
How do you get your users to give up sex for a year: Security culture engineering

BSides Scotland · 2017 · 50:12 · 136 views · Published 2017-04
About this talk
Jordan Schroeder explores why security awareness training fails to change behavior and proposes a practical framework for engineering security culture. Using case studies from financial services and corporate environments, he demonstrates how identifying intrinsic values and connecting them to security practices can drive unprecedented voluntary participation and genuine cultural shift.
Transcript [en]

Hi everyone, welcome to this afternoon's session of talks for BSides Edinburgh. We've got Jordan talking about security cultural engineering this afternoon, so take it away.

Thank you. Well, I'll give you a hint for any of you who is going to be doing a presentation in a large conference. The last slot you want to prefer is the one just after lunch. For two reasons. One, there's always a lot of stragglers that come in, and two, you're all sleepy. And so one of the things you don't want is to have some boring, stodgy presentation that's just going to put you to sleep right after lunch. That is not going to be a problem here today. My talk: How to Get Your Users to Give Up Sex for a Year.

Now, I know what you're thinking. You're thinking, if I had this superpower, then I'd probably use it for something more than security culture engineering. I'd use it to solve world peace or something like that. But there's a reason for the title. Last year Dashlane, the password management software company, published a survey. And one of the questions in the survey was, would you give up sex for a year if it meant that you could be protected for the rest of your life from privacy invasion, data breaches, or being hacked? And 39% of respondents said yes, of the entire group of respondents. Now this is deeply, deeply frustrating for security professionals like myself, because we spend our entire careers saying you don't have to be that extreme, the problem isn't that weird. There's just some things you need to do and do them consistently. You don't have to do that. And you just know that these 39% are not the people that are also doing the things they need to be doing in their daily lives to help secure themselves. And that theory is supported by the fact that 45% of millennials said that they would give up sex for a year. And we all know how millennials treat their own personal security. Sorry, millennials. So the question becomes then, you have people who value security, aren't doing what they need to be doing, but then turn around and say, I'm willing to give up sex for a year if it meant that I'm secure. So how do we deal with this, this disparity? And this is something I've been dealing with for most of my security career.

Who am I? My name is Jordan Schroeder. Hi. I'm an international speaker. I've spoken at SANS Secure the Human in London last year, spoke at RSA 2016 in San Francisco. I've done a variety of presentations for ISACA events, (ISC)² events, various other organizations and companies. I'm an author. I've published a book called Advanced Persistent Training: How to Take Your Security Awareness Program to the Next Level. It's being republished in a second edition by Apress later this year. I am currently a senior security consultant with ECS here in Edinburgh. Security hasn't been the thing I've done my entire life. I've actually had quite a range of experiences and quite a range of careers. I am a former teacher, actor, singer, director, coast guard officer, undertaker, database designer, tax preparer, business owner, and day trader. Now, when I do presentations and I give this list, one of those items on that list usually causes a bit of a stir, and I'd like to address that right now. Yes, I used to be a professional singer. No, there will not be any singing in this presentation. Thank you. Don't tempt me.

When speaking at Secure the Human and speaking with security awareness professionals in conjunction with my book, one of the questions that kept coming up over and over and over again is that we can teach people what to do. We can teach people what they need to know. But that doesn't translate into them caring about those things. How do we get people to care? And that's been a big, big question. And part of this presentation is some of the research and some of the talks and some of the interviews I've done with organizations around the world, as to how they've solved that problem, and a model which we, here in this room, can use in our lives, in our professional lives, in our organizations, even with our own families, to change how people feel about security and get them to care and go to that next level.

