Alright, so we appreciate everyone being here. We have our first speaker, John Nye. He's the Vice President of Cyber Security Strategy at Synergist Tech and has over 10 years of experience in the security and IT industry. He is or has been an auditor, consultant, hacker, speaker, father, leader, and writer. So we want to give our attention to John Nye's theme, "The Human Factor: Why Are We So Bad at Security and Risk Assessment?"

We'll see if you still want to clap when I'm done. So as he said, my name is John Nye. I'll make the introductions brief because they've got a timer over here and I've got a lot to tell you about. So he told you this: I do security. I was a pen tester for the last 10 years doing technical stuff, and I'm sick of seeing the same stuff over and over again, and I think we need to fix the root of our problem, and that's what I'm here to talk about. I work for a company called Exilio / Synergistic and we do consulting mostly for healthcare.

Alright, so let's get this rolling. Wetware, which is all of you, we, and by we I mean every single human being, are all biased. And I mean the most enlightened person you've ever met in your life, they're still biased. They have biases that control them. It's an ingrained part of our core selves, of our humanity, to have these. And without it we wouldn't be humans. I mean, we have to have these biases, but we also have to understand them. Think of it this way. Each and every one of you came into this room today and you had some sort of preconceived idea about why you came here. You know, maybe you saw my tweets or the blogs I was posting on Peerlyst, or somebody dragged you in here, or the line was shorter than the other ones. You know, there's a lot of things. Or you're here to get a seat to see Jason and Michelle talk, whatever. You know, you had to get in here. Or maybe you hope to learn something. Maybe you think I am completely full of shit and you want to prove that.
You know, there's a lot of things you can do. You want to prove me wrong. That very well may be it. Then you all came in and sat down and you're like, I wonder if this hour is going to be worth my time. All of you thought about that for a minute. Then the biggest hurdle for all of our bias is when you saw me. And you're like, okay, this guy looks like a tool. You know, maybe I look like a tool or maybe you thought I'm cute. I am single. So that's awesome. Come talk to me afterwards. Or a million other things. You know, you could say you hate my jacket. It looks stupid because my sleeves are rolled up like Zack Morris, right? Or my hair. Or you like my hair. Or a million things you could say, positive or negative, thinking about me on first impression. And that absolutely guides how you're going to view what I have to say. The entirety of how we feel about people, situations, risk, decisions, ourselves, others, all of that is directly linked to these biases. Which, as you will see, are directly controlled by our emotions. And that has a lot of implications.

So it appears, as best as scientists can tell at least, that this is actually our brain's mechanism to keep us safe. Because if you think about it, at every given second every single person in the world is getting so much data thrown at them. All of your senses. All the stuff you're thinking about. The emotions you're feeling. And it's more than a person could deal with. It's more than you could handle. More than you can conceive of. More than we can fathom, the amount of information that we're getting at any given second. Because of this, our minds handle the vast majority independently of our conscious mind. So we don't even know what's going on. And that way we're not inundated at all times. We're happy, oblivious to what's going on around us. The vast majority of what's going on around us. And it's only possible because our minds have found this mechanism to stay sane. And that mechanism is not trusting you.
Your brain does not trust you to do stuff. At least not with your conscious brain. So now you see your brain doesn't trust you. You need to think about whether you need to keep trusting your brain.

So the main topic: what is the most important node on your network? We're all hearing about important things on our networks. Well, I'm going to get you in the right frame of mind before we dive into this. Think about a disagreement or a situation where you had to convince somebody of something that you had facts behind. So how many times has this happened in those situations? You come into this confrontation. You have significant, strong, irrefutable facts and evidence to show them. But no amount of logic or reasoning actually gets through to your opponent, to the other person you're talking to. They've dug in their heels. They won't budge. We've all seen it. And I know it's not unfamiliar to you. We see it every day at work. And I'm not just talking about idiots. These are smart people. We all know smart people who also believe things that we can't fathom and we can easily refute. They believe it. The question on the screen is rhetorical. I don't want everybody to yell out an answer. But I hope you've all thought about it. And in case not, the answer is humans. The most important node on your entire network is not a technical node. It's the biology. So think of the times you watched someone, despite all the evidence and warnings to the contrary, proceed to make a horrible decision. We've all seen it. In fact, if you want to use your own 20/20 hindsight, I am sure each and every one of you has an instance like this. If you're like me, you probably have an instance like this in the last couple days. And that's fine. We're in Vegas. This is a great time to make some bad decisions. So I'm going to do my best to help you all understand the people that use your networks, including yourself, through this talk. These are the broad topics we're going to cover.
