
BSidesSF 2019 - Surfing the Motivation Wave to Create Security Behavior Change (Masha Sedova)

BSidesSF 2019 · 30:23 · 103 views · Published 2019-03
About this talk
Security awareness training alone doesn't drive behavior change; employees need motivation. This talk explores how to identify and capitalize on moments of high motivation—both predictable (audits, red team exercises) and unpredictable (security incidents)—to implement hard security initiatives. It presents evidence-based techniques for sustaining engagement through social proof, positive reinforcement, and intrinsic motivators like status, altruism, and achievement.
Original YouTube description
For decades security awareness programs have been based on the assumption that employees don't know the correct course of action and with the right training, they will start performing more securely. However, this approach has not proven to be effective. A second dimension needs to be considered in security behavior change: motivation. This talk will explore how and when to motivate employees to security action. It will also discuss how to "surf" motivation generated by both predictable and unpredictable security events to drive security behavior change in a workforce. Finally, this talk will explain how to measure changes in employees' security behaviors and how practitioners can create meaningful metrics.
Transcript [en]

Okay everyone, we're gonna get started. I'd like to introduce our next speaker. Our next speaker is Masha Sedova, who will be talking about surfing the motivation wave to create security behavior change.

Hey everybody, I hope you're all nice and comfortable; I got you squishy chairs. This is definitely the most unique presentation mode I've ever done. I can't see any of you, and all these slides will be larger than I have ever seen them, so let's see how it all works out. Thank you very much for being here. My name is Masha Sedova, and I get the privilege of telling you a little bit about my favorite professional topic in the world: the intersection of human behavior and security.

I want to just tell you a little bit about the journey I took to get to this particular moment. I actually started in a much more traditional security field: did security forensic work and then was a cyber analyst for the government, and along the way I realized that security, at least in my perspective of it, was a lot of people attacking other people with a bunch of technology in the middle, and what I really wanted to start looking at was the human element of security. In 2012 I started the security engagement team at Salesforce, and got to build up an amazing team that focused on the human elements of security for that organization, specifically around internal best practices for employees, secure development practices and secure coding practices, and also secure feature adoption for our customers, like, hey, please turn on 2FA, it's good for all of us. From there I left, and in January of 2017 started my own company, Elevate Security, which aims at creating a platform that drives security behavior change for employees across an organization. It really leverages a lot of the work that I talk about here, as well as data analytics, to provide every employee of every organization a meaningful and custom journey that really helps shift not just what they know about security but how they behave and what they do. And at the end of the day, the thing that has been true for me in all of these positions is that I'm really obsessed with this question of what does it look like if we as people can get to the place where we want to do security instead of have to. That's a question I'm really passionate about asking and finding answers to and exploring, and this presentation is a journey and a summary of a couple of my findings in the space.

So let's get started. Often in the security world there is one belief that says the employee is the weakest link. There are many different ways of having this presented to us, whether it's, you know, wetware, or it's the problem between the keyboard and the chair, but no matter how you look at it none of these are very flattering, and in fact we don't call them human beings, we don't call them employees, we call them users. This is one perspective, and one that I would actually say is quite prevalent in the security world. There's a second variant that I want to introduce to you, and one that I firmly believe in my core, and that is that our employees and human beings can in fact be your first line of defense. This is an amazing quote by Jesse Erwin that really resonates with me, and honestly the fact that we haven't changed security behavior in our place should in fact be a rallying cry and not a comfortable excuse.

So with that, I want to give you a quick overview around how we're doing things now and why I think it should change. How many of you in your organizations employ security training mostly for compliance's sake? Yeah, two thirds or so from what I can see. So the thing is, most audio-visual training, based on learning studies, has about 15 percent retention, and depending on the report you read we have 90 percent of breaches that are due to human errors, and if you consider patching as a human error then it's probably even more than that. And so we keep introducing the same approach again and again, being that if we tell our people what they should be doing differently, they're going to change their behavior. But one of my favorite illustrations of this is the LastPass survey, where they reached out and surveyed a whole bunch of users and found that even though we know our best practices, we don't in fact choose the right behavior. You may even recognize this in your own life, where knowing what good is doesn't mean you actually do it. We all know that we should exercise and eat lots of vegetables and not drink soda, and yet still we do these things. And so the question doesn't ultimately become "do we know," but ultimately "what is it that we do."

