New Security Awareness Site Gives End Users the Picture

The first clues that this is no typical security education experience are the tap-dancing Elvis impersonators illustrated in one cartoon box, and then the tap-dancing USABank Web Impersonators that follow.

Cryptography and phishing expert Markus Jakobsson and Sukamol Srikwan, research associate at Indiana University at Bloomington and part-time illustrator, have quietly launched SecurityCartoon Website, which uses cartoons to interpret the perils of the Internet for the everyday end user.

Jakobsson, a research fellow of the Anti-Phishing Working Group and associate professor at Indiana and associate director of the Center for Applied Cybersecurity Research, says the idea was to make security understandable for the person on the street.

"We wanted to be very approachable, which is why we selected cartoon media -- it has a take-home message and sound bytes," he says.

Jakobsson, former principal research scientist at RSA, says "Oops... I clicked!" is like the political cartoon in a newspaper that conveys the complex message of the paper's editorial piece. "It only has a moment to convey a complex message," he says. The cartoons depict concepts like Website spoofing, phishing, pharming, and malware.

The site is currently in what Jakobsson calls "submarine mode," where it's online and under development but keeping a low profile as it gets vetted and evaluated by potential users -- including large financial institutions. One of the largest European banks is looking at SecurityCartoon for its clients, as is a major U.S. financial services firm, he says. Several universities, including Indiana, have adopted it for user education. It may also be published as a coffee-table book -- Jakobsson and Srikwan are in discussions with publishers.

SecurityCartoon's creators are also considering going multimedia by serving up animated versions of the cartoons online.

Jakobsson says the trouble with most user-education efforts with security today is they don't tell the users why they should update their AV filter, for instance. "They just say you need to update your AV filter, and it becomes less relevant to the user, because he doesn't know why," he says. "If they understand why, then it's easier for them to take the advice... It's more meaningful."

But not all security concepts translate neatly into an illustration and bubble quotes. "The more technical the issues, the harder it will be," he says. "You have to work analogies."

With AV filters, for instance, the cartoon teaches the basics, using a grocery-store analogy of a list of bad check-writers. "That list is updated all the time... That's how you catch the bad check-writers," he says. "If you don't keep your AV software updated," you can't catch the latest check fraudsters, he says. "And that's the closest you can get to explaining AV technology."

The challenge, he says, is striking the right balance of creating cartoons that appeal to a broad audience -- from the technology-challenged to the self-taught home user geeks. "It's also about convincing technical people that education plays a role in changing people's role in security... It's hard to convince technical people -- who say it's 'impossible to educate users' or that 'users need to try harder' -- that users do need education."

Robert Hansen, a.k.a. RSnake, and founder of SecTheory, is one of those skeptics. "I have never thought that this is a problem we had to get consumers to solve for us," he says. "Making them make smart decisions is a crapshoot. We need to empower them with tools that help them increase their odds. Educate them in the tools, perhaps, but don't rely on them 'getting' technology."

Hansen argues that showing a user what pharming is doesn't actually help him defend himself. "This is a really complicated problem. You cannot boil it down to a drawing with a guy holding a computer... You aren't telling the consumer what to do about it."

But Jakobsson has no illusions about eradicating botnets or malware. "The biggest impact would be a gradual change in people's perception of threats and behavior, so over time, bot authors will have a harder time infecting" machines, he says. "It can't eradicate it, but it can make an impact" on the bad guys.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.