Mental Health Threat Modelling – Perspectives from the Field

is the message so that's the most important thing here so I see some familiar faces but for those who don't know me these are my you know the stuff that I've done so I finished a degree in Psychology and then went to law school for two years then drop out so I have a joke that I'm a psycho aside from being local Spanish word for crazy yeah anyway kidding aside um just to clarify I'm not a practicing psychologist I basically shifted careers and I focused specifically on the Deferred side so uh daytime I use my skills and knowledge to help protect and defend the organization I work for and during my free time I volunteer for a

lot of different community events in fact I love attending conferences and you know being with you because you're my people I mean I get to dress up in my you know favorite stuff and nobody like looks at me strangely in fact compliment me Awesome by the way thank you Dean he's my husband who makes the dresses for my conferences okay and um I'm an accredited Mental Health First aider standard and yes this year I got my accreditation to teach Mental Health First Aid so I'm now an accredited instructor okay but among all the things that I've done this is my special set of skills that I'm very proud yeah

so let's start first with threat modeling so this is an overview so uh I'm pretty sure a majority of you have heard or maybe you know are actually doing threat modeling as their day-to-day work activities but for those people who may not actually know what threat modeling is all about think of it it's just a process wherein you identify what are the potential threats and then you will now prioritize the mitigations so the idea is that you will have the abstraction of your system and then you have the profiles of potential attackers and then you have a catalog of potential threats okay now if you are like me a woman a woman of color okay I have been

threat modeling since I reached puberty I didn't know about that it's personal threat modeling I walk Acro in a busy street and I've had drivers like you know say okay I can't say those things here but you know what I mean right so in a way I didn't know before I went through cyber security I've already been doing threat modeling on a personal basis now I'm going to cover two approaches to doing threat modeling as part of this talk so who among you have heard of stride please raise your hand awesome almost like a lot of you but for those who don't know about this this is a threat modeling approach that was adopted by Microsoft in 2022 and this is

the most mature threat modeling method available so think of it if you are looking at the entire system design and IT addresses the potential security properties that are violated by the threats so stride stands for spoofing identity T tampering with data replication information disclosure denial of service and then elevation of privilege so if this threat happens in your particular system there are security properties that are violated so this is a quite quite mature you know approach so that's why I'm not surprised that a lot of you have heard about it what about this how about pasta anybody has heard of it okay compared to stride you know just a little bit less but among the threat modeling names this is

my favorite because it's pasta you know I like cooking I like cooking pasta but pasta in this particular situation stands for process for attack simulation and threat analysis so it's a recentric approach plus it combines uh business and Technical requirements compared to stride studies like looking at the technical perspective but for pasta there is engagement with the different parts of the businesses so for example first part is defining objectives in order to protect something you need to find out what is important for your organization what are you supposed to be protecting and then of course you engage with the different stakeholders in terms of the technical aspect because it's not just cyber security you have other

people from the different Tech teams like ID infrastructure database you know CRM and then there's uh the composition of the application and then then it goes like threat analysis so you'll also be engaging with let's just say CTI team or in you got to find out what are the different threats facing your industry and your particular organization and then you're also going to be working with the vulnerability Management in terms of the analysis for vulnerability and weaknesses and then finally you have the attack uh modeling and lastly there is an impact analysis so compared to stride there are all these other uh factors or particular areas that are also checked okay now any questions so far by the way

for those who are watching this uh in YouTube you have the chat there uh after the talk I'm gonna be like checking it if you are in the B-side spurt Discord I'm also going to be answering questions there after my presentation okay so now let's go to mental health now first things first I have a trigger warning here I'm gonna be talking about mental health you know challenges and even references suicide okay um for anyone here physically present if at any time the topic that I'm talking about makes it very difficult for you to continue listening please do not hesitate to go out and you know go to a quiet space and compose yourself because your well-being