So one of the things that I like to step away from is realizing that if we keep doing this again and again, giving people training, better training, we're going to keep finding ourselves in the same place, and expecting different results is only going to make us all a little bit crazier. So I want to introduce to you all the concept of behavioral science. Behavioral science is essentially the study of how humans make decisions and how we create habits, and my work, and what I want to do here, is how we can bring that study into security, and how you all as security practitioners can start introducing this kind of skill set to your customers, to your employees, to the people that you work with. Because at the end of the day we as human beings have a lot of stuff going on, and while we think we would like employees or our co-workers to be really rational things that we can program and say "don't do this, and if you do this, or else," in fact we're all very human and are full of dynamic decisions. This is probably my favorite cartoon of all time, but it summarizes sort of the human experience and how we can start applying what we know about the human experience to changing security behavior.

So I want to introduce the model of security behavior change components. There are three things required for anybody to do something differently tomorrow than they're doing today: first of all motivation, second of all is the ability, and third is a trigger. I'll give you an example as it relates to running. Let's say I really want to start running regularly. First of all I need to want to start running: either I want to lose weight, or prepare for a marathon, or I have some kind of event coming up. But if I don't care about wanting to go running, it doesn't matter if I have perfectly good shoes, right? That's not going to shift my behavior. The perfectly good shoes comes into number two, ability. I may really care about running, but if I have a broken leg or if I don't have decent running sneakers, I am not able to go running. And the third one is triggers. If I don't have a reminder, something in my day that kicks me in the butt and says it's time to go for a run, either first thing in the morning or after lunch or whatever it is, I need all three of those things in order for me to start creating this habit. Now, all of this ultimately ties together in a really interesting model. This is a model that Dr. BJ Fogg out of Stanford University put out several years ago, and I want to bring your attention to the x and the y axes. Motivation and ability have an inverse relationship to each other: the harder something is to do, the higher the motivation needed in order for you to do it. Now if you reflect back on your own life, that makes a lot of sense. If something's really easy you don't really have to care that much about it to get it done; if something is really hard you really have to care about it. Or the other way around: you might really, really care about it, and so the fact that it is hard to do is something you're able to overcome. And now this blue line is the line of action. If the trigger happens, something that reminds you and says "hey, you should go do this thing," and the right balance of motivation and ability exists in the moment the trigger happens, that action will happen. And if you do not have the right combination of motivation and ability when that trigger happens, you will fail to do so.

So that's a little bit of theory; let's dive into some security specifics. First and foremost, start looking at the x-axis, the ability chart. If and where possible, if you can make something easier to do in your life, in your security posture or otherwise, you should do it, because motivation is a fickle thing, and we're gonna talk about that in a minute. But if you can make an action easier to do, do so, because that means you don't actually have to care that much about it. So let me show you some examples. One of the security behaviors that we often ask of our organizations is for your average employee to have secure passwords for all sites. Now, what is hard to do is to remember 20 unique, 20-character passwords across 40 sites. That's cognitively a very difficult ask, and very few humans I know get to do this without writing them down in their little password notebook. Now, the way that you can do it with greater ease is to suggest installing a password manager. So where possible, using technology or systems or processes that can automate that decision and really take the load off of the individual is a huge, huge step forward. How about reporting suspicious activity? There's a popular trend now in the security education space to install a reporting button in email systems, and often organizations see huge spikes in reporting rates because of that, some valid, some not, but if the goal is reporting then that's what you're seeing. It is hard to ask people to report and then put the load on them to look up the email to send it to and hope that they get it right, and often you'll find that it goes wrong. So if you can make it easy by automating it, please do so. The last thing is tailgating. Having shifted an organizational behavior around tailgating, it is incredibly difficult to ask someone to say "hey, stop, person I don't know behind me, show me your badge." Most people don't think that that's their job; they feel like there's a security team, and there are a lot of social reasons why that's a very difficult ask. It is much easier to install a mantrap or some kind of tailgating device, or even hire a security guard that will do that for you. So where possible, do make these security actions simplified.

