
the besides DC 2017 videos are brought to you by threat quotient introducing the industry's first threat intelligence platform designed to enable threat operations and management and data tribe a new kind of startup studio Co building the next generation of commercial cyber security analytics and big data product companies actually a communication researcher isn't in information security I know just enough about technology to be dangerous and so I'm trying to balance that with my expertise in communication I recently received my masters from University of Maryland with focus on crisis communication and over the summer after we graduated I started writing a blog and continued doing some speaking engagements on this subject really applying theories and perspectives from communication and
issues to issues and information security they heard that but as this eight world I was not a seismic Rochester great a man if you can we got there the man had lightning talks these were quick five minute talks where people would stand up and say something that they were working on their thoughts that they were happening naturally to blinking talks that kind of inspired this and one of them was this really excited and Jenna young man talking about how information security needs to do more to get recommendations across they need to find out how to get the knowledge that they have to the people who need it in an effective way and I thought wait I've
known the benefit and so I actually went about you're gonna get my quick lightning talk and there were a couple of really interesting questions people seem to want to hear more and that madman's kind of thoughts also reminded me of a lot of complaints that I heard from my friends and InfoSec of no one listening to us were nobody taste my recommendations and so I decided to make this talk I've got a blog about it as well because advocacy is a tool from communication that I think can be really useful in the InfoSec space to people who have all different roles it's all about getting people to take the recommendations that give and actually run with them and so
another thing that I want to do is help move information security conversations away from crisis communication and there are a lot of reasons for that there are a couple up here the main thing is that if you're only talking about information security when ever crisis is going on you're building a lot of negative associations people don't feel good when they talk about information security because they're only talking about it when something is going wrong you're not building positive associations with the general public with the people in an organization with anyone at all really they feel bad it's like talking about illness or death we don't feel good when we talk about it so we don't talk about
it so we don't do anything about it another reason that crisis communication isn't the only way we should be talking about information security is that it creates silos and so if you're in an organization the PR communication marketing sales that people do in communication the normal communication is completely cut off from the security operations so the only time they ever have to know anything about security is when things are going wrong and they have to learn on the fly usually they don't and communication goes badly think of the case and it's usually the communication team not knowing anything about information security that screws it out so siloing bad if you have stronger ongoing conversations between security
and communication your crisis communication is going to be better everything's handled better let's all just be friends right so the final reason that crisis communication is insufficient is that what if the bad things never happen a lot of the people that I had kind of talked to you and work with in this space are really tired of fear being the main motivating factor for doing something of about cybersecurity so we scare people to get them to change but what if the bad thing we're saying is going to happen hasn't so we see all these companies go through these major breaches but most of them don't go out of business most of them are still operating today most of them still have
customers and when you're talking about individual consumers and end users yeah pretty much everyone in the United States Social Security numbers out there but what does that actually mean to them none of them probably know probably knows anyone who has had major negative repercussions for having their social security number and PII lost that means that they can create distance they're saying okay well you're telling me to be afraid but I don't know anyone who's experienced a negative outcome from that so it's not going to impact me so I want to move us to a more positive side the conversation tell people how they can gain from being more secure rather than scare them about what they
may lose from being down secure gaming versus potential loss that potentially will never happen so why should you care who here has had and I told you so moment at work where you told someone to do something and they said we don't have the money for it or that's not a priority and then you got to say I told you so later raise the Peanuts who's done that and keep your hands up if that's how good you felt really that's more of a personality test but you know you guys have a lot of recommendations you have the knowledge about what behavior needs to change and I'm hoping to give you guys the tools to actually achieve it so you don't have to
say I told you so because your company is experiencing a breach and is responding really poorly so my advanced stop skill saw SEOs are really popular and in from separate now we see a lot of roundup so these are the soft skills you need to succeed they're conversations about humanizing InfoSec all of them are really popular one of the number one item to see on the list of soft skills for InfoSec is empathy I like the idea of empathy it's putting yourself in other people's shoes the term I like that I found in the dictionary is imaginative projection which is just a fancy way of putting yourself in someone else's shoes but you're trying to understand the feelings
