
The Magical Science Of Cyber

BSides Lancashire · 25:39 · Published 2025-05

Transcript

So, thank you very much. Yeah, the magical science of cyber. I could probably also talk about the cyber of magic and all the dodgy stuff that some magicians are doing with cyber security technologies, but today I just want to have a talk about how we can use magic to engage users and to try and move away from awareness. And I'll talk a little bit about why. I don't know whether or not you have this nightmare. You wake up every morning and the world looks just the same, with all of the same problems and issues that you were looking at the previous day. Maybe some slight movements, but on the big picture, not enough movement in terms of the things that you worry about.

So, what's the background to this? Information security as a sociotechnical system deals with technologies, processes and people. But the reality is that in much of cyber security we've spent a lot of time and built a lot of technologies. We've listed endless policies and procedures that people need to follow, most of which even the people who have dealt with them don't know what's inside. But the people bit gets a bit forgotten, is the reality. We're very poor at dealing with the behavioral and the cultural part of our information security system. So this is not really a nice, evenly spaced system. And what you get then is something along the lines of an IBM report that came out in 2014. It said 95% of cyber security incidents are down to human error. I hate this statistic. It's this company that actually gets it all the wrong way round, but that's probably another talk. But the reality is it's not evenly listed out. We've got 90% of our problem being supported by people and yet we're not really focusing on it. We're not focusing on the key people. If we get to a point where we need our technologies and our processes, really, to some degree you could argue we've already failed.

So one of the great poster boys of the fact that we think we do people is the cyber awareness campaign. It's in our standards, our cyber assessment frameworks. It appears in our training programs. And just in case we think that this is all outdated: in the past, last week, the DIT and the National Cyber Security Centre released their governance code of conduct to sit alongside the Cyber Essentials program, and again we're dealing with awareness. But really, do we really feel that awareness is strong enough? I would argue that if we set our target as awareness, we are setting the bar way, way too low. And I think the science proves that. So we're going to have a look at what science says, and we're going to see why I think we need... Anybody know who this guy is? Yeah. Uri Geller, known mostly for this stuff, the spoon bending. But in actual fact, another thing that he did was he was brought in by the Defense Intelligence Agency, the DIA, to test out whether or not the US could develop a remote viewing capability. In fact, they thought at the time that Russia had already developed this and that they were behind the curve. So they were keen to catch up, and the DIA released a program called Stargate. And you can go on to the website. It's actually, strangely, on the CIA website. But you can go on, and all of the stuff that we're going to talk about in a second is entirely factual. You could go on there and read the documents for yourself.

But we're going to try a little experiment. Actually, I'm hoping it'll be a miracle, but it might be an experiment. If it works, it's a miracle. If it doesn't work, it's going to be an experiment. But I need a member of the audience to come up and assist me with this little test that we're going to do. So I need a volunteer. Is somebody going to volunteer for me? Because otherwise I'm going to volunteer. Sure. Great. Thank you very much. Round of applause, everybody. Hi, Andrew. Helen. Hello, everybody.

Right. I've got in my hand a set of declassified papers. Okay. And it tells the story of that experiment that they did with Uri Geller. And what they did was they put Uri, that's actually, you can see, not Uri Geller, it's a woman in a... but they brought him into a chamber and they tried to project images and pictures and words to see whether or not, by remote viewing, he could pick up what these are. But basically, through this document here you will see various pictures that they tried, some of what Uri picked up, some of what they actually sought to do. This one here, a bunch of grapes, was actually one of the images that they particularly used. And what was quite remarkable, by the way, he was in this chamber, and all of the images that they were seeking to project were outside. Uri drew exactly the same image with exactly the same number, 24 grapes, on it. So there's a set of pictures. There are also bits of text. Everything you can see is kind of different in here.

I want you to come over here and we're going to... We haven't got a chamber for me to be locked in, which is probably a good thing. I know. So we are going to do something that tries to have a sort of controlled situation for it. Okay. And what I want you to do in a second is I want you to hold up this page here. I'll be standing over there and it will shield from me and from everybody else what you're choosing. And I don't want you to click through, but I want you to just simply go to the document and lift up the page. See if there is a set of text that is on there or an image, and I want you to try and focus on that image and try and memorize it. Okay. Okay. All right, there we go. So, any time, just walk through it, lift it up, have a look. You got one. Okay. Is it an image or is it some text? It's an image. It's an image. Okay. So I wonder, could you focus... is there a kind of a... I want you to think about color for a moment. All right. Is there an image in the middle of that picture that particularly reflects a certain color to you? Yes, there is. Think about that color. Try and project that. I think it's quite a fiery color. Is it red? Okay. So, red. And now think about, is there another object on there? Yes. Okay. This is more of a kind of straight line or something like that. Yes. Okay. Keep thinking about... Keep thinking about... Okay. Could you describe the image that you have been thinking of? It's like a tattoo of the heart with an arrow through it. Thank you very much. Thank you for your help.

Okay. So, how does this help us with cyber security? So obviously I might be fooling you. I don't know how you did it. I know how I did it, and I might be fooling you. You might think that I might not be 100% trustworthy, that I have somehow engineered that situation to emerge. So if I was doing this within a training environment, we could be talking about social engineering. We could go on and talk about confidentiality, integrity, availability, the CIA triad, not the same as the CIA there, please leave me. Also very interested in the emotions that we get through this, and the fact that, you know, system one, system two, the Kahneman system one, system two. Actually the majority of what we do is automatic. Very little is actually this very thoughtful system two. They actually work in conjunction with each other. But actually, using certain tricks or whatever, we can actually trick people in the lane that we just got done. By the way, this is the brand. This is the MI brand for the magic stuff.

But what's the science behind this? Why should we be, I think, moving from pure awareness, cyber awareness, into cyber engagement? Because science is really clear about this. Behavioral science, to start with. There is no point in just thinking that we can work and develop our capabilities by purely looking at skill base, at our capabilities. Actually, behavior change is quite clearly known to need other qualities. There is a particular brand, I should say, of behavioral change science and behavioral change model which was done by Robert West and Susan Michie, and it says basically we need capabilities, opportunities, motivations, leading to behavior change. So have a look at that. But certainly the case is that motivation is super important. We've got to look at... we've also got to look at, and in fact actually this is both a kind of educational philosophy, educational psychology: the more that we can experience things. If we're sitting down and just getting our users to go through a tick-box exercise once a year, and even maybe some more in-depth stuff that is largely going to be text driven, I suspect, I've seen so much of it, actually that experience is just not being received by the user. It doesn't help in terms of the embedding of that knowledge. And also something called constructivism. Again, it's about active learning, that actually we build these up from our actions.

So we've got behavioral science, we've got educational psychology, and then the other one is the somatic marker hypothesis. This is around essentially neuroscience, and it says that actually when you are seeking to embed knowledge, actually that comes if you can engage the amygdala, the kind of emotional part of your brain, that passes up through to the higher... and really embeds various learning and everything as well. So we've got all of this science, but we're just not following it.

So what would good look like if we were to transition from a cyber awareness to a cyber engagement program? That's what I'm asking us all to do. It becomes much more engaging. We talked about that. Often it's about making it more specific; that actually, potentially, maybe the longer programs need to be supported, at the very least, by some smaller programs that people can pick up and carry on doing through a year. Ensuring that actually we're not just dealing with the threat of disciplinary action. We build this into our programs and stuff, and actually we have very little about positive enforcement. Actually, we need to gather... one of the big problems, actually, why I see that we don't do a lot of this behavioral stuff is that we've not been collecting the data, not in any sufficiently comprehensive way and not with a kind of strong foundation. And running real world simulations. Although be careful: if you think that we can just do those phishing simulations all the time, there is actually a point at which things become a bit of a problem. It actually diminishes our abilities as well.

So just some examples quickly. We ran "practice safe sex" around the Barbie film. We took that and we kind of ran with it as a means by which to produce something that was a little bit more engaging than let's just do the tick box and everything like that. We had a "practice safe sex" hashtag running throughout it and we were asking, as a strong female character, what would Barbie do in this situation? It had emotional triggers. It generated emotion. It proved that actually we got a lot more learning from that. Cyber escape room code. Highly recommend them; particularly they have things called escape rooms, cyber escape rooms. You get sent basically a bag. In this particular one, it has inside it a laptop, some other bits and bobs, clues. You actually work through with your team, and you can hire it out for a period of time, so you can do it several times with different teams. But again, you're engaging with experiential learning. And then also this company, so there's kind of various brands of this, value improvement projects, they have a noanwilddo.com website, so you can go and have a look at that. Particularly this, and this is actually often in a wider context of behavioral change, cultural change within organizations, leadership, but, you know, the strategic orbits exercise. Again we're dealing with something that is action-based and gamified and is a much more engaging way for people to kind of instill the learning that we're trying to... Yeah.

So this is the old way of doing it. Again, you know, we could argue where those pillars lie, but it's a very static, very linear process. I developed a new model, and it actually was built on some research that was done here at Lancaster University in military design. It's about bringing much more complexity into the model, recognizing that we should not be... sometimes we do need to be more techno-centric, but we've got to make sure that we also include some of the human-centric capability as well, and we need to be thinking much more carefully about that. And then sometimes we can make it really simple. We can control at quite a detailed level, but sometimes it needs to be a bit more holistic and a little bit more flexible, a little bit more radar.

So it might appeal to you, when you get back to your offices, when you're engaging with other organizations and everything like that, please just get your find-and-replace tool out and let's change "security awareness" into "security engagement". That's just a change of language, but I hope that in some way you can actually then go on from that to start thinking, okay, well actually, how do we turn that program into something that is more engaging, that actually involves more active participation from our people, and that actually begins to deliver on some of the security improvements and strengthening that we really need, alongside the technologies and the processes, for sure. I understand, I'm not saying that those are not necessary. They absolutely are. But we've got to do much more on the people side of things. So engagement, creativity, human-centered, and perhaps a little bit of magic in there as well. Thank you very much.

Thank you. Check it out for Andrew. That was great. Right. We've got time for a few questions. I'm sure you have many questions. Yes. You would like... Do we have anything? No, I can't answer the question of how did I do it. I'm sorry. Ask me to give away big picture. So interesting in terms of, like, tribalism specifically in security. Yeah. So I've been using the analogy of why, like, hardworking, well-practised magicians don't get on well with sort of lazy mentalists. Can you give a specific example where this approach has worked?

Yeah, I mean, I've gone and done these presentations, magic presentations, to various people, and we've done actually some of, you know, the ideas that are listed down in that slide before, where we've talked about the CIA triad. It's generally been for me a launch pad. By the way, experiential learning doesn't always have to be about active experience. It can be just something, as I said to you, about engaging the emotions, and it's just a much more engaged... we've had a lot more engaged people who have taken that and they've sort of run with it, and, in terms of some of the behavior also within the organizations that we've been working with, we've seen a shift. Does it solve all of our security problems? Of course not. But if you accept, and I don't, but if you accept the 95% human error situation, if I can make a 10 or a 20% difference to that, I'm making a very substantial difference to the overall security posture of the organization.

Have you a specific...? Well, yeah, we've worked in a facilities management company, and we were doing some training with them on engaging with kind of processes and cyber security stuff, and we were measuring. They had actually got a system to sort of measure some of the cyber security behaviors, and we saw a shift. It was about a 5% shift in terms of the change, so it wasn't actually hugely dramatic, but it was actually the first time that we had tried that program, and we haven't done further ones of that nature. I'm not saying it's a complete solution, but it's a part of our armory, and I think we're dealing with it at the moment with our hands... Now, at the back. Yeah.

How do you quantify behavior change when you monitor? And that is really one of the big questions, and part of the problem is that the metrics on it are really not collected. So what you can do, obviously, you could be looking at the obvious things that we could look at at the moment, which would be things like phishing links, and, you know, are people clicking on those links or are they not, so are we having more incidents that have been deemed to come out of social engineering. But actually it is really tough, and part of the problem is that the science on the data collection is really poor. So all we can do is go in, we can measure some of the, you know, it depends on what target it is that we're dealing with, but we can measure some of these statistics prior to a situation and after, and sometimes we could also do some sort of A/B testing where we've done sort of different types of training in different situations. But actually one of the things that I think we need to do, and it's actually been something that we've been in discussions about with the university here, because this is based here at the university, which has a development office here at the university, is actually, you know, can we build a program? We need to be talking to some of the government agencies as well. Can we build a program that actually begins to capture some of that behavioral data, maybe using something like the COM-B framework? And looking in more depth at the... Just one other thing quickly is that we also did some interesting research on does our behavior in one context reflect our behavior in another. In actual fact, it was around the COVID-19 behaviors. So when in COVID-19 we were asked to take particular behaviors that were to protect our own personal health security but the network in which we operate, and that seemed to be quite similar to what we ask our users to do in a digital environment. And we were looking at some of what's called process behaviors between the two, and we actually found, in early research, that there are some links between that, and it might be that some of those other behaviors are easier to measure. So then we could probably get to a point whereby we profile a little bit some of the individuals and actually then direct particular interventions towards particular groups of users within a network. Follow round.
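The before-and-after and A/B measurement the speaker describes in the last answer, as an added worked example (not code from the talk or its speaker): it constructs a small phishing-simulation result set, computes each group's click rate before and after an intervention, and applies a two-proportion z-test so that a shift of a few percent in a small sample is not mistaken for a real change. The group labels, sample size and click records are all constructed.

```python
"""Measuring a behaviour shift from phishing-simulation results.

Added example, not code from the talk. Records are constructed: one
character per user per campaign ('1' = clicked the simulated phish,
'0' = ignored or reported it). Group A received an engagement-style
programme between campaigns; group B kept the annual tick-box module.
"""
from math import erf, sqrt

SIMULATIONS = {
    ("before", "A"): "11010110011101001101",  # 12 of 20 clicked
    ("after", "A"): "01000010001100001000",   # 5 of 20 clicked
    ("before", "B"): "10110101101101011001",  # 12 of 20 clicked
    ("after", "B"): "10100101001101011001",   # 10 of 20 clicked
}


def counts(phase, group):
    """Return (clicked, total) for one campaign of one group."""
    s = SIMULATIONS[(phase, group)]
    return s.count("1"), len(s)


def two_proportion_z(k1, n1, k2, n2):
    """z statistic for H0: both click probabilities are equal (pooled SE)."""
    p1, p2 = k1 / n1, k2 / n2
    pooled = (k1 + k2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (p1 - p2) / se


def p_value_two_sided(z):
    """Two-sided p-value from the standard normal, via math.erf (no SciPy)."""
    return 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))


def before_after(group):
    """Change in one group's click rate across the intervention.

    With 20 users per campaign a 10-point drop is not significant; this
    is why a single small pilot (like the 5% shift in the talk) needs
    a larger sample or repetition before it counts as evidence.
    """
    kb, nb = counts("before", group)
    ka, na = counts("after", group)
    z = two_proportion_z(kb, nb, ka, na)
    return {
        "before": kb / nb,
        "after": ka / na,
        "absolute_change": ka / na - kb / nb,
        "z": z,
        "p": p_value_two_sided(z),
    }


def ab_compare(phase="after"):
    """A/B comparison of the two groups in the same campaign, i.e. the
    'different types of training in different situations' case."""
    ka, na = counts(phase, "A")
    kb, nb = counts(phase, "B")
    z = two_proportion_z(ka, na, kb, nb)
    return {"rate_A": ka / na, "rate_B": kb / nb, "z": z, "p": p_value_two_sided(z)}
```

Group A's drop from 60% to 25% comes out with p just above 0.02, while group B's 60% to 50% drift and the after-campaign A-versus-B gap both stay above 0.05, which is the distinction the speaker's "is the shift real" question turns on.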