
Great, hello everybody. Thank you for staying around for the closing keynote, and thank you to all of the organisers of BSides Scotland. It is wonderful to be here and giving the closing keynote; it's a big honour. So I am talking today about communication in cybersecurity. Anybody that knows me, or that has seen me speak before, or seen me on Twitter, will know that that's kind of a theme of my work: it's all about how we communicate about cybersecurity and what we can do to perhaps communicate more effectively. And when I say communicate, I mean with everybody, whether that is in general in the media, whether that is with people in your personal life at home, whether that is to kids at school, or in organisations doing awareness-raising, speaking to the board, just chatting about cybersecurity in any format. That's what interests me. What really drives me and motivates me is understanding why people behave the way they do and how we can maybe positively influence them to behave in a more safe and secure way online.

So for anybody who doesn't know me, I'm just going to take a minute to introduce myself. I'm the co-founder, along with FC, of Redacted Firm. We are a UK-based cybersecurity consultancy, and what we're really interested in is looking at cybersecurity from what we would say are the three main angles: physical, digital and human. We are interested in trying to demystify cybersecurity from all of those angles and make it more accessible for the average person. I've worked in this industry for about eight years. I've worked in consultancy roles, I've worked heading up awareness campaigns in organisations, and I worked for some time with an investigations and disputes team, so looking at the aftermath of when an incident has happened and what we can do to mop that up from the human side. I also run the website cyber.uk, and that is aimed at discussing cybersecurity and making resources and news and stuff available to anybody interested in security. One thing that I have on that site, that I try to keep up to date (I haven't done such a good job in that lately), is the events calendar: a calendar of all the UK events about cybersecurity. So if you run an event, whether it's a local event or a national event, send me the details and I'll put it up on that calendar so people can see when stuff is happening.

But that's the boring intro; you could find out all that stuff about me from LinkedIn, and who wants to hear that? It's the end of the day, we're here to have some fun as well as talk about cybersecurity, so here's a little bit more about who I am as a person. I am Doctor Jessica Barker. Of course, not this kind of doctor. Sadly not this kind of doctor; there's time, maybe. I am, of course, this kind of doctor, so I can't help when something like this happens, because, as you will appreciate, my work is much more serious. I work in cybersecurity, as you know, but I'm not one of these. I am NOT one of these. And I only occasionally get to go to work dressed like this. My background is in sociology, sociology and sort of town planning stuff, so I am very interested in the human side of cybersecurity. Working as a consultant, running a consultancy, people who are not consultants often say, what does that even mean? It's a very fuzzy term. What do you actually do on a day-to-day basis? Well, consultants, we do very important work, like writing the word "success" on a transparent wall, doing lots of jigsaw puzzles, and I like to hone core skills in giving high-fives and fist bumps. Yes, good fist bump. Very good at the high-fives and the fist bumps. So that means I get to do lots of stuff like this. I talk about cybersecurity all around the world, do lots of media stuff, lots of outreach stuff. The media come to me quite regularly; I'm in Grazia this week, thank you very much [Applause]. And they come to me because I talk about cybersecurity in pretty much non-technical terms. I'm kind of the middle person translating the technical stuff for a non-technical audience, but usually what that means is responding to the latest attack or breach. So you might sometimes turn on the TV and see me on there looking shocked. You might see me on there looking disappointed. Of course you're gonna see me looking angry, and on a really bad day you might catch me looking sad. You all know that working in cybersecurity makes you shocked, angry, disappointed and sad on a regular basis. That's why I'm talking about optimism today. I think it's important: we're dealing with difficult problems, we're all very busy people, and I think it's good to let off steam in your personal life. So I do stuff like this, and I do stuff like this, and I make stuff like this (alarm clock, not bomb), and stuff like this, an excuse to use a hammer.

So that is me. As I've said in my intro, obviously working in cybersecurity we're dealing with problems all the time. We are probably attracted to this industry, and we work in this industry, because we are looking for problems. We're looking for where things don't work. We are trained to look for flaws and to think about workarounds and to deal with some difficult challenges. But what I want to talk about today is why it's important, in my mind, to be optimistic, and how I think we can be more optimistic as an industry. Now, I've not done this talk before. There's a few slides, if you've seen me talk recently, that you might have seen in another talk. I've built this talk out of a bigger talk I do, so this is kind of one section of a talk I've been giving recently, and I've expanded it to dwell a little bit more on optimism. The other talk I've been giving is about human biases, and it's about why people maybe aren't engaging with cybersecurity that much, and one of those sections was about optimism, but I wanted to talk about it in more detail. Sometimes I think people get a bit confused when they hear me talk about optimism and they think that maybe I'm trying to deny that there are problems, that I'm trying to be a bit Pollyanna and to say, you know, everything's gonna be fine. Of course that's not what I am doing. I work with people day to day, I do awareness and training, so I'm very familiar with some of the challenges that we face. But for me it's more about how we approach our problems and the mindset that we have, and that's what I am trying to get at when I talk about being optimistic.