And as best I can, you know, we're limited on time, so I'm going to bull through all these things. But I want to tell you right now, this talk is an introduction. These are topics and concepts for which there are dozens of books, hundreds of research papers. I could not even begin to touch on all this if they let me talk all day, because there is so much. So what we need to do is all of us need to dig. We all need to start looking at this. There is science out there. There is information that can help us. And we'll look at the studies out there right now in decision-making, memory, perception. Their insights have been applied to all sorts of industries over the years with amazing success. Financial corporations use it because they know we're irrational and it's helped them a lot. We see it in, anyways, we're going to look at decision-making, memory, and perception. And you'll better understand what we're getting ready to say here.

So like Soylent Green, what is it? It's people. And people are the single most important asset on any network. Computers, let alone the network itself, only exist because people use them. And despite, or perhaps because of, their best intentions, people are terrible at decision-making and by extension, security. All of our user education efforts, are those pointless? Can we better understand our users? Is that possible? These are the kind of things we need to answer. Knowing what makes people tick, that's the key to keeping our non-biological systems secure as well. The best hope we have to move beyond the reactive security model that we're all living in, and I know it feels like Groundhog Day to me, is that we embrace the truth of the human component of our networks. And we have to keep in mind this is a very difficult journey to take. Our brains are full of these safety mechanisms that make this stuff hard for us to grasp, and we consciously want to not believe it. Like, my brain doesn't do that to me, I make good decisions, etc.
But all of this is applicable to everybody. Let's get an understanding of what perception is. So I want to start this section here with an illustrative story. Set the stage so you can begin to perceive what perception is. It's a very difficult concept for people to get. But story is one of the most powerful things you can use to illustrate concepts like this. So when I was a kid, my uncle, he collected horses, not like pretend horses. He had real horses, like draft horses and all that stuff. Well, I was a city kid and I didn't know a lot about him, but he'd tell me about some pony that was growing up and he was going to have to break the horse. I didn't know what that was, so I made up what it was in my head. And to me, what I pictured was like a horse owner, which was of course, you know, it's like a cowboy, rancher-looking guy, he's got leathery skin, a big bushy mustache and he'd always be like, what you looking at? You know, yelling at everybody, sitting on his big huge horse, and he would have to literally break the smaller horse, break it. That's what I imagined. So I pictured him taking his lasso and lassoing this little horse, diving on it, doing some sort of Hulk Hogan-y, you know, headlock and literally breaking its back and then nursing it back to health so it would be docile. That's what I pictured. And now, that's not what breaking a horse is. I know people in here have dealt with it. Not that I really know much about it, but for a surprisingly long time, this preconception that was made up out of whole cloth by my six- or seven-year-old mind, it stuck with me. And still now when I hear it, which is super rare, when I hear about somebody breaking a horse, the first image I have is somebody breaking a horse's back. I know that's not what happens. But you could see how my perception of this act of breaking a horse led me to have negative feelings toward the people that did this.
So I had a bias against country music for most of my life because they talked about horses and I was like, I like animals. I don't want people to do that. So, you know, we all have these biases. So maybe you're a vegetarian and you think people that eat meat are disgusting, secretly, maybe not so secretly. Or one that I see everywhere is with sportsball, whatever sports team you're into, the player for your rival team who you hate until they come to play for your team and then they're great, you know, and it's total, it's just the bias in there. So our perception is one of the most important things for us to understand. As humans, we have our own unique perception of the world, and the default setting of our perception is to be narrowly focused on our own point of view with no concern for others. So by default, the world does revolve around you. By default, that's how it works.

