8th Layer Insights 9.14.21
Ep 9 | 9.14.21

Security ABCs Part 1: Make Awareness Transformational

Transcript

Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights."

Perry Carpenter: One of the big things that really bothers me is when security or IT people call end users stupid for making security-related mistakes. I'm sure you've heard the phrase that I'm thinking about. Someone tells a story about an employee falling for a phishing email or maybe sending business information in their personal email, and the security or the tech person says, you can't fix stupid, or, well, there's no patch for stupidity. 

Perry Carpenter: That type of viewpoint isn't helpful. At best, it misses the point of what the real problem is, and at worst, it's arrogant and fatalistic. It ends up setting up an us-versus-them environment that ultimately works against the organization. 

Perry Carpenter: But we also need to be honest with ourselves. There are lots of times when that employee who fell for the phishing scam or who bypassed the security control did receive security awareness training. So what gives? Does that mean that security awareness doesn't work? That's the question that we want to explore on today's episode. 

Perry Carpenter: To do that, we'll hear from several experts who know what it is to grapple with human attention, work with human nature and shape behavior. My guests are Lauren Zink, Chrysa Freeman, Ian Murphy and Dr. Jessica Barker. Let's dive in. 

Lauren Zink: When you think of a security awareness program, it's not just awareness. It's education. It's training. It's communications. It's multilayered. 

Chrysa Freeman: We all started from what we have to do - the compliance, check the box. You've got to have security awareness training. You've got to have people look at the policy and acknowledge it. And then it moved into, well, now you need security campaigns. You need to evangelize. 

Ian Murphy: I don't think you just do funny all the time, or I don't think you do serious all the time, or I don't think you can do whatever your flavor of that awareness is. I think a blend of all the different styles helps get the message across the whole organization. 

Jessica Barker: Awareness I really see as the foundation. This is about helping people become more familiar with cybersecurity, become more aware of the threats and the behaviors that you want them to engage in. 

Lauren Zink: Awareness, communications, education and training - you're going to work with different people within the organization to get those different pieces set up and working, and those are also different ways that you can reach out to your audience. 

Chrysa Freeman: Now it's really evolved to the point where, yes, we do still have to check the box, but what we really want is security-minded people, not somebody who can just recite the policy, but who is building security into the way that they think and into the way that they do their job day in and day out. 

Ian Murphy: The value for me is the emotion that's evoked and what that means around that emotion. Once emotions are opened, you can start injecting the information through those pathways being open. 

Jessica Barker: It's then about following through on that awareness and encouraging people to behave in the way that you want, which isn't just about raising their awareness. It's about the culture that that operates in. 

Chrysa Freeman: Really understanding the network and the culture that you are working with at an almost individual level because you've got to be in tune with that in order to connect with people in order to get your message across. 

Jessica Barker: There was a perception - if we could just help people understand more about the threats, then we'll have solved the human issue. But, of course, it is so much wider than that. 

Chrysa Freeman: You're dealing with humans. So you can throw technology at the problem, but it's a human problem, so you've got to have a human solution. 

Perry Carpenter: On today's show, we explore where security awareness programs go wrong and how to build an effective awareness program for your organization. Stay with us. 

Perry Carpenter: Hi there. My name is Perry Carpenter. Join me for a deep dive into what cybersecurity professionals refer to as the eighth layer of security - humans. This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. Welcome to "8th Layer Insights." I'm your host, Perry Carpenter. We'll be right back after this message. 

Perry Carpenter: Welcome back. 

(SOUNDBITE OF AD) 

Unidentified Actors #1: (As characters, singing) Give me a break, give me a break. Break me off a piece of that Kit Kat bar. 

(SOUNDBITE OF AD) 

Unidentified Actors #2: (As characters, singing) Lucky Charms. 

Unidentified Actor #1: (As Lucky the leprechaun, singing) They're magically delicious. 

Unidentified Actors #2: (As characters, singing) They're magically... 

(SOUNDBITE OF AD) 

Unidentified Actors #3: (As characters, singing) If I were an Oscar Mayer wiener, everyone would be in love with me. 

(SOUNDBITE OF ARCHIVED RECORDING) 

Unidentified Actor #2: (As character) Do you smell that? That's the sweet aroma of a workforce that values security and has good security hygiene. Smells good, doesn't it? 

Unidentified Actor #2: (As character) Sadly, not every organization smells so great. Some smell worse than a middle school boys bathroom after taco day. That's called awareness minimus, and it's more common than you think. Symptoms of awareness minimus include itchy, clicky mouse finger, policy pinkeye, unsightly and embarrassing data leakage and many, many more symptoms that simply aren't fit for polite radio. 