is more important even at this particular time please go ahead I will not be mad or anything I'm very proud of you for being here but if it's too much please you know go ahead because your well-being is more important than my thought okay now just to clarify these are meant as general tips and this is not a substitute for therapy psychological or psychiatric advice but what I want to impart is a message that it's okay to talk about this in fact it's very important that we talk about this and seek help okay so let me just clarify let's go in terms of definitions okay so for World Health Organization this is their definition so

they Define mental health as a state of well-being in which an individual realizes his or her own capabilities can cope with normal stresses of Life can work productively and is able to make a contribution to his or her community so there are several words and phrases I have highlighted here it's just to let you know that it is about well-being about realizing your abilities you can cope okay you can work productively and you can make a contribution to your community so this is the definition of World Health Organization now quick uh you know thing what's the first thing that comes into your mind when you saw this particular slide this photo anyone at the back

Fiona okay any other Joy anything else okay so a lot of people when they think about the words uh mental health it's always like joy and all those things like exuberance and all those things but mental health all it's it's a spectrum okay it's a spectrum now what about this once you see this uh you saw this particular photo what comes into your mind grief sorry sorry just kidding what else anybody sorry I'm literally here all right so for majority of the people called me or the first thing that comes to their mind when they see this photo is like you know extremist stress could be like frustration okay so these are all part it's like

Spectrum like the things like uh like mental health it it involves being able to cope with the daily you know stresses that we face now let's look at some statistics okay so being the nerd that I am I love looking at reports even you know reading uh Journal Publications so from uh who they came up with the world Mental Health Report and in 2019 they uh they actually have this number that one billion people are living with mental disorder and 15 of working age adults experience a mental disorder and then of course surprise surprise combat 19 has triggered a 25 increase in general anxiety and depression worldwide I'll be honest with you I was deeply affected by

covet 19. not just because we were locked down in Melbourne by the way I'm from Melbourne it's because I've lost a lot of people to the virus I've lost former colleagues former classmates you know relatives and there's also people who weren't you know really sick uh with kovid but because of the breakdown in the hospital systems their medical conditions deteriorated yeah now some green stocks so that's like from a Global Perspective let's look at the local numbers so this is a number it's really quite high for me nine Australians die every day due to suicide and that's more than double the road tall and this is something that's really way heavily in my heart 75 percent of

those who take their own life are male so I have a lot of male friends I love my male friends you could like ask my my male friends and you they'll tell you I tell them I love you okay and it's not in a romantic sense I love them as if they were my brother okay now each year over 65 000 Australians make an attempt and it is the leading cause of death for Australians between the ages of 15 to 44 okay and then another thing is that for the lgbtiq plus Community they have a higher you know significant rates of suicide than the rest of the population and then the interesting thing here is that this is a

study wherein they found out that for each life that is lost to Suicide 15 135 people are are affected or felt by it it could be those First Responders the emergency responders were colleagues family members friends okay and to you you may think 135 is just a number but for me I'm one of those 135 people I lost two four former colleagues or guys and then I lost cause into suicide so there's always a hole in my heart that will never ever heal and that's one of the reasons why this mental health is one of my personal advocacies now I talk about the mental health from the perspective of definition of the World Health Organization for mhfa this

is the mental health first aid Australia so just to clarify whenever you hear Mental Health First Aid it started first here in Australia and it actually spread all over the world so for mhfa Australia the definition of mental health is a it's a Continuum okay and it can range from good mental health to mental illness and a person will move along this Continuum in their entire lifetime it could be you start out you know on this part of the Continuum you move to a little bit part of this then you move so it's really a continuum okay and then in terms of prevalence of mental health problems about uh 4 million of us Australians one in every

five Australians suffers from mental illness in a given year and our top three mental health uh problems are one depression two anxiety and third substance abuse I've also looked at the because I presented a version of this to some of the Defcon groups in the U.S I look at also their statistics there and depending on the year it's like also the same like three depression anxiety substance sometimes anxiety uh like a little bit on top but it's always almost these three mental health problems both in Australia and also in the US so bring it bringing it back to our industry okay I I didn't draw I like got all these you know emojis this one I think

