
GT - The Human Factor: Why Are We So Bad at Security and Risk Assessment? - John Nye

BSides Las Vegas | 55:09 | 99 views | Published 2017-08
About this talk
GT - The Human Factor: Why Are We So Bad at Security and Risk Assessment? - John Nye Ground Truth BSidesLV 2017 - Tuscany Hotel - July 25, 2017

okay welcome to ground truth we are really pleased today to welcome John and his talk about the human factor why are we so bad at security and risk assessment we'd before we start we will be taking questions at the end and we have the mic as well so we'd be passing that round I said please could you save your questions to the end and we would also like to thank our sponsors without whom this would not be possible very sprite tenable Amazon source of knowledge and creativity sorry so without further ado we will let you get started all right hello everyone well thank you getting applause before I even start let's see if you feel that way at

the end and I'll be happy so we'll do introduce I'll introduce myself my name is John Knight I don't have any slides up here what am I doing wrong I think maybe this is that's turned off that's what's wrong so anyways my name is John died I started messing around with computers in about 1985 now I was only 5 years old but my dad brought home a tion thousand and it was done after that now I wanted to play games with it of course and the thing takes cartridges but my dad wouldn't buy me one he bought me a book of basic programming with a bunch of stuff in it and I was like I started

putting a game in and realized I could screw it up as much as I wanted and it was never played games after that I was like this is awesome so and I kept messing with computers and now I VP of cybersecurity I'm still not getting any Oh it's slightly coming up yep some of the VP of cybersecurity strategy and it's not a made-up title I swear to God but before then I was a consultant for 10 years so I've been doing pen testing I've been a hacker I've been an auditor I've done all that kind of stuff gotten to work with people and over those years I've really gotten to the point where where the

the human it feels like we're to this point now in security that the human element is literally stopping us is with keeping us removing further that's what I believe the company I work for a synergist tech we're consulting company mostly for healthcare so if you need consulting services you can talk to me so let's talk about wetware in depth so to begin with we are all biased even the most enlightened person you know is biased it is so engrained into our core selves that we cannot be anything else but biased each and every one of you came into this room with preconceived ideas maybe you saw my tweets or my blogs on the topic maybe you saw the

line was as long as others maybe you know maybe you saw my writing on this topic and hope to learn something today or maybe you think I'm crazy and you came here to prove me wrong then as you all came in and sat down you wondered if this hour was worth your time do I really want to sit here for an hour then the biggest hurdle was when you all looked up here and saw me and realized I was a speaker maybe maybe you think I look like a tool or maybe you think I'm cute I am single or maybe you hate my jacket or you think I have stupid hair or a million other things you could say

positive or negative about me on first impression but the entirety of how we feel about people situations risks decisions ourselves others is all directly related to these biases which are very much controlled by our emotions and it appears as best as scientists can tell so far that this is the method by which our minds have evolved to deal with the world so consider this every person in the world at every moment whether they're awake or asleep is receiving a myriad of sensory information you've got your set your your sound your feel your emotions all this stuff is going on well it's more than a computer good process and it's certainly more than we can process

consciously and it's way more it's more than you can imagine it's more than you can fathom and because of this our minds handle the vast majority of all the data independently of our conscious so you're unaware of most of what's going on inside of your head now we don't know what's going on and so we're not inundated at all times and it's only possible because our minds have found a mechanism to stay safe and the mechanism is not trusting us so your brain does not trust you to do things so maybe it's time you stopped trusting your brain too what's the most important system on your network that's what we're gonna talk about today to get you in the

right frame of mind before we dive in let's think think about a recent argument or disagreement you had or another situation where you had to convince somebody of something anything all right how many times does this happened you come into the confrontation with significant strong and irrefutable evidence but despite all logic and reasoning your opponent has dug in their heels they won't budge I seriously doubt this is unfamiliar to any of you we all deal with this all the time it can all think of situations where somebody would not change their belief and I'm not just talking about idiots who believe stupid things I mean I know lots of intelligent people that believe things that I can't

fathom they make no sense to me and I have no idea how they believe it but they're not going to budge and they're not going to change the question on the screens rhetorical but I hope you guys have thought about it at least at some point and in case not the answer is humans the most important system on your network is the people so think of the times when you watch someone despite all the evidence and warnings to the contrary proceed to make an ill-advised or incredibly stupid choice we've all seen it in fact a few user 20/20 vision through 20/20 hindsight I guarantee every one of you in this room can think of it at least a couple situations where

