
okay um right uh here is all the information that you need about me in the qr code which you can safely scan and and collect all that information in as long as you maintain full awareness of the fact that i started my career in security researching malware and computer viruses and i know every possible way that there is to uh get someone to install malware on their machine um but enough about me uh this is a security awareness lessons from dr bonnie uh subtitle why i'm losing all the respect that i've built up over four decades for vaughn palmer and why i never had any respect for richard zussman uh that may become clearer as we get into it
you will not know who uh vaughn palmer and richard zussman are they are uh reporters journalists media personalities in the vancouver area i am not only uh not an american and therefore an untrustworthy foreigner but i am on the wet coast of north america so i'm in vancouver british columbia canada uh and uh that uh will become uh somewhat important so uh some of these references will be a bit odd uh from your perspective um i i just like to say that it's kind of interesting that b-sides greenville while i certainly respect all the work that they've done in uh putting together uh b-sides during these difficult times uh it it is kind of interesting that
this out of the various uh proposals that i made was the one that they picked anyways uh who is dr bonnie and why should you care and and what does this have to do with security awareness uh the dr bonnie show as as some of us call it is the um uh covid updates from uh bonnie henry dr bonnie henry who is our chief medical health officer here in bc um and uh this is uh not just interesting in in terms of uh covid but it's really it's been amazing as a master class a real master class in effective communication of difficult topics and situations and um this is uh there are so many lessons so many
pointers so many so much um you can take away from the dr bonnie show in terms of um uh how to to get across what may be a very complex topic and of course this is exactly the uh situation that we face with regard to security awareness if we're going to try and do it um the youtube channel and i have um also uh uh pumped uh all of these urls into the the chat area so uh you can go and pick up that there you don't have to screenshot the the slides although you're perfectly free to do that if you wish um the uh the dr bonnie show is is there on youtube but this is in fact the the bc
government communications channel and so you have to pick out uh the the covid uh update uh sessions from it um but it's all there now uh i i must say of course um this being the bc government they may not have made this stuff available worldwide and you may have to go to a vpn and and set your location to canada to uh to get it um but it's it's well well worth looking at that that is the background material uh what we're doing here uh here is uh dr bonnie henry um this is in fact not just a a nice picture of her this is the cover of her second book uh entitled be calm
be kind be calm be safe um and it is uh an interesting book in uh that while it uh outlines what uh actions were taken at the the beginning of the pandemic and the decisions that were made um it also outlines uh some of those decisions which related to exactly how they were going to put together the the covid updates and again the decisions outlined there and the rationale for those decisions has a lot to do with um security awareness and the principles and of effective communication uh that are important to uh security awareness so um that is uh again uh something that i would i would recommend and that of course is easily uh accessible to any of you who are
interested in that uh you can you can go and get that um that as i said it's her second book her first book is also uh well worth reading and uh that is entitled soap and water and common sense um anyways we're talking about communication uh this is an interesting definition which i recently got from somebody who obviously uh was into evolutionary biology the process by which a transmitter that's me sends a signal designed to manipulate a receiver that's you a receiver's actions in order to improve the transmitter's that's me inclusive fitness and and so uh here i am uh giving you a presentation at b-sides and of course the real purpose of this is to enhance my
inclusive fitness uh i'm not quite sure how that works out but it's kind of an interesting way to look at things now in in regard to the pandemic of course one of the uh major problems that we have come to see is uh mis- and disinformation this has been a huge a huge problem in in the pandemic but it's also a problem of course in security awareness and in the uh issues that we have to face if we're going to pursue security awareness we have to make sure that the information that we provide is right and it's it's interesting to look at the reasons why mis- and disinformation are spread are created and spread there is
of course just plain ignorance um and uh that is that is one of the aspects but another reason is fear and and this goes back to as i say you know i started out in computer uh viral programs research the malware research and one of the interesting things that i saw as as i started out in that research was that people weren't doing anything about viruses as a matter of fact um and i was just talking about this yesterday on another presentation um i was um in the early days the conferences were few and far between not like they are nowadays but um uh and and one was being put together and i contacted the the people uh