But how do we do it right now? What's our typical approach right now? And if we are clever, or at least somewhat educated on the concept of communicating these things, we take a risk-based explanation approach. We've got hackers out there, we've got these threats, and this is how you mitigate those threats, here's what you need to do. And the response you get, I can guess, because I get the same responses, and I've gotten the same responses throughout my entire security career: people look at you, and they don't know what you're talking about. So you go back to the drawing board. Okay, so let's talk about the costs of the threats, and the costs of not doing anything, and here are the costs of the mitigations, and the costs you need to do, and the response you get is... Okay, so then you go back to the drawing board and you try to simplify it even further. And you need to do this, we need to do this consistently, we need to put these checks in and these controls in, and you get the same response. And so then you end up in this fight because in the end, you're just saying, just do it. And they're saying back at you, just do it for me. And that's what the survey results from Dashlane highlight: that people expect that security professionals and security technologies or something, some magic, will solve the problem for them. And this is not a problem that's specific to security.

I've had this thought, I must admit. I've had this thought. Wouldn't it be so much easier if we just ripped out all of our teeth and replaced them with dentures? Wouldn't that be so much simpler and easier? We wouldn't have to worry about things. And the dentists reply, no, you don't need to go that far. You don't need to do that. All you need to do is some simple, cheap, inexpensive habits. You need to do them every day. You need to floss. You need to brush every day. You need to do all these things every day. You don't have to deal with that anymore. And oh, by the way, dentures aren't a one-shot, no-more-cost solution. They take upkeep. The technology itself needs many habits supporting it to make sure it's going to continue to do what you need it to do. So this is not something that's unique to security. This is human nature. We don't want to adopt new habits. We don't want to adopt good habits or healthy habits. We just want the solution solved and we don't want to have to think about it anymore.

When it comes to security though, I know for those of you who have been in the field for any length of time, you've probably run into the situation where you've got senior management of a large organization saying, build me a security infrastructure worthy of Mordor. And they start cutting fat checks and they bring in teams and they bring in consultants and they do all this stuff and they create all of this infrastructure, and you want these things done and in place, and that's great, that's wonderful, yes, that's fantastic. But then what happens? What happens is that, from my experience, you end up with senior management saying, oh yeah, we really like this new anti-virus, anti-malware technology. We want it in there. It's great. The threats have been shown to be mitigated. This is great. It's going to protect the company. Please exempt my account because I don't want to have to deal with the inconvenience. Please, thank you. I've had CEOs say this to me multiple times in my career. I'm like, but, but, but, but this doesn't make any sense. And when you've got somebody who knows what they're supposed to do, be it senior management, be it a co-worker, be it a family member, it doesn't matter, you've got someone who knows what they're supposed to do and isn't doing it. The reason why is because, A, they don't care, or don't care enough, or they care about something else more. And that something else more can be really hard to define and really hard to catch and correct. So you end up with this fight where you're saying, sure, I can put in all this technology, I can put in all these things for you, I can run the security infrastructure for you, but I need you to play ball with me, I need you to also be doing things as well, and they're saying, but I thought you were going to handle that for me.

So what do we do? How do we handle this disconnect? Because what people are naturally going to value is a one-shot, one-time solution. And they're not going to value changing what they do. And we as security professionals, and what a lot of people here and the presenters at B-Sides, what we're saying is change is the solution. And all of this technology, all this code, all these consultants, all these processes are there to support the change in habits and the good habits that we need to have in place to secure ourselves, our families, our group, our department, our organization. That's what it's there for. It's not a replacement. It's a support. We can put in two-factor authentication. Yay! But it doesn't do any good if you don't use it. Doesn't do any good if you don't implement it properly. All of these are habits that need to be implemented by everyone in the chain. So, what we want is some method, some way of getting people to care enough about security, care enough about the problem, to willingly accept the challenge of change. Now this sounds like I just went from InfoSec security technical and I went completely airy-fairy on you and it's all woo-hoo. And really it's not, because there have been ways that this has been, where these things have been solved and implemented in a way that is truly, truly doable, and that's why I'm talking to you today.

