Last night I was standing out in the hallway and somebody came up and asked me to think about a question that they were going to give me. And it was: if there was one moment in my career that adjusted my thinking and helped me to become a better social engineer. So I gave that some thought for about an hour, and when he came back I said that one event was hiring our next speaker, Michelle Fincher. Hiring her did a lot of things for my business, because it added professionalism to us that we didn't have before. It added the ability to be proud of the work that we put out and the reports that we put out, and it made me a better social engineer, businessman, writer, because she demands perfection and scientific proof of everything I say. Which I appreciate now. Maybe I didn't at first, but I appreciate it now. So I know you're going to enjoy this if you haven't heard Michelle speak before. Just join me in welcoming Michelle Fincher.

Hey, y'all. You like the dress? Actually my husband picked this out for me, and I wanted to segue into my talk a little bit. I'm going to tell you a story about my husband. We met in martial arts class. It is the classic love story. I was a belt above him, so I really thought I was badass, and at the time what we would do is have a sparring session before we broke off into our separate belt levels, and, you know, we chose each other. I think there was probably a little preliminary chemistry there, but, you know, I thought this is going to be easy because he's a belt below me and I'm just going to humiliate him. Well, what happened was the sparring match started, he punched me right in the face, and I said, baby, you're going to marry me. So let me tell you why, though. It is not because I'm a masochist. He didn't break my nose. He didn't give me a black eye. Here is what he did. He treated me as a legitimate opponent. He tested my decision making.

He basically said, you made some decisions about not putting your hands up and I tested that appropriately. And the reason why I fell in love with that man was that moment in time when I saw the measure of the man that he is, because he respected me enough to give me a fair test, and I'll tell you what, I never let my hands down around him ever again. So this is the talk that I want to have with you all about your security programs. I think all of us, or many of us, are involved in infosec and we like to think that we're doing a good job, but sometimes I think everyone reaches a point in their security profession where they're saying, things are just not working quite the way I thought they would, and my population isn't listening to me like they should, and I don't really understand why. So let's talk about a few things that can be impactful in the decision making that you have in terms of your security program.

All right, so let me see a show of hands here. What is the state of your security program? The greatest of all time. Come on, show of hands. Who's got the security program that is the greatest of all time? Come on. Serious? Oh yes. Yes, the man in the back in the social engineering shirt. The greatest of all time right there. There's one in the room. All right, how about this. How many of you have security programs that are extremely average? Okay, I see a few more. This is making me a little hopeful. Third option is still available to you. Mostly dead. Show of hands. Anyone? Anyone? Okay, I don't feel really bad about that, although, you know, it would have been nice to have more people than my boss say that their security program is the greatest of all time. But we're going to talk about why mostly dead is okay, and most of that has to do with the fact that there's a lot of room for improvement. But the next question I have for you before we get to that is simply this. How exactly do you know?
How do you know that the state of your security program is where it is today? So let's see a show of hands. Realistic testing, education and statistics. Who here does that? Show of hands. Ooh, we get a few. I like it. Okay, show of hands. You give your folks CBTs once a year. No laughter. No derision here in this room. Okay, got a few there. We still have a third option for the rest of you. How about disco pants and haircuts? Okay, so yeah, disco pants and haircuts. So many of you may feel like your security program is a little bit chaotic and it needs a few points of emphasis. So the good news is, you know, having a security program that is mostly dead means it's slightly alive. There are things that you can still do, and because I have the background that I do, we're going to talk about three major points. It's going to sound like I'm shoving a lot of information in your general direction, but I promise you it comes down to really three things. Understanding how your population thinks. Understanding how they feel. And understanding the decisions that they make.

Okay, so let's go to the first point here. Understanding how your population thinks. The previous speaker, oh my gosh, John, had a lot of really good points about cognitive bias and the mistakes that people make. Now let's talk about a couple of these. Overconfidence effect. This is the tendency to overestimate your ability or knowledge in specific areas. We all have a tendency to do this, but if you had to guess between men and women, who suffers the most from overconfidence? Yeah, guys. Men, generally speaking, tend to rely a little bit more on overconfidence. We'll talk about why that can be an issue, because the next one is one of my favorites. Dunning-Kruger. Does anyone know what the Dunning-Kruger effect is?

