Okay, so we are really excited. So this is our second, this is our, well, we've been doing speeches in SE Village for like four years, but this is our second year as the official DEF contract for the human tracks. So it's really exciting. We've got some really great stuff planned for you. Our first speaker is Tomo Ishikawa. He's from Japan and I know Tomo personally because he actually came and took our course and it was really interesting to see the cultural difference in social engineering. That's the very topic of his speech is this cultural differences become a barrier for social engineering. Tomo has got over seven years of experience in penetration testing and IR and secure programming over in Japan. And he's currently studying for his PhD. So if you would join me in welcoming Tomo Ishikawa.
Hi everyone. Thank you for coming today. My name is Tomo Ishikawa. I'd like to introduce that the cultural difference became a barrier for the social engineering. So first of all today, I'd like to talk about a little bit the culture stuff. Also at the same time, we'd like to talk about the social engineering stuff. First of all, let me introduce myself. As I said, Chris introduced me. I came from Japan and I'm also, as you know, the ESL guy. English as a second language. Also, I'm also studying in the PhD. Currently, I'm working for the insurance company now in the security team in the Philadelphia. I have a bunch of the certification now in the specialized area is penetration testing, incident response or boundary management. That's kind of the stuff. So let me first of all make sure what the situation is. The currently, the social engineering now is a remarkable attack vector now. For example, H.G. Galey, hacked, or CIA director is also the hacked. But if you think about the situation in Japan, I think I have a question that it's popular in Japan. Maybe true. It's simply because the spear phishing email attack is now popular in Japan.
For example, Japanese pension system is hacked by the spear phishing email actually, but it's not so actively compared with the United States. So that is why my research question is, does the cultural difference became the barrier for the social engineering? If the culture works as the barrier, the cultural difference we'd like to say, I'd like to say cultural difference will be one of the solution. Also, the design of the, it's applied to the many ways. For example, the design of the organization, design of the corporate culture or design of the business process will be one of the effective way against the social engineering. So that is why I would like to discuss about it today. But additional note, the wide idea of the cultural difference is so important, simply because the CV is there. Have you ever heard of this idea? Anyone? Do you know about it? No? Okay. Basically, if you're familiar with it, it's fine, but if you're not familiar with the idea of a CV E0, please check the sound contents. Actually, it says that the human is vulnerable for the social engineering attack. It means that there is no particular day for the human being. So it means that there is a vulnerable for the social engineering. So that is why we say that it is a very important stuff. So I'd like to start the discussion about it, but there is some sort of a disclaimer about that. First of all, I am not culture anthropologist, sociologist, this kind of a stuff. Also, my opinion here, it's not my personal opinion. Also, it's not of my employer as a first of all. And also, we focus on the today about the difference between the United States and Japan, because actually I grew up in Japan and currently I work for the United States. So that is why today I focus on this issue. Also, maybe bias because I'm 20 years of experience in Japanese cultures, maybe professional about it, but only eight experience in the United States culture is a beginner or intermediate. So that is why maybe I'm biased.
Also, it's not conclusion. Rather, we'd like to start the discussion about the cultural difference and the social engineering relationship. So I welcome the constructive criticism, also opinion, comment, any stuff I welcome about it. Also, I do not want to discuss about the advantage or disadvantage stuff of each culture. I would like to respect both cultures. First of all, I love the United States culture, but I don't want to discuss about the advantage or disadvantage, which is good or it is not. But we only discuss a defensive workability of the social engineering. Also, I welcome any question, any comment. I welcome that, but please, please speak slowly and simply because I'm not native speakers. Sometimes I cannot understand that. So please, simply. So let's start the discussion about first of all, what the culture or cultural differences is. Maybe one of the culture shock for me is the size. If we came to here, everything is big, actually. I feel like kind of the Alice in Wonderland, everything is big. Cup is big. Food is big. Everything is big. That's one of the cultural difference. Actually, I go to the BSides Las Vegas. It's awesome, awesome contents. I actually got the T-shirt, a lot of that. Usually I wear the L-size T-shirt now in Japan, but here I wear this S-size now. It's maybe the cultural difference, but also maybe the cultural difference in the punctuality. If you look at here, in the Japanese country, actually in the country, if we delay the three minutes, they notified about it. If it was a 10-minute delay, the people, a train company, give a certificate about the delay. Maybe the punctuality is different. On the contrary, in Pennsylvania or Philadelphia, the bus delay every day, every minute. If it came the way, maybe the 20-minute delay, it's fine. Maybe one hour delay, it's usual sometimes. So there is a difference of the punctuality, maybe. Or some Pokemon Go index.
