
Get on the Eye Level: Tailoring the Security Talk

BSides Las Vegas · 2018 · 36:30 · Published 2018-09
Difficulty: Intro
Style: Talk
About this talk
Drawing on a year of security awareness sessions with community groups, schools, scouts, and professional engineers, Fahmida Y. Rashid argues that effective outreach means meeting non-technical audiences at their baseline rather than assuming shared knowledge. She walks through tailoring threat models, password and MFA discussions, and privacy guidance to what audiences actually want to do online, and emphasizes staying focused on a single key takeaway per talk.
Get on the Eye Level: Tailoring the Security Talk - Fahmida Y Rashid Ground Floor BSidesLV 2018 - Tuscany Hotel - Aug 07, 2018
Transcript [en]

So thank you again for coming to my talk. We're going to be talking a little bit about how, as we all know, you have to talk about security in different ways with different people, and I'm going to go over some of the adjustments we have to make to how we think about the best security practices, and how you make sure you're reaching the audience. I have no idea what's coming up behind me yet, but I'm going to go through it. The title of the talk is "Get on the Eye Level: Tailoring the Security Talk," and "get on the eye level" is actually something from my psychology background. The idea is that when you're trying to make a connection with a person, you physically get down on their level: if you're taller than a person, you lower yourself so you're at their eye level. I'm short, so I wear heels, or I walk around, or I try to sit down. So the idea here really is that when we're talking about security, it's not just a physical connection we're trying to make; you're also trying to appeal to their desire to do the right thing.

So let's get started. I'm Fahmida Rashid. I'm the senior managing editor of Decipher. If you haven't heard of us, it's okay, we're brand new, a new publication that launched in March about democratizing security, explaining security without any fear. And if you have heard of us, thank you so much, we are so glad to have people reading us. But I've been writing about security, networking and IT for the last 13 years, so I actually do have a lot of familiarity with some of the challenges, some of the big issues in the industry. Prior to becoming a journalist, though, I spent 10 years as a software developer and an IT admin for a large university, so I kind of know how to talk to different people. That's been my job for the last 20 years or so: figuring out how you make your case resonate with the person you're talking to.

Here's the thing: I'm not just a journalist, I'm not just a techie, I'm also part of a family, I'm part of a community, I'm also part of a company, and because of that my job seems to just come with me. I just bring up security and I start talking about it on the most random occasions. One of my closest friends is here, actually, and I sometimes pick up the phone and say, "Why do you not have a passcode?" So for me, talking about security is something I'm very natural about doing. I seem to do it without thinking. I'm hoping I'm not the only one; I'm sure all of you have had situations where you see someone doing something and say, "Hey, you shouldn't be doing it that way." So once I realized that this is something I'm doing on my own anyway, I started reaching out to different groups: community groups, public libraries, schools, Girl Scouts, Boy Scouts. I started reaching out to professional organizations, being like, "Hi, if you want someone to talk about security awareness, I'm willing to stand in front of your group and talk about it."

Now, when I was thinking about this, I'll admit it, I had some really, really unrealistic expectations. I figured, hey, we all know that these are the things you have to do, you just find the right way to talk about it and boom, you're good to go. It started out with that Thanksgiving lecture. I have a large family; I basically held back the pumpkin pie when I gave everyone a lecture on password security. It's amazing how people will listen if they want that dessert. But then it's like, all right, I can't keep doing Thanksgiving every year, it's a little bit stressful, so that's when I started talking with different groups. Those are just stock photos; when I first started talking to people I never thought I'd turn it into a talk, so I didn't take any pictures, unfortunately. But I started talking with all kinds of people: some kids, some older adults, people my generation who are bankers, who are technical people like actual engineers, like civil engineers or IT engineers, and then just local meetup groups that would put up flyers and say, "Hey, come, we can learn about security," and I'd get a whole range of ages. So again, you're in a situation where you have to make sure that whatever you're saying, you're not getting only one segment of the population, that you're hitting all the others.

And I'm going to give a little bit of a commercial for Decipher for a moment here. We launched Decipher because we said we are tired of security being talked about by scaring people half to death, and when I'm doing the security awareness conversation I feel the same thing: I can't be standing up there and saying, "Hey, you need to protect your account or your bank account will get hacked." That's not going to work. So I needed to think about it. So I will say here, it's about finding the right examples, picking topics that are relevant to how people are interacting with the technology, and I want you to remember that, think about it, because we're going to be revisiting this repeatedly. This is kind of the central theme of my talk.

