
Don’t Sleep on Human Cyber Performance: Solving Social Engineering Through Lessons from Sleep Tech

BSides Seattle · 32:00 · Published 2025-06

Speaker: Eliot Baker, Director of Content Marketing, Hoxhunt

Eliot Baker has worked at Hoxhunt for four years, where he is the Director of Content Marketing. His fascination with the intersection of innovation and human performance dates back to his days as a research assistant in sleep studies at Harvard Medical School and his time at Beddit Sleep Tracker. Eliot is an award-winning science journalist and science fiction author, originally from Seattle, who has lived in Helsinki, Finland long enough to find hot saunas and cold ice plunges relaxing.

Transcript (en)

Welcome everybody. You made it: last session of the day. We're talking about sleep and security awareness and cyber performance, so I'll try not to put you to sleep with this last one. My name is Eliot Baker. I work for a company called Hoxhunt. We are headquartered out of Helsinki in Finland. I'm actually originally from the Seattle area myself, but I've been living in Finland for 15 years. So, as you can probably imagine, I just got off the plane yesterday, so I'm feeling a little bit sleepy right now. Not sure if you guys knew this, but research out of Harvard from about 20 years ago showed that sleep deprivation can be equivalent to about four drinks of alcohol in terms of your performance. Did you also know that on international flights, gin and tonics are free? So let's hope this is not an additive thing, or else this is going to be a pretty wild performance here.

So we're going to go through this, and here we are talking about sleep and security awareness. What's the even possible tie with that? Is there anybody here who manages a security awareness program, a little bit? Okay. Is there anybody here who uses a sleep tracker, who sleep tracks with their watch? A couple of people here. Okay, cool. So that brings up part of my background too. Before I got into cyber security, I was in sleep tech with a company called Beddit, also out of Finland, and a lot of our technology is integrated into sleepwatch now because we got acquired by Apple in 2017. And in a previous lifetime, I was a sleep research assistant at Harvard Medical School. I thought at the time I would become a scientist, but decided not to. Did other stuff instead.

So we're going to go through the tie with this thing. It's kind of a funny topic, and cyber performance is not something you're going to really find. It's more something that's been in my own mind, that I've been thinking about for a long time, because of what I saw from the revolution in sleep technology and wearable technology there. Oh, that sounds a lot better. There are actually some ties to what I'm seeing right now in security awareness as it becomes more cool. We just had a conversation over here where people are actually talking about cyber security. I'm not sure if anybody watched the recent Netflix show Zero Day with Robert De Niro, or Mr. Robot. Slowly the whole idea of phishing and social engineering is making its way into the popular consciousness. And that happened years ago with sleep. Now I think we sort of take it for granted, as people like LeBron James and Kobe Bryant were talking about sleeping and sleep chambers to improve their performance. Arianna Huffington was writing books about sleep as being integral for worker productivity. Bill Gates at one point in 2019 highlighted Matthew Walker's book, Why We Sleep (it's an excellent book), as one of his top five books of the year, and said that he regrets the hustle culture he was in, always avoiding or neglecting his sleep to be more productive, when actually that was not a productive way to go about it. And with security awareness, I think there are some really interesting ties to that evolution of sleep that you can really see through the connective tissue of performance.

Slide. So that's a lot of words up there. But when we think about performance, I think probably a lot of us are thinking about it in terms of athletic performance. Some people might be thinking about it in terms of work productivity, and that's for sure true. But one of the really interesting definitions of performance I've come across is in high reliability organizations, such as those that do non-destructive testing in aviation, oil and gas pipelines, those types of things, because they are looking at performance in terms of the interaction between people and their environment. And when that environment is very high risk, the performance becomes very important. Are people making mistakes that can actually cause as much as loss of life, or just severe problems to your business? And in cyber security, particularly when we're looking at what is the biggest risk of something causing a cyber breach, it's phishing and social engineering. And all that is, is that someone clicked the wrong thing. It can be as simple as that. You do one wrong click and all of a sudden your operational technology is no longer operational for a while. All of a sudden you have ransomware. So when you look at people and how they are the largest attack surface, you want to make sure that they are performing at a very high level.

Okay, next one. So a little storytelling here now from my own background. I'm going to change this a little bit up here. Back when I used to work in the sleep lab, we used to do what's called a polysomnography setup, a PSG setup, and that was 22 wires glued all over your body attached to 12 different channels. We were measuring your heart rate, your blood pressure. Sleep occurs in the brain, so we were measuring your brain waves. We were measuring core temperature via a rectal temperature probe, the things we do for science. We were doing all of that. And in the study I was involved with, we kept people awake for 72 hours. Throughout those 72 hours, we would draw their blood. We'd monitor that for cortisol changes, for C-reactive protein changes. And what we discovered, this was amazing: 72 hours of not sleeping is bad. Mind-blowing. I mean, the top minds in the field found this out. And so this was part of a mountain of research that showed that if you have sleep deprivation, if you don't sleep well, it's bad. There's an increased likelihood of Alzheimer's and dementia. There's an increased likelihood of heart attack and stroke. There's poor performance. It's just bad, bad, bad, bad, bad, bad. And that was being broadcast by loads of evidence, loads of things. And guess what changed? Absolutely nothing. You can tell people that they have to eat their vegetables. You tell people that you should be healthy, but trying to scare people into changing their behavior just doesn't work. And that's actually grounded in behavioral science. It just doesn't happen. Or if you're trying to really freak people out with "if you fail a phishing simulation, then you're going to get fired," or "all these cyber security threats are out there and they're super scary, so you have to behave well because they're scary." A lot of security awareness training to this day still operates on that principle. And a lot of security awareness training just doesn't really move the needle. Those of you who are involved with it will probably see that even if you're doing pretty well, maybe you have 10% engagement, maybe 20 if you're doing really well, maybe you have some measurable behavior change happening, some measurable risk reduction, but it's still kind of hard to get out of certain plateaus and ruts.

So then, back to sleep. What happened was I got into the sleep tech world later on. One thing led to another. I went up to Finland and I met these wild-eyed founders, and they took this really cool technology and applied it to this really cool new thing called a smartphone. And what we found was that we could actually measure at home people's heart rate, respiration, whole body movement and their breathing, and even their snoring, through the phone. So what we were able to do was take the lab quality sleep measurements and do it from home, without a rectal temperature probe also. That was a dealbreaker for a lot of consumers, apparently. That changed everything. That became a real thing, like a lot of people raised their hands just now that you actually track your exercise and you track your sleep at home, because it is so easy and, you know, why not. It became something that people talk about too; we regularly discuss how your sleep is actually completely linked to your performance. And so that was the big change at that time: the messaging became more about sleep as a key pillar for performance, and there was technology available that could actually measure it and measure the right things. The right things being heart rate, breathing, snoring and whole body movement as reflections of the central nervous system on the autonomic nervous system, because if you want to go into the brain, you have to glue stuff on your head. And there was actually one really cool piece of tech that did that, but no one used it because you had something on your head. It wasn't very fun to sleep with that. And in the end you had all these influencers, all these celebrities, talking about sleep in a completely different way. And that created this upswell of people who suddenly wanted to get into sleep tracking. Okay. So next slide.

So the sleep-to-performance paradigm shift is what I was describing there, and you can see it all around you nowadays. Around this time when we were in the sleep tracking world, we suddenly found that we were working with HR programs or organizations who wanted to incorporate sleep into their wellness programs because it was good for productivity. It was good for performance. There was also athletic training. We used to work with different professional sports teams; that was an obvious application for it. Different people would buy the sleep tracking devices. Some funny stories about that, but I won't get into it right now. Maybe later on. But school schedules eventually began to change when they started realizing that having kids at a young age going to school at 7 o'clock in the morning was actually bad for their school performance. So they started pushing back school hours from that. Even daylight saving time, you know, has problems with sleep. So even that has been changed a little bit by the mountain of evidence about sleep being important and you don't want to damage your sleep at all. Mental health initiatives, occupational health and safety, you see that now all the time. For instance, the military started seeing that most of the different problems with friendly fire accidents, many problems with operating equipment in the military, a lot of the accidents there were very often linked to fatigue. So they started having readiness parameters, as much as they could, around people who go out in the field. So the change of that messaging, which involved looking at the right metrics, the right things to track, and the right messaging around performance, we see it all around us now, and it wasn't that long ago that this started to happen.

Okay, next one. So now we're going to get into the cyber security application of this, about security awareness and phishing training. In performance, it's more than one metric. And right now, typically, in a security awareness program we're usually going to be just measuring the click rate. You send someone a phishing simulation, they fail it, and that's mostly what you're going to be following, just that. In sleep it finally became apparent that what we were looking for were these types of things to show recovery and that people were going to be ready to perform well. And in cyber, what you can do is look at one behavior, based upon your largest risk, that you can really try to center on, and that's reporting a threat. So the ideal outcome of a phishing attack, whatever its form, whether it's phishing through voice, whether it's phishing through Teams, Slack, email, whatever it is, the best thing that you can really have happen from that is a threat report, because that's going to spur a response and accelerate some kind of a response to remove the danger from the system or to eliminate spread. So once you start looking purely at sleep in terms of behav... looking a little sleepy over here... once you start looking at this in terms of performance with security awareness, it becomes behavior, and the key behavior here being threat reporting, what you're trying to look for is the reporting rate, the miss rate, and then the click rate. And like any performance, you're also looking at speed. Speed is essential in security. The faster you can get to some kind of an incident, the less damage it can cause. And ultimately, the ultimate killer victory here in performance, you're looking at things in terms of wins and losses. You're looking at things in terms of your big stats. The big victory here is the real threat detected, and being able to monitor that. How many people actually caught a malicious message and reported it?

Okay, next one. So here we are again. We're in a world where we're thinking about things not as such a negative thing. We're thinking in positive terms. And the way that you can look at that is: if you sleep more, you thrive. That was Cheri Mah out of Stanford. Her research on basketball players at Stanford in the early 2000s found that they were 5% faster and 9% more accurate shooters. And then NASA research showed that a nap improves performance by 34% and alertness by 54%. And there are just loads and loads and loads of research around this now. In the sports world alone, the actual betting lines changed about 15 years ago; it became a thing where they're monitoring which team was actually traveling and therefore likely not to be performing at their peak awake hours. And that actually changed the line of a sport contest as much as home or away, as much as any other kind of advantage that might happen with a sport contest. So if you look at it in terms of performance, it becomes something where you can actually see the difference, as opposed to just being afraid of not doing something. You actually look forward to doing something because you're going to get some kind of a result, some kind of an outcome. With cyber security, you can actually get a 10x rise in real threat reporting if you start teaching people how to report a threat and rewarding them for that.

Okay, next one. And this is what the old negative type stuff used to look like, you know, and there's dozens and dozens and dozens more stats like that about how not sleeping gives you problems. Oh, and by the way, this is kind of a neat thing that we found too at Hoxhunt: if you are on your devices either very, very early or very, very late, you're four to eight times more likely to click on a malicious link. Okay, so treat security like a high performance sport and then you've got game on. You want practice, repeatable behavior that will instill organization-wide cyber habits and embed a security mindset in a business culture. So, practice: most people would probably look at the traditional model being either yearly security awareness training and maybe a quarterly phishing exercise or something like that. Some people might go up to maybe even once a month. We found that you can have 36 a year if they're short and if they're interesting enough. It's that repeated practice that gets you better and better at doing something. You want to be able to measure that. You want to be able to track it correctly. And you want to motivate people. You can't expect people to change their behavior and improve their performance by scaring them with the stick. Using the carrot works a lot better. There are different ways to do it. It could be awesome content. It could be great videos. I think NINJIO has really neat videos. There are other approaches to it. The one that I happen to work with mostly is gamification. It's people pressing something, doing a behavior, and then immediately being rewarded for that behavior.

Okay. So now we're looking at the stats. And this is kind of what it comes down to. This is why security awareness exists. And we're all probably pretty familiar with these types of stats. The Verizon DBIR put it last year at 68% of breaches containing the human element. That was a little funny because it actually would have been the same as the year previous, which is 74%, but they changed their criteria. And I'm looking forward to it this year. The DBIR is coming out next week, and research that my team did is going to be in the Verizon DBIR. So I'm kind of excited to see how that's going to translate, because it'll look at actually separating security awareness training from security behavior change. Comcast Business report: 80 to 95% of cyber attacks begin with a phish. 4.88 million is the average cost of a phishing breach. And there has been a 4,151% increase in phishing attacks since ChatGPT, November '22, according to SlashNext. So a lot of scary stuff, and I think that's kind of why a lot of people who are in charge of securing the human element go for a punishment and consequence-based approach: because there is so much at stake, and there's a real concern about something happening and you didn't scare people enough to prevent them from doing that something, whatever it is.

Okay, next one. So this is what performance looks like. This is our data here. This is based on two and a half million global users, all around the world too. What'll usually happen is that the global baseline for a fail rate, meaning you fail a phishing simulation that was sent to you; miss rate, meaning you just neglected to interact with it; or the reporting rate, where you actually report the simulation, is going to be somewhere around 7% to 10% for the reporting rate, and then real threats that are reported per user per year is usually almost negligible, not tracked, or it's very small. So post enrollment, what happens is that once people learn how to interact with a button, a simple button that you can press and get rewarded for pressing in some way, this immediately shoots up, and the fail rate goes down. It's a result of behavior, a result of people actually doing something repeatedly that reinforces a behavior that you're trying to coach them to do. And over time, if you see the way that happens here, it's really cool. The undesired behavior, which is clicking, was actually higher than the desired behavior, reporting, in the very beginning, and eventually there's actually an inversion of your misses and of your successes, while failure rate stays at a very nice stable level even over months and years of interacting with this program. And on the blue histogram, you see how the real threats detected continually go up over time.

Okay, next one. And the cool thing is that you get this incredibly robust data where you can look at people by their job role. You get to see people by their geography. You can find people within your own organization who are actually risky at this point, because people are interacting with something so much that you have a completely different level of data around your risk profiles of individuals and of groups. And this is pretty common usually: people in sales, communications and marketing are not the most awesome performers. Other people, for us it was legal and finance, typically do really well. IT can kind of cheat though. Everyone here in IT, you can just do some rules on your email and it'll actually catch the simulations when they come in. So you don't even have to interact with it. But not judging though.

Okay, next one. So the pillars of cyber performance: this comes down to what you're looking for. You've got to find your key behaviors. You have to find the key metrics to track those behaviors, and then you need to be able to adopt technology. The technology piece is really exciting these days, and we'll get to that a little bit more in the next slide or two. But the key behaviors I've already described here: start with reporting. There's much more than just social engineering in terms of cyber performance, but social engineering, and being able to report a social engineering attack, is a really nice, neat behavior. It's not trivial technically to integrate the right button into your program, into your platform, into your email gateway and be able to track all the people who are clicking it or not clicking it. But the actual behavior itself is very simple. It's really quite straightforward. Once you get beyond that, then you're talking about the term that has become popular ever since Forrester in August came out with their first Forrester Wave report on human risk management. Human risk management has kind of a negative connotation to me. People call it insider risk, people call it human risk, anything with risk with people, but that's the term that we're using right now. That involves the gamut of behaviors that people have online: MFA use, patching and updating, safe web browsing, information sharing and storing, all that stuff. And that you can track also; it's just a little bit less behavior focused and reward based when you're tracking those behaviors and meaningful metrics, as we described.

So technology with AI: this is where it gets really neat, because one of the problems with typical security awareness programs is that they're mostly very manual and not terribly dynamic. So it's very hard. If you have a smaller company, if you have a smaller group of people of, let's say, 10 to 100 people, you kind of know who needs what type of training and on what, and you can separate the different people from the different departments and give them department specific training, background specific training. But when you have a group of 500, 5,000, 50,000, 200,000 people, it gets really hard. It's a big lift trying to develop training that's dynamic with those people and dynamic with the threat landscape as well. So AI gives you the opportunity now to do all the heavy operational lifting, which is nice. But what's crucial is that with AI, you can also kind of be a social engineer with your own people. You can get very advanced training based on the same types of stuff that we're afraid social engineers are doing to us, where they're using OSINT data and they're automatically sending targeted attacks at people. And we can do the same thing by sending targeted training at people based upon their skills and their background.

Okay. So as we said earlier, one of the ways that you do want to get people motivated to engage with training is to make it fun. And one of the ways that I just happen to have seen work is making it gamified. There's a whole behavioral science principle behind why gamification works. Yu-kai Chou wrote this out in his gamification principles years ago. You get people to engage with a mundane task with the same kind of enthusiasm and engagement as they would with a game. And it's not as simple as just stars and badges. I know that a lot of people think of gamification as just sort of being that. There's a lot more to it than that. But this is something that works, and people will actually look forward to a phishing simulation, and they'll actually be mad if they miss one because they might get a lower ranking on the leaderboards or whatnot. And from that you can also message cyber security as a core wellness benefit. This is not so common, but I've talked to some companies that do a really cool thing where they actually work with their HR department. Where we're at now with cyber security is where health and wellness was 20 years ago with HR departments, who started giving out health and wellness benefits and programs to their workers to improve productivity. That was part of the sleep piece that I was discussing earlier. But cyber security is something similar, where some people, many people, once they start getting into it and understanding this very scary, complex topic, realize they can take it back home and keep their friends and their loved ones safe. And if people ever have some kind of a security issue, it happens at home and it also happens at work.

Okay. So this is what happens when you're focusing on success. If you focus on failure and just the failure rate, it's a failed approach. Instead, look at the success rate, which is actually the reporting rate. You can see how it improves every month, and very dramatically too, over the first year of training. Let's skip forward a couple more slides here because I think I'm about out of time. How about one more? I want to stop here actually. So this was really cool. The reason why I wanted to stop on here: this is the newest technology that's out there. This is a study that we just released, and our team has been developing these AI spear phishing agents since 2023. This study has gotten a lot of pickup lately in the media. In 2023, we did an experiment where we looked at the failure rates that were induced by a single prompt ChatGPT 3.5 experiment versus elite human red teams. And these are elite human red teams. These are Finnish cyber warriors. We're constantly kind of on top of this stuff because of our grumpy neighbor to the east. So these people really know what they do. They know how to create a really compelling phishing simulation. And so back in 2023 there was a clearly higher failure rate induced by the humans. That gap narrowed in November 2024, and then we kind of reached what we're calling our Skynet moment in March 2025, where AI, completely autonomously, outperformed human red teams using the spear phishing agents that we created. And the reason why that's important is that we're not a nation-state-backed group. We're just a bunch of smart people who did this. And some more of the research we've seen now is that most of the phish that bypass filters and get in our inboxes are still mostly written by humans. Really, under 5% of the phish that actually get into our inboxes are written by AI, from what we can tell, which is way less than what you would think based on media reports. And maybe it's a bit more than that; Mcast put it at about 12%. But it's a lot less than you would think it would be. But that's going to change sometime, very soon more than likely, eventually. There's this kind of technology out there waiting around to be used, where the threat landscape and the cyber crime as a service, all the different kits that are out there, are going to be using AI spear phishing agents that will just have a much higher conversion rate than the typical phishing kits that are out there now, which are typically not very good. The ones that get through, some are amazing, the ones that are very advanced. But oftentimes the ones that get through are just pure volume. You send out millions, a few get through, and then there's about, let's say, a 2 to 20% click rate on those. But eventually that's going to get a lot more difficult to spot and report. But the reason why this is exciting is that the exact same technology can be used to defend people. So the exact same technology here that can be used to phish people, you can train people on it too. So then they get that phishing simulation, they click on the link, and then you have the platform say, "Hey, you caught a phish. Congratulations. Awesome. Well done. Okay, that's it." And yeah, that's what performance looks like as a result. But I think I've run out of time here. So if anyone has a final question for me. Yes, please.

Yeah. We played a lot of board games. Watched TV. That was it. Yeah, you can imagine how crazy the conversations got sometimes after 72 hours of being awake. And the problem with that too, and there's a lot of problems with that too, is there's the laboratory effect. When you have someone inside of a room for 72 hours, you can't get up and take a walk like you normally would. You're just stuck in this bed and sitting situation. But we didn't torture them, though. It was not more than we had to. Okay. Well, thanks everybody.
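The cyber performance metrics named in the talk (fail rate, miss rate, reporting rate, speed of reporting, real threats reported per user per year, and the month in which reporting overtakes clicking), computed over a constructed simulation log. This is an added example, not code from the talk or from Hoxhunt; the event fields, the "missed" outcome label and the sample data are assumptions.

```python
"""Cyber performance metrics for a phishing-simulation program.

Added example, not code from the talk or from Hoxhunt. It computes the
metrics the talk names from a constructed event log and finds the month
in which the reporting rate first exceeds the fail rate (the "inversion").
"""
from collections import defaultdict
from statistics import median

# Constructed sample: one row per simulation delivered.
# (user, department, month, outcome, minutes_until_report_or_None)
SIMULATIONS = [
    ("ann", "sales", "2025-01", "clicked", None),
    ("bob", "sales", "2025-01", "missed", None),
    ("cid", "legal", "2025-01", "reported", 95),
    ("dee", "legal", "2025-01", "clicked", None),
    ("ann", "sales", "2025-02", "missed", None),
    ("bob", "sales", "2025-02", "reported", 40),
    ("cid", "legal", "2025-02", "reported", 12),
    ("dee", "legal", "2025-02", "clicked", None),
    ("ann", "sales", "2025-03", "reported", 30),
    ("bob", "sales", "2025-03", "reported", 18),
    ("cid", "legal", "2025-03", "reported", 5),
    ("dee", "legal", "2025-03", "missed", None),
]

# Constructed sample: real (non-simulated) malicious messages users reported.
# (user, month)
REAL_THREAT_REPORTS = [("cid", "2025-02"), ("cid", "2025-03"), ("bob", "2025-03")]


def rates(rows):
    """Fail, miss and report rate plus median minutes-to-report for one cohort."""
    n = len(rows)
    if n == 0:
        return None
    counts = {"clicked": 0, "missed": 0, "reported": 0}
    for _, _, _, outcome, _ in rows:
        counts[outcome] += 1
    # Speed only makes sense for the simulations that were actually reported.
    minutes = [m for *_, outcome, m in rows if outcome == "reported"]
    return {
        "fail_rate": counts["clicked"] / n,
        "miss_rate": counts["missed"] / n,
        "report_rate": counts["reported"] / n,
        "median_minutes_to_report": median(minutes) if minutes else None,
    }


def rates_by(rows, index):
    """Group rows by one column (1 = department, 2 = month) and score each group."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[index]].append(row)
    return {key: rates(group) for key, group in sorted(groups.items())}


def inversion_month(rows):
    """First month in which the reporting rate exceeds the fail rate, or None."""
    for month, r in rates_by(rows, 2).items():
        if r["report_rate"] > r["fail_rate"]:
            return month
    return None


def real_threats_per_user_year(reports, rows, months_observed):
    """Real threats reported per enrolled user, annualised from the observed window."""
    users = {row[0] for row in rows}
    if not users or months_observed <= 0:
        return 0.0
    return len(reports) / len(users) * (12 / months_observed)


if __name__ == "__main__":
    for month, r in rates_by(SIMULATIONS, 2).items():
        print(month, r)
    print("by department:", rates_by(SIMULATIONS, 1))
    print("reporting overtakes clicking in:", inversion_month(SIMULATIONS))
    print("real threats / user / year:",
          real_threats_per_user_year(REAL_THREAT_REPORTS, SIMULATIONS, 3))
```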