Actually, when I go to the New York City Central Park, many people walking around watching the smartphone and see the Pokemon Go, it's the same as in Japan. Actually, maybe they're the same in the culture. But also, if you want to curious about the Japanese culture and the United States culture difference, I definitely recommend this YouTube. And this guy explains how the culture is different. It's a little bit over-exaggerated, but I love that one. If you're curious about the please check the contents. But again, what the culture or culture difference is, let's ask the Wikipedia. The Wikipedia basically said there's a lot of the definition is available. But Wikipedia points out one definition, which is called by the E.B. Tylor. That complex whole which includes knowledge, belief, arts, morals, blah, blah, blah, something. But it means that everything created by human being. But anyway, we'd like to focus on some sort of custom and also habit in the business scene. We'd like to focus on this issue. Also, I'd like to a little bit introduce about some cultural difference study. A lot of the sociologists or a lot of the anthropologists have a research about the cultural differences. I don't want to mention all stuff, but I'd like to pick up one of the famous study, which is the Hofstede cultural dimension theory. He had a comprehensive analysis for the IBM employee because IBM is a very giant company and also everywhere. So that is why also IBM shared IBM value. But still there is a difference between the IBM employee in Japan and IBM employee in the United States. So that is why Hofstede paid the focus on the study about it. And they find out six dimensions, six dimensions to characterize the culture, actually. Actually, he had a lot of comprehensive analysis about the questionnaire. Also at the same time, they have a statistical analysis. Today I'd like to focus on the United States and Japan, but if you're curious about the data set, please access to the URL.
You can see any data or any country data, if you like. But today I'd like to focus on some sort of data in the Hofstede between the United States and Japan. If you look at the here, there is a six dimensions it's defined by Hofstede theory. Basically it says it sets a power distance index or individualism or masculinity or uncertainty avoidance index or long-term orientation or indulgence versus restraint, for example. If the value is so different, it means that there is a lot of difference between the culture. If the value is same, it means that culturally it's close to find out. There is the data here and there is the Japan value of the United States value. If you see some sort of difference here, there is three main differences here. We'd like to be focused on this stuff. First of all, major difference here between the United States and Japan is the Japan country as a long-term oriented. On the contrary, United States is focused on short-time oriented. I think it is true. Actually one of the good culture for me in the United States, in the United States, the decision-making process is very, very quick compared with Japan. The reason why that situation happened is because the United States focused on the short-term benefit and then they decided. That is why I think the United States culture decision-making is very quick now. On the contrary, Japanese people consider a long-term effect. That is why if you decide something, consider of course the short-term but at the same time consider of the long-term impact. So that is why they have a lot of the consideration or a lot of the discussion here and then maybe the discussion is maybe delayed. Also another index about the differences is that Japanese people don't like the uncertainty. They hate uncertainty. So this is a wonderful reason why the Japanese people don't like the investment because there is an uncertainty here. But I think United States people accept the risk. I think it's a good culture.
Japanese people don't like it. So if I say my boss, for example, if my boss said, can you do that? I will say yes when I'm sure, more than 90% sure. It's my culture. But maybe I think United States people say, yes, I can do that. Maybe sure 60% or 70%. I think it's a cultural differences. Also another difference is here. It's Japanese, United States people focus on individualism, which means that focus on the families or their own benefit. On the contrary, Japanese people of course consider the personal benefit but at the same time community benefit, for example. Many Japanese people are actually very workaholic. They sometimes contribute a company, even though they sacrifice their personal life. Maybe that kind of a difference there. But anyway, that is a difference between Japan and Japan culture and the United States culture here. Now we have some big, great background here. And then we'd like to focus on some sort of social engineering stuff. But before that, if you do not know about the social engineering stuff, I definitely recommend the Chris's class. It's very awesome. I am actually an ESL guy, but they are very informative for me. Also, there is a couple of the connections within the class, and I definitely recommend this class. If you want to curious about it, please check this website. Also today I will be discussing about the four stuff. First of all, OSINT, and second one, tailgating, also the vishing. We will talk a little bit about the Lebanon scan in Japan. A little bit there is a social engineering technique there. First of all, first we discuss about OSINT. So what does OSINT mean? I think you have an idea of what is the OSINT? Which stands for open source intelligence, and they collect the necessary information by using a public resource for social engineering. I think the cultural difference workability of Japanese culture is maybe good simply because Japanese preferred anonymity and the internet.
