
welcome back everyone I hope you enjoyed your break well it's four o'clock Central Time and that means Dustin saxs is up he's going to be speaking about securing your supply chain Dustin it's yours great thank you so much let me share my screen thank you all for uh sticking in there um I know it's been a long day but yeah today we're going to talk about the concept of how to secure your supply chain and some of the threats that exist to supply chains to cyber Supply chains uh and some of the tips that we can use to enhance to remove the rust from our supply chains uh I encourage everyone throughout if you have questions please drop them into
the Q&A try to answer as many of them as I can and if not I will uh certainly be on Discord afterward and I will uh answer as many of the questions as I can there as well so we'll jump right in so today we're going to talk about the current state of supply chain attacks we've heard a lot about them so uh we'll talk a little bit set the stage a little bit we'll talk about some of the current processes that can and are typically used in TPRM and in supply chain uh risk management we'll talk about an an area of um discussion that doesn't get a lot of dis uh talk but that's really very
interesting and emerging area um it happens to be the focus of my doctoral research which is the role that cognitive bias plays in the third-party risk management decision-making process and then finally as I said we'll we want to leave you want to give you something to walk away with so we'll talk about how to enhance supply chain cyber security so before we could talk about where we should be going or where we can go we've got to talk about where we're at so obviously if you've open seen the news over the last you know few years you've certainly uh seen supply chain attacks they are happening regularly many of the supply chain attacks listed on here I
know are going to probably give some people some PTSD because they wrecked wreak havoc on holidays over the last couple years uh we're hoping knock on wood that uh the trend the recent Trend breaks this year um but you'll see that supply chain attacks are also not a very new thing we've had that they've been around um in the cyber world at least um since you know largely since about 2009 um that's when we saw some of the first major supply chain attacks that affected cyber um some of them are are lesser known some of them are more well known I'm not going to spend a whole lot of time going into the details of each of these
per se but uh suffice it to say it's becoming as you'll notice the uh the consistency with which they're have happening and even the frequency with which they're happening is increasing um every day so what's really interesting is it takes about 26 days to detect a supply chain attack uh from when it kind of first happens to when it's detected um the average cost of a data breach um as we've seen is typ is right around about 4.35 uh million dollars but the average cost of a supply chain compromise is 4.46 million so that's it supply chain not only is it happening more often is it becoming a more common attack attack type but it's
also increasingly more expensive than having an internal breach or a breach uh a traditional non-supply-chain related breach so there are various mechanisms that we see associated with supply chain attacks some of these overlap some of these are very similar um but it's really important that we understand them because they they they set a really interesting story and set an interesting stage for the discussions we're going to have um first is third-party software and this is where a um attacker takes advantage of vulnerability or implants malicious code in the third party software um the example a representative example of this and only because the one that I would have put here is used later on uh is is
Equifax and Equifax back in 2017 it was a compromise of 146.640 personal information of consumers was caused because of a vulnerability in a third-party piece of software MSPs or or or or service providers um managed service providers push out updates or malicious code to remotely monitored and managed computers again uh the one that I would have used as a representative example here hasn't hasn't been used because we're about to talk about it but this was uh the example given here is the attack on Kaseya in July of 2021 and a as you can see the impact was there were victims in at least 17 countries somewhere between 800 and 1,500 businesses so what you what
you'll see is that it's it becomes increasingly easier to impact more um businesses and more victim have have a higher victim count uh as supply chain attacks become more and more sophisticated and as supply chain attacks become more and more regular uh the one that we all probably use as kind of The Benchmark example uh is an IT vendor or other provider of software and contents and this is again very similar to the third party software installing or injecting malicious code uh into an IT vendor and then propagating that down to customers and this one is the SolarWinds breach the one that I would say probably encompasses a good portion of the uh previous two and in this case we
had you had 18,000 out of 300,000 customers impacted including uh at least nine US government agencies that we know of um again you know why if I can hit SolarWinds or if I can hit a victim once but then have it propagate down to thousands of customers um and and impact thousands more why you know why wouldn't you it's the One-Stop shop it's the reason that if you look back at traditional uh data breaches some of the traditional data breaches typically attacked Health Care Financial uh and educational institutions because you have the ability to get a lot more data you know those those locations have or types of businesses have every piece of information you
could possibly want uh Partners in the physical supply chain this is something that we've seen a couple times uh We've even seen it recently um is implanting is we implanting a malicious chip or a module on the physical uh insides of a product um can then facilitate a supply chain attack and we saw this a couple years ago with Chinese the Chinese and motherboards um being put on to to systems that had chips that allowed uh the Chinese actors within the Chinese uh infrastructure to remotely access computers that they otherwise wouldn't have had access to it's the re it's it's a lot of the same um stuff behind the recent uh Huawei attacks and the things