And so as I mentioned, we're talking about a whole group, whole different types of groups, and I tended to focus on three major areas. Depending on age, depending on what the people were asking for, I might talk a little bit about being safe online: protecting your data, what data collection really means, what it means when you're filling out that form to join that contest to get a cruise. Maybe just the idea of what it means to protect your password, what two-factor authentication is, so a lot of those basic authentication lessons. And then also what I would call broad security awareness. I mean, it's sometimes really hard when you're reading about, oh, there's an attack on the electric grid, there's an attack against the bank, what does it actually mean? So I would sometimes do just a glossary session where I'll have people say, "Hey, give me a word," and I'll help define it, talk about what it means in relation to what they're encountering.

And even right here I realized that it wasn't enough just to be thinking InfoSec person, non-InfoSec person, business person, non-business; that was kind of the mindset I had as a journalist. I've been writing for so many different audiences, I was used to that, and I realized even that was too broad. When you're talking one-on-one with a person you need to get even more specific. It wasn't just adults versus kids; it was adults who use this kind of social media site have a totally different set of concerns than an adult who is only using the computer in their house for checking email and surfing the web and maybe looking at their grandchildren's photos. So just the fact that we have to understand what the people's use case was, was very important, and it's kind of hard to do that when you're just saying, "Hey, I'm going to come to your group and talk about it." But what I realized is that just having a conversation beforehand with the organizer, saying, "All right, tell me more about your group, tell me what the people are like," helped. Did it always work? Especially when going to a lot of public libraries. I've got to say, libraries are amazing, librarians are the most amazing rock stars in the world, but then you're kind of stuck: you have no idea who's showing up that day. So I basically came with a whole list of caveats and conditions, and I'll just go through it as part of the talk.

But one thing I realized is that when we're talking about online privacy, when we say, "Hey, watch what you share," it becomes really, really hard for a lot of the people I'm talking to, when the entire point of their being on Facebook is because they want to share photos, or if their job is that they have to share information, they're collecting people's entry forms. Again, just saying, "Hey, this thing," is making things a barrier when I'm trying to talk to them. They're just like, "You don't understand what I need, you don't understand what I want to do," and I had to continuously remind myself that not everybody reacts to a security conversation the same way. It kind of points out to me again, and this is like a "duh," of course I should have realized that, but honestly I didn't: I actually didn't think about how everybody has different threat models.

Now I had three main questions that I started asking myself: Is the example relevant? Is the problem being described something I care about? And does the advice make sense? And I'll give you an example. I was speaking with a group of middle school kids; it was sort of an after-school tech club that they had, and I came in and we were talking, and we were talking about passwords, and we were talking about how you should be careful and have good strong passwords, and I kind of went on autopilot and started talking about password managers and two-factor authentication, and then I stopped. I looked at the kids in front of me. There were about 20 of them; 15 of them had a phone, five didn't. So me saying, "Hey, you need to turn on two-factor authentication and just use your phone and get your code," didn't apply to those five. And it made me feel even worse, even dumber, when I realized that among those five was my own son. I hadn't given him a phone, and I'm standing there saying, "Oh, you need to turn on two-factor authentication." That was a humbling moment, realizing that, hey, the advice that we talk about, the things that we say are security best practices, aren't best practices for everyone.

Another example was again with the same group. I was talking about how there have been studies where people just drop USB sticks in the parking lot and they saw how many people picked them up, and I was like, "No, no, no, you don't put those USB sticks in the computer," and all the kids almost in unison turned around and looked at their adviser. Because you know what, when you're in school and you're using school computers, you take your USB stick out, you put it in, you take your work, you bring it home, you're using it everywhere. So my advice had relevance if you're working in a company and you know that you should be careful, but had absolutely no bearing on this group of kids.

Or, kind of going back, I was at a library and it was mainly, I would say, basically my age group. They all had young kids, they all had parents that they were being IT support for, and we were talking about, okay, make sure that you're not accepting links, that you're not opening attachments from people you don't know. And then I stopped for a second and I said, "Hey, wait a minute, I'm a journalist, my entire job is to get information from people I've never heard of." There are HR recruiters whose sole job is communicating with people they've never spoken to. So me saying, "Hey, you know, don't click on links if you get an email from someone you don't know, don't open their attachments," was already not working for people. So then I stood there and I said, "All right, people, work with me here. What do we do? What do we say instead of saying don't open links, don't click on links, don't open attachments?" And you know, we started putting together, "Well, okay, I guess if it's somebody I know I can call them, I can text them, be like, is this okay?" For a lot of people, they were saying, "Well, I mean, if I'm on the library computer, do I really care if I end up opening a malware attachment?" Let me tell you, the librarian cared. But again, that's when we started talking about, okay, what do we need to have, what do we need to do for support, and that fired off a whole different conversation which we wouldn't have normally had if I'd stayed with the dogmatic "don't open attachments, don't click on links."

