
2014 KEYNOTE - Dr Jessica Barker - Fear and Loathing in Cyber Security

BSides Manchester · 1:05:12 · 145 views · Published 2015-10
About this talk
The biggest problem facing cyber security, the greatest threat the Internet faces, is the fear. Too often the cyber security industry trades on the threats that lurk and the low level of understanding and awareness that most users have (and I say that as a cyber security consultant…). The average user, meanwhile, is aware that there are dangers in cyber space, that there are ‘hackers’ who can ‘steal’ their information, but they do not know how that really happens or why they should, for example, have strong passwords. As we all know, a lot of users do not even know what makes a strong password or, if they know, they do not understand well enough to actually bother. The ‘how’ and ‘why’ is very rarely explained. The problem with fear is that it is not empowering. Fear is undermining, off-putting and breeds insecurity. Literally, in this field, fear causes cyber insecurity. This talk borrows from psychology and sociology to argue that if we want better cyber security, we have to connect the dots for people. Rather than simply scaring people with the threat, we need to explain how what they do fits into the bigger picture and, most importantly, we need to give them a clear map of good behaviours.
Transcript

I'm sure you must be sick and tired of hearing my voice now I know I am love you too sis ya know I as everyone had a good time yeah yeah every two days I should can only open at the end as well so we've saved the best for last our next speaker is a world-renowned you might see her on BBC Breakfast Yorkers will sleep at 5am and so or maybe you've heard on radio and recognize indistinct of Judy answers even the motivation now lives in the works in London

but yeah we have a great time here what I've had a great time here I think the quality of the talks have been absolutely outstanding and I think it was long overdue that we had a conference up north of London for me I live in London everything's up north as on him to invite everything that law I don't clear but we've got a big proper BSides here and I think all been fantastic and I hope you really do enjoy the closing keynote people Dr. Jessica Barker here who is one of the two females who speak on the circuit and enough women in security I have and we always talk about you know getting back on it

again stuff so yeah I hadn't pointed me

yeah I should have known you know I should have it that's one of the reason I didn't do it all right I never have heat submittals it's always forget one talking back sumith 12 and the title is something the abstract something else and then when i get out there a talk about something completely different but don't really like it's pretty paying attention anyway with the thank you very much it's been really great seeing you octopus on we could have a closing and then I assume and hope you like an issue of bracing you and i'll send you into the very capable hands of Dr. Barker

so yes I am yet I am an independent cyber security consultant and today i'm talking about Fear and Loathing in Cyber Security unfortunately i'm not just playing the film and i'm also is this anointing costume or about the ass and the glasses and the mescaline I've decided to keep badness today and what I'm talking about is about the general awareness raising in cyber security and that's one thing that I do as an independent consultant so I work with organizations and often it is kind of the general awareness raising starting at the board level and talking to them about the correct and what they can do and having done that for the last kind

of four or five years I found myself thinking a lot kind of about threats and the extent to which we use it in the right or the wrong way to and engage with the web as well as my own organizations and with javon said I do a little bit of media work and so kind of thing quite a bit about the general public and I'm communicating the message to you always told one of the BBC producer rings or whatever they want you to be kind of pitch into your mum and dad or your grandparents so kind of thinking and they were always taking the lowest common denominator and I so I've kind of done some new stuff and I also

use a movie clip of Britain watch ripple everybody familiar on if you not lived until you've worked with Angela return but but but we can we grab operating at the daytime TV around it's about 80 consumer and awareness-raising and something about all sorts of consumer issues and they're finding increasingly that people are worried and scared or the incense and doing things online and so I worked with them a bit this summer and doing them a lot of summer and what it involves is open and engaging the kind of real life problems of the general public and so like summer one thing I did was a pop-up shop that was like filmed and people came in and talking about their worries

or they painting with a problem what I found that loads of people were coming to me and saying I'm scared I've been hacked I'm scared of emails I'm scared to use the internet and I was like what do you why you spend live just down because I told to be so people don't know what they're saying about but they're scared and this is why I've been sort of increasingly trying to think about fear so I've told you a little bit about Who I am I'll tell you a bit more this might be a tad extreme and but I chose this quote obviously partly because there's a line by Hunter S. Thompson who is an awesome author and