Okay, so Dunning-Kruger is the interesting effect that when you learn a little, you know, you learn about this much about a particular area, you suddenly feel like the heavens have opened and you're now an expert. That's why if anybody says that they're an expert in something, you know, have caution with that. I remember in my martial arts class the philosophy was that if you got to first black, that's when you actually had the door open to you. That's when you were a legitimate student of the art. But what we had were a bunch of white and yellow belts running around saying, I know all there is to know about kung fu and I'm going to prove it to you in this sparring match. So Dunning-Kruger is interesting because there's a point in time where a novice has just enough information to be deadly, okay, and there is a point as you go on in terms of knowledge in the field where you actually realize that you don't know as much as you should, or the field is much more complex, or there's way more stuff to know here, and your confidence actually takes a dip. Finally there's a point in time where you feel like you've spent enough time, enough research, and understand your topic (hey, Mike, white rhino) so that you can feel relatively confident about your choices. In terms of overconfidence and Dunning-Kruger, UTSA did a really interesting study where they found that most people think they're much better at detecting phishing emails than they actually are. I think that's no surprise to any of us who are here in the security industry, but it's important to understand that this is a tendency that your population is going to have. Okay, they think they understand phishing emails or phishing calls, and they understand how they work and they know how to recognize them. Proof of the matter is that, generally speaking, they're not very good at detecting those kinds of things at all, so this is something that you need to understand.
Confirmation bias. Now, I think John talked a little bit about this, but basically the misconception is that our opinions about everything, about life, you know, about everything that you can think of, have to do with many, many years of collecting facts in a rational fashion, adding up the totals and creating a balanced opinion based on facts. What we actually know is confirmation bias is basically a way of thinking that says, I have an opinion, I know what I think about things, and I'm going to collect and remember all the pieces of information that actually fit into this box and help strengthen my opinions. Okay, that's a really, really important point to think about, because people are much more likely to be open to you if they already agree with your opinion. So think about how difficult it is if you have a population that knows they're good at detecting phish, or knows what they need to know about security, or, you know, perhaps you have management that thinks that security isn't a problem. That is what they believe, so they're going to read the stories, they're going to remember the information, and they're really going to bolster their opinions about security based on the opinions they already have. Okay, so think about how difficult that makes your job.

All right, so why does all of this matter? Well, there are dozens and dozens of biases. I talked about biases a couple years ago here in SE Village and we went over some of them, but basically all of these affect the way your population makes decisions in life and in corporate life as well. So let me give you an example why it matters. So again, overconfidence is an overestimation of one's abilities in a certain area. Dunning-Kruger is a belief that, you know, despite a relatively small amount of knowledge in an area, you are actually much more competent than you actually are. And then confirmation bias is the idea that you collect information that confirms what you already believe.

How does this affect this gentleman's belief system? Let's take a look. Okay, the sound isn't important, but what I'm going to note is the man is in a public place doing coconut breaking on the news. Here he goes. He's feeling good. He's feeling good. He's starting to wonder. He hurts his hand. Out, out, out. And I'm really starting to feel bad about my abilities in a specific area. Okay, we don't need to go any further on this because we understand how this ends. Now clearly he had an opinion about his abilities; the man is sporting a black gi in public and breaking coconuts. Okay, so why cognitive bias and understanding how your population thinks? It is because the thinking errors that we make impact our behavior. If you understand that as a security professional, you can start to craft your messaging in ways that work with your population and not against your population. All right, so that's one third of what I'm going to talk about, how people think. Let's go on to how people feel.

All right, lack of diversity. So this may be something that's killing your security program, simply because diversity, as it turns out, is really, really important in terms of the decisions that we make. John talked about groupthink. So groupthink is something that happens because we think cohesiveness in a group is very desirable. We want a team that has good synergy, we want to be able to agree with our co-workers and make decisions together, and that's great. The problem is when you have a highly cohesive group, they tend to make decisions that are bad, because there may be one or two guys that disagree but they don't want to break cohesion, right? They don't want to be the guy that says, you know, I don't think this is going to work, because that may affect their relationships within the group. So what happens is over time the way the group bends is based on what people feel is consensus but is actually not, and that leads to really, really bad decision making. So if you have a security team that's really tight, okay, you guys work really well together, you have great chemistry, you have good relationships, you play poker on the weekends, think how difficult it would be if you're the one guy that says, ooh, this is a really bad decision. Okay, it may be really hard to bring that up unless you have a culture that promotes this sort of disagreement.

Creativity killers. Does anyone remember my talk from a couple years ago where I talked about ambiguity? Does anyone remember why ambiguity in a situation is scary to people? I had a picture of a leopard that was, like, camouflaged, right, and asked you why. If you go back to being a caveman, if you're in a situation where you're not quite sure what's going on in the environment and it's very ambiguous, what about it makes us feel weirded out in situations that are unclear? Come on, I say this in class all the time. We might... die. Thank you, April. Yes, it all has to do with death. So basically it's a survival instinct. We don't like ambiguous situations. And what is creativity? A creative person is somebody that comes in and throws a hand grenade and messes everything up and asks a lot of questions and makes you uncomfortable, because back in the way back we could die, and we don't like that. Okay, there's a lot of interesting studies. We talk about valuing creativity as a culture, but we really don't like it. We don't like the guy that comes in and asks all the questions, and that's because, again, it feels dangerous, it is unsure. We want to make those sure decisions, and creative people make environments that are really, really uncomfortable for us.