Again, another story about when I was younger. I lived near my grandfather and he was a professor in sociology and I didn't get to talk to him about that. I was too young, but one day he did a really rare thing and he took me out to lunch, which I think was maybe the only time he ever did, and proceeded to tell my eight-year-old self a litany of life lessons that went in one ear and out the other because I was eight; who the hell remembers that. But he did say one thing to me, and he said, John, remember, it's all about perspective, and if you understand that, you can understand anything. Now, we're in a room full of hackers and I honestly think that this is something that hackers do well. We excel at this. We're all able, but we need to use it beyond the need to approach systems and software from the perspective of an attacker. We need to use that skill to see the perspectives of our users, to see the perspectives of our coworkers, of the person that sits next to you.
So rather than beating users, berating them with security requirements and making it harder for them to do their jobs at every turn, maybe we need to work to better understand them and better understand perspective. So there's a whole lot of special images, videos and sounds out there that severely affect our perception and make us question what we're actually seeing. These images are here; these either illustrate perception, like in the two cartoons, where that guy is seeing that number from two different angles, a completely different number. Or they show you something that appears to be something that it's not. This thing in the upper left-hand corner, if you took a ruler to it, you would see that those lines are parallel, not askew as they appear to be. And it's because the pattern of blocks messes with our brains. Or you have other pictures like the two on the right-hand side that appear to be more than one thing at the same time. You know, is that a guy head-on or in profile? How many legs does that elephant have? So all these images illustrate how perception is not consistent. They're not all seeing exactly the same thing. You don't go home at night to the same family as your coworker. You don't know what they really believe, with their biases, their prejudices, their passions, all the things that make them who they are. You don't know that. We can't presume to know that. So how can we presume to know how our user is going to react to something? Or training is a great one. From the perception of those that design the training, it appears to make sense. It probably even looks compelling. And probably to some small percentage of your population, of the population, yeah, it might be that. But not to everyone. And it's because their perception is different. So I mean, like, why does the cashier in the cafeteria care about protecting her Outlook account? And she definitely doesn't care if the organization's hacked. It's not going to affect her.
But from her perspective, if she could avoid losing money or losing her bank account access, her credit card, could be safer because of some action, that would matter. And that would affect her immediately. And it would begin to form habits she can bring back. They follow them unconsciously. Our perception rules us. And it's ours to rule. And this means that we all live in a universe that is well and truly centered around ourselves. And if we want to reach the rest of the world, we have to reconsider our message. We have to reconsider our assumptions and how we deliver it. But then we have to consider how people retain information.

So we look at memory. Human memory, while amazing, is inherently unreliable. And our tendency to trust it is the cause of many of the problems we have in society today, that we trust our memories. Fortunately, or hopefully fortunately, we have a long line of really insightful scientists, academics who have literally spent their entire lives studying human memory. Because of this, you would think all the misconceptions and outright falsities would not be there. But they are. I can tell you with absolute confidence that you can rely on your computer's memory far beyond your own. And anybody who's worked in DFIR or incident response, forensics, knows that that's kind of a scary thought. To have to rely on your computer more than yourself. So, for example, memory is often mischaracterized as an accurate method of recalling an event. But, like I was just saying, our perception is unique to each of us. So my memory of an event would be different than anyone else's that's there. This talk is a great example. To me, I'm on stage and looking at all your eyes staring at me. I'm going to remember that. Each of you is going to remember something different. You might remember this slide. You might remember another slide. You might remember what you're doing on your phone or what's behind your eyelids if you've been up too late.