Fear and Loathing was the inspiration for this talk but also i've had quite an unusual route into this industry so I'm a sociologist really is how I would classify myself my undergraduate degree in sociology and politics and I originally wanted to be a politician and then I work with politicians so then I went on to do some work in regeneration can I worked for the now defunct Northwest Development Agency and I worked mainly on social inclusion so it was a research role and I was looking at the idea of kind of deprivation and poverty and social inclusion however on from there to you that and kind of regeneration the differences and the idea of like clusters and networked

information and the role of networked information of regeneration that led on to my PhD I did a masters and PhD my masters was in town and regional planning and then my PhD was in civic design civic design is kind of the design of society it says on the tin and so that's like a combination of sociology and town planning and what I was looking at was globalization the internet the idea of networked information and kind of how that has changed obviously over the last couple of decades and particularly what impact that's had on how we how we regenerate and a large cities and on institutions and on individuals so I did that I had to remind myself to take mine off that

would have been really about I'm now actually turn it off many technical issues with me today so to my PhD and that was as I said design and the methodology was qualitative and some loads and roads of interviews with loads of different people I was really lucky that I should go to different cities as part of my research spend the time in America and and saw cuts the end of my PhD it's over four subjects and was very sick of academia and where you are lose them talking to two people you write at least this and three people read it because they have to because they are examining you on it so I felt like I wanted a new

challenge wanted to be something different and I was very lucky that I was approached by somebody and a six degrees of separation and they heard about my research they were setting up a cyber security consultancy and they wanted someone who could really difficult spective this had a lot of technical skills they wanted someone and with a more social and human and business focus so no very lucky I was trained and worked there for a few years and then about 15 months ago second for my own and now wears an independent consultant so that's who I am and and so I wanted to talk about that music so then an unusual routine and we've talked a little bit about that over the

weekends and kind of the important so kind of expecting a new city people with decreasing and I also wanted to say it because it explains why i have such trouble getting my soon to be showing videos play two things i am not technically i'm talking of fear and loathing i have had a lot of fear about this presentation and i think the organizers now low of me because they really spent hours trying to get this sponsored for me but anyway what am I talking about today I'm talking about what is what is fear and how do we sounds gear and how has that changed over the last few decades took muscle Michaels fear appeals and that brings in

the extended parallel process model as i said to jerec there's a reason i have got notes today and that is because i'm looking on a lot of psychological theories and they all have very long names which i can't store in my head and the theme that will come up a lot today's efficacy and i was basically how you get an intended outcome so how you get people to do things and kind of crosses into empowerment and fear control responses so how do we respond to fear society around the behaviour of plan behaviors or my intentions and actions and translating the to a little bit ever look at climate change a very big problem which we need everybody to

act on and people are kind of in denial about and empowerment and which again has come up a little bit over the last couple of days and i think is really important in this field and Calandra some recommendations but why am I talking about all of this and well one thing that I think we're all aware of is that human behavior in this space is not changing fast enough we all know that users aren't changing passwords they are using secure passwords and they are clicking on phishing links evil and they suspect that machine leaves the sense of people i read recently datacenter people even if they know and they received an email with the phishing link and they were

click on it just out of curiosity so we it I also AM a sociologist so I love theory so that's why I've decided to present you a bunch of academic theories and the weekend but also I think theory is important when we're talking about changing behavior in this space we can't just think about the technical we can't just think about the practical we have to think about the context and that's what theories give us they stimulate their eyes to predict if I was to create and really they have I was to think about the bigger picture and the context so that's why I took night and but to begin with I'm going to show you a video

he was very long the acid is long gone but the mess will become strong good mescaline comes on slow first hours all waiting then I what halfway through its second hour you start cursing the creep who burned you because nothing's happening saying I hate to say this this place is getting to me I think I'm getting this year possum Jimmy remind the American dream hello right in the vortex she want a quick George realized we found the making this one here so I couldn't do it all the reference fear and loathing than afternoon 50 unloading and I figured my slide with enough to give you a migraine and a nice big thick mighty and so he's getting a few but

what is the fear and fear primarily has been studied by psychology and because it's always been seen as an emotion so we feel a physical response to fear and kind of we've always understood it as the sort of Darwinian fight or flight so we've evolved to recognize threats and to react with a physical response where we either fight we either and try and engage and fight off the fear or we run away and and so it's been studied mainly by psychology over the last sort of 10 or 15 years sociology so this guy Tudor was one of the first sociologists to really and look at fear and what he talks about is how it's embedded in different kind of contexts

so it is cultural its social it will vary according to the context that you're in and I just wonder also is it now technical and that's obviously kind of what I'm talking about today an example Tudor gives this sort by interesting is about a tiger so he says if you are walking through your journal or Manchester Facebook and if you're walking through streets of Manchester and you come across a tiger and you will only be scared of it if you have a cognitive map to recognize what the tiger is if you don't know what tiger is and you don't know the fear that it represents then you might just think it's this big fluffy thing that you can

go and cuddle so you need to understand what it is and the threat represents to translate that into fear so that means its social somebody needs to have told you you need to be educated in it I think you see where I'm getting the subject if you haven't got that cognitive map and you can't balance and curiosity with the danger but then Tudor goes on to point out even if you understand what it is how you respond to it will vary depending on your role so if you are just a person and you come across a tiger and you know what Tiger it's we're going to be scared but if you are a hunter and you're there to kill this