you did something that you now know was just the dumbest thing you've ever done we've all done something stupid like that whether it's when you're drinking or what in fact there's a pretty good chance you'll probably have something like that happened this week because we're all here in Vegas but due to the nature of our minds we're mostly incapable of actually seeing these seemingly obvious problems when we ran in the moment at the point of decision all the logic goes out the window I'm going to do my best to help all of you better understand people the people that use your networks including yourself through this talk and with the help of security and IT as a whole I hope we can

all make things better we'll see so these are the broad topics I'll cover as best I can I have limited time so I've done my best to try and finagle things so I can get to all the topics I want to talk about right now this talk will introduce you to these concepts but there's dozens of books hundreds of research papers and there is lots of scientists out there who are studying this right now who are going on and trying to understand why the mind does what it does why we think what we think why we make decisions we do so if this interests you please read some of the books I recommend find more we this is

not something that I can do by myself because I'm I'm not even the smartest person in this room I'm sure of that and we live in a we work in an industry that is incredibly full of very brilliant people and if we can actually think about things and come together we could actually make a difference so we could do things like better security tools more successful training modules all kinds of things like Soylent Green wet where is people people are the single most important asset on any network computers let alone networks only exists because people use them we don't have computers just for the sake of having that people use them and despite or perhaps because of their best

intentions people are terrible at decision making and by extension they're bad as security now are all of our use education efforts completely pointless how can we better understand our users how can we better understand ourselves knowing what makes people tick that's the key to keeping them and our non biological systems all secure the best hope we have to move beyond the reactive security model that we are still using is to better understand and embrace the truce of the human component of our networks so but please keep in mind that this is a difficult journey our brains are full of little safety mechanisms to keep us happy and keep us oblivious people do more unconsciously in a second

than they do all day consciously so our brains are working but they're not very and they're also incredibly good at making us believe that we're in charge and this is why people can so vehemently stick to beliefs and concepts that make no sense to anybody outside of their little group and it's also precisely why it's so critical to have an understanding of what perception is perception is a very difficult thing to understand so I'm going to start out this section with an illustrative story set the stage and then we'll begin to to understand our own perception I hope but it's a very difficult concept and again we don't have a lot of time so when I

was a kid my uncle he had and was very fond of horses and he still is he killed he still collects horses like real live giant horses but when I was little he'd tell me about like a horse that was wild or a pony that was getting big enough that it was gonna have to be broken before it could be ridden now I am NOT a country kid I was not and not living the country computers were way cooler to me than any animals so I didn't I didn't worry about it but every time I heard this term whether it was for my uncle or the surprising amount I would hear it on like late 80s early 90s TV really

surprising them out you don't hear it anymore but we did that what I pictured was that the horses owner which is of course like a cowboy ran through type you know grizzly beer and he's only like what you're looking at you know just kind of one of those types but he would have to catch and literally break the horse this is what I pictured so it would be submissive enough to wear saddle carry people so in my mind this Rancher guy is this cowboy from his big stallion you know like a big shiny black horse that way bigger than the one he's he's braking he'd have to lasso this little horse and then he dive under the

horse and of course I pictured like a Hulk Hogan style you know like headlock or something and he'd have to put it on the ground and literally break the horse's back that's what I thought it was then the this cowboy guy would nurse the horse back to health then the horse would love them and let them put saddles and ride kids around or whatever so that's what I pictured every time I heard it none of that is anywhere near what it actually is to break a horse not that I'm an expert in that at all but I do know that that's not what it is but for surprisingly a long time that preconception that my six or

seven-year-old mind made up stuck with me and it's still like if I hear on some random Western movie about breaking a horse that's the first thing that comes to my mind even though I know that's not true so I can honestly say that led to a bias in me against like cowboys horse owners country music I didn't like any of that stuff for a long time because I thought why why would they not just get a car or take the bus why do they have to be so mean you know seriously these are horses they're like living creatures why would you do that you know so you could see how my perception of that act

of freaking a horse led me to have negative feelings about those that trained and rode and were in any way associated with horses and in some way we all have biases like this so maybe you're vegetarian and secretly you think everybody that eats meat is disgusting and horrible or one that's really common and this is one I hear about all the time it is the bias people have against athletes it'll play on their sports ball team and now we're you know there horrible because they play for the other team until they get traded to your team and then they're just fine or they're great so these are these are just a couple of biases that we all walk around