So there's a lot of, it's different for each person. So yes, we can recall that event, but is that recollection accurate? Often it's not. So it's something to think about. At the turn of the century, this century, so in like 1999, two cognitive psychologists, Daniel Simons and Christopher Chabris, did a study to prove that when people focus hard enough on one thing, they get what's called inattentional blindness. Not intentional, inattentional blindness. In this study, the participants were shown a video of a group of people passing a ball around. Many of you have probably heard about this. And they were asked to count the number of times the ball was passed by one of the teams. And then immediately after watching, they asked the participants how many passes were made. And universally, they were right. They were able to count the passes. Good for them. But after that first question, they then asked, what about the gorilla? Did you see the gorilla that walked in? And none of them saw the gorilla. All these people completely missed something as obvious as a gorilla walking into the room, but they were able to count the things. So they were accurate. They accurately saw what happened, but they missed something, something really big. So that has major implications for witnesses and for victims where there's no other corroborating evidence besides witness testimony. We often remember even the most unique things we see and we add details. And this study is the epitome of the counterintuitive nature of our minds. In the polls since then, over 90% of people who've been asked said that they think they would have seen that gorilla. Now, with the knowledge of the gorilla's existence, they probably would. But in 2010, Simons decided to revisit this and see what he could do. So I'm going to play this for you. The audio is unimportant, but this is the second iteration. Count the number of times the players in white pass the ball. So hopefully you guys got 16.
We all saw the gorilla because we expected it. So they say about half of people miss it in real situations. Did anybody notice that? Did you see the curtain change color? Good. A few of you noticed that. Also, one of the people in black walked out of the room. I'll let it play and rewind real quick and you can see; now you'll see it because you know about it, just like the gorilla. And did you see that? It went from red to orange and there's only two players in black. It all happens right here. The player in black's gone, the gorilla's gone and it's orange. So we all see it. Hopefully it was new to you. If it wasn't, you could see that our memories being trusted as an agent of the truth is the biggest misconception about memory that there is.

So there's an organization many of you have probably heard of called the Innocence Project. What they're dedicated to doing is helping people who are innocent, who have been convicted of crimes, to be exonerated. And up till now they've been pretty successful through the use of DNA testing. They have been able to free more than 350 people who spent time in prison for crimes they did not commit. But because of false memories, false witness testimony, they ended up in prison. Or biases; a lot of it is racial profiling, things along those lines, biases we've all had to deal with. They also said on their website that on average, those people spent 14 years in prison before they were released. And they can only do this for cases in the U.S. where DNA evidence exists. So given the number of cases out there where there's not DNA evidence, and around the world, there are probably tens of thousands of people in prison because somebody remembered something wrong or thought they looked suspicious. And we all have to deal with that. So according to Dr. Julia Shaw, who I'll tell you more about in a moment, she worked with these guys and she said faulty memory played a role in 75% of those cases through her research.
And that is, again, only in the U.S., only where we had DNA available. It's pretty scary. Dr. Shaw, who I highly recommend reading or watching, she's very entertaining, wrote a book released in 2016 called The Memory Illusion, and it rolls together decades of academic studies and research and a bunch of research she and her colleagues have done. She has specifically spent her career studying false memories and working to better understand how the phenomenon works. And after her work at the Innocence Project, she and some of her colleagues began to research a method by which false memories are formed and better understand how they impact our perceptions of reality. In one study, they gathered a group of subjects and they went to their parents. Of course this is all college kids. It's research. That's what they deal with. So it's college kids that they got. They called all of their parents and they said, tell us about a couple of major events that you have a picture for that happened in their childhood. And they got a trip to Disney World or going to England, whatever. They got a couple of real pictures of real incidents that happened and asked them questions about this incident. They then doctored up a third image that showed something virtually impossible. For example, Bugs Bunny in Disney World, hugging them, which if you know anything about Disney, Bugs Bunny ain't never going to be in a Disney property. Another one was they convinced a guy that he had flown to England specifically to go have a picnic with the royal family and showed him a picture of him with the Queen Mother, with Queen Elizabeth. I'm not British. Sorry if I messed that up. But regardless, they were able to show, and without fail, all of these people believed that that thing happened to them and then produced more stories beyond just what was in the picture about these incidents. Every last one of them. It wasn't hard. It was trivial for them to do it.
