Hacking Humans 9.24.20
Ep 117 | 9.24.20

It's human nature.

Transcript

Tim Sadler: Security is - it's serious business. No one would doubt or question its importance. It is literally mission critical for companies to get right.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Tim Sadler from Tessian. We're going to be talking about a report they recently published. It's titled "The Psychology of Human Error." Interesting stuff. 

Dave Bittner: All right, Joe, let's kick things off. Before we get to our stories, we've got some follow-up from a listener also named Joe - not you (laughter). 

Joe Carrigan: No, it wasn't me. 

Dave Bittner: From Chicago, where you are not from. 

Joe Carrigan: No. 

Dave Bittner: He says, hey, guys, loved the show today. Joe's section on OG accounts and email addresses was great and hit very close to home. OG or, of course, the original gangster accounts... 

Joe Carrigan: Right. 

Dave Bittner: ...Which are accounts - usually, it's either highly desirable account names. 

Joe Carrigan: Yes. 

Dave Bittner: And part of what makes them desirable is a short number of characters. We spoke about how, you know, I have @bittner on Twitter, which is, I guess, some would consider an OG account because... 

Joe Carrigan: I do. 

Dave Bittner: ...It is a surname. Yeah, yeah (laughter). So this gent writes in. He says, I have an OG Twitter account that I set up in 2007, which is regularly under attack. Of course, I have 2FA set up, which seems to keep the bad guys at bay. Interestingly, I know that one of the people who's trying to break in is a teenager in the U.K. who really wants my main Twitter name, as it's a three-letter handle that is also his initials.

Joe Carrigan: (Laughter). 

Dave Bittner: I have to admire his chutzpah because the very first time he contacted me, he appealed to my good nature and asked me to simply give him the account to be nice. I am good natured, but not that much. 

Joe Carrigan: Right. 

Dave Bittner: He later offered to trade me one of his user IDs for mine. The account he was offering had over 30,000 followers, most of which were bogus accounts he had collected or bought. When I refused this, I saw increased attempts at breaking into the account. He started tagging me in tweets saying nasty things about how I wouldn't help someone who was starting out as an entrepreneur. That's when I reported him to Twitter and blocked him. I'm pretty sure he's one of the people who pops up once in a while to see if I accidentally turned off 2FA. 

(LAUGHTER) 

Dave Bittner: He goes on to talk about that he does have an email address that someone is using as backup for their Facebook page, Spotify account and other things. 

Joe Carrigan: You know what that means, Joe - free Spotify. 

Dave Bittner: Yeah, exactly. 

(LAUGHTER) 

Dave Bittner: Exactly. And he thanks us... 

Joe Carrigan: Free Spotify for you if they're buying the premium account. 

Dave Bittner: Yeah. He says, thanks for the good work. So interesting that, I guess, one of the burdens of having one of these OG accounts is that, in people's desire to have it, they can come at you and start hammering away at that account. 

Joe Carrigan: Yeah, the guy that asked me for my Instagram account did the same thing - appealed to my good nature. And I said no. 

(LAUGHTER) 

Joe Carrigan: This is not just my Instagram handle; this is my handle everywhere on the Internet. No, you can't have this. 

Dave Bittner: Right. All right. Well, thanks, Joe, for sending that in. That is an interesting follow-up, for sure. Joe, why don't you kick things off with our stories this week? 

Joe Carrigan: I will start with a story from hackread.com. This is by Sudais Asif. I hope I'm getting the accents right in that name. 

Dave Bittner: (Laughter). 

Joe Carrigan: And if I'm not, I apologize in advance. But this article talks about a new phishing campaign. So, you know, Twitter was hacked back in July. Everybody remembers that, right? Where - with the - and the arrests have been made. It was a bitcoin scam. 

Dave Bittner: Right. 

Joe Carrigan: And then earlier this month, in September, Prime Minister Modi of India, his account was hacked. And, again, people started sending out bitcoin messages. And the group was calling themselves John Wick, right? How creative and menacing. 

Dave Bittner: (Laughter). 