with all day and they absolutely affect our perception of the world and our perception is one of the most important things for us to understand as humans we have a very unique perception of the world and the default setting of your perception is to be narrowly focused on your own point of view so by default the world does revolve around you and that is the default I'm not joking your brain that's how it works when I was younger again another quick story when I was younger I got to live near my grandfather who he was a professor in sociology unfortunately I just quit living near him when I was about 10 so I'd love to go I have had

nice conversations with him about all this stuff but I didn't get to but one day he he took me out to lunch which was exceedingly rare I don't think I'd ever done anything alone with him ever and he proceeded to tell me all kinds of these you know major life lesson things but I was like eight years old so 99% of them just right in one ear right out the other I got no idea what he was talking about but he did say one thing to me and I don't know why it's stuck in my brain but since then this is really it's been like the secret to my success it's kept me you know it's helping me be a good

pen tester it's helped me be a good person a good father and that is that he said this he said John remember it's all about perspective and if you don't understand if you understand that you can understand anything so if you understand that it's about perspective and that whatever anybody is saying or thinking or trying to convince you of from their perspective it might be the right thing and and you need to show them from their own perspective how that might work now this is a roomful of hackers and I honestly think that this is something that that hackers excel at you know but we don't often get to use this beyond the need to approach

software and systems from the view of an attacker but we do that you know that's why I got depend testing I love the idea of being able to step into the criminal shoes and try and do things that weren't supposed to happen or you know find secretive ways to get through things super fun but the same application of perspective it can help us to understand our friends our families strangers and believe it or not that ever elusive entity the user it's possible rather than berating users with security requirements making it harder for them to do their jobs at every turn it's time to work to understand them better and to present the most important information in a

manner that makes sense to them from their perspective so there are there are many special images videos sounds that severely affect our perception and make us question what we're seeing these images here illustrate perception in the two cartoons they show you know at 6 or a 9 of 4 or 3 you know they're seeing it from a different angle so it looks different to them or they show you something that appears to be something it's not so if you look in the upper left you see these those lines do not look like they're parallel they look like they're askew but if you take a ruler to that all of those lines are perfectly straight and parallel it's

the pattern of blocks that makes it appear skewed or other things method mess with our perception are like the two images on the left there those show how something can appear to be two things at once is that top left a man's profile or a straight on picture with the shadow on part of his face it's probably both and how many legs does that elephant have I think it's like seven so all these things illustrate how perception is not consistent you are not seeing exactly the same thing as everyone else you don't go home at night to the same family as your coworker you don't know their beliefs you don't know their biases prejudices passions or a

million other things that affect their perspective and make them who they are so how can we presume to know how the user will react to something how about training from the perception of those that disease the training it appears to make sense and be compelling and interesting and now to some percentage of the population that will be the case they'll also find it intriguing interesting compelling but not to everyone what about the cashier that works in the cafeteria why does she care about her Outlook account she definitely doesn't care if your organization gets hacked but from her perspective if she could avoid the loss of money or her credit card was safer because of some actions she could take

and if we did something like that that would matter that would affect her immediately she would care she would go home and she might change her passwords so you know setup two-factor and then that starts building habits and habits are the most powerful thing that humans have I know this because I smoke cigarettes it is incredibly powerful and all habits are that way including habits of having good security hygiene our perception rules us but it is also ours to rule and this means that we live in a universe that is well and truly centered around ourselves and if we want to reach the rest of the world we have to consider our message how we deliver it

but we can't stop there because we have to think about how people retain that information human memory while amazing is inherently unreliable and our tendency to trust it is actually the cause of a lot of the problems that our society faces today fortunately we have a long line like a really long line of amazingly insightful scientists and academics who spent their whole lives studying human memory because of this you'd think that all these common misconceptions about our memory wouldn't be so prevalent but they are incredibly prevalent and I can tell you with absolute confidence that you can trust your computer's memory substantially more than you can trust your own and if any of you have worked in forensics

that's not a good sign think about that so memories often mischaracterizes an accurate method of recalling an event but like I was just talking about our perception is unique for each one of us so my remembers have an event is going to be completely different than anyone else that was there so this talk is a great example for me I'm gonna remember all your beautiful faces and I'm gonna remember standing up here and and sweating whatever you know all that stuff you guys might remember this section you might remember one of the gifts I show you or you might remember whatever you're looking under your phone if that's what you're doing and that's totally fine and makes sense so it's