In the end, they were able to say that they can implant false memories in anyone trivially. It does not take a master of hypnotism or anything like that. Another thing she covers in depth in her book, and I'll touch on it briefly in a few minutes, is how to get through to subjects, how to make things memorable, and what it comes down to, the base of it, is arousal. And I'm not talking about sexual arousal. That's always the first thing that comes to mind, but in brain science, arousal is defined, actually it's defined by the medical dictionary as a state of responsiveness to sensory stimulation or excitability, or a state of behavioral or psychological activation. In other words, your brain is active. You're paying attention, and it's a very powerful tool we can use to improve others' reactions to things like training, awareness, I know we all love that, and other important things that we need to deal with, like policies.

But we need to look at decision making real quick before we can talk about how to fix things. So our brains evolved from animal brains, and in the moment, the fight-or-flight instincts that we have inherited from our animal brethren are what take over. And some people are a little better at recognizing these effects and somewhat offsetting them, but decades of study, more of this, demonstrate that decisions made by people are as likely to be logical as the flip of a coin. So that's something to think about. For years the security industry has been trying to figure out how to mitigate some of the issues that stem from the wetware that makes IT so insecure. But IT could be considered relatively new. Cyber security is also relatively new. Like, in the grand scheme of things. But none of these concepts are new.
For as long as people have had something to be scammed out of them, there's been other people taking advantage of our natural stupidity, our natural mistakes, the shortcuts that our brains take. Scams in general are nothing new, and neither is the desire to better understand why we're so terrible at seeing these dangers and recognizing them and running from them. Oddly, according to a lot of psychological experimentation and research, one of the biggest reasons we're so terrible at identifying scams is the part of our brain we share with the animals. The fight-or-flight part of our brain is the mechanism that makes us jump to conclusions, make assumptions, see patterns that don't exist, and then we confidently use this misinformation to make our decisions, leading to many of the problems we all face every day. This part of our brain is controlled by our emotions and physiological impulses. It is not controlled by logic at all. We do not work on logic when this mechanism is activated. We are as likely to pick the logical choice that made sense yesterday as we are to pick something else. So any amount of planning and logic that we could put into our decision-making process, in the actual moment of choice this takes over. No matter how much analysis you have done, if you as a person have a stake, if that decision will affect you in any way, all that logic is out the window. It's your fight or flight, and your brain picks the thing that it subconsciously thinks will cause the least amount of regret, and that is problematic in a lot of ways. None of us are safe. This is a condition that, I believe I'm using this correctly, literally affects every last human.

And to shine some light on this, let's take a look at another discovery. A neuroscientist named Antonio Damasio, a few years ago, he and his team began studying the part of the brain that controls our emotions, the emotional center. They went and found study subjects with damage to that part of their brain.
So these were, like, medically sociopathic; they had no emotions whatsoever, they could not do that. Then all of these subjects were easily able to see the logic behind simple decisions. They could come to reasonable conclusions, they could figure out the optimal option every time, but only in theory. Only when they were talking, in their minds, they could do it, they could discuss it. But in every case, when it came down to actually making the choice, they just couldn't do it, because they had no feeling, no emotion to drive the actual choice. They were literally not able to make decisions, and I'm not talking about whether to buy a house or a car, I mean like should-I-eat type decisions. The very basic stuff. And that illustrates that despite our logic, all our metrics, our measurements, our analysis, our emotional system takes over and delivers a choice that it feels is going to result in the least amount of regret when it boils down to the actual point of decision making. And our emotions are in control of us. This movie was surprisingly accurate. I love watching it with my littles.

So much of the foundational research for this was done by a psychologist named Daniel Kahneman and his colleague Amos Tversky. Kahneman won the Nobel Prize in economics despite the fact that he's a psychologist, and specifically he won it for his research into the psychology of decision making. And it was really simple for people to equate this and understand how this could apply to the field of economics. It's tied into a plethora of industries over the years, everything from entertainment to everything we do; they think about these kinds of things. But we're here to talk about how it relates to our field, to security as a whole, and you've got to remember that security exists exclusively because of the people that use the networks and systems that we have to protect. If a system is designed to interact with another system in a certain way, it's going to just do that.