The measure of care is the measure of culture. So what we're wanting to do, and it sounds impossible and it sounds big and it seems a little hard to define, but what we want to do is change a culture. And that seems really, really big. And it is, but it starts small and it goes into fantastic places with just the right amount of guidance. How do we normally change a culture? I would deal with security awareness professionals and other security professionals and they want to talk about security culture engineering, security culture design, and how does it normally play out? And it's what I call, I've officially dubbed, the Schroeder cycle of sticks. You start off printing off stickers. We need awareness, we need posters, we need fancy stickers, we need to get this program in place and get everyone on board and excited and make it cool. Great, yes, awesome. You try to dress up whatever your policies and procedures are, no matter how inconvenient or confusing they might be, and dress them up so that, yay, we love our policies, yay. No, no, no, we don't. But we're going to give it a shot anyway and try to rally people behind something they don't like, but okay. And then, frankly, there are a lot of organizations that stop at this point and say, well, if you're not on board now, you're never going to be on board. The more clever organizations will go so far as to then go through actual training and say, this is what you need to do. These here are simulations. Here are phishing attacks, simulated phishing attacks. How do you respond, and go through that training, which is great. This is beautiful. This is wonderful. But then what happens? If the culture, if the organization, if the people have already been set up to accept all this and to streamline it into what they already care about, it comes in, they absorb it, it comes into something they normally do, and we're great. If it doesn't, then we're left with frustration, anger, yelling, punishments, HR gets involved. We have a whole bunch of things that then pop in because everyone's frustrated. We've done all this work, we had the security awareness campaign, we brought in all the security training, nobody's doing it, nothing's changed, we're just gonna start fining people, we're gonna start impacting their performance reports. And while some of these things can work, and some of these things have a place, it's not going to stick unless it already fits within their culture and what they care about. Let me give you an example. You're here. You're here at B-Sides Edinburgh.

Now, for Thomas Pornin, I went to his, yes, yes, I went to his presentation on BearSSL, and when, for the attendees attending, he did not have to convince people that encryption had a value. He didn't have to convince people that using SSL/TLS was a good thing or what it could be used for. He could assume all that and say, here's an implementation that is going to be useful and you can accept it or not or whatever. And it's fine because you're all working from the same standpoint, from the same foundation. On the other hand, you've got training. You wanna learn how to sail, you wanna learn how to play the piano, you wanna learn how to swim the English Channel. That's great, that's no problem. You then go through that learning process and you add those skills to what you've already done, what you already know. Learning and training are additive. You take something new and add it to what you've already done and what you already know. And that's great and it works if you're willing to accept it. What if you're not? Change, on the other hand, is subtractive. You need to remove things from what they care about, that thing they care about more than doing what they're supposed to be doing. You need to change those things, remove what they care about, and replace it with something else. That's big. That's huge. And that requires empathy. That requires an awful, awful lot of empathy. And I've got really bad news for you. You suck... at empathy.

Now here's the reason why. Now you've probably heard this phrase, I've heard it a thousand times in my life and I want to punch someone every time they say it to me because it's not true and it doesn't highlight what's actually going on. Technical people are people people. Technical people, well, okay, there are some technical people that just simply aren't people people. Barring personality issues, you know, just because you're technical doesn't mean you're also not a people person. What people are perceiving in this is what's known as the curse of knowledge. We security people have been steeped in this for a long time. I was hacking computers in my parents' basement when I was in primary school. So in the early 80s, on my Commodore 64, I was hacking video games, right? That brought me into this entire mindset of how to find the weaknesses in things and how to exploit them and then how you defend against that. And I've been in security for over 15 years in various forms. I'm steeped in all this knowledge and it's very, very difficult for me to then remember what it was like when just remembering all these things and just learning these things, and put myself in their shoes. So it's not that I'm not a people person, it's just it's really difficult for me to rewind so far, so much information, so much experience, to remember what it was like in the beginning. And me and you spend a lot of our time, when we talk about security, being embarrassed for the other person. We're going, no, no, no, you don't need to be doing that. And it's this response and this little bit of attitude which propels this idea that we're not people people. But we are. We could be. It's something we can do. But when it comes to needing to change someone and change a culture, change a department, change your peers, you need an awful lot of empathy, and it can be really, really difficult to get that level of empathy. But there is one group of people who is really, really good at empathy, who's really, really good at knowing what your target audience feels, thinks, what they care about, and what they want to do next. And that is your target audience. They know what they care about, they know what they want to accomplish, they know what their fears are. So what you need to do then, if you want to change them, is get them on board first.