Unidentified Actor #2: (As character) But there's good news. It doesn't have to be that way. Your employees aren't stupid. They're human. Capture hearts and minds and those pesky clicker fingers with our proven process. It's a special blend of marketing, communication skills, behavioral science and culture-shaping techniques guaranteed to help you work with, rather than against, human nature. It's transformational. Avoid the foul stench and ghastly guffaws of awareness minimus. Try a transformational security awareness approach today. 

Perry Carpenter: Security awareness is one of those things that virtually every organization does but many still struggle with. One of the main reasons for the struggle is in its name. The phrase security awareness has an inherent assumption built into it. It assumes that just telling people about an issue or a threat or a process will naturally lead to a more informed workforce, which will then result in a workforce that naturally does the right thing. 

Perry Carpenter: But let's be clear. That's just wishful thinking. I mean, any parent or teacher will be able to tell you that that's not going to work. They can tell you that just giving out information to their kids once a year and hoping for the best is a recipe for disaster. So why do we all assume that it'll work for security? I mean, heck, even the old G.I. Joe public service announcement got it more right than most security programs. Remember that line? It was, and now you know. 

(SOUNDBITE OF ARCHIVED RECORDING) 

Unidentified Actors #4: (As characters) And now we know. 

Perry Carpenter: And knowing is half the battle. 

(SOUNDBITE OF ARCHIVED RECORDING) 

Unidentified Actor #3: (Singing) G.I. Joe. 

Perry Carpenter: And I still think that that's an overestimate, but at least it's not saying that knowing alone is enough. 

Perry Carpenter: Back in 2019, I wrote a book called "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors." And early in that book, there was a simple diagram that I used to try to get this point across. It showed different possible levels of maturity for security awareness efforts. 

Perry Carpenter: At the lowest level was compliance-driven awareness. That's a program that's only concerned with checking a box to meet a regulatory or contractual mandate. The next level is what I call information dissemination, and that's exactly what the phrase security awareness suggests. Information dissemination is a well-intentioned effort to make sure that people have the right information to make good security decisions. Organizations at this level have moved beyond simple box-checking and are usually sending out newsletters, making videos available, assigning learning management system modules and potentially even celebrating events like Cybersecurity Awareness Month. 

Perry Carpenter: But remember, even by G.I. Joe standards, knowing on its own doesn't fully win the battle. So what lies beyond these strategies that are of limited effectiveness? That next level maturity is behavior shaping, and that involves an intentional focus on human nature and specifically working with, rather than against, human nature. 

Perry Carpenter: And then the last level, the highest level of maturity, is culture shaping. And this is where security-related values and beliefs have been interwoven into the fabric of the organization to the point that they've become the established norm. Those attitudes and values and behaviors are reinforced socially through the pressures and the rewards, and they're modeled through the lived-out behavior of most employees, and that allows the behaviors, the values and the attitudes to be caught by newcomers. 

Perry Carpenter: In the security world, we've adopted this phrase security ABCs to refer to awareness, behavior and culture, and we're going to spend this episode and the next episode exploring these concepts. Those of you that have been listening to the show for a while may remember that we touched on some aspects of communication all the way back in Episode 1 as we explored the Trojan horses for the mind, and we took on behavior science in Episode 3. Today's episode covers both of these in more of a targeted and programmatic standpoint, and our next episode will be a deep dive into security culture. 

Perry Carpenter: One of the exciting things about the security awareness space right now is that there is more of a recognition now than ever that to lead security awareness well, you need skills that are not just technical in nature. You need to understand things like marketing and communication and psychology and human behavior and so much more. And so one of the things that's going to be interesting today as we talk to our different guests is to understand the backgrounds that each of them come from because most are not traditional security backgrounds. 

Chrysa Freeman: I am Chrysa Freeman, senior program manager of security awareness and policy at Code42. My journey here was really quite interesting. It was very much happenstance. But there aren't, you know, a whole lot of coincidences in life. So I got in because I was moving from another state and had solicited a bunch of temp agencies. And they said, hey, we've got this long-term gig at a big medical device company, and they are looking for long-term person for security awareness. And they read the description to me, and I was like (laughter), I don't even know what you just said. And they said, we think you're perfect for it; we're going to submit you. And lo and behold, I got the job. 

Chrysa Freeman: And I think the most important part is that it just fit everything that I love to do and kind of my natural skill set. And that's probably why I'm still in it. I have a huge passion for people. I love technology. That was more secondary, so I've had to learn a bunch on the technology side. But motivating people and, in general, making the world a better place is where most of my passions lie. So being in the world of security awareness and helping individuals make companies better, that make our industry better, that make our world better is extremely satisfying to me. 

Perry Carpenter: So what do you think it was in your background that that agency looked at and said, we think that Chrysa would be perfect for this security awareness role? 