thoughts and experiences that another person without direct input from them and so advocacy using that requires direct application of empathy you have to really think about your other your audience's perspectives and experiences and phears in order to use efficacy so you have to use some soft skills so we're taking it another level beyond just being pathetic to use empathy and then also you have to be a little more than personable sometimes you have to you know release it down and think about how the other person feels and to try and connect with them and that could be a little more of a struggle and it's not as crucial as the empathy and empathy I think can be a little easier so I like
answering questions and why people do things so if you think of it as a problem to solve rather than an interpersonal skill that might make it a little easier if you struggle on the interpersonal things a little bit if you don't connect with people as well think of these questions as problems to be solved and then use research use whatever tools at your disposal to solve them so you're solving the person rather than connecting with them those are kind of two options that hopefully will address most of you all right so efficacy anyone familiar with the term or concept couple shines all right so Erie Webster defines it as the power or ability to produce an effects or
effectiveness which isn't a great definition it's like two steps away from using the actual term in the definition but it gets the point across efficacy is the ability to produce some desired effect and the way we're talking about it today the desired effect is behavior change so that's what we're working with today I want to trace the because that definition wasn't fantastic so we're all get a couple of different disciplines that have used efficacy and talked about how it's kind of done to me talking to you about using advocacy for InfoSec so the first use that I was able to find is as a medical or pharmacological term I don't know why I made myself say that but I did and I
didn't stumble so a medical pharmacological capacity for beneficial change and this is where scientific researchers doctors those sorts of folks are talking about the therapeutic effect of a drug device or procedure I was loosely familiar with this application of the word it's just you know does treatment a solve problem X efficacy there are rates of efficacy and lots of Statistics are there and sort of more technical uses of InfoSec is anything in technology treated with it has an efficacy of 20% with this problem anybody seen it before some purples maybe maybe not well this is sort of where it started and then the concept kind of traveled across campus is how I think of it because
most academic campuses the sciences are way over here and the humanities are way over here complete opposite sides don't talk to each other don't even look at each other but eventually the idea of efficacy travelled from those more scientific and medical departments to the humanities side with a health communication which makes sense you've got the people who are using efficacy to discuss medical treatments and then you've got people in health communication who are trying to then talk to the general public about how to improve health all of those things so health communication and schools of public health kind of broadened over so what are some issues you think health communication has used efficacy for so anytime we're talking
about a public health campaign so get your flu shots stop smoking use condoms get about a tested those are all health campaigns so health communication are those of the people who design between campaigns around health so I listed a couple any other ideas for what health communication uses efficacy to do changing behaviors guess if that's me trying to change any health really a bigger culture change that's a big one too so we've got some cultural changes that relate to health that you know we try and change effort I wonder that I recently saw was actually apparently eating and seafood so like tuna isn't as bad when you're pregnant so the CDC recently released a campaign saying you don't
have to worry as much about mercury we need you to get the omega-3s and the beneficial things from from seafood so you know anything having to do cultural or behavioral change one example that you guys may or may not recognize that I really like does anyone remember these pads with this doctor guy it was about pre-diabetes all right if don't remember where it ran but it's stuck in my brain for some reason when I was doing this and so this commercial is about figuring out if you have pre-diabetes and trying to push you to go to talk to your doctor about it and so the commercial is all about reducing the barrier to the behavior so trying to figure out if you
have pre-diabetes sounds like the job of a doctor it sounds like something that the general person sitting on the couch watching television isn't capable of doing and so they took it to a very simplistic level they made sure that people felt capable of doing the behavior so in this inertial that the guy does is he gives you a list of questions and if you answer yes to the questions he tells you pulled up X number of fingers so anyone in your family have diabetes you hold up a finger there's a chart with different body types it's got numbers underneath so if you have a particular body type you then add two fingers and at the end
of the commercial says okay if you have more than five figures up you need to talk to your doctor here's a link to go find more resources to help you with that station so the advertisement is all about reducing the fear and reducing barriers so that whatever the commercials asking you to do is easy and then gives you more information on how to then act on the knowledge of game so I really like this example I've got a copy of the video in my slides later but it's a good thing to watch you to type in pre-diabetes checklist you can find it it's a good example of using efficacy for a mass communication campaign so the
