What do you mean privacy? And I'm Sarah. And after this, if anybody has questions, I'll be out in the lobby kind of hanging around for just a little while and buying some stuff, probably. This is not my computer, so if I get confused on what button I need to push, I may have to ask somebody over there, because I can hardly actually see the buttons. So the next 20 minutes is what we're going to do. I guess we're going to do it very quickly, because it's only 20 minutes. I tend to usually talk very quickly, so it shouldn't be a problem if we go too fast. And you can't find a long measure here in this little bit.

The next 20 minutes are going to explore some important concepts about privacy, and consider some of the ways that technology has impacted privacy. Most of those, you're probably aware of, so we'll just touch on those very, very briefly. Look at the findings of a study that we did on privacy cognitions, that's how you think about things, and behaviors, what you actually do. And look really at how you stack up against our groups of other people that we've talked to. I'm going to do this by asking questions, and then we're asking a lot of questions, and I'm going to answer them very quickly. You do that by raising your hand, yes, no. It's kind of an anonymous thing, so I don't need to say anything about you, just I'm just kind of looking to see how you stack up against other people.

So we're actually turned upside down, and as these questions, yes or no: I have reviewed my browser privacy policy, yes? No? I always delete, and you can look at the word always extra time, unwanted cookies, yes? No? It's cool. I have read my company or school or whatever you happen to be, and I don't know whether it is, privacy policy, yes? No? I always read privacy policies, or privacy policies if you happen to be feeling okay as I sometimes do, of worldwide websites that I visit, yes? Or no? You guys need to be here.
I always read, don't laugh, end-user licensing agreements, I said don't laugh, at least after word before installing on my computer, yes? No? I always encrypt sensitive emails, yes? No? I don't know where you work, do you? I always encrypt the data on my hard disk, the data on my hard disk is currently encrypted, yes? I don't know, you guys work too? No? Hackers. I like to control the disclosure of information about myself and all my transactions, yes? No? Okay, so what is privacy anyway? I'm going to take a look at those responses, and I'm going to compare with our three large groups of information systems security professionals in just a couple of minutes.

We went out and first asked a lot of people what were their ideas about privacy? Some people said privacy really refers to information that's about me, my name person is stuff like where I live, my name, which you all sort of knew me. I have information about what you do, maybe what you do at work, where you go, what you buy, things like that. Some people said the privacy really expands out a bit, even to things you know, so I'm talking about the sorts of things that you may use at work, all the data that you happen to be working with, even if it isn't about you. Some people said, my name now, privacy isn't just about information about you, but it's also freedom from being approached by other people. That is, I have the right not to be intruded on my name space, and if people intrude in my personal space, which will differ culture to culture, they're invading my privacy, and some of the ideas we had about unsolicited commercial email would fit into this sort of analysis area, because if you don't want to be approached and somebody approaches you, it could be considered invasion of privacy, depending on who you are and where you live, and what you think.

Then we went out and did a literature review, looked at some cultural aspects of privacy, and some gender issues in privacy. These are pretty interesting.
Found in Japan, the personal distance space is a lot less between people, and so you can be a lot closer to somebody before they feel like they're invading your space. If you're in a doctor's office, it's like, go ahead, if you're in a doctor's office, it's likely that you're going to be separated by a current man instead of an unabated man. That may happen because it's not considered to be a need to have a privacy in that situation. The man who came to me, where I sometimes live, we have traffic cameras, and we have cameras in WC2, they keep track of where we are, so we're off the street to fight against crime. When I was living in South Florida, we had a lot of problems with people going past speed limits and having fatal accidents, and there was a big outcry over the days of traffic cameras, and people in that community said, we do not want traffic cameras and it invades our privacy, so the idea was quickly dropped because the community didn't like it. Whereas in the UK, the cameras are still there.