Chrysa Freeman: She didn't really call it out, but I would say that my experience going into security awareness was mostly marketing and working with entrepreneurs and startups, very much the ability to adapt quickly. All three companies that I worked for with the security awareness programs have actually built them from the ground up. So I think they saw that I'm more of a person that wants to build something than come in and just maintain it. But it was more - it was - marketing is what they were really looking for, which was extremely smart back then, 15 years ago. 

Lauren Zink: I actually went to college to be an educator, and I taught at elementary and high school level for about three years. And while I was doing that, I also was an adjunct instructor at a local college, which actually afforded me the opportunity to take courses for free in homeland security information technology. 

Perry Carpenter: That's Lauren Zink. Lauren is a longtime security awareness professional, and she's actually released two courses on LinkedIn Learning geared towards helping other security awareness professionals be successful. 

Lauren Zink: So I figured if they were free, why not do it? Let's see. I've always had a passion for it, but no one ever steered me in that direction, unfortunately. And so it afforded me the opportunity to then get the experience on that technology side. And when a position opened up for - I think it was an education awareness analyst at a very large company by me, I thought, why not? What's it going to hurt to apply? And I was able to pivot and utilize that training aspect from teaching and apply it into the security awareness position. 

Perry Carpenter: Let's hear about another pivot into security awareness. This is Dr. Jessica Barker. 

Jessica Barker: I'm co-CEO of Cygenta. And I'm the author of "Confident Cyber Security" and co-author of "Cybersecurity ABCs." 

Perry Carpenter: So, Jessica, I understand that you're another one of these people that has an interesting trail into cybersecurity and specifically security awareness. Can you tell us a little bit about that? 

Jessica Barker: I would never have expected to have a career in cybersecurity. I basically fell into the industry. I had my 10-year anniversary a couple of months ago. And it was really lucky. I was finishing a Ph.D. in civic design, looking at the growth of the internet economy, having previously studied sociology and politics and worked in urban regeneration, particularly focused on social inclusion. 

Jessica Barker: As I was finishing up my Ph.D. - and I was approached by a cybersecurity consultancy who were specializing in the defense sector and wanted somebody who could come in and look at the issues of cybersecurity from a different perspective, take a more human approach. Got to talk to them about working in cybersecurity. And the first thing I did was Google, what is cybersecurity? 

(LAUGHTER) 

Jessica Barker: It was that left field for me. But I could see it was interesting. I could see it was a complicated problem, and that kind of piqued my interest. I like a challenge. And the more I found out about it, the more I thought, this is a fascinating field to be in. So I haven't really looked back from that point. 

Ian Murphy: Well, so what got me to where I am now is that I wasn't too good at soccer. I always had a dream as a kid to be a professional soccer player. 

Perry Carpenter: That's Ian Murphy. Ian is the founder of a security awareness company called CyberOff. They create short, funny and often irreverent cybersecurity awareness training videos. 

Ian Murphy: I played semi-pro most of my life, a little bit of pro. And I got to play at our national stadium, Wembley, in the U.K., which was a big thing for me, in front of 20,000 people. So I can... 

Perry Carpenter: Wow. 

Ian Murphy: ...I mean, achieve that dream. But because I wasn't in the top 5%, let's say, I had to find something to do as a career. Most footballers - U.K. footballers - when they finish their career, they used to open a pub. I decided to go into cybersecurity. 

Ian Murphy: So it was - I joined the U.K. Ministry of Defence back in 1992, I think it was. And then I was with them for 10 years. And then I went out into the dot-com bubble world and then joined Symantec for five years. And then for the past 16 or so years, 17 or so years, I've been working for myself in one shape or another, either doing consultancy or being part of startups or starting my own startups. 

Perry Carpenter: I think it's clear when we see the emerging security awareness industry that's championing skills like communication and marketing skills and psychology and the like that this is an evolution that's been progressing for the past 15 years or so. Our guests' background tell that story. And this evolution is a good thing because - let's face it - most career technologists aren't the best communicators or marketers because, for the most part, they went into IT because they love the technology. People, for some, are secondary and, for others, might even be an obstacle. 

Perry Carpenter: I think before we even talk about the important components of a security awareness program, we need to acknowledge that the person running this program has to have a passion for people and communication. If the awareness leader views humans as a problem to overcome, then they'll likely end up subverting the entire program because of that bias. 

Perry Carpenter: So let's assume now that you've got a passionate champion of humanity on board to lead your program, or maybe you are that person. What's next? What are the fundamental components of a modern, human-aware security awareness program? 

Lauren Zink: When you think of a security awareness program, it's not just awareness. It's multilayered. I typically break it up into awareness, communications, education and training. The reason that I do that is you're going to work with different people within the organization to get those different pieces set up and working, and those are also different ways that you can reach out to your audience. 