lovely animal and you are equipped with all of the equipment you need to kill it and the skills and the training then you might give you might feel the physical response of fear so you might feel the adrenaline but you'll channel that into killing the tiger and you will also feel excited you're going to make those money from killing this lovely thing and so long ties feel different to just a person on the street a guide so a guide you can see I think the guy on the top I've decided he's a guide the rest are friends and if you're a guide and you come across a tiger and you're there with people who want to see tigers you are protected by

other people you have the knives and the guns just in case the tiger gets out of control so you have been trained you have skills and knowledge you're in a group where there's a division of labor and there's a hierarchy and go with people if you want to see this tiger so you and your educating the minute so you're explaining what the tiger is you explaining the threat you explaining how you manage that so you don't feel the same fear so when I read through that I decided we are we are the guides so when this guy I wish were within stand with the facial hair I don't think we aren't really prefer the house it isn't

necessary how many weapons but he's thrown were people with weapons and he is facilitating this kind of knowledge and understanding so that's why I think fear is kind of a mixture of psychological and social so i mentioned before the idea of fear appeals so does anybody know what fear appeals are so fear appeals are you will all see them they are persuasive messages and to arouse fear so basically as well bad and wise moving is perhaps let me see the horrible lungs and things so there's fear appeals on every packet of cigarettes that is sold now and public health messages offer my fear appeals and we were kind of drunk driving drive safe you see seatbelts all of these

often and rely on fear appeals so Witte and Allen are some psychologists and they looked at fear appeals fear appeals have been around for 50 or 60 years Witte and Allen looked at over 100 psychological articles and that were all addressing fear appeals going back to nineteen fifty three and they looked at three concepts and look Donna it looks or perceived threat and perceived efficacy so efficacy I mentioned earlier it will keep coming up and in the talk today efficacy is about producing the desired outcome so it's about getting getting what you want and be motivated to to get that and efficacy has two sides it is response efficacy and there's personal efficacy so if you're

trying to get someone to do something you have to show them that what you're trying to get them to do is a good thing and we will work and you also have to show them that they can't do it so it's the wider thing and it's a personal thing and but what they found overall is that as fear appeals increase in strength so does resistance and denial so the more we scare people the more they will bury their head in the sand so when you're using fear appeals you need to use court now psychologist who I really like called Leventhal he looks at fear appeals but he kind of extended and the analysis of it and he came up with this

thing called and again this is why I have the lows extended parallel process model I don't know why it's called that but EPPM and he and said that basically to get people to engage with a fear appeal there's a few stages so firstly and when we look at a fear appeal or when we read or see or are confronted with one and we will appraise it subconsciously in a couple of ways and that will lead to a couple of possible outcomes so basically we will appraise the fear appeal in terms of severity so how bad does it seem and then also we will look at it in terms of susceptibility so how likely am I to

be susceptible to it the more severe it seems and the more susceptible we are or we feel we are that will lead us to look at the efficacy so if we don't convince people that it is that what we what was scaring them with is bad and it's likely to happen to them they'll just shut off and they won't carry on but if we can convince them that it is a severe threat and that they are likely to be susceptible to it then they will appraise how to respond to it and then how they perceive the efficacy and leads to them to consider whether to control the danger or control the fear so if they think that the response being suggested is

rubbish it's not going to work or if they think that they don't have the skills and the knowledge and to engage with that response and deliver that response and then they will just control the fear so they'll go into denial but if they are convinced that the response is a good thing and we'll have if they're convinced but they actually can enact it and then they'll control the danger so I think about this in terms of Lord selling information security or if you kind of talking to the board about why they should and improve their information security you have to convince them that a threat is real that the threat applies to them but the response being sold or offered to

them actually is going to solve the problem and that they have the power they have the knowledge they have the skills to enact that response so then Leventhal who I mentioned came up with this theory he learned tested it out so one thing he was looking at it was the early 1970s and tetanus was a big problem lots of people were getting a tetanus there was an inoculation about but people weren't taking up people weren't on it for the injection so he got my chest units in and to try and scare them into getting the inoculation so to begin with he showed them really horrible pictures of people experiencing tennis ball shins with lesions with all the horrible

things that come from tetanus and he was really pleased the students already scared they went away saying tetanus is our thing and I should get that injection but then they didn't go and get the injection just went off to the pub and they see aliens not being scared so he got them bathroom he's open the pictures they look scared he then gave them a map of their campus that said this is where your lecture theatres are this is where the library is and this is where the health center is and these are the times that it's open when you can go and get the injection and it increased from and he was just under four per cents that students forgot me

an injection the first time and they were just scared to over thirty percent who they had a map they already knew where the health center was they already knew what time it was open but they were handed a map it shows from about four percent over thirty percent of people actually going in handy injection so you can see he made them feel that the threat was severe he made them feel that they were they were likely to get it but they were susceptible and then he made was their efficacy so he made them feel like they could control the danger rather than just controlling the fear so fear control responses for fear control responses you

