
Good afternoon everybody. We're so excited that you're here. Welcome to BSides SF 2025. We have a very amazing headliner speaker today, Nate Lee. I find the title of his presentation very interesting. I know this lady right here is very excited. Okay, so "The Power of Persuasion: Better Security Through Manipulation," with a question mark. All right. Now, I'm not sure if everybody is familiar, but we have something called Slido where, during his presentation, if you have a question, you type it out. You can put your name or leave it anonymous. It's up to you. I will read those questions at the end if we have time. Otherwise, we'll forward the questions to him and you can reach out to him on LinkedIn. Mr. Lee said that was fine. Also, afterwards, he's gracious enough to meet at the top of the escalator. That works really well. Yeah, on level four, so you can have some one-on-one time, ask questions and connect. All right, so I'm going to pass it off. Take it away, sir.

All right. Thanks. Thank you. Well, thanks everybody for coming down. You've heard the name; the title is the power of persuasion, and it's about using psychological principles to drive better security outcomes. I end up doing a lot of reading on neuroscience and psychology just because I think it's interesting, but the more I was reading, the more I was thinking these things are very useful for security, and so how can we translate that to drive better outcomes by being smarter about how we interact with humans? We have a lot of technical controls. We know how to make people do certain things and enforce it technically. But everybody knows that at the end of the day we still have humans, and humans make mistakes, inadvertently or maybe on purpose. And so we need to influence them in order to make smarter decisions. But we also need to influence within our own organizations, and not necessarily to make things more secure. So we need to, for instance, talk to the CFO. We need to help them get us budget. If you're managing a team, you need to get them to go along with the strategy that you've set. And often, if we're working with engineering or marketing or sales, legal, whatever it is, you're working with other teams and they don't report to you. They don't have to do what you tell them. So when we ask them for things, you're competing with all of these other priorities. And how do you make it so that it's more likely they're going to go along and deliver these better outcomes that end up being beneficial for the organization as a whole? So we'll talk a little bit about how to do this. There are these heuristics, and when we say heuristics,
it's things that are kind of hardwired in our brains, and that can be through evolution. Some of this stuff is very deeply rooted, and that ends up being things like reciprocity, but other stuff is much more culturally based, just things that we've had drilled into us for a long time, since we were small children, and it's just so deeply ingrained culturally that they have a lot of power over us. A lot of times we don't really know that these are working, and in fact when we look at the studies, most people say, "Ah, that won't work on me." But the statistics really show that it did work. So these are really powerful. We'll go through these and kind of figure out how they're working and then tie them to practical ways you can apply them to your security program. But first, for these to work there are a couple of conditions that have to be met, a couple of things that really make it so that these heuristics trigger and end up being much more powerful. The first one is you have to not know a whole lot about whatever the subject is, and it turns out in security most of our users don't know a whole lot about security. So that one's a good fit. The second one is you have to not have a desire to really learn more. You probably don't care a whole ton about it. Which again probably fits most people's view on security. So it turns out security is a very, very good place to use these principles, because most people don't know a lot about it and they don't really care all that much. And just some quick examples of the power of this, and these are experiments that were run over the last few decades. One of them is they had people waiting in line at a copier, and that tells you how old it is. But they had someone roll in and say, "Hey, I need to make some copies," and try to cut to the front of the line. It turns out about 60% of people will let that person go through. But if the person comes through and says, "Hey, I need to cut to the front of the line. I need to make copies because I'm running late," it turns out like 90% of people will let that person through simply because they used the word "because." And that's because humans as a whole, we're conditioned to avoid social awkwardness. We're very social creatures, and we don't like that awkwardness. And we're also conditioned that it's okay to say no to people if they never gave you a reason. So if it's just like, "Hey, I need to do this," you
can say no and you don't feel bad. But if someone gives you a reason, it's a little more awkward to say no to them. And so many, many more people will just agree with it to avoid any sort of awkwardness. So that's the sort of thing where you wouldn't really realize it's happening, but it's a huge, statistically significant change. I mean, 50% more is nice if you put that in the right way. Another simple example is if you want to go get a gift for your significant other, something special, and you don't know much about jewelry, you don't really care about it, but you think, "Hey, they might like bracelets." And so you walk in, you see these two, you want to get them something special, you don't really know which one to pick. But if you walk into the same jewelry store and it's labeled like this, even though they're still the same, you probably have a good idea of which one you want to get, assuming you could afford the $749 bracelet, because socially and culturally we've had it ingrained that cheap is probably bad and the higher quality one that's not using Comic Sans is more likely nicer. So that just shows the power. These could be identical, and there are plenty of studies that show way more people will buy the expensive one despite it being identical, because we use that as a proxy for quality.

