENESS CAMPAIGN OLDER AMERICANS PRESENTATION STOP.THINK.CONNECT A NATIONAL CYBERSECURITY AWARENESS CAMPAIGN OLDER AMERICANS PRESENTATION ABOUT STOP.THINK.CONNECT. In 2009, President Obama issued the Cyberspace Policy Review, which tasked the Department

More information

Website Privacy Policy Statement. 1519 York Rd Lutherville, MD 21093. We may be reached via email at julie@juliereisler.com.

Website Privacy Policy Statement. 1519 York Rd Lutherville, MD 21093. We may be reached via email at julie@juliereisler.com. Website Privacy Policy Statement This website juliereisler.com is operated by Empowered Living, LLC and this policy applies to all websites owned, operated, controlled and otherwise made available by Company,

More information

Information Technology Acceptable Use Policy

Information Technology Acceptable Use Policy Information Technology Acceptable Use Policy Overview The information technology resources of Providence College are owned and maintained by Providence College. Use of this technology is a privilege, not

More information

Scams and Schemes. objectives. Essential Question: What is identity theft, and how can you protect yourself from it? Learning Overview and Objectives

Scams and Schemes. objectives. Essential Question: What is identity theft, and how can you protect yourself from it? Learning Overview and Objectives Estimated time: 45 minutes Essential Question: What is identity theft, and how can you protect yourself from it? Learning Overview and Objectives Overview: Students learn strategies for guarding against

More information

Avoid completing forms in email messages that ask for personal financial information.

Avoid completing forms in email messages that ask for personal financial information. INTERNET FRAUD Online scams and viruses are constantly evolving and they threaten the security of computers worldwide. As criminals evolve their tactics, you need to keep your PC's security software (virus

More information

SMALL BUSINESS IT SECURITY PRACTICAL GUIDE

SMALL BUSINESS IT SECURITY PRACTICAL GUIDE SMALL BUSINESS IT SECURITY PRACTICAL GUIDE How to make sure your business has comprehensive IT security protection #protectmybiz Small businesses come in all shapes and sizes. But in today s world, no

More information

Activities for Protecting Your Identity and Computer for Middle and High School Students

Activities for Protecting Your Identity and Computer for Middle and High School Students Activities for Protecting Your Identity and Computer for Middle and High School Students Overview There are three posters about protecting your computer for this grade span. We recommend that these be

More information

Reliance Bank Fraud Prevention Best Practices

Reliance Bank Fraud Prevention Best Practices Reliance Bank Fraud Prevention Best Practices May 2013 User ID and Password Guidelines Create a strong password with at least 8 characters that includes a combination of mixed case letters and numbers.

More information

Website Privacy Policy Statement

Website Privacy Policy Statement Website Privacy Policy Statement This website ( CRSF Website ) is operated by Cal Ripken, Sr. Foundation, Inc. ( Company ) and this policy applies to all websites owned, operated, controlled and otherwise

More information

Practical guide for secure Christmas shopping. Navid

Practical guide for secure Christmas shopping. Navid Practical guide for secure Christmas shopping Navid 1 CONTENTS 1. Introduction 3 2. Internet risks: Threats to secure transactions 3 3. What criteria should a secure e-commerce page meet?...4 4. What security

More information

North Carolina Office of the Governor North Carolina Office of Information Technology Services North Carolina Department of Cultural Resources

North Carolina Office of the Governor North Carolina Office of Information Technology Services North Carolina Department of Cultural Resources North Carolina Office of the Governor North Carolina Office of Information Technology Services North Carolina Department of Cultural Resources Best Practices for Social Media Usage in North Carolina December

More information

State of the Web 2015: Vulnerability Report. March 2015. 2015 Menlo Security Alright Reserved

State of the Web 2015: Vulnerability Report. March 2015. 2015 Menlo Security Alright Reserved State of the Web 2015: Vulnerability Report March 2015 Motivation In February 2015, security researchers http://www.isightpartners.com/2015/02/codoso/ reported that Forbes.com had been hacked. The duration