But what about the things that are hard to do and you can't simplify them? When I was working at Salesforce and we were focusing on tailgating as the behavior, we didn't actually own any of the buildings we worked in; we worked in 14 of them and they were all leased, so we couldn't install physical devices. And so we had to get people to start confronting each other, and we had to get them to care about doing that, because I couldn't simplify the action. So sometimes motivation is maybe your only choice, and this is an area I want to spend the rest of this talk on.

So let's talk a little bit about how and where motivation occurs. This is a non-scientific graph, as you can see and imagine, but motivation, as I mentioned earlier, is truly a fickle thing, and if you reflect back on your own motivation to do anything, whether it's cook dinner or do laundry, sometimes you really care about doing that, you really are motivated to get up and go do it, and sometimes you couldn't be moved to do it for all the things in the world. So the idea here is, when we do have enough motivation and we are at a high peak, that is a perfect time to ask, well, either ourselves or whoever our audience is, to do a hard action. It is important to realize that this is a fleeting state and should be used and capitalized on to its maximum potential. So have a list in your back pocket of hard things that you can't get your employees to do on a regular basis, and wait for moments of high motivation, either as they happen organically or as you can help generate them.

So the next question is, well, when do high points of motivation occur? These are two examples of ways motivation shows up for organizations as a whole. Now, I think motivation at an individual level can map maybe a little bit differently, but because we're talking about influencing organizational change I wanted to break these down into two categories. First is predictable events. If we have an event coming up for us on the horizon that we know we have to do something for, our motivation to do those behaviors gets higher and higher the closer we get to the event. Outside of the security world this could be preparing for a test, right, or a deadline for an exam; the closer we are to getting up on stage and speaking, the more likely we are to prepare a presentation, for example. So in the security world, what does that look like? Audits, red team exercises that may potentially be predictable. I appreciate that red team exercises have different nuances, but if you knew there was some kind of assessment coming... How many of you have had the experience in your organization that just before an audit things suddenly get patched? Yeah, yeah. Why is that? It's amazing, right? I've actually seen mappings of that: the number of patches goes all the way down and then back up again, and when you look into what happens on the lowest patch times, it's like the day before an auditor comes in. Again, if patching is not automated, if you don't make it easy to do, then you need people to care about doing it, and having interim time points when they care coming around the corner will drive that motivation, and as soon as that event happens it drops down, right.

Now, how about unpredictable events? These are the things that we don't see coming: things like breaches in the news, to either ourselves or people in our industries, incidents, even, again back to red team exercises, ones that you didn't see coming and there was a readout. All of a sudden, when people learn of some kind of activity, they have really high motivation, like "oh man, Equifax just happened, let's make sure it doesn't happen to us, what can we do," right? So the Monday after that hits the news, if you didn't know about it ahead of time, you will organizationally have more momentum to start shifting those behaviors.

So, great, that's nice to know; what do you do about that? One of my favorite quotes: there have probably been a handful of books that I have read along the way that have been incredibly influential in helping me understand these concepts, and one of these is a book called The Power of Habit by Charles Duhigg, and he says in his book, "good leaders seize crises to remake organizational habits." And so taking the opportunity of events like these, predictable or unpredictable, to do hard things is probably one of the greatest superpowers I can offer you. One of the things that I have seen done in an organization that I've worked with in the past: we really wanted to roll out multi-factor authentication across a huge number of parts of the organization, and it was difficult to get emotional and mental and financial buy-in to do that, because it was going to cause a lot of process changes, right, as is natural for any new organization. I don't know that we did this logically, but it ended up working really well: we waited until an incident occurred that got up to an executive level, and the next day the executives came to the security team and said "oh my gosh, how do we prevent this from ever happening?" And we pulled out of our back pocket a well-designed plan that said, great, we would like to roll out multi-factor authentication to all of our users across the organization, and we did it in 40 days across several tens of thousands of employees, which again was a very hard thing to do. So waiting for moments like that, either at a smaller scale for your particular team or department, or at a larger scale for your organization, can be an incredibly powerful move.