And kind of going back to the entire idea of, is this problem something I care about: if I am talking to someone and saying, "Hey, you need to make sure that you're selecting a proper username, and you're not giving out your personal information online," again, the kind of people I'm talking to, that advice sounds different for younger kids. There was a group of second graders at this point. They love being online, they love going to pbs.org, they love going to Nick Jr., and they're just surfing the web and doing stuff. A lot of them had accounts on Minecraft and Musical.ly, and there are all these other accounts where they're basically doing stuff. Scratch was another one where they were doing coding projects. And I said, "Hey, what username do you use?" You know, most of us tend to do first name dot last name or some combination, and we said, "Yeah, you know, if you're a kid you might not want to do that." So a little girl, she said, "Okay, my cat is Muffy, 'I love Muffy,' that's my username." And I'm like, "Yeah, but do you really want somebody knowing that you have a cat named Muffy?" She was at the time seven years old; she couldn't understand why I'm asking her that. "Yeah, who cares, it's my cat, like what's anybody going to do with that?" So I was just like, all right, you're seven, I'm going to let it pass. I asked her mom, I said, "Hey, how would you feel if your daughter had 'I love Muffy'?" And the mom was like, "I don't see what the problem is." And I said, "Do you know what a security question is?" She said yeah. And I said, "What's the most common security question? What's the name of your pet." And I said, "Okay, if you're not thinking about what username you're using, you're suddenly giving someone a chance to get your account." So again, that started a whole conversation, because that's not something they were thinking about.

And it's the kind of conversation we're talking about: account compromise, people doing bad things. And that's not always relevant to people; people are just like, "Well, why do they care about what I am doing?" So another time when I hit those moments, I said, you know what, let's talk about privacy, let's talk about privacy of your information and your safety, as opposed to the nebulous idea of what someone can do with an account. Because you know what, for kids, they don't have a bank, okay? They don't have a lot of accounts other than Nick Jr., Scratch, or Minecraft. They're not seeing it, but the parents do. But the second I start saying, "Hey, that person over there who's saying they love Minecraft and they're 15 years old from Seattle doesn't necessarily mean they're 15 years old and they're from Seattle," that's when the questions start coming from people. But just understanding the conversation that we need to be having, and making it realistic to the people who are listening, because otherwise talking about the big broad issues really doesn't help.

Now this was probably my most interesting experience, and it came out of speaking with an engineering group. So a lot of times with professional engineering organizations they have to do continuing education classes in order to maintain their license, and this local group, it's like civil engineers, mechanical, electrical, computer, all these people who keep the planes flying, the bridges going, the cars. And they came to me and said, "We want you to do a security talk," and I'm saying, these are the smartest people, what can I possibly talk about that they don't already know and that would actually qualify for their CE credit? And I'm just sitting here like, okay, maybe I'll talk about the Bangladesh Bank and the SWIFT attack and why SWIFT is now doing the special guidelines for banks. I figured, okay, technical enough, I have enough detail from BAE Systems, I can probably do that. And while I'm putting that together, I had a conversation with the person who invited me, and he said, "If banks and governments are getting hacked, what hope is there for the rest of us?" And I suddenly realized that again I was making the mistake of assuming a certain baseline. A lot of times when we are seeing attacks, when you're in the industry, it's like, what do you mean you didn't have two-factor authentication? What do you mean you're reusing passwords? And I realized, hey, these people in this group, they're brilliant, but the baseline that I'm assuming is not necessarily what they had. So I decided, you know what, forget the SWIFT. It was a very fascinating story of how everything happened, but maybe I'll talk a little bit about passwords, and that's why I decided to have a password party.

And I'm going to give a shout-out to Jessy Irwin of Tendermint; a lot of the ideas came from just listening to her talk about how she had been doing security awareness with a lot of people, and it's really helpful. If you don't follow her on Twitter, follow her, she's always talking about great stuff about how to engage with people who are not immersed in security the way we are. And so during that talk I had about 40 engineers. They were all significantly older than me, so, I come from South Asia, which means every person older than you is Uncle-ji or Auntie-ji. So I'm standing there like, okay, Uncle-ji, I'm going to have to talk to you about security and you have to listen to me because this is important. The most intimidating thing I've ever done; it was so great. But they were sitting down, so that's how I would do the whole getting down and making eye contact thing.