Now, what I'm going to show you is a process that has been used not only successfully for information security and cybersecurity to change large, old organizations, but it's also the same process that has been used in developing nations in order to teach farmers who've been doing the same things for generations to adopt completely new practices. This is the same thing that's been done in small scales, large scales, and just about every culture around the world, because it is the process, and there are some cultural engineers and cultural scientists that think that this process is the only process that will work to change a culture in a short period of time. Without it, a culture will change in about three to ten years, according to studies. With it, culture change can happen incredibly quickly. How, whoever you are, whether or not you are the CEO, or an intern, or a junior member of the programming team trying to get the rest of the department to do more secure coding practices, or trying to get your parents to do proper account management, how do you, whoever you are, get a group of people to care so they'll embrace personal change when you lack the required empathy and leverage? Now, this is not about your lack of empathy. I'm not saying you don't have empathy. I'm saying that for this situation, you lack the empathy to make this particular change. And it's this. The three-step plan to change a culture.

First, find intrinsic value in an idea. Two, recruit and connect volunteers. And three, tell their stories.

Let me unpack this a little bit and show you how this can work. First, find intrinsic value. Now, this is the intrinsic value for them. Not you, not best practices, not what the guide says. This is the intrinsic value for them. It's not communicating, you should value this; it's figuring out what they value and connecting to that. How do we do that? There's a process I've used quite successfully over the years with a variety of different people, including the European Patent Office and one of their leaders in information security, to reach the patent application reviewers and analyzers. You can imagine that's a tough crowd to try and empathize with. It's called the three whys, sometimes known as the five whys. You propose a statement to yourself. If you've got someone game to play with you, you can ask them too. But you start asking them the three whys. I'll pick on passwords because it's easy, not that I think that what I'm about to say is necessarily true for everybody in all situations. But I'll just pick on passwords. So, use strong random character passwords. Why? To strengthen access into the account. Why? So that malicious people don't gain access to your account. Why? So that they don't take money out or change your information or steal your information and use it against you. Why? Because... And that next answer, however you answer that in your head, that voice in your head, that's the answer you want to get to. And that's going to be different for different people. What I care about is different from what you care about, and what you care about is going to be different from what they care about. You need to find that answer.

Let me give you an example of how I did this. I was teaching security awareness for an insurance company, and specifically, the company identified that their claims call department was not complying with security. And these are the people who answer the phone. So you get in a car accident and you need to call up your insurance company and you call them up and it's them who answers the call. So there's a high churn rate in the department. Most of them are straight out of university. A lot of people didn't have a lot of experience in the industry or in corporate environments even. So it was a really tough crowd and compliance was low. And the office was on the 16th floor. And I'm walking in the lobby to do an initial presentation to these people. And I didn't have this initial hook. I didn't have this, why might it be important for them, just quite yet. At least not on a level I was comfortable with. And I get in the elevator on the lobby floor. I hit the 16th floor. And by the time I got to the 16th floor, I had gone through the five whys. I said, I bet we'll try it out. We'll test it. We'll see if this communicates with the group. So I walk into the conference room, got a whole bunch of people there, and I say this. He says, you deal with people who are having the worst day of their month, their year, and quite potentially, the worst day of their lives. You do not want to be responsible for making it worse by leaking their information or infecting them with the virus. For that group, I had everyone's attention. And forever, I didn't have to get buy-in. Everyone wanted to get involved. I had volunteers to take extra training. I would walk up to people and it became the catchphrase: let's not make their bad day worse. That phrase has nothing to do with security, but it hooked into what they care about, because they deal with crying people on the other end of the phone, frustrated people, stressed people, all day long. And they have this natural connection with them, and I just tapped into that.