So what about the times when you don't have really large-scale breaches coming down the pipe, and you can't predict them? How do you generate motivation? One of the things I've learned along the way is that we as human beings are kind of wired to care about the things that we care about, and rarely do people come out of the womb like "I really care about security, that's my thing," right? If that happens, you're probably in this room. For the rest of the organization, that's not really the thing. But we as human beings care about many different things, and so the goal for us as security practitioners is to tie security to the things that we already care about as human beings. So I may care about recognition and acknowledgement in front of my peers; can I do that through security? Yes. I listed here praise and punishment and money as being less impactful than intrinsic reward, but those are still powerful motivators, and so can you reward people for excellent security behavior? We do a plenty fine job with punishing people for security behavior; I don't think that that's an area we really need to be focused on. But can we tie things like interest, achievement, curiosity to something like security? Another book that's been really influential for me is Drive by Daniel Pink, and he says this really well: people will do things because they matter, they're interesting, and they're part of something more important. So can we tie security to this? Punch line: yes we can.

So one of the things that I wanted to tell you a little bit about is the last thing on the previous slide, that said social acceptance and social belonging. For many of us as human beings, being socially accepted is important, so there's a concept in behavioral science called social proof. This is something that I came across relatively recently in my work, and it again feels like another superpower. Social proof, however, has been around for a long time. There are two different versions that I'm displaying here on this chart, in very fuzzy print, okay. So the first is Kourtney Kardashian, which may not be your version of celebrity social proof, but imagine there are people in the world who look up to her from a beauty perspective and say "oh well, if Kourtney uses it, then I should use that lipstick." Again, someone I respect and admire and look up to is doing this. There's also an element of social proof of "everyone else is doing this, and so there must be something to this; I don't have enough time to judge whether this is good or bad for me, and so if other people have had the time to do that, then their influence is good enough for me."

So what does that look like in the security space? Sauvik Das of Georgia Institute of Technology did a really cool study that he presented at Enigma last year, where he presented these prompts on Facebook login for a subset of users to see if we could drive multi-factor authentication adoption in their usage. So you can see in the control... I don't know, I couldn't do that, okay. You can see that in the control he just said "this is a good security move, please do it," and in the social context he said, you know, X amount of your friends, 180 of your friends, use extra security settings, you should too. And he actually found that in the social context he was able to get 1.36 times more installs than just normal settings. Interestingly enough, he also found that the celebrity proof, like "hey, someone in your network is also using this," could sometimes backfire if it was not a person you respected or whose opinion you liked and trusted: "I don't want to be like that guy, I guess I shouldn't install it too, that seems like a dumb idea." So be careful who you draw analogies to.

So that's one example. A way that this is showing up in my work right now is by showing how people's specific security behaviors relate to their team, to their department, to their organization, to their best in class. So as you can see on the right-hand side here, what we've been doing is pulling in data sets and analytics and showing how every individual compares to their department, and in places where they're doing below average we tell them how many times more likely they are to be compromised based on their own performance, and in places where they're actually great we give them a badge and say "you're actually doing a great job, carry on." And then on the left-hand side we actually call out social influencers, and we go as high up in the organization as makes sense, so "if you're the CEO of this company using it, please install LastPass." We actually found, when we did this company-wide, that for the LastPass rollout we got about 28 percent adoption in 48 hours because of this type of notification. So really explore how we use this to drive motivation. This is interesting because people may not care about security, no matter how much I really want them to, but they do care about belonging.