feel paranoid you feel scared you feel like you're just got to get out you've got to run away and basically what fear control responses it's a psychological defense tactic and so in terms of EPPM it's all nothing about controlling the fear rather than controlling the danger the more scared you are the more likely you are to put your head in the sand so the stronger as I said before the stronger and Thea message the fear appeal the more likely you are to go into denial now has anyone a fan of Parks and Recreation hello it's a mark or someone's gotta call Swanson and the people that laughing is Watson obviously boom hey bro listen I was trying to buy this

handcrafted mahogany wood model b-25 Mitchell Panchito aircraft for me don't sass me and I went to this website and this ad popped up that said hey Ron Swanson check out this great offer what's her question my question is what the hell like how I mean everywhere yeah okay um there are these things called cookies where like if you go to a site by something it will remember you and then create ads for other stuff you might want to buy so it learns information about me seems like an invasion of privacy dude if you think that's bad google and type in your address

so if you don't already know what Parks and Recreation is if you don't already watch it obviously true and that's what that superior I'm just going to leave you with the lovely as you know from in advance of those and that's a fear appeal that's what happens so April gives from the fear appeal this is google it and he what we do he just goes into denial and he throws his computers in which lovely the worst thing that you do because do we think that he securely destroyed his data did that no we do not for those of you could go with water for those of you who don't watch Parks and Recreation those with

the DVD who is Ron Swanson anybody some items some of you watching so someone tell me something about Ron Swanson no one was gonna help me out here he loves breakfast food in us bacon yeah but actually he doesn't I creepies he does not like he works with the government but he hates the government and he stores all of his wealth in gold he loves chopping wood so basically the short answer is healing hero of our times and you either wanna meet him where you want to marry him he is also skeptical he's not particularly anxious person he's skeptical and cynical so why am I telling you this I was going this person of parks and recreation and Wisconsin

there's my shoe morn actually into every talk that I do but also I'm telling you this because psychologists looked at the extent to which individual traits in here and in terms of your level of anxiety a fear appeal makes no difference so whether you are an incredibly I'm sure special peers on my nature or whether you are not anxious at all it makes no difference to how you respond to a fear appeal where it does make a difference in terms of efficacy so efficacy is where your individual beliefs matter and the extent to which you think you are skilled and knowledgeable and trained is the extent to which you will engage in changing your behavior the theory of planned

behavior so what is this theory of planned behavior is quite straightforward basically says with human beings of the other by their personal attributes and social norms and the sense of control or efficacy so by a social norm its social norms what we mean is kind of how they see people around them acting and behaving and the label kind of follow suit then people will pay particular attention to significance individuals so people who they think are important although and the extent to which they an act so the relevance of individual or individuals matter is the extent to which they are seen as important or knowledgeable will and have an impact on the extent to which I decide to follow

the social norms and but it also varies according to context so what my boss says about work things matters more to me than what my mom says about work things but what my mum says about what clothes I should very much more to me anyway and so all my mother things about only nine Madison or even what my boss thinks about my early life so varies according to context and basically what the theory of planned behavior is about is how to turn intentions into actions and so how to make for go from thinking something as peers to actually doing that thing that they think is good so um the theory of planned behavior is so absol without love a perceived

behavioral controls so perceived behavioral controls they turn intentions into actions and it's the extent to which individuals feel that they can actually engage in a behavior and this will be internal as I've said the expense which they think that's feel full knowledgeable they're equipped to to engaging this behavior but also external so there will be thinking about time thinking about stressed you thinking about Polly's we're thinking about money and and this can have a divergence so people can say I want to be more secure online and but then they can engage in behaviors that are not at all secure because they don't understand what the and in terms of planned behavior there is little ideas around classes of social

norms so I talked about social norms and kind of how they are however people are acting and the extent to which we might follow suit and there's two different types there's descriptive which purely describe and how you should be behaving how other people are behaving and then there's injunctive and injunctive are symbols and and so it is kind of a tick or a cross or smiley face and then they don't have the same effect so descriptive norms my people are told and everybody uses their mother's maiden name as their password article or someone on the news telling them that then people will take on that behavior so if somebody goes on a TV and says the

vast majority of people are just using their mother's maiden name as their password and then for the people that are using their own surname as a password they will improve slightly and they'll use them as a smooth name but for everyone else they all know amazing I don't need to use all these complicated passwords there's no one else there is I'm just going to use my mother's maiden name so descriptive norms can be helpful but they're often not because they kind of just made everyone average out so the people who are doing really really badly and we'll get a little bit better but the people who are above the line and we'll just lower their behavior but injunctive

