
Ding ding dop
ding ding dop ding ding dop. Now there's a prize. A couple of you may have gathered the language. I don't know. But if anyone can give me the translation of that who doesn't already know I was planning on doing that. If anyone can give me the translation. You have a prize. The prize is Lego aka a bag of awesome. So um hands up if anyone can tell me word for word what I said word for word. Mustafa. Really? If you can please do. Sorry. Anyone
word for word or a rough approximation? Anyone tell me the language? Klingon. Yes, you get the prize.
[Laughter] Yeah, I was going to say please do not ask me to say anymore because I learned that for this. Um, so um there was a point to that. It wasn't just uh to have a bit of fun and that was to understand language you need a context. So you hear the tune and maybe you start to get what it is. But actually without a translation it's very hard to know what somebody says. So you can speak a different language and without the exact translation you won't know that I was uh saying bite me spin spin make my feet spin. Now bite me. Quite glad you didn't understand to be honest. I didn't want anyone rushing the
stage and uh biting me. But so I wanted to open up my talk today which is about how to raise awareness and communicate better with users, general users um with that demonstration as a way of saying we talk a different language. And I'll be talking about language um a fair bit today. And the point was to say that without context and without an understanding of the words being said, without speaking the same language, then you may as well be speaking Klingon. Um, so I am Jessica Barker. I work as an independent consultant and my work is all around the human side of cyber security. So I look at users, user behavior, user awareness um and I work with organizations
um to kind of bridge that gap between technology and um the average user. And I'm talking today about awareness raising and about how we can better communicate with users. My background is in sociology and politics with a bit of psychology. And that's kind of what I what I bring to this um subject. So before I move on to talk a bit more about that and I'll be going back to language. Um I did a bit of a tiny bit of research last week. So I did a survey of a hundred people and I asked them how worried they are about cyber security for one question. Um and this is something I'm often interested in and it's work that I do
for clients as well is look at their consumers and see how worried they are about um issues of information security and what that means um for organizations. And we can see that people are actually people are quite worried. So the average score was 6.3, not massively high, but above um sort of five. So it was on a scale of of not at all worried to very worried. And people put it kind of um in the higher than medium. If we look at 9 to 10 compared to 1 to two, so if we look at very worried as opposed to not worried at all, we can see that it's double. So people are actually kind of quite worried about
this subject. I then asked them, do the same group of people um do you feel that you know how to stay safe online? And I was quite surprised with these results that actually the vast majority of people do feel they know how to stay safe um at least all of the time or sometimes. And it's about 70 odd percent that say either yes they do or they they at least do sometimes. So people are worried. They feel like they know what to do. But we can all say that human behavior um online is not particularly safe. So while people may feel they know what to do um they're not putting those practices into place. They're still
clicking on dodgy links. They're still using poor passwords. All of the behaviors that we are used to seeing. And one of those reasons is language. One of the reasons is talking to users, how we talk to users, how we make them understand um the behaviors they should be engaging in and actually encouraging them to do so. So, I've got another example um of the power of language and translation.
So, what you'll hear is a sentence, a spoken sentence that's been transformed by a computer to sound like gibberish. So, Any idea what they said? No. Okay. Anyone got any idea? Anyone who hasn't heard that before uh got any idea what that message was? Sorry. Something was in a bumblebee. Nothing was in a bumblebee. Good try. Uh you can hear it one more time. Okay. Now we'll hear the real sentence. Any after the second attempt? No. It's complete gobbledegook, isn't it? The Constitution Center is at the next stop. So there we have the translation and it played again. Did everybody hear that? Okay, we'll go back to the start. Does it make sense that time?