In Sweden, it's really interesting, here in the US, we don't put information generally about our income tax returns up in public, on the internet for people to read. In Sweden, you'll find much more detailed information about your tax returns, and that could be due in part to the fact that the amount of money people make, the amounts are much more tightly compressed, whereas they're much more disputed in the United States, but in Sweden, you find that information. In the US, you don't. Generally, in the UK, US, there's a difference in how people perceive how businesses handle down personal information. Like, and maybe I remember which one of those things that didn't do a great job, so when you connect, there's a white paper about this topic that I can get for you if you'd like to read more about these cultural aspects. And you saw the array there, which I found to be the most interesting. You are tasked with protecting your neighbor's privacy.
You need to build a house. You need to build that house so that within your house, your windows do not look up on personal areas of their home. So you won't protect your own privacy that way, but you protect their privacy by your own behavior. It's a very, to me, very interesting cultural difference. I don't know why all these things exist because we didn't go that deeply. We just were interested in what the differences were.

We looked at it just a little bit at one. Who you are makes a big difference, and I mean, you can tell I have a big budget for graphics. We're in a real difference in how they perceive their privacy on the internet. There's some very interesting studies done that show women tend to feel about half as safe as minorities of privacy on the internet. Children seem not to have quite as many rights of privacy because you can go on the internet, of course, and look at children in daycare centers and schools, and a lot of places don't have the permission to do that if the children are just put up there. And I found that, I remember the cartoon on the internet where no one knows you're a dog. You can go on the internet and look at people's dogs, you can look at dogs for sale on the internet, the living creatures dogs, and you can also look at people's dogs as they're boarded, and you can see when people are away because you can tell when your dogs are boarded. The dogs that we don't have just are cats or ferrets or whatever's been boarded. Not under the name of the kennels, but I was taking a look, very interesting. You can see all the different dogs in the kennels. I guess dogs don't really have rights of privacy.

What's changed? You know most of this stuff, and so we won't talk about it too much, except to say that things have gotten a lot worse as far as technology has been introduced. We used to have filing cabinets where we kept information, now things can get exploited without any big effort.
We used to have walls of concrete that held information in it, now you can access it remotely, much more readily available. We used to get liquid brochures or information in grocery stores or places where we shopped. Now people can track with RFID or spyware, cookies, whatever, see what it is we want, what we like to do and track our preferences and do whatever they like with that information. And of course there's always inferences because there are really, really huge amounts of information out there on the internet. It's much easier to collect that information out together and find out something about one specific target.

Things are getting worse. I think you probably know that a lot of websites collect personal data and do what they will with it. Now usually they do tell you in their on-site web privacy policies that are printed up there what they'll do with that information. Of course if you don't know those privacy policies you're not likely to know and that information can change pretty much at will. They'll usually tell you it can change but if you haven't read it you wouldn't know that. And some websites give away or sell the information. And of course there's malicious disclosure. One of the, I guess the biggest increase we've seen in our work is the read and run exastrogens and the outright theft of data: viruses, worms, blended threats and such that export data or set up back doors so people can come in and grab the data.

Now there are technical solutions. For the browser privacy thing they're not perfect solutions, right? But you don't have personal platform for privacy policies at P3P. Enterprise security management tools. You can get all this stuff, software that destroys cookies so you don't have to manually do it yourself. Or even too much know what you're doing. You know there are licensing agreements you can read and privacy policies on websites that tell you what they're going to do with your information.
And there are antivirus, firewalls and all this sort of stuff to protect you against not all but most of the Trojan viruses. Trojans, viruses that are out there and blended threats. I wouldn't be from Symantec. I didn't use the word blended threats. I haven't used it twice. Thank you. Thank you very much.

So how are we doing? How are we doing? Well we did a study and the study was to determine if privacy was important to information system security professionals. And then to determine if the function of data behaviors related to specific acts that might take reflected that importance or lack thereof. That's science speak for: do they walk the walk or do they just talk about it? Of course because there are so many different definitions of privacy we had to come up with an operational definition. How are we going to see if they value privacy if we don't really know what they think it might be, because people have such a wide variation of what they think it is. So we said okay for this study and we will operationally define privacy as control over the disclosure of information about yourself or your transaction.