Joe Carrigan: There is a new campaign that's based on the July hacks. Now, back in July, when Twitter was originally hacked, they tweeted, we detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. That was a tweet from Twitter I think on July 15 - that's what the date in this article has. So now there's this phishing email, and it says, we are aware of a security incident affecting Twitter accounts. We are investigating and taking action to correct. We have detected what we believe to be a social engineering attack coordinated by people who have successfully targeted some of our employees with access to internal systems and tools. For security, you must confirm your identity. And then it says, confirm your identity down here - another one of these buttons that you should never click on, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: And what's interesting about this is that the second paragraph is almost copy and pasted from the Twitter tweet, right? So they're using Twitter's own language here to try to phish people and try to get them to click on the link. Something else the article talks about is that the phishes came out of a service, a third-party service, called sendgrid.com. And now when you send email with SendGrid, any links that you put in there, you can have them go through SendGrid. And this is probably, like, a marketing email feature that allows SendGrid to provide feedback to its customers in saying who clicked on what links, right? 

Dave Bittner: Right, right. Yeah. 

Joe Carrigan: And then you're taken to another link that is actually a t.co link, which is Twitter's own link shortening service. From there, users are redirected to a domain called twittersafe.com, which actually hosts the phishing landing page. And this is the credential harvesting page. And they're just looking for usernames and passwords so they can access and take over these Twitter accounts. 

Dave Bittner: Any advice for folks to protect themselves? 

Joe Carrigan: Well, of course, the advice is never click the link, right?

Dave Bittner: Yeah. 

Joe Carrigan: That's piece of advice No. 1. And, again, just like what Joe said, our listener Joe, if you enable multifactor authentication, that makes it exponentially more difficult for these people to try to get access to your Twitter account. Even if you give them your username and password and you're using an SMS code texted to you for any web page, that increases their level of difficulty immensely. They have to specifically target you, and then they're going to have to call your cellphone company for a SIM swap account, and that takes a lot of time. 

Dave Bittner: Right. 

Joe Carrigan: If you're just being spammed with a phishing email that's going out to millions of people, even having an SMS code - which is, like, the least secure multifactor authentication - will stop this kind of attack. 

Dave Bittner: Yeah. All right. Well, it's interesting. One to keep an eye out for. 

Dave Bittner: My story this week - before I dig into it, I want to just do a little side, I don't know, explainer because this story actually happens to involve our show sponsor, KnowBe4. 

Joe Carrigan: Really? 

Dave Bittner: And - yeah. And I have to say, just sort of to lead into this, that KnowBe4 has really been a great sponsor of our show. They've, you know, believed in the show from the very beginning, and they've sponsored us for years and, as far as we know, are planning to do, you know, for years from now. And, of course, we appreciate that. But one of the great things about having KnowBe4 as a sponsor is they have been really hands-off, you know? We never hear from KnowBe4 about any of the content that we do or anything like that, you know? They let us do our thing. We help, you know, share their message through their advertising. And that's it. And then, of course, we wouldn't have it any other way at the CyberWire, either. You know, we keep those - the ad sales and the content separate, you know, deliberately, for lots of good reasons. 

Dave Bittner: So I say all that only because this story is about KnowBe4. It's actually a story from Bleeping Computer written by Lawrence Abrams. And my understanding here is that KnowBe4 actually tipped off some of the researchers over at Cofense, which is a security company, that there's some bad guys out there using KnowBe4 security awareness training as phishing lures. So I suppose on the one hand, it's kind of flattering, if you're KnowBe4, that you've reached the point where you're used so much, people know about your service... 

Joe Carrigan: You have a big enough customer base that this is a believable phish... 

Dave Bittner: Right (laughter). 

Joe Carrigan: ...For just sending this out - is what they're saying. 

Dave Bittner: Right. 

Joe Carrigan: Right. 

Dave Bittner: Right, exactly. But on the other hand, you know, nobody wants to have your good product associated with bad things and... 

Joe Carrigan: Absolutely. KnowBe4 is not unique in this. I mean, Twitter doesn't want the phishing attacks I was talking about going on. 

Dave Bittner: Of course. 

Joe Carrigan: It's exactly the same thing. They're taking a popular service, and they're using it as a phishing lure. 