that have caused now Huawei to be kind of almost effectively banned in the US um we've also seen we've also seen this you know the attack of the mother on motherboards affected at least 30 companies including Amazon Apple an unknown big Bank multiple government agencies and even contractors the other element of supply chain attacks that while on the face on face value might not seem like cyber attacks but are nonetheless absolutely vital are the non-IT contracting vendors it's where you use a vendor as a springboard to gain access to privileged resources of a Target organization and in this case the the the real good example is Target Target was breached because of the lack of security of cyber
security in place for the HVAC the air condition conditioning vendor for Target and we all kind of know what that breach did um and we started to see some of these happening more and more um you know it could be a third-party vendor who has nothing to do with IT but that has access to your environment and gets an MFA fatigue attack you know a barrage of MFA attacks and then gets a message from WhatsApp on WhatsApp that says you know hey I'm from IT please um please approve this so that I can help fix your computer and it doesn't even have to be an IT vendor of yours that's doing the work or an IT contractor
that's doing work for you but if they've got a anyone who's got access to your environment is a potential entry point for a supply chain attack um which is why third-party risk management is so important in today's world and especially in the kind of post March 2020 COVID remote work from home uh remote work world where we are relying a lot more on supply chain vendors where we're relying a lot more on cloud vendors where we're relying on uh putting data in places that we may not have full control over um all of the pieces of the compute environment in the way that we used to in a traditional everything is stored on a Mainframe or
server uh within the organization another area that has laid out some really good explanations about various supply chain attacks is um in the uh in in the communications uh information Communications um technology area and this is a a a um graphic from uh CISA that actually they put out as part of a report um into some of the communications IT supply chain risks and they lay out a lot of the same um types of um attacks the other one that's really uh that the one that I'll jump to because I'm not going to spend a whole bunch of time on this specific one is sensitive data spillage um it's really important to remember that as part of
your supply chain uh if you're disposing of computers and you have a a vendor or you're donating them or you're working with somebody Downstream uh that's another potential area for a supply chain uh for a data data breach to occur is you you failed you know you failed to properly clean your computers or you gave it to a vendor to do disposal and they didn't properly wipe the devices so that's a that's a really important one so when we talk about you know most organizations I know a lot of organizations ha have for many years kind of struggled with the TPRM process they you know usually there's not enough resources uh Personnel Resources it may
be one person doing that in addition to five other jobs or it's one person who's dedicated to TPRM but you've got an inordinate number of vendors in play um and it can be a very big process that can often times be viewed as a bottleneck if it's not organized and and and built correctly so one of the best ways to kind of shake the rust off of your TPRM process is to look at what process processes are out there what existing things are out there so you don't have to reinvent the wheel um I had a discussion actually just maybe an hour ago with uh my CISO about the fact that the questionnaires that we're using
for example may need to be optimized because they are they are not the most effective uh tool that we could be using or they're not in the most effective format so there are some really good standards documents um I'm going to talk about both NIST and I'll talk a little bit about ISO and some other ones I focus on NIST not because I have any Affinity uh for or or affiliation with the federal government in the US or that I have any sort of um preference for the federal government but I use it because even if you're not the in the federal government many of the guidelines that are in some of these documents are really
really good for anybody who is looking for at least a starting point or doesn't have practices in place and wants to do it quickly the first is NIST special publication 800-61 this is a document that is specifically focused on how to best do supply chain risk management um again geared towards federal information systems but but very much applicable to The Wider organization um or The Wider industry beyond the government of course everybody I think tries to leverage in some form or fashion the NIST cyber security framework or that's how you're reporting things to the board um or or to outside Auditors and while the NIST cyber security framework is just that it's a framework it is built on on the
on the controls that exist within NIST special publication 800-53 uh we're currently on re uh revision version five um unless you have nothing better to do or you're really desperate for uh sleep I would not advise trying to read the entire NIST 800-53 document um it is a behemoth and you will fall asleep more than one time but what is really important about it from a supply chain standpoint is that it has become now it is now really at one of the big additions was more focus on supply chain more focus on controls and guidance around supply chain so if you're measuring yourself against the NIST cyber security framework or against NIST special publication 800-53 you will need to be dealing with