It means that it's a little bit difficult to do the OSINT. If the user, if the Japanese, if the people use a false name or some sort of fake name, it is very hard to find out the data itself. Also, it's maybe, it is hard to connect the separated data into one. So that is why if the people use a false name, maybe a little bit difficult. So we don't have any evidence or any clue about it. So that is why we first of all start some sort of data analysis here. We first of all, today I'd like to use some sort of the data, which is MIC 2004 research. MIC stands for the Ministry of International Affairs and the Communications. The reason why I picked up the 2014 data is simply because there is a 6th country comparison about the usage of the social media or the usage of the internet. So that is why very informative data is in this here. So that is why I'd like to pick up this one. Sorry, I was going to be small for you guys, but first data from this report, it says whether or not people use the false name or are people prefer to use a real name. There is a bunch of the comparison here, but we focus on the Japan and the United States. If you look at the here, actually Blue Line is a used false name. Red Line is the kind of people who use the real name. So if you look at the here, for example, Facebook, more than 67% of the people use the real name is absolutely good because Facebook recommended about that. But on the contrary, in Japan, only 30% of people use the real name. Now that if you think about the Twitter data, actually in Japan, if you compare about the United States and Japan, actually more Japanese people prefer to use the false name, actually. Also, chat SNS, which is a Skype or WhatsApp, also use the false name. Also in the blog, it's the same situation as it happened. So it means that this data is very shown to you. Japanese people at culture prefer to use a false name, actually.
On the contrary, the United States people prefer to use the real name from the data. Also MIC in 2004 research data show another example. As a conclusion, 66% of Japanese people have the antipathy against disclosing the real name. If you look at the here, Blue Line is a strong antipathy against disclosing the real name. And red is the moderate antipathy against the real name. If you look at the here, if you added the two bars here, 66% of the people have the strong antipathy against disclosing the real name. On the contrary, if you look at the United States people, 35% people only have the antipathy. It's a very unique culture in Japan, simply because if you look at the here, it's a total. A total means is the average of the six countries in these researches. There is Japan, United States, United Kingdom, France and South Korea and Singapore as included. If you look at the average here, actually in the average, maybe 38%, but if you compare with them, the Japanese people don't like to open the real name. So that is why a little bit Japanese culture, a little bit don't like to disclose the data and then it's mean that a little bit difficult for the OSINT. Also, this data shown to you that approximately 60% of Japanese people and United States people feel the risk to be identified even though they use the real false name. So risk recognition is the same, but still there is some sort of differences. So that is why maybe the OSINT, in terms of the OSINT, a little bit hard to do it. Of course, even though you use the real name, it is possible to find some sort of data or link the data by using some sort of technique, but a little bit hard. Let's go to the next issue, which is the tailgating issue. So what the tailgating is, basically tailgating means that breaking the physical access control by using some pretexting.
For example, pretend to be a FedEx guy or a pest control guy or pretending to be a freshman or a work from home guy or employee in a different location. I think also the culture difference is applicable in the Japanese culture simply because the Japanese culture is a detective environment. I'd like to show a couple of examples here, but basically office layout and the working style of the culture maybe will be the detective environment. So if you look at the here, if you look at the office layout here in the United States, it is a cubicle. Usually a cubicle is a very popular environment here, but on the contrary, if you look at Japan, there is a flat desk that we recognize what the colleague do it, what the colleague do it. We see every colleague. So this is kind of an office kind of environment. So the reason why does it work for the defense is simply because we easy to identify the stranger or attackers. Because this is a flat desk and we see what's going on in that environment, so we can easily identify the stranger or attacker compared with a cubicle, I think. Also, we can know the usual behavior or baseline of the colleagues or other vendors. So if the post office guy walking around in the office, it's not usual. It's maybe it's detectable. Also, if you look at the post office guy walking around in the office and if you see some sort of document, it's absolutely strange in this environment. So that is why I think that it will be this kind of environment or some sort of office design will be workable for the social engineering detection. As I would like to a little bit mention about the working style culture, but before that, a little bit look at what the working style difference between the United States and Japan. First of all, in the working style in the United States, work from home is I think very popular, but also on the contrary, Japan is not. Also in second perspective, employment mobility, I think United States is a high mobility in here. 