it kind of sums up you know our Continuum in a day or we've had our coffee in the morning yes we're happy then like all these issues incidents all those things happening sometimes to the point that we have to you know even work late at night okay so we have all these industry challenges stress fatigue frustration and burn out now uh for this particular presentation I have actually new data points for those who have seen my cracky con or my con or my uh Isa cyber contact there are two studies that I now have included in this version of my presentation so this was the IBM security incident responder study that IBM uh commissioned uh morning consult and

interviews were conducted online in a sample of 1107 cyber security incident responders this is globally okay this is globally now uh one of the things and I am as an incident responder as a Defender one of the things that I really love about my job is that I have a sense of duty to protect and to defend so I've always been proudly a blue teamer but with a purple team mindset now not you know no surprise the first three days of responding to an attack is the most stressful now I joke like by the time that this was uh created and released I've already been out of the IBM X-Force IR but I talked to other former exports

ir and video the IBM did not include us in the sample because the numbers were a little higher so okay what are the findings 81 of the respondents think that it is the rise of the ransomware that has actually uh worsened the stress and psychological demands on incident responders 68 of the responders said that it is somewhat uh common for them to respond to two or more incidents that overlap so for me that's common for me but I have been diagnosed uh late in life with ADHD and my ADHD loves that kind of you know multitasking as if I was born to do this kind of job okay and then 67 percent experience stress anxiety in their daily lives as a result

of responding to incidents in my case at the end of the day I always reflect on what have I done can I do better and even when I'm showering you know doing like other things non-work stuff I'm always thinking about work how can I do better or did I miss something so I always think about this okay now 65 percent of those incident responders that responded to the survey sought mental health assistance for me that's quite low because if you are always you know dealing with this kind of stress okay 65 of that is quite low maybe there is fear shame embarrassment and all those things especially for me I come I grew up in a

country wherein going to a psychologist is considered a taboo and you're not supposed to talk about it because you're crazy but things have been improving a bit but still not not you know not that good now so that is the global IBM incident responder study now we go to Australia so this particular survey was from sakuru or it's a cyber security mental health survey and it was released on the world mental health Day last year on the 10th of October and their sample size is a little bit smaller compared to the IBM study it's just 101 cyber Security Professionals and this one instead of just incident responders it's cyber security as a whole the entire you know

like the industry okay who among you have heard of this report before anyone okay just one just okay just one okay so it's all here okay the numbers are quite telling nine in ten cyber Security Professionals reported experiencing mental health challenges at work over the past two years of course no surprise because when we went on you know like all the lockdowns everybody went uh online and you have the proliferation of different scams you know all those challenges so that's not a surprise and then in the industry half of the responder actually attributed their mental health struggles at work due to poor culture and or management styles there's a saying that people don't leave companies they leave managers okay and

then 50 percent or half of them also uh pointed out to the high stress nature of the job in our cyber security in our industry as uh something that impacted their mental health and almost two in five have actually quit the industry for me this is really a bad number because we are always saying we need more people because the attacks you know all these incidents they're always you know uh going up they're not going down but then people who are supposed to be protecting defending us uh they're all living like two out of five has quit the industry for me personally when I shifted from a non back to attack Tech Focus career my mentor was my high

school best friend she was a programmer but she quit due to bullying and I've always remembered all the things that she you know had to endure and then only to find out later on that I will also face the same thing and one of the things like recently there was one woman I worked with fantastic analysts but left the industry just because of one guy okay I'm not saying uh you know that you know it's it's I say guy as you know not guys all of you okay there are some and I'm talking here because I know the fact that you're listening you are allies okay and we want I want to make sure that we always

have diversity and inclusivity in our industry okay now so so with that let me just uh clarify certain things about stress because everybody talks about stress so what is stress it's just any physical or emotional reaction to certain conditions so they also have what is called positive stress negative stress like positive stress I'm getting married or we're going on a holiday but there's like you know the negative stress so when we talk about negative stress we have this certain types okay so there is what is known as the acute stress so this is the most common type of stress and then once the stressor is gone this stress goes away so that's cute okay and then you have the episodic