question with health communication is how do doctors and Public Health Organization's convince people to do the healthy things so health is a major area for either change as I mentioned and therefore it's a big area for advocacy research when it comes to health even if we know the right thing we don't really often do it so out of the audience raised opinions who here doesn't do things that they should alright who does things that they shouldn't do and if you're particularly brave I like to hear why it's hard to do great thank you and that you forget so some people smoke some people drink eat junk food and the science I guarantee this is one don't sleep enough and we
all have justifications for not doing the things we should do or doing the things we shouldn't we all have these internal justifications we know that you shouldn't be doing it or should be sleeping more but you don't because it's fun or it's really hard and so efficacy is about taking down those justifications that's what it's really about is finding out what your audience is justification for their current behavior is and dismantling it or making it seem too costly or making me advise behavior seem really easy whatever you're doing you've got to find out that justification and then take it apart so the one thing that I wanted to not actually before this is one lacks
discipline emergency preparedness and this is where I kind of see the overlap of information security because Preparedness communication is all about getting your audience whoever they are to take actions that will reduce the damage of an eventual crisis you're not necessarily trying to get them to avoid a crisis altogether that's the Holy Grail that's what you would love to do but in reality what you're trying to do is get them to mitigate whatever damage comes about because of a crisis that isn't going to happen and so that's why I wanted to bring that it also frequently overlaps with health communication if there's an epidemic emergency preparedness comes in CDC does a lot of emergency communication and I
know really clark's disciplines anymore when you bring something from emergency from health communication public relations all different ingredients in the soup and so we're going to talk about different types of advocacy and how to actually use them so research has found discovered arbitrarily created however you want to call it two-tire many types of efficacy there are maybe an infinite number I'm going to focus on two very specific ones because they're the ones you see general's common in research and are also the easiest to understand so the first one is self efficacy self efficacy is the perception that you can do the recommended behavior so whatever behavior you want your audience to do self efficacy is their
internal belief that they can actually do the thing so if it's about diet and exercise the self efficacy aspect would be well I've got bad knees Antron that's low self-advocacy so the first one is the internal beliefs of whether that you can perform the recommended action the next one gives the response efficacy that is the perception that whatever action is being recommended will actually solve the problem do you believe changing your diet and exercise will make you healthier do you believe that whatever pill they're recommending or whatever shot they're recommending do you think the flu shot will protect you from the flu that's response efficacy so these are the two key components can I do the thing will
the thing solve my problem those are the two never talking about before you can really manipulate these though you have to know a decent amount about your audience you need to know whether or not they perceive that there's a problem so do they know that whatever issue impacts them do they know that they are at risk for pre-diabetes do they know that they're living an unsecure life so what is the problem and finding out if it actually applies to them the second and most sort of important one is constraint recognition recognition these are those justifications we've talked about why aren't they doing this thing that they should and there are a lot of really common constraints that
you'll see in every issue I have I'm too busy with work I don't have enough money they don't have X resource all of these are really comments so complimentary mission or constraint recognition which do you think is the biggest issue for InfoSec issues which one do you think is going to cause you the most trouble one constraint everybody kind of agree that strain problem of hope you pump yes to both of these for sure are not great but it really does depend on the issue in your audience which is which but constraint recognition is the one that stands out to me just because you can have this laundry list of constraints this laundry list of
justifications of excuses so as soon as you get them to accept that one of those constraints isn't there well they've got another one in their back pocket that they can throw out like okay well I made sure that this works for your budget in their legs okay well now we don't have the staffing and it becomes this sort of card trick of running down their list of constraints so if you need to know do they recognize that there is a problem and do they perceive that there are too many constraints to fix it so I want to touch on this a little bit because I did mention the word manipulate and it can be a bit of a dirty word I know in
public relations and communications and generally really try to stay away from the words persuade manipulate influence because we're very sensitive about being looped in with propaganda but what we're doing here we are influencing people we are persuading people or manipulating hopefully it's more their betterment it's to make them more secure it's to protect them I can trust you guys not to use these powers for evil maybe not that question but the idea is we're manipulating certain aspects of their perception and most of that is because people's risk perception sucks so we're trying to give them a more accurate idea of reality and that requires a little bit of manipulation so I just wanted to address that all right so now that we