And that's a process for going through the three whys or the five whys process. Find out why something is important to them. And you need to ask this question of yourself and others to come to an answer. And you need to test it out to see what's going to fly. The idea should be so compelling that everyone would want to get on board. So it's something that is going to have universal appeal, it's going to care for everybody. In the claims department situation, I had a defined group of people, 90% of them, easy guess, 90% of them were able to resonate with that particular statement. And the value you come up with is not going to necessarily be the value you expect. For instance, I did this with the European Patent Office guy, and we're sitting down, and I was trying to imagine, I was filling in the questions in my head as I was asking the questions why, and he took things off on a tangent I hadn't even expected, and the end result, the message then, he then left to go work with that organization, was completely unexpected to me. People care about that? Oh yeah, it's their biggest fear, it's their biggest care, it's why they work. I'm like, okay, I totally didn't think about that. And it might not necessarily be anything having to do with security either. So be prepared for what they care about to be something unexpected.

The other thing in that initial idea with intrinsic value is tie it to some sense of urgency. This is just gonna increase your chance of success. You wanna find the value in how they would respond in a regular behavior, in a regular pattern. For the claims departments, every time they pick up the phone, they could be reminded of this. If it's something that they're doing every week, it's gonna be a hard sell because they're not gonna be reminded of it. It's easier when the value that you find is actually concrete and definable. And for the sense of urgency, why is it urgent? Why is it urgent? Why is it urgent? Why is it urgent? And mesh these two ideas together. It sounds more complex than it is, but if you go through this process, you will come up with really, really cool ideas, I guarantee you. It's worked with everybody I've ever worked with on this one. You also need to tie the value to goals. If you are a CEO or a leader or a senior manager, it's a lot easier for you to do this step because you know what the goals are of the business, the organization, your department, and you need to tie into what the momentum of the company or the organization is doing anyway. If you work against that, you're going to fail. Whatever you're going to do is just going to be cut off at the head because management, the rest of the business, is just going to shut it down. Which means that if you are not management, you need to find that intrinsic value, those three or five whys, you need to do it for management too, to get them on board, to help them understand what's going on and to get them to change and consider a change as well. If you are not senior management, get approval and support from as high up as possible. The CEO is best. If you can get the CEO on board and bought into this value that he or she wants to bring to their organization, you are miles and miles and miles ahead. But I've seen it work and I've seen it happen even if you're not. You have seen an intern shape an entire company's culture from the bottom, right? And sometimes that support that you need from senior management, especially if you want it to have long-term effect, that support can sometimes only come after you've shown that it works a little bit, that people are involved, it's showing positive results, and things are actually happening. So don't be afraid if senior management's saying, I don't understand, or I don't get it, or I'm not sure if we want to do this. There are ways that you can move forward and get that support later. Salesforce, for instance.

They wanted to do a culture shaping exercise for security. And they tried this new program where they're getting people to report certain types of security events. And that was great and it was going well, but participation was low. And then one of the security folks sent a thank you email to someone reporting and CC'd their manager. Participation rates went to nearly 100% in less than two months. Because even though they tried to do this big culture thing, getting that visibility from management, that CC, the carbon copy of that email, provided its own value. People saw different value and how it could connect to business goals, and it just took off by itself. Salesforce has probably now one of the best security culture programs on the planet. And it all started from one email and one carbon copy.

Secondly, the second big step, recruit volunteers. And you need to be picky on this one. What you're looking for is people who can be change agents or early adopters, natural leaders. These are the type of people, this is my litmus test: if I walk up to them and say, do you want to learn a new way to tie your shoe? And if they go, okay, and start taking off their shoe, those are the people you want. Those are the people who are willing to try new things and try new value and they're open. Those are the types of people you want. You want to aim for a broad spectrum of volunteers from as many different parts of whatever your community is that you want to affect. If it's an entire organization, you want from as many different areas of the organization as you can. These need to be people who are not already doing what they are doing. So just all the security people from around the organization doing security things? No, that's not going to work. You need the people who are going to go through a change. Get a pessimist on board, and you know who I'm talking about. The people who would be, yeah, let's change things, but I'm only going to be okay with it if it's the change that I've put forward. Those sticks in the mud, those people who are going to be resistant if it's not their idea. You want one of them on board. It'll be a lot easier, trust me. Then you need to make it worth their while for the volunteers to be involved with you. For the Salesforce organization, that recognition to their managers, that became its own value. Storebrand, we'll see in a second, Storebrand in Norway, they would get signed letters from the CISO if they volunteered for the program for security awareness and security information. And within this group of volunteers that you gather, the organization needs to be able to see themselves somewhere in that group. So you don't want, you know, really strong or unique personalities that are a little on the weird side. You want some of them as well, but you need a broad spectrum.