Many people joined the company frequently, many people leave the frequently, especially in the security field, since I think now there is a negative unemployment now, I think. So that is why I think there is a high mobility in the company. On the contrary, in Japan, Japanese companies do not, like the first of all, mid-career recruiting at the first level. Also instead, one company more than 10 years. It's this kind of a tense industry there. Also, if you look at the kind of the stuff about the new graduate job hunting, of course in the United States, people apply to the job, right? Actually if you see the job description and then examine the contents and then they apply it. But it's not usual in Japan. Actually, especially for the new graduate person, it's not job hunting. Well, it's not applied to the job, it's applied to the company actually. Actually the company usually don't open the job description, what new graduate cannot apply to that specific position, usually apply to the general position, that's all. So that is why not apply to the job, apply to the company actually. Also in the usually new graduate, graduate university, end of the March, and then they join the company in the April 1st, and then there are many people coming to the office. As I said, since in Japan we apply to the company, usually, of course, many varieties of people apply to the job. For example, I am working in the IT security consulting firm or IT consulting firm now, but I have a background of the computer science major. But at the same time, for example, if you see my colleagues, actually their background is economics or management, philosophy or English literature or linguistic guy, apply the IT consulting firm and it's my colleague. So that is why usually Japanese company doesn't care about what is wrong in the university, just apply the company. And then in the April 1st, they come to the office and we start having the kind of ceremony here.
This is a very typical ceremony in Japan. In April 1st, company work on the ceremony. This data is the Toyota's one. This is all Japan Airways. It's a very famous airline company in Japan. But in April, we have kind of the ceremony. Philosophy guy have no idea of the computer science is or what the algorithm is or what the bubble sort is. No idea. So that is why Japanese company basically creates two months, three months, four months training, like the kind of the boot camp. We learn a lot of the stuff. We have a lot of the project work after joining the company. We have a lot of the boot camp there. Actually, in Japan, there is many procedures. For example, in order to exchange the business card, we have some sort of procedure. If you like, if you take the phone call, we also have some sort of procedure. We learn our G-stuff. And then in my company case, we learn many, every freshman learn about what the programming is, what the security is, what the network is. This kind of the boot camp will be done within the two months, three months, four months. Of course, it depends on the company. And then company assigned to the division. Basically, people or freshmen cannot choose a specific job. Of course, it is possible to say, I want to go to this division. I want to go to this division. It's possible, but company finally decide which division they go. So that is why. So. And then it's very famous there. In Japanese company, and there is a job rotation system that is very popular here. I think you are not familiar with about this one. And basically, for example, my career is a penetration testing. Seven years experience is very lucky guy because I want to do the penetration testing in my job. But usually, if we get some certain experiences, usually company offer me to move another division to expand some of the experiences or expand some of the knowledge. Maybe next year or next year, company may be offered to move to another division. 
For example, development in the security products or security operation team. Maybe, I don't know, but there is a job rotation system there. So why I am talking about that one is I don't want to discuss about that kind of culture difference. Maybe you think it's good. Maybe you think it's bad. But I think this kind of the culture is create a stronger informal connection between the colleagues. What they mean is people join at the same time, more than 300 people join the company at the same time and then we have a boot camp in the two months, three months, four months. And then we do a lot of the project works, a lot of the communication. And then people don't have, people usually stay in more than 10 years. So that is why this kind of Japanese culture has created some informal connection between the colleagues. I think it's one of the cultures here. So why does it work as a difference? Because if you come to new guys or strangers, it is very easy to identify it. Usually it is very easy to identify it. Also informal connection will work as a validation method. If the stranger is walking around in the office, maybe if you say, hey, what's going on? What are you doing? Maybe we can ask the question, when did you join the company? Maybe social engineer said in 2009. So it means that we can maybe ask the colleague who joined the 2009. And then do you know this guy? Maybe it's possible to identify this guy. So that is why I think it's worked for the cultural difference. Let's go to the next issue, which is the vishing. The vishing is the kind of phishing attack by using the phone call. For example, pretend to be a computer support guy or pretend to be in the work from home or under the branches. Actually, currently I'm working for the insurance company now. We have some sort of an incident, like the computer support guy. Actually, the target is the women. She is the underwriter and she works from the home usually.