stress this happens when the acute stress happens frequently without enough recovery time so think of it from the perspective of there's an incident okay acute stress okay then like okay you have resolved it okay like okay now I'm okay but if it frequently happens and you don't have enough recovery time then that is considered episodic stress and this is the one that will lead to lesser tolerance in terms of uh other stress events and then you have the chronic stress which is long-term stress it's like for example you're always in a constant state of stress so for people who are actually in the battlefield you know out there you know the soldiers they will have this chronic stress they

will always have to be alert because there may be a bum or there may be like you know gorilla you know all these things happening out there in the battlefield and this chronic stress is the one that has the most significant serious effect in our physical and our mental health and episodic and chronic stress contributes to operational risk and burn out and that's actually there's a study so this came from a research done by dagstra and Paul okay by the way later on I have a slide with all the sources there you could take a photo of that okay now uh about this thank you very much to um I forgot the name of that guy from

canva yesterday he actually already covered uh okay yeah hi thank you very much for covering this so I don't have to cover this all for everybody okay you can just like go back watch his presentation it's about the definition of burnout there's three uh you know uh Dimensions there okay now now so and talk about all the numbers the statistics the definitions and I've also talked about threat modeling let's look at the safety plan okay so who among you have heard of the safety plan okay just a few okay so safety plan is something that is provided to and it's actually something that is done for people with suicidal you know thoughts okay so for example if

you have thoughts of harming yourself you talk to a counselor to your GP your psychologist your psychiatrist they will come up with a safety plan for you so there are four steps there okay now I am reporting septalizing this as your mental health threat model think of step one as the identification think of step two to four as your mitigations so this is uh what I'm approaching it it's like our own personal mental health threat modeling so let's look at this so the first step is know when to get help so you need to identify you have to like uh I hope after this talk you take a time you know to think about what are the warning

signs the personal warning signs that you're beginning to struggle with your problem okay you think about what are those thoughts those feelings or behaviors okay so it's gonna do you have to do a lot of self-reflection again you have to be honest with yourself and then step two the coping skills so if you encounter these thoughts these feelings these behaviors what can you do by yourself in order to take your mind off the problem healthy you know coping mechanisms not drink yourself to death okay and then what are any obstacles to using the scoping skills okay so you think about that so that's step two so now what has worked for me so these are some

of the simple techniques so breathing helps I don't have the exact names of those psychological studies but there are certain techniques there's a box technique there's this number techniques but what has worked for me is that I count like uh four like inhale then hold for two and then exhale for a longer count like six or eight so these deep breaths will help uh activate your parasympathetic nervous system helps calm you so there were times before I had uh when I was working as a consultant as ISO from Europe who was actually yelling on me on the phone hey I want you to show me your the results and all those things and I'm sorry I

can't now you have to show it to me right now and they're like how what are you you're not so professional I'm gonna go to another one and then finally when he ran out of breath I said I can't share with you my my screen because you call the hotline you're on the phone foreign and I asked okay give me five minutes to hop into you know Ms teams to be with you so that five minutes I took this deep breath because I was really trembling okay and it's like reflecting upon that I remember like at night after that particular yelling situation I remembered because several years ago I was in an in an on-site you know

assignment and there was a size of who wanted to beat me up yeah so yeah because he wanted he at the time I was doing training he paid for five individuals he wanted to have 15 people come in and I said we can give you like you know three six uh I mean free two people seats but not that because that's too much and he was really angry and his body language was he was about to punch me back after that I went for a crab from Burger lessons Okay anyway another thing is grounding you know think about the present time so that's what I also did so I remember like why was I trembling even like you know that night