So the first section that I'm going to talk about is why we should be optimistic. I'm naturally quite an optimistic person; that's just my personality. But I really became interested in it because some people have pointed out over time, when they'd see me give a talk (and I guess, looking back, most of the themes of my conference talks have an optimistic element to them), people do comment on me being optimistic. But I wasn't really aware of why it was important until I started reading up on some of the psychology around optimism. There's been a lot of research over the last decade or so, a lot of it led by a neuroscientist called Dr Tali Sharot. She works with University College London and MIT, and she's done loads of research into what she has called the optimism bias. Dr Sharot was looking at memory. She was really interested in whether people's memory of past events influenced whether they were optimistic or pessimistic about what was going to happen in the future. What she found was that even when she asked people to imagine quite mundane things in their future, like putting the bins out or brushing their teeth, when she would ask them to imagine it and describe a scenario, they would tend to describe very fanciful stuff. They would describe something absolutely amazing happening, and it would never be just a mundane task that they would describe. So she started to look into this more and started to be quite intrigued by this idea that we're optimistic. She's done about a decade of research with various different research teams around the world, and what she's found is that most people veer towards being optimistic in their personal lives. So, for example, if you ask someone on the day of their wedding what the statistics around people getting divorced are, they will know that about 50% of marriages end up in divorce. But ask someone if they think they are likely to get divorced, then of course, on their wedding day, they're gonna say no, there is zero chance, it's just not gonna happen to me. So people think the bad stuff happens to other people and not to them.

The issue with this, when it comes to cybersecurity, is that we face this kind of issue where, if we try and tell people, you know, however many percent of organisations get hacked, everybody's gonna get breached sometime, it's not a matter of if but when, the response will always be: well, why would hackers want my data? It's not gonna happen to me. Why would anybody hack me? They're gonna hack the guy next door. And our response to that, as an industry, is usually to shout louder, to confront them with more facts, to tell them, no, actually, you are going to get hacked, it is gonna happen to you, to try and prove it. We try and beat the optimism out of them, usually with facts. But what this research into neuroscience has proven is that optimism is more powerful than facts. One study that Dr Sharot did with her team was to get a group of people and ask them how likely they thought they were to get cancer, and what she found is that people generally would answer about 10%; they thought they had about a 10 percent likelihood of getting cancer. The scientists would then explain to them, oh well, actually we all have about a 30% chance of getting cancer, and then they'd ask them again: so now you know the fact, how likely do you think it is that you're going to get cancer? And they would say, oh well, maybe it's 11 percent. So people still didn't think it was going to happen to them. They still thought, yeah, but I look after myself, I exercise, I eat well. They came up with all of the excuses as to why, okay, that might be the statistic, but I'm gonna buck the trend, it's not gonna happen to me. And of course this is what people do when we talk to them about cybersecurity. When we give them all the facts and all the figures, they think, yeah, that might happen to other people, but it's not gonna happen to me.

Then another issue that we have: the more we tell them that these bad things are going to happen, of course, if they don't happen... and I'm very happy that both the opening and the closing keynote have topped and tailed the day by talking about the boy who cried wolf. Because of course, if we tell people that the bad thing is gonna happen, the sky is gonna fall in, the sky is gonna fall in, the sky is gonna fall in, the breach has happened, data is exposed, it's lost, but the sky doesn't fall in, people then come to see our warnings as just white noise. So we have to be very careful with how we pitch our warnings and our communications, because if we're too alarmist, people end up just switching off.