So, first off, we'll talk about likability. And this is sort of self-evident. If you're more likable, people are going to be more likely to do things for you. You can think about it: you're hanging out at home. A couple of your neighbors come over and they both happen to ask you to help them move. You don't know much about either of them. One lady shows up. She's super nice. It seems like you hear good things about her. The second neighbor shows up, asks you to help them move. It's kind of at the same time. You've got to kind of decide. You don't know much about either of them. Turns out one of them is going to be moving their own... So likability is very powerful, but how do we make ourselves more likable? And what does that lead to? I mean, it makes them more likely to do things that you want them to do, more likely to do things that you need them to do. But importantly for people in security, it makes it more likely that they're going to come to you early with the problems. I mean, we want to avoid the whole "we've been working on this project for 4 months. It's going live Friday. Did you want to take a peek?" So if you're more open to
working with other people, you're more likable, they're much more likely to come to you with these problems earlier, to be, you know, "Hey, we're going to start working on this project. Can you sit down with us and think about what might go wrong?" That stuff happens the more you or your team are considered likable by the other party. If you have guidance that might inconvenience them, they're more likely to accept it because you're likable. So there are a lot of advantages of being likable, but then it leads to the question of what can we do to be more likable? And for that, well, it turns out the biggest thing is being attractive. There was a study in Canada that showed political candidates who were rated as attractive ended up with two and a half times more votes than the people that weren't attractive, despite everyone saying that had nothing to do with their votes. It just shows up in the statistics. So there's a lot of subtle power here, and while most of us can't change how we look, there are things you can do to be more likable. And a lot of this just comes with talking to folks. So you could think of similarities. Obviously these people will like each other because they clearly look quite similar. But using language that they relate to. So if you're talking to finance, do you understand the lingo of their domain? If you're talking to other teams in Slack, do they use a lot of emojis or not? Because you want to kind of match and mirror those communication styles. That sort of breeds the familiarity. It makes you much more likable because they can relate to you much more. And that can even be things like, you know, someone's coming from or someone lived in a place that you visited before. Just having that small commonality is enough to really build the familiarity. There are lots and lots of studies on this where it can be even just trivial things that don't matter at all. Like if you have the same birthday as someone and call it out, it can end up that that makes someone like 50% more likely to agree to do an onerous task for you. So it really doesn't have to be anything material. It can be anything. And we're just hardwired for that. The other thing is just making sure you're talking to people before something goes wrong. In my role as a CISO, I had to learn that I can't just go to people and message them in Slack like, "Hey, I need to talk to you." No, nobody. It turns out that strikes fear into people's hearts. It's kind of
like if HR does that. So you want to make sure you're actually talking to people regularly and just checking in: see how things are going, can I help you? So that they're not associating you with problems. Because if you only come to people when there are problems, well, that association builds up in their brain and it's really hard to counteract that. It's hard to be likable when people think of you as the deliverer, the messenger of bad things. So small talk, you know, just don't cut straight to business. That's a good thing. It seems like maybe if you're a really efficient person, you want to just cut right to what you need to do. It's much better to actually just get that rapport, build it up with people, because that lets you find those similarities and just kind of be a human to them. It makes you more likable. Compliments, ideally genuine ones. But it turns out even that doesn't matter. If we know someone is kind of blowing smoke and just saying nice things about us for whatever reason, it turns out that doesn't even matter. It makes you more likable to that person, even if they know those weren't totally genuine compliments. So things like attributing success to other teams: maybe they didn't do a whole lot to contribute to the project, but if you call them out as being really helpful, that builds likability. It also, and we'll talk about reciprocity, but that's the sort of thing like you gave them credit for something in front of other people. That's a thing you've given them.