Yeah. Wait, was that is a sentence, a spoken sentence that's been transformed by a computer to sound like gibberish. So Any idea what they said? No. Okay. Uh, you can hear it one more time. Okay. Now we'll hear the real sentence. The Constitution Center is at the next stop. Does it make sense that time? Yeah. Wait, was that the same? It was the exact same sentence that you heard the first time. No way. It's the exact same sentence. Your brain is always using prior information to make sense of new information coming in. So, so did everyone hear the sentence was the constitution center is at the next stop and when you've had the translation and you listen to the
garbled message, you can hear it. If people want to hear that again, put your hands up. I don't want to keep kind of playing it and you can find it on Soundcloud, but if you want to hear it again, I'm I'm happy to play it. Um, but the point of that, the point that the researcher there was making and the point that I'm trying to make is you only understand language when it's in a context, when you have prior information. So, when you have a knowledge base already to translate it for you and it's exactly the same as the Klingon and the Hatchop, um, if you don't know the the words, if you don't know the context, um, then it's just all
sounds like bobbled. It all sounds like a computer talking. And often this is the case with users. We use a very technical language um in this industry and if we don't translate it, if we don't put it in a context they understand um then users won't engage. They won't literally won't understand what we're talking about with language. I don't know if there's anyone else from Newcastle in the room. Um this was yes any excuse to put the Lambton Worm uh into a talk. Um I'm not going to sing it yet. I may at the afterparty. Um that's a threat, not a promise. Um, but language there are there is slang and there is jargon and they're actually
very similar although they're at kind of opposite ends of the scale. Slang is informal and is kind of used and has grown in an informal way and jargon is very formal and is often used in a a professional way but they often perform um the same functions. So slang and jargon both are kind of shortcuts. They're ways of saying things quickly. um to communicate a meaning without having to explain everything behind it. So I'm going to talk later about rationality and if there are any other sociologists in the room when I say rationality you will automatically know what that means. If you haven't studied sociology or history you might not have that shortcut to know exactly
what it means. So that's one function they have. Another function they have is to unify a group. So I just asked if anybody from Newcastle is here if they get that meaning and a few people in the room are from the same place as me. So they are familiar with the Lambton Worm and I have just identified kind of my one of my groups in a way people who are from the same place as me and that's a a purpose that's partly why we use slang and also why we use jargon. It's a way of kind of saying we belong to the same group. Um so we can kind of feel a kinship. Um, and it's also as a way of of marking
kind of therefore those who belong and those who don't belong. So if you understand what I'm saying, then you kind of belong with me. But if you don't, if I speak in this way um, and you don't get it, then I'm excluding you and you kind of don't belong to this group. And so it's this idea of social identity theory. When you speak the same language um, and exclude others, then you are kind of identifying with your group. And social identity theory is a sociological theory and it's all about group membership and it's about having signposts that mean you are part of a group and those who aren't part of your group are excluded and kind of um not a part of your
subculture and I think we see this a lot in our industry. Social identity theory is a way of kind of building up your own self-esteem. It's a good thing. you take pride. I know nothing about football. Um, but I was brought up in Newcastle thinking that Newcastle United are the best thing ever and therefore obviously so am I because I'm from Newcastle. Um, so it's just an example. Football is one way um that people have a kind of social identity. Um, and we use this to build up our pride, our self-esteem, also to unite us as a group. But it also has this effect of excluding people. And I often think in infosec we have a kind of
us and them um approach in terms of the people in the industry, the people who are sort of technology orientated um and people who aren't the everyday user. And you see it a lot. You see it a lot in media reports. Um you see it a lot on Twitter. And it's this idea that we are knowledgeable in this industry and people who don't have the same knowledge of us are stupid. Um, so we can see it in that Register article. The biggest problem in infosec are middle managers because they are the ones in this latest report who are clicking on the most um phishing links. We've got this other tweet and um I thought I should block out uh who said
it but why infosec is hard. Basically the user the user is a disease and is an idiot. Quite an extreme example, but you see this undercurrent quite a lot of blaming the user. And what this actually is is victim blaming. The user is not the biggest problem in infosec. The biggest problem in infosec are of course the attackers. They are the criminals who are engaging in criminal activity. Um and they are the ones who are obviously causing the problem. Victim blaming um has been around for a very long time. It used to be a sort of recognized and reputable part of criminology. So for a long time um police and criminologists used a typology um of
victimhood to define how much a victim was responsible for a crime. It ran from one to six um one being a victim was completely innocent up to five and six where um the victim was entirely responsible. And that was recognized and accepted and it was seen as kind of normal that a victim could be responsible for a crime that was acted against them until the 70s and 80s when this started to be challenged. And it was a couple of sociologists called Timmer and Norman who led this this kind of challenge against um the idea that victimhood is a disease and a problem and that if you are a victim then you are asking for it.