Chrysa Freeman: There's the way that you deliver your message as well. And then the other thing is that it's not a one-and-done. We have to make repetitive messages. We've got to keep it in front of people and get it in front of people in different ways. 

Chrysa Freeman: So it's not just an LMS training. It might be an LMS training and a lunch and learn and a newsletter, any way that we can - getting into team meetings, at the company annual kickoff, seeing if you can get the CEO or the CSO to state a message, on Slack channels, getting into the dog channel and the cat channel and the wine channel and getting to know people individually, really understanding the network and the culture that you are working with because you've got to be in tune with that in order to connect with people in order to get your message across. 

Perry Carpenter: So obviously, when it comes to security awareness, there is a communications component. And that means that we are delivering a message to an audience, and that also means that the audience is going to be perceiving that message in different ways based on the way that they like to receive messages, based on their upbringing and several other factors. 

Perry Carpenter: One of the interesting debates going on right now is around the use of emotion in conveying messages. And so questions like, is it appropriate to use humor in a corporate context? Where should you inject fear? When do you just need to be deadpan serious? All of these are actually very serious questions that we need to be asking ourselves as security awareness professionals. 

Perry Carpenter: So I wanted to ask Ian Murphy, who's known for the way that he uses humor in his awareness messaging, to talk about this and to talk about where humor is appropriate and where it may not be appropriate and what the boundaries might be. 

Ian Murphy: I think, if used correctly, you can call the elephant out in the room, right? You can diffuse and bring that room - all on the same side. I think that's what humor allows people to do without being offensive with it, without being... 

Perry Carpenter: Right. 

Ian Murphy: ...Too laden of other parties with it. But - and I've always found as well, during my semi-professional playing days, that in the dressing room - when you wanted to grab a dressing room, you know, managers could use really strong, overburdened tactics, but then it always fell to somebody like me in the dressing room to bring everybody together after the manager has told everybody off for what - for how they should've been playing. And it comes to somebody else to lighten that mood and get everybody else back on board and aiming at that one common enemy, which is your opponent. 

Perry Carpenter: And, Jessica, what are your thoughts on leveraging emotion and tactics like fear or humor as part of the communications piece of an awareness program? 

Jessica Barker: I think humor can be a great hook. It can be a great way of grabbing attention. And it's unexpected coming from cybersecurity. We often have this image of being dry and technical and negative. So I think humor has its place. And research shows that people are more likely to remember messages that are weird or funny, so it can be good at making some of your awareness-raising stick a little bit more and stand out a bit more. 

Jessica Barker: However, that comes with a caveat, and that is that a lot of research shows with humor, when you're trying to change behaviors, you have to use it carefully. So just like when we're using fear-based messages, we can't use this stuff bluntly. We have to use it in a way that is cognizant of where it can backfire. With humor, where it can backfire is if we use it too much, people can not take our messages as seriously. And this was shown in a piece of research that looked at the CDC's campaign around how to prepare for a zombie apocalypse or, you know, for some kind of unusual event. 

Jessica Barker: There was a big campaign trying to raise awareness of being prepared for a unexpected incident and making sure you have provisions ready. And the research showed that focusing on the zombie apocalypse element of it made it very memorable, and people thought it was very funny. But of the people that had seen that campaign, they were less prepared for an unexpected event than people who hadn't. And the researchers concluded it was because people thought it was just a joke, it was just a piece of humor. So it's getting that balance right that I think is important. 

Perry Carpenter: And so what we find is that, like any tool, humor or fear or any state of mind that we try to put somebody in is a tool, but we have to use that tool with an understanding of both the pros and cons that can come with it. And using any tool just because we have it means that we might misuse that tool. And so it's always important to understand what our goal is and if we're choosing the right tool for the right purpose. 

Perry Carpenter: Now, I want to shift gears for a minute here and get into the behavior side of things. So we've talked a lot about communication, and communication is all around this information dissemination piece. But if you remember, that information dissemination piece is really just the second level of maturity. It's not going to get you the full payoff that you can get with a transformational program. 

Perry Carpenter: So what is the third stage? The third is behavior shaping. And because I covered behavior management in pretty deep detail in Episode 3, what I want to do real quick is just play you part of the intro to that episode to help set the stage for what we're going to talk about. I remember it like it was just a couple months ago. 

(SOUNDBITE OF ARCHIVED BROADCAST) 

Perry Carpenter: This topic, behavior science, is really important for cybersecurity professionals and technologists to consider because - well, the reason is simple. Behavior equates to action. 