putting the program together and offered a presentation on my research into uh viral programs and they turned me down um they didn't think that computer viruses were in fact a security problem um and and that was one of the things that i saw that because people didn't understand what uh viruses were in those early days and there's an awful lot of people who still don't understand um that they decided what to do about them was nothing because they didn't want to do the wrong thing and again that's that's a similar situation we see with the pandemic a lot of people don't take appropriate precautions because they fear taking any actions in case it might be the wrong action
um and so that's it's a very interesting one and one of the the lessons that we have to learn and one of the lessons from uh the dr bonnie show is uh reduce the fear there's also legitimate contention of ideas there uh one of the uh interesting uh things recently of course is ivermectin um and uh there are some interesting theories and hypotheses about why ivermectin might uh be a treatment for uh covid um the unfortunate uh situation is that the the studies that have been done um have all been done in a fragmentary and partial basis and there really is still no evidence uh really one way or another whether ivermectin uh does in
fact treat people although um uh the the one piece of information we do know is certainly you know a lot of people are taking ivermectin and a lot more are getting sick and going in the hospital from ivermectin poisoning than are getting better from uh you know not having covid um another aspect is is fraud and there are people who are uh you know out there just uh pushing uh supposed remedies um trying to obtain money from people by by selling these things and then there are you know outright attacks that that there you know there's always in in the midst of any disaster just people who want to see the world burn and and so
uh different aspects of that now again as we we uh talk about security awareness um one of the things that we have to watch out for is uh security theater and and uh the the people you know security theater is in general is um something that uh you you are seen to be doing something even if what you're doing isn't in fact useful at all um so the the powers that be we have seen we well we don't see this much anymore but certainly at the beginning of the pandemic you saw all kinds of these things where people were out spraying and fogging in in open areas uh trying to get rid of the virus and
and as any uh infectious disease specialist will tell you there's nothing you could spray or fog around open areas that would kill the virus that wouldn't kill you or at least you know seriously uh harm you uh so you know there there are issues about you know we have to make sure that we have accurate information and we're not pretending that what we're giving people is is going to help at the same time now well as increasingly as the pandemic has gone on um the the media and and this is where uh zussman and palmer come in uh the the media has decided to jump on this and you know oh good the authorities aren't perfect in the middle
of all of this ghastly mess let's point that out and harp on it and and of course uh you know that means that they are selling more papers you know it's kind of like the media is is doing what facebook is doing which is um you know we could give accurate and well-researched information but it's um much more profitable to get everybody riled up and upset um and uh buying the the papers or or watching the television news whatever it may be uh because we're creating a sensation even though we're not helping the situation so at last to security awareness now um security awareness has a bit of a bad reputation of so many people
uh and i've encountered this over and over again um i i started out basically as i well i was a teacher uh i still am a teacher here i'm teaching you um i i was a teacher in elementary school before i ever got into uh computer security not quite but um and uh so from my perspective you know teaching training uh awareness um training is important but but so many people in our industry uh say no it's not important it doesn't work well of course security awareness is not perfect but it it does you know it's a lot better than people give it credit for because most of the people who say that security awareness doesn't work simply
assume it doesn't work and don't try it and when you try it and this is one of the lessons from the dr bonnie show it really has a serious and significant impact so security awareness let's you know when we're trying to do it um do you need charisma i mean you know look at me here do i have any charisma absolutely not no uh and when you watch dr bonnie show no uh dr bonnie and adrian dix are not exactly charismatic people um do you need bells and whistles um i here we are you know there's no bells and whistles i got the slides you will notice there's a little bit of graphics here but mostly it's just text
so i you know i don't have any bells and whistles um humor um well i hope that i do but certainly the dr bonnie show doesn't intentionally do any uh and and you don't actually need that you you can do security awareness very very effectively without trying to be saturday night live so uh first thing don't panic and that's the first thing to tell uh people when you are doing security awareness when you are doing your security awareness training as i said reduce the fear make sure that um you are telling people the threats but at the same time you are saying you know that the situation can be managed how the situation can be met what are