Um and what they said is that um this kind of victim-blaming attitude it diverts attention away from the real problem. So in our case, it diverts attention um away from the criminals and the people who should be the really the really really the them group um that we demonize and it also um is unfair and it's damaging and again I think we see this very much um the latter part in in infosec because it's very damaging for someone's self-esteem to tell them that they are the cause of the problem. an info, a user clicks a link or has a a rubbish password, then they're to blame um for um any kind of attack or breach
that happens. And this means that they will be less likely to communicate. They will feel stupid. So, they will shut off to any kind of learning or any kind of messages we try and spread. Um I'm not the first person to reference Tay today. Um she is a music icon, fashion icon and of course thought leader in infosec um to which none of us can rival. Um and I think she she very much has it right when she says um and this I would say is is a very big problem in our industry. The people who protect computers don't understand the users they're protecting. They think they're protecting people who are themselves. We expect users to think
like us, to have a a knowledge base and also a set of language um a jargon slang that we all understand. And if we really want to make a difference in infosec, if we really want to change um user behavior, then we need to start understanding users better. We need to understand how they think, how they make decisions, and also why there is this gap between awareness and behavior. We've seen a huge rise in awareness over the last couple of years. In the last year alone, there was a rise in media reporting of something like 400% in infosec. So, it went from, I think, 4,000 news stories um last year to 25,000 this year. So, there's a huge
public appetite for privacy and security stories. Awareness is probably higher than ever before, but behaviors aren't changing. And this is because we don't we haven't fully comprehended the emotional and the psychological aspects of this subject. And I think one way that we can start to understand this better is to look at um other fields. So for for example behavioral economics, behavioral economics um is all about understanding how people behave, why they behave um and they look at um heuristics or kind of rules of thumb. So behavioral economics says that behind every decision we make there is a sort of an unconscious set of structures like the scaffolding that will lead to that decision and we won't really be aware of
it. It won't be a logical and conscious decision that we necessarily make but it will be triggered by all sorts of things that are going on in our brain and decisions we make are very context driven and very context-orientated. So decisions we make will come from previous experiences um and they will be kind of fitting to the context that we're in. One um big subject that behavioral economics talk about is priming. And priming is basically this idea that that something happens or is said to you and it cues sort of downstream behaviors. So um for example there's been a lot of research done that finds if you tell people stories of achievement or success before they go into an exam um then they
will do better. Even if you just use words like achieve success um greatness all these kind of positive words people do better. Likewise if you engage with negative stereotypes people will do worse. So, one of the most depressing findings for me personally was if you tell a woman she's a woman, if you remind her that she's a woman before she goes into an exam, she will do worse than if she just goes in. Um, it was a study done in America. They found if you tell an Asian-American woman she's a woman before she goes in, she'll do worse, but if you remind her that she's Asian-American, she'll do better because of the positive stereotype um of working
hard associated with that ethnicity. So stereotypes really matter and how we talk to people and how we prime them is really important. If you've seen me talk before, you'll have heard me talk about the Pygmalion effect and the Golem effect. The Pygmalion effect is basically if we expect a lot of people, we tend to get a lot back. So it's based on a study called Pygmalion in the Classroom. It was done by a couple of sociologists who took um school students and they told some of them, their teachers told some of them, "You're going to do really well." And their teacher took others and didn't tell them that. Um and the ones that were told they would do really well
performed higher than had been expected of them. So, how we speak to people, how we engage with them, what we expect of them, um is really important. The opposite of that is the Golem effect. Um, it comes from Jewish mythology and it's the idea of rabbis building golems, building sort of lifelike um, man-like creatures out of mud. Um, and what happens in one of the main myths is that a rabbi creates a golem and um, kind of doesn't take responsibility for it, doesn't train it and um, educate it and the golem goes off and causes um, destruction. So the Golem effect is seen as the opposite of the Pygmalion effect which is basically if you don't take