supply chain in some form or fashion the other one that's really a really interesting one is um is NIST IR 7622 which is titled notional supply chain risk management practices what this really is is this is a really good way for anybody who is trying or who who wants to take a more qual quantitative approach excuse me to supply chain risk management similar to some of the quantitative methods that are being used for internal risk management this document lays out a really nice framework and a really nice set of practices for anybody who is looking to try to implement that and doesn't know where to start all of these documents what's nice about all of these documents is if
you're not in the in the federal government or there's not a mandate somewhere that you abide by NIST you can tailor these documents very much and use them as a as a guidepost to developing your own program and I will say my my own organization I'm I'm looking at in my role as you know the head of GRC I'm looking at ways to um increase our usage and Reliance and and and uh leverage the pieces within NIST 161 and NIST IR 7622 to enhance our cyber security um of for our supply chain for those of you who are fans of ISO um you know obviously there's ISO 27001 and then there's and the companion very similar to kind of the NIST cyber
security framework where this the the framework is separate of the controls NIST 27001 or I'm sorry ISO 27001 is the n is the equivalent of the NIST cyber security framework it's you should set up a management system this is what it should look you know what the guiding principles um NIST 27 or ISO 27002 is the equivalent of NIST 800-53 it's all the list of uh of Co of um controls and suggestions and things that you need to do if you're looking to try to get certified under ISO 27001 and then the other one that I that I point out is uh ISO 27036 information security for supplier uh relationships this is another really great document for anybody who has a
global reach um beyond the US and wants to um wants to um leverage the ISO framework in order to uh do their standards you know in an Ideal World in a perfect situation you can pick and choose and leverage the best from NIST and the best from ISO and create the best program for yourself and for your organization what's really interesting is and this is a bit dated but is still very much I think largely still very true is the types of practices that most organizations are using when it comes to supply chain risk management most of that you know most organizations are doing at least some sort of review on the Personnel that will be um or or
leveraging the the the vendor that they're working with to do Personnel Security reviews um or or are looking at way at enhancing their own perimeter um or are trying to create a more standardized process but they're doing everything but kind of tracking very well tracking supply chain risk it's kind of one of those things that you could put it together and you can give some metrics you may be able to talk about which vendor the highest risk or the lowest risk but you're not we're not tracking supply chain risk in the same manner that we are are for internal risks where we've got a formal risk register now certain organizations will do that a lot of organizations are
trying to start to do that but it's still an area that is really lacking so we've talked about kind of talked about the state of cyber uh of supply chain attacks we've talked about current risk management processes what's a really really interesting element of and adds quite a bit of of of what we'll call rust for the purposes of this discussion a lot of problem to the third-party risk management process is some of the subjectivity that it's given and I know that over the last couple years there's been a lot of work on the internal risk management side to take things from a qualitative subjective um system to a more objective uh cyber risk quantification methodology
the problem with Cy with cyber risk quantification in a third-party risk management world is good luck getting the cost of a data breach um from some of your vendors or you know having them truly peel back the onion for you on the met the numbers that you would need to be able to do a good cyber risk quantification the other problem is for many organizations that you have you may have hundreds if not thousands of vendors that you're dealing with and to come up with a the impact that a vendor might have on the organization is a very tricky thing so but one of the real kind of interesting areas is actually in the
decision-making process itself and some of the challenges that we face with how we are evaluating our vendors if you think about most of the vendors that for anybody who does third-party risk assessments or does third-party risk management on a daily basis some of the rationale that is used for selecting a specific Vendor by key decision makers and even by cyber security decision makers what you find is that it's oftentimes not a risk a truly risk-based approach but it's got elements of bi of cognitive bias so to talk through that I think it's important to lay out what do we mean when we're talking about bias because bias is a very very much I recognize a Charged
word bias is by definition is just the disproportionate weight in favor of or against an idea or thing you can actually be positive have a a positive bias towards something um you know the example the example I will give is you might have a POS you we most people have a bias towards not getting injured they will do things to try to they will make decisions with a bias towards not getting hurt or not putting themselves in positions where they could be hurt that's a good bias to have um that certainly probably Mak makes um you know family members a lot happier but on the other end there is bias against something or and that can often
times be um be viewed negatively um but when we're we're talking about what we're talking about we're talking about cognitive biases so they're not necessar they are not necessarily good or bad regardless of which end of the Spectrum in favor of or against a thing they fall they are a systematic pattern of deviation from the norm or or the rationality in judgment anytime you're making a decision that is you know not the normal decision to make in that situation if you analyze the decision it it often times includes some element of cognitive bias now another concept conep that is really important with cognitive bias is heuristics and heuristics is a process of using mental shortcuts um when I talk