So, the good news about the optimism bias is that optimism actually makes people try harder. If we try to just convince them that it is actually terrible, the Internet is broken, you are going to get breached, then of course what people do is they say, well, what's the point? I'm gonna be hacked anyway, so why should I worry about it? Why should I spend the money on it? If we tell people, actually, there are lots of things you can do, there's some quite straightforward, some simple things, and okay, it's not going to remove the whole risk, but it's gonna really help minimise your risk, and I'm gonna help you do it, then of course they're going to try harder. If you think that something is achievable, then generally (it's just common sense, but it has been proven by science) people will put their mind to it and put more effort into it. The other thing about optimism, and the reason that I think the psychology lends itself to being quite important to us as an industry, is that a lot of research suggests that being optimistic is better for your health than being pessimistic. There's been research around heart disease, around strokes, around immune systems, and some people argue with it, but there's been a great deal of research and it suggests that if you're pessimistic you're more likely to suffer from heart disease, you're more likely to suffer from a stroke, and that being pessimistic also potentially has an impact in weakening your immune system. So as individuals, taking a more optimistic view seems like it has been scientifically proven to be actually good for our health.

So that is the psychology. But that might sound all well and good, and that doesn't necessarily mean we can put it into practice, or it doesn't necessarily mean it's rooted in something that's actually very helpful. So what I also had been reading about and thinking about, planning for this talk, was other challenges that we've faced. When we are very pessimistic about cybersecurity, I kind of think about all the things we've achieved as humans. I look at the world around us and I think, really, is internet security the problem that we just can't solve, when we've solved and achieved so many other things? Is that really the case? Aren't we capable of more than that? So I wanted to take a minute in this talk and look at some of the big challenges that we've overcome, to think about whether cybersecurity is another one in that line of challenges that of course is difficult, but that doesn't mean that we aren't capable of eventually solving it, or getting ahead, eventually beating the attackers.

The first challenge that I started thinking about... and in terms of this, the book Homo Deus is really interesting, if you've not read it. It is about the past and the future of humanity and looks to the past to think about where we might be going, and it's a really interesting read. One thing that the book does is it goes through some of these really big-scale challenges that we faced as humans and considers the progress that we've made around them. One of the things it discusses is famine, and the fact that we no longer suffer from natural famine anymore. Of course, this is not to say that there isn't a lot of hunger in the world, because of course there is. There are millions of people who are hungry; there is a great problem around food insecurity, nutritional insecurity. But natural, wide-scale famines don't happen anymore. When there is a famine now, we recognise that as a political failure. We don't just think that it has been sent by the gods and there's nothing we can do about it. We actually challenge the status quo and we say, this shouldn't have happened, we need to work harder to make sure it doesn't happen again. If we go back a few hundred years, we can look at the scale of the problem of famine, and it's phenomenal to think that there were countries a few hundred years ago where 15, 20, 25 percent of the population died from famine. And then if we look to more recent times, we can see that actually eating too much food has become worse for our health, and more of a problem in terms of public health, than having too little food. So famine: a huge problem, and we have managed, as humanity (it has taken time), to rid the world of natural famine. If we think about cybersecurity and the time frame that we have been living with the internet and trying to secure it, then of course we're a tiny, tiny part of the way in compared to dealing with some of these other challenges.

Such as epidemics. Again, just like famine, when there is an epidemic now and it spreads, we don't see that as something that is just natural, something that has just happened, something that we have to unfortunately accept. Instead, we recognise that that is a political failure. And this quote really stood out to me, because I thought this is kind of what we are trying to achieve in cybersecurity. You know, we all recognise there's never gonna be 100% security; that's not where we realistically expect to get to. But winning the arms race, getting ahead of the attackers on a large scale, that's kind of where we want to be. Again, we can look at epidemics and we can see, hundreds of years ago, some huge epidemics spreading around the world, and at that time authorities didn't even know what caused them. One of the main theories was that it was bad air, miasma. With the way that we live now, a lot of people predicted that with growing populations and with greater international travel we would have more of a problem with epidemics, that of course there would be more germs spreading faster. But because of advances in modern medicine we no longer have this. We can go back only a hundred years; there are people who are alive today who were born before the Spanish flu, and that shows us just how recent some of this problem still was. More people died from the Spanish flu just after World War One than actually died in the war itself. So we can see this as a huge challenge that we actually have overcome fairly recently. Of course we still face epidemics, we still see people dying of horrible diseases, new diseases emerging and starting to spread, but what we have started to do is get ahead of the game. Smallpox, the first epidemic to be eradicated by human action; polio, very close to being eradicated. So what we can see is that with time, with a lot of money, with a lot of research, a lot of effort, these diseases are contained. When SARS hit, it was expected that that would be the new Black Death. You'll remember a lot of the news about that, a lot of the panic about it, and in the end, of course it's tragic, it's awful that people die from these diseases, but it didn't spread the way that people expected. The same with Ebola. And then of course we get to AIDS. AIDS of course has killed millions of people, and was a much more challenging epidemic to try and deal with as humans. AIDS was a unique challenge to the medical community because when somebody got the virus they didn't present with symptoms immediately, so the disease was spread without people knowing that they were spreading it, without people knowing that they were ill, so it spread very quickly. But also, when people presented themselves with the virus, the virus of course doesn't kill you; it weakens your immune system. So some people were dying from cancer, some from pneumonia, from other linked diseases, so it's quite hard to find the root cause. So it's a really big challenge, and yet within ten years of it being identified, AIDS got to the point where it was managed as a chronic condition. As long as there was the money there to do it, then AIDS is actually manageable. If we think back to whether AIDS had emerged hundreds of years ago, the impact that that would have had on the global population would have been much starker. So as humanity we have managed to really get a grip on epidemics and limit the impact and the spread that they have.

