
Yes, great, thank you. Good morning everybody. I hope you've all got your Ferrero Rocher, they're very important for later on, so if you've already eaten it you'll be needing another one. So this talk is a talk about how we can use powerful storytelling techniques to improve security culture and drive down risk through secure behaviour change. We're going to look at how we can best work with the way humans are wired to achieve our security objectives, rather than being thwarted by the capricious nature of humanity. I'm a senior specialist in people cyber risk management, and this is basically a talk in four parts: one with a sciency bit that also includes boars, a bit on tools that we can
use to weaponise human wiring in our favour, a bit with a couple of examples of stuff that has worked really well across different organisations, with a look at why that might be, and the finale is a free Christmas Carol download for a spot of Christmas in June. [Music] But before we crack on, can anyone recognise this? Who knows what this is? Speak up. It's a spell from Harry Potter, right? So this is one of the Unforgivable Curses in the world of Harry Potter, and this curse bends someone to your will, making them do what you want them to do when you want them to do it. Sadly this Imperius model is also the way many execs believe culture and
behaviour change works: tell people to do the thing and they'll do the thing. Well, I'm here to report that in the Muggle world people seldom do what you tell them to do just because you told them to do it, because Muggles are complicated. That's the bad news. The good news is that while wizard magic may not work in the Muggle world, there are some things that do.
This bit of Muggle magic is dopamine. Dopamine is part of our neurochemical pleasure and reward system, and it has a kind of magical role to play in the way we form memories. Dopamine ensures that memories are stored in a way that makes them accessible for future adaptive behaviour, a concept we refer to as adaptive memory, and adaptive memory is crucial to culture and behaviour change because it helps us want to want to do the right thing and to recall what the right thing is. This adaptive memory function of our brains is a hangover from the survival systems we developed in prehistoric times. Way back then the three things basic to our survival were food, drink and sex.
Actually I was out on the lash in Leeds last night and I'm not convinced that times have changed that much, to be honest. Anywho, in the absence of Deliveroo and Tinder the supply of food, drink and sex in prehistoric times could be unpredictable, so in terms of evolution, developing a way to remember where this good stuff could be found was really super helpful. The drive to survive helped us develop a reward circuit involving dopamine and three key areas of the brain: the hippocampus, the nucleus accumbens and the prefrontal cortex. I'm going to play a little special present for you now. This is the sciency bit.
To understand the power of adaptive memory we need to stop and think about prehistoric people and boars. So this is how it goes. Prehistoric boar is wandering around the countryside doing whatever boars do. A prehistoric person, or PHP, hunts down prehistoric boar and finds it absolutely yummy. The circuits in PHP's brain responsible for reward and pleasure release a cascade of dopamine that encodes pleasure, the so-called yum yum response. At the same time as the yum yum response, PHP's memory is triggered to remember where they are so they can catch more yummy boars in the future. This is the adaptive memory part. So in terms of the brainy stuff so far we've seen the nucleus accumbens tell PHP that boars are yummy, and the
hippocampus tell PHP to remember where the yummy boars are, and the last bit of this amazing circuit is when the prefrontal cortex kicks in to help PHP make plans to come back for more boars in the future. So what in the heck does any of this have to do with this talk? Well, it turns out this prehistoric brain function is super useful for cyber security culture and behaviour change, because we can hack the same yummy boars mechanism essential for survival back then to harness the power of the yum yum response and the associated adaptive memory response, to help us recall the right security behaviours when we need them and help us to want to want to put them into
practice. All we have to do is ramp up the dopamine in our security communications and weaponise our adaptive memories. So how do we do that?
Well, how do we do that? Well, there are at least four dopamine hacks we can use to help trigger that wonderful adaptive memory response. Actually there's an obvious fifth one, but I'm not convinced it would be appropriate in a business setting, so let's stick with four, and those four are music, storytelling, laughter and food. Now these hacks are by no means a magic wand to deliver culture and behaviour change. All the other usual comms stuff still applies: messages must still be targeted, they must be timely and they must be relevant. But what these hacks can do is harness human neurochemistry in our favour so that messages land better, are retained longer and have an
increased chance of being acted upon. So let's take a look at these hacks one by one.
Music is a really powerful way to pump up the dopamine and kick in the adaptive memory bits of the brain. Just think how we learn our ABCs as children. How do you learn your ABCs? Somebody sing it for me.