And then she got a phone call from some computer support guy calling to him. Actually, since she is underwriter and she got a phone call, the computer is infected by the malware and underwriting information is now breached. The reason why the social engineer understands that she is underwriter is because LinkedIn tells about that. Then she's very upset, of course, because the malware is infected and also the underwriting information is leaked now. The desktop support guy said, please install Microsoft Defender in order to stop the leakage. Of course, she's very upset and also she has only joined to the three months before. So, that is why she installed the product. But it's not free version. It's the professional version. She has to pay for it. But the desktop guy said, usually company provides the license but since it's the emergency, please enter your credit card and apply the expense later. And then she actually do it. And then after that, she is very comfortable and then she gives the expense application to her manager. Actually, we can stop. That manager is very clever. I see that it is a kind of a social engineer attack. They report me and we stop about it. But that kind of situation is currently happening. Vishing is very popular in the center now. So, in terms of the cultural defense workability in the Japanese culture, I think a little bit works from the work style and decision making process. So, let me look at one by one. They are working style. As I said before, the work from home is not popular in Japan in terms of that it's a little bit difficult to make the pretexting. Also, outsourcing is not popular also in Japan. Also, employees have a strong relationship and an informal connection. Why does it work as a defense? First of all, a little bit pretexting and a little bit hard. Also, if the phone call is suspicious, it is possible to ask the question by using informal network.
Actually, in Japanese companies, sometimes it works simply because someone got a phone call and then if you look at suspicious, just texting, I got some sort of suspicious phone call. Is it an authorized one or is it a phishing one? Is it possible to do that? So, that is why informal connection maybe works as a validation function about it. Also, Japan has a very unique phone call handling. I have a quick question for you guys and when your colleague gets a phone call but your colleague is not your cubicle, do you take his or her phone? Usually, no, right? Usually, ignore it. It's his business, not mine, right? Usually, ignore it. But in Japan, not sure. Usually, people have to take out if the colleague is not there. If you recognize a body, Japanese people have to take it and then listen to how can I help you and what the issue is. If possible to handle it, I have to handle it. If we cannot handle it, it's not out of my business. It's maybe just asking the question about what the issue is, who he is or who she is and also company name and then make a memo and leave the memo for the colleague. That kind of Japanese phone call handling culture there. Also, in Japan, freshmen with a new graduate or administrative staff take the phone within three rings is a usual rule. Usually, if you go to the freshmen, the first task is taking the phone call within three rings. It's serious. Actually, it's a freshman task in Japan. So that is why I was a freshman. Since I don't want to take your phone call, I'm a little bit nervous. I'm a little bit nervous to talk about the phone call. Actually, my boss has always... What are you doing? Take your phone. People actually say that. But actually, in Japanese culture, freshmen or administrative staff take your phone call and then, of course, the freshman has no idea to handle the issue.
So usually, take your phone call, make sure what the issue is, who he is or who she is and then transfer the call to the particular person. For example, it's a ministry call to my company and then if I'm with a freshman, I do a phone call and how can I help you? I ask the question and then if Mission wanted to talk about some specific issue, for example, Chris, I just recognize about it and then we say, Chris, there's a phone call from Mission about some sort of project. We say about it and then we transfer the phone call to the Chris. It's a usual process in Japan. Why does he work at the difference? It's simply, first of all, it's not intentionally, but we share the content of the phone call contents by just in the process. It's maybe we say, we share the contents through this process. Maybe practice is very helpful. We can say, if just loud, just shout out this one. Maybe intentionally, we shared some sort of contents about this one. Also, since freshmen or administrative staff take the phone call, by doing that, these guys can create some sort of baseline. For example, Tomo gets a phone, usually financial sector or insurance company call to the Tomo or government agency call to some sort of Chris. Maybe since Tomo is very lazy, accounting division call every time, the kind of the baseline will be created by this process. Maybe it's workable because if the suspicious phone call is coming, she or he, freshman guys can recognize that kind of a stuff. So that is why, in terms of creating a baseline, it's maybe workable. Also, in terms of business email compromise issue, actually the decision-making process will be helpful to stop the social engineering stuff. I think in the United States, if the boss say yes, it's done, right? But in Japan, Japan prefer to create some sort of consensus. We sometimes talk about the other guy or many division. A little bit, sometimes I don't want to do that, but it's kind of a Japanese culture.