norms enhance all that out so people really like pictures so some reason research by constantly all these names but Schultz et al. they looked at energy consumption and what they were doing looking at energy consumption members and trying to get people to use less energy so they measure the energy consumption and then they send communications around saying you are using more energy than your neighbors who are using less energy on your neighbors when they just send that found around of course that the people who were using and more energy brought it down a little bit and but the people who were using less brought it up but when they put a smiley face or people who were

using less energy those people kept it down because people wanted to keep getting their smiley faces I think they did it at the longitudinal study and people kept OMG do something down over a couple of months and the people who got the sad faces they of course improved their behavior because they had about board next door who's kind of a smiley face and they wanted a smiley face so amazingly simple and weird and but I sort of think we can use this again and I wonder you know when you put your password in and you create a new account on a website and it gives you the strength indicator and you see it go from

stronger to weaker a nice kind of an injunctive norm and I sort of think if we can maybe start just a feeling some a child a little bit more the child or the raver I don't know and apparently that makes a big difference another thing I'm in terms of receipt and received behavioral response intentions expressed more than once and written down are more likely to lead to a change in behavior so I think about this a lot when I am designing sort of training packages for organizations because I know if I go in and then to look at the trade in once and I get every willing to say yes yes I'm going to get much better and that when I go

away they will quickly forget about it so you kind of have to keep going back and keep getting them to express those same intentions over and over again and only when they kind of keep doing it and keep writing it down we keep coming it out and will they actually change their behavior so I talked a little bit there are energy consumption and I think climate change is quite an interesting comparison to information security because we kind of face a similar problem so when I'm talking placed on some research by the American Psychological Association a big report a few years ago on climate change and they found 75% of the US and the UK population think that climate change is

a big issue and that what should all do something about it but only a few people actually do anything about it so anybody working climate change faces a similar problem to us and then they just can't get people no matter how much they scared change their behaviour and this American Psychological Association report identifies the key barriers and I think we will all recognize these as key barriers and change in behavior and information security so uncertainty the extent to which people think it actually is a big problem or is it not and I convince myself that it's not and also in season 2 you in advance so when i'm going back to and Heartbleed and

people got very confused about you know when they should be changing them how they achieve their mean what should they be doing and i have lots of people getting in touch with me saying we don't understand this and we don't know what we should be doing so we're not going to do anything and i think when i was thinking about this i was thinking about last night so there's a sociologist called Glassner and who talked a lot of our culture of fear he had a book as about 10 years ago more culture of fear and basically says that we are living in a time where we're all just really really scared and blames it on the media

and the United says the leading a kind of points up all of this fear but they don't really under canopy which fact or and how to actually change behavior and I do some work with the media and I always try and kind of think about this when they do because I don't want to be one of these people that is just kind of whipping up the fear without actually explaining what it means and what people can do about it and so I would say that's why actually monsters on my original be engaging more in media and to try and make as a subject that is actually broken down for people to understand and mistrust so mistrust is a

big problem climate change people don't really believe what the government is telling them they don't really believe authority and sort wonder about Snowden and NSA and GCHQ and the extent to which people may be alba mistrust and around town information is used and around information security and if that is a bit of a barrier in terms of kind of denial social comparison our morning and talked about in terms of yours and so to the Lord and kind of the perception of what is proper behavior people will look around them and look at what other people are doing so in terms of social comparison that's where I think injunctive rather than descriptive norms notice that smiley face rather than you

are very that I'm undervaluing risks and so this is kind of a similar thing to uncertainty and basically in undervaluing risks what this report on climate change found is that when people were told and climate change is going to be really big problem in 25 years well that translated to in people's head was yes anybody's and I sort of thinking about so similar problem here that people undervalue risks some people think until it's open to them it's not going to happen to them and only but I know you only if I get hacked what I wrote lack of control so again this ties into efficacy so the extent to which people think they actually you can

and change their behavior now have the knowledge to and they actually think that it will matter and receive manual control I've talked about a lot but this is kind of a collective action problem and so kind of getting people to believe that those individuals matter and that they behaviors count and can change and have it and people don't like changing their habits it takes a long time to change those habits and I think we sort of have a similar problem in information security people aren't used to having a number of different passwords they don't know how to manage possibly as they don't know how to engage and they're used to clicking on links and being able

to go wherever they want on the internet and they don't really like suddenly having to think about the risks with that this report found a few things in terms of what we can do to improve behavior and one ties in a bit I've been to the smiley faces and one is the power of immediate feedback and so when you've got a big problem but it's kind of delayed and where you don't often see it or you don't see until after the event and then immediate feedback this kind of is a really important thing and they also within quotes and the psychologist or bluesman right and who talks about and paralysis due to the size of a

problem so the bigger problem is the more people will be scared and paralyzed and going to denial and one thing leads when talks about his victim blaming and she says and that in terms of climate change and we all kind of blaming individuals a lot and people don't like to be blamed and they like to be empowered and so by blaming individuals and we're just making them feel mad and we're making them feel stupid and we're not changing behavior and it's something I'm talking to steal con in a couple of weeks and I'm talking a little bit about victim-blaming because I think I know I sometimes do it but I think we all sort of doing it