different for each of us and how we remember he's really important understand to better understand I'm actually gonna talk about a really interesting study that was done it was done at the turn of the century this last one so in 1999 the these two cognitive psychologists Daniel Simmons and Christopher Shaw Burris they did a study to prove that when people focus hard enough on one thing they get with called in attentional blindness not intentional in attentional which is not actually a dictionary word but it's it's in the medical dictionary in this study participants were shown a video of a group of people passing a ball around and that's it and they were asked to count the number of times the ball was

passed by one of the teams either the team in black shirts or the team in white shirts I'm sure many of you have seen this heard about it it's definitely you know it's common and it's a big deal now at the end they asked him how many passes were made and universally they were right they got it or at least within one number they were all able to guess that but after the first question they then asked a series of questions that led with what about the gorilla and every single person in that did this study was like flabbergasted what are you talking about what gorilla nobody had any idea but halfway through the video of Google not really a gorilla a

person in a gorilla suit does walk in to the middle of this and if you don't know about it you don't see it they were all confused they didn't know what to do and it has if you think about it this has major implications for like witnesses and victims where there's no other corroborating evidence we often miss remember even the most unique things we do and the most unique things we see and we almost always add details usually in our own favor so this study is like the epitome of the counterintuitive nature of our minds so they've done tons of pulls since then I mean we're talking like 20 years since this happened in those polls 90% of the

people that responded said that they absolutely would have seen that gorilla now having the knowledge of the gorilla I'm sure they would have but I'm gonna play this for you this sound doesn't matter

I hope you're counting

and there's the gorilla but you all saw because I told you about it but this is when he made in 2010 so there are some slight differences so 16 maybe you guys got it right and that's great and you saw the gorilla but oh okay so about half people miss the gorilla if they haven't heard about it but did any of you guys notice this the curtain changing color or the player were in the black shirt walking up you did okay so a couple of a couple of you did most of you did not now watch it and even just in rewind you can immediately see it it's orange it's red there's three people there as soon as the gorilla

walks in she walks off now there's only two people so again inattentional blindness we're not seeing things you know did you see it all maybe a part of that is if this is new to you so our memory is being trusted as an agent of the truth is the biggest misconception about memory there is it is not so there's an organization out there called the innocence project which I'm sure some of you have heard about what they do is they're dedicated to helping people who they believe are innocent to become exonerated people who are in prison but did not commit a crime in at least they believe so so they look into this and they've actually been

really successful through the use of DNA testing according to their website they've released more than 350 wrongfully convicted people from prison also on their website it says that the average time these people spent in prison for not committing a crime was 14 years that's just like I don't even know how to react to that so I mean just think about that know know somebody home to talk about a second doctor Julia Shaw she said faulty memory played a role in at least 75% of those cases those people went to prison off of witness testimonies and things along those lines and as you can imagine so the one thing to keep in mind also that's really

interesting about this this is only in the US and it's only in cases where there is DNA evidence available so let's just I mean you can't even guess how many thousands of people are in prison right now that never did anything wrong or at least not what they're in prison for you know that's pretty scary so this this woman dr. Julia Shaw she released a book in June of last year that is called the memory illusion and this book rolls together decades of academic research scientific studies and it's actually really entertaining to read she wrote it very well it's a very entertaining book so she spent after she did these studies with this Innocence Project

she spent a quite a bit of time trying to figure out how the phenomenon of like false memories works and she was let's see her colleagues and her research the method by which false memories are formed and to better understand how they impact our perceptions and how they work so this study is my favorite in this study they gathered a group of subjects which of course is a bunch of college students because that's what they study on and and they brought them in and they got their parents phone numbers first before they ever had them come in and they called all their parents and they said hey tell us about a couple of like really outstanding things that happened

in your child when they were when they were young and they picked things like you know going to Disney World or whatever and they got photographic evidence of two incidents something that happened in their life then they created a third image that was completely made-up and they were without fail able to convince every single one of these people that that fake thing happened to them and they believed it not only were they able to do this these were not like you went to dinner with your grandpa and it was made up no this is this is stuff like one of them was a picture of a kid hugging Bugs Bunny at Disney World if you know anything about Disney Bugs