It doesn't try and change its way. People are the ones that attack networks and systems. People are the ones, are the reason the attacks are successful, and even in cases where it's like a bug in software, a hardware issue, still somewhere down the line a person screwed up. It was human error that led to that, and people attacking it. Kahneman and Tversky's insights were a major wake-up call to the world of economics. They were researching their findings. The world of economics was literally a completely different field. Before this, economists based all of their predictions on the belief, or the assumption, that people make rational choices. They do not. And they were able to embrace this decision theory that Kahneman and Tversky developed, and then they were able to completely change their models. If you talk to somebody who retired in the 60s from economics, they would have no damn clue what a current economist is talking about, because it's that much different. And so their models account for the fact that common sense, as it were, is nothing more than a fallacy and it has nothing to do with the reality of our irrational minds. Common sense is about as real as rational decisions are.

So Annette Simmons, she wrote a book called The Story Factor, a book I highly recommend if you want to reach other people in some way. Story is the most powerful thing you can do. She said people are unconscious of most of their behavioral choices. If you ask someone why they did something, they're going to give you a good reason. A very rational-sounding reason. And it has nothing to do with the real reason. As a rule, we humans aren't going to be aware of making choices, much less why we make the choices we make. We do it that way because somebody told us to do it that way. It feels right. You know, this is how people work. So there is no such thing as common sense. So just stop saying it, stop expecting it, stop thinking about it. Every single person is different.
Their brains don't work the same as yours. You don't know them. Not the real them. Common sense to each person is different. So we have got to stop that. That just makes me angry. Yes, so these revelations, among others that these two came up with that we just don't have time to go into, but I highly recommend reading into this. Kahneman has several books out. He's done TED Talks; watch it, read it, learn it. Anyways, this is the reason for the renaissance of economics. A paradigm shift in the world, in the art of negotiation; it changed how policies were written. It's affected every industry. And while it's relatively simple to see how it was applied to those verticals, why is it applied to InfoSec? Why do we care? Well, there is an overwhelming and pervasive misunderstanding of human nature in the world of IT. Not just security, IT period. And I'm not trying to say this as a dig at the industry that I love and that I am happy to be part of. I'm trying to say that we can do better. If we seriously want to move the industry forward, we have to begin to accept a few facts of life and work in sync with those instead of against them like we are now.

But first we need to break security down, or at least part of it. What is it really? It's a way to protect people, their property and their livelihoods from entities that may cause them harm or distress. And we all see where this is going. It's back to people. I really want to reiterate, I am not telling you guys something new here. I am not a prophet from the future. This is old stuff. I'm trying to show you how we could use this to change our focus, humanize IT and security. People are the core component of all aspects that there are in security. Even the most analytical ones, like big data, threat analytics, they are all driven by people. Someone had to make the algorithms. Somebody wrote the software, somebody manages the databases, they handle the reporting.
Ultimately a person has to confirm the analysis isn't just crazy. So people have to look at it all along the way. They are driving every component, from the users we are securing to us doing the securing. And if we don't figure out a better method of influencing our users and even our peers, all the people, then we can expect an endless loop like this GIF. Or JIF, if you prefer. And as we all know quite well, the vast majority of attacks start from the inside, and that is done with social engineering. In most cases, basically every single type of social engineering attack uses these tactics to take advantage of human emotions and our natural tendencies to take shortcuts. So you know Chris Hadnagy and Jayson Street, these guys are all talking about this stuff all the time. There are people out there preaching about it. But we need to figure out how we can better adapt, how we can actually make the right change.

Technology is not new, but it could actually be said to have started with the invention of the wheel. For all of human history we have been striving to make our lives better with technology. It began with the wheel, or maybe fire; paper, printing presses, plumbing, electricity, all of these are old technologies and they are all ingrained in our lives. We deal with them every day; we couldn't live without them. God, I wouldn't want to not have electricity here. None of these had any friction in becoming that way. They are irreplaceable; there were no problems. They have no problems sticking around in our lives; they're not going anywhere. All these technologies have one thing in common: each and every one of them was invented specifically to deal with a problem that all people face. Like going to the bathroom or turning on the lights. So these are technologies that interjected into our lives to fix a problem we already had.
