Sandy Clark, University of Pennsylvania
The Honeymoon Period and Security Development

Bug identification models don’t work for vulnerability identification.

Casinos have developed good approaches to patching exploits in their systems (general systems, not just computer-based systems).

Scams are the “buffer overflow errors” of human consciousness.

Attackers adapt, so defenders must adapt.

Evolutionary Biology model for Parasite/Host competing evolution (the Red Queen Hypothesis: everyone must run in place to maintain the best outcome, which is not a perfect system).

Modelling the defender is not enough. We need to model the attacker. More importantly, we need to model the interaction, and the violation of assumptions is one of the key elements of this.

 

Richard Clayton, Cambridge
Devo estar falando Portugues? (Should I speak Portuguese?)

IM Worms.

Portuguese-specific short IMs for infection have significantly higher numbers of clicks at peak than “language-independent” ones.

 

Cormac Herley, Microsoft
Fraud

Anything I do with a password can be repudiable.

We should be teaching check(cheque)-clearing rules instead of Byzantine security tips.

 

Markus Jakobsson, PayPal
What are password strength checkers actually doing?

Strength checker? Fast Runner? Has Tail, Has Black marks, Has Yellow surface, Has Dots? Result is a budgie not a leopard.

Determine the user’s mental process for creating (strong) passwords.

Comment by Richard Clayton: passwords for porn sites need to be enterable with only one hand.

 

Eric Johnson, Dartmouth College
Fraud in Healthcare

US healthcare costs are $2.5T. Fraud is estimated at some hundreds of billions of dollars.

Medical Identity Theft?
The US medical system is set up to provide opportunities for fraud, particularly due to the pay-and-chase model.
It is very easy to join Medicare/Medicaid as a payee; it is just a bureaucratic process.

Getting hold of an identity is not hard. The monetisation model is the key development.

Grainne Kirwan, Inst of Tech, Ireland
Psychology of Cybercrime

Interested in victims of cybercrime. Why are they targeted, how do they react?

Trait anxiety, rather than state anxiety (Big-5?): how does it compare to susceptibility to fraud?

Victim facilitation and precipitation. Insult someone and they hit you (precipitation). Leave your keys on the bar (facilitation).

Considering how facilitation relates to liability. Most people will indicate that facilitative victims should be more liable.

David Modic, Exeter
Risk and Internet Scams

Ego-depletion, materialism, marketing (susceptibility to being scammed).

Ego-depletion has no effect on falling for a scam.

No materialism measure has any impact.

Appeal has very limited effect.

Scammers offer money, not goods and intangibles.