Another big challenge that as humanity we have faced and managed to massively overcome is around global violence, traditional warfare. What we now see is a great reduction in violence. I think people still think that, you know, we live in a violent society. Of course violence does happen, people do die from violence, but it's been greatly reduced. Again, we can see everybody worries about terrorism; obviously terrorist attacks are awful, but we can see the small percentage of people that die from terrorist violence compared to something like obesity. And now we conceive of peace in a different way. When World War One was brought to a close and people would say we now have peace in Britain and Germany, what this meant was that we were no longer at war, whereas now we talk about peace as being: war is inconceivable, we can't imagine being at war with Germany. So we've really moved on in terms of violence and peace on a global level. We can look a little bit closer at World War One, and in particular the Battle of Verdun, which lasted a phenomenally long time and killed a huge amount of people. Part of the reason that World War One killed so many people is that it was a 19th-century war using 20th-century weaponry, and I think this is quite a nice analogy for cybersecurity, thinking about how we can keep our tactics up to date with the attacks that we're seeing.

Just before, I was on Twitter looking over my slides, stuff like that, and I don't know if people saw the news that has emerged today. I don't know if people saw the handshake, the historic handshake. This morning we were getting ready and saw it on Twitter: phenomenal to see that a peace deal has been struck between North and South Korea. And I thought it was quite amazing timing, just before I start to talk about the fact that we are overcoming global violence, to see that these two countries have managed to strike this deal of peace. What's particularly interesting is that Kim Jong-un (I can never say his name, sorry, yes, him), when he came to power, everybody said it's gonna get worse, he's gonna be worse than his father, we can expect more violence, more war, more statements of power. There's been lots of discussion in the last couple of years over North Korea and cyberattacks, and then what we've seen is he's actually reached out for peace. I thought the most amazing thing to see in the handshake this morning was when he took the leader from South Korea back to stand in the demilitarised zone and to pose for a photo there. For him, he obviously wanted, or him and his team decided, that getting that image was a positive thing. So we have a lot of evidence from human history to show that yes, we face big challenges, big problems, but we're capable of overcoming them. So if we can overcome famine, if we can overcome epidemics, if we can overcome global violence to such an extent (of course the challenges are all still there, but they're much more manageable), then can't we do it with cybersecurity?