(SOUNDBITE OF BELL) 

Perry Carpenter: I know. Profound, right? Not really, but let me explain. When it comes to security, we talk a lot about security awareness, and that's great, but simple awareness of something isn't really the endgame. Awareness of something doesn't naturally lead to behavior based on that awareness. What we need to do is affect the decisions and actions that people take. And awareness is really just having head knowledge of something, and head knowledge alone isn't enough. So security awareness does not equate to secure behavior. 

Perry Carpenter: And the reason for that comes down to what I refer to as the knowledge-intention behavior gap. Here's the short version. There's a gap between knowing something, having information and intending to act on that information. In other words, there are a lot of things that we know but we don't really care or have the intention to act on that knowledge in any meaningful way. And so there's a gap between knowledge and intention. There's also a gap between intention and behavior. So even when we know something and have the best intentions to act on that knowledge, we don't always do so. 

Perry Carpenter: Think of this as the New Year's resolution phenomenon. Many people around the world make these lists of New Year's resolutions based on the knowledge of things that will make our lives better. We might want to eat better or lose weight or reprioritize the way that we spend our time and money. And these lists are an expression of our intent to act on that knowledge. But the sad fact is that the vast majority of us don't follow through. We might try for a week or two weeks or maybe even a month, but ultimately old patterns, habits and in-the-moment trade-offs override both knowledge and intention. And before we know it, another year has passed. 

Carl: (Crying). 

Perry Carpenter: I can see Carl (ph) over in the sound booth weeping now. Carl, can you shut the door? 

(SOUNDBITE OF DOOR CLOSING) 

Perry Carpenter: All right. Thanks. OK. Where were we? Oh, that's right. Before we all spiral into the same depression that Carl is in, let's talk about how this relates to security awareness. Out of this knowledge-intention behavior gap flow three realities of security awareness. Here they are. 

Perry Carpenter: No. 1 - just because I'm aware doesn't mean that I care. And if you don't believe me, think about the last speed limit sign that you whizzed past and took as a suggestion or the stop sign that you slowed down for and rolled through the intersection as you looked all around to make sure that nobody else was coming and that there weren't any police vehicles around. 

Perry Carpenter: No. 2 - if we try to work against human nature, we will fail. And we'll talk about this a lot more throughout this episode, so let's go to No. 3. 

Perry Carpenter: No 3 is that what our employees do is way more important than what they know. And I'll say this as bluntly as I can. Knowledge alone has never stopped a breach. It's always an in-the-moment action that is the cause. Knowledge can be part of that, but someone can do the wrong thing even with the right knowledge and someone might do the right thing even if they don't know why. So in the end, it all comes down to behavior. How our people behave is the key. 

(SOUNDBITE OF "AUSTIN POWERS" FILM) 

Mike Myers: (As Austin Powers) Oh, behave. 

Perry Carpenter: No. 

(SOUNDBITE OF "AUSTIN POWERS" FILM) 

Mike Myers: (As Austin Powers) Yeah, baby, yeah. 

Perry Carpenter: Carl. OK. I think Carl is back to his normal self now, whatever we call that. 

(SOUNDBITE OF CHIMES) 

Perry Carpenter: And we're back. So I'm glad that we got to revisit those concepts of the knowledge-intention behavior gap and the three realities of security awareness. All of this emphasizes why a focus on behavior shaping is so important. It's because that fact that, if we really want an impactful awareness campaign, then it isn't really awareness at all. It's about what somebody does. We'll be right back after the break. 

Perry Carpenter: Welcome back. So I remember - I guess it was probably just over 10 years ago now - when the phishing simulation market really started to become a thing. And within the security awareness community, people got excited. And within the audit community, people got excited as well because now we were officially moving away from this information dissemination piece that is always going to have limited effectiveness despite all of our good intentions. We were moving into something that started to impact behavior, that could train behavior, that could measure behavior and then was demonstrably reducing risk by pushing down susceptibility to phishing emails. 

Perry Carpenter: And I'll caveat that by saying that all that is true if somebody is following best practices because, as we all know, you could send out the same phish every time and the only thing that you've done at that point is you've trained your people to avoid that phish. But if you're actually mixing things up and you're approaching this the way an attacker would, well, then you can start to get your people on their toes. And so that really got people excited. Now there is a behavior-based way of approaching this. 

Perry Carpenter: And at the time, I was at Gartner and I was encouraging CISOs and the security awareness market and anyone that would listen to take that mindset and to also apply it in other areas, like password management or web proxies or DLP and so on. So anywhere that you could capture a behavior, you could also inject learning. Or you can take a metric that says, this is what this person is doing. What does that say about what they may know or what they may care about and how we might intervene in the future? And that's what behavior management is about, that's what behavior shaping is about, and that's what makes it so exciting. 

