
So I'm going to start very fast and try to get through this a little bit quickly so that we can go back to the main panel. My presentation starts a few years ago when I was a graduate retrainer coming into cyber security, and my first role was in the culture and awareness team. The task that we were given was to implement and start running a phishing simulation. I was very new, and so the more research I did on phishing simulations, the more controversial I found they are: some people love them and think they're really important, and some people hate them. Most people hate them, because they can really be run unethically. They can be used to trick people, manipulate people, twist the information. So it tends to be something that is love it or hate it, but usually hate it.

What we ended up having was a big gap between what security wanted us to do, which was run genuine phishing training so that we were creating a more secure company and were better aware of the risks and the exposure that we had, and on the other side the risk of burning bridges with the company. We didn't really want to be tricking people; we didn't want to go down the unethical route, so that people felt manipulated, tricked, fooled, like they had fallen for a phishing simulation and they were the idiot in the room. So we had this gap in the middle, trying to figure out what to do.

My background is actually English language teaching. One of the things with teaching is that, one, I was always in for-profit teaching, so you had to be engaging and interesting; people had to want to come to your classes and want to stay in your classes. It's also very objective-oriented: what is the purpose of this, why are you here, what are we doing, what's the goal, and how can I demonstrate that by the end you have done this? So, for example, you would have: by the end of this lesson the learner or participant will be better able to analyse, predict, figure out or identify this, and sometimes, as a result, will be able to do this as well. And you need to demonstrate this in a one- to two-hour lesson.

So I thought, well, if we have this gap, where we need to be a little bit ethical and mindful about how we introduce people to phishing simulations and phishing emails, but we also need to expose people to more genuine risks that they might see, this is a beautiful place for a workshop to raise awareness and get exposure for people to see phishing simulations or phishing tactics. So I suggested presenting a workshop and creating this, drawing from my experiences teaching English.

There are two really fundamental methods or strategies that I would say influenced a lot of my workshop development. The first is teacher talk time. This is a presentation: I am here to impart information very quickly, very efficiently. But in a workshop it's flipping the script a little bit: you are not talking very much, but you try to get people to come up with the information. So you are eliciting things from the audience, you are provoking conversations and discussions, or you are guiding them through something that you've already pre-developed, and you know exactly how it's going to run, and you're pushing the first domino over and watching the rest go. But it's really not about you talking; the less you can talk, the better, which involves thinking about tasks slightly differently.

The most fundamental structure for teaching English is PPP: presentation, practice, production. It's one of the most basic but actually quite useful methods for structuring a workshop or a lesson in this context. So I used this concept and this strategy to develop the workshop, and I'm going to run through how those stages worked.

So the first thing, the presentation stage, is about creating a hook, creating why people want to be interested in cyber security, and there really is, in my opinion, no one better in the world to do that than Jenny Radcliffe. She's a phenomenal speaker, with phenomenal narratives and absolutely insane stories that work really well for generating interest and creating a hook for your participants. So I took some videos, some stories that Jenny Radcliffe had on YouTube, and created a prediction task. The participants in the workshop were given images, for example, of clues to the stories that Jenny Radcliffe had told. In this one, for example, I would give the picture of a coffee and say, you know, how did she use this to get people to click on a phishing email link?

The goal of the prediction task is not to actually predict the outcome; it is actually about expanding what people think and how they can think more creatively about social engineering. There are two aspects of the task: one is just predicting, so is it true or false, did you get it right, but it's about expanding the potential of phishing tactics. The second one is also to introduce people to the emotive triggers that can cause people to click on links, for example. So you have the prediction, and then people watch the video of Radcliffe. They love her, they're immediately interested because she is amazing, and then you've also introduced a lot of the actual emotional triggers that people might see, for example authority or panic. Again, you can elicit this from them; you don't give anything, because they've actually watched the video and come up with it themselves. So you're prepared with the next slide of all the actual answers after this.

So that is the presentation: you've got them hooked, you've got them interested in cyber security. This is an in-house training, so not everybody has experience with cyber in the first place. The next one is the practice.