So we start talking about threat models, more like, what is the danger of getting a password stolen? And people were just like, "Oh yeah, so they're going to find out what I wrote to my mom last week, they're going to see my shopping list." All right, let's talk about what you use your email account for. What other accounts has your email account become your login for? And that's when they started getting it. They're saying, "Oh well, I use my work account to log into that, I don't use my personal account," but I'm saying, "Yeah, did you tell your employer?" And again you have lightbulb moments, and once we started going down the path of what can happen with a stolen password, they got it. And then we talked about password managers. We talked about the fact that, you know, you don't want to have the same password, but it's so hard to remember all of them. I mean, I don't know about you, I have about 30 accounts that I use on a very regular basis and there's no way I can remember any of them. So we talked about password managers, pointed out that just because you have a strong password doesn't mean a brute-force attack might not be able to get it. I have to tell you, I got so many people telling me, "But mine is in a foreign language, so I'm safe." I'm saying, "Yeah, sorry, not all hackers are English-speaking," and just because of the language, that popular song that you're using as your password, they might know it.

So then we start talking about multi-factor authentication, and this is where I actually made a mistake in that talk, because I started talking about the pros and cons of which scheme to use. When you're doing these, be as hyper-focused as possible, because it's so easy to go down a rabbit hole and then you run out of time and you're just like, great. But we talked about the different types, talked about phones, we talked about YubiKeys, and it happened that a lot of people in the audience worked for the government, so they all had the RSA hardware tokens, so they kind of had an idea of what we were talking about. But they hadn't realized you could do that for your own personal accounts, that there are ways to do two-factor authentication for personal accounts. So again we started talking about that, and then the most important part was actually talking about where to enable the second factor, because no matter what we would like, not every account has support for two-factor right now, and some accounts offer multiple ones. Which one do you do? Which one makes sense? So then we went right back to the threat model: all right, which is the one that, if this ever gets compromised, you're completely going to be heartbroken and your life is over? Let's go ahead and make sure we have a very strong two-factor on that. We kind of talked a little bit about that. I had a lot of, "Why can't I just use my fingerprint like I do on my phone?" The first thing I did, I gave them a round of applause, that somebody had actually turned on fingerprint lock on their phone. And then we started talking about just doing the screen lock. So we talked about how it doesn't always have to slow you down, it doesn't have to make you say, "This is too complicated, I need to just use it."

So once we started doing that, I was getting more and more feedback. They were just like, okay, we can talk about it. I was lucky for that session, I actually had time, so we just kind of went around and we helped people set it up. I think that part gets missed in a lot of the security awareness conversations: we talk about the things you should do, we give people homework, "Go home and download this password manager," or "create an account, do it." But if you can do it with the person right there, it's extremely helpful, because then, "Oh, so this isn't something really complicated that I'll do later; I can do it right now and I already have it." So just taking that time. So one thing I realized with this group: having less time doing the theory and the conversation, and spending more time on the actual implementation, made a huge difference. I happened to have a couple of YubiKeys in my pocket, so we did trivia, and whoever got it right, I threw them a YubiKey. They got one, the others were kind of jealous, so they were like, "I'm going to go get my own YubiKey now." So the spirit of competition is a great way to get the security conversation going.

But one of the things I realized as we go and we start talking to different people, different groups, is that there's a lot of prep work involved. It's not just a matter of knowing security well enough, and these are some of the questions I started thinking about in terms of preparing for the talk, reaching out to the initial person saying, "Hey, I'm going to do this talk." And the first thing is: what tools, apps and technology do you think the people who are going to be coming to the talk use? This is a great way to find out, like, okay, are most of the people who are going to be there the ones who are always doing everything, their lives are entirely on their phones? Okay, that's a different conversation than someone who probably has an old laptop that they inherited from a different family member, or, again, a totally different conversation from someone who primarily does everything when they're at work. So just understanding what kind of stuff they do. Again, this is actually another important part: make sure your examples reflect the sites they use. Talking to someone my generation about Snapchat is hit and miss. Talking to a teenager about Snapchat, they're going to be like, "Okay, yeah, what do I do to make sure my Snapchat is okay?" The reverse: you talk about Yahoo or AOL to a younger generation, they're going to say, "What's that? I use Gmail." But then there are a lot of people on the other side of the age spectrum who still use the entire Yahoo portal to get their mail and get their news. So you have to know which site to use. When I first started doing it I had no idea what Musical.ly was, and apparently Musical.ly just got shut down, so it no longer exists, but the kids would raise their hand and say, "Hey, I use Musical.ly, is that okay?" And I had to quickly sit there and be like, what the heck is it? Oh okay, the app where you share music videos, all right, let's talk about it. So just trying to do a lot of the homework beforehand to get a feel for what example sites you can use, what apps you can use, makes a huge difference in making that initial connection. Because when you're making the initial connection, if you don't get them that first time, that "oh okay, you're going to give me something useful," you've lost them, and it's really, really hard to get them back. Sometimes it matters, sometimes it doesn't.