And when it comes to reciprocity, it ends up that is an extremely, extremely powerful force. It's something just deeply ingrained in human culture, because humans are social. You know, even going back to tribal days, as an individual you wouldn't give energy or food or time, shelter, whatever to someone else if you needed that to survive, unless you were really certain you were going to get something back. It's reflected in language all over humanity. If you get something, you now have this deep obligation to give something back to the person. Like stores like Costco, when they're giving out free samples, it turns out they get like 300% uplifts in sales for whatever the goods are, just because they gave it to someone. People have this, "Well, maybe we should buy it. I mean, they gave us one." And so it's really understanding that this is a deep-seated thing in people's brains. Hopefully it helps you also understand when this is being used against you, because if you frame it in your own brain as being manipulated, it's much easier for you to
turn off that moral obligation that would otherwise be sitting there. So some ways you can use it. Negotiating is an easy one. So if you're working on your own salary, you're trying to get pricing from vendors, any of those things, even giving that concession. So you throw a high-ball or low-ball offer, and when you come closer to their offer, you're making a concession. You're giving them something, you're doing a favor, and that means socially they really need to also make a likewise move. So being aware of how that works. And it can be even small favors. They don't have to be the same size. And so if you're running a security team, having your team set aside time just to do small favors for other teams can be really beneficial. It could be just helping them fix a bug. It could be helping clarify things. It doesn't really matter. Just by being generally helpful, you're building up this goodwill that's going to make it so that when you do need something more material, other teams are much more likely to want to go ahead with that. They want to help you now because they like you, you helped them, you've kind of done stuff for them, so they kind of owe you. And even if it's a much larger ask, like you need them to run this whole project now, they're much more likely to say okay to it. This is much more powerful even than likability. So it really is worth it to keep it in mind, and to keep in mind also that even helping others, while it seems you might not be getting anything back, you're kind of planting this seed, which again, if used correctly, can deliver better outcomes for both parties and can help make the platform they're working on more secure, and help make your job of getting them to do that easier. So some other things you can maybe consider: special exemptions to the rules. There are always things, right, where you have a policy and someone can maybe do most of it and it's fine. So if you can give them a little exception here and there, that's a favor you've done them. And if it doesn't materially affect security, that's great. You've kind of now built up this goodwill you can use later. Again, the thing with recognition and acknowledgement, that's you giving something to someone. And one thing to note is just, if people thank you and you end up saying "it's nothing," it ends up negating that obligation people have back to you. So it's different if you say "that's nothing, don't worry about it" versus I'm
sure you'd do the same if you were in my shoes. It's two totally different outcomes, and it's wildly different statistically how people react to that. So it's a lot of just little twists of language to be aware of when you're talking to others, when you're sending emails, and just how you interact.

So we'll talk about authority. I don't know if people have heard of the Milgram shock experiments. They were done in the '60s, and basically that's where these photos are from. But basically, we have this deference to authority deeply ingrained since, you know, we're children. You have to obey the teacher. You have to do what the doctor says or your parents say. And these Milgram experiments, basically they had a professor-looking person in a lab coat and they had a person being experimented on. They had shocking wires hooked up and they would tell the other person to kind of turn the dial up and shock them more and more whenever they got an answer wrong. And they assumed most people would stop before it actually hurt the other person, because, you know, you don't want to hurt people. And the other person being shocked wasn't actually being shocked. They were an actor. But they did not expect the outcome, which basically was that they could get people to turn it up to harmful levels of electrocuting the other person, and he's screaming and, you know, acting in pain, just because someone in a lab coat was telling them, "No, no, don't worry about him. Keep doing it." So even though people felt really uncomfortable and they were hurting someone, because it came from authority, 65% of people would still do this, which was very, very out of the ordinary for the types of people that they brought in. And so how can we use this? Well, there are a few things. It turns out if you're appropriately uncertain, it makes you authoritative. So if you come in and you say, "Hey, this is the way to do it. I'm sure of it," like, that might give you some level of authority. But if you say something like, "Well, I'm not totally sure, but I'm 95% certain that if we do it this way, it's going to cause problems," that appropriate uncertainty actually makes you seem more like an authority. So just being careful about how you talk about solutions when you're proposing them to others can really lead to better and different outcomes. Having knowledge outside of your domain. And again, this gets to understanding the other teams you're working with. So if you're talking to legal, if you're talking to finance, you know, if you can talk about the difference between cost of goods sold
and an operating expense, they're like, "Oh, oh, this person gets it." That makes you more of an authority, because they're like, "Hey, if he understands my domain this well, you know, what do they know about their own domain? They must be very, very good." So really using that insider language, demonstrating knowledge of other domains, is really helpful. And the other one here, and this is one I certainly struggle with myself, is having a strategic silence. It really signals careful consideration. It helps things really sink in and really drive home an idea. So if you're like me and that maybe is hard for you, it's worth practicing and thinking about the fact that silence actually speaks a lot more than many of the words you could use instead.

