November 1, 2017

The 'Olivia' Experiment: A Personal Security Crash Diet

Throughout October, National Cyber Security Awareness Month (NCSAM) has been in full swing - an annual campaign designed to raise awareness of cybersecurity risks and improve online privacy and safety habits for public organizations, private companies, and individuals. If you’re in security and have pretty much any family, you’ll probably appreciate how difficult it can be to inspire more secure habits when interacting with connected technology. Most everyone I know in security has a friend, a kid, a father-in-law, or another family member that, despite their most patient education efforts, refuses to lock their social media profiles, pick good passwords, or learn what 2FA is.

So, this year, Rapid7 probed the boundaries of this consumer/infosec divide by running a month-long experiment in designing a “crash security diet,” where we followed one lucky(?) employee (dubbed “Olivia”) around to try out all the security advice that is commonly espoused, regardless of whether it’s actually followed. Our goal was to identify some easy, quick wins that are useful for regular, non-security-nerd people, as well as learn what’s realistic for normal people to actually adopt. Below is the first installment of the six-part series – stay tuned to follow along.

About Olivia
Our candidate for this security diet is “Olivia,” (not her real name), a mid-twenties professional in Boston, Massachusetts. Now, while Olivia works at Rapid7 -- a company that does promote a certain level of security tech savvy -- she’s not a researcher or hacker or anything like that. Her job functions, like most everyone, have some technical components, but after going over her day-to-day attitudes and lifestyle, both on and offline, she looks to be a pretty typical young urban American. She goes to work every day, uses a pretty standard complement of social media services, and is constantly tethered to friends and family in the online world by her smartphone. That said, she pretty squarely fits in the WEIRD demographic, so some of her experiences will be atypical for someone with a different personal and cultural background.

Setting Security Expectations
Rather than try to predict what’s useful and what’s not ahead of time, our plan here is to throw pretty much every bit of security advice at Olivia so she can test drive it all over the course of NCSAM. This will include things like making sure that internet-connected devices have the latest software and firmware, password management and password picking strategies, being mindful about location-based services, and reviewing social media sharing habits.

For every exercise, the goal will be to start off with the most secure possible configurations, and then ease up until things get reasonably comfortable. I expect that we are going to find some new habits that are pretty easy -- no conflict between security and usability -- which will imply that the product or service in question is designed for actual humans with privacy and security in mind. Other exercises in securification will undoubtedly be frustrating fights against defaults that “just work” but are quietly leaking personal info all over the internet (social media defaults leap to mind) or provide poorly designed user experiences (I’m looking at you, anything-involving-encrypted-email-especially-PGP).

In the end, we’ll review what worked, what didn’t, and hopefully, have a handy list of what you can do over the coming holidays to help level-up your own friends and family with respect to sensible secure default settings and behaviors. It should be fun, frustrating, and enlightening -- pretty much exactly like how I experience the security industry every day.

To get things started, I did a quick Q&A with Olivia to see where she’s at, and here’s what she had to say:

Tod: So, how “secure” do you think you are today, compared to the average person?

Olivia: Of course, working at a security company, I’d like to think I’m a bit more security aware than average. But alas, I know I also have a good deal of blind spots, which I’m sure these diets (and Tod) will be quick to point out. I’d say a 3.5/5.

Tod: And how “connected” do you think you are today?

Olivia: I’d say I’m pretty well-connected… I’ve got a lot of apps running, social media accounts (most of which I use actively), iPhone, laptops. You could say I’m a (cringe) typical millennial when it comes to connectivity. However, since I live in the city, I don’t own a car or home which rules out most non-phone/computer internet connected things (so no internet-connected cars, home automation, refrigerators, etc.). 4/5

Tod: Is there anything specific that you’re concerned about?

Olivia: I have a feeling there will definitely be some aspects of the security diet that will all but eliminate usability… and make life really difficult – so I’m very interested to see which of those I’ll expect and which will be a surprise. Stay tuned!

Tod: What’s your mother’s maiden name and the name of the street you grew up on?

Olivia: Nice try!

Tod Beardsley is the Research Director at Rapid7.