So I started to think about things we can be optimistic about, achievements that we have made. I tweeted the other day about how I was giving this talk, and Quentin (I don't know if people in the room... I know some will know Quentin, and he's a CISO) came back saying he'd been having a similar conversation, thinking about the achievements that we've made in InfoSec in the last 10 years. So why are we not optimistic? I think one reason is that we focus so much more on breaking. I don't mean to criticise that: of course it's good that we talk about flaws, it's good that people publish their research, it's good that we have an awareness of where there are problems and flaws and issues. But what I think would be beneficial for the industry is to focus more also on achievements, on solutions, on where we have fixed things. We don't often take stock; we move on to the next problem without acknowledging that actually there's a bunch of stuff that we have fixed or improved. So one thing we've started to put together at Redacted, very recently, is a timeline. In preparing for this talk I was looking for a timeline of security achievements. I can't find one online; like three of us were looking for it and none of us can find it. You can find loads of timelines of malware and ransomware and attacks and worms and viruses, but there doesn't seem to be anything chronic rhinology... chronology, probably; I can't speak today... there doesn't seem to be anything capturing the achievements that we've made. Thank you, Andy. Why is this? Why has nobody been interested enough to say, these are the things that we have done, these are the foundations that we've built in terms of security? So we've started putting it together. It is certainly far from complete; there will be some glaring holes in it, which I think is great news, because this is about what we could fit onto the page quickly and there's loads more. The way I look at it is to see that in the 60s, 70s, 80s, 90s we start to build the basics of technical security. We start to put some of the measures in place in terms of encryption, in terms of firewalls, in terms of PGP, bug bounties. We start building up a little bit more, and the community stuff, OWASP. Then we get a little bit more sophisticated: we get VPNs, two-factor emerges and starts to be pushed. It was only in 2011 that Google introduced two-factor to Gmail. Then very recently, this year, last year, Google decided of course that there are issues with two-factor SMS, and so they have made the default to be Google Prompt, where you don't have to get a code by SMS, you just have to say yes, I'm trying to log in, on your phone. So what we can see in the last year or so is a move towards a more holistic approach to cybersecurity. We've built up a lot of the technical stuff, we've solved a lot of the technical problems, and what that has done is pushed attackers into making more human-based attacks, and so we're starting to build up some of the more human-based defences: looking at attacker heuristics and how we can identify accounts being hijacked, and also looking more at the physical stuff and how the physical stuff can be compromised to carry out a larger cyber attack. I wasn't really familiar with this until recently, but the Internet Atlas, which is the first really large-scale mapping of the physical structure of the Internet... sadly it's Flash-based. I'm hoping they're gonna sort that out, because none of us have looked at it yet to see if it's actually as good as it seems to be, but in theory that's a great thing, all moving in the right direction.

So we've achieved loads of stuff, but we don't really recognise it, and we can consider why we tend to be cynical and why security comes late, why it isn't built in from the start. For this I found a really interesting talk online by Alex Kampmann at Qualcomm, and he was talking about the fact that he's worked in the industry, it seems, for decades, and he used to be nicknamed Dr Evil. He said he spent about 10 years predicting the next terrible cyberattack, the doomsday, you know, Die Hard 4 scenario where the lights go out and we're gonna be doomed and catastrophe is gonna rain down on us. So he spent about 10 years predicting these and making these comments, and then it would never happen. So he then flipped it around and he realised, in his words, that there is a natural evolution of technology, and that actually technology, we build it and we think that we can control it, we think that we are the gods of technology, but actually technology takes on its own evolution, and as a community we build it and we make it stronger. So he actually now has the nickname Mr Positive, because he's completely changed his frame of mind. One thing he talks about, one thing that the article says, is that when innovation slows, security grows. He makes the analogy with the car industry, and he says that all of the convenience and nice features in a car were in there first: the radio, the aircon, all of that stuff was put into a car first, and then only when all of those nice convenience features started to be stabilised and all cars had them did the industry look at seat belts and putting seat belts in. He draws that reference with PCs and says that in the early 1990s PCs were changing, being upgraded so often: you'd buy a PC, you'd get it home, you'd set it up, and by the time you've done that it would be out of date. So when you got a virus you were kind of glad, because it meant you had an excuse to go and buy another one. By the 2000s, firmware started to stabilise, people wanted to invest and keep their PCs longer, and so there started to be more of a drive and an emphasis on security. Around this time Bill Gates published the Trustworthy Computing memo to Microsoft employees, saying, you know, we've had lots of nice stuff with PCs; what we now need to do is look at how we can make them trustworthy, how we can make them secure. So this is all quite recent. Cybersecurity is... I mean, the digital age is recent. I agree with Paul's point this morning, though: we don't really know where we are with it. We haven't really considered the pace of technology, the influence that that has on our lives, and the fact that security hasn't been built in, the fact that we are still having to struggle and fight. Actually, we're still at day one or two, maybe day two; we're so early on as an industry. We've got a long way to go, and that feels frustrating, but I think we just have to accept that that's the way it is, and what we can look to do is make incremental gains, improve as we go, head in the right direction, and not expect that this can be fixed overnight.