So I took a whole bunch of examples and staggered the presentation of them, so it wasn't a wall of text, but it was genuine phishing email examples. Having all of the examples on the board, the task was then, in partners, so people feel a bit more comfortable discussing things together, about what triggers were in these, and then also whether they had ever seen this or experienced this or knew about this. This stage of the workshop was actually very, very difficult, because time-wise it took far longer than I anticipated, because everybody ended up having a story about a phishing email that they've seen or experienced or learned about, or that had personally affected them or their friends or family. So then you also still get the narrative structure moving through it: you've got the Jenny Radcliffe insane stories, but then you've also got the real-world tangible impact that it has on people who are in the room. This also bypasses a lot of the "I would never fall for a phishing email, so I don't need to do the training", because as soon as you hook it into "do you know anyone who has been affected?", then that becomes a little bit more about the actual societal impact of phishing rather than "I'm better than this, I would never fall for this".

So you've got the presentation, Jenny Radcliffe; the practice, the real-world examples that people see; and then the production, where the task is to write a phishing email. So this is the outcome. This is where you see: do people actually take in the emotional triggers, do they get it, do they understand how this works? In the workshop I ask people to write one or two examples, based on time; it depends on how many people are actually in the session. Two works better, because you get to do two different emotional triggers, to see a little bit more of a test of how the people took it in. But you're also going to add additional aspects to this. So yes, triggers are one thing, but there are also things to think about, like, I ask them to target their own function. In this way you are getting very clear, targeted phishing emails that we would never have been able to send via a phishing simulation in the first place. So we circumnavigated all of the issues about the ethical dilemma by getting people to actually do it themselves, and this is also where you get the twinkle in the eye of people starting to realise that they can be a little bit evil in a safe place.

So then you can also ask them to add additional information, like: think about the time; what time do you think you would be most distracted by? And then they actually put that in there. What email are you going to send it from? And then again eliciting information, like how would you change is net.com, what are you going to do? So you're again not really giving very much, but they can actually start figuring it out for themselves and putting it into the example email. And that is your analysis, demonstrating that people have actually taken in all of the things that we train people on after they've fallen for a phishing email; we just did it in reverse, so we prepped them for it earlier.

So that's great: they've written their phishing emails, it's fun, it's enjoyable, people have had a good time thinking about what they're going to do and how they're going to trick, basically, their own function. But if the goal of the workshop is raising awareness of multiple types of emails, then we gamified it afterwards by making this into a competition. So within the room we had them pass around the actual phishing emails that they've written. So, one, it gamifies it: people got to mark it one, two, three for how effective they thought this was, how good it would be at tricking their own functions. And then you also get the secondary main goal, that they are being exposed to about ten different targeted emails that are directly, potentially impacting them. You get the ten different time slots, you get the ten different links, you get the ten different emails, so people are actually looking at a high volume of targeted examples.

So that's great, but what happened as a result? It's very difficult to say if it had actually done any behavioural shifts. This is a one-hour workshop; it's not going to have enormous ramifications, your company is not 100% secure, but it is one thing that people could add, and it raised awareness in a much more positive way than the phishing simulations. And we actually ended up having people come to the security team to request the training, which I think is quite unusual for security training, that people actually came and said, hey, we've heard that you've done this, we would like it run for our function as well. And so that for me was a key takeaway, that we actually were demonstrating some impact. You can get positive feedback, you can have people that are positive within your team about it, but people are nice; it was really that they wanted it and they wanted us to run it for them, for their function, to start protecting their functions. This I think I did quite well time-wise. Done. Any quick questions? Because they're holding up the panel, so none of you miss it downstairs.

Yeah, how did you target the people you really makeit from it?

So we did. I had to sneak in to do this in the first place. So the first thing I've got is the idea, I want to do it, but it's very difficult to launch a graduate idea on the whole company. So we had a little graduate team, and we were supposed to present our information about what our function did, and I actually hijacked that session to use it as an experiment, to run the scenario, run the session. And then I had actual demonstrable information that I could then bring back to the security team, and it was the head of the culture and awareness team at that time that started reaching out, and we did it with marketing first, for example. So marketing saw what we were doing, and then it just expanded quite a bit from there. And then once it started gaining through, then people were reaching out to us, but we would always offer it to people. People would contact communication, we're aware that we had this, we did it in some comms, but then basically it ended up being one of the major things that the actual culture and awareness function did at that time.

You pretended it was a pilot? Was it a pilot then? Shey, yeah, what was a pilot like, I would

It was very difficult to say, like, oh, this is my background, trust me, I can do this. But when we had a graduate session, well, that was my time to run it, test it for myself, like I didn't know necessarily how it would work. It did, and then I also had all the examples of phishing emails that had been written by the graduate team that I could then demonstrate, and through that, sorry, got whaty, yeah, yeah, oh yeah, perfect, cool. Thank you very much.