Mark, sing it for me. Yeah: A, B, C, D, E, F, G. Adaptive memory, yeah, that's exactly right. We learn our ABCs as children as a song. There's a second benefit: music works as a powerful psychological prompt and is so often strongly associated with some of our most powerful memories. So for example, for me Gloria Gaynor's I Will Survive instantly transports me back to my first kiss in a sweaty school disco. I'm sure you all have your own version of this, possibly not Gloria Gaynor, possibly not the sweaty school disco, but some version where music trips a memory for you. For example, we weaponised the power of Disney and we rewrote The Jungle Book's Bare Necessities
song to use as the intro and outro on a series of short behaviour bombs. Let's have a listen.
[Video] Look for those cyber necessities, the simple cyber necessities... [song lyrics partly inaudible]. Do you ever have to attend online meetings or calls in shared spaces? You do? Cyber Necessities number two goes out to you. When we have to join meetings or calls from shared spaces we have to be really careful about privacy concerns, not to mention background noise, and conversations can be very distracting for us and for the people we're talking to. Fortunately there is a magical solution to this dilemma in the form of headsets. Headsets do away with distractions for us and our callers, cut down on the
disruption to our colleagues and help secure the privacy of any conversations we may have. That is why Cyber Bears wear headsets. Not only is it more considerate to our colleagues and callers, it also ensures private conversations remain private. Cyber Bears wear headsets and we should too. Protect yourself, protect your colleagues and protect our members: be cyber aware and show colleagues you care by reminding them to wear headsets in shared spaces. Stay tuned for the next Cyber Necessities update coming soon. [Music] And on and on and on. So these bite-sized videos were really well received, there was a fair amount of in-office humming as you can imagine (thank you for the earworm, Jeanette Bonal), and they prompted online discussions about
which cartoon bears were the best. Winners by some margin were the Hair Bear Bunch. I don't know if you all remember the Hair Bear Bunch, but they were super cool.
Next up we've got storytelling. Now storytelling is something that has happened in humans from the earliest times: cave paintings depicting the story of a hunt, stories of myths and legends and religion used to transmit cultural values across time, and more recently, who hasn't binge-watched a Netflix series? We get caught up in the story and want to see what happens next and how the story ends. And it seems we're neurochemically wired to enjoy stories too. Telling and listening to stories not only causes our brains to release the marvellous dopamine but also oxytocin, which helps us relax and make easier social connections (great for growing security cultures, right?), and cortisol, which is a mood protectant and helps
reduce negative emotional responses. Now I'm not saying everyone exposed to security messaging experiences a negative emotional response, but let's just say it's not unheard of, and every little helps. In this retelling of Goldilocks and the Three Bears, familiar characters and elements of a traditional story have been used to carry a security message about ransomware attacks. We'll just take a quick look, because it is quite long and I'm not entirely convinced I've got time, but we'll just start it and you can kind of see where it's heading. [Video] Welcome to Hackanory and today's cautionary tale of Goldilocks and the Three Bears. This is Goldilocks. Goldilocks works as a trader at the Three Bears Bank.
Goldilocks loves porridge. The Three Bears Bank is where all the characters from our beloved fairy tales store their digital porridge. Once upon a time Goldilocks received an unexpected email in her inbox inviting her to test a new range of porridge flavourings from a company called Just Right that the Three Bears Bank had had dealings with before. In return for testing the flavourings and recommending them to her friends she would receive a lifetime of free products, even if none of her friends went on to make a purchase. A great deal. All Goldilocks had to do to avail herself of this tremendous offer was to download the attached JPEG and post it to her social media before noon with a
link to the product and the hashtag Just Right. Next to zero effort for a ton of free stuff from a company whose products she already knew and loved. Perfect. Excited to be part of the new product launch, Goldilocks downloaded the image and opened it to check it out. A cute picture. Before she could share the image to her social media and claim the fantastic Just Right offer, something bad happened. Something very bad. Goldilocks' screen was filled with a ransom demand from the Big Bad Wolf crew: hand over all the digital porridge in the Three Bears Bank client accounts or all the Three Bears Bank clients' data will be sold on the dark web. The Three
Bears Bank was experiencing a ransomware attack by the Big Bad Wolf ransomware crew. So how did this happen? Well, it turns out the cute pic Goldilocks had downloaded ready to post to her social media contained cunningly concealed code in its pixels which launched the attack the instant the image was opened. The image of the bear turned out in reality to be a big bad wolf. Could this have been avoided? Well, let's take a look at the email Goldilocks received and see what clues are in there. I'm going to assume you all know what to look for in a phishing email, so I won't patronise you by doing that, or maybe I will. [Laughter]
Okay, what's interesting about this approach is that by taking a well-known story and subverting it to use in a different way for a different audience, we trigger the pattern recognition and anomaly detection bits of our brain, which allows us to think creatively and more easily lay down new information. Also, the neurochemical response to the unexpectedness of a subverted story is almost identical to the response triggered by humour, and we know when we laugh we trigger mirror neurons in our brain, the same mirror neurons which make us laugh when someone else laughs, which is why TV sitcoms have laugh tracks: they need to get you to laugh along with them. Now you know the science behind that madness
and bad TV. So, mirror neurons, very important, and they leave us more open to going along with whatever ideas are being presented to us, which frankly is a win-win, because for us funny is a really serious business.
