
The Art and Science of Herding Cats: How to Keep Users from Clicking Stuff

BSides Knoxville · 2018 · 40:23 · 25 views · Published 2019-04
About this talk
John Helt draws parallels between cat behavior and user security awareness, arguing that positive reinforcement, removing friction from reporting, and limiting harm beat scolding. The talk reframes security training from punitive compliance to collaborative habit-building, with practical tactics including phishing simulations with immediate feedback, gamification, and public recognition of safe behaviors.
Recorded for Knoxville's 4th annual BSides on May 18th, 2018.
Transcript [en]

oh well no audio but how many of you remember that Super Bowl commercial from 2000 right or we can talk about the Millennials that he was talking about earlier that he hired that you know that's at this point they were still in grade school they couldn't stay up to watch the Super Bowl commercials all right a little bit about me first of all I'm not a psychologist I don't play one on TV I'm not gonna pretend to be one here but we are going to talk about some psychological things not an animal behavioral specialist though we will be talking about some of that as well I do consider myself a self-proclaimed hacker since the time that I had my TI 99 for a

with a 300 baud modem and you know doing dial pulse strings because we wouldn't pay for touch-tone phone in the house fun things like that I spent many years at hewlett-packard as a field engineer traveling all over this part of the country East Tennessee Southwest Virginia southeast Kentucky visiting customers doing hardware support network support installations a lot of things like that currently working as a security architect for Scripps Networks what now discovery used to be Scripps Networks get to work with a lot of our users do security education their awareness I'm also on the faculty with the University of Phoenix so I get to teach information security courses cyber security courses networking courses with them helped to work on course

development and I'm really passionate about security awareness several years ago I got to hear Jason Street speak at DEFCON in their social engineering village and one thing he said really jumped out at me he said at the end of the day people don't care about your security awareness training they don't care right they've got a job to do their job is to do X Y Z they're there at work to do that job to get that done so they can go home and do the things they really do care about when you take two hours out of their day to make them sit in the security awareness training that's just two hours that they can't be

doing the things that they're important are important to them and so one of the things that he recommended was maybe we might want to change our security awareness training or maybe do some things to make people aware of the things that they can do to protect their personal data or their family's data or or their social engineering profiles and then that would be something they'd be interested in and they might be able to then take those behaviors and transfer those into the workplace and so I started to do some of that over the last couple years in our company I mean have really had some success I've had the opportunity to share some of those with local library systems and

some other folks in East Tennessee to really help to spread security awareness among non security professionals and among non IT professionals and and that's been fun I'm also involved in the East Tennessee is c-squared charter chapter how many of you have heard of that so far okay if you haven't checked with the the check-in desks they're supposed to have information about it Charles Headley is around here somewhere he's the is c-squared East Tennessee charter chapter membership coordinator we've got us a charter chapter we can't call ourselves a chapter yet because we're still getting all of that going so right now if you're involved with is c-squared at all if you're is c-squared certified come see us get your name down

on so we can get you involved in the in the Charter chapter once we've met the requirements over the next several months we'll be able to open it up and anybody will be able to be involved and it should be able to to help to expand our security community in East Tennessee so that's enough about me because you don't didn't come here to hear about me let's talk about what I'm gonna be talking about and let me give you a little bit of background I've got a son and a daughter who are in high school my son wants to become a vet and he's very excited and passionate about that he's my academic my daughter is my social

butterfly she goes to school to spend time with her friend and if she happens to learn something you know that's that's gravy she does work hard at her learning but you know she comes at it from a completely different perspective and they've been bugging us for pets for years and we tried to do the the fish and it didn't work and we did some gerbils and it didn't work and my wife had had cats before we got married but her allergies just got worse and worse and and I have allergies to them and when the kids were born we found it so we visited people they had allergies so this was really something that was not gonna be part of

the equation for us and over the years the kids have asked me what a puppy we want a cat and we tried a puppy breed that was supposed to be non allergenic and it didn't work for us and this past year my daughter said you know I've heard there are some breeds of cats that don't produce as many allergens and and maybe we could look into some of that and I heard from some other people who actually have some some cats that do that that it might actually be an option so I told her okay well you do some research and let me know what you find out well she emailed me a 12 page paper

about the breeds of cats that wouldn't produce allergens and the things you could do to help fight the allergies and all this to make it work and I was really excited right but I'm a college instructor so the first thing I did was scanned or paper for plagiarism and surely she just copied this from somewhere right no she'd actually put the effort into it and as my social butterfly my non-academic person I really saw the value in that and that I said I have to reward this behavior we're gonna be talking about rewarding behavior throughout here I have to reward this behavior so we started to look into it the long and the short of it is a few

months ago we adopted LC and Athena three month old female Siamese cats and I will say that so far they're working well with our allergy issues right now so as that happened that kind of changed our lives a little bit we're having to deal with all the issues that you have with three four month old kittens right and how you adapt them to your family and try to get them to adapt to the things they should be doing and as I've been doing security awareness I to draw some parallels with the things that we're having to do to get the kittens to behave in a specific way and the things we want to do to get our

users to behave in a specific way and that's kind of where the foundation of this talk came from I kind of threw it out there as a fun topic and I was really surprised they accepted it so I hope you all enjoy it let's get started our goal is to modify behavior and to do that you have to initially start talking about attitude right attitude is important if you go into it with a bad attitude things aren't going to work if you're trying to to modify the behavior of somebody that already is having an attitude you know you're gonna have some some issues so you have to take into account the attitude of the target and

what perspective they're coming from and and take that into account I'll give you an example again I was a field engineer with HP I was responding to a lot of people that had stuff that was broken right by the time they called me they were already aggravated one of my customers up in Johnson City was American water heater group and I got to work with them over several months with an ongoing issue with HP DDS for tape drives that were failing on a frequent like once a week basis and you know they'd get ready to do their their afternoon tape processing and backups and things like that and the tape drive would fail regularly I got another call

from that you know tape drives failed again you've got a half an hour window to get our this replaced we can take an outage right before that before we have to start all our backup jobs to get in there they came in to with with a bit of an attitude because they had an issue I was able to come into it with a bit of an attitude as well I was able to go okay American water heater group is about two miles from Greg's pizza so I'm gonna go I'm gonna call in an order how many of you are from tri-cities are familiar with Greg's pizza in Johnson City all right awesome place if you've

never tried it and you get to Johnson City give it a try you can't eat there you have to take it out somewhere but it's very good so I stopped at Greg's Pizza had already called ahead the order so I brought in a stack of pizzas so the IT staff was was enjoying the pizza and and we could get that going and eventually HP figured out their parts problems and and got the issuer's but you have to deal with the attitude in order to modify behavior so what kinds of behavior are we looking at or what would we want to do we're wanting to reduce or eliminate undesired behavior right in this case you know in

the case of your cats this is one of the behaviors you want to eliminate that destruction of everything coming and going from natural things that they want to do what are some of the user behaviors that we want to get rid of yeah obviously clicking on links or opening attachments in emails picking up that USB stick that they found wherever and plugging it in you know downloading installing software circumventing your security controls what are some of the other behaviors that your users have feel free to shout out that you might want to change there you want to stop yeah letting people in buying that laptop at the yard sale and bringing it in and plugging it into their desk so

they can figure out if they got it work don't you hate it when your your IT admins do that and then they go well I'm gonna get on the network with my administrative credentials yeah so we want to try to work on modifying behavior and of course we initially respond negatively right don't do that well before before we go there let's talk a little bit about operant conditioning there are a lot of different ways that we can modify behavior and here's where some of the psychology stuff comes into it they call it operant conditioning one of the first ways is positive reinforcement I'm sorry that's so small the positive reinforcement is where you give something good when good behavior is

it's a reward type thing right positive reinforcement in the case you see there so the jog is not jumping up on her so she gives the dog a treat passive dog and had that positive reinforcement type thing the next one we have is negative punishment negative punishment you're taking away something good in order to change the behavior so the dog jumps up on them and and they turn away they take away that they're not gonna pay the dog attention anymore this is one I use a lot with the cats they've learned that when my alarm goes off and morning they can jump up on the bed and they'll get a little bit of petting before I have to get up and take a

shower and what-have-you but they can't tell time and they may not necessarily hear the alarm but they may think it's it's got to be time right they'll jump up on the bed is it time to get petted you know if I roll over the other way and ignore them they've learnt no you know it's not time yet and so that's that negative negative punishment where you're taking something away then you have positive punishment where you're adding something when the negative behavior has so you know the dog jumps up on you you may be you know BOP it on the nose or the classic with the cat set water bottle right you know so that's a

negative punishment where you're providing some sight some type of a feedback to reduce negative behavior and finally negative reinforcement where you're taking away something bad in order to stop behavior so the dog starts jumping up on you and you're pushing them down and then when they stop dumping you or stop jumping you stop pushing that's negative reinforcement we often times will err on the side of negative reinforcement or punishment when it comes to security controls and when it comes to modifying user behavior right has anyone seen the the bad human bobble so we can deal with our users so what are some of the things that we do that are providing those types of feedbacks right you get the user pop-ups

that say hey you shouldn't do that or we're blocking certain activities or or when users start to do something repeatedly you know what we're gonna take away their privileges your machine has been infected three times so you don't get to be a local admin anymore we're reacting to that and making it look like we think our users are bad giving them that negative feedback again leading with negative reinforcement rather than positive reinforcement and users can see the attitude that communicates with that there may be times when we have to isolate their system and they can't do their job are we communicating that you know this is being done for a reason to protect the network or are we communicating hey

you're bad you did something bad again and you know now we're smacking you on the hand are the times when we have to call the users how often are we interacting with the users in a way that's positive or how often are we communicating to them idiot what are you doing even if we're not actually saying the words we're setting ourselves up for failure and it's not gonna work so what are our options well we can look more on the positive reinforcement side where we try to reward the behavior or we try to redirect behavior in a positive way again I'll give an example with the cats one of our cats Athena likes to burrow she likes to dig in

among covers and things like that so in the middle of the night if you're sleeping and she hops up on the bed she may try to crawl in between the the comforter in the blanket or the blanket and the sheet between my wife and I and then get that's no way to get a good night's sleep you know in the first couple times get out of there don't do that that doesn't work what we found is we were able to very positively take her out put a little blanket at the foot of the bed set her down there and cover her up with that blanket she's got the same effect she's in there with us she's now got her

little comfortable area under the covers it changed the behavior so it's not doing the bad thing anymore and it's meeting both of the needs so you have to kind of look for those examples as you're having your user interactions and the ways that you can do that but again you have to have the right attitude about it and people can perceive attitude cats are smart they'll be able to tell how you're interacting with them and the attitude that you have along with it Smithsonian did a recent study they published it in 2014 about how smart cats are and at the end of the study they found that they said all we can tell you is cats are smart we can't tell

you how smart because their individual individuality becomes such a factor in it you can't really evaluate intelligence you know with dogs you train them to do something you tell them to do something they do it with cats you tell them to do something and they may choose to they may not there's no way to evaluate if it was because they just didn't understand what you didn't want or they didn't care right because because they're individuals right our users are the same way our users have other priorities our users are intelligent our users are not stupid right and and they're gonna have other priorities so you know we may be telling them constantly you need to do this you

need to do this you may need to do this of it and they've got other things that are factors in that that we're not considering it's not because they're stupid it's just because of the other factors that are part of the equation how many of you show of hands how many of you have fallen into this this trap here right where you talk about the the pencak error problem exists between chair and computer or the ID 10 t stuff right we've all done it we've all fallen into that trap of evaluating our users and our people that we're supporting through that filter of well they should know this stuff I mean we know this stuff they should know this stuff well

maybe they shouldn't or maybe we shouldn't have those expectations or maybe we should stop with these type of perceptions that end up communicating more than we expect even when we're not saying that directly to their face it's important our users aren't morons they're not idiots are not dumb they're not stupid than are clueless all right they're trying to do the things that they're trying to do to get their job done and it's our job to support them and to do it in a positive manner the other thing that's part of the factor is that shame and embarrassment are not effective motivator so that's been proven psychologically time and time again you can read various different things

there's a reference in here because you know a college teacher you've got a reference in sight everything in those references with you but it's not an effective deterrent here's an example intermedia they're a business cloud provider did a survey last year a thousand office workers and in the survey they they asked them about different things and one of the things that they found out was 59% of the employees who were hit by ransomware paid the ransom out of their own pockets rather than contacting their IT departments or their security departments let that sink in for just a minute we're talking about payments $300,000 a pop that these users are paying because they're too afraid of

being shamed by their security department or by their IT department or possibly losing their job or other things like that what type of negative reinforcement have we done what security posture does this put your environment in if users are going to do that type of thing when they've got ransomware instead of letting people know so that they can intercept it and this could spread through your environments and who knows what else is left on their computers after they've they've maybe paid and yeah we've here's the key to unencrypted it and we're not going to get you again you don't know but we've set up a culture in an environment where our users are afraid to report you know if they called in are

they gonna get a positive response or is that helpdesk person why did you do that is a security to person gonna say why would you click the link you know there is no prints there that's gonna give you money if you click it's how often are we responding positively I had the opportunity to listen to start up security weekly back in August of last year and Ronnie Feldman was on there and he does he works for Learning and entertainment and he does security training and he does it from an improv standpoint and if you ever get a chance to listen to again it was start-up security weekly in August you can look for Ronnie Feldman or what have you but

it's from an improv perspective are you familiar with improv how many of you watched whose line is it anyway who can tell me what the main key of improv is there's one small phrase that's the main key of all improv yes and that's exactly it I've got it up on the screen duh uh I'm like where is it that's supposed to be on my next slide yeah yes and when we can start to put our our training and our security awareness and even our interactions with our users into that yes and posture we can change the equation so a user says well I need to be able to install software don't you yes you do need to be

able to do your job and we need to be able to secure the environment so let's work with you to try to come up with something that works together so that we can meet your requirements and the security reports instead of no you can't answer why would you want to install software it's a completely different attitude a completely different perspective and our goal is to be able to develop habits right and to be able to develop positive habits change bad habits or develop positive before things become bad habits so we're gonna give you another example cats scratch stuff right they do we just know that why it's normal it's an instinctual behavior they do it to remove the dead

outer layers of their claws they can't chew their nails it's like we can or they're true so they do it to remove that the the claws they do it to mark their territory they do it to stretch and flex variety of different reasons so how do we deal with that well I mean we provide alternatives right you get them a scratching post you have to make sure that you can provide alternatives that work for them and that work for you you know that might work well for your cat and yourself or you you might need to go to something a little bit more extreme we've settled for something in the middle right now though it keeps getting

bigger and more every time my wife goes shopping I brought home some more cat toys okay but yeah you have to figure out the solution that's gonna work for them and it's gonna work for you that's gonna change the behavior and you have to make it fun again have that positive reinforcement that way of working with them to make sure that it's an incentive to do the positive thing so then when they come over to the couch and they reach up their claws you can be there and grab them move them over to the the scratching post let them know and then when they've done that or when they're on that you reinforce it yes that's very

good you know you you give them that reinforcement you also want to limit their ability to do harm so you know if you have that super nice expensive couch that the minute they think their claws into it they're gonna leave things there you know you might want to hang a little bit of aluminum foil there or something to limit their ability to do harm so it get a little bit of feedback or you if you've gotten you in the nice vase that's sitting on a stand and they they might want to use that stand to scratch on you take the vase and move it until you can change the behavior you want to limit their ability to do harm also to

harm themselves um I never thought I was gonna have to with two kids in high school go back out and find child locks for cabinets right by the way if any of you have gone through that and your needing to find child locks now you can't get him at Lowe's and Home Depot anymore they stopped carrying them I had to go to Target to get child locks but I had to put child locks on the cabinets because we got chemicals and other things in there the cats quickly figured out how to open the cabinet doors and you know where there were things in there that can do them huh so while we're trying to train them not to get in there we had to

be able to put controls in place to limit their ability to harm themselves or harm some of the other things around you want to be able to remove that access or limit access to too sensitive or harmful areas and you've got to be able to provide constant reinforcement right it's got to be consistent you can't have it so that you you I'm working on the computer the cats over there scratching on the couch I'm just gonna ignore it because I'm working on the computer you've got to be able to provide constant reinforcement all the time in order to modify behavior whether you otherwise you've got an inconsistent message and remember that scolding only works if you catch them in the act so if

you're gone for the day and you come home and the couch is scratched up you can't take the cat over there and say look at what you did it doesn't work they they don't associate that one now even though our users and people are more intelligent and they can make those associations better they've got better memory for being able to do that it's still ineffective for our users so let's take the same things we just talked about and translate them in for modifying user behaviors people click stuff they just do right why why do you do click things well it might be habit that's what they do all day long right they get there they click this they

click that they're used to maybe having a having to click through on an air on air or click through on a License Agreement they click things it's a tit they might open emails because why they're they might be important I might miss something that's important I don't care that it went to quarantine it's got something in there that looks urgent so I'm gonna take it back out and look at it right or they might be coming from the perception that nothing bad will happen surely opening this email can't cause me any problems or clicking that link because we've got a security department and they're protecting us right so it may be that perception that nothing

can happen or maybe even we're encouraging it okay how many of us tell our users all the time do not open attachments especially if they come from people you don't do not click on links in email even if it does come from somebody you know because you know who knows they might have you know given away their password and their accounts been compromised and now you've got a phishing mail that's going out internally from internal users to internal users and I mean it happens right so we tell our users that how many of you tell your users don't click on links in emails and right and then next thing you know they get a message from

HR that says oh we're gonna be doing the company picnic click here to be able to sign up or they get a message from from you know some other thing we're gonna be doing a survey you're going to be getting a message from SurveyMonkey you need to be able to click the link or or we don't have the processes and standards in place that say this is what we're gonna do we're not gonna click on links in emails and we're going to empower all these other other parts of the organization to be able to not do that we have inconsistent messages and it confuses our users so part of that is our education programs right and I'm

gonna step on some toes here how many of you tell tell users you know security is everybody's responsibility you have messages like that we have posters in that security is not everyone's responsibility at the end of the day it's just not I'm probably gonna step on some toes I'm probably gonna make some people mad you can disagree with me afterwards um there are some behaviors we want them to do but at the end of the day our users aren't really the ones that are responsible to first security that's why we bring in security professionals right you know after the the Equifax breach you didn't see the the users that develop the the code get fired you didn't see the the people that

weren't you know necessarily consistent on their patches getting fired you saw the c-level person that took the responsibility for you know they're the people that are responsible and your security people are responsible for making sure that our users know what to do we can't necessarily always go into it say our users should know all the security stuff that we know and they just they should know it because that's our job we need to be able to give them the pieces that they should know and and not much more and that's really where the education comes in being able to treat education that's something that that is effective for our users and not just a checkbox you know you have that annual

security education that your company puts together it's a two-hour video that they have to watch or they bring in somebody that's gonna lecture them for two hours about all the different things that they have to do so now they take that time out of their schedule they come they sit right here they listen to it and maybe 5% of it is applicable to their job and the whole time that they're sitting there they're going really I've got to sit and listen to this again I don't need this all I do is mop floors or you know whatever so we need to be able to make sure that our security training isn't one-size-fits-all though we can

customize it and that we can keep it simple so that our users understand the specific things that we want them to do and that we'll be able to empower them to do their jobs and do it safely and make it specific so you don't have that same big two-hour training for everybody you have training that's specific to the people in specific roles so when you have facilities staff that you know are doing maintenance and doing they do one or two applications you don't need to have them sit and listen to 15 minutes about business email compromised they're not gonna get that email that says hey send me w-2s and even if they do they'll go huh I don't have access to

that. So make your security training simple, make it short, make it frequent, so that users get the points they need and can understand what they need to get out of it and be able to respond there. One way that we see that a lot is with phishing simulations: do you phish your users, send out simulations? They can be very effective as long as you use them properly, and we'll talk about some of that in a minute. Or you may have tabletop exercises. Do you want to do an exercise with certain portions of your organization? Be able to structure those so they know what their role is and how they can interact. But again, don't bring people into the room that are gonna be involved in these things, that are gonna have to sit there for however many hours it's gonna be, and they've got one thing: yeah, I'm gonna have to talk to the media. Okay, it's not going to be effective.

So again, we want to have alternate behaviors, right? You got that scratching post for the cat. So what are some of the alternate behaviors you might want to have for your users that click things? Well, let's take reporting phishing for an example. You want to make that easy. If you tell your users, all right, if you get a suspicious email message you need to forward it to, you know, this big long email address that they've got to type in, and then they forward it to you, and then you call them and say no, I can't do anything, I don't have email headers, you've got to open up a new message to me, now you gotta take that message, drag it in... they don't know that. Make it easy. Figure out a way to have an easy button. Now a lot of companies have plugins, and you can do one in Outlook where they can just click something and they can get that to you, and they can get it to you quickly. You got to make the positive behavior easy, and then be able to give them immediate reinforcement, so that when you do your phishing simulations and they report it, because that's the behavior you want, right? That's that positive behavior you want; you want to make sure they report if it's suspicious. Do you get them that immediate positive reinforcement? Yes, that was great. You know, have some Outlook rules or whatever going so that the minute they report that, or within a couple minutes, they get a response back: yes, you identified something that could have been bad and you reported it and we appreciate it. Or when they do report things that are outside of your simulations that are real threats, or even if it's just spam, that you give them that feedback in a fairly rapid manner so they know, yeah, this is the behavior we want to do, this is the things we may not necessarily want to do. But if they just have this button that sends it away somewhere and they never get any feedback, you know, you might be able to use that to harden your controls or do other things, but you're not gonna change the behavior. You've got to be able to give the feedback back to the users in order to change behavior.

And you may want to gamify it a little bit, right? Where'd it go? Come on, there we go. You might want to gamify it: you get statistics back and say our ad sales department is great, they've had a 60% reporting rate on our last phishing exercise, you know, you can say hey, next time you guys might want to measure up to that. You might not necessarily want to communicate that your facilities department had a 12% reporting rate, or that, you know, they had an 80% click rate. But, you know, make it competitive, because people love to compete. Have some way of rewarding the positive behavior: recognition, status. Public recognition works really well. You see here one of the things that we've done recently: for our phishing simulations we give out some little things, and we have the little... I mean, we got them cheap, Oriental Trading Company, but we give them out with a little certificate on them. You can't see the certificate there, and they say... we give the little ones out to the people who are the first ones to report a simulation. So every simulation, the first one to report it will get a little fishy, right? Anybody want a fishy? All right. But for people that are reporting threats every month, we give out a little bigger one with a little bigger certificate on it that says, you know, this is the person that reported the most real threats in the month of whatever, and we'll get a picture with them. And this guy had some fun with it, so we've played it up a little bit, but we get a picture with them and we share that with the company: these people are the people that are doing the positive things we want here, right? And that way other people in the organization know that there's that positive thing. We don't communicate that, you know, well, this person clicked on it or this department did poorly. That's not going to get the behavior changes that you want to have.
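As an added example (not the speaker's code or tooling), here is a small Python sketch of the reporting loop described above: an immediate acknowledgement for each report, per-department reporting rates, the first reporter who earns the fishy, and a company-wide message that names only the leaders and never the low rates. Department names, users and numbers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ReportEvent:
    user: str
    department: str
    simulation_id: str  # which phishing simulation the report belongs to
    reported_at: int    # minutes after the simulation mail went out
    clicked: bool       # kept for the security team's own metrics; never published below


# Constructed sample data (hypothetical names and figures): one simulation,
# "sim-07", sent to ten recipients across two departments.
RECIPIENTS = {
    "ad_sales": ["ann", "bob", "cy", "dee", "eve"],
    "facilities": ["fay", "gus", "hal", "ivy", "jo"],
}
REPORTS = [
    ReportEvent("cy", "ad_sales", "sim-07", 4, False),
    ReportEvent("ann", "ad_sales", "sim-07", 9, False),
    ReportEvent("eve", "ad_sales", "sim-07", 30, True),
    ReportEvent("gus", "facilities", "sim-07", 12, False),
]


def acknowledgement(event: ReportEvent) -> str:
    """Immediate positive feedback to the reporter (what an Outlook rule would send)."""
    return (f"Thanks {event.user}: you identified a suspicious message "
            f"and reported it. We appreciate it.")


def reporting_rate(simulation_id: str, reports, recipients) -> dict:
    """Share of each department's recipients who reported the simulation."""
    reporters = defaultdict(set)
    for r in reports:
        if r.simulation_id == simulation_id:
            reporters[r.department].add(r.user)
    return {dept: len(reporters[dept]) / len(users) for dept, users in recipients.items()}


def first_reporter(simulation_id: str, reports):
    """The earliest reporter of this simulation, who gets the little fishy."""
    sim = [r for r in reports if r.simulation_id == simulation_id]
    return min(sim, key=lambda r: r.reported_at).user if sim else None


def public_recognition(simulation_id: str, reports, recipients) -> str:
    """Company-wide message: names the best department and the first reporter only."""
    rates = reporting_rate(simulation_id, reports, recipients)
    best_dept, best_rate = max(rates.items(), key=lambda kv: kv[1])
    first = first_reporter(simulation_id, reports)
    return (f"{best_dept} led {simulation_id} with a {best_rate:.0%} reporting rate; "
            f"{first} was first to report. Can your team measure up next time?")
```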

You want to limit the ability to do harm, right? That's the same thing that we were talking about, um, the child locks. This is where it comes down to the classic cyber hygiene: your CIS Top 20, your least privilege, your multi-factor, all those things that you know you should be doing to secure your environment. You need to make sure you're still doing those. You need to make sure that you can limit the ability that our users have to shoot themselves in the foot, because again, you're the security professional at the end of the day, or you're the IT professional, so limiting that ability to do harm is critical.

And constant reinforcement, right? So we're not just having that once-a-year security training and okay, go here and watch the thing and check the checkbox at the end. People... that you have ways of being able to communicate simply and effectively and frequently, so the users know that those messages are at the top of their mind all the time. And again, remember that scolding only works if you catch them in the act, and even then it's not very effective. You've got to keep it positive. You've got to make sure that you're not shaming people. If you're shaming your users, they're not going to come to you, so when they have that security event, the likelihood of them actually reporting it properly is fairly low. You know, at the end of the day, what do you want? The user is gonna click the link in the phishing mail, right? They're going to give away their credentials at some point in time. How many incidents have you done and investigated when you finally get down to it and you get to the user that clicked and you say, what happened? Well, I got the email, and the minute I clicked it I realized there was something wrong. How many of you hear that message when you actually get to... you know, they know, right? The minute you click it, you know. Well, why didn't you report it? Well, I was afraid of what you were gonna say, or I wasn't sure. You know, let's change that equation, so that people know when they report, we... you know, that's a good thing. We understand that mistakes are gonna happen, right? But make sure that they know that they can come to us and they can report it, and we're not going to shame them, we're not going to throw them... in fact, we may even take the opposite thing. So we may talk to them after the fact and say, you know, in this security incident you came to us and you reported it and it's great; can we use you as an example and maybe tell the rest of the company? Yeah, we had a mistake happen and somebody clicked the link, and it happens, and they came to us, and because they came to us, and they came to us quickly, they called the helpdesk, they knew what to do, and we were able to go and find it, and we were able to respond, and we were able to quickly block those sites, we were able to quickly take that machine off the network, and because of that we could have saved ourselves millions of dollars in potential damage, because the user recognized a mistake and reported it to us. If we can have that positive perspective, we can change behavior.

Keep the goal in mind, right? When you own a pet, in this particular case we're talking about cats, there's gonna be a certain amount of unpredictability, right? Uncertainty. You can't predict what they're gonna do; they have a mind of their own. You have to take that into account, and that's part of the fun, right? Remember that in our companies it's all about business. At the end of the day they have to be able to do business. It's not always going to be predictable, and people are gonna make decisions based on other factors as well, things outside of security. You just have to balance all that and keep a positive attitude about it. Does it work? Well, much of the time it does work. Be adaptable, be able to respond to those times when it doesn't, because it's not always perfect.

All right, questions, comments, snide remarks and references? Go ahead.

100%. I don't see any reason that anybody should be exempted from your phishing exercises, and I've battled this over and over and over again. You know, well, we can't send those to our executives. Okay, so let's make sure we post a notice on our website that says our executives are exempt from phishing emails; please, bad guys, don't send them to them. If a user can receive a message from an outside source that they can potentially click on, or that can potentially cause them problems, they need to be part of your phishing exercises. They can be, and a lot of times they'll have the, you know, they may use the excuse, well, our execs handle those emails. And we had our director of risk actually sit down with some of our execs, our executive assistants, after we did a phishing exercise where we targeted the executives specifically and those assistants were interacting with the messages. And we got some results in, and he went online and he did a little bit of OPSEC and he grabbed some data, or, yeah, he grabbed information about them that he could find just in social media, walked up to their offices and just sat down and talked to them. They didn't know him from Adam. How are you? How did your kids do in their soccer game? How is it... they started to give them the perspective of what he could learn just digging information about them, and then making them realize just how effectively they could be targeted, as well as our executives, and some of the risks that were associated with there. And it ended up being a positive conversation. Yes, sir.

So if you don't have relationships with people, you can't change behavior. That's what it comes down to. If your security organization is perceived as these people that operate in this tower, and they're gonna come to you and they are going to punish you and it's gonna be bad and you never want to hear from security, they're not gonna come to you. You're not going to be able to work with them to develop things. If you have that partnership, then they might say, hey, we're working on this project, we might, you know, might be able to bring them in. Or, you know, if you start to insert yourself positively in some of those things, you can affect behavior a lot more effectively. Yes, sir.

So it all comes down to risk, right? And you have to be able to communicate that risk to people who can make the decisions. And thankfully, more and more often, as we have more and more compliance-driven things that are being seen from a high level, from a C level, from a board level, more and more those types of people are being exposed to security risks and security challenges. So if you can start to communicate back up and down again through your CISOs or through your other people that have feedback at that level, you can drive change from both directions. So you can have your security professionals that are saying you really don't need to do this, and then you can have the people at the higher level being able to say, well, how can we empower our organizations to function effectively and securely. All right, thank you for your time.