More information

La Cañada Unified School District Personnel Use of Technology Regulations (AR 4163.4) Also known as the Staff Technology and Internet Use Policy

La Cañada Unified School District Personnel Use of Technology Regulations (AR 4163.4) Also known as the Staff Technology and Internet Use Policy LCUSD Personnel Use of Technology Regulations (AR 4163.4) Updated 08/21/08 p. 1 of 5 La Cañada Unified School District Personnel Use of Technology Regulations (AR 4163.4) Also known as the Staff Technology

More information

Essentials of PC Security: Central Library Tech Center Evansville Vanderburgh Public Library

Essentials of PC Security: Central Library Tech Center Evansville Vanderburgh Public Library Essentials of PC Security: Central Library Tech Center Evansville Vanderburgh Public Library Why should you be concerned? There are over 1 million known computer viruses. An unprotected computer on the

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

The Benefits of SSL Content Inspection ABSTRACT

The Benefits of SSL Content Inspection ABSTRACT The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic

More information

The Hidden Dangers of Public WiFi

The Hidden Dangers of Public WiFi WHITEPAPER: OCTOBER 2014 The Hidden Dangers of Public WiFi 2 EXECUTIVE SUMMARY 4 MARKET DYNAMICS 4 The Promise of Public WiFi 5 The Problem with Public WiFi 6 MARKET BEHAVIOR 6 Most People Do Not Protect

More information

Computer Network and Internet Security Awareness and Responsible Use. Indian River County School District 2014-2015

Computer Network and Internet Security Awareness and Responsible Use. Indian River County School District 2014-2015 Computer Network and Internet Security Awareness and Responsible Use Indian River County School District 2014-2015 1 Through the availability of electronic resources provided by the School District of

More information

Email Marketing in Ireland 2011 Email Usage by Irish Consumers and Marketers. April 2011

Email Marketing in Ireland 2011 Email Usage by Irish Consumers and Marketers. April 2011 Email Marketing in Ireland 2011 Email Usage by Irish Consumers and Marketers April 2011 89 Harcourt Street Dublin 2 Tel: + 353 1 475 9286 Email: info@circulator.com Web: www.circulator.com Table of contents

More information

NC DPH: Computer Security Basic Awareness Training

NC DPH: Computer Security Basic Awareness Training NC DPH: Computer Security Basic Awareness Training Introduction and Training Objective Our roles in the Division of Public Health (DPH) require us to utilize our computer resources in a manner that protects

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Reducing the cost and complexity of endpoint management

Reducing the cost and complexity of endpoint management IBM Software Thought Leadership White Paper October 2014 Reducing the cost and complexity of endpoint management Discover how midsized organizations can improve endpoint security, patch compliance and

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan Healthcare Cybersecurity Risk Management: Keys To an Effective Plan Anthony J. Coronado and Timothy L. Wong About the Authors Anthony J. Coronado, BS, is a biomedical engineering manager at Renovo Solutions

More information

2011 NATIONAL SMALL BUSINESS STUDY

2011 NATIONAL SMALL BUSINESS STUDY 2011 NATIONAL SMALL BUSINESS STUDY The National Cyber Security Alliance has conducted a new study with Symantec to analyze cyber security practices, behaviors and perceptions of small businesses throughout

More information

B2B Email Marketing Effectiveness Benchmarks, Insights & Advice

B2B Email Marketing Effectiveness Benchmarks, Insights & Advice Benchmarking Report B2B Email Marketing Effectiveness Benchmarks, Insights & Advice Navigating the Minefield to Inbox Placement Sponsored By: 2013 Demand Metric Research Corporation. All Rights Reserved.