I was like still you know there's also that anxiety and then I remembered it's because of what happened to me before it triggered certain things in my body okay and so I had to ground myself no that was before I'm present right now and another way is blowing on the hand to remind myself I'm here because sometimes our minds will take us to those previous negative uh experiences or situations okay so blow on the hand and then describe to yourself what you're feeling so it's like grounding yourself in the moment another is visualization so I think of like the three like I do that movements okay that's why I like working from home because when I get stressed out with

work I stand up and I just imagine I'm just a tree blowing in the wind okay and then I also have like strong visualization skills another is leaves floating so let's I'm just imagined myself I'm under a nice tree and then and there's like a brook by the tree and then I imagine my concern it's a leaf and then it it was like broke off from the tree and then it floated on that water and started moving away so that's like bye bye you know zero ticket number whatever and then okay another ticket you know ticket number okay bye-bye so those are the things that has worked for me so I hope some of these tips you

know incorporate them try to figure out what works for you okay and then another thing is the health the use of healthcare technology so we have several you know apps available some are free some are not uh very good one from Australia is smiling mind that one is for free and then you also have we also have here from Reach Out worry time so please take photos of these because there's a lot of these apps that are useful some are paid some are not so it's quite useful it helps me I have those apps on my phone to help me you know when I need you know a chance to focus on things to make sure that I

stop you know worrying about you know other things okay now let's go to the third part of the mental health threat model that is about social support if you are unable to deal with your distress mode by yourself contact trusted family member or friend so you will have your own contact list there have a list if your first choice is not available okay so another thing is like what we do here the fact that everybody's here on a weekend and then we all turn up for work on Monday it just shows the level of commitment that we have towards learning and also sharing knowledge and also catching up with the friends we've made in the

conferences okay now So speaking of that uh part three of our mental threat mental health threat model there are spectrum of interventions so we have there from prevention early intervention treatment and there is this you know think of it it's in terms of your Continuum of your mental health you are well becoming unwell then unwell then recovering and this Arrow here it's where Mental Health First Aid can help you have mental health first aiders just to clarify they are not you know there to diagnose it's not part of mental health per seed who among you has done uh first aid from Red Cross first aid okay so that's good okay so you have an idea that you're there to respond

because something happened okay this one is helping people talk about what are the different situations and then what are the pathways to access help okay so this is where Mental Health First Aid can help Okay so there's no diagnostic is being done okay just to clarify and then the last one is about seeking help from professionals if the problem proceeds and there's still some very negative dark thoughts please reach out to a professional support system okay and then part of the safety plan is actually making a path and signing it meaning you are going to use steps one two three to help yourself and you're not gonna act on your thoughts of killing yourself okay now when I

included here Dr Blair raw stages of grief because there are times wherein uh we are grieving not just because somebody has you know died it could be that we're grieving about you know other parts of our lives like for example it may be that you figured out this is not a place for you in the organization and so at first you're denying no this is the best organization because I be I'm being paid for the first time in my life the highest you know salary that I've ever had in my life and then there's anger later on because of the things happening and then you're trying to bargain it's okay I'm getting paid a lot

of money although I'm like working 60 70 hours and my boss doesn't like really listen to me or doesn't really you know uh listen to my concerns and then later on you feel sad and then you move into acceptance I think this is not the job for me this is not you know something for me then you move on so this that the stages of grief happens not just because somebody has died it applies to other parts of our lives too okay now just to clarify it's not all doom and Bloom okay we can do this okay so first off okay remember you matter all of you matter for those people watching on YouTube you

all matter make sure that um you use the techniques here use the model the mental health threat modeling approach that I taught you and remember that you you are not alone there are always other people in the community your organization who are willing to listen but don't be afraid to ask for help and then second make sure you practice self-care when we say self-care people think oh I'm gonna go on a spa you know I always say no sometimes simple things like doing your hobbies or like cooking baking woodwork all those things or just taking a nap you know resting self-care remember you have forensicate you know eat hydrate sleep repeat do yourself care it's just a