Jessica Barker: Behavior science, I think, can teach us so much. And this is where, in cybersecurity, we could be learning so much more from fields that have done the work for us. Behavioral science is all focused on human behavior and human understanding. So actually, we can take the learnings from those disciplines and apply them to be more effective. 

Perry Carpenter: So, Jessica, for you, what does the application of behavioral science look like in an awareness program and how does that touch on the cultural aspect of things? 

Jessica Barker: So one example would be around social proof or social learning - the fact that we look to others to guide how we behave if we don't know what to do as human beings. Well, in cybersecurity, we often use that fact against ourselves. When it comes to social proof, we often actually kind of shoot ourselves in the foot and we talk about how badly everybody is behaving when it comes to cybersecurity, we talk about all the terrible passwords that everybody's using, and we think that we are shocking people into maybe changing their passwords, improving their behaviors. What we're actually doing is using social proof to tell people, everyone else has got a terrible password, so it's fine if you do, too. 

Perry Carpenter: Chrysa Freeman had a similar observation on how behavior and our understanding of the narrative impact of how we talk about the behavior is actually really important. 

Chrysa Freeman: The phishing metrics - we've been talking for a long time about click rates, and why aren't we talking more about success rates? So for instance, our last phish, we did very well and it could be a fluke - knock on wood that it'll keep going that way. But it was less than 1% of the people that clicked. And normally I would say, hey, we had a great, you know, less than 1% click rate. I switched it around this time with the company message on the internet and said 99% of us got it right, 99% of the company didn't click. And as a human being, that just feel so much better. So I think it's really nuanced all the way down to the way that everyone on the security team is messaging everything they do, from the reports up to the executives to messages on the company intranet to the one-on-one communications that we have. 

Perry Carpenter: Lauren Zink also really advocates for the idea that, yeah, avoiding a click on a phishing email is a behavior that you want to encourage, but an equally good behavior and something that you should measure is how many people are reporting that phish. Because when they do that, they're providing even better protection for the organization. 

Lauren Zink: If you are able to do phishing simulations, which I do think are a big part of a security awareness program, you see the click rate - again, one that everyone wants to measure and I think everyone at the executive level asks me about. And I say, while that is a great number to look at, there's a lot of variables that go into that because if it's a little more enticing, more people will click. 

Lauren Zink: Instead what we need to look at from a cultural shift perspective is how many people are reporting it. Maybe we didn't have a lot of people that knew how to report it at the beginning, and now we have a lot more people that are reporting the email regardless of what it looks like or how enticing it is. 

Perry Carpenter: Before we move on from the topic of phishing, I think we need to briefly talk about where phishing can go wrong and how to avoid missteps with your phishing program. Here's Dr. Jessica Barker. 

Jessica Barker: I've been thinking about this a lot lately and recently published a blog post looking at when phishing simulations backfire because we have seen a lot of examples in the last year. And I think the reason that it's really hit the headlines and touched a nerve is because emotions, of course, are running much higher over the last year or so. Fear, uncertainty, doubt, anxiety is a lot higher for most of us. And so actually people's capacity to cope with an organization potentially playing a trick on them from their way of seeing it is much lower. People don't have the capacity for that. People are already feeling anxious. 

Jessica Barker: And so actually, when they get a phishing simulation that says, as some have, you know, you've been working really hard because of COVID, so we're going to give you a financial bonus, click here and people feel, OK, a little bit of relief and a little bit of recognition for their hard work, they click the link and then they discover, oh, it was a phishing simulation. Or even examples of, you know, click here to find out about your vaccine coming, apparently, from the organization's HR department and actually, it wasn't about the vaccine at all - again, a phishing simulation. 

Jessica Barker: And I believe the organizations who are sending these very emotive phishing simulations - I think they do, of course, have the right intentions. But unfortunately, the execution is flawed from a human perspective because it is - it does end up being like a trick. It doesn't feel like training to people. It feels alienating. It feels unsettling. And it kind of puts salt in open wounds a little bit. So it does the opposite of what we want in cybersecurity. 

Jessica Barker: You want to operate within boundaries of psychological safety so that they feel they can come to you when they maybe have clicked on a link in a suspected phishing email, when they have some issue or some question or some concern about cybersecurity. And when we take these phishing simulations too far and we treat them more as a gotcha than as part of a well-developed awareness program, then unfortunately we're not building up that positive culture. We're actually undermining it. 

Perry Carpenter: So then that naturally leads to the question of, if we do want to prepare our people to deal with in-the-world, timely scams that the bad guys are using and to test on that and to train on that, how do we do it? How do we do it correctly? Well, the answer is really building a relationship with your people, letting them know that you're not trying to catch them out and then giving them an idea of the fact that you will be training them on these things. 