industry and we will point of users they are hiring a pretty stupid we should be and that's why you act when people are very aware of that and what lloyds minh says is that if it was health problem climate change information security then people kind of look at empowerment a lot more so some of them contracts and illness and doctors and medical researchers will more point your finger and hang up saying haha you're such a big girl power that's got very nice so moving on from victim blaming to empowerment lexi talks about empowerment a very clear earlier empowerment i think is stupid wheel that is really important and empowerment is something that has been looked at even in technology in

terms of community psychology so looked at as like a collective thing in a community and as I've got a quote there by Rappaport I just like saying nothing empowerment is a process and by which people organizations and communities gain mastery over their affairs and I think that's a really important quote in terms of information security because there's about what we want and so empowerment varies according to context and empowerment is about being inclusive rather than blaming individuals and it is about it contains a community psychology they look too late a lot in terms of health and in terms of mental health and Rappaport talks a lot about how you can combine prevention with

empowerment because of course we can't talk about information such as you were pointing out the things that people shouldn't you do it and it sounds like that is fundamentally opposed to an empowerment so how can you tell people not to do loads of things at the same time is telling them but you can do it and so it's quite a tricky thing to balance from empowerment in community psychology throughout heavier competence building a confidence-building I think is something we come across a lot in information security and but it's very individual focused whereas empowerment is about the kind of bigger picture and sociologists called Zimmerman smoothie amazing things yet and but Zimmerman talks about empowerment and kind of stairs and that

it is positive and the more you're in control the more you're engaged and the more responsibility you have the more empowered giraffe so Zimmerman looked at a mental health and support group and found that people who were just attending did not feel at all empowered and it was a lot harder for them to change their behaviors and but people who and we're offering some level of support for a little bit more likely to change their behaviors people who had a formal role or more likely to change their behaviors really suffering some support and the people who were leading for the most empowered so when I am delivering training is raising and one thing I always try and get the

organization to do at the same time if they haven't already is having a governance structure and to think about kind of how they are governing information in the organization and the different roles that everybody will have because everybody likes to have a role everybody likes to know that as opposed to be doing and when they have a role they are more likely to act and in the way that you're telling them to

so recommendations so in terms of recommendations I've talked a lot about different theories to spend just a couple of minutes pulling out and what I think are the most important facts because I realize I've talked a lot of theory and so empower as well as prevent me from feel that they can engage in these from being offensive and communication matters so we in terms of communication there's a few things that they kinda came out of each different and I get two different bit of research that I've talked about and so vivid language and consequences and are really important in getting people to change their behavior being visual so showing people pictures like going back to

Leventhal and the pictures of people with the compulsions and with the lesions and people really make pictures for the more visual you can be in communication the better and being personal so instead of saying and there is a huge danger out there you face a huge danger so just translating that into how it impacts on the individual and I'm not passive so I often wonder about the term user it's a very kind of passive term it's not empowering it's like using this thing and you have no control and so I don't know what better way it is but I'm not sure about user and immediate feedback so going back to that thing about symbols and kind of

really simple and many people feel like that what they're doing actually matters and making a threat seem serious and likely and so severe and that they are susceptible to it I think the most important thing is that strong fear has to be backed up with strong efficacy so minus of course in terms of response efficacy so our solutions will actually make a difference and also personal efficacy so you actually can do it and you are knowledgeable enough you do have we're going to give you this training and we're going to make you understand what you need to do and give you that cognitive map and all that canvas that level format and finally

assess and evaluate so getting feedback and especially if you are using fear as a kind of a way to change behavior you can't do that I'm not evaluated because you don't know if all you're doing is getting people to bury their head in the sand so thank you very much for your time today thank you very much romantic three sides and for asking me to speak and thank you very much for their lasting and at the end if anybody has any questions I'd love to hear them as my contact details so please get in touch I'm young Peter thank you very much for all the technical at health that allow me to show you the wonder

that is awesome

I actually another question so as a suspension with a bowl certain skills for assessing risk in a physical sense so we won't take risks in gathering food which either wear my dial break a leg or something like that when it comes to technology we're not going to do and assessing the risk so how do we address the dichotomy of the user under estimating the risk and as the information security professional and overestimate movies okay question and so I think it's one thing kind of communicating the risk and I think that I think we kind of do that quite well and I think you're right we need to make sure we don't overestimate eggs as soon

as we own recipe but I think it so it's and they're going back to kind of thing of efficacy so it's not just communicating the risk place what you can do about it and I think my pipe game quite good at communicating the risk and but we're not telling people enough about what they can do and how they can do it I mean I'm kind of why they should do it so I sort of think it's it's a to have to be done hunting around and but I also think we forget that this is quite a new industry really and the internet hasn't been around for all that long and people are still learning and it's