the tools and make sure that those tools are available to everybody you know don't don't go and say don't worry covid for example can be handled by the monoclonal antibody stuff because that's not available to anyone it's hugely expensive um much much easier of course to go and just get a vaccine shot so uh what do we do then what are some of the lessons uh that we do in security awareness well uh repetition is one of the first just simply key you know get simple points and repeat and repeat and repeat those points i can remember we have a traffic radio station uh here in the vancouver area and um of course they've got tons and tons and
tons of ads and uh as we were driving somewhere one day one of the ads came on it was for maple ridge motors and and it just kept on repeating repeating repeating the name of the company and my wife uh turned to me and said that's that's a ridiculous ad and i said no actually it's you know studies have shown that it's a very effective ad all you have to do is is repeat a simple point you are going to remember the name of that company for years and i was right because i still remember the name of that company even though we've never dealt with them uh so simple repetition react you know make sure that you have simple points
repeat them repeat them repeat them that is uh one of the essences of security awareness training how to do it now consistency um this has been really interesting and one of the big lessons again from the pandemic that it gives us in terms of security awareness uh the information has been constantly changing i mean after all uh coronaviruses are class of viruses that we didn't even know existed uh until the 60s and certainly uh covid itself well we you know we saw sars back in 2009 i believe it was maybe a little earlier than that um but you know we we didn't have a big outbreak then and and so the research um really didn't go on
now you know this is a pandemic everybody is researching it and the information is changing all the time because we are finding out new things about uh the virus and of course the the different mutations the mutations themselves you know now we're looking at the delta variant um this is like you know two and a half times uh more infective more lethal than the original uh virus that we were dealing with when the pandemic first started so um you know that is changing that is changing all the time we didn't have vaccines at the beginning now we have vaccines um some of the stuff is not changing and hand washing is still effective uh masking at the beginning
of the uh the pandemic was not a big issue now we know that uh the um uh aerosol well is it aerosols i can well droplet transmission anyways um is uh much more of a factor than uh was thought you know a year and a half ago so uh that that information that kind of information is changing and uh the importance of different aspects of the different tools is is changing the information is changing what the dr bonnie has has done in in the updates is to provide some sense of consistency by maintaining the format um the uh the format hasn't changed the uh you know it's just it's uh bonnie henry and adrian dix um who's our minister of
health that's why he's on there and and those are the people who are involved in and and they give a presentation um very often the presentation follows a very fixed uh format with uh data the latest metrics on on the pandemic um some discussion of of different aspects there are various things get reported on a regular basis and and then uh questions from from journalists and they've maintained that format for you know almost two years now and uh that's again you know it's it's comforting it reduces anxiety uh from people and and so it provides for some consistency in the midst of a situation that's that's very difficult of course in security awareness and technology in in
computer security um we are having to deal with that all the time you know the situation is changing different types of malware being produced different types of attacks are coming out the the base technology is changing all the time um everybody's everybody argues about you know which field of technology is changing the fastest and i always say that security is and has got a lock on that because it doesn't matter what other field of technology is changing that change has an impact for us in security so you know we're facing changing information all the time so uh you know find some way to maintain consistency with regard to what you're doing in security awareness you've got to have patience uh this is
particularly interesting in uh and illustrated by the uh question period at the end of the the dr bonnie show uh when the reporters are asking a question and the same person asked that same question for the 140 second time in a row or when the next reporter asks the same question that you've just answered for his her it's seven previous colleagues um you know and dr bonnie never loses her patience uh she never freaks out over over this same thing that happens again and again and again um very very uh important lesson to today learn to answer stupid questions this was an interesting one where uh one reporter really did ask a phenomenally stupid question