Then we first administered this to a focus group of 67 security and antivirus professionals. Somebody from the hearing who took the survey and told me that they radically changed their behavior after being asked these questions. We refined the survey changing P3P to browser privacy policy because no one had heard of P3P and on cookie site privacy policies, encryptions and licensing agreements. And then we went out and we administered this study to security professionals at three security focused type conferences and the study questions that the surveys did meet the test for validity, reliability and statistical significance in the selection of the population that was sampled. And all the stuff about how that works is in the white paper. We got a bunch of numbers which you wouldn't be able to read.
Okay, basically this says we ask the questions if you said that you like to control this disclosure, it's important, if not it's not important. Remember yesterday, you can see people are pretty much split about it and people are pretty much in a bad way of thinking, I guess. The analysis which you can read much more easily than all those numbers. But the thought I like to control disclosure of information about myself and about my transaction is not reflected in the behaviors related to browser privacy policies. The deletion of unwanted cookies, reading the privacy policies, reading the licensing agreement, encrypting sensitive emails.

And the reason I had the question about the sensitive emails, I hadn't really thought to ask it, but as I was doing the survey and I was doing, some people, I got quite a few comments like, well, you know, I know I'm not supposed to send emails from home as I go about doing my job, but the boss says I'm going to be able to do this quickly and I'm going to get in trouble if I don't submit it in time and nobody's reading my email anyway. And I know I worked for the unnamed agency, which probably consists of letters in some country, which isn't the US, but you know, I'm just going to do it just this once. And I know it's kind of being tried, probably shouldn't do it, but who's really going to be looking at my email? So I got quite a few of those sorts of responses. So we had a new question about encrypting sensitive emails.

So why is this? Why do people say they value the disclosure, the control over the disclosure of information about themselves? Why do they say they value it and not do it? I think that there's something called cognitive dissonance, which I saw someone else was actually speaking about at Black Hat Briefing, so I don't know how many of you heard about that in depth, but again, there's more on this in my paper. This means that you tend to focus on the benefits of the act you've chosen to do.
You're going to save a lot of time if you send an email at home really quickly, even though you're not supposed to. You're going to save your company money if you do this or that. You're going to accomplish a lot more work if you don't waste all your time reading those policies. And you dismiss the benefits of what you didn't choose. You say that's really not so important. And you know that it really is yours. I mean, I said, do you really, you let's everybody guess how it kind of laughs about it. No one would read my email. I'm not likely to get a virus. I don't have time to do any cookies. You're not going to do anything when that's really important. So that's cognitive dissonance. And you attempt to resolve it by doing these sorts of things.

So what are we supposed to do about this? When, even in this population, the responses were pretty similar in most of the areas to the responses that we got from the people that are working in the information system security field. So what are we supposed to do to get our behaviors to match up with what we say we believe in this particular area? The problem with other areas of life where we have the same thing going on but this is the one that we're talking about now, that we need to educate people that are in organizations and just people that are thinking and learning about security, about the time loss, the money loss, the work loss, credibility security. All the real problems that's kind of not doing what you say can toxic. I told you I'd be done way around.

So you plan to work in security field and you're already working in it. What do you need to do? What can you do to try and make these changes? I think probably the key thing here is to plan and encourage healthy cultures of security in organizations. Discourage what we say is inappropriate group. Thank you.
If everybody laughs, 'cause some poor schmuck in your organization is going out to look at getting his penis enlarged and so you're all laughing about that while it's clicking away on this stuff which is letting your corporate data dance out the door. You're not having a healthy culture of security. You're not really taking it very seriously in your organization. You need to really encourage taking it seriously. So if that's what you're going to do and either you work in that field now or you're planning to work in that field, you need to really think, is this something that really matters to me or do I just kind of like to sort of do it and maybe not take it too seriously and ask yourself, are you really going to be a leader? Are you just going to have whatever culture happens to evolve in your organization? Because as the security people in your organizations or in your schools or whatever, you have the opportunity to make real difference and get people thinking about what it is they're doing, not just going through the motions and half laughing at the jokes and watching the data dance out the door which is not very cool 'cause there's lots of problems.

So conclusion, privacy is really, really important no matter how you define it or how you think of it. Most of the people here, maybe four or five people here said they don't want to evaluate that disclosure but most of you said that you value that. At the same time, maybe if not most of you didn't do some of these things, they actually can work toward protecting that sort of privacy. There's certainly impediments to privacy. Technology helps impede privacy by the speed with which it develops and then people have to catch up with how to do the protection. But that's the privacy people like to find out things about people and there are solutions out there. So if you have any questions, I'm gonna be out in the lobby and I can answer them and I'll then, bye-bye.