moving really really fast so it's quite hard to kind of balance that pace and with any sort of and deep change and changing kind of cultural behavior I don't think to carell but

yeah really good question and it's something that again I sort of try and try and do with organizations so kind of doing stuff why when I was in training and do a lot of like quizzes and pop quizzes and ask a lot of questions and like throw out sweets and so and that's dangerous because I didn't want to hit a woman smack bang in the middle of her head the chocolate eclair only dreaming so what was it was deep that's meant to be inherit but but so kind of little rewards in terms of that so that that has two events so one thing when you're delivering training and/or and when you're trying to deliver any kind of

knowledge you have to test it because if you don't test it then people don't take it in as much and so a that's testing it but then be that sort of rewarding and I will also came out like sweets for anybody and asks a question about anything and just to get people to kind of engage and then I want to a wider scale I will put in place things like and they will have a like a monthly thing where somebody goes away and either prepares like a little one page article on a certain topic and then they do that and they get rewarded for that or brief things you know it to you

meetings again I'll click there with materials so they can do quizzes and get into girls for that and get rewards for that and then also I work with organizations that give out certificates so for one people and engaging the behaviors like when they stopped someone tailgating or when they do whatever like that and they'll be kind of pointed out as a as a change agent and take the curve and get acknowledged but also in terms of the stick and psychology says quite a lot of stuff about that about how to kind of punish people effectively and if you're going to punish people effectively you have to and make them understand why they're being punished and have respect when he's punishing

them so if they don't think that the pace or punishing them is really a respect and if they don't think what they're being punished or is something that is actually a bad thing and then it will not change our behaviour at all and you can actually have the opposite effect and make them engage in so it kind of goes back to this thing of like a zebra haverhill response and activism in that if people don't understand why they're doing something and if they don't think that it actually is worthy of doing yes the chocolate stuff definitely works and I got a kind of follow on which is sometimes we're in situations where always want to

apologize people were training because the solution with current imposing is really a band-aid because the saying don't click on things were kind of sorry that the Israeli base allows you to click on things in this situation we really shouldn't be in a situation where you've actually prevented this information but we're not smart enough to solve the problem how do we kind of get that over that's really tricky one because what you're saying if you're apologizing for the solution and you're saying the solution doesn't work and so then they will not engage with the solution and that's kind of a theme again and legacy and so we need a solution everybody and but also we have

to stop apologizing and the problem is not our fault the solutions that we have and I think as long as we're apportion it in sort of educating with those solutions as long as we don't expect people to be ridiculous and to have ridiculous levels of security then I don't think you should apologize for it and I think we should be more positive in general I'm trying to be really positive when I'm delivering training and awareness-raising because I think we can be a big negative and we can be a male apologetic and we can kind of feel a little bit fat and then that's no good for us and it's no mood for a profession but it's even worse very users about to

try in reality like what does affect us cost some people I know you've got stuff for like some people after driving really like in general at what cost yeah I think cost is a huge problem and I know when I work organizations and did it bring any in hangman and change in this space if it's not well resourced and if it's not supported at the highest level so you have to have the board level engaged and you have to have the person holding the strings with the money and they have to be pushing it because if they're not then people don't have that trusting authority that I was talking about earlier that they use actually

change and their behaviors and if they don't sleep they don't think the big man or woman at the top actually has about eight to throw some money at it and they're not going to change their behaviors so yeah thing cost is a huge problem and but also when you're kind of trying to sell it and you have to convince the person you're selling to about response and efficacy so you have to convince them to what you're selling is actually gonna work and so again that ties into not being apologetic and having some confidence but what you're selling is at least kind of better than one thing I'm not exactly like selling oil but if you're if you believe in what

you're selling and you believe that it's the right thing for that organization which you should do it for selling it and then you can't be apologetic you have to convince the peers when you're selling to that it is a something that will work and be something that that organization can take on board and then you get their engagement and having them engaged does I've seen it in organizations that have those engaged in that don't have the people are the top engaging to have a huge

yeah I think you're absolutely right and it's anyone waterways I'm okay so right and so it's easy to talk about fear and it is harder and and that the threat and it's easy scare people and it's harder much harder to get them engaged with what they can do and feeling like they can actually make a difference and and I think it's kind of a it's a multi-faceted solution to a multi-faceted problem but basically and I think you sort of have to start off with an outdoor talk about that the governor's so you have to give people roles make them feel empowered and then give them that kind of cognitive map of all the things they can do not overwhelm

them but I found when you use the fear and you have to back it up immediately with the solutions and we making people understand what they can do then I often find that people really taking on water people kind of really run with it especially if they've got wrong they really like that and if it's supported at the top so it kind of all these different things have to come together and then it is as you say I think it's building so you can expect them to change their cultural their behaviors overnight but you'll get them to change one or two and then you build it up and build it up and if you kind of have people in the