Why that is so helpful in terms of the social engineering stuff is simply, since in the Japanese culture, if we do some sort of settlement, we have to talk about a lot of the people. For example, in my case, if we approve of something, first of all, I talk with a leader, and then I talk to the manager, and then sometimes we talk about some sort of accounting division, maybe. So we have to share that kind of idea in the various stakeholders. It's maybe workable because the various validation function by this process, and especially for the financial settlement, since we have to talk about the many people, even though the manager is stupid or goofy, but other people can't detect that kind of social engineering attack or settlement issue. So that is why we say it will be helpful. Lastly, a little bit talked about a limited scam issue. I give a couple of examples of Japanese business cultures and the workability against the social engineer. It's maybe, maybe you have the objection, it's fine, but however, but just, I think a little bit Japanese culture maybe helpful stop the social engineering or detection. However, it does not necessarily mean that Japanese culture and the people are torrent for the social engineering. Actually, a scam for the everyday people are very serious problem in Japan actually now. We see a lot, a bunch of the social engineering technique now. We have to share some sort of scenario in the Japan scam. Actually, it is one of the example. Actually it's the real one is a more complicated but a little bit simple quite about it. If you try to the target everyday people here, the recent technique is like this. First of all, attack is there. It's pretend as a police officer A. She give the phone call to victims. Recently, we arrested a scam to loops. They have the list of the future attacks and the name list include your name. They also committed the cloning of the credit card and your credit card had the possibility of abusing.
We invested in this case with the FSA Financial Service Agency and the FSA staff will contact you just calling, just calling that. This is the first step. And then maybe a couple of hours later or next day, FSA guy called these victims. She said she got the phone. I think you got the phone call from the police officer A. We investigate the malicious usage of your credit card. Please tell me last four-digit and experienced expired date of your credit card. Also, in that time, she strongly said, don't tell about the whole credit card number because it's very important information. Don't mention about that. Just mention about the last four-digit. Kind of the care about the security. So that is why it is kind of the... It looks like a very good guy. And then please tell me about the last four-digit expired code. We will match with our database whether or not it is abused for now. Then maybe some type typing noises or some sort of take your time. And then FSA guy said it is abused. So we started some sort of process to the issue, the new card and FSA staff go to your home and pick up it. People say that. Social engineers say that. Maybe it's a very strange process, of course. FSA doesn't care about the card for the ease, but for elder people, they're very upset. Maybe they're accepted. Maybe some clever elderly people say, why do you take about my credit card? In that time, FSA guy said, usually it is taken by the card company. But since it is a criminal case, first of all, we make... FSA makes sure about the credit card. The FSA guy said that. People believe that, actually. In that term, we have some sort of the technique about authority. Maybe you are familiar with Robert Cialdini. He's an awesome guy. He's a psychological guy, a psychological professor. They actually define the six principles to persuade the people. If you're very curious about that, please check the book called Influence, I think, in English.
He said about that authority is a wonderful way to persuade the person. Actually, this guy said the police are treating the police officer, or FSA staff, and they try to persuade it. And the final step, the FSA guy, some FSA guy go to the home and pick up the credit card. It looks like a very professional guy is coming to the very gentle guy is coming and pick up the credit card and then it's done. This kind of discovery recently happened in now. Actually, we call it, it is called limited scam, but recently scam is logged by a bank or some sort of the bank or some sort of the agency. So that is why recently scam try to pick up the money or pick the credit card on the they go to the office and pick up the card or pick up the money actually. Actually, one of the bad stuff in Japan that we don't have any check system, the usually if there is a check system people can stop it. It is possible to stop it, but in Japan, we don't have any check. So that is why if you want to give the money, usually cash. So that is why if the elderly people, it's if the elderly people have some try to give them the money, the usually it's cash. It is impossible to stop it in Japan situation. So that is why even the Japanese culture I never say Japanese culture is very strong for the social engineering. It still needs kind of a problem there. So, I would like to quickly wrap up my presentation. My question is that a cultural difference became a barrier for the social engineering. I think it's yes, but maybe you have the objection is fine if you have any comments please, I work on about it. But I think the beginning of my thought maybe I misunderstood my United States culture is maybe but I'd like to start some sort of further discussion about it. Also from the attacker's perspective, adjustment of the pretexting to specific culture is very important. For example, if you want to, if you plan to start a business with Japan, with Japan, don't throw away your business card. 