Well, now the important bit: food. I hope you've all got your Ferrero Rochers. You should eat them at this very moment while we're talking about this, and if you haven't got one please do have another. Anybody require an extra one? You know, Ferrero Rocher, they might be the answer, it's like everybody wants to get engaged.
You can eat this now. Yeah, absolutely you can. [Music]
So when it comes to food as a dopamine booster, chocolate is a triple whammy: it triggers the release of theobromine, which sharpens our attention (so you're all like on it now because you've just had your Ferrero Rocher), the magical dopamine, and serotonin for the feel-good factor. But actually food generally, I have found, makes any kind of security messaging event go better, even if it's just in terms of attendance. For example, I've doubled the attendance at lunchtime events by providing not only sandwiches, tea and coffee but, crucially, chips. Once chips appear on the invitation attendance doubles. It's like a blooming miracle, frankly. Sometimes, though, it's the simple things that make a difference.
And finally we get to the thing that I said I was going to talk about in the first place, but it was kind of a long lead-up there: A Christmas Carol, the Insider Threat Edition. Feel free to scan the QR code and download a copy. So this is a modern retelling of a very old story with characters drawn from the security team, a ghostly audit team and a malicious insider threat bent on crippling Tiny Tim Technologies' network. You can download this digital pantomime, and I'll warn you, watch out for the Balkan donkey, that's the highlight. It is a bit long, sadly, well, it's like over half an hour long, I outdid myself. It's a bit long so we don't have time to
watch it together, but what I can do is give you a little bit of context for when you do get around to watching it yourself. So this was produced as a lunch and learn event across the entire business and it had two main objectives. The first was to begin a dialogue amongst colleagues about what constituted an insider threat, that it's not just that, you know, skanky Hollywood version of some malicious actor in a hoodie somewhere. This was in response to some behaviours that had been observed amongst colleagues by management, and they wanted to start people talking about it. The second was a sneaky one, but it was to raise and improve the image of the security team in a bid to counter
their unhelpful fun police reputation and improve cross-function communications. And this event succeeded in both objectives and was far and away the single most successful event that I've ever staged at that organisation. Originally it was going to be delivered in a live panto-style performance by the entire team, but a last-minute catastrophe meant some members of the team were unable to take part, so it ended up basically as me telling the story, and this also accounts for why one of the characters turns into a frog part way through. Sometimes time pressures impact production values, what can I tell you, my apologies. On the day, the event kicked off with Put a Little Love in Your Heart from the
film Scrooged playing as colleagues assembled for the session, and as colleagues arrived they were asked to vote on their favourite film version of Scrooge using Menti. This got people chatting before the session, engaged everybody, and also ensured everyone could use Menti before we got to a Menti-based activity in the session itself. Is anybody wondering about the favourite film version? Any guesses about which one won? Yes, it was the Muppets. It's always the Muppets, right? So this event encompassed all four of the dopamine hacks we've been looking at: it had music, humour, a subverted narrative and food, and it was timely, targeted and relevant, and as it turns out it was a total winner. So if you can emulate
something like this in your own voice, obviously, I strongly encourage you to do so. Now I'm not for one minute saying that we need to tie people down, force-feed them chocolate, stream loud music in their ears and talk to them with funny stories, because that would just be rude, but we do need to understand the human operating system and use the best tactics and techniques to make sure it's working in our favour if we want to effect security culture and behaviour change. The too-long-didn't-read version of this talk: people who feel good are more likely to do good, so we should make people feel good. Thank you.
Thank you. Any questions?

Yeah, thank you, that was absolutely wonderful, thank you. Cultural change is one of those quite hard things to measure. Have you found any useful ways of doing so to demonstrate value?

You're right, it is very difficult to measure, and currently people are doing it on, like, an annual survey basis on people's perceptions around security and the behaviours of themselves and their perceived behaviours of their colleagues. I don't think there is a single metric that can measure security culture. It's something really that you observe in interactions with people as a team, from my experience, although if anybody else does have a metric I would absolutely love to know it. Thank you, hand it over.
Anyone else? Cool.