know about their problem recognition and their constraint recognition we have done our research we maybe have talked to our audience so if it's an internal audience if it's your executives you can talk to them directly and ask what are your constraints why won't you do these things I'm telling you to do you might however not have direct access to your audience or your audience might lie to you when you ask those questions so do some research do some imaginative projection think of what their constraints are think of why they aren't doing the thing and that's point a you know where they are now what you then need to figure out is where they need to
be to act what is the minimum threshold for action with whatever behavior you're recommending that ideally would come from empirical research but we don't have time for that right now so you're gonna have to again do some guesswork figure out okay how far do I have to move the needle to get them to do something and then you're moving them from where they are to where they need to be hopefully to get some action and so what we're going to do now is go until on that process alright so first off you've got self-efficacy it may be as simple as telling them they can do the thing it might be as simple as just straight-out telling them this is
something that you can accomplish however if their problem recognition is low they might not realize that the problem is there so I see problem acquisition coming in two different forms either they don't see that it is a problem or they don't see that it's their problem and I think for certain executives and end-users in particular that second one is more important they're passing the buck we see that especially when it gets to the level of crisis people pushing it off saying it wasn't my fault it wasn't my job pushing that problem down the chain so what you might be doing is a little more aggressive you might have to say you have to do this
this is your problem you own this problem don't be that aggressive but maybe a little more aggressive so what you're trying to figure out is why don't they perceive the problem is there's that was a little easier because probably they will tell you it's either they don't know I didn't know that was a problem or it's a well someone so in such-and-such its dealing with that and then you just come back and say no no no no no this is yours you own this now it's a puppy you have to take care of it I'm gonna watch you so self-efficacy is really closely tied with a problem recognition they have to recognize there's a problem before they
start to think about whether or not they can solve it it is really as simple as just saying you can do the thing but hopefully you run into issues like that remember at this point you already know a lot about your audience you know where they are in terms of problem recognition and constraint permissions so now you have to remove your perceived constraints and that really depends on your audience and what kind of constraints they're proceeding so the focus with both problem recognition and to a certain extent constraint recognition has been fear and I think what we can really do is move this in a more positive direction rather than trying to scare people about what will happen if they
aren't more secure trying to think of positive feelings that would come from being more secure so maybe you have a competitor and you have a company that you go to and you say okay will your competitor who's basically exactly the same as you experienced this so you're definitely going to experience this issue most likely your organization is missing no no no that won't happen to us we're special and that's really come that's why risk perception is so bad even if your identical twin experiences something there are internal mechanisms in our brain that will make us say I'm special I'm different that's not going to happen to me so fear can be a bit of a crapshoot but if you move in a more
positive direction and for the example that I gave say okay well here's how you get a supply pop on your competitors here's how you look better than everyone else this could be a selling point making a more positive conversation and makes me feel good while you're talking about security that's gonna open up the conversation more and make them more receptive to whatever you're saying instead of saying if you don't do this bad things will happen okay but if I don't think about it that sort of think about the bad things and then the done things will never happen right that's that's how this works so more positive framing I think is a really important key for this that is
missing and I think can be pulled in all right so you are trying to remove whatever constraints they perceived and I've put up a list of the most common ones that kind of Park across all different issues you're gonna run into individual ones for all of your audiences and problems the first one that I think is biggest especially for security is that this is really unfamiliar territory people aren't talking about communica about security on a regular basis it's not something that they run into in their day-to-day lives so it is scary and they want to put it away so there are ways you can make that unfamiliar behavior more familiar that will hopefully remove those constraints one constraint is
commonly I've never done this before or that's not how we do things and so if you can tie whatever you want them to do to something they're already doing that's a really useful way to overcome that common barrier so any dos are really useful here you've gotta be very specific with your anecdotes you don't want to just slap shot them everywhere but if you got specific you know doing this particular behavior is like getting the oil changed every three months or getting your annual checkups that's the language that they're going to understand and it will remind them this is something you don't do one and done it is routine maintenance so time thanks to something