So we'll talk about commitment and consistency. This is another one, to no one's surprise: most of us want to be consistent with things we've said, with things we've done in the past. They did an experiment here. They had cancer awareness pins and they went out on campus, passed them out to a bunch of random people. And then they went out 3 or 4 days later and they started asking people for donations for, like, the cancer society. And it turns out the people that were wearing the pins donated three times more often than people who didn't have the pins, because they felt like, "Oh geez, I'm wearing this pin. I probably should be donating." So having that initial small step led to a very, very different outcome at the end. So for us, it's how could we get some smaller commitments and tie that to larger projects, larger efforts that we want to bring to the program. And some of that can be building self-perception. A good one would be if you're talking to an engineering team, you can say things like, "Ah, you all, you're just so good on code quality. You all care so much about quality. By the way, we're rolling out new static analysis, and because you care so much about quality, we want you to be in the pilot group." So now you've given them a compliment. So these things start compounding. You've tied it to their existing values, because now it's the logical next step. "Hey, you care about quality. So obviously you should be doing this next thing." That really again drives different outcomes because you've framed it in a different light. So being aware of this consistency and how to get commitment from people can be really helpful when you're trying to influence them to do different things. The last one: getting people
involved in creating policies. It drives ownership of those same policies. So the more you can have people involved in building some of these policies, especially ones where, you know, you might get some friction and pushback, that's really very useful, so that they now own it, because it's harder to push back against a policy you helped to form.

And this one, social proof, which we all probably better know as peer pressure, ends up being really, really powerful. It's why when you're looking at Netflix, it doesn't say "we recommend this show." It's a very mindful decision that they show it as "these are the top programs people are watching." It's why when you go to DoorDash, it doesn't show you the chef's recommendation. They show "these are the most popular items." We are very heavily influenced by what others think. There are a lot of experiments that showed they asked people to value a certain object, and they would value it at whatever the price was. But when they put those same people into a group, and the other members of the group were actually actors, and the other actors in the group gave their estimate first, when the other actors gave a much, much higher estimate, it turns out people would then estimate that value at three times higher than they originally thought, just because they would base their ideas on whatever the other people were thinking. So ideas around social proof: the security champions, very great. You want to make sure when you use examples in training that you're using examples that are similar to other people, because if you're, say, at a startup and you're using examples of how JP Morgan does something, that isn't going to resonate the same way. So when you're using social proof, you need to make sure the other parties are in a similar group in order to have this effect. You also want to make sure that you don't showcase popular negatives. So things like, "Hey, look at this password list. Look at how everybody picks terrible passwords. Don't be like them. Pick something strong," and showing them how to do that. That actually has a negative effect, because people will take away from that, like, if everybody else picks bad passwords, why should I care? So you need to be careful, because you can actually use social proof to inadvertently convince people to do the wrong thing. And that's where showing stats like, "Here, your peers are doing this. 95% of engineering has gotten their vuln backlog down to whatever number," using peer quotes in awareness training, all of these things can help influence and drive people to think, hey, well, if everybody else is doing this, that must be the right thing and I need to kind of go
there. I'll let this sit here for a second. A very reasonably priced San Francisco menu. And the only reason I'm leaving this up... yeah, I mean, that ravioli looks good. The reason I'm leaving this up is because when I go to this next slide, then suddenly a $30 hamburger doesn't seem as ridiculous anymore. And so this principle is called perceptual contrast. And we've all seen it. But really what it means is our brains evaluate things in order. You don't look at them in absolute terms. It's what you saw first and then what comes after it. So if you think about it, you can use that contrast to make things seem achievable rather than really big. And you can do things like show full standards first. Like, "Ah, here's the whole NIST cloud security framework that we could do. Here's the giant list of things that we've decided we need to fix, but for you, we'll do you a favor. We've got it down to these three because we wanted to help out." And suddenly, even if you wanted them to do these three in the first place, it seems like a much, much lighter lift, and you did them a favor: you cut the other seven. So again, we can compound some of these heuristics and compound some of these benefits. Other things you can think of are like putting the biggest spend first. So if you have to go ask for multiple items for budget, if you start with the lowest one and start getting more and more expensive, like, the person's eyes are going to keep getting bigger, like, when is this going to stop? But if you start with the most expensive one, everything else starts seeming much more reasonable after that. So being aware of how you present things and in what order and relative to other things can again lead to very, very different outcomes when it comes to your security program. The other things: showing a vulnerability backlog and then, you know, here's what you need to fix. Manual processes: if you want to really make your automation look good, show how bad the manual process was first, rather than just showing the automation. It'll have much, much more impact on people.

And lastly we've got psychological ownership. And this really is just letting people come to the decision on their own. So it's, you know, if people own their decision, you're going to get higher compliance. They're more likely to follow through on it. So you want to guide people to the solution rather than telling them what to do. Like, "Oh, we have these plain text keys. I wonder what we should do with them." I mean, you
could tell them to put it in a secrets manager, but if they come up with that, you can be like, "Ah, that's such a good idea. You thought of that. That's so cool." And now you've given them a compliment. They're owning the solution, since they're the ones that thought of it. And again, you're driving better outcomes for your team. So it's really worth thinking about, again, when you're interacting with others, how can you present this in a way that's going to lead to the best outcome? And just being aware of all of these different principles is really what's going to allow you to improve what those outcomes look like. It's very subtle. And it's, you know, can be hard to measure, right? Because it's not like A or B; you won't know what would have happened the other way. But these things are all very deeply backed with lots of research. And so being aware of them lets you use them in order to influence others to drive better outcomes for everybody. And that is mostly it. And so now we have our questions that we can pop up here.