And secondly, you need to connect those volunteers. Get the team sharing with each other. We live in a world of connection technologies. Pick one, use one, doesn't matter. Get them connected to each other so that they can bounce ideas off of each other. Supply the users with encouragement and support, materials. Make yourself connected in that social network. Provide extra materials, extra ideas. If they say that they need something and want to try something, enable that. Try to make that happen. And provide limited edition materials just for them. This goes back to trying to provide the value for being involved. To say, hey, we want to teach secure passwords. Here is, for instance, a password cracker. Here is a free year's subscription to a password manager program, for instance. Allow something a little extra for them so that they can identify even more closely to the idea that you want to get across.

And then tell their stories. If they succeed, broadcast it. Say, hey, here's somebody who was in this state. They met this challenge, they changed, and now this is the result. Communicate that success. As the intrinsic value becomes reality, broadcast it. When failures happen, and they will, don't hide it. Turn it into a story. This is what happened. And this is what we learned from it, and this is what that person did differently next time. Don't overshare. Some people have run into this as well. They want to broadcast something every day. Too much, too much information. Once a week, great. Once a month, perhaps too few. Your organization, your community will have a natural pace for that. And these stories act as social proof. This is just pure advertising. You want to tell these stories, you want to share the change in values to the rest of the people, and the rest of the people need to see that it's okay, and things aren't going to be completely bonkers if they decide to change. And every once in a while, check in with management. You might get more support, they might love what you're doing, and they might want to continue it or provide extra resources, which is always good. The last stage.

Invite more volunteers and accept them in stages.

That turned out to be far more momentous than I meant it. You don't want to have a small core of volunteers and then invite the rest of the organization. No, you invite five people, you invite 50 people, and then invite five more, invite 50 more, and allow this new group of volunteers to adapt to the change.

Get them interconnected, get their ideas, allow it to renormalize, and then invite another five, another 50, however that works for pacing, whatever makes sense. And you just do this until you reach a tipping point. Now that tipping point can be around about 40%. If about 40% of the organization or 40% of the community are volunteers, guess what? The rest are considering themselves volunteers too, most likely.

and people will just naturally start acting like they're volunteers, even if they're not accepted. That just happens. When that starts happening, you know you've been successful, and now the walls around the in-crowd of the volunteers and the rest of the community, they start dissolving. And once they're dissolved, and everyone is bouncing ideas off of each other, renormalizing, communicating, getting their stories from one another, you have now changed the culture.

You just rinse, repeat until you reach this tipping point and the culture will form itself. Some general tips. Culture grows organically, don't force it. You cannot predict in which direction the culture is going to go. Don't even try to guess. Support people. We're here, this is about people, not about making sure the culture looks the way you want it to. It's in their hands, not yours. Remember, they're the ones with the empathy for themselves. Keep the focus on value, though that value can change. We came up with an intrinsic value. Then as more people came in and the group of volunteers grew, a new value emerged. Great. Embrace it. If it's a value and in line with management goals, perfect. The idea is king, not any one person, not you, not some leader who starts to take over the group. Make it all about the idea and make it all about communicating that outside. It's all about other people. It's not about everybody trying, it's not the group being internally focused. Find ways to increase intrinsic value. You start off with a carbon copy to a manager, great. Get the manager or CISO to hand-sign a letter, right? Increase that value, find ways of increasing the value. And then as you go, you simplify. And you enhance, and you simplify, and you enhance, and you simplify and enhance. Making sure the culture can grow organically in a way that's going to make sense for the people involved.

