Security Vaccination Ransomware Experiment

By: Amit Rechavi, Tamar Berenblum and Rutger Leukfeldt

Nowadays, the dependence of business processes on information technology (IT) is stronger than ever, and keeping IT systems running and well-functioning is a must. Securing them against outside and inside threats has become a business process of its own, and within the context of information systems security, human behavior plays a fundamental role. Training and awareness programs are used to improve the social component of IT security. However, this training is based on storytelling and explanations of the risks, and the user never experiences any personal harm. We believe that the long-term effect of such training is weak, and that soon enough users return to their bad habits.

Our model is based on a vaccination model, in which exposure to real but limited damage is highly effective and may change the user's concept of, and behavior concerning, security issues for an extended period. We suggest exposing users who do not follow security procedures to a semi-hostile ransomware screen, followed immediately by denial of access to their data, which will significantly delay their working processes. All damage can be repaired in no time by the local IT department. We expect to find significant differences in security-oriented user behavior before and after the experience, both among the participants of the experiment and among the surrounding users in the organization.

Mapping workers' mindsets concerning security issues before and after this new vaccination approach, and measuring the robustness and real effect of such an approach over time, will help in planning IT security policy and procedures.