All right. Fantastic. Wasn't that amazing, audience? Wow. Nate Lee, our CISO locally here. Fantastic. Okay, we have some great questions for you. Love it. What are a few recommended books on persuasion psychology that you can apply to cyber security? Thanks.

Yeah. So Robert Cialdini, he wrote one, I think it's called Persuasion. But he covers a lot of these same principles, and you can read much more about the studies there. I think that probably would be the one I would really give people if I were to point to one.

Fantastic. When giving to get, is doing it after the fact, like a reward, relevant?

I think it's different. So if you give something afterwards, they're still going to feel obligated to give you something. It's just you're kind of paying it forward for next time. If you do it beforehand, then they're more likely to do the thing, whatever it was. So, I mean, I don't think it necessarily matters. It's something you should be thinking about doing at all times, because the more you can give, the more ends up coming back to you. I mean, and it's not just in security, right? Like in life, if you're always out helping people, people are going to want to help you and, you know, do nice things for you as well.

I love it. Okay, let's... this one is from Dan Hart. Nicolina mentioned that you are a headliner presenter and also a CISO. How long have you been in the industry and what would you recommend
for someone who is starting out to get on a leadership track?

Great question. I'm not sure how I ended up here in the headliner role, really. I was actually...

So humble.

I was actually asking her that same question before we started. But if you are getting started in security and looking to go in a leadership track, I mean, I think the big thing is first get really good at whatever it is you like. Find out what you like and really dig into that, because it's a lot of hard work. You're going to need to do a lot of things, and it's much easier if you like what you're doing. The other thing is, really related to some of this, getting to know all these other domains, like understanding how finance works, understanding how legal gets involved with your sales teams. Make sure you understand the sales cycle and how you as a security person fit into the business. Like, you're not there just to make the business secure. You're there because security drives some broader business outcome. So what does that look like? How does what you do tie to that? And the more you can kind of show that, the more you'll be seen by the other departments as, like, "Oh, you get it. You're not just a security person who knows how to harden a server. You understand the business." And the more you can do that, the more likely you are that when some of these spots open up, you can go move into them.

Amazing. Okay, final question. He has a plethora of questions. Thank you so much for participating on Slido. We greatly appreciate it. Can connecting the importance to a specific team improve compliance? For example, a cyber security training for the finance team that emphasizes saving money.

I mean, that's perfect, right? Because you're talking about similarities and you're showing them, hey, you understand their domain. You understand what's important to them, and the benefits of doing something like that. Like, yes, you can teach them the important stuff. It's probably good to do those targeted trainings anyway, because the concerns of the finance team are very different than what the support team faces day-to-day and very different from what engineering faces. But also you're building rapport with the finance team by being there, by showing them attention. You're giving them attention. You're also showing off that you understand their domain. So all of these things are going to tie into each other, and really it's just being mindful that this is how people's brains work. And so when you're thinking about efforts like that, you know, how do you kind of maximize the impact it has, the effect
it's going to have on those outcomes, and try to layer on as many of these things as possible.

Fantastic. I'd like to thank two special guests that are in the audience. We have Tony and Milton. Very, very special guests. Thank you for coming. And also, we are so grateful that you were here today that the staff wanted to give you something a little special. This is from BSides SF 2025. Just a little something for you. And audience, bars, right? Don't say what's in there. Not everybody gets the same thing. All right, audience, if you wouldn't mind, give them a great round of applause.

Thanks, everybody. That's my LinkedIn. Feel free to hit me up if you have questions.

And remember, if you have more questions, there were so many, at the top of the escalator on level four he is happy to connect with you in person for a lot longer, and we greatly appreciate your time. Okay, definitely.

Well, thanks everybody for coming down. And hopefully we'll chat.

Yes, of course. Just a couple of announcements, too. Let's see. We do have headshots available if you would like to update your LinkedIn or your portfolio. That's free and it's sponsored by Opal. So we're very appreciative of them. We also have a raffle running. It goes until... I think they're doing the drawing at 2:15. You do have to be present to win, so just keep that in mind. All right, we look forward to seeing you at the next presentation. Thank you so much.