Perry Carpenter: I also asked Lauren Zink her thoughts on, if an organization really wants to test using some of these potentially sensitive topics, what is the right way to do it? Here's her response. 

Lauren Zink: I think going out and communicating, hey, we may be doing these things. They're not telling them when it's going to happen. You know, this is reality. This is what's going on. We're seeing these attacks that are coming through the company that are based on COVID, based on different - you know, your different financial organizations - giving them the educational piece ahead of time and then saying, be on the lookout, we may be doing things that are related to this. So take a pause. If you have questions, come to security and ask them before you kind of flip out, I guess, would be the best way to say that and start canceling all of your credit cards and things like that. 

Lauren Zink: I want to make sure people know that security's is not there to trick them. They're not there to deceive them. They're not there to get them in trouble or get them fired. We're here to help. We're there to be a resource, not a roadblock. Instead, we're there to help them, again, not just at work but also in their personal lives, make sure that they're making the best decisions when it comes to their security and their privacy. 

Perry Carpenter: So here's a quick story. Early on in the pandemic, I published some articles about how to approach phishing the right way in the middle of a high-stress situation like COVID-19. Around the same time, I got a call from one of the clients of the organization that I work for. And this client was saying, I know that I need to send out phishing emails during this time, we can't just take a ton of time away from our phishing simulation program and leave our people vulnerable. And we also know that cybercriminals are going to be using COVID-19 as a way of tricking people into clicking on things. So how do I do this in the right way without breaking the relationship with my people and without making them feel targeted or tricked? 

Perry Carpenter: I took that as an opportunity to flesh out a few ideas. And what I ended up doing is, over the course of a weekend, I put together some training videos, one that was to be used in a pre-campaign scenario - so this is notifying your users of the fact that you are going to be phishing and that you may be using these types of themes. And the other video was to be used when somebody does fall for a phishing test. 

Perry Carpenter: So what I'm going to do real quick is play each one of these, and what I want you to listen for is the intentional establishment of these relationship components, the tone of the narrator and, of course, the message that's there. Here's the first one. This is the pre-campaign video. 

(SOUNDBITE OF VIDEO) 

Unidentified Actor #4: (As character) Hey, we get it. There's a lot going on right now. Millions of us are working from home, figuring out new schedules, new protocols from work. It's a lot to process. But we wanted to take a second to remind you that cybercriminals have gone into overdrive to take advantage of this time of transition, so we all need to be more vigilant than ever. 

Unidentified Actor #4: (As character) One of the ways we're trying to help protect our organization is by sending out simulated phishing tests - not to trick anyone or shame anyone but to help us build up those security reflexes, to remind us all that the threats are out there and we have to pull together to keep our organization safe. So anytime you see anything related to COVID-19 in your inbox, anything about configuring your system to work from home or about a charity you can't independently identify, always evaluate it with the sense of skepticism. It might be us, but it might be them. Don't take the chance. Cybercriminals are relying on distraction, stress and panic, but we can stop them. Just remember, keep calm and don't click. We're all in this together. 

Perry Carpenter: OK, so that was the pre-campaign video. And again, I hope you noticed the tone, the overall messaging, the reinforcement that this is about a relationship, that the security organization's trying to help protect people and that somebody shouldn't be ashamed. 

Perry Carpenter: So now I want to play the video that's used when somebody does click. And, again, listen for the relationship piece and listen for the non-condemnation that's in this because I think that that's the key. 

(SOUNDBITE OF VIDEO) 

Unidentified Actor #4: (As character) Oops. You clicked. Don't worry. This wasn't a real phishing email. You're safe and our organization is safe. And look; we get it. There's a lot going on right now. But cybercriminals are using all of the news, panic and disorientation around COVID-19 as a way to trick people to click on malicious links, open sketchy attachments or give away login and password info - even fake charities that look like they're trying to help. 

Unidentified Actor #4: (As character) The main thing you need to do is be super skeptical of any email that invokes strong emotion, like fear or urgency, especially if that email is related to COVID-19 and the coronavirus. If you're at all suspicious, don't click the link. If it looks like it comes from someone you normally interact with, use your cellphone to contact the supposed sender or contact them directly through their organization's website but not by replying to the email or following any links contained in it. Then be sure to report it using the standard phish reporting process. We know it's a crazy time right now, and we're here to help keep you safe. Remember, keep calm and don't click. We're all in this together. 

Perry Carpenter: All right. I know that phishing during times like this is controversial, and so this isn't to tackle that controversy. This is about ways that a security organization can work to build and maintain relationship even when doing hard things. I hope that this was useful for you. 

Perry Carpenter: It can be really easy to think about behavior shaping as being solely limited to phishing, but that does us a disservice. We can't afford to put blinders on because behavior can really be anything that our people might do. That can range from very traditional things like clicking links or taking training programs all the way to behaviors like practicing good password hygiene or properly disposing of sensitive documents. It can even be things like not tailgating through doors or more. 