about this the the best example I can give you is heuristics is what helps you make decisions quickly and get to the a decision that is the best or you know good enough good enough to satisfy some criteria because to if we did if if we as humans did a full true risk analysis of decisions we make in a given day the only decision we would make is to not get out of bed because that is the safest decision for every other decision we would need to make in the day and but we see heuristics used often in situations of uncertainty and that's where when we talk about third party risk management and we talk about the
easiest way to apply rust or or or have an have a flawed uh third-party risk management program is when we introduce some of these mental shortcuts and let them Drive our decision making instead of understanding them and controlling them I'm not going to go through all of these I don't expect anyone to be able to see this really well I share it because I think what it demonstrates is first of all this is known as the cognitive bias codex and it is a listing of the 180 known cognitive biases out there this is put out by Wikimedia which is an offshoot of Wikipedia what's really nice about that is if you were to go in and
click on any one of these um biases listed it will actually take you to a whole Wikipedia page that will explain a lot and provide a lot of good reference reference material but it will show you the the the way that biases are often grouped there are over 180 cognitive biases out there and we're not going to go through all of them we're not even going to go through all of the ones on this page what we're really going to talk through what we're really going to go through is some of the key ones that we see often in third-party Risk Management that are really good to to be aware of because they can be kind of the
easiest place for a non-risk-based decision to be made and the first one I'll go to is anecdotal evidence how many times I don't know where everyone is but how many times have you gotten a recommendation for a movie or a restaurant that somebody else told you you've got to go to this restaurant or you've got to see this movie it was so great or this restaurant was so great the service was impeccable and then you go to that same movie or that same restaurant and have a horrible experience and you're like what the hell was that person thinking telling me that what you've been become the victim of unknowingly is you've unknowingly become the victim of anecdotal evidence you've
relied on the on on the information and the the experience of another person to make to to make your decision and when we do that in a cyber in in in a supply chain scenario we may pick a vendor that other people have told us is great and that and and we we do it because so and so recommended that I reach out to you and you end up becoming blinded to that and you're not looking at the things that could potentially be risks um the bandwagon effect everyone's using them um I hate to bring this one up but the bandwagon effect is largely why so many victims of SolarWinds occurred everyone was using them
they're the the one to use they're the they're they're they're you've got to use them or else um that's that's where bandwagon comes in um I'm gonna skip the Dunning-Kruger because that although I will call it out because I think anyone who's suffering from impostor syndrome would really benefit from learning a little bit more about the Dunning-Kruger effect um it's a really interesting one um but it's it could be its own presentation on its own uh separately I will mention False Consensus False Consensus is the bias or the idea that I'm making the decision that I'm making because I believe that's what the rest of the group would decide if they were faced with the decision or if I were to
go ask for other people this is what they would decide um it it can often be considered or or or or analogized to a people pleasing I want to please as many people as possible so I'm going to pick the decision I think they they would pick it may be true but it may it likely is not true or may not be completely true um first impression uh you know that one I think is a fairly obvious one but I'll call it out as well uh frequency you know the more often we see something the more likely we are to think that it occurs more often um ransomware is a great example we see a lot of talk about
ransomware ransomware is certainly a major EP you know epidemic within cyber security but there are plenty of other things that are as dangerous and as bad and happening as often that we just don't see so we believe that the frequency of ransomware is higher than it is a higher risk than it really is um motivated reasoning that's that's where um you allow your emotions to play into things um the one that I'm going to jump down to because I really want to talk about this one is sunk cost fallacy this is for those who are not familiar this is the bias or the belief or the fallacy or the the um pre the the predetermined nature to
say well we've already spent money on this and we've already spent time on this and we've already expended a bunch of effort on this so we're stuck with it because it would cost more to go deal with to do it the right way or you know what should what might be the less risky way because we've already spent so much money on this um it's one to be very careful of because very often yet the if you look at the true cost of things over time um the sunk cost fallacy goes away unfalsifiability I like to use this one because this is the the anytime you've heard somebody say well this is the decision I you know
this is the decision I've made unless you can prove me wrong and usually when they say that it's something that you have no there is no possible way for you to ever prove them wrong um you know how can you prove to me that you know that you don't beat your wife you know I can't ever prove that but so then I'm gonna say you know I'm G to say that you know I'm going to make a decision based on that or you know until you can prove me wrong I believe this and therefore I'm gonna stick to my guns um the I I like to use the I'm gonna jump back up to the Peltzman effect for