Usually, in Japanese culture, when we exchange business card, usually very don't throw away that kind of thing. Actually, my manager is very United, of course, it's United citizen. When I first meet, hey, it's my business card. Like, kind of a stuff. But it's not popular in the Japanese culture. I kind of try to exchange some sort of procedure there. Maybe the adjustment or practicing in the specific culture is very important from the attacker's perspective. Also, I think if the culture difference is worth, the design constellation of the culture or business process will be helpful to stop or detect or avoid social engineering. I think that kind of the design is absolutely important for that kind of stuff. Thank you for my presentation. It's the end of my presentation. If you have any questions, please feel free to contact me. There's a contact information there. If you have any question, any objection, any comment, question, please let me know about it. Thank you for the listening. Sorry, you guys, please speak slowly and simply. I can talk with the elementary guys. Cool. Great presentation. I have a change happening in the Japanese culture as the world becomes more globalized. For example, if you look at the U.S. 50 years ago, people expected to stay at the same company for their entire life. Yes, I think absolutely I agree with your opinion. Actually, for example, the SNS cases now Facebook dominates and they don't use the real name. That is why I think the culture is different day by day. Of course, a lot of people import a lot of culture from the United States or other countries. That is why culture is slightly different. Maybe 10 years later, maybe you are definitely true that. Thank you. Thank you. So, based on a social engineering concept among foreigners, they called it Gaijin Smash. You have some problems with Japanese government or Japanese police or something like that. 
You just pretend, I don't understand Japanese language, I don't understand Japanese culture if you're a foreigner living in America, you just ignore the police, walk right through, that goes very badly. So I was wondering if this could be sort of a flip side, you have cultural defense, maybe also cultural vulnerability, especially cross-cultural. If you're a foreigner, if you're a Japanese person walking into a Japanese office, social engineering very difficult, but maybe if you're a foreigner and you pretend you just don't understand anything, but that might be an avenue. I absolutely agree that. Maybe culture will be vulnerable for that kind of stuff. Yes, Gaijin Smash is absolutely workable in Japan. Japanese people is very kind to the United States people or foreign people, unfortunately. Even if they ask a question, maybe ignore it, but if the foreigner go there, they give a lot of questions, a lot of information, Gaijin Smash is absolutely workable. I definitely agree about that, definitely agree. But actually, yes, absolutely true that, yes. Gaijin Smash will be vulnerable, but also maybe it sometimes works, sometimes it doesn't work. When they take the course of the course, in the course course, we have a lot of the homework. We go to the bar, we go to the bookstore, we have something, doing some social engineering stuff. In that time, sometimes my guidance states, it's workable to put out information, sometimes people are scared to be about it. Yes, it absolutely works, it sometimes works, sometimes vulnerable, yes, thank you. I was, thank you very much for your talk. I wanted to ask, do you have any empirical data where you've experimented with this in a Japanese setting or is this more of a hypothesis? Because I think that there are a lot of scenarios where we think that we have a defense against social engineering and we really don't. 
I think that probably a lot of the people in this room think I'm really good in defending against social engineering and in fact that's not the case in a lot of scenarios. So have you done any experiments with this? I actually only for only a few experiments about it. Actually, I'm a little bit of a hypothesis now, but a little bit only a few cases I know about about the social engineering stuff now. I'm a little bit much more hypothesis, but in terms of the, how can you say? And in terms of the feeling about it is not my case or it is not, maybe I am not become the social engineer target, but for example, that kind of a scam is very popular now as the many people are get the attack by the scam. Maybe in terms of, if you analyze that kind of the case, maybe much more improve my theory or improve my hypothesis, maybe, yeah. But I would be hypothesis level, yeah. Thank you.