uh taking a huge long time to do it and when he finally finishes dr bonnie just says no and then stops talking that was really interesting um so uh uh social engineering is we we think of it in in terms of bad thing i certainly you know in malware research we know that you know security and social engineering is uh used all the time to get people to uh install uh malware on their machines but social engineering is something that we use all the time in education and uh so use that to your advantage uh make sure that um you understand uh your audience um uh use social engineering to to uh tune your materials uh it's interesting
uh adrian dix um came up with this this simple slogan bend the curve not the rules you remember bending the curve back at the beginning of the uh pandemic people were talking about bending the curve bending the curve so bend the curve not the rules and of course you know you set up mandates you set up rules you set up lockdown restrictions that sort of thing and people always try to find some way around it so you know here was a reminder you know we got to keep the curve low uh don't don't bend the rules uh so simple slogans are an example of social engineering again you know keep the point simple repeat it repeat it repeat it
um some uh moving into other aspects of security awareness and different topics that we might be addressing uh risk management um uh this is one of the things from risk management which i've found is uh has has not made its way into the public consciousness in the pandemic um and that is the fact that uh none of the tools that we have are perfect and so the aspect of of layered security defense in depth that topic really hasn't come through and you don't get to choose it's not one of it's all of and staying at home distance hand washing masks no parties you know none of those individually are perfect but all of them together
provide you with a lot of protection and it's the same with the information security you don't get to get one free click on a drive by download if you choose a good password just you know it does not work so again you know those kinds of lessons are some of the the ones that we have to uh lean on in in security awareness stick to the basic basic principles but use illustrations uh from other areas if necessary to make those principles clear to people again from risk management they to those scenes it's fairly simple math uh to prove the greater good to delay the second dose this is again something um that bonnie henry uh
uh chose to do here in british columbia a lot of people were upset that that she was trying to roll out a lot of first dose get a lot of people uh vaccinated not holding back the vaccines to provide for second doses but you know getting people out there uh with their first doses and then are rolling out the second doses and that has come home to roost now months and months later uh because we're finding that uh here in bc um we have a longer uh length of protection times uh for those who are fully vaccinated than those who you know got their second dose right around the three week mark again this is one of the interesting uh
pieces of research that's uh come out of the vaccine uh situation uh cost benefit analysis now this is this is really interesting um we in security of course um security serves the business so in in the cost-benefit analysis of um staying in isolation versus reopening the economy you know you would think that uh security serves business we would be on the side of reopening the economy but life safety is always the number one priority if for example you're going and writing the cissp exam so uh no there are higher priorities than reopening the economy uh at times so again uh some risk management decisions there um again um one of the situations that um we need to
point out in in security awareness training is is that things are not going to be perfect and this comes up in for example business continuity planning and situations like that incident response planning uh nobody is perfect and and emergency management is for emergency and uh this uh this has been amply illustrated uh not just by the pandemic but um the uh situation over the summer i mean we had the heat dome uh my entire province caught fire um you guys have had uh you know hurricanes and floods and and situations like that and and so emergency management has has been uh very much tested and found wanting in in a number of situations as i said you know it's it it's not
perfect and so again when we are dealing with security awareness we need to at least make people aware of that fact that you know this is going to try and do the best that people can but it's not going to address every aspect you know after all we are in the middle of a disaster uh something is going to be going wrong uh by the way in in regard to emergency management um and and again i put this um into the the stuff i pumped into the chat channel um uh search and rescue north shore from the knowledge network here in bc and knowledge.ca is the uh the site to go to uh again um i understand from other
people that i've talked to that this is limited to uh people in canada so um you will need to get a vpn and set your location to canada in order to get access to this but when you do go and search for north uh search and rescue north shore wonderful wonderful uh five-part documentary series uh outlining the uh the search and rescues team here on the north shore um and it's a also a gorgeous gorgeous piece of filmmaking um and when they used multiple cameras even connected to ropes and and things like that um and uh edited together in a phenomenally uh good fashion and of course it's shot here in the north shore so it's it's absolutely gorgeous scenery