responsibility for people um that you are teaching if you don't um engage in positive stereotypes then um they tend to do worse and perform more poorly. This is a picture of uh Descartes I mentioned earlier um rationalism and um rationalism was kind of predominant in the 19th and 20th century. rationalism led to a lot of great discoveries. Um, but one core problem with rationalism and the idea that we are all rational beings um is that it thinks that there is only conscious cognition that everything that we do and think and all of our behaviors can be quantified, can be measured, can be broken down and understood. And this is often what we expect of users. We think their behavior can be
understood. We think they should be rational um when they're on a laptop. But we know that they're not. We know that users, for example, um I think it's 46% of people who have clicked on a phishing link or um a spam link, they know that they're engaging in risky behavior. They know that they are doing something which is likely um to have negative consequences, but they do it anyway because they just can't help themselves um or they are kind of curious. So, um, that's the reason I'm drawing on rationality because we're expecting users to to always engage in conscious thought and always be rational and we know that they're they're actually not. For more useful um approaches to user
behavior, we can look at the British Enlightenment and look at ideas of unconscious cognition and the importance of um, our unconscious. The unconscious is impulsive. It likes good feelings and it wants a kind of immediate and good response. And the unconscious brain is often responsible for a lot of our decisions um and a lot of our actions. It has a much more powerful um processing ability than the conscious brain. So at its highest potential, the conscious brain is 200,000 times weaker than the unconscious brain. So what basically happens when you're learning something new is you engage um with your conscious brain and then once you've learned it, you download that knowledge into your unconscious brain and that's
all you need going forwards. You don't have to consciously think about what you're doing. So this is why um once you've learned to drive and the information and the knowledge and the skills have been downloaded into your cons unconscious brain. This is why you can drive home and hardly remember the journey and kind of get home and think I was asleep basically for that. I didn't seem to be paying attention. Anything could have happened. How did I make that journey alive and not killing anyone? Well, you did that because your unconscious brain was working for you. You didn't need to think consciously because you already had all of the skills and the knowledge and the
awareness in your unconscious brain. Karl Popper who is a um Austrian philosopher, he talks about the analogy of clocks and clouds when it comes to human behavior and human thought. And what he basically says is clocks are neat and they're orderly and they can be taken apart and dissected and understood whereas clouds are messy and they're dynamic and they change by the second. Um and they're much harder therefore to analyze to study and to understand. And he basically says we think too often that the brain is a clock and that human behavior is a clock and can be dissected and understood like an engineering problem. when in fact the brain and human behavior is like a cloud. It
changes by the second. It's very hard to study and to understand and to apply rules to um and it's very dynamic. It's sort of very movable. So we need to understand the brain and humans more like clouds than clocks. The brain is an ecosystem. It's a set of parallel processes that are all working at once. Um and you'll all know about kind of synapses and synaptic connections. um which is basically when I see a cat for the first time, I have to be told this is a cat and neurons fire in my brain and I start to understand okay this is a cat. The more I see cats, the more I become to understand what cats are and the
differences between different types of cats and then those connections get stronger and stronger and stronger and so my thought processes around cats gets very much stronger, much quicker, much more efficient. So I can tell cats apart. I can see a cat just from its shape. My understanding of catiness is um much greater. Um and this is what you need to build up unconscious thought. You need to see and recognize and understand things more and more. And so this is what we need to do um with users. We need to engage with their conscious brain so they understand and engage in behaviors um that are much more secure in a way that they keep on learning,
