Defensive Maneuvers

Norman Sadeh

While conducting research on phishing, Norman Sadeh and his colleagues at Carnegie Mellon University noticed something surprising. A significant percentage of their volunteers, tech-savvy university people, fell for their test attacks.

"These people are very smart, they know what a phishing email is. The fact is they don't apply that knowledge in context," explained Sadeh, professor of computer science.

The researchers, including fellow CMU faculty members Lorrie Cranor and Jason Hong, knew that traditional security measures weren't enough. They knew that training end-users was critical. Yet, when it came to cyber security, industry seemed to have given up on the idea of being able to successfully train people. Some experts would compare it to trying to nail Jell-O to a wall … It just would not stick.

"The first step is to get people to pay attention to your training," said Sadeh of their solution. "We've found that the most effective way is to send them fake phishing emails — right in their inbox."

He explained, "If they click on a link in a fake phishing email, you pop up some training and tell them how they can avoid falling for similar attacks in the future. At that point, they realize that whatever they knew is clearly not sufficient."

Sadeh added, "You've humbled them just enough that they will pay attention to the training. Customers who buy this solution today have reported major increases in the number of employees who take the training: from less than 10 percent to 95 percent. It is all about the creation of powerful teachable moments and learning by doing."

Customers were already lining up before Wombat Security Technologies was formed.

Sadeh turned to CMU's Center for Technology Transfer and Enterprise Creation (CTTEC). The center is part of Carnegie Mellon's Greenlighting Startups — a consortium of incubators designed to accelerate the university's impressive record of turning campus innovations into sustainable new businesses.

"It's been an absolute pleasure to work with Tech Transfer," said Sadeh, an entrepreneur who has been working with CTTEC for 20 years.

"We really have something here that works. It's no accident that CMU is first among all U.S. universities without a medical school in startup companies created per research dollar."

"So many of us who do research are eager to see our results being used in practice," he added. "You feel successful with technology if you see it adopted, see people really using it."

Patrick Kelley, a doctoral student on the original Wombat research team, agrees.

"Norman has been a wonderful mentor. Because of Wombat, I have been exposed to not just coursework and research, but to how academics can improve the reach of their research and launch a profitable startup."

"CMU's support of students and professors is one of the facets of life here that creates such a strong entrepreneurial culture. I hope someday, I too, can successfully make the jump from an academic lab audience of dozens to having global impact."

Today Wombat offers the most comprehensive suite of anti-phishing training products as well as a particularly effective anti-phishing email filter that organizations can deploy alongside their existing anti-spam and anti-virus solutions.

The company is fast-growing, with customers coming from sectors as diverse as government, finance, energy, telecom, retail and education, to name just a few. In September, it launched a cyber security training platform through which Wombat now offers a comprehensive suite of cyber security training modules that extends well beyond phishing and includes smart phone security, social networking security and more.

The company's many clients translate to millions of end-users around the world.

While the co-founders continue to play an important role, they are now helped by a team of seasoned executives. Over the past year, the company has hired a number of CMU alums and is adding monthly to its staff. "We continue to welcome CMU additions," noted Sadeh.

"There are so many great things to say about Carnegie Mellon," noted Sadeh.

"I love the city. I love the university. I love the students — they are just amazing. The university's reputation, the focus on impact, the entrepreneurial spirit, the quality of the people and openness to collaboration across different fields — that combination is truly unique."