organization with the roles doing that then as I've got ideas and rubbish phrase but they become like the change agents and they become the ones where behaviors kind of lead out from another people see them and take them on board while often found and is that sometimes people who are most resistant become the best change agents so when I do training is often at one or two people in the group who are very resistant and usually very resistant to the fear they don't think it really exists and but once you've sort of turned them around give them a role and they will be the ones that will really take it on board and if people see that Jane you used to be very

skeptical you've turned here opinion around you've changed them in here behaviour and will think wow Jane used to think this was revelation now Jane is Batman so I'm going to so it's about social normal thing and but also people who are kind of well respected and sort of important in an organization where max for people with the money and changing their behaviors and in terms of social norms the more importance on when we see into being and the more relevant they seem to be one else some users both want our help this special it comes to getting faster so your usual though you know in terms of educate users if these boot you don't give users without a good

pass with a badge and everyone else in here by so you know there's a bright orange is a new feature do we find out beauty but when you go off within you can like green bar or a red bar yeah yeah so I said that earlier you rank the strength Bob I think it does help and I hear people say that they do respond to that a bit I stupidest is colorful psychology sides like this laying face and I don't think I badge on for everyone else to see there's something that the name yeah for example of the excuse a new feature only people do class work yeah but I would you see a mission you know especially

parenting you hope oh before edging

if I could solve a cosmic problem I would be never inarius a nightmare and when an eBay have a problem while ago a month or whenever it was I went on a few news programs and aunt of our air and I wrote an article for Sunday Times about passwords and it's a nightmare because he put it's a really difficult problem because how are people supposed to and they're supposed to have incredibly complicated passwords for each one and you're not persuaded down and so you're asking people to do something that's really difficult there is no better solution will get said like over 10 years ago the password will soon be dead and it still isn't because there's no

about a solution and as we've talked about in a couple talks today and so it's a huge problem it's not easy to fix but I think why trying to do particularly with the article was explained why so going back to the Leventhal thing and tetanus and so it's about not just kind of sorrowful the woman depends it so getting people I think we often don't join up the dots in this so we love you don't get people to really understand what the problem is and all they hear is you should do this thing that's really hard and really complicated and it's going to take time and mental effort and you're really busy and stress about other stuff so we're

asking a logging and so kind of explaining the hell and the wine and also giving them a simple advice and kind of what they need to do and so really laying it out for them and but passwords are actually doing because it is just a bit of a nightmare and the interviews I gave in particular around you laying around they all wanted to know about hazards and so I was on and radio for talking about it and I was going to be passwords and both of them ended up saying like roll by it's a nightmare isn't it what we want me to say solution and but I think the more we can get people to understand that is there are

serious effects out there that they do apply to them you know they are going to get hacked and why they shouldn't why they don't want people accessing all of their accounts and what I having the same rubbage pass me that every count is a bad idea if you give those people I think we often take the ground to the level of knowledge and waking people will just automatically get that having the same rubbish password for every accountants that as soon as that password to access and lost all your accounts but if nobody's actually explain to someone they'd ever sit and think it through they don't care about this stuff as much as we do and so kind

of making sure you actually explained it and then trying to help people come up with a system or a way of having better passwords why did you like destroying police were using really yeah and again specifics on loans things so people that have respect for him or and people who think that he you know so kind of choosing people that people can relate to so that will impact on so I think that he is cool and I as I to be like him then I am more likely to engage with that morning so we've got Brittany and I can't but one of them got hacked and so she is always talking about it because she

knows that saving demographic she knows it sucks she also knows it demographic and we'll listen to it was they respect her and she's an influential figure to them so the more we can get different people to engage this subject and spread the message about it the better and that's why someone who was in RSA Conference and Miss Teen USA went she had her webcam hacked and I was really disappointed sings as it's like when the security issues are but on Twitter people were going like crazy sort of snogging they're all going and be imagining the security conference and I think that is a really negative thing like we should be encouraging more married people to engage with eggs and

people need to have relevant experience because a bunch of teenage girls in America like suddenly me hiding their webcam because they have seen someone that they aspire to be like Facebook danger

we've got one email one block resting the far corner of them both have two and finish this she's had a hand up for

that's a really great point and then you articulated something that I was sort trying to save for when you want to play too much better than me which was kind of starting off with just changing some behaviors or just getting people from nothing to a bit better it's much more important than trying to get into go back because trying to get the perfect Pillsbury their head in the sand and so yeah I totally agree I think its own that's a really good point I'm kind of get something is better than nothing ask me often we judge us by our standards and monies and help it makes them feel that they don't have any personal I think asleep because they

will never understand the subject in the same way that a professional does and so they kind of look stupid being told to do all these things that they don't even understand and but also will never get them to do it yeah okay thanks Jessica