Computers were invented to solve a problem, but not a problem that most people face, which was cracking codes. And I know that my mom doesn't crack codes or know what that would mean, but she uses a computer. We've done a really good job of interjecting computers, IT and all of its myriad iterations into our daily lives, and it's certainly irreplaceable; I couldn't live without the internet. But I'm of the opinion that there's been too little focus on the human element. We made a keyboard, a mouse, a monitor, and we were like, we're good, people can use it, they can interact. Now, it's not entirely true. There's interfaces, there's operating systems that are foolproof-ish. User experience gets plenty of buzz. I don't hear that word all the time. So I mean, they talk about it, but it's not happening. It affects all of us: the networks we're charged with securing, and certainly the users, which includes our friends, our families, our loved ones, not just the girl that works in the cafeteria. Con artists have been using all these flaws in the human for as long as there's been people, as long as there's been a society. What they're really good at is fooling people into thinking that something is their own idea. So it's the same thing our brains do. So they either convince them that the idea is their own, or that the con is something that is more advantageous to the mark than it is to anybody else, and they have to believe this. And we all know that this body of knowledge has been incorporated into social engineering, and it's almost indistinguishable now from the old tricks that worked for centuries. It's similar things. The primary key to the success of these methods is to convince the mark that whatever plan they're being swindled into is either somehow their own idea, or that the idea is so much more beneficial to them than anybody else, including the instigator. And these are basic psychology; they don't require technology to work, but technology, especially in its current form, has made the perfect vehicle,
hence the popularity of this village and talks like mine and Jason's and Michelle's, who's talking after me. All these insights can be applied to other aspects of InfoSec, and even the most exciting part, social engineering, in case you didn't guess. But to do that we need remedies. Now, I do not have the answers. This is something that we all need to figure out, but I have some ideas. We've been building our security solutions on false assumptions from the beginning. How can we expect to secure something as irrational as humans are? The answer is relatively easy: we do what the world of economics did more than 40 years ago when Kahneman and Tversky shared their findings. We change our assumptions. We no longer build our models, our software, and whatever on the assumption that users are going to make rational choices. This doesn't leave us in the lurch; we are not completely screwed. You know, rather, if you think about it, this kind of assuages that itch that we're all feeling, that internal inkling that something's just not right, which has been driving me crazy for 10 years of pen testing. It doesn't seem right. Something isn't right, and we have to try and change that. It seems to me that the latest tactic I see to deal with the human aspect of security for most organizations (and I work at a consulting firm, so I do a lot of different organizations) is to do one of two things. One is put their head in the sand, which is the "oh no, no SE on this engagement, we know we're going to fail." That is putting your head in the sand and ignoring the problem, and that's not going to help, and I know we've all heard that crap all the time. Or, alternatively, they throw more tech at the problem, which we all know is: we start taking capabilities from users, we make their lives, their jobs more difficult, like the temporary VM session that loses everything in the end, or other extreme examples out there. We have to accept that people, all of them, including us, are fallible, and they're probably not paying that much
attention, not in reality. So we need to approach the problems that we're facing from a different angle. The most obvious area that these concepts are applicable to is, of course, user awareness training, and I know we all hate that. Every organization I've worked with, the users and the security people cringe when they hear that term, as most of you probably just did. We all cringe when we hear that. No one likes the awareness training we're subjected to. It's like a PowerPoint deck once a year, and we all cheat on the multiple choice answers in the end. I know the users do, I know I do, I don't care. I mean, it's not helpful. At best it's marginally helpful. So instead, maybe we should take a cue from how humans actually think. They can't make people do things, and if we're honest, people are really just worried about themselves. So of course they love the company and they know that inherently the enterprise and security is tied to their personal happiness. That is sarcasm. They do not know that. I don't care how much they love the company, they do not believe that. Sure, logic can tie them to this; you can tie their happiness to their employer's success, their livelihood relies on it, but really, outside the C-suite, who sees the fruits of that? Not that much. And again, really, people are not rational, so we can't expect this. Assumptions, as we've been saying: don't make those, they're bad. Instead of teaching users how to protect company assets, what if we taught them about how to protect their own information, their data, their devices? Let security start at home. Teach them why, and demand that they do something. Tell stories, make it interesting. Show them how to protect their home Wi-Fi. That helps the organization anyways, because you know you're going to make them work at home, so there's even a way to sell it to your executives. And I'm sure there are dozens more ways, or hundreds more ways, that we can apply this that I've never thought of. I'm not the smartest person in this room, I am sure, and I don't