cycle okay and then uh consider going for mhfa training so in your organizations maybe talk to your managers hey I'm like interested in doing this and now I'm telling you since now I'm an mhfa accredited instructor if you have six people willing to do the training let me know I'll do it for you because my personal goal in a decade is to train 1 000 cyber Security Professionals to become mental health first aiders so I'm telling it to everyone now you heard it person besides birth that is my personal goal as an instructor please help me do that okay other kinds of training it may be that you're more interested in Tree Side prevention there's also assist so

right now I'm not an accredited assist trainer but I have gone through the assist training okay and then build a culture of openness and support that and make sure that you have support for well-being so once again hats off to canva for like the check-in and all those things that emoji now I also have to clarify sometimes if you have a bad relationship with your with your manager you sort of like mass and just keep on saying like I'm happy I'm happy but inside you're not okay try to do something about it because no job is worth your mental health just remember that okay and then don't be afraid to lean on your community as people talk to people

in in in person virtual there's a lot of discords people have actually started like chatting a lot so it just reminded me of my IRC days I think I've aged myself there and then now consider the power of collective action for the greater good okay uh you know for those people who know me personally I don't I'm very upfront I don't do BS stuff and all those things sometimes in an organization no matter how much you want to advocate for things or sometimes no matter no amount of deep breathing you know meditation mindfulness can actually fix a broken system so in that case that's why you need to work with other people in the industry

help make sure that our industry remains uh an industry that everybody could drive whether you're neurotypical you're a diverse and for those who may not be familiar we actually have a union for professionals so the union is professionals Australia so this screenshot actually it's a conversation between security visas and chat GPT to describe this uh organization so uh not just people in Tech I.T cyber security even pharmacies you know scientists engineers game developers so that's professionals Australia okay now these are the sources and resources please take a part of this so if you're interested in reading the reports the studies you know the statistics please take a photo then I'm already I'm actually put all my social media

accounts because my DMs are open because if anyone I've always said that if you have any questions please feel free to ask me afterwards or hey I'm feeling this or that yeah let's have a conversation because you are important to me okay every one of everyone here you are important okay and I will listen to you and if you ask you know for advice or question yes then I will say oh these are the options all those things so with that I hope that this talk has inspired you to go for Mental Health First Aid course or be an ally and just to be you know uh someone who makes sure that they take care of themselves and

also help other people become mentally you know uh you know okay in our environment so with that thank you very much

and there are any questions here uh yes

um

yeah okay so the question is if you haven't heard it in uh the video If like what about those on the side of customers or consumers who have experienced cyber crime or Cyber attack where can they go to for help So currently it is ID care here in Australia and so far it's it's them but we just have to be patient because they are really inundated with calls for help and that's why in I previously talked about I've done a lot of other presentations it's like for us in the community let's also be open and like try to help them but it is also quite challenging because there's also uh the concerns about uh the advice that we

give them so you always have to preface it that hey I'm just doing it on a personal basis it's not as an incident responder for this particular company and all those things yeah there is actually a need for that so far right now in Australia it's ID care anybody else yes on breakfast at the TV um some of the stats that you mentioned looked at incidental response but does any of the data show that our professionals working in a particular domain of cyber have a higher prevalence of negative mental health than other areas of sidewalk okay so the question is is that the numbers that I've shown is for incident responders what about people who are working in other parts of

cyber security so the first study from IBM that's specifically focused on incident responder the secure study survey based in Australia it's actually people from other parts of cyber security but the sample size is too small and doesn't really state which particular you know aspects in cyber security or like particular specialization but that is a great question because maybe I could run a survey myself maybe I will run it like yeah okay thank you very much for that idea thank you okay and it's like oh we don't have any more questions it's pretty good maybe you've got a few DMS okay no problem okay so thank you very much and remember maybe you're a little bit inhibited or shy in asking

questions here you know my different social media accounts just send me a DM and just like say hi I'm from besides a bird like I heard from that because I present in different conferences so that I would remember which talk you're referring to thank you very much for listening foreign