that they already do you guys have the experience so when you're going to come up with much better anecdotes that I will but think of it in that term if you guys who live in this space all the time they are probably hearing about it for the first time and it's scary so tying it to something that they've heard about before will reduce some of those barriers trust why are you recommending the specific thing why this one thing why are you telling me to do this now all of those questions and so the solution I see to this trust is actually showing your work walk them through your reasoning tell them why in the simplest language you can because
like I said it might be brand new but show your work they made you do it in high school and elementary school for a reason we need to know how you got to this answer and when you're doing that with your audience in persuasion it allows them to see if they agree with your reasoning and they can question it and you can have that open conversation so if you're telling them why you made this it'll make me feel a little more empowered and again remove that constraints of not trusting your recommendation finally money this one I don't have a solution for if I did I would be on an island somewhere simple money is the
biggest constraint and the one solution that I see to this is you can't afford to have a reach and that sort of become the narrative of the the money that it takes to recover from a breach or some sort of major incident is way more than the money you would spend to prevent it I have no idea if that's true because like I said I only known about technology to be dangerous so you guys will have to kind of work in your own individual cases to break down the money argument but you know it is it can't be tied into other things it can be tied into trusting the organization one of my friends recently tweeted that our
university you don't pay me enough to use mandatory two-factor authentication
but it was very true of if your end users are the one you're trying to persuade and there's a bad corporate culture they're going to resist anything you try to do because of a cultural thing if they might say this because of money but really it's because they don't like the company so some of these might get tangled up but that's something to keep in mind I just really like that because as a grad student you really get that of like you want me to do another thing with this salary but that's a total different story all right so then you have to prove that whatever you're recommending is the best action and this is one again that I think
inputs neck struggles with a little bit just as kind of an outsider and mark the consumer there are so many recommendations about what the best action to do is to be secure do I need a lot password should I pull them through the dictionary can I'm not use dictionary words do I have to have symbols do I need this do I need that and that's just passwords that doesn't get into anything complicated so trying to convince them that this is the big the best action and why I think is something that the whole community can work out a little bit more but you're going to have your own individual cases so it might be easier and the way you
can do this is statistical evidence if you've got it if the vendor has you know this particular tool prevented this particular problem 20% of the time whatever statistics can be persuasive so use those with you've gotten anecdotes like I said if you are consulting and another client deployed that technology and it work for them use that but the last one is also showing you you have very specific knowledge of their audiences so that can build rapport can build trust it shows that you know what you're doing and it will hopefully break down those you don't know my legs you don't know my choices push backs you got it you can tell them this is your system
and here's how this will improve it that can kind of break down this barrier of why is this best actually it's like okay well I know everything about your system and I keep fists so trust me showing personal knowledge of their situation I think is a really good way to get over this that can kind of stir it around some of the other issues all right so I did want to touch on a couple of specific things with InfoSec that excuse of problem the first is before an incident making the risks real we talked about problem recognition it is an issue people don't realize there is a problem and that is mostly about public awareness communicating the risks with
whoever is in charge in a way that they'll understand there's a lot out there on versus perception I encourage you to look it up if you can't by making the risks real is something that InfoSec have struggle with it's been in the dark for so long that the instinct is to go big when you've been kind of pushed off in a corner as well those are the tech guys they're kind of scary so put them over here and then when you have to say something you have to shove it it has to be big and loud on fire you've gotten so used to that that now that people are paying attention they're like oh you're
here and I need you here so maybe stepping back from those big fear appeals might get you a little more traction because we're developing this perception of Chicken Little of you said all these horrible things would happen and then nothing did so get more positive conversations of here's good things that will happen if you take this behavior next like I said it's linking security behaviors to things that they are do and also avoiding unfamiliar language it's really important when I was in college my brother who works IT for an IT firm so like Inception levels of IT and so he became our friend was IT support and he would walk me through problems on the corner like okay well
taking back three steps and then define what this word is because we're 10 minutes ahead of me and I don't know what the first word you said was so think about the words that your audience isn't going to know don't use them or if you have to use them just find them in advance and I know this is a lot of work on your part so if you want to talk one-on-one how to make it less work for you I'm available because like a lot of this is falling on your shoulders and I understand that's not fair but it's going to be a bigger conversation to get other people actively reaching out to you guys for