More information

Evaluating DMARC Effectiveness for the Financial Services Industry

Evaluating DMARC Effectiveness for the Financial Services Industry Evaluating DMARC Effectiveness for the Financial Services Industry by Robert Holmes General Manager, Email Fraud Protection Return Path Executive Summary Email spoofing steadily increases annually. DMARC

More information

HIPAA Security Education. Updated May 2016

HIPAA Security Education. Updated May 2016 HIPAA Security Education Updated May 2016 Course Objectives v This computer-based learning course covers the HIPAA, HITECH, and MSHA Privacy and Security Program which includes relevant Information Technology(IT)

More information

ONLINE IDENTITY THEFT KEEP YOURSELF SAFE FROM BESTPRACTICES WHAT DO YOU NEED TO DO IF YOU SUSPECT YOUR WHAT DO YOU NEED TO DO IF YOU SUSPECT YOUR

ONLINE IDENTITY THEFT KEEP YOURSELF SAFE FROM BESTPRACTICES WHAT DO YOU NEED TO DO IF YOU SUSPECT YOUR WHAT DO YOU NEED TO DO IF YOU SUSPECT YOUR ONLINE IDENTITY THEFT KEEP YOURSELF SAFE FROM BESTPRACTICES 01 One must remember that everyone and anyone is a potential target. These cybercriminals and attackers often use different tactics to lure different

More information

Acceptable Use of ICT Policy For Staff

Acceptable Use of ICT Policy For Staff Policy Document Acceptable Use of ICT Policy For Staff Acceptable Use of ICT Policy For Staff Policy Implementation Date Review Date and Frequency January 2012 Every two Years Rev 1: 26 January 2014 Policy

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 2001 2014 EdgeWave. All rights reserved. The EdgeWave logo is a trademark of EdgeWave Inc. All other trademarks and registered trademarks are hereby acknowledged. Microsoft and Windows are either registered

More information

Protect. Manage. Organize. Three Steps to a More Secure Digital Life

Protect. Manage. Organize. Three Steps to a More Secure Digital Life Protect. Manage. Organize. Three Steps to a More Secure Digital Life As you move more of your information online, here s how you can safeguard your assets, preserve your good name, and assist your family.

More information

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover Sound Business Practices for Businesses to Mitigate Corporate Account Takeover This white paper provides sound business practices for companies to implement to safeguard against Corporate Account Takeover.

More information

National Commission for Academic Accreditation & Assessment. Standards for Quality Assurance and Accreditation of Higher Education Programs

National Commission for Academic Accreditation & Assessment. Standards for Quality Assurance and Accreditation of Higher Education Programs National Commission for Academic Accreditation & Assessment Standards for Quality Assurance and Accreditation of Higher Education Programs November 2009 Standards for Quality Assurance and Accreditation

More information

State of Mobility Survey. France Results

State of Mobility Survey. France Results State of Mobility Survey France Results Methodology Survey performed by Applied Research 6,275 global organizations 43 countries NAM 2 LAM 14 EMEA 13 APJ 14 SMBs: Individuals in charge of computers Enterprises:

More information

Global Manufacturing Company Reduces Malware Infections by 46%

Global Manufacturing Company Reduces Malware Infections by 46% Global Manufacturing Company Reduces Malware Infections by 46% Wombat s Security Education Platform is changing behaviors, reducing infections, and lowering remediation costs The Challenge A large international

More information

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business S 2 ERC Project: Cyber Threat Intelligence Exchange Ecosystem: Economic Analysis Report: An Analysis of US Government Proposed Cyber Incentives Author: Joe Stuntz, MBA EP 14, McDonough School of Business

More information

PANDA CLOUD EMAIL PROTECTION 4.0.1 1 User Manual 1

PANDA CLOUD EMAIL PROTECTION 4.0.1 1 User Manual 1 PANDA CLOUD EMAIL PROTECTION 4.0.1 1 User Manual 1 Contents 1. INTRODUCTION TO PANDA CLOUD EMAIL PROTECTION... 4 1.1. WHAT IS PANDA CLOUD EMAIL PROTECTION?... 4 1.1.1. Why is Panda Cloud Email Protection

More information