Storebrand. I've got a couple quick case studies, and I'll take questions at the end. Storebrand. 250-year-old company. Financial services, real estate, they're in a lot of different areas. They're based in Norway. They've got offices in Sweden and Lithuania as well. Brand new security program, not a security culture program, they didn't really have a security program at all in order to educate people. The initial goal, you know, the number they pulled out of a hat, 66% voluntary participation in the new security education. They had full senior management support, including the CEO. They had an idea to get non-security employees to lead the rest of the employees to the education that was provided. They identified the natural leaders in the company. They did this in a really unique way, which is not going to be totally reproducible by everybody, but they had a special technique that worked really, really well in the organization to identify who those volunteers were that needed to be in the team. They identified them before they even started and then crafted the intrinsic value to them and special messaging for them. And they provided specialized material and support for those volunteers. Within nine months they had an 80 to 85 percent voluntary participation rate in a security education program. That's unheard of. The other benefit was that the security department, the brand new security department, was invited to business meetings. They didn't have to ask. They were like, security is important. We have accepted security is important. Please come. We need you in this meeting. After 12 months, the non-security employees started off with 20 people from across sales, business, developers, a wide variety of people. They started their own security guild where they talked about security topics. The security team was invited to attend but were not necessary. That's bonkers. That's how much the culture changed and shifted and adopted this thing to care about.

It's an incredible study. I've been working with a security leader.

Case study number two, I can't get into any details right now. 40-person department and the goal was to get them to do extra work. Yeah, guess how that was gonna fly. I was working with this particular group. And our goal was to get 33% participation. If we get a third of people to do some defined extra work, great. When I surveyed and asked people, they saw the value in the extra activity, but I was getting some challenge in getting that participation. I was seeing only about a 10% participation rate. Couldn't figure out why. And in fact, even though they said, we really, really like this extra work, we want to get involved, in the actual doing of the work, the opinions were really, really low. So what happened, almost by accident, almost by accident, was that the framework that was put in place to help these volunteers, scrapped it. Scrapped it all. Replaced it with the loosest of guidance. To say, if you do this work, you should be able to, at the end, you should be able to do these, you should be able to answer these five questions if you've done the work. If you've answered these five questions, you know you're done, right? And then the intrinsic value of doing the activity was proven in practical terms really, really, really quickly. Within a week, we had a higher than 10% participation rate from this group, and then after four months, we have seen a 100% participation rate in the new activity, and everybody has jumped on board enthusiastically. And we used the same model. We identified the volunteers, those who were and those who weren't going to do the activity naturally. We had people who were going to do the activity and were experts at it, and we had those who weren't. We took the people who weren't the experts and put them through a bit of a hand-holding exercise, and when the value was seen, everybody piled on board. And that's all it took. Again, this worked as effectively as it did because of the intrinsic value that the people saw in the activity. If it wasn't for that, there's no way this would have worked. But because we found what they valued and what they cared about, it worked brilliantly. It was really, really great. I'm really proud of the people and what they did.

So in summary, how do we initiate security culture change? Find intrinsic value in the idea, the activity, the subject. Create a sense of urgency, understand the sense of urgency, and communicate it. Align to the business and personal goals. Seek volunteers. Connect those volunteers. Publicize success, turn failures into stories, and invite more volunteers in stages. This has worked in a lot of different areas. I've got way more material than what I've just presented. I can happily answer questions. Gaping Void, which is a culture design company who I've been in contact with, they said this, culture jamming is a trillion-dollar industry. Get in early while you can.

It's not about the business opportunity here. It's about people want to care. People want people to care about them. And if you can provide that, if you can provide that support and that empathy, you can make enormous change. And that's the point.