Okay, let's talk about types of diversity. There was a very, very interesting culture report that came out this year; I've got the link to it if anybody's interested. But diversity, I think we've been hearing about diversity a lot, right? We've been talking about the arguments between men and women, especially in infosec, and I'm not going to talk about the fact that it's important, because I think we can agree that we all don't want to look the same and think the same and feel the same. But I am here to suggest to you that diversity is something that's really important to a secure culture, and I'll talk about a couple different things. Gender. This particular study indicated that women and men are very different in terms of risky behavior. If you had to guess, would you say women are probably more or less risky than men? Yeah, less. Okay, and that means that men take greater risks. The interesting thing is, men, you reported a better understanding of the rules, but you didn't comply. Okay, so if you think about it in terms of security, why would you want to balance? So if you have too many women in an organization, and you know that women generally as a population aren't risk takers, what if you have too many women? What might that lead to? A lack of growth, right? Exactly right. But if you have too many men in an organization, what might that lead to? Yeah, chaos, not following the rules. Okay, so gender: ideally what we would like to see is a balance, like we want to be in a company that has good growth but doesn't make stupid decisions.

All right, cultural differences. There were definitely differences found between cultures, and that is culture in terms of nations and where you come from and your people. Some cultures report higher understanding, some cultures report higher compliance, some cultures have a culture where they talk a lot amongst themselves about what's secure. So think about your population, as both your security team and who you're trying to protect, and the fact that you are working with lots of different cultures, and not just where you're from but what your family is like, whether or not you like to talk, whether or not you like to think, and that will make a huge, huge difference.

All right, age versus exposure to tech. Now I'm not crapping on the millennials here, but I'm going to caveat this: this was a cross-sectional study, okay? It just took a slice of the culture at a single point in time; it didn't follow a population over time. But what they found was that secure behavior actually was better in the older population as opposed to the younger population, and so it's not really an exposure-to-technology issue, because young people have been exposed to technology from the beginning, right? As old folks we still remember what the rotary phone was. I think it was one of our guys, Mike, who had to explain to his kid what does it mean to say, I'm going to hang up the phone now. Weird, right? Because he didn't understand it. So his son had been exposed to technology from the beginning, and yet what we're seeing is that that is not the factor that tends to predict secure behavior; it is age. It also makes sense with a lot of biopsychology stuff. We know for a fact that our brains continue to evolve in terms of logic and reasoning well into our mid-20s, so that makes perfect sense. When you're 21 and you're posting, you know, drunk nudies on Facebook, we get that. But again, think about your population. If you're dealing with a lot of millennials, or just a younger population in general, you're going to have to make different decisions and craft your messaging differently to really reach them.

All right, time on the job. Again, this has to do with, um, think about culture, right? If you've just been hired, you're not going to be really invested in making sure your company is safe. So if you work for a company where there's a lot of turnover, something about the development of culture is very, very important. You have to consider how you're going to create that messaging for your population based on the fact that you've got people that are constantly coming in. But if you have a kind of population where people stay on the job a long time, that means they've internalized the culture; they understand and they feel like the culture is a part of them, and so secure behavior is going to be something that's very, very important.

Why does this matter? Well, this was actually a really interesting example. World War Z was a fun book; it was an okay movie. But there was an interesting scene in this where Brad Pitt, the main guy, was flying around trying to figure out what was happening with the zombie culture. You know, there were zombies attacking and everybody was dying, but for a very brief period of time in the movie Jerusalem was safe. They had caught the infection very early and built a wall around the city. So in this particular scene Brad Pitt is asking his Israeli counterpart, well, how did you guys know? You know, how did you predict what was going to happen? So again, this is the movie, I get it, but this relates to all of these cultural kinds of emotional decision making and how these folks overcame this with the way they set up their decision making process. A month later they are attacking all those folks that you see so excited to make change. "...the same information arriving at the exact same conclusion, it is the duty of the 10th man to disagree. No matter how important they seem, the 10th man has to start meeting the assumption in a little night of Rome. And you were the 10th man." Exactly. Very dramatic, but it was kind of like a perfect illustration of what I was trying to talk about. And the reason why that's important is because we tend to hire people that we like and that are like us, who think like us, who have the same kind of values. But really what you can be doing is hamstringing your security program if your entire security team looks and thinks and acts just like you. I get it, you're not always going to be able to hire an Asian woman, a black guy, a teenager; that's not going to happen. What is important, though, is that you make it a priority to hire people who don't think just like you, okay, who have a difference of opinion, who come from a different place. Because what you want is a cohesive team, yes, but what you also want is a team that's comfortable enough to disagree and to think differently and to think about different creative solutions to the problem. Okay, does that make sense?

