
[Music] so let's see where are we um so this is actually the first time I gave this presentation so I'm not sure about the stories I'm going to tell I'm not sure about how good my bad jokes are going to be I don't even know which bad jokes I'll have for this session so you know we'll have to see but let me start telling a story this is actually a true story where and I swear this is a true story um we were once running a fishing simulation against a really large organization it was actually a family run organization where members of the like family were owners of the company and everybody knew these owners and
stuff like that and so we sent a fishing message in and these were some pretty targeted emails and you know one of the messages was specifically I met this owner and he recommend that I contact you for a potential job my resume is attached can you please review my resume and let me know if there's any jobs per the owner and what happened was obviously this was a fishing simulation and so when people would open it they would get the message they would if they clicked on the message what would happen was especially if they tried to open up the attachment they would get like the mandatory training says you know okay you clicked on a
fishing message here's why you shouldn't do that anyway we had somebody actually reply to the fishing message and say I've can't get into your message I keep getting these strange errors can you please resend the message and we're like sitting there think is somebody you know I like you know I wrote you can stop stupid and you're not stopping stupid from existing and you know I always think that the US that the developers who allow users to create damage are the stupid ones not necessarily the users but I'll tell you one thing this was a really really stupid user where they had actual training or forc training that said this was a fishing message and yet
you know we're sitting there debating whether or not they're trolling us and you know we thought no this is actually a real message when we did the research and then there was actually another time so when I would develop awareness programs for large companies there was this 160,000 person type of company and we created the awareness program and what happen and how I do that is I start to interview people and you know see what their impressions are about you know the current the current awareness program and this one woman and I'm talking to her and you know I wasn't really sure what she did or whatever but she sits down and she starts saying okay
well one thing I don't like are those fishing simulations I'm like okay why and it's like well I clicked on one and I felt like I was being targeted I'm like okay you know we do this because you know if you click on a real one this could be bad I'm like by the way what do you actually do for the company she goes I'm in charge of HR and I'm like sitting there thinking if you're clicking on basic fishing messages this company's in trouble because and people just don't realize that so anyway what happened was I've always been fascinated about why some people click why some people you know click others don't and all that
sort of stuff and let's face it when you've been around you know there's only really a few people who really click and do most of the damage the reality is over time everybody will fall for a mess message that's a given if anybody ever says I never fa for a fishing message you're a liar or you don't check your email those are really the only two options now I know I fell in for i f have fell sorry I've been like back and forth 10 hours on either direction but anyway so what happened was you know you've got to understand you will fall for messages now but there are people who consistently fall for messages because
there have been some messages I personally fell for where like so one was it appeared to be from the CEO of my company and he's like I get this generic email saying you know supposedly from him um I need your you know can you send me your cell phone number and I'm like so I just quickly reply because I just woke up in the morning and all of a sudden I realized after I sent it I go why is he sending me that message when he would just get me on teams if he really wanted me and then I was thinking okay let me open up that message again was this a fishing simulation and then
it's like no that was a real fishing message and I know the next thing that was going to happen was likely that the criminals were going to then come to me via my cell phone number and send me a message to try to you know go out and buy gift cards and give him the gift card numbers or something like that that was going to be the next thing now would I have fell for that definitely not but the reality was I still fell for a message and I do awareness programs for part of my job which is a little bit embarrassing I must say so anyway but the reality is some people are those
people who are just going to cause more damage than others and we got to figure out why these people are causing more damage than others and this is going to be kind of sensitive I have this whole thing on political correctness in like a couple slides because frankly a lot of people don't want to know who these people are even though they're going to be the people who caused the most damage so anyway I'll start talking about that and stop babbling and again this is the first time I gave this presentation or have or have ever will give this presentation so my timing might be off or whatever so hopefully I won't run too short or too long anyway so let's face
it users are users and no matter which study you do it is true that users are the primary attack Vector usually the studies say 95% of all attacks you know lately there was one that's at 75% and the reality is whether it's usually 95 or maybe there's an outlier of 75 users are still again going to be the primary attack Vector of just about every major attack out there and no matter what happens awareness programs seem to always be the worst use of money and the reason I say that is they seem to be the worst use of money I wrote security awareness for dummies and believe me I see the value of a good security
awareness program cuz I'll just get this out of the way no SEC no security counter measure is ever going to be perfect it really bothers me when I see cryptographers write about how oh users are stupid and awareness is a complete waste of money and then I'm thinking didn't cryptography break and don't we have a higher Alliance upon cryptographic functions than we do on users and you're complaining about the users it just seems that users fail more frequently and that's okay but the reality is is that any security counter measure will fail and the reality also is people aren't spending that much money on security awareness so it kind of does have one of the higher return on
investments because even though it's not going to like reduce 99.9% of you know potential harm it's still going to reduce maybe 96% of potential harm and if you're only spending a little bit of money that 96% is kind of valuable then there's the other thing which is like 4% of users I think this was a study that was put out by Elevate security it was actually performed by cenia if you know cenia those are really smart people and they did a good study that said hey 4% of people are the people that cause 80% of the damage inside organizations so you have the same people again and again and again who are creating the damage inside organizations
so you know that leads to the question who are those 4% what can we do to identify them and then potentially if we identify them what can we do to secure against these users in general so that's part of it and then since this is kind of like bides and everything like that I'll you know it's more fun to tell you how to exploit those people but again little later so why it matters you know from a defensive perspective like I started mentioning if you know who those 4% are are you can start to potentially isolate the users you can go ahead and put them in a little sandbox you can go ahead and put more filtering around
their emails and so on and I know this is where I'm going to address this just ignore whether or not it's right to do this for now and I'm just telling you what you can do if you're willing to do it you know you can enhance controls because one thing that bothers me and again you know I mentioned you can stop stupid because designers allow Design Systems that a user can click on a message and ruin their entire network and if a user can click on a message and ruin your network your network sucks there's no way around that and you have to accept it so you need to have resilient networks and so on but the
reality is one of the ways to do that is to have the user experience a little bit more nailed down for certain users than others if you're willing to do that and you could also be more alert to their actions because you know if you have a person who's been kind of um causing you a lot of problems over a period of time you can kind of know let's put a few more triggers around that person and so on now it's more fun for me because you know I got my start doing social engineering and Espionage and the like and frankly if you know who these people are you're going to have a higher success rate so if I go out and put a
fishing simulation together or if I'm going to go ahead and try to break into an organization I'm going to figure out first who are the more susceptible users because because when you go ahead and let's say you do a fishing you know you do a fishing attack to start to get your foot in the door what happens when an alert user gets this message the alert user might not just not click they might alert the admins who will then clean those emails out of everybody's inbox before the users have a chance to get it so I'm going to want to Target the messages only to those people I think are more susceptible you know also makes
it less likely to be detected and I could also tailor attack to those people with those vulnerabilities I don't have to go ahead and make a generic message and send it out to hundreds of people I could make a much more targeted message maybe to send it out to maybe a you know like 10 or fewer people where I know I'll get a foot in the door and if any of you have done penetration testing or red teams whatever you want to call it you know all you need is one foot in the door and you should be able to own Mo just about every Network out there so your goal is to get a foot in the door
now actually one thing I realized I don't let me I mentioned this and I should have put a slide in here is anybody familiar with the acronym mice money ideology coercion or ego this is how you know like I worked at NSA one of my best friends was a Russian spy have CIA friends and stuff and there's the way the acronym mice is how they figure out how to Target people so for example I once had my friend Sten he was the Russian spy I'm like Stan how did you go ahead and you know how did you go ahead and like recruit Americans to betray their country for Russia that seems like a pretty much uphill battle
he's like I asked for a cigarette he's like what do you mean you ask for a cigarette he's like I I go to a bar during lunchtime and first off if I'm at a bar during lunchtime and there are people here I know I have a good one anyway and so what he does is he asks for a cigarette and he's like I if I ask for a cigarette with my funny Russian accent and they give me a cigarette and they keep talking to me I know I have somebody who just doesn't care that much and then I ask my friend you seem friendly come back tomorrow I will buy you lunch and then it's like if they
come back tomorrow and buy them lunch with a few more drinks the next day he has somebody again and again and again that he can build up trust with because what a spy does it's sort of like those bad dating books I don't know if you have ever done this but those bad dating books are like throwing out AO fish net where you have these really really bad lines and if a woman says yes to your really really bad lines it means she's looking as well so you've kind of just thrown a broad net out and this is what these people mostly do they put their personality out there knowing that hey somebody who has half a brain is going
to know there's something wrong to this but they keep going on and eventually they find the right people that they hone in on again with money so for example does somebody need money ideology do are they really upset with the US government you know coercion can they get something to Blackmail on if they're having a lot of drinks during lunchtime you have a really good start and then ego obviously you play to somebody who hasn't been rewarded at work is not highly respected and stuff like that and then I asked then I go you great you got all these things and I'm like how do you know they actually have data you need he's like I you can't spit
in Washington DC without hitting somebody with a clearance and that's pretty much what we have I'm guessing that a lot of people here have top secret clearances just because we happen to be Baltimore charm with cleared contractors out there and everything like that so anyway that's a little side note I should have thrown in so now let me note on political correctness many people don't want to admit that some users represent more harm than others because that indicates you have a responsibility to act against those people who might have more harm than others and they say singling out users for disciplinary action a lot of companies don't there's this whole thing going back and forth regarding like
should you fire somebody if they keep failing fishing simulation message or fishing simulations and you know I have my personal preferences but a lot of companies this is a serious discussion the large Financial organizations will and I once asked somebody who works for one of these large organizations I go cuz I like he was we were talking he's like yeah I just got one of those messages I hate them I'm like really he's like I go why he's like well the first time you get one if you click you have to watch a stupid video if you click on it a second time then you have to talk to people in the security office if you click on it a third time you
could be fired I'm like how do you feel about that and he's like you know if I click on one of these fishing messages and it's real I could cost the company more money than I will make in my lifetime and that's a good way to perceive it and was kind of happy for the awareness program because they at least drilled in a sense of not gee you will be punished if you do this but why they are concerned if you do this and what might lead to punishment but anyway those are kind of the issues and then users may have restrictions placed upon them like for example if I say you know what if you fail a lot of fishing
messages or I think you're more vulnerable I'm not going to give you as much access to data in the company could that harm their promotional capabilities could that potentially set people back in their careers CU they can't do better research and so on you never know but these are things that come up now many red teamers and I say red teamers because fundamentally the attackers will use this information without a second thought let's all acknowledge that but the red teamers don't want to specifically Target excessively vulnerable people because of ethics and other types of concerns and frankly you know I have this attitude like you know like if I get a zero day when I Wasing
doing penetration tests if I find a zero day I can use to exploit the company what does that prove too many you know pent testers start looking at it like a game of gotas and they want to be a bunch of Nelsons like going haha and like try to get people just because you can't stop it there's no purpose like the job of a penetration tester you're a security professional first you're not a hacker first your job is to protect the company and leave it more secure than you you know found it and even if your job is a penetration test or red teamer and you call yourself a hacker if you think your job first and fundamentally
is to get in you don't deserve to be in that position go out and commit a crime instead you know like seriously otherwise you're worthless so anyway the reality criminals will Target the most vulnerable like I mentioned before and these people do cause more damage these 4% of people will create more harm will let the criminals in more frequently and so so on and the companies already many companies like I mentioned the financial company already have penalties for repeat offenders and frankly I believe a head in the sand attitude won't work like if you say oh well you know we really like Margaret cuz Margaret's this you know the admin for like the CEO and
Margaret knows everybody and we like her even if she keeps falling for these fishing messages I was like Margaret has the most sensitive data and she's making your company incredibly vulnerable this is my risk recommendation for you no matter whether or not you really like Margaret you better take a serious look at the access she has because she's going to give it away to your worst enemy now going back to like how to identify some of these people how do you start identifying vulnerable people you know like there's a lot of different Frameworks out there the one that's got the most attention recently was like the big five personal what's it called personality traits you know that predict
user susceptibility and Big Five personality traits they include openness like how open are you to new experiences conscientiousness how like diligent are you and things like that extroversion are you an extrovert or introvert um agreeableness are you are you easy to work with and so on then there's neuroticism neuroticism are all the negative traits for people such as do they have depressive Tendencies are they argument ative a whole bunch of other things like that those are all things that this Big Five personality traits are supposed to measure and generally you get like you know you're based on you know are you open or like it's pretty much a one or a zero on those five traits like are you more open than
not open are you more conscientious or not and there's gener broad recommendations being made or broad well not a recommendation broad assumptions being made that clearly somebody who's more more conscientious is going to be much more you know a better employee for you and things like that some of it does make sense and they've done studies that have proven for lack of a better term the obvious now so they said hey a Big Five personality trait they said somebody who is has high neurot neuroticism is that neuroticism yeah I I sent that right if I say it wrong it could be really bad but somebody with really high neuroticism is going to go ahead and potentially be more
susceptible to fishing that's a broad Theory cuz nobody previously measured that and trusting people you know trusting people that's another theory people have are more susceptible to fishing neuroticism might be you know IND indicative generic discussions on the matter let's see no definite demonstrations of Truth yeah nobody has really done empirical studies to figure that out except after damage has already occurred so if it's not damage has already occurred they go back and figure it out the one thing about all this I don't know how many people know statistical principles and stuff but all of the day Studies have been correlations in other words one thing and the other thing coexist it's kind of like video game players are more violent
supposedly and therefore people are saying oh video games makes people violent or could it be that violent people play video games you don't know what the case cases are that's you know again fundamental statistical principle so you got to start looking at that these are correlations not causations you can say that people are more who are more neur suffer more depression this is a bad case because I'm going to argue for this in a second but people who suffer from depressive Tendencies are more susceptible to fishing are they more susceptible to fishing because they have depressive Tendencies or do they have depressive Tendencies because they're more susceptible to fishing at the end of the day frankly it doesn't
matter but we'll talk about that later so what happened was one of my friends did a study cuz I'm going for my doctorate degree it's been like 30 years but I'm still chugging away at it and my I I've I've been in and out of the program and the last time I went back in the program my faculty advisor said oh you should take a database management class I'm like oh I used to teach database management for this school she's like okay then why don't you take a data mining class I go let me ask you a question no matter what I do if I come up with a good example am I going to
take a class she's like yes I go okay I might as well stick with the data mining class I should have just shut up and taken the database management class but anyway for the data mining class what happened was I had to do a data mining study where you get lots of data and you go ahead and like sip through it to try to get information out it was essentially a machine learning class so my friend Matt who works at UCF at the time he did did a study that was funded by nist where he went out and actually and I'll talk through it he took 130 students gathered from the generic psych 101 class if you don't know this the
most studied group of people ever are students in Psychology 101 in any college and university but anyway he took a whole bunch of got one of these groups of students took got 130 of them for his purposes he administered a variety of psychological assessments including Big Five Lo locus of control after neuroticism etc etc there were you know in essence by the time we took all the studies out there there were 900 data points so anyway he had all this NIS funding and he went ahead and collected the data and he never did anything with it and luckily I had to do something with it so that's how this whole thing came about we also collected
the obvious demographic information so once we had that um okay so anyway then we sent them I should say then we sent them a series of fishing messages um paricle study down so a few notes about the big five because I'm going to go in that basically we use specifically the big five Neo Neo whatever I don't know what it means he did the stuff but anyway there are 60 Questions that essentially roll into what they call 30 dimensions and those 30 Dimensions roll into five personality traits so each of the personality traits roughly comes out to six questions wa is that the right number no 12 questions and then you can start working it down and do like you
know cut down the data so anyway we then sent or he then sent fishing messages he sent it after the data was collected they knew over the course of a semester they would get four fishing messages of what I reviewed and I would classify it as medium sophistication basic sophistication is here's your UPS tracking number you know you are you know here's your package please contact us cuz there's a problem delivering then what I call that's a low sophistication medium sophistication means you're being targeted as a group so for example if I send you know people to the bsides charm mailing list I would Target people with generic cyber security related questions like click on my future conference
things like that in this case we said okay your class you know class registration is coming up things like that if you're going to graduate or whatever or you're going to you to advance to the next grade you have to go ahead fill out paperwork or something but basically medium sophistication High sophistication would be pretty much spear fishing where you know for example a person is involved in a very specific thing and you send a very specific message but in this case these were medium um medium sophistication messages and tailored to the students environment now in the initial analysis and how we had to start breaking it up for a variety of different reasons if
somebody clicked on zero of the four fishing messages they were considered low susceptibility they clicked on one message out of four was considered medium susceptibility and two three or four messages it was considered high susceptibility so the initial findings were females were more susceptible to fishing than males were with a statistical significance of actually it was pretty high in this case now I should say that also had U male female and non um gender specific in there and non-gender specific also came up as barely significant but anyway females more susceptible to fishing I want to say before I go on this number conflicts with some other studies on the fact but you know in this case the number was
pretty high then one of the studies we gave was Locust of control I'm going to dive into that in a little bit but people with low Locust of control were very very highly susceptible to fishing messages and neuroticism was close to being statistically significant but it wasn't statistically significant and statistically significant in the world of Statistics is 05 or less in other words it have to be less than a one in 20 chance for that number to be considered somewhat worthy of study attribution whatever but we didn't get to that so when I look at this and I don't have a laser pointer and hopefully you can see but this was the Locust of control and this is on a scatter plot
thing and um I don't think my mic will go that far but you can see the people who clicked on zero messages have a Locus locus of control roughly 55 or above but then when you start looking further out on the chart for one message two messages and three messages anybody who was basically below the 55 level clicked on multiple fishing messages or I shouldn't say you know nobody with high locus of controller Locust of control above 55 did click on a fishing message which was interesting in this case but anyway as you go through it it makes sense I'm not saying it the right way I've got to go back and tune that like I said first time I gave
the presentation but essentially anybody with really low Locust of control 100% likelihood that they were going to click on not just one but multiple messages so anyway that was interesting I'll talk about why that's significant then what happened was um given that this was a class and I'm studying for my doctorate my faculty advisor said well let's try to delve in a little bit more actually this was a little bit before that when we looked at neuroticism like I mentioned it was 0.056 but also like I mentioned previously neuroticism and all the other categories were composed of six subcategories as I would like to call them so what we did was we reran the Anova analysis of variant on all of
the 30 subcategories and what happened was we started finding in this case some really really interesting findings where obviously you can read it there but people who were Cooperative were tended to be more likely to click on a fishing message people with depressive Tendencies more likely to click on fishing messages people who were self-conscious were and self or self-consciousness again more likely to click on fishing messages ironically self-discipline the reason self-discipline is there because that seems to be a good trait people who were self-disciplined with high self-discipline scores if they clicked on one message would never click on a second message so they felt like they were tricked they felt like this and they didn't want to fall prey again and
they were more careful after they received or fell for the first message then again for one versus many people who were self-conscious again there was a difference in that that those categories of 0.6 so self-consciousness resulted in again higher susceptibility for fishing as well and I should say that one of the people we showed the data to because we're like wow we have these really good studies he's like well you have 30 categories there and statistically 30 categories means one out of 20 is statistically going to randomly come up with a number that's below one you know one in five uh sorry one in 20 of being significant just randomly as an error so anyway we considered that but we had
four categories and then we proceeded to act on that hopefully am I making sense here because I'm trying to go through and you know discuss statistical principles and I don't know your backgrounds I don't know if I'm presenting it right but anyway if I'm not just stop me and say you're making no sense and I'll try to make better sense so anyway it's not you it's me so anyway but useful results but you know at the moment they're not predictive there was no way we could say well you know like I mentioned there were people who clicked on multiple messages and they had high Locust of control you know it wasn't an indication I can't just say if you have locus of
control and I have a measure I can tell you exactly where you'd fall if you had a very low measure me I could say you're going to be susceptible but I can't say if you have a otherwise a locus of control score that might be kind of medium whether or not you'd click on a fishing message you know so it did have some practical uses for purposes moving forward I'll talk about those but you know for a attack purposes and I'll mention why that's important in a little bit but you know again it's useful but it's not predictive and that's critical then my faculty adviser made me start looking at machine learning algorithms and let me talk about machine learning
because there's way too much hype about machine learning at the end of the day machine learning algorithms are just math AI are just is just math and as opposed to a mathematical formula or traditional statistics that gives you you know a flat number or something like that machine learning algorithms kind of give you a fuzzy is number it's almost like a Quantum Computing thing or something like that it's not necessarily an exact number it just uses and categorizes information better and we are using machine learning and AI on a regular basis if you go to Netflix all those predictions that say here's the movies you want to watch that's all machine learning algorithms just mathematical algorithms you know
there's vager to it it comes up with probabilistic answers and so on Machine Vision Machine Vision really like you know self-driving cars they're essentially just making probability calculations based upon the in front of them and if the formulas are wrong you're going to have some really bad problems but again this is why machine learning is an evolving field and you don't have to be worried about math you just have to be worried about how it's being used but in this case at a high level we attempted supervisor learning techniques because obviously we already knew by this point who was more susceptible to fishing and so supervised learning basically means I know what category these people fit in now let me
see if I can manipulate the data into how I can manipulate the data to make predictions on what makes people fit into those categories generally I couldn't do that you know use different methods of basian decision tree and a whole bunch of other things and some generic unsupervised techniques unsupervised techniques basically say I can cluster people and I'm using that you know at a high level I can start making guesses based upon where people fall out but you know I'm not guessing and then I have to apply the math to figure out the categories I know to figure out if they're useful so anyway notes on machine learning again an algorithm is just a start if I tell you I'm which I am going
to tell, oh yes, go
ahead. The rules of machine learning versus the skills of machine learning? Oh, tools, rules versus the skills. So you, the tools ideally just implement the algorithms. It's like you take the data, I hope I'm going to, I hope I'm answering the question you have. You know, I used the tool called Weka, which is basically, I have put all my data into the Weka database and then it automatically has programs as to which algorithm I want to run against it. So we took that, knowing the rules and tools is like, I'll be honest with you, if you ask me, even though I patented, I did come up with a patent for this, even though I did
come up with a patent, I can't tell you what the difference is between Bayesian and decision tree at a high level. You know, I just know they're mathematical algorithms. Do I have to understand that? The answer is no. I just know I can try these algorithms, which have been tested, you know, very well tested, and come up with data that might be potentially useful. And then that's why I also have this slide, because having an algorithm is one thing, and I'll tell you why that's important in a second, it'll make more sense, but once you know you have, like, the algorithm, then you have to figure out where are you going to get the data, because if I don't have a good
source of data it doesn't matter how good the algorithm is, it's not going to be good data, so it's not going to, you know, garbage in, garbage out. Then, assuming I have a good set of data, then what I have to do is I have to choose the attributes. So for example I could have just gone, when I did machine learning, and said okay, I'm going to have openness, conscientiousness, extroversion, etc., and those are the categories I put in, and with those categories I put in I would have got no useful data. You have to experiment. Once you have an algorithm you have to constantly experiment with which attributes, which categories of data, are you going to try to put into
the formula, and then once you do that, then you have to figure out okay, how do you tweak the application of the algorithms. And, you know, again, what we did was we used K-means clustering, and with K-means clustering as an example you have to define the number of clusters you want. Like I could say I want a thousand clusters, I could say I want three clusters, I could say one cluster, and so on. So what happened was, you know, it's an unsupervised technique, which means you don't go in knowing the category of the data, and then it required choosing the right attribute of the 900 different attributes that we had available to us, you know, the number of
clusters, and then randomly, how I randomly chose the attributes: after pretty much about, probably close to a 100 different attempts, I finally chose the attributes that were the most obvious, the ones that gave significant statistics based on the previous analysis of variance that we did, and I randomly chose six clusters. I remember being on the phone doing this, and then the magic happened, as I say, because what happened was, and if you look at the chart, there are three colors on that far graph there, so the three colors are high, medium and low; high is gray, medium is orange, low is blue, and when I came up with the six clusters randomly they were homogeneous, they were
pure. In other words, every data point in each of the clusters was completely pure for people of that level of risk. And one of the things that comes out of this, and the reason why machine learning is different than generic statistics and how K-means clustering came out: there were, like I mentioned, five different categories we put in, locus of control, we put in self-discipline, self-consciousness, self-, um, all the other ones that I mentioned before, and what happened was, putting those in with six clusters, it's not one thing makes the difference, it's not just locus of control which made the difference. Think of it like a sound balancing board, if you've ever seen, like, DJs where they
have those little sliders that, you know, they raise the bass, you know, lower the alto, whatever the cases are, that's essentially what the machine learning clusters did. Because, I can give you the data later, but for example we have people who have high levels of depression who fit within a category like that's high, that's basically high risk, but then we also have people who fit within low risk who happen to have high levels of depressive tendencies, and the reason is that they have other attributes like self-discipline that help balance that out. So it's not just I have this trait, therefore I'm highly susceptible; it's I have a combination of traits that makes me
susceptible, not susceptible or medium susceptible to phishing or other types of social engineering attacks. It's not a very one-to-one thing, which is what machine learning allows you to do, and it's what allows the cluster analysis to do, as opposed to standard statistical algorithms, which will say well, if you have that you're kind of like 94% likely to be susceptible to phishing. This was able to cluster people with 100% accuracy, so that again, people are calling [ __ ] on me on a lot of this, but literally it's, even if you put the numbers out, the probability of this is 3 to the 113th power of it not being somewhat accurate, so that's pretty high, even if you want to call [ __ ] to
some of this. So anyway, implications: phishing susceptibility is not dependent on a single trait but a balance of multiple traits, so you can potentially predict with high C, depending on how much you want to use this type of data, you could potentially choose who, or determine proactively who's going to present more risk to your organization. Like I mentioned, individual traits are not predictive. Um, gender was significant in the study but other studies find differently, so take that with a grain of salt in this case, but still something to consider moving forward. As far as the notable findings, I did patent these algorithms and stuff like that, and the combination, something that was interesting, that was different,
was we analyzed what I call the little 30 as opposed to just the big five, breaking the big five down into the, um, composing components, and then, um, another thing we did was we combined locus of control with data out of the big five assessment, which, you know, people don't typically combine psychological assessments to come up with an individual measure, and this is something that other people should start considering in the future as well if they're going to start to look at this type of stuff. And here's something that's interesting, simulated phishing, because there's a lot of arguments about this, but simulated phishing can decrease phishing susceptibility in your organization. Again, those people who
clicked on a message who are self-disciplined are significantly less likely to click on another message. There's a principle in safety science. If you look at, you know, human nature across different disciplines, like in cyber security we think we're this special snowflake and we have these problems nobody else deals with, like we're the only profession that ever deals with human error or things like that. You know, there are other people, I know it's hard for some of you to, like, realize, but, you know, PE sciences like safety science, even things like accounting and other disciplines, have to deal with human error on a regular basis, and in safety science there's this principle of complacency, where if they create some,
safety scientists refuse to create a perfectly safe environment even if they think they could do so, and the reason is they want to allow minor injuries or minor harm to be created, because if there's no harm being created you just become too complacent and you become careless. I don't know about you, but when I, so I can't mention former employers, for a variety of reasons, but I've worked in companies where I received no phishing messages except for the phishing simulation, and there are people who basically had, when they were hit by a phishing message, they're like, you know, I thought you guys were supposed to prevent this, and it was the only phishing message they received
in 7 years of employment. And so the thing is, when you prevent too many things people become complacent, but if you put in simulated phishing messages, again, people become less complacent. Did you have a question?
Personally I recommend you do it on a decreasing frequency, because if you do it too frequently it's like an insult to their intelligence, you know, and you don't want to insult somebody's intelligence. If you do it like once a quarter, maybe once every six months. When I run phishing simulations I like to statistically sample, unless somebody previously fell for a phishing message. So for example we'll break the company up into, like, six cohorts and phish, like, once a month in each of the six cohorts, unless somebody clicks on a message and so on, and then they obviously get it every month instead of every six months or so on. So there's different ways to do
it, but, you know, to your point, if they click once, you probably want to refresh it a little bit later. Um, but, you know, you just have to see, the new phishing simulation tools that are out are using machine learning and you could start doing that, like tools like, what are they, Hoxhunt as an example, um, CybeReady and a couple others, have the capability to do what you're saying. Um, let's see, so indications of susceptibility, like I mentioned, and this is going back to how to make it useful, because short of actually giving people psychological assessments and running them through the clusters, you know, for your purposes, you, you know,
you have to start to figure out how to take action on this. And despite the fact I'm saying, you know, maybe they're just correlations, you start to take the lessons learned and start to break it out. People with low locus of control, you can start noticing if they're susceptible. Now this is where monitoring social media becomes sensitive to people, but how do you know somebody has low locus of control, you know, just by looking at them? If somebody frankly goes ahead and says, you know, what are you going to do, it's just life, if they have comments like that, it's like, yeah, you know, I'm always going to be on the losing side of the issue, you
know, no matter what, the system's rigged against you, comments like that are indicative of people who have low locus of control. They don't believe they have control of the environment around them, they think that whatever they do, life will happen the way it's going to happen no matter, you know, despite that. So anyway, that's one thing. If they start posting conspiracies and how events are out of people's control, again that indicates low locus of control. Then there's the depressive tendencies, these are more, you know, like, this is the neuroticism, again not totally predictive, and somebody's going to say, I post a lot of selfies. My wife said that she was right; when I
started telling her she wanted to kill me, but I go no, you're highly susceptible to phishing. Anyway, but the reality of the situation is people who post, there's a lot of people, I'm not saying it's the only one, but when you start looking at the studies that are out there and looking at cyberpsychology, people who post a lot of selfies are, do frequently doing it, not always doing it, and this is why it's not necessarily predictive, it might be indicative but not predictive, because people who post lots of pictures of themselves tend to have lower self-esteem. They tend to want to go ahead and convince other people that their life is wonderful, and maybe
they'll convince themselves their life is wonderful. You have to look in the research to find this, but you will find this type of research, because, you know, people who work out a lot, people who, like, you know, are, you know, OCD is when they come to their workouts, where they're posting a picture every day of themselves doing the same pose, you know, to put out on social media how wonderful condition they're in, you find a lot of these people tend to have depression and they're just, again, doing this for the approval that they don't get in other aspects of their lives. Um, a lot of these people also sometimes state, you know, being open about your problems is
in vogue, you know, I don't want to, sorry, I don't want to make it sound like a negative, but, you know, people who have problems, who have depression, who have other issues, are posting this proactively on social media, so that's a potential way of targeting people and so on. Then there's other people who have statements of isolation, where, you know, nobody's my friend, nobody has this, nobody has that. Now, if somebody is in the cyber security profession, because there are a lot of people in cyber security who do have some of these traits, they are more well aware of what they're going through, they are more well aware of phishing and are less likely to be susceptible. Again, indicative, you know,
indicative signs, not predictive signs, but again you can start to use this when you're starting to target people. So if I'm going to go ahead and do a red team, I'm going to go ahead and go to LinkedIn, like, you know, for example, what's the joke, um, LinkedIn is the People's Liberation Army's bestest friend, you know. So you go ahead, and they go ahead and they come up with a target list of everybody that's out there, then you could start going to places like Facebook, Twitter, Instagram and start to see the type of posts that they have. You know, some of them, like for example, Twitter is a lot more useful in these cases, Instagram, you know, not necessarily
as much, but, you know, if you look at people's Twitter accounts you could start to see who has traits that are indicative of susceptibility, like I started to mention. And then, um, once you have this and you know who is more likely, not guaranteed, like I'm going to weed out the people who don't have a large social media presence as an example, but then when I see people again who are starting to post lots of selfies, you know, who, there's a lot of people, for example, they looked at, who post lots of selfies but don't smile in their selfies, that's a major problem, that's something to look for as well. And if I'm going to
be a red teamer, or I'm going to be in my old adversary days, I'm going to start looking to those people and focus phishing messages to those people out of all the other potential targets that I have. Now, like I mentioned before, you know, cater to their ego, for example. If you have somebody who has depressive tendencies, you can go ahead and reach out to them, say, I see for example you're in my profession, can you please review my resume, you know, I look at you, you're posting really good information, you post up, you know. If they have depression, you bump up their ego a little bit, it makes them much more likely to click on your
supposed resume, which can have whatever malware you want to put in it, and start to go after them. And I'm not saying I've ever done this, but, um, it can be done. Um, then there's defensive applications: proactively identify your vulnerable users. Now this is a little bit sensitive to what companies are willing to do. If I see somebody that is a potential threat, I am going to go ahead, if I have the ability to do it, to start to minimize possible accesses, make sure that, you know, there's the concept of least privilege and then there's the enforcement of the concept of least privilege. A lot of organizations say they have least privilege but they don't, so I'm going to start to look into it,
and then I'm also going to start to look into what additional protections can I put on those people, and start to go ahead and look at better anti-malware, look at potentially more tuned data leak prevention software on people like that, and so on. Maybe go ahead and make sure they go to a higher filtering on web content filtering than might otherwise be done, maybe, like, you know, going to machine, uh, what is it, generative AI systems and so on, going like ChatGPT and others, you can put better filters on that as well. Then you can also do more positive things, like increase the frequency of awareness for those people, and potentially you can go ahead and
tailor the awareness to their psychological needs, because I'm telling you how to do this from this perspective, there's also ways of using this information to make the information more relatable to people, and that's a lot more expensive. But if you're going to go ahead and realize these are the 4% of people in your organization who are your biggest threats, it's a lot better to go ahead and maybe say hey, if these are the four people who keep clicking on those phishing messages and keep saying hey, um, you know, reply back to my phishing message asking me to send it again, I might go ahead and sit down with them personally and start to address the
information with them personally and so on. And then on the downside, do I really want that woman in charge of HR who doesn't like phishing messages because they make her look stupid? I'm like, it's better a simulation than the real thing. You know, you've got to consider, if you're giving somebody a position with a lot of sensitive information and you know they're potentially susceptible, does that make you negligent if they do things like that? Anyway, it is worth exploring a little bit more. Admittedly this was one study, but the reliability of the study was one over, like, probability of like 1 in 3 to the 113th power, which, give or take, is 0.00000000, like 13 zeros out there, so it
is worth looking into a little bit more readily. Um, some of these results admittedly are intuitively obvious, like I said, people were already, you know, making assumptions about neuroticism in the past; this is putting a little bit more definition to it, and again, people have to be willing to make use of the information. Um, buy my books, my books are awesome. [Music] Um, uh, go to my company website, and thanks. If you have questions I'll take them. [Applause]
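The clustering procedure the talk walks through (pick the attributes, pick a cluster count, then check whether the clusters come out homogeneous against the susceptibility levels you already know, and compare that with a single-trait rule), as an added Python example; it is not the speaker's code, tool or study data, and the four-trait layout, the trait scores and the risk labels are constructed for illustration.

```python
"""Added example (not the speaker's code, tool or data): seed K-means deterministically,
cluster constructed psychometric profiles and score cluster purity against known levels."""
from collections import Counter
from math import dist

# Constructed profiles, not study data. Each tuple is (internal locus of
# control, self-discipline, depressive tendency, conscientiousness), scaled
# 0..1, paired with the level a prior phishing simulation established.
PROFILES = [
    ((0.20, 0.20, 0.80, 0.20), "high"),
    ((0.25, 0.15, 0.85, 0.20), "high"),
    ((0.15, 0.25, 0.75, 0.25), "high"),
    ((0.30, 0.20, 0.90, 0.20), "high"),
    ((0.50, 0.50, 0.50, 0.50), "medium"),
    ((0.45, 0.55, 0.45, 0.55), "medium"),
    ((0.60, 0.50, 0.40, 0.50), "medium"),
    ((0.40, 0.50, 0.60, 0.55), "medium"),
    ((0.80, 0.80, 0.20, 0.80), "low"),
    ((0.75, 0.85, 0.15, 0.85), "low"),
    ((0.90, 0.80, 0.10, 0.80), "low"),
    # high depressive tendency offset by discipline and locus: still low risk (the "sound board" point)
    ((0.85, 0.90, 0.70, 0.85), "low"),
]
POINTS = [p for p, _ in PROFILES]
LABELS = [level for _, level in PROFILES]

def farthest_first(points, k):
    """Deterministic seeding: the first point, then repeatedly the point
    farthest from every centroid chosen so far (no random restarts)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    return centroids

def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm; returns the cluster index assigned to each point."""
    centroids = farthest_first(points, k)
    assignment = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda i: dist(p, centroids[i])) for p in points]
        if new == assignment:
            break  # no point changed cluster: converged
        assignment = new
        for i in range(k):
            members = [p for p, a in zip(points, assignment) if a == i]
            if members:  # recentre on the mean of the members
                centroids[i] = tuple(sum(d) / len(members) for d in zip(*members))
    return assignment

def purity(assignment, labels):
    """Fraction of people whose cluster's majority label is their own; 1.0 means every cluster is homogeneous."""
    counts = {}
    for a, level in zip(assignment, labels):
        counts.setdefault(a, Counter())[level] += 1
    return sum(c.most_common(1)[0][1] for c in counts.values()) / len(labels)

def cluster_purity(k):
    return purity(kmeans(POINTS, k), LABELS)

def single_trait_rule(profile):
    """Naive threshold on depressive tendency alone, for contrast."""
    return "high" if profile[2] >= 0.65 else "low" if profile[2] <= 0.35 else "medium"

def rule_accuracy():
    return sum(single_trait_rule(p) == lvl for p, lvl in PROFILES) / len(PROFILES)

if __name__ == "__main__":
    print("k=3 cluster purity:", cluster_purity(3))        # 1.0
    print("single-trait rule accuracy:", rule_accuracy())  # 11/12
```

The balanced profile is the one the single-trait rule gets wrong while the clusters still place it with the other low-risk people; the real study used six clusters over hundreds of attributes, which this toy does not reproduce.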
That mostly is an IT system. So for example, for some companies, like I also get called in to investigate and prevent against these attacks, and companies like that, one of the biggest problems are that there are now companies like, if you send them an invoice they have to put it through the official system, if you send a resume they have to put the resume through the official system, you can't just get an email directly, it has to go and be submitted officially, which hopefully filters that out. On the other hand, like I mentioned, if a user can click on, you know, an email and ruin your network, your network sucks, and that then goes into how much of a containment do
you put around not just a vulnerable user but any user. Do you have good anti-malware? Do you have the ability, no user should have permission to download files and install executables on their system. If you take that away you start taking, you know, other things away too, so it should be part of a layered approach. I'm just focusing on this little snapshot of what makes a user more susceptible.
Here, that one I don't know, that's a different study, but frankly, um, when it becomes obvious they may not be a rock star anymore, but yeah. Uh, which, the st-, which study? Oh, this one. This one hasn't been formally published yet, it's in the process of being published, so I could send you the date if you want and the initial writeups. Okay, just send it to me when you have it. Yeah.
Right.
Yeah, in this case the messages were very generic, there wasn't anything, I mean, frankly, I looked at, intuitively, all of the messages, and it was like, it's time to register for your classes, it's time, you know, fill this out for this event, or something. Those things, because frankly, you know, when you're mentioning women, men are as susceptible in many other cases as well, but when you're looking at women who are active on Instagram, where they're highly communicative, which again was another ind-, you know, one of the other categories, there's so many factors at play where they're on there, and I'm not going to say those people on Instagram are highly self-absorbed. I frankly approve, I
appreciate those women because somehow they've managed to create a living doing absolutely nothing different than if they had a real job, and so I appreciate that. But those personality traits that allow them, you know, to be open and to put out that information that I would, I would kill a daughter for putting that up on the internet, I don't have a daughter, that's a bad example, but I would be like, are you kidding me that you'd put that type of stuff up? That's more indicative of their personality that allows them to be so visible. And then there's, like, a guy, like there was this guy, he hacked, um, this is a true story, this guy was, like, out, his
Twitter handle was NFT God and he was out there promoting NFTs, and his account was, he fell for a phishing message and he still kept doing it despite losing supposedly millions of dollars he did not get back. So those are people who just have this really bad personality that makes them susceptible. But I don't think the data we had, that's a good question, but the data we had was again generic to just students, it was, they actually used real messages but they took out, they made them into phishing, uh, okay, I'm at time. Sorry to the next speaker. Thank you, thank, oh sorry.