help and then overcoming fatalism this is one that we're seeing more and more recently particularly with consumers of I mean Mikey is gone it's gone like me times who cares I can't do anything you keep telling me that I'm gonna be breached no matter what I do so why am I going to spend the money to do anything so overcoming that fatalism I think can come from those more proactive positive framings of okay so you can avoid the crisis but you can sell it to your consumers you can you know how it as part of your reputation that you did this thing or you can get a leg up on your competitors taking it in a more
positive way because they're like I mean and then I know I mentioned crisis communication isn't the ideal place to do this but it's gonna happen so you want to know a little bit about how to use this in a crisis so during an incident you're really trying to highlight protective powders you're truly really trying to say this thing that I'm telling you to do will mitigate the damage you're focusing on the mitigating damage at this point not preventing risk because the risk has already happened using again statistics and anecdotes to prove the response advocacy so showing them how things will be better if they do the things showing that that response will actually work and then small digestible actions when
things are going poorly you really have to break it down into tiny little steps, because their brains are already moving at a thousand miles a minute; they've got 18 well that they need to be talking to all at once, so the smallest step can be very important. And then finally, throughout all of this, is embracing uncertainty. As far as I know there is no silver bullet in information security; there's no one solution that's going to fix all of your problems, so you're gonna have to incorporate "X Emily, this is probably going to work for you," and then be prepared for when it doesn't, and being honest with them. You know, a lot of
times you want to go in and say, "this is definitely going to work, this is going to fix all of your problems." That can get some pushback, because people know that that's not reality. So embracing uncertainty and showing people that, you know, "to the best of my knowledge this will work, however things go awry," will actually build trust. We trust people when they admit their faults, so if you go into a company or an audience or whoever you're talking to and admit that not everything is going to be perfect, they'll trust what you say down the line more than if you came in and said, "I am perfect, this is perfect, we're going to
be perfect, let's go." People are a little sketchy with that. Okay, so we're in a sense going to get this and go straight to this: this is my overview, and now I'm going to take the last five or so minutes for questions if you have any. They are very, they want, it's not your job, yeah. So that's definitely a constraint or a barrier. So he was asking about pride, when you go into someone and they want to be the smartest person, and that's a really difficult one. And actually my recommendation might be, if you've got a comms person that you know or who works in your company, try to talk to them and see if they can help you with your
presentation, because we've spent a lot of time in public relations trying to figure out how to protect the return on investment for an intangible thing, and that's something InfoSec struggles with as well. But we also have to deal with a lot of executive staing, I think, communicate, yeah. And so what I'm talking about is the communication and interpersonal skills. They might be able to help you if you go to them and say, "all right, I got this guy, this guy Joe, whoever," and they're like, "oh, hi Joe, let me work with you." So they might have those interpersonal skills, but a lot of it is also trying to kind of get them to come up with the
because that's a very personal thing, and you're never going to convince everyone, so it does come down to probably the hardest one to overcome. So thank you, but it is something where it is very personal, so if you can find something to connect you and something that can make them feel even more prideful, so you can find a way to frame your recommendation in a way that will give them more pride, that's probably the best way.
So are you asking how do we get them to be more intellectually curious? That's a tough one, because again it is a very personal thing, but it can be put in terms of empowerment. So if you put it in terms of "well, I can tell you how to do this, but if I show you how to do it you can then show your friends, or you can protect yourself when I'm not around," so putting it in terms of empowerment, making them feel safer in an ongoing manner, or making them feel smarter or prideful, all of those things I think is a good way to kind of encourage that intellectual curiosity of saying, "okay,
well, I'm going to teach you and then you go teach your friends and show them how smart you are," those sort of personal quirks that everybody has. May be nice that is question exactly, yeah, if you can get some of the things, they're all their idea, you were golden. So it does really come down to, okay, how do I hack his brain so they came away thinking he came up with this idea first. All right, anything else? Yep. It really depends. We see fear used fairly commonly with public health campaigns, so actually I wrote a blog about fear appeals, and so seatbelt advertisements majorly use fear appeals, drunk driving hugely uses it as well, FEMA uses it as well, which there's
"get a kit, make a plan, be prepared" campaigns. They'll show a house completely in shambles and say, "now is not the time to have a plan." I don't know any specific cases for InfoSec, but they might exist, but usually it's "there is one hundred percent chance that catastrophic incident will happen," that's what fear might happen why don't see if you haven't end up wait a little bit more vigorous. All right, cool, so thank you guys so much for your time. I'm gonna be around all weekend, I'm on Twitter, I have a blog, business card, love talking about this, so thank you guys so much for your attention. [Applause]