keep on building up those connections to then download that into their unconscious brain. Um there is a quote from a book that I recently read that talks a lot about this and I would recommend it. is called The Social Animal and it's by a guy called David Brooks and he said humans succeed because they have the ability to develop advanced cultures to understand any kind of threat or anything in society. We need a kind of scaffold of culture. We need something that helps us understand and work together and share this knowledge. And this is something we need to build up um with our users. When I talk about unconscious thought and the power of unconscious thought,
you could then argue, okay, well, well, what's the point? You know, if the if the conscious brain has no power, how can we engage with the unconscious brain um and actually make a difference? And there's a good analogy I recently read about it, which is unconscious emotions have supremacy but not dictatorship. So, if we think of the brain like a camera, a camera has an automatic function and a manual function. The automatic function is fast and it's quick and it's sort of has instantaneous results but it's not at all flexible. The manual function is slower but it's more controlled. And so when it comes to infosec and and users we need to be encouraging them to engage in
that kind of manual function and uh engage with conscious thought to override unconscious thought. Um so coming on to kind of the final bit of my presentation is to talk about empowerment and empowerment is an important theme in information security. Um the definition of empowerment is to give somebody power um a role of responsibility um to be able to do something the authority and the the ability to do something. And it's also to make someone feel stronger and more confident. And there's lots of ways that we can impact on empowerment. So language is a really important one. Engage in your more positive um language rather than the kind of negative language that we saw earlier um in terms
of victim blaming. But there's also lots of things you can do in an organization. So setting a vision, having a strategy, having a mission, making sure people understand what is going to be done and when and kind of having a set of road maps in place, raising education and awareness, but doing so in a way that people understand the why. So not just telling people what they can and can't do, but telling them why they should be doing it. making sure that people feel that they can engage in asking questions and conflict um and challenging people so that they are kind of empowered enough to for example um stop someone coming in without a badge on or
tailgating. Um roles and responsibilities is a really important thing when it comes to empowerment. So a study um was conducted around mental health and alcohol abuse um and it was basically how to keep people um engaging in positive behavior when they want to um sort of change their their relationship with alcohol. And this study found it was a kind of support group of people um with mental health and alcohol abuse issues. And it found that the more they had a role in the the group that they were belonging to, the more empowered they were and the more likely they were to engage in positive behaviors and stick with the group. So there was kind of a scale um of
membership of the group going from just going along to meetings to kind of mentoring someone to setting a strategy to being on the board. And the higher up the scale attendees went um in terms of empowerment, the more likely they were to change their behaviors um for the positive. So in terms of information security, we can think about that in an organization and having kind of different roles for people having this idea of ambassadors um and champions. Horizontal working is also really important. Getting people to work in groups and people from different departments working together. So from HR and legal comms um all working on the infosec problem and this is not just to make sure that it kind of spreads wider
in an organization but it's also really important in terms of empowerment and actually problem solving. So a study found um there's this card game called the the I'm not sure if I'm pronouncing it right theon or the Wason selection um card game. I don't know if anybody knows it but it's very difficult. It's very complicated. And a study found that 75% of groups completed this game successfully, but only 9% of individuals did. So when we work together as a group, we're more likely to be able to solve complicated problems. Thank you very much for listening for me to me today. If you have any questions, I'd be very happy to take them now. Um
or you can get in touch by email or Twitter. I've also recently set up um a new Twitter account and a new website that I've literally just launched in the last few days. Um so I'll be very happy um if you want to have a look at that. I am planning on putting the first article on the website up soon. It's going to be an interview I did um with Phil Zimmermann who I met um yesterday in Austria and who was very kind and spent some time talking to me. Um so hopefully you might be interested to have a look at that as well. And sorry for the plug. Um, thank you all for your time.
[Applause]