
Telling People Not To Click Links Is A Terrible Idea by Rebecca Markwick

BSides Basingstoke 2023 · 30:35 · 314 views · Published 2023-09
About this talk
Rebecca Markwick challenges the conventional wisdom of security awareness programs. She argues that simply telling people not to click links is counterproductive and creates cognitive dissonance when organizations simultaneously require sharing via links. The talk reframes phishing-simulation success away from vanity metrics like click rates toward actionable measures like reporting behavior, and proposes using positive reinforcement and engagement strategies—including leaderboards and workshops—to build a security-conscious culture.
Transcript [en]

Thanks very much for having me. I'm about to tell you basically why all the phishing simulations you do are trash, and why your security awareness programs are probably not great either. I work in security awareness and security culture, which is like the weird niche in a niche that nobody really likes, in security and outside of security, and as I do it, in which case people love it. So yes, this talk is on telling people not to click links is a really terrible idea. You can find me on Twitter, LinkedIn, Mastodon there, if anyone really cares; come chat to me later.

So what am I going to talk to you about? What is with clicking links? What are we actually doing wrong as security professionals, security awareness professionals, general people yelling at other people? And what even is security, what are we here for when it comes to end users? What behavior do we really want with regards to phishing, because it's not not clicking links. And what metrics are actually useful, because click rate metrics are marketing metrics, and unless anyone is running a newsletter here you really shouldn't be looking at them.

So, clicking links. I don't know if anyone recently has discovered that there is the whole concept of blaming end users for stuff. It's been around for like 20, 30 years, since the concept of security. But for the last like 15 years, clicking the link hasn't actually been a thing that leads to an actual exploit. Just clicking the link all by itself doesn't do anything; the actual bit is the bit that comes afterwards, you know, the people doing the credential harvesting adding in their login, or somebody clicking download onto something, or somebody hitting oh, I need to update my software, or doing the malicious attachment. The actual clicking of the link bit isn't a problem. In fact, we actually tell people to click links, and to share their documentation as links, and to share their files with their colleagues as links, because the cloud is now a thing, and we say oh, you know, it's really important to keep control of versions and to make sure that access controls are on point, we have to always share stuff as links instead of attaching them to documents and sending them to anyone, because we lose control. So whenever you're sending something to anybody, please share the OneDrive link, or share it as a Gmail, G Drive link; please stop, stop not sending things as links. And then when people send you the link, you click on the link and you open it and you do your work, right? So why are we telling people, for security and privacy and just auditing purposes, to share everything as a link, and then on the other hand go don't click links, it's bad, can't possibly do that? Which leads to cognitive dissonance in, well, everyone who works in security, but also the end users.

So there's a security architecture problem. If there's a thing that hasn't been exploited for like 10, 15 years that is suddenly exploited and it destroys your entire network, there's an architecture problem there, not an end user problem. There should be enough things in place that if some random attack does come from clicking a link or a phishing email, there's enough steps in place, and if that isn't in place we can't blame the end users for that. But the real big issue here is that telling people to share things as links and then not click on links means that you're making people unable to do their job, and confused, and people are already confused about security.

We'll talk about vanity metrics. It's my favorite, favorite little buzzword, vanity metrics: those metrics that are really, really easy to manipulate, they don't really tell you anything at all, and that's where click rate comes in. Like I said, if you work in marketing and you have a newsletter, click-through rate, really important, because it tells you how engaging you're being, whether your clickbaity titles are clickbaity enough. Everywhere else, not great. I mean, telling somebody I wrote a really good clickbaity thing and a bunch of people fell for it: well done you, you've just upset and disappointed lots of people and made them hate you. What fabulous metrics. It rolls into this thing called Goodhart's law as well, which is a fun thing, where the concept of a metric becoming a target means that the metric and the measure itself ceases to be a useful metric, because you can manipulate it and stuff. So when we come to click rate metrics, the more clickbaity you make a thing the more people will click. That doesn't really tell you anything other than that you're good at writing clickbait. It doesn't tell you anything about how protected people are against phishing, how likely they are to fall for a phish; it just means that whoever's making your phishing simulations is good at writing clickbaity BuzzFeed titles. We all love those, don't we?

And the metrics aren't actionable. What use is saying somebody clicked a link? How is that useful to us? We want them to click links in their day job, because we want all of our files to be shared as links in order for the access controls and everything. So great, we want people to be clicking links, great, but we're telling people not to click links. So we've got metrics on clicking links, not clicking links; it's useless. It's not telling us if people are doing the bad things when it comes to phishing, which is giving up their credentials or downloading the malicious software, pressing all the buttons we don't want them to press, because that comes after the clicking of the link. The click rate stops at how many people click the link, and it's completely useless; we can't do anything with it.

Also, tricking people is bad. This is the only industry where we're like yes, I tricked people, we win. You don't win. There's this thing called ethics, and there's this weird boundary, and I work with a lot of red team people on this: where is the boundary between testing security and unethically tricking people into failing? Because what a lot of the phishing simulations are is setting people up for failure. There is no way that they are going to pass, and people are doing that on purpose. And I'm sure many people here have failed at something, whether it's a test from school, or getting into something, applying for talks at conferences and not getting in. No one feels great about that. And how bad would it be if you tried to do the thing, do the test, do the exam, get that certification, and not only do you not get it but they say haha, it wasn't really a thing anyway? You know, not great. The ethics there are dodgy, right? Setting people up for failure makes people fail. Expecting people to succeed having set them up for failure is really, really stupid. I come from a behavioral science and training background: you want to set people up for success. Setting people up for failure is unethical. It's just a thing to think about; I've managed to convince quite a few red teaming people, it's great.

And also, when you fail you get negative emotions. Particularly with phishing, people feel a lot of shame and a lot of guilt, because they think they have destroyed the company, because everyone is telling them that they are going to destroy the company if they click a link. You know, so not only are we saying share stuff as links and use the links in your day-to-day business, also don't click the links, and if you do click a link you're destroying everything. We can't put that on end users. It's not ethical for us to say a security failure is an end user failure. You know, we don't get in a car, have a car crash, and the airbags fail to go off, and go, well, that was obviously your fault, you were the driver. You know, that's a manufacturing fault from the manufacturer of the car that the airbags didn't go off. And there's this weird thing in security where we love blaming the end user, and I think it's because it's easier to do that than to say actually, that was a security architecture failure: we should have had some tools in place, maybe there was a bug and it wasn't really working. And using the excuse that I'm a one-man band and we don't have budget does not give you the leeway to blame your end users. You just have to say, really sorry, we don't have the budget, there's not, and on the whole that's security as a concept failing; that's an architecture failure, it's not an end user failure. We can't just shunt all of the blame onto people who have no expertise in that area.

Because what are we here for? As security, we're here to help people, to keep people secure and safe, to keep organizations secure and safe, to keep data secure and safe: information security. We're here as a support system and a protection system. We're not here to blame people, we're not here to yell at people for asking for help, we're not here to trick people into failing. You know, we are here to help people be more secure, to be better, to be more secure, and it's an ongoing, ever increasingly difficult fight that we have.

Training at the point of failure as well. I don't know if anyone has ever failed an exam or a test or anything, even if it's just like one of those weekly math quizzes that you got given when you were like eight, but when you fail something you feel really bad and you get annoyed at yourself or upset or whatever. It's a really bad time. And it's been proven in a load of science and research: training at the point of failure is a terrible idea. People aren't receptive to it, people don't like it, and people don't learn at the point of failure. What people need at the point of failure is reassurance and support, and say oh, that's okay, next time you'll do better, next time you'll pass that exam, next time you'll spot the phish, and nothing bad's gonna happen, it's fine. We want to train people at a point in their life where they're feeling good about things; they're more receptive to being trained. And when they fail we go ah, it's okay, don't worry, you're good, nothing bad has happened. Especially because in the vast majority of cases, we'll talk about this a little bit later, but if you can get people reporting stuff they're actually part of the solution. So even if they've failed they're actually helping you fix it.

Because it's really important that we have trust from our end users as a security team. Over the last 20, 30 years a lot of people hate the concept of the word, uh, the word security, and the semiotics, which is like the study of signs, when applied to the word security: if you do that with your end users they tend to not like it. They think it gets in the way, it's difficult, they yell at you, we don't really like them, they live in a little cave somewhere and we don't want to be anywhere near them, that's a bit scary, I don't like them. People don't know a lot about technology, people don't know a lot about security, and they feel that it penalizes them. And the way traditional phishing simulations are set up, that horrible tricky, how hard can we make it for people, set up for failure, penalizes people. There are companies where they have a three strikes rule: if you fail a phishing simulation three times you get fired. Especially in America, you can get fired and you have two weeks' notice, or you can be fired at will that day. You know, that is a huge burden to be putting on someone. If you're setting them up to fail you're giving them no opportunity to spot that, and you'll just go yes, I got 50 people clicking on my phishing sim, I'm amazing. You might have got somebody fired; that might ruin their entire life. You know, people don't necessarily think about that, and that reduces the trust in the security teams from the end users.

And trust is really, really important, because without trust you undermine not only the security team but the whole concept of security in your organization. People stop coming to you for help, people start working around you, people stop telling you if stuff's broken, and people stop thinking that you're there to help them at all, and think that everything that they report to you they're going to get told off for, so they'd rather not report anything at all. Which means that over time your security gets even worse, because you don't know what all the problems are. You don't know that there's a development team over there doing a bunch of stuff that really needs security controls, because they don't want to talk to you, and you're not going to find out until two years later when suddenly you see a public repo on the internet and you're like, well, I didn't even know that existed. That's not great. And this leads to something called a negative security culture, and unfortunately for us most people have a negative security culture, because people don't like security, so their view of security is bad, they don't want to be engaged, and phishing simulations that are done in this horrible, punitive, attacking, kind of aggressive way really, really don't help improve that. So we're already working really hard to get people involved in security and to be thinking about security and doing security in their daily lives, whilst at the same time yelling at them and telling them they're stupid because they clicked a link that last week we told them to do, because we have to share all of your assets digitally with a link. You know, it's this whole mismatch of underlying things that are all reinforced by these very traditional, negative security phishing simulations, which unfortunately a lot of the big branded security awareness things go with: the super punitive training, they yell at people, they tell them off, they just tell them what not to do.

I don't know if any of you have ever learned a new skill, but I'm sure you were told how to do the thing, as opposed to don't do this. Because if someone just tells you what not to do it's really hard to get good at actually doing the right bit. You're like, oh, I just, I won't do that, or that, or that; I don't know what I should be doing, but I shouldn't be, like, I'm just not going to do it, you know, I'll just not bother. There's loads of fabulous stories on a bunch of subreddits, in articles all over the internet, where people have had horrible, horrible experiences with nasty phishing simulations that have promised bonuses, or have said here's an update to our health insurance policy, you have to do it within the next week or you're fired, kind of thing, in America. Where people then report everything as phishes, people stop opening their emails full stop, and there was one, I think, with one of the training companies that said there's like a bonus thing, and they actually had to pay the bonus to everybody because it was so aggressive. You know, people are getting so excited in our little security houses going I'm really great at writing clickbait, fantastic, instead of thinking how are we affecting the end users, how are we improving security, who is the security for? It's not for us in security, it's for the end users, it's for the companies, it's for the information those companies hold, it's for the customers that we work with as, sort of like, supply chains. The security isn't for us to feel good about; it's for everybody else to feel safe, and to trust that there's a team of people, or one person, or like a global group of people, who are there to help them, not coming around to trick them and yell at them, because they will just stop doing it.

So what behavior do we really want? And I'm going to throw this out at you, and you'll get like five seconds to think, because I like talking. What is it that we are testing people for when we do phishing simulations? Report it. We want the behavior of reporting, right? We want the report behavior. I set you up for success, right? I don't set people up for failure. Seeing everyone's now going oh my god, did she do that on purpose? Yes I did, I'm good at this. If we give them a phishing simulation, what is the point of the simulation? What are we trying to get people to do? What is the behavior that we want? What we want is for people to report things they think are phishing. We want to tell people: anything that you think is a phish, please report it to us, and you will be rewarded for reporting. We want them to be doing this constantly. You know, every time they see something mildly suspicious, report it, report it, report it, until there's a new thing that they go oh, I don't know, I'm going to report it to security and they're going to help. That is the behavior that we want. So, why are we using our phishing simulations? To help people practice that behavior: say hi, I'm a phishing simulation, can you remember what to do when you see something that's a phish? And also, here's a cool phishing simulation, here's a phish that someone reported last month. And you can usually get some really cool phishes that people have reported, and people are really nosy, and they're going to go oh, that's cool, or oh, I saw that but I didn't report it; maybe if I report one that I see, my phish could be there next month, next quarter, however regularly you do your simulation. And you can put in every so often, like, a real phishing simulation, in inverted commas, that's super duper easy and so easy to spot that everyone is going to say that is a phish. Because what we want is people to go that is a phish, and report, because it's that next step, that behavior, to take an action, that's so difficult for people, especially in a big company: someone else will report it. What if nobody, what if everybody thinks someone else reports it? No one reports it. Yeah, you need to reward reporting. How do you reward reporting? Wait for the next slide.

Security is then seen as a support: we're helping people get better at spotting phishes, we're getting active participation because people are engaging and sending us phishes, they're responding to our simulations in a positive way because we're setting them up for success, and that means they're more likely to spot a phish and report the phish rather than spot a phish and do nothing. And we get engagement. The more people are engaged the more they're likely to report things that aren't even phishes. They're going to say here's a security thing that I saw, someone's put a Post-it note of the door code next to the door, is that, like, should that be there? And then you can go that shouldn't be there, that's fantastic, thanks so much for telling us. They're gonna go and spread it around themselves and push into this more positive security culture. And this is all things that come from little tiny things that people aren't thinking about, other than people like me, that all comes back to things like phishing simulations, which is the main contact people have with their security teams.

Metrics. The metrics. You say my senior boards want metrics; they want vanity metrics, because everybody knows phishing simulations come with click rates and no one's actually sat there and gone, click rate, it's the marketing metric, completely useless. We can give them good metrics. We can give them report rates. I love report rates, because you can get report rates at different stages: you can get report rates before any activity has been taken with the email, you can get report rates after someone's clicked through, you can get report rates after someone's potentially given up their credentials and then reported. All of those are great. Less good that they've done the credential, or that they've downloaded the software, or they've opened and run the attachment, but they've still reported, which means we can do something about it. And this is where it gets a little bit difficult for security people, like oh, they shouldn't have done it in the first place. Ah, but they're going to do it, and wouldn't you rather they tell you after they've done it so you can go and reset all of their account passwords, boot everybody off, you can run a big scan on their machines, you know, good times. Report rates are fantastic because you can track them over time, you can track them by department, and you can come up with rewarding systems. Your report rate after attachment and credentials is really important, because especially with the uptick in credential phishing, having people report after a credential phish has been successful is really, really effective. You can do account remediation really quickly as a security team; it's not too difficult, it's relatively easy, and people feel like they are part of the solution. They go oh my God, I made a mistake, but if I tell the security team they're going to help me and they're going to fix it and nothing bad is going to happen. That's what you want. What you don't want is going oh, they yelled at me last time, I'm not gonna say anything, and then two weeks later you find that there's been someone in your system for two weeks, and this person just has, you know, it's a cognitive load that you have to push on people so that the quickest way through is tell security, they've tested it, they're not going to yell at me. Really important.

Macros for a minute: people in finance run all their Excel spreadsheets with macros, because otherwise they don't work. You can't tell them not to run those. You know, again, it's like the link clicking; you have to understand what people do as part of their job.

And we can track accuracy. This is one of my favorite things with phishing reporting, that goes with simulations as well as external, random, real-life phishes: it's tracking accuracy. So you can set up an accuracy tracker. Someone reported 10 phishes this month, each of them were real; someone reported 10 phishes, none of them were real, they were all safe. So you've got a leaderboard, at the top the top 10 people who've got the highest accuracy; you can make this public in your company so that people can see who's really good at it. And then look at the bottom, because the bottom doesn't necessarily mean that people are bad at spotting phishes. Sure, there might be a few people that when you look at the emails you go yeah, they're very not phishy; is there something happening with them, do they need a little bit of extra support with some smaller workshop training that's not just computer training, it's an actual instructor there so they can ask their questions? All those emails that this person at the bottom of the leaderboard is doing, they've done 10 emails this month they've reported as a phish, and when you look at them they all look like phishing emails, but they're all from safe senders. Is there a vendor that sends really rubbish emails? I'm sure a bunch of you work with vendors who send emails that look like phishing, or you might have a colleague who's not great at sending emails and they look like phishing, and this person at the bottom is reporting them because they look like phishing. You know, and you're just saying oh no, that is a real email, but actually they shouldn't be sending you emails that look like phishing. Vendor, can you stop sending emails that look like this, can you make them look different? So those people at the bottom can actually be really helpful, because they are spotting phishes; they just happen to not be real phishes, you know. So you can look at the top and the bottom, and accuracy changes over time as well, which is another metric that you can gather.

So I hope we've got better ideas for how we can actually do phishing simulations, phishing training. Yes, yes we do, we have so many better ideas. Teach people how to report. How many of you have got systems in place for people to report? And how many of you have got attached to those things that tell people how to actually report stuff? Yeah, that's like not even one percent of people, in four hands, right? How are people supposed to know how to do a thing if you don't tell them how to do the thing? And they go oh, they're not reporting stuff, because I couldn't be bothered to tell them how to do it; how dare they not report stuff. I mean, I haven't put anything up on how you do it or where you go, but hey, they should be reporting it anyway. We don't put somebody in a car and expect them to be able to drive without having lessons on how to drive, and go oh no, they couldn't start the car, what an idiot. Go, yeah, you haven't taught them how to do that, that's on you. So teach people how to report. Make reporting really low friction, make it as few steps as possible. Have on your central intranet site a button for reporting a security incident, have another button for reporting a phish, have a button in your email client that says report phish. Okay, so that's step one: make it easy to find. Step two: create onboarding videos for all of your new staff, and every year have people, if they want it, have a little reminder saying we've got this available if you need it. For everyone that gets onboarded you say here's how you report stuff to security in our organization, because every organization is different. Huge organizations, way different to tiny organizations. Tiny organization, it might be email Greg in security and he'll fix it for you, that's how you report. Big organization might be a ServiceNow ticket, or like some random button somewhere. Some people have three different buttons in their browser, in their email client, because they've got so many tools; which one do I use, you know? And some of them you can't get off, because they're like weirdly embedded in Microsoft or Google, with the whole you can't change how it looks. So teach people how to do the reporting. If you say this is how you report, this is what you should be reporting, fantastic, somewhere really easy to find, so people go I really need to report this but I don't know how, they can go to this central area and go oh, that's how I do it, there's the button. You'll probably see an uptick in reporting of stuff, and you'll see some people go oh my God, and you go no, no, no, this is great, because those incidents have always been happening, people just haven't been telling us about them. So the more we know, the more we can put in place, so that over time they'll go back down, but they'll actually stop happening as opposed to people just not reporting them.

We can do leaderboards. Love leaderboards. People love leaderboards; people are weirdly competitive even if they pretend not to be. If you give people points, or you just match how much people are doing, you can track reporting stats, you can track how many people spot phishing simulations, you can do it on an individual basis, you can do it on a team basis, you can do it on like a business silo, directorate, division, chunk, however you split your organization. So you can end up putting entire departments against each other, saying that this one, they've found like 80 of the phishes that we've sent out this year, they've all reported them, and then someone's like well, I think we can do better than that, because we have a feud with marketing, over here in finance we're amazing, we're going to do better. And it doesn't have to just be on phishing simulations; this can be on literally anything that's security-related behavior that you want to do. You know, if you're running random workshops or talks you can run leaderboards of how many people are coming to those. You know, most companies these days really love professional development for people, so why not make some of your security talks professional development for people? People love learning new stuff. People really, really, really love finding out how people actually break things. The amount of times that I've shown people a little video screen grab of somebody cracking passwords, and I had, like, a little highlight over the words of the brute force text that runs through for people so there's no nasty words in it, and people sit and they go oh my God, that was amazing, it's so fast, and you just, you just press go and it went, because they think it's so difficult to do. A lot of the workshops that I run are on like how to do open source intelligence gathering, how to find where pictures are taken. That's why Angus is here: Angus goes to all the conferences, Angus goes, where's Angus? Some people suddenly go I think he was at Basingstoke station, you're like yeah, well done, here's a badge, and they're like I got a badge, I found a cow, fantastic. He's a tiny crochet cow, in case anyone has not seen him. He's part of a whole mascot collection; we have a little penguin with a chicken hat that phishes the chickens, it's fantastic. But you can leaderboard all sorts of stuff: how many people are doing the training, how many people are doing the extra training, is there a prize at the end?

I do a make-a-phish workshop, so I do a bit of extra training, a little bit more in detail, about 45 minutes long to an hour depending on how excited people get, on how phishing actually works, the psychology behind it: urgency, heightened emotional state, anything that does that, probably a phish, report it. If it's additionally unexpected from a safe sender then it probably might also be a phish. And that works for all social engineering, rather than going this is the phish that we've been seeing a lot, look at this phish, don't fall for this phish; all people will be looking for is that phish and they won't see the other phish. You know, if you teach them how to see all phish, way better. And then at the end of the workshop, and this works virtually and it works amazingly well in person, like people get very competitive, you make a phish. You pick somebody, usually it's Angus or like one of the chickens or something, and you say what kind of phish would work for this person, what are we going to steal, we're going to steal money, we're going to steal credentials, information, what are we going to go for? And I'll make a phish, and then people present their phish and we vote on which one we think is the best. And you can do this as an annual competition as well, where people send in to the security team the best phish that they or their team can come up with, and you pick the best 10 and then you get the whole company to vote on which ones they think are the best. And people are learning how to spot phishes because they know how to make phishes. We're not giving them phish kits or anything; they're not actually phishing people, they're just coming up with ideas. And people get genuinely thrilled, and you say that idea you came up with, that's an actual campaign that's out there in the wild, in the world, live right now, so well done, you're thinking like a real hacker. People love putting little hacker hats on, because they think it's so difficult and scary, and when you make it a little bit more personable people can practice and they can do it and they have real good fun. It works amazingly in person if you split people into groups, because people get really judgy about other people, saying I don't think he would fall for that, I think he would fall for this, and he's like well, you present your phish in a minute, chill.

Rewards. Positive reinforcement is scientifically proven to be the best way of training people. It works for dogs, works for horses, works for cats, it works for people, because we're all animals. Rewards are amazing, and rewards come in a variety of different things. We have low value rewards, we have medium value rewards, we have high value rewards. High value are really, really rare; medium, uncommon; low value, common: things like your stickers, your digital badges, then you go up into things like swag, and then, for example, where I am you can win a tiny Angus. I will crochet you a tiny Angus if you are one of the people that has done all of the additional bonus training for the year; you can be in with a chance of winning a tiny Angus. There's only one of those available every year. People want a tiny Angus because he's very cute, but also it's rare. But people also really like stickers. I mean, there's a sticker thing out there for everyone; we love stickers, people love stickers. So digital badges, stickers, certificates, fantastic. You also do things like little shout outs. People love recognition, whether that's private recognition, an email from the CSO saying you've made a real big difference this year, thank you, or if it's on an all-staff announcement, news, just saying these people have made a real big difference to security this year, this month, this quarter, fantastic. There's a lot of ways you can reward people that are really low effort on your part and really high impact on their part, that means that not only are they more likely to engage with security, to have a positive view of security, but they're way, way more likely to actually do the security behavior that you want them to do.

So we've made our case. Now we want the report rate, not the click rate. We don't care about clicking. We need to stop telling people not to click stuff, because we want them to click stuff, because that's how they do their jobs, because they need to do their jobs. We can't make security get in the way of people's jobs; people won't do it. We want to integrate security into their jobs so that it's easy for them to do and they are going to do it. We need to stop with the cognitive dissonance, stop thinking that how we want things to be is the only way they can be, and start thinking how do people work, how do people think, how can we work with them to create a better way of thinking, as opposed to telling people not to do things that they need to do. Like, don't run macros: I work as an accountant, I use macros for my spreadsheet to work. Don't click links: well, I spend all my day sending stuff to other people, and in order to control who has access to that I send it as a link. You know, we need to stop and think about how we're telling people to do this, and reward people for doing great stuff. Make sure when your security team responds to things, or the auto-reply from your phish button, it's fantastic, great job, we really appreciate you reporting this, or telling us, or letting us know. Making sure that we're not accidentally yelling at people, because people are very worried when they report stuff, because they think they've done something really bad. You'll have to help them, say thanks; I mean, yeah, it's bad, but you've done a great job telling us and we're going to help you through it. This is really, really important: reward people, do not punish them, and stop, please stop telling people not to click on links. Thank you.
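As an added example (not code from the talk or from the speaker), the metrics the talk argues for, computed over one month of constructed simulation data: report rate by stage rather than click rate, how many credential victims could be remediated because they reported, a team leaderboard, a per-reporter accuracy board, and the "noisy safe sender" check for the bottom of that board. All users, teams and sender domains are invented.

```python
"""Phishing-simulation metrics: report rate by stage, credential remediation
coverage, team leaderboard, reporter accuracy and noisy safe senders.

Added example with constructed sample data; not the talk's own code.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Stage at which a recipient reported the simulation email. A report after
# clicking, or even after entering credentials, still counts: it is what lets
# the team reset the account instead of finding an intruder weeks later.
STAGES = ("before_click", "after_click", "after_creds")


@dataclass(frozen=True)
class SimOutcome:
    """One recipient's outcome for a single simulation email."""
    user: str
    team: str
    clicked: bool
    submitted_creds: bool
    reported_at: Optional[str]  # one of STAGES, or None if never reported


@dataclass(frozen=True)
class Report:
    """One email a user reported that month: simulation, real phish, or a
    legitimate email that merely looked phishy."""
    user: str
    sender_domain: str
    was_phish: bool


# Constructed sample data for one monthly simulation (invented users/teams).
SIM_OUTCOMES = [
    SimOutcome("ana", "finance", False, False, "before_click"),
    SimOutcome("ben", "finance", True, False, "after_click"),
    SimOutcome("cai", "finance", True, True, "after_creds"),
    SimOutcome("dee", "finance", True, True, None),  # entered creds, told no one
    SimOutcome("eli", "marketing", False, False, None),
    SimOutcome("fay", "marketing", True, False, "after_click"),
    SimOutcome("gus", "marketing", False, False, "before_click"),
    SimOutcome("hal", "marketing", True, False, "after_click"),
    SimOutcome("ivy", "marketing", False, False, None),
]

# Constructed reports from the same month. "sim.example" is the simulation
# sender, "evil.example" a real phish; the other domains are legitimate.
REPORTS = [
    Report("ana", "sim.example", True), Report("ana", "evil.example", True),
    Report("ana", "evil.example", True),
    Report("ben", "sim.example", True), Report("ben", "payroll.example", False),
    Report("cai", "sim.example", True),
    Report("fay", "sim.example", True),
    Report("gus", "sim.example", True), Report("gus", "evil.example", True),
    Report("hal", "sim.example", True), Report("hal", "newsletter.example", False),
    Report("ivy", "payroll.example", False), Report("ivy", "payroll.example", False),
    Report("ivy", "payroll.example", False),
]


def click_rate(outcomes):
    """The vanity metric: share of recipients who clicked. For contrast only."""
    return sum(o.clicked for o in outcomes) / len(outcomes)


def report_rates(outcomes):
    """Overall report rate plus the rate at each stage, as fractions of all
    recipients. This is the number to put in front of the board."""
    total = len(outcomes)
    by_stage = Counter(o.reported_at for o in outcomes if o.reported_at)
    rates = {stage: by_stage[stage] / total for stage in STAGES}
    rates["overall"] = sum(by_stage.values()) / total
    return rates


def creds_remediated(outcomes):
    """Of recipients who entered credentials, the share who reported it, i.e.
    the accounts that could be reset promptly rather than discovered later."""
    victims = [o for o in outcomes if o.submitted_creds]
    if not victims:
        return 1.0
    return sum(o.reported_at is not None for o in victims) / len(victims)


def team_leaderboard(outcomes):
    """Report rate per team, best first (the finance-versus-marketing feud)."""
    totals, reported = Counter(), Counter()
    for o in outcomes:
        totals[o.team] += 1
        reported[o.team] += o.reported_at is not None
    board = [(team, reported[team] / totals[team]) for team in totals]
    return sorted(board, key=lambda entry: entry[1], reverse=True)


def accuracy_leaderboard(reports):
    """(user, accuracy, report count), best first. Accuracy is the share of a
    user's reports that really were phish; ties go to the busier reporter."""
    total, hits = Counter(), Counter()
    for r in reports:
        total[r.user] += 1
        hits[r.user] += r.was_phish
    board = [(u, hits[u] / total[u], total[u]) for u in total]
    return sorted(board, key=lambda entry: (entry[1], entry[2]), reverse=True)


def noisy_safe_senders(reports, min_reports=3):
    """Legitimate senders reported repeatedly. A low-accuracy reporter at the
    bottom of the board often points at a vendor whose mail looks like phishing."""
    counts = Counter(r.sender_domain for r in reports if not r.was_phish)
    return [domain for domain, n in counts.most_common() if n >= min_reports]


if __name__ == "__main__":
    print(f"click rate (vanity): {click_rate(SIM_OUTCOMES):.0%}")
    for stage, rate in report_rates(SIM_OUTCOMES).items():
        print(f"report rate {stage}: {rate:.0%}")
    print(f"credential victims who reported: {creds_remediated(SIM_OUTCOMES):.0%}")
    print("teams:", team_leaderboard(SIM_OUTCOMES))
    print("accuracy:", accuracy_leaderboard(REPORTS))
    print("safe senders to talk to:", noisy_safe_senders(REPORTS))
```

Note that in this sample the click rate (5 of 9) says nothing about the one recipient who lost credentials and stayed silent, while the after_creds report rate and the remediation share surface that case directly.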