All right, so let's go on to point number three, and that is the decisions that they make. All right, lack of consistency. Maybe a third aspect of what is harming your security program. Now, consistent messaging with respect to training, and what kinds of decisions you want your population to make, and how you want them to report, and what happens as a result: these are all consistency of messaging, and these are reflected in your cultural norms. Okay, we figure out what is okay and what is not okay based on what is continually rewarded and/or punished. Like, um, causing me, we come from a culture where we value the screaming of babies. Okay, maybe not so much here, but this was good luck, man. This drives off evil spirits. Many of you may think this is strange, and I think it's awesome, but basically your cultural norms are going to have an impact on the decisions that people make. Again, this is what they internalize. Okay, so if you are inconsistent in your messaging, if people aren't sure if they're supposed to report phish here or here, or if they feel like they're going to be punished for something they do one way and rewarded for something they do another way, it creates a situation where they can't make a good decision and they're not going to be learning the lessons that you want to provide.

This goes right into learning theory. If any of you have familiarity with learning theory, reinforcement schedules are really important. Are you rewarding your populations for the behaviors that you want to see? How often are you rewarding them? Because that makes a difference. If your populations are learning a brand new behavior, they need to be reinforced on a regular schedule. After that behavior is acquired, you want to reinforce your population on a less than regular schedule. Okay, there's a reason why Las Vegas is still in business, right? Because you're pulling the slot machines and sometimes you win and sometimes you don't. You know how to pull the slot machines, but why is it that people continue to pull those slot machines? Because, you know, chances are that the next pull they're going to win, and that is a reinforcement schedule that is irregular. It's extremely powerful. The other thing you guys got to know is punishment does not work. Punishment is where you are providing something bad to decrease the behavior. Now, punishment basically needs to be severe, it needs to be immediate, and the effect goes away as soon as you leave the room. Okay, so think about this. Think about when y'all were kids and you were trying to get away with something. What did punishment actually teach you? How to get around the rules, right? Exactly. So think about this and how important that is with respect to your population.

Okay, so why is this important? Well, because we're basically monkeys, okay, and my example is monkeys. I won't show all of this, but this was just so awesome. "And now onto an unusual tip to fight off that business crisis: a Japanese tavern is bringing up a new generation of customer-pleasing waiters. Look at monkeys. Are we ready for some monkey business? This sake house in northern Tokyo employs two popular and unusual waiters. They are named Yat-chan and Fuku-chan and are a pair of Japanese macaque monkeys. Four-year-old Fuku-chan has already two years of experience under his furry belt. His main duty is delivering hot towels to customers before they order their drinks. Yat-chan first learned by watching me working in the restaurant. It all started one day when I gave him a hot towel out of curiosity and he brought the towel to the customer. Both monkeys are well appreciated by customers, who tip them with boiled soybeans. The monkeys are actually better waiters than some really bad human ones." All right, so here is the point. These are pretty complex behaviors, but even monkeys can be taught proper behavior provided they are given proper reinforcement. Okay, so that is the point. I know your population is smarter than monkeys. I promise you they are.

So I know I've only got five minutes left, so I'm going to rush through this. What can you do? Here's some things that I want you to consider. First of all, you need to be aware of bias: your bias, your security team's bias, and your population's bias. How are they thinking? How are they making decisions as a result? And where can you have a little fudge to teach them a little bit, and where do you have to work outside of those bounds? Hire diversity. It doesn't have to be skin color or gender; it has to be people who think differently and bring different things to your team. Um, be available. Okay, one of those things is you don't want to have an adversarial relationship with your population. They need to feel like they can come to you with questions and problems. Understand learning theory. This is so important. We see so many companies that punish their population, but really, if you provide proper reinforcement you're going to get that behavior, I promise. We are monkeys. And remember that this is an ongoing process. You're never done. Okay, this is security. This is something that we do; it's not something that is done.

All right, last slide. Well, second to last slide. Okay, here are the three things I want you to take away. Humans rely on shortcuts. Okay, that is how we think. We have to do it because we don't have enough mental energy to process all the information that's coming in. That's how we think. Humans care about norms and groups. We belong to cultures, we have values as a result of cultures, we internalize that information. That is how we feel. Simply filling people up with facts is not going to make them better decision makers. That's a deficit model that says, if I just throw more facts at people, if I just train and go over and over, they're just going to make the right decisions. Here's what we found in a particular study: there is a relatively weak correlation between the amount of training and decision making. Okay, that missing piece is culture and decision, helping people make decisions as opposed to just throwing more facts at them, assuming they're going to know what to do.

Okay, I hope that made sense to you. I know this was a very short presentation, but I'm afraid to go over because Amanda's going to smack me. So if you have questions, please feel free to contact me. There's my email. I'm sultry asian. I promise I didn't make up that handle on my own. No, I did not. But I thank you so much for your attention, and thank you for coming to the village. Love you guys.