that you're dealing with uh but lots and lots of good uh lessons about security management there um one of the questions that the uh reporters keep on asking how vicious are you going to get with people who break distancing rules or whatever the the rule du jour you know vaccine mandates masks whatever it may be um and and this uh question gets asked over and over again with different wordings and and and that sort of thing and uh very interestingly uh again um uh bonnie henry has refused to get involved with the the divisiveness of of this fight and she has uh an amazing variety of ways to to do that to to get out of this trap
and it is a trap really um she uh certainly illustrates the principle that you catch more flies with honey than vinegar again reduce the anxiety um do not attack people do not say you are bad for choosing a bad password but you know your life your work will benefit from choosing a good password um take that kind of position you know very very important lesson uh one of the important social engineering aspects of uh security awareness training to uh to do that now as i say uh security awareness training has been unregarded in uh in our industry um and the dr bonnie show uh bonnie henry has uh consistently taken the position that uh you need to educate rather than mandate
she would much rather provide the information in the updates than uh uh you know issue another set of restrictions and and a lot of people certainly a lot of people in the in the media have taken issue with that and said this is the wrong way to go but bc is doing comparatively well and and so you know very much thank you uh to dr bonnie for proving that security awareness does actually work because when you look at the restrictions bc has never had a lockdown that was as severe as many many other places um even right now we're we're in a fourth wave and and we do have some local restrictions in in local areas and
and certainly uh with uh thanksgiving uh this weekend you know that's when we have thanksgiving it's when there is an actual harvest not you know later in november when you guys have it but um the uh you know and they've said you know don't have big multi-family parties this year this is not the the year to do it but they haven't mandated it you know there's no thanksgiving police going around and making sure that people aren't gathering in in large numbers but bc is still doing comparatively well uh relative to a lot of of other places um and i can prove that uh because i would talk about metrics now um one of the the issues of metrics um
uh a lot of people are are on this transparency and accountability bandwagon and they want them the metrics they want lots and lots and lots of metrics well metrics should be useful network metrics um uh are not just numbers having lots of numbers and providing lots of numbers uh is you know it is not necessarily useful this this was an interesting uh cartoon that i i found recently the company notified you of a breach and shared the incident details and insights on the adversary but they didn't share that data but you have what you need if we had forensic images maybe we'd find more maybe likely not but all data isn't realistic and sharing it with
others poses other risks well they aren't sharing then you know this is what the the media is is constantly uh harping on oh by the way if there's no other way that i can get you to take uh covid uh seriously um i i don't know why this uh issue has not gotten more air time with the media if the media really wants to to do it they would uh point out the fact that uh covid 19 is linked to erectile dysfunction and i'm sure that would improve uh you know people's uh uh vaccine hesitancy and and that sort of thing but um in terms of the the format of what you're doing i talked about the
consistency here uh use an authority not an authority figure um in uh i don't know what it was uh down in south carolina uh of course everybody uh saw uh new york's presentations and and they weren't bad um but you know that was uh cuomo um uh front and center and and he certainly had specialists back him up and that sort of thing but here in bc we had dr bonnie we didn't have premier horgan uh he wasn't on deck uh adrian dix was there he's the health minister but not the premier you know and and so we had the authorities not authority figures and uh personally um you know i i like speaking to b-sides here because we
don't get the technical presentations from the vp of marketing that we get in so many other uh conferences and and uh that's you know an issue there but again back to metrics um lots of metrics in the pandemic uh case counts case rates doubling rates death rates case per capita hospitalization icu lots and lots of numbers um positivity is is one of the things oh and and by the way um in terms of metrics um there is a book by brotby and hinson pragmatic security metrics and and pragmatic is an acronym and uh they have the the different uh uh terms and and uh you know uh factors that uh you should have in in
your metrics and you know relevant meaningful accurate are part of them in there um but uh positivity rate is is one of the ones that that people have been relying on in terms of the pandemic uh here in bc we've got a big film industry um and uh they were allowed to reopen uh fairly early uh got going um they have very uh rigorous uh controls um but uh it's it's interesting they do so much testing in the film industry that it actually skews our positivity rates for the province as a whole it's it's kind of interesting so you you need to know what the the metrics actually do mean um again the metrics and and from the