Any questions? Yeah. So you mentioned 40% being the tipping point in the culture. Why is that? I would assume that in psychology, 50% of people would be with the majority. So why is... We're going to repeat the question. Why is 40% a tipping point? It has to do with group dynamics and sociology. If you've got that large of a group of people, it doesn't take half. It's just enough activity going on and that activity is supported. And if that activity is also outwardly focused, people just naturally sort of glom onto this movement that's happening. And it doesn't take a majority to make that happen. It takes a dedicated few, and statistics, surveys, and studies have shown it's around 40%. So you don't need to aim for 80%. If you can get to 40%, it usually will take care of itself.

Yes? See how it says about the noise from management being one of the key why people do stuff. Would you say that's one of the highest commonly used ones, or is there one that trumps it in the program that's done? I had mentioned that it was the support and the recognition from management that was a huge motivator. Is there something better or something else? You have to tap into the value that they see. If recognition from management is what's going to motivate, if it can be rolled into performance reviews at the end of the year, if it could be tied to pay raises and others, all these things added value to the management recognition. If that's not true for your community, your organization, then it's not true. You have to find that value in whatever it takes. And for some people, it could be enough just that the activity is fun. Or the activity could be done together with the group. And they could do something cool together. Or, or, or, or. I mean, with the claims department, the only motivation I needed to give them was, don't make their bad day worse. They're like, hey, yeah, yeah, yeah, totally on board. Yep, we're in, we're in like Flynn, let's do it.

Any other questions? Yeah. You said get a pessimist on board, you don't taste it. Can you expand on the value of it? Get a pessimist on board. In the volunteers and the people that you're scoping out, you're going to have somebody that is going to see this change. They're a change agent. They are a leader. They're a natural leader. And they're gonna see all this change, you're gonna see all these things happening, and they might feel out of the loop if they're not included, and they'll become a barrier. They will make themselves a barrier for whatever personal reasons that they have. They'll make themselves a barrier. Or they just like being negative. If something's being successful, they like being negative. If that person is also a change agent, a leader in the organization, you don't want them against you. You want them with you. You don't need to get all of them in. That would be a disaster. But if you could at least get one, then the rest of the pessimists, the rest of the people who are unsure or are going to have resistance, will say, okay, well, at least they're okay with it, right? Even if I don't like it, right? It's not all the up with people who are doing the change. It was like, oh, well, he's there, so okay. It gives it some legitimacy. Remember, everyone should see themselves in the volunteer group as much as possible. So yes, the pessimist, bringing in that pessimist, has a lot of different value involved.

Yeah? So you talked about the program. How do you sustain the program? Because one certainty in all organizations has changed. New initiatives have come along, and they have more value to the individuals. And so how do you maintain the value of your program? How do you maintain the value of the program? How do you sustain the program over time? That is a fantastic question. I had more time to answer it because I could do an entire 45-minute presentation on that alone. Let me condense it to say this. The whole point here is to change the values and change with the care. It's not necessarily about maintaining the program and maintaining the structure of this culture initiative. It should become natural. The barriers to structure should naturally dissolve away. How then do you maintain those values in an environment where values are constantly changing? That's why it's very important to understand business goals and organization goals, the goals of management that's in place, and try to provide something that's going to be durable from the start. It's not going to be cut off at the knees shortly after. But then you have to continue in this cycle as a habit. You need to then, if values start shifting because of all these competing pressures, people back to say, hey, remember these ideas, we care about them, I need some volunteers. Who wants to volunteer to... and just do it again. It doesn't take... what I'm talking about doesn't take a lot of money, doesn't take a lot of structure, doesn't take a lot of organization. The more organization it takes, the worse it'll become, the greater your chances of failure. The whole idea is that it should grow naturally and should dissolve naturally, leaving changed values and changed people in place. And you're gonna have to do it in a cycle as just a natural part of dealing with people.

Any other questions?

Okay, just before you go, I would love it, I would love it, love it if you use the B-Sides app to rate the presentations, if you didn't know that was possible. I love feedback. I'm not looking for adulation. I want to know if I'm not doing well, if there's things I can improve on. I would love that feedback as well. That's something I value, and I would love to get your voluntary participation in providing that feedback so that I can improve. Other than that, thank you very much, and enjoy the rest of the day.