a minute because I like to talk about this one for both personal reasons and because I think it's a it's an interesting one in information security but the Peltzman effect is the idea that if the perception is that we that you are safe in a safe place or safer you're more likely to take risks you would not take the example I always like to use here is my wife is a registered nurse I am not a medical professional nor do I play one on TV however I always joke with people that I have a get out of jail free do stupid stuff uh excuse because I have a medical professional who can increase my safety
you might see that in the same in in an information security standpoint with well we've got MFA so we're safe so we're not a victim until you have an MFA fatigue attack so let's talk about some of the models of heuristics these are really important as well because it's important to understand because you will see a lot of these decision-making models in the decision making and the analysis that is often done of third parties the first is what's known as satisficing and that's kind of the the um the the the gold standard or at least the the basis behind heuristics it is the idea that that you are that that humans make decisions to satisfy a level of standard
that they've set up this exist this this was first developed back in the mid-1950s um and exists largely to help people make quick easy decisions elimination by aspect that's where you talk about a lot of the breaking you know make decisions based on I'm going to first I'm going to look at cost and I'm going to eliminate the item that is the highest cost and now I've got maybe three three solutions left and I make those three solution I look at those three Sol those three uh decisions that are left and I go now I'm going to get rid of it based on the number of people who work at the at at the vendor company and and what have you
and you continue to do that until you have a single vendor we see this often or a single decision and we see this often in the RFP process where we're eliminating not based on which is the riskiest but based on some other facet they screw you know which one gave us the best demo which one has the most new features coming in the next six months uh the recognition bias or recognition heuristic I like to use I like to to the example I like for this one is if you my grandfather used to as a reward for us when we would do something would would give us an option and he he'd show us a
$2 bill and he'd show us a $1 bill and he said you could have either one that you want most people most young kids don't realize don't recognize that a $2 bill is a real thing therefore they take the $1 bill because they recognized it more readily they they understood it more read readily and they actually in doing that gave up 100% of what they could have had the last thing is the take the best and this is where this is essentially um where you create a a decision tree but you create the decision Tree in almost a bracket tournament style kind of setup I'm going to take two decisions and I'm going to make the decision and I'm going to go
okay which of these you know I've got five decisions okay I'm going to narrow them down to three then I'm going to narrow them down to two then I'm going to narrow them down to one or it's I'm gonna take this one and I'm gonna compare it to an to to another thing and you go okay I like option A not option b think of the example I'd give here is if you've ever gone to the eye doctor where they go which one's better the left or the right one or two one or two and then they give you they take one of whichever one you've chosen and then another they go okay what about two or three it's the
same kind of concept of decision-making so how do we enhance our cyber SEC our cyber supply chain um how do we take all of this knowledge that we've learned all of these things that we've identified that cause rust how do we apply what what can we do to help mitigate uh the effect of them and I say mitigate because cognitive bias is like when you're a little kid trying to stay up till midnight on New Year's you say I'm going to stay up until midnight I'm going to stay up until midnight and at 9:30 you're passed out because you tried as hard as you could to do it and you're never going to be able to beat it it's
the same thing you may be able to mitigate the effect or recognize that you've introduced a bias but you're never going to be able to El fully eliminate a bias and there are certainly situations where completely eliminating bias is not a good thing so there are a couple of really good resources the first that's out there is uh the NIST IR 8276 why do I bring this up because for any organization that's looking or any group that is looking for an easy framework to put in play and to put in play quickly this has got a really good layout and structure for C-SCRM or cyber supply chain risk management you leverage what's out there um don't try to reinvent the wheel the
problem the the place where organizations that I've seen have struggled the most is they've struggled the most when they try to do it themselves from scratch you can make you can make a good cake doing it on your own from scratch you can make it even better cake if you use a recipe that was done by you know Julia Child you know or or you know Emeril Lagasse or somebody like that you wouldn't so why not leverage what's already out there there are a couple other really good tools I'm not going to spend a whole lot of time because I want to give time for questions um but uh some other really good tools happy to talk with
people about any of these tools the one big thing to keep in mind is as part of supply chain risk management is don't discount the importance of thinking about business continuity and Disaster Recovery because as many organizations now have outsourced a lot of their critical functions to third-party vendors they don't have a good contingency plan in place and the example I'll give on this one is the Kronos breach that happened at the end of last year Kronos for those of you who don't know is a major payroll provider and about two weeks prior to Christmas almost exactly two weeks prior to Christmas they had a massive ransomware attack um I know this because not only was my Company the