So what about other types of motivation? If you saw a couple of slides back, which showed punishment and reward, why should we use reward instead of punishment? Why is it more effective? Now I want to share with you a study that Dr. John Gottman did out of Harvard University in the early 90s. He interviewed 700 newlyweds for 15 minutes, and with 94% accuracy he was able to predict which of those couples were going to get divorced in the next five years. And the secret magic ratio that he came up with is that those couples had five positive interactions to every one negative in order to maintain a successful relationship. Now, if you think about organizational departments as having relationships, in order to have a trusting one where you're willing to say "I made a mistake, could you maybe help me clean up my now-infected laptop," or "I need advice, I'm not really sure how to architect this," if you want to build a trusting relationship, and if you have spent the rest of your time saying "you're doing all this wrong," what are the chances that your fellow employees are going to come to you and say "hey, can you help me?" This has also been done as a business study, and there was a study that came out in 2004 that found that the highest performing teams had 5.6 pieces of positive feedback to every one negative; median performing teams had 1.9, so almost two pieces of positive feedback to every one negative; and low-performing teams had a third as many positive pieces of feedback to each other to every one negative, so about one positive to three negatives: they were criticizing each other almost three times as much as they were rewarding each other. And so the idea here is it's not just for the relationships, but it's also for high-performing teams and organizations as a whole.

So then how do you create positive engagements with your employees? These are five categories of motivational types, and I'm going to walk through some examples of what it would look like to roll out positive motivating campaigns to your organization, again ones that drive people's desire to engage with security. So the first thing is status: we really care about getting on top of the board. I find this works really well for executives and for salespeople. There's competition: capture the flag and bug bounties; I really like to compete and I like to win. Altruism: this is an area that I feel like security people really can maximize and say, you know, your work contributes to saving the day, you stopped this attack, you have saved us this much money, or you have saved this much data from being leaked, for example, and your actions have this type of impact; and champion programs are a great category in this. Access: this is one of my favorites to use, things that money can't buy, so because you did this, now you get a lock-picking class, or a parking spot, or lunch with an executive, whatever works for your culture. And then achievement: again, this is not true for every organization or even department, but elements of accomplishment or recognition, emails, thank-you emails to your management, "hey, you reported a phishing email that no one else caught," relaying that to the individual and then the manager seeing it gets you things that money could never buy.

So wrapping this all up, if we look back at the motivation versus ability chart, it's really important to remember that both of those things are really critical to have when we're trying to ask someone to do something differently, and where possible we absolutely should try to make that ask easier for them to do, and understand why our customers, our employees, whoever we work with, are potentially finding blockers and help them unblock those, so making the action easier to do. And in places where we can't make that action easier to do, we really have to focus on motivation: really leveraging the tides of motivational peaks in our organization as the normal process of business takes us, and where there are gaps, generating motivation, tying it to things that we already care about as human beings, can be used to really get someone to show up and take security action. And again, where possible, do balance the number of times we say negative things, and balance it with at least five positive elements of recognition for security action. And with that, I think I probably have like two minutes for questions.

Yeah. So one of the challenges I always have with motivation is, how do you get the company to care about contractors, or parts of the company that generally aren't allowed to access so many of these programs that would, you know, provide a piece of schwag or something?

Yeah. Do you have an example of what you would want a contractor to do?

Any number of security behaviors; all of it, and really comply with all the normal security behaviors, because they generally do the same kinds of work as full-time employees.

Yeah, that's a good point. Contractors are slightly tricky, yeah, they're less resourced. The thing that comes to mind naturally is punishment, like, if you'd like your contract to keep going then you should keep doing that, and that's not great. You could turn it around and find examples where contractors have exhibited excellent postures, whatever that looks like, so completed their training on time, keep their patches up to date, and give that feedback back to their employment organization and say, this is a contractor that has done excellent work, can we give them some kind of security badge or status, so that I as an employer will continue to want to keep hiring those people, and so you are incentivizing their future work based on their past performance. And the secondary thing is, if there is a hiring firm or somewhere that they can have this accreditation held, and it doesn't have to be a formalized accreditation, it could help get them future jobs, which can incentivize that.

I think we're out of time. Thank you, Masha.

Yeah, absolutely. This presentation will be available; I'm around for questions. Thank you, thank you.