Bunny doesn't he's not work for Disney and he would not be in a Disney park I've been to them trust me they are not gonna let some way I don't even know if they let you and wearing a Bugs Bunny shirt you know it's very serious another one they do was they convinced a guy that he had went to England when he was like 5 years old to have a picnic with the royal family and showed him a picture of the Queen Mother and Prince Charles with him in like the mid eighties and he believed it and they and they thought it was real so they were able to convince all these people that these made-up events

happened and at the end of this study they were able to say without a doubt in planning false memories is trivial it's incredibly easy to do and we do it to ourselves you didn't really have to try you just kind of have to lead people a little bit now all of us have your social engineering already know that it's pretty easy to trick people so another subject she covers in depth in her book is how to get through to subjects how to make things memorable and then I'm gonna go into this a little more late later but what it comes down to is really interesting it comes down to arousal and I'm not talking about

sexual arousal that's a whole different thing but it does come down to so in brain science arousal is defined as the state a state of responsiveness to sensory stimulation or excite ability or a state of behavioral or psychological other words your brain is active it's it's you know piqued your interest and that's really important it's a very powerful tool we can use we can improve others reactions to training awareness and all kinds of important things we need them to know so I'll go into that a little bit more but first when you talk about decision-making - so this is the the third main major thing that all people have to deal with every day so

our brains they are evolved if you believe in evolution I hope you do our brains are evolved from animal brains but they still evolved from animal brains so in the moment our fight or flight instincts tend to take over especially at the point of making a decision regardless of whether you feel it now some people are a little better at recognizing these effects and can offset them a little bit but decades of study demonstrate that decisions made by people are as likely to be logical as the flip of a coin period so for years the security industry has been trying to figure out how to mitigate some of the issues that stem from the wetware that makes IT so

insecure now IT can be considered new relatively compared to other technologies and cybersecurity or you know security and for IT is also relatively new but none of the concepts we're talking about here are new since as long as people have had something to be scammed off of them there's been somebody out there who would scan it off of them take advantage of our natural you know jumping to conclusions our own stupidity if you will so scams are nothing new and neither is the desire to understand why we're so terrible at so a lot of psychological experimentation and research one of the biggest reasons we're so terrible at identifying scams is the part of our brain we share most

closely with animals the fight-or-flight part of our minds that's the mechanism that makes you jump to conclusions make assumptions see patterns that don't exist and then we confidently use this misinformation to make decisions leading to many of the problems we all face like every day this part of our brain is controlled by our emotions and physical impulses so your glands and how you feel that day has a major impact on your on the fight-or-flight portion of your brain and so it doesn't matter how much planning how much logic we put into our decision-making process when it comes down to the actual moment of making a choice we our subconscious makes that choice your fight-or-flight makes that

choice and it picks the choice that it feels catch how it feels doesn't logically understand this it feels is least likely to cause regret and by that it means like you regret not doing something I mean regret is a is a pretty big term but that's problematic in a lot of ways for one none of us are safe this is a condition that literally affects every single living human all of us there's shine some light on this let's take a look at some groundbreaking discoveries that a neuroscientist named Damacio made a few years ago he and his team were studying the parts of our brain that generates emotions and what they did was they found a bunch of

subjects to study who had had brain damage to that part of their brain so they could not feel emotion which you might think that's kind of cool it'd be like a robot you know but it wouldn't be they were they were all of these people in in the studies were able to see logic behind decisions they could come to reasonable and optimal choices they they could they could talk it out all day long and in theory in their minds they could do it but when it came to the actual point of making a decision almost all of them couldn't make one and I'm not talking about buying a house or a new car I'm talking about eating dinner

what not what to eat even just should I eat they could not do it they had to have somebody like guide them along so they're literally unable to make decisions and it's because their emotions aren't there so that shows that despite all the logic all our careful metrics measurements our emotional system takes over and it delivers the choice that it feels is likely to result in the least amount of regret when it boils down to the actual appointed decision emotions emotions control our decision-making and if you watch this movie it's a great one alright so much of the foundational research for all this was done by a psychologist named Daniel Kahneman and his colleague and friend Amos Tversky

Kahneman actually won the Nobel Prize in Economics despite the fact that he's a psychologist specifically for his research in the psychology of decision-making so it's real simple to see how this research can be related to the field of economics but it can really be tied anywhere you know you can tie it to marketing security warfare all kinds of basically any vertical but obviously we're here to talk how it relates to our field and so security as the whole exists pretty much exclusively because of the people that use these networks and systems if the system is designed to interact with something in a certain way it's not gonna try and find another way to interact it's not going to circumvent

that so a computer talking to another computer is going to follow that rule people not so much they're the ones that attack networks and systems and people are almost always the reason that attacks are successful whether it's an insider or somebody clicked on a phishing email or somebody put bad code you know for whatever reason it boils down to a person in the end and somewhere down that line so condiment Tversky their insights were a major wake-up call for the world of economics when they first start published their findings the the second the world of economics the economists all worked on the assumption that people are rational and will make rational decisions they honestly ran the economy that way and