company I was at at the time affected but it was the day before payroll for my wife's hospital and they used Kronos so it turns out they had to come up with a contingency plan because they hadn't actually effectively planned for what happens if the payroll system goes down a day before um payroll is due and oh by the way it's also during the holidays season so it's not like we can go well we'll get it to you in a in in an EXT in a week you know people were really relying on that money and people rely on their paychecks being delivered when they're supposed to be delivered so don't discount business continuity there's a really good
document again this is focused on the communication sector but this is put out by uh CISA it's the vendor supply chain risk management template if you're looking for good questionnaire or good forms to to use with your vendors this is a really good starting point probably overkill for most organizations but again it's another good way to be like hey did we did we forget to include something we should have included what are the tips for debiasing for getting rid of for minimizing bias well the first is to be aware the fact that you're aware of it is it makes it makes it harder to ignore it it goes back to a concept that I that I've
talked about in other presentations of in in in physics the concept of the observer principle the idea that once you look at something you've changed it and you can't un you know you basically can't unsee it educate yourself attending sessions like this learning about biases figuring out which are the biases that you might be more susceptible to or may be the victim of um consider current factors that may be influencing your decision um I I didn't talk about it but there's a concept known as noise that that I that is a really interesting topic to look at uh Nobel Prize-winning economist by the name of Daniel Kahneman and a couple others um came up with or talked about noise
and noise is the idea that things that are outside of bias outside of heuristics may play an impact um how many people think to yourself but how many of you make a good a great decision at five o'clock on a Friday as opposed to at 2 o'clock on a Tuesday when you're making decisions about security or work-related topics reflect on the past look at what you've done in the past and where you might have made mistakes in the past be willing to look for disconfirming evidence be willing to to look for things that might explain that might go against what your beliefs are or what your conclusions are if nothing else it will help either strengthen your your
decision making and say hey I considered the alternative and the alternative doesn't work or you're gonna hear it and you're gonna you're gonna see it and you're gonna go oh crap I didn't even think about that and that goes with practicing intellectual humility you're human humans are human decision-making is flawed it is it just is it's it's impossible for humans to truly make the right decision the exact optimal top right position decision we make the best decisions we can so be willing to accept that your decision making may be flawed um I don't have time to talk about it but I would also encourage anybody who's interested in looking at things other ways to perhaps debias
your decision-making there's a whole area of research being done right now on automated decision support um I would I again this could be a whole presentation in and of itself um you know if if BSides uh asks me to come back next year I'd be happy to present on automated decision support because it's a huge area of um of advancement going on and there are a lot of really interesting uh techniques that can be used to leverage a lot of the existing artificial intelligence you're aware of machine learning and what have you to make better decisions because as all of us know the human brain computers actually have better computing power now than the human brain and have since uh
about 2010 so um don't be afraid to let the to let automated decision support be a part of your system now there are certainly questions about it and flaws and um concerns about it because automated decision support is being used in limited format on loans and credit based decisions but there are ways that automated decision support can also le- uh analyze big data better than humans can there are any questions I'll entertain them now uh I will also pop over to Discord and see if there are any questions over there I'll answer them over there um if there are please put your questions into the question and answer um I've included with in slides that
will be included afterward or get shared afterwards um some references uh the reason I use even though I'm I'm a doctoral student and an academic and don't like to uh reference Wikipedia in an academic setting I reference Wikipedia here because it's got it's a good jumping off point for these topics to other areas and other groups um and other things I've got the Codex there uh cognitive bias and how to overcome it and then here are here's my information please feel free to reach out I've given you know all of my email addresses my personal website my LinkedIn I'm I'm always excited to talk about this with people um I love talking about these topics and talking about cognitive bias
third party risk management GRC cyber security in general so thank you all for attending I know it's later in the day um and if you're outside of the central time zone it's it could be even later in the day uh appreciate everyone attending and uh I don't see any questions so uh I will hand it back over to our moderators thank you for an excellent talk Dustin um you're right there are no questions here but um we've had a lot of a lot of engagement over in Discord so I would expect to see people there instead yep I will definitely be over in Discord as soon as we're done here excellent thank you two screens opened at the same
time so yes all right well thanks very much um we're gonna take a break until five o'clock Central Time uh and do come back because our next two presentations will not be recorded so you're going to want to catch those live at 5 o'clock and 5:30 Central see you
soon