Perry Carpenter: Here's how to think about it. If you have a person taking an action or making a decision, then you've got a behavior, and that means that you can probably model it, and there are a slew of methods and models to help you do so. I mentioned earlier that we did a deep dive on behavior modeling in Episode 3. And on that episode, we had three great behavior scientists. We had BJ Fogg, Matt Wallaert and Alexandra Alhadeff. So if you're interested in that topic, you need to check it out. 

Perry Carpenter: OK. So it's about time to wrap up today's episode. I'm going to give Chrysa Freeman the last word, and then I'll be back to summarize with a few closing thoughts. 

Chrysa Freeman: At the end of the day, the security team wants stories. I mean, it's a little bit selfish because I want the stories. I want to use them when I'm doing the training. I want to use them when I go to department meetings. I also want to celebrate those people. So if we have a bunch of stories, we can take, you know, one a month and highlight that super ninja of the month. At the annual kickoff, we can take the best of the best for the whole year. 

Chrysa Freeman: And what I love about that is just yesterday, somebody came up to me and said, hey, I was on a call, we were working with a third-party vendor, they're going to be running our conference or webinar coming up, and they wanted us to set up our portal using this ridiculously stupid password. And our marketing guy said, hang on, stop everything, not using that password. We need to reset it to something much more complex - and actually instructed them on how to do a complex password. That was somebody not in the security team giving a security awareness message to a third-party vendor, which is another huge risk for companies, as we are well aware. So that's exciting for me. That's - someone else is doing my job. 

Perry Carpenter: Well, we've reached the end of today's episode. I hope that you found the conversation interesting and useful. But if you feel like this episode left you with more unanswered questions than answered questions, that's because we could spend entire seasons diving into the details related to security awareness and behavior shaping. 

Perry Carpenter: And I'll remind you to check out Episode 1 for an exploration of what I call the Trojan horses for the mind. I really believe that understanding those and using those intentionally in your awareness efforts is fundamental to success. And we went pretty deep into behavioral science and behavioral model in Episode 3, talking to some of the top behavior scientists in the world on that episode. 

Perry Carpenter: And then if you really want the most comprehensive resource I can recommend for security awareness leaders, I have to recommend my own book, "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors." That book covers everything from why security awareness is valuable to how to gain executive support to the fundamentals of marketing and communication theory related to security awareness to applying behavioral science to security, how to build a security culture and much more. I've actually been really honored by how this book has been received by the security community, and it was even recently included in the Cybersecurity Canon Hall of Fame. 

Perry Carpenter: Our next episode, Episode 10, continues this conversation about the cybersecurity ABCs and focuses specifically on culture and how to foster an organizational culture that has security values running through its fabric. And just for your awareness, Episode 10 is also the final episode of this current season of "8th Layer Insights." I'll be taking a couple of month break and be back before you know it with Season 2, and I've actually got a ton of cool stuff planned for that season. 

Perry Carpenter: Also, if you're connected with me on social media, be on the lookout for a quick survey that I'm going to be sending out. I'm really interested to know your thoughts on the show and how best to plan for Season 2. I'll be asking questions about which topics most resonate with you and are most useful for you, the optimal episode length, show format and more. I really want to give you the best show possible, so your input and feedback is super important. 

Perry Carpenter: Thanks so much for listening, and thank you to my guests, Dr. Jessica Barker, Chrysa Freeman, Ian Murphy and Lauren Zink. I've loaded up the show notes with links to the references that we mentioned today and a ton of other relevant information related to security awareness, behavior and culture. 

Perry Carpenter: If you've been enjoying "8th Layer Insights," please go ahead and take just a couple seconds to head over to Apple Podcasts and rate and consider leaving a review. That does a ton to help. You can also help by posting about the show on social media and maybe even finding an episode to recommend to a friend or family member. And if you haven't yet, go ahead and subscribe or follow wherever you like to get your podcasts. 

Perry Carpenter: Lastly, if you want to connect with me, feel free to reach out on LinkedIn or Twitter or Clubhouse. I'd be happy to connect with you. Until next time, thank you so much. I'm Perry Carpenter signing off. 

Carl: In a world filled with humans, inundated with technology and threatened by cybercrime and human error, one book emerges from the secret libraries of sages filled with the incantations and wisdom needed to become a security behavior alchemist. That book is "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors." Available everywhere fine books are sold. 

Perry Carpenter: Wow. That was actually pretty good. I mean, long, awkward, melodramatic and cheesy, but pretty good. Thanks, Carl. 

(SOUNDBITE OF BELL)