they were doing terribly and they couldn't figure out why; nothing made any sense, and people were constantly doing the opposite of what they predicted. And it's because in reality we are completely irrational. People are not rational, is what it comes down to. These guys talked about a lot of stuff, so much stuff that I couldn't even get into it. Kahneman wrote a book called Thinking, Fast and Slow that goes into all the details about this stuff; I highly recommend it. Some of it's controversial, but that's what you expect from this, right? So common sense, that is about as real as rational decisions. So Annette Simmons, she's the author of a book called The

Story Factor, which I highly recommend; I'll talk about that in a minute. She says people are unconscious of most of their behavioral choices. If you ask someone why he or she did something, they will give you a good reason, a rational-sounding reason that has nothing to do with the real reason. As a rule, humans are not aware of making choices, much less why we make the choices we do. We do it that way because it seems obvious, we've always done it that way, someone told us a long time ago to do it that way, or we consider it the right thing to do. But like I said earlier, once a habit is in place it rarely comes up for review,

so if you can get good habits in place, it makes a big difference. So there is no such thing as common sense. I need you guys to stop saying that, stop expecting it; it's just not there. Every single person is different; their brains don't work the same as yours, and you don't know them as a person. So these revelations, among a whole lot of others that these two came up with that we just don't have time to go into today, are the reason for the renaissance of economics in the 70s and the paradigm shift in the art of negotiation, because negotiation before this, before decision theory, again, they thought that people were

rational, and that didn't work. It changed how policy, especially national policy, things like that, was written and how it was applied, and how it applies to different verticals. But why do we care here in InfoSec? So I believe that there is an overwhelming and pervasive misunderstanding of human nature in the world of IT and security. And I'm not saying this to dig at the industry; I love security, I wouldn't want to do anything else. But I am trying to say that we can do it better. If we seriously want to move the industry forward, we have to begin to accept a few facts of life and to work

in sync with them. But first we have to break security down, or at least part of it. So what is it really? Well, it's a way to protect people, their property, their livelihoods, from entities that may cause them stress or harm. Now I hope we're all seeing a common theme emerging here: we're protecting people, not really protecting computers. So I want to reiterate, I'm not telling you guys anything new here, I know that; I'm trying to show you why we need to change our focus, and there's so much more information out there about this. It's not news: people are the core component of all the aspects that there are in IT and security. People are that core.

Now we can look at the most analytical things, like big data or threat analytics, what's going on now; that's fine. All right, PowerPoint just crashed. I broke it, sorry about that. I broke PowerPoint. [Audience: Dude, that takes some skills.] No it doesn't; I'm tired of that, it's Microsoft. All right, so I think I was here. Oh yeah, so if we look at analytical aspects like big data, threat analytics, it's still driven by people. Someone came up with those algorithms that are used, someone wrote that software, people manage the databases and the information and they handle the reporting, and ultimately a person has to verify and confirm that the analysis is right.

So people are driving every component, from the users that we're securing to us that do the securing, and if we don't figure out a better method of influencing our users and our peers, then we can expect to continue in the Groundhog Day endless loop, like this GIF here; it just keeps going. We all know quite well that the vast majority of attacks start from the inside, and that it's done with social engineering in most cases. Basically every single type of social engineering attack uses tactics we've talked about that take advantage of people's emotions and natural tendencies. And I'm not the first person to talk about this stuff; it's been talked about for years. But we need to

figure out how we can better adapt, how we can make it work. So for all of human history we've been trying really hard to make our lives better with technology. It began with wheels, paper, printing presses, plumbing, electricity. Those are old technologies and they're all ingrained parts of our lives; we couldn't live without them anymore. None of those had any friction becoming irreplaceable, to most of mankind at least, and even less trouble sticking around; we're not getting rid of electricity anytime soon, or plumbing. They all have one thing in common: these were all invented specifically to deal with a problem that basically all people face, like going to the bathroom or seeing at night,

you know, really problems that everybody faces. With computers, they were invented to solve a problem, but not a problem we all face. If you think about it, they were first invented to crack some codes in World War Two, so that's not something we deal with every day. Some of us might have to crack codes on a regular basis, but normal people, the greater population, don't deal with that. So we've done a great job of interjecting computers into our lives, and all of their iterations; I couldn't live without it anymore, most of us couldn't live without the internet, without our smartphones. But I think there's been too