One thing we certainly should be optimistic about is that we have more money than ever before. So I'm gonna check my stats: Gartner has predicted that security spending will reach 90 billion dollars this year. With 90 billion dollars you can buy every sports team in the world, not just in football, every sports team, twice over. It's a lot of money. So we have a lot of money, and everybody of course feels like they want more budget, and that's not to say every organisation has a good budget, but as a whole we're getting money. We're also getting attention. We're getting attention from the boards of organisations, we're also getting attention from people at home. Cybersecurity is on the BBC more than ever, it's on Sky News, it's in all of the mainstream media, and it's also reaching women's fashion magazines. One of the best resources for cybersecurity guidance is Teen Vogue in America. I picked out their two-factor authentication article, but there are so many more; they do so much good stuff around cybersecurity. And we've seen profiles of women in cybersecurity, so they've got Zoe Rose in Vogue magazine recently, I was in Grazia, yeah. We're seeing people who would be non-traditional audiences being interested in cybersecurity, and that's an amazing position to be in. A lot of other social causes, a lot of other causes that are looking for change, looking to improve things in society, would give their eye teeth to have that kind of awareness, to have that kind of attention, and we've got people coming to us asking for it, asking for information, asking for help.

So I have argued that optimism would be good for us as an industry, that it would help us enact more change, that it would be good for us as individuals. I've argued that we have reason to be optimistic because humanity is able to overcome big challenges, and I've also argued that we have reason to be optimistic because actually there's lots of good stuff happening in the industry. That's all well and good, but how can we practise optimism? How can we actually change what is quite a cynical culture in our industry to be a more optimistic one? One thing I was thinking about was around athletes and the Olympics. 11,000 athletes took part in the Rio Olympics. They all go into it thinking that they're going to win, thinking that they're gonna get a medal, and a handful of them do. So how do they have that kind of optimism? Because they need that belief to do well, to do as well as they can; they have to believe in themselves. What they are coached in is very much not looking at the big picture: not doing their training (they train for four years), not doing their training in year one, year two, year three, not even going into the Olympics thinking about the big goal that they have. Instead they're trained to think about the next goal and the next goal, and to build up bit by bit. I thought this was a nice way of thinking about cybersecurity. We often look at the big picture, and we often worry about the fact that the Internet is broken, but instead, if we think about smaller goals, and if we try and focus on just getting some achievements bit by bit, that's going to be our best way of maintaining optimism. Because this is not how success happens: it is not a linear process that always goes in the right direction. We have to accept that it looks more like this, more like it does on the right, if not with more dips downwards. I think somewhere we could improve in cybersecurity is to have more of a culture of failure: to acknowledge and accept that things go wrong, that we make mistakes, that there are attacks, and not to always point the finger and victim-blame and call out companies and be so quick to pile on and lay blame. More of a culture of failure would help us to learn from the mistakes and would help us to not feel like it's the end of the world when there is a breach or when something happens, but instead to acknowledge that we are going to face setbacks, and that doesn't mean that the whole world is doomed.

So if you get a block of marble and you want to carve a statue (I can't even imagine how you conceive of that; how do you conceive of making something like that, chipping something like that out of a big block of marble?), what you do is you just have to chip away at it. You're not gonna get to that overnight, but you have to trust that the process will win out and you will end up achieving what is your vision. This is where I think we need to be: we need to think about how we can make improvements bit by bit, how we can chip away at this problem without worrying about trying to solve it overnight. This slide is from the work by Carol Dweck, who is a psychologist who has looked a lot at mindset, and she talks about the importance of a growth mindset. She contrasts that with a fixed mindset. A fixed mindset is the idea that you have to have talent to do something, that something is either gonna work or it's not. The growth mindset, which has been pioneered by Carol Dweck's work, is really to understand that actually if you work at something, if you keep going at it, you will achieve it; we're all capable of that, and failure should not be seen as the limit of what we can achieve but actually an opportunity to learn and grow.

What I wanted to leave you all on was a quote from an article that I saw a few months ago by Bob Covello. Why it stood out for me is he's talking about the InfoSec industry being young, and he's talking about some of the issues that I've mentioned in this presentation: that actually we've got a long way to go, and compared to other industries we are very new. One thing he says is that instead of us trying to think about solving this problem immediately, what we should be thinking about right now in cybersecurity is how we're laying foundations for the future generations. We are not going to solve the issues of cybersecurity overnight, but what we can do is lead the way in creating an industry and a community that puts it in the best possible position for the next generation and the generation after that. If you've not seen the article, I'd highly recommend you go and look at it; it's a really interesting and really optimistic approach to cybersecurity and to the industry. So I thought that was a nice way to end my talk today. If you've got any questions I would be very happy to hear them now, or you can contact me: email, Twitter (Twitter's probably best), and I would look forward to having a conversation with you all. Thank you for your time and attention.