But the second question I ask myself is: am I going to talk about privacy, or am I going to talk about security? Now, if you're in the industry, we know that the two are intertwined, that you need both: you have to have privacy to have security, you have to secure data for privacy. But for a lot of people, when you try to have that conversation, it becomes really overwhelming. It becomes really much like, "Okay, wait, am I talking about my personal information now, or am I talking about my phone, like which one is it?" Saying "both" doesn't actually help. So I actually sit there again, try to think about what sites I'm going to be using, what phones, what tools I'm going to be talking about, and I start thinking, hey, okay, am I going to focus more on sharing information online, what kind of information can be collected about you? Or am I going to focus more on, hey, make sure your passwords are secure, am I going to make sure that you're putting in strong passwords, what does a complicated password mean? So you kind of have to make that decision. During the talk you can still reference the other, but one should be the primary focus over the other.

And then the third question that you kind of want to ask yourself is: what are they doing with the technology? Because going back to the original point I made, we're telling people, "Don't share information about yourself, don't post pictures or selfies." It's kind of pointless if the entire reason they downloaded that app, or they're going to that site, is specifically so that they can share. So you have to understand, like, what is it that they're hoping to do, and then meet them halfway. So, Facebook: if they're specifically on Facebook so that they can post pictures, talk to them about the different privacy settings, talk to them about what kind of settings there are, what it does, what it means. I am actually always surprised by the fact that people are like, "Yeah, I totally know, I make sure that I change the setting from public to friends, I'm good, it's fine," and I'm saying, "Yeah, but do you know what happens if someone tags you? You know what happens there: people who are friends of the person that got tagged can now see you," and they don't realize that. So there are always implications of what happens that people really need to be educated on, and once you know what it is they're trying to do with the tech, you can teach them how to do it safely, how to do it securely.

Another thing that I realized, again, when you're talking about what they want to do with the tech: they're looking for ways to make their life easier, and if you're saying, "Okay, yeah, every time you want to check this you have to fire up your password manager and you have to get the two-factor from your fingerprint sensor on that, and then get the code and then type it in." All right, my fingers are extremely dry; fingerprint sensors always mean I have to do it like six, seven times, and then I have really bad thumbs, so typing in the code always takes forever. I get frustrated. So then it's like, okay, I get it, this entire mechanism is super frustrating, super difficult; what can we do to make it easier? Now for the most part I generally don't recommend people writing down their passwords, especially not putting it on a Post-it, but if you're talking about someone who is younger, a school-age person, or even someone who is a little on the older side, having a notebook and writing it down and keeping it far away from the computer, or if the kids keep passwords and then give it to mom and dad, and mom and dad keep it far away, that's not a terrible idea. Because again, the idea is you want to meet people where they are, not where we think they should be.

And the final question that I really wanted to emphasize is: what do they need to know now? You're having this security conversation, you're going to be talking with them for, I generally time it between half an hour and 45 minutes depending on the age and the setting. You can't do everything, so what is the one thing you want them to walk away with? Do you want them to walk away with, "Okay, I've got to make sure that my password is long"? Do you want them to walk away with, "Yeah, you know what, maybe I'm going to stop entering all those contests and then complaining that I'm getting telemarketers calling me all the time"? Find out what you want their key takeaway to be and emphasize that. [Music]

And that's kind of the last point: stay focused. It's really, really easy to go down a rabbit hole, get down on tangents. The most common one is when I'm doing a talk on passwords; what I'm talking about is passwords, authentication, and do not reuse your passwords. Inevitably I get someone raising their hand and they say, "Oh, I use sign-in with Google or sign in with Facebook, is that okay? Because I'm using my password for everything." And I'm sitting here like, do I want to go through the entire conversation about OAuth and how you're not actually giving it, or should I just make a very short version and explain that, no, actually, you're not giving your password, you're just letting someone else do it? And that's a judgment call. Sometimes, if you think the audience will actually understand what it means to have the token being passed back and forth, by all means go for it. But if you think, no, this is a really, really complicated explanation, just say, "Hey, that's a really great question, why don't we shelve that, I'll come back next time and we'll focus on that, or come grab me." Don't get distracted from the main core of your conversation, because again, you have them for such a short period of time; you don't want them going away confused about what your core message was.