little focus on the human element. So when they made computers, they were like, oh well, people have to interact with these, let's make a monitor and a keyboard and a mouse, all right, we're done, people can use it. Obviously we've gone beyond that; we have user experience, we have operating systems that attempt to be foolproof. They're not, but they try. So it affects all of us, the networks that we're charged with securing and the users, and that includes our friends and loved ones. Something to think about. So con artists have been using these flaws of the human for as long as there have been humans; as long as there have been people who can

communicate, there have been con artists out there. What they're really good at doing is fooling people into thinking that something is their own idea, or that the con, the idea, is much more beneficial to them than to anybody else. So either way they've convinced them of something that's not true, and it's virtually indistinguishable from the tricks that have worked for centuries for all the con artists and thieves. And the primary key to the success of these methods is to convince the mark that whatever plan they're being swindled into is their own idea, or that it's much more beneficial to them, and that's including the person instigating it. Man, why do all these problems happen

today, anyway? There are... yeah, it died again. This is insane; I've never... I practiced this thing like 50 times. [Audience: You didn't have this problem?] Sounds about right, yeah. Somebody hacked into my computer, right? I have all the radios turned off; how'd they do that? I'm just kidding. All right, yes, that's exactly right. All right, so I think we were done with that one; we're almost done. All right, so what we need is some remedies. So we've been building our security solutions on false assumptions for long enough now. How can we expect to secure something as irrational as people? The answer is easy: we do what the field of economics did 40 years ago, when Kahneman and Tversky first

shared their findings with the world: we change our assumptions. We no longer build our models, our software, and our computers on the assumption that people will make logical choices. Now, it doesn't mean we have to change everything; it doesn't leave us in the lurch, because basically we're not completely screwed. If you think about this, all of us, I hope, have had that feeling that something's not right, that hidden itch. That's what it is: we're not dealing with the human element right. It seems to me, at least, that the latest tactic most organizations use to deal with the human aspect is either to put their head in the sand, which is, "sorry, we're not going

to do any SE on this engagement, because we know we're gonna fail at that," which is BS, stupid. If you're going to fail at it, you should be doing it even more. Or they throw more technology at the problem, like removing capabilities of users, you know, with EVMS or whatever other crazy measures you guys have seen out there. But we've got to change our baseline assumptions; we have to accept that people, all of them, are fallible and probably not paying that much attention. So maybe we need to approach the problems we're facing from a different angle. The most obvious area to which these concepts are applicable is, of course, the

evil words: user awareness training. And I know every organization I've ever worked with or for, everyone, the users and the security team, hates the awareness training that they might do annually, because it doesn't really matter; it doesn't really make a big difference in most cases. We all know that it's marginally helpful, maybe. And I know from talking to users that I'd say at least half of the users I've talked to cheat on those tests. They get the answers; they don't want to watch that stupid video and answer those questions. So maybe we should take a cue from how humans actually think. Can we make people do that? We can't make people do things. But if we're honest, people are really just

worried about themselves. Of course, you know, they love the company, and they inherently know that the enterprise's security is linked to their own happiness, right? No, that is sarcasm. In reality people are most concerned with number one, and those that directly affect number one's happiness, so their friends and loved ones, not their place of work, unless the paycheck stops. Even if they act like they care, they don't really. So logically, tie users' happiness to their employer's success; their livelihood is relying on it. But not many outside of the C-suite actually see those benefits, and really, people aren't rational anyway, so we can't expect that. We've got to stop with the assumptions. So instead of teaching users

how to protect company assets, what if we taught them how to protect their own information and data and devices? Let the security start with their homes. Teach them why, rather than demand that they do something. Tell stories, make it interesting, show them how to protect their home Wi-Fi. Does that help the organization anyway? Because you never make them work at home, right? So that's also helpful, but it also helps keep them safe, their families safe, keeps everyone happy. So I'm sure there are a myriad of other ways that we can apply this that I definitely haven't thought of. Like I said, I'm not the smartest one here, and it's gonna take all of us to

think about this. Another thing we can look at is people and processes. What about our processes, our workflows? I think it might be possible to change our approach to the plethora of processes that our organizations collectively rely on to ensure business continues effectively and safely, right? We all have these, and instead of simply making a detailed list of steps that people must follow, maybe there's a way to design these processes in such a way that the user can learn, or that leads to the most appropriate solution, without browbeating them into doing it. So people want to feel empowered, and they want to feel that they've made a contribution. So I do want to put one more quote here, and this