know the answers. It's going to take all of us to think about this, and I'm going to keep digging because I'm in, I'm down the rabbit hole, but hopefully some other people will jump in with me. Besides training and user education, maybe we should take a look at people and processes. What about processes and workflows? I think it may be possible to change our approach to the plethora of processes that organizations collectively rely on to ensure that business continues effectively and efficiently and safely. But instead of simply making a detailed list of steps that must be followed, maybe there's a way to design these processes in a way that the user can learn, that leads them to the most appropriate solution without, like, brow-beating them into doing it, yelling at them. People want to feel empowered, and they want to feel that they've made a contribution, and that is absolutely true. Unfortunately I don't have time in this venue to take this part of the discussion to, like, another level, because we only have so much time, but we need to take this online, we need to brainstorm. This is one I don't know for sure how we can fix, but I do think part of the answer to this problem is going to be a better focus on the human element and the use of story. And so I'm compelled to put up yet another quote from Annette Simmons, who's the author of that book I mentioned, The Story Factor. It's like eight bucks on Amazon. Just buy it, you will learn a lot. Anyways, I don't work for her. Most policy statements, she says this: most policy statements concern me. If you want to do the thinking for someone, and that is all any policy statement is designed to do (that is really important), at least story invites the human being you wish to influence to participate in that thinking process. Mandatory rules don't allow participation, and they tend to influence people to either mindless obedience or gleeful malicious obedience. And we've all seen that; that can only make things worse. And that is like, "I'll follow that
policy, okay," and you know it's a stupid policy, or it's leading to a bad place. We all know. And how can we fix it? I think it's going to take some more time to figure this out. We're only going to face opposition, especially with policy; it's critical to the enterprise, they rely on it, it keeps them in compliance. This is going to be a really hard area to approach. So in the arena of human interaction we are all equals: non-users, babies, old people, everyone. It is the ultimate in inclusion. Our humanity is the one thing that levels the playing field. We are not better than that user who downloaded a macro virus last week, and we are all in this together whether we like it or not. The only way we can actually get the elusive users to be more secure is going to start with humanizing them, telling them stories, making the habits you need for them to form good security hygiene directly and exclusively applicable to them and their sphere of influence: their loved ones, their family, their kids. That's what makes a difference. They will make changes. They'll keep themselves, their loved ones, their family, anyone they care about safer, and they'll form good security habits. Those habits will follow them, because people don't break habits. They will follow them, they'll carry over to work, and they'll have it with them, and then they make the enterprise more secure. Now all we've got to do is figure out a way to do that consistently and effectively, so I hope somebody out there knows. None of this is news, as I said, and although we don't as a collective consider this consciously nearly enough, we are all fallible, no particular group, all of us. And that tendency to err is what allows us to keep our jobs in security. It's definitely the cause of the greatest beauty in the world: art is created because of this. It's also the root cause of the most colossal screw-ups in history. It's the same things, all of this. I say it all not to paint an ugly picture of people or of anything. I need, I think this topic needs to
be brought to the forefront of our collective consciousness as a group, and now I'm talking about security people, the people who are here. We have some of the greatest problem-solving minds, the greatest creative thinkers in the world in this community. So if we can build on the knowledge that is already out there, that's been built on by other industries, to drastically improve the world for everyone, we can actually make the world safer. So let's get to work.