pandemic um in terms of the covid updates bonnie henry uh has uh consistently uh provided modeling but refused to look at projected deaths and you know again she uh discusses that in her book you know was this going to be helpful no it was not you know modeling uh helps you planning for various things in in the medical industry but projected deaths you know while it's great and sensational for the media it's really not helpful for anybody other than undertakers so uh but in terms of the metrics um and now this this slide these next couple of slides are a little bit uh old now but um they uh the numbers still uh still hold
uh as of march comparing uh per capita to the rest of canada bc should have had three thousand dead and comparing us to you guys in the us bc should have had 6 000 dead and instead bc has saved over a thousand you know just over a thousand dead at that time when i made this slide so dr bonnie has saved 5 000 lives at that point and continues to save uh to this day on an ongoing basis uh bc plateaued at 500 cases per day since november and that has remained remarkably consistent uh it's fluctuated up and down a little bit but um dr bonnie said to vaccinate the old the deaths per day in november were 20 per
day the deaths per day at the end of march were five and that has remained remarkably consistent so dr bonnie is saving 15 lives every day that the decisions that she made the principles that i've been talking about um in terms of security awareness that are illustrated by the dr bonnie show um those are factors that um illustrate the importance and and and prove the importance of security awareness educate them and mandate education saves lives um a few other points uh change up your your slogans and that sort of thing look at security awareness in the same way you do advertising last year's commercials are boring come up with a new slogan an illustration a new
analogy but of course stick to the essentials the the basic points uh that we've talked about earlier um functional versus assurance requirements and um i this is something that we don't talk about often enough in in security functional is is our actual security tools assurance requirements are the ways that we can demonstrate that either the tools are working or that they're doing what we in fact want them to do uh for example um you go to a restaurant um hand hygiene is important you don't want anybody uh you know making your food with hands that are unsanitary and therefore you know uh getting you sick by doing that um and of course you go in all the restrooms
and they say you know employees need to wash their hands but yes that's a functional security requirement but it doesn't give us any assurance requirement you go to a subway and you see they put on those gloves cheap little little gloves plastic bag gloves but you can actually see that they have the gloves on so you know the functional requirement of hand hygiene is there but you also have the additional assurance requirement of actually seeing the gloves and this comes out in a variety of ways um uh mask mandates in schools interesting thing um the the functional we're looking at isolation we're looking at masks physical distance i mean they're all problems in schools you know we're we're putting
kids together hand washing is probably okay because kids can make a game out of anything or you can make a game out of anything in a game that's that's a good security awareness point make a you know game out of things um but uh in terms of the assurance requirements detailed contact tracing is is how we can get assurance and we find that even though kids are getting more sick these days there's still very low transmission in schools when you do the detailed contact tracing as to where they got uh the infection uh bars versus restaurants bars um here in bc we had a really interesting uh restriction that bars had to stop serving alcohols and
restaurants had to stop serving alcohol before 10 pm now is alcohol more dangerous after 10 p.m than it is before 10 p.m yeah but in fact um the uh looking at the numbers after that mandate came into place indicates that yes it was very effective so uh interesting to look at the functional versus assurance requirements in terms of security awareness don't speak down even complex topics people will get it if you explain it properly if you can't explain it simply you don't understand it well enough and that was said by smart person albert einstein that also is is quoted in soap and water and common sense by dr bonnie henry and as i say both of those books are
very well worth reading um so we're approaching the end of our time okay okay hopefully i've mentioned defense in depth before so we don't need to do that um one thing in regard to the dr bonnie show during the the wildfires this summer the bc wildfire service tried to have a similar messaging they had metrics they didn't have the consistent format the same face the messaging and communications with the wrestling government that unfortunately did not work so again here is here is dr bonnie i i really think that she has uh done great things for us in the pandemic but also given us a great illustration of what to do in uh security awareness training and her
mantra be kind be calm be safe that is something that uh will help us in providing security awareness for all of our colleagues