is another one from Annette Simmons, and this is great: "Most policy statements concern me. If you want to do the thinking for someone, because that's really all a policy statement is designed to do... at least story invites the human being you wish to influence to participate in that thinking process." So mandatory rules don't allow participation, and they tend to influence people into either mindless obedience or gleeful malicious obedience, which we've all seen: "Okay, you want me to do that? You got it, I'll do it." And that can definitely make things worse. All right, so let's wrap this up, because they're telling me I'm out of time back there. In the arena of human interaction

we are all equals: users, admins, non-users, babies (there's a baby back there), old people, everyone. We are all equal; it is like the ultimate in inclusion. Our humanity is the one thing that levels the playing field. We're not better than the user who downloaded a macro virus last week; we are all in this together, whether we like it or not. The only way we can actually get the ever-elusive user to be more secure is to start by humanizing, telling them stories, making the habits you need from them, like good security hygiene, directly and exclusively applicable to them and their sphere of influence. And then they'll make the changes to keep themselves, their loved ones, their families, anyone they care

about, safer, and that forms good security habits. Those habits carry over to work; they bring it back to work with them. So again, none of this is news, and I know that we don't, as a collective, consider it consciously nearly enough. But we are all fallible, and I am NOT talking about a particular group; I mean people are fallible, and that tendency to err is what allows us to keep our jobs, especially us in security, and what allows some of the greatest beauty, like art, to be created. It's also the root cause of most of the most colossal screw-ups in history. And I say that not to paint an ugly picture of people or anything; I want to bring this topic

to the forefront of our collective consciousness. I think that as a group, and now I am talking about security people in particular, we have some of the greatest problem solvers and creative thinkers in the world in our little tiny community, and if we all work together and we can make our goals concrete, we can as a group actually make the world safer. So let's get to work, and if there's time you can ask some questions. [Applause] Is there time for questions? Okay, there's a hand. Hopefully I can answer; I'm not a psychologist. [Audience:] No worries. As VP for your company, you've probably been responsible for setting the direction of probably some or many of these... [Nye:] More of, they

call me, ask me; I do stuff like this. Gotcha, gotcha. I don't manage anybody; kind of nice. [Audience:] But with that in mind, a lot of times for companies, specifically at the higher levels, it always comes down to cost analysis of some sort, right? You can't possibly accommodate every possible way for every person to be able to optimally learn, right? [Nye:] But you could make your training so that you have a training for maybe your help desk and a training for your cashiers and a training, you know, so you focus it on those particular types of people. But you're right, and there's another big problem when you bring this to the C-suite and

you say, hey, we want to train people how to keep their home Wi-Fi safe: they kind of laugh at you and are like, why the hell do we care? Because they don't care either, and that's where you've got to convince them. Yeah, well, I think she wants to use the mic. [Audience:] Oh yeah, thanks. I just want to add, it might be a good idea to look at the targets a specific person has, because security is irrelevant when it's contradicting his targets, and these targets are affecting his personal gain. [Nye:] Yep, absolutely, that's a very good idea, I agree.

And you guys can find me on Twitter at "end is nigh underscore com"; find me there, ask me more questions. [Audience:] So just to make sure I understand: when we're giving our security awareness training, rather than telling users "you've got to use a strong password," storify it, and tell them why, exploit or talk about some kind of facts, or even bring it somewhere else, like, you know, you wouldn't leave your doors unlocked, you would put a decent lock on the front door of your house, something that they can really relate to, and that's what's important. So humanizing it and making it personal, that makes the biggest difference.

[Nye:] Mm-hmm, exactly, and that's where that book, The Story Factor by Annette Simmons... I'm telling you, if you guys do security training of any sort, read that book. It's fascinating and it's true; all those stories work. Anyone else? [Audience:] I just want to thank you for saying that common sense doesn't exist, because I have been cursed with people telling me "it's common sense, dude, why, how hard could it be, it's just common sense," and it drives me nuts. And then the thing is, is this a way to train my children so that when I ask them why they did something, they can actually know why they did it? [Nye:] That's something

I've been trying to figure out too. That's part of what got me so interested in this, having kids and getting to see how they react and how they act to things. And yeah, it doesn't make much sense, because they're irrational just like all other people; kids just can't even express why they're irrational. Of course we can't either; we don't even know we are. That's all right, we're all gonna go make some irrational decisions and drink punch, right? We're in Vegas; gamble a little.