So that's pretty much it. This kind of journey in learning how to talk to people about security took about a year. I've spoken with about 80 people to this point; I have a couple more groups coming up. I'm continuously learning, continuously refining, and I'm always like, give me ideas, what did I miss? So yeah, if anyone has any questions about things that maybe I kind of had issues with, I'll be glad to answer. If you think there's something I missed and obviously I should be talking about with the groups I talk to, I welcome feedback. So I think you said we have a microphone? So anyone else? Yeah. [Music]

[Audience question] Hi, first of all, thank you for giving this talk. People are hard, and this is definitely a good thing to know. You covered a lot in regards to people who maybe are more removed from tech or are less in a security background, but generally speaking, those people who are students or people who came to a talk. What advice do you maybe have for talking to people who are maybe above you in a corporate ladder, or maybe incentivized in some situations to maybe put security as a secondary priority, without sounding alarmist or making them shut down? The word I use is "shrill." And also in a way that they can still understand, because people tend to, when faced with things they don't understand, sometimes smile and nod to not seem like they don't know, as opposed to asking for clarification. So what advice do you have for getting people who are maybe not really coming to you for this advice but need it anyway?

So that's a really tricky situation, because you have to kind of get past the initial reluctance of, "Oh, why are you talking to me? I'm okay." And the first thing that I've actually found that worked specifically for me was coming in and just being like, "Hey, so I am right now talking about security because..." and I pick something that's specifically important to me. So kind of going back to the initial point of getting on eye level: I find something that I think that person might be concerned about, and then they can relate to it if I say I'm concerned about it. So in the case of someone who's maybe more senior, the news is really useful, being like, "Hey, so I was just reading about how this company, their CFO got an email apparently pretending to be from the CEO, and then they lost all this money. I'm kind of freaked out that this might happen to my company, that, you know, I might get an email pretending to be from you. What do you think we should do about this?" The second you move the person into the "what do you think we should do about it," you get that initial buy-in, that initial buy-in that you would have normally gotten if you said, "Hey, come to my talk." So once you get that initial buy-in, like, yes, yes, they don't want people thinking that he's sending out emails saying he's stranded in London and needs money. So once you have that buy-in, then you start going again with the same conversation that you might have, but it's always again being like, "So how do we make sure this doesn't happen to us?" It's a little bit trickier because I feel like it's more of a conversation; it's not as direct as, "Hey, so you need to do this and you need to do this." But human beings being what we are, we don't like being told what to do. It took me a long time to learn that I don't like being told what to do, and that me telling someone "you've got to do this" doesn't work. My kid told me that many, many times.

But it's kind of like the same way: you make that initial established connection, that yes, this is something that they care about as well, and then kind of looping them in, like, "So okay, can we make sure that you always have a YubiKey so that we know that you're not doing it?" And if they're like, "You know what, the YubiKeys are a little frustrating, what if I lose the YubiKey?" "All right, well, you have your phone with you all the time, can we have Google Authenticator installed on it?" So it becomes again a conversation. For someone who is more above you in rank, in terms of social class, one-on-one is a little bit better. I've done that; there's less defensiveness. But if you're in a corporate situation and you're kind of doing a class for the senior management, again, just being like, "Hey, so we need to make sure that we're not going to be emailed, that we don't want, you know what, we don't want what happened to Sony and our personal email to be a thing. What can we do to make sure our mail is safe?" So I don't want to say use the misery of other people, but it also does help being like, this is something that's happening, we know it's happening. And yeah, we all carved out a little bit of delight in reading some of the silly emails to Sony executives, we kind of enjoyed it, but we also don't want that to be us. And that's another strong motivator. Thank you. Anyone else? So thank you again, thank you so much, and I don't really post a lot on Twitter but sometimes I do. If you have any questions, if you are ever curious about stuff we're doing on Decipher, please follow me. Thank you. [Applause]