Dave Bittner: Right. So the email that you get, it says, training reminder. Due date. Your - it says, good morning. Your security awareness training will expire within the next 24 hours. You only have one day to complete the following assignment - KnowBe4 security awareness training. So right off the get-go here, we're putting the pressure on, right? 

Joe Carrigan: Yeah, the artificial time constraint. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: That's right. 

Dave Bittner: Time is of the essence, right? And then it says, please note this training is not available on the employee training portal. You need to use the link below to complete the training. And then it has a link that at first glance looks like it could come from KnowBe4. It's training.knowb.e4.com. 

Joe Carrigan: Right. 

Dave Bittner: Not KnowBe4, but someone in a hurry could mistake it for being that. 

Joe Carrigan: KnowBe4's domain is knowbe4.com, right? 

Dave Bittner: Right. 

Joe Carrigan: And this is the same domain, except they've gotten control of a subdomain at e4.com and put knowb in front of it. 

Dave Bittner: Right. So they have links here to go to this alleged training, and of course, when you go there, that's not what's going to happen. 

Joe Carrigan: No. 

Dave Bittner: They're going to try to get all sorts of credentials from you. The rest of the email says, your training record will be available within 30 days after the campaign has concluded. Thank you for helping to keep our organization safe from cybercrime - information security office. So, you know, this is plausible, right? (Laughter). 

Joe Carrigan: Very much so. Yeah, very much so. 

Dave Bittner: Yeah. 

Joe Carrigan: Here's a tip-off for me. Your training record will be available within 30 days after the campaign has concluded. I don't think KnowBe4 takes 30 days to update your training record. I think that's pretty much instantaneous with them... 

Dave Bittner: Yeah. 

Joe Carrigan: ...As it is with most online training organizations. 

Dave Bittner: Yes. 

Joe Carrigan: Right? 

Dave Bittner: Yes. I suspect that is correct. Right, absolutely. 

Joe Carrigan: When I complete my online training, I get immediate verification that that's happened. I don't need to wait 30 days. 

Dave Bittner: Right. But I think it's worth noting the English in this message is good. 

Joe Carrigan: Pretty good, yeah. 

Dave Bittner: There's no real big red flags about that. The only thing that really stands out is that link that isn't actually going to KnowBe4. 

Joe Carrigan: It is not. 

Dave Bittner: So interesting to me that this campaign is going right for the center of things, going after security awareness training, using security awareness training as the thing to distract you from them trying to harvest your credentials. How interesting. 

Joe Carrigan: Yep. Very interesting. I'm not familiar enough with KnowBe4's products, but I think that you can access - you can always access your training through their - through the employee training portal. 

Dave Bittner: Yep. 

Joe Carrigan: And I like - you know, this message says the training is not available on the employee training portal; you have to click on this link. 

Dave Bittner: Yeah, which I think is kind of throwing a little bit of a smokescreen to the unusual link, you know? 

Joe Carrigan: Right. 

Dave Bittner: Like, hey, we're just letting you know. We know there's something odd about this link, but it's OK. Just go ahead and click through. Yeah (laughter). 

Joe Carrigan: Yeah, this - I wonder how effective this has been. Does the article talk about that? 

Dave Bittner: I don't know. If indeed this was brought to the attention of the researchers by KnowBe4, you know, I guess they - someone reported it to them or, in their own work, the tracking they do of phishing, this came up on their radar. So... 

Joe Carrigan: We went to the conference a couple of years ago. 

Dave Bittner: Right. 

Joe Carrigan: And I was actually impressed with a lot of the research they do there. It's pretty good. 

Dave Bittner: Yeah, yeah. Absolutely. So interesting one. Again, this is from Bleeping Computer. We'll have a link to the story in the show notes. But I don't know. I suppose (laughter) don't let your guard down, and perhaps even be extra vigilant when you get messaging that claims to come from the folks who are trying to train you... 

Joe Carrigan: Right. 

Dave Bittner: ...In your security awareness. 

Joe Carrigan: Yeah. 

Dave Bittner: You can't trust anybody, Joe. You just can't trust anybody (laughter). 

Joe Carrigan: You can't trust anybody, Dave. Yeah. You've got to be constantly vigilant. 

Dave Bittner: Right (laughter). 

Joe Carrigan: It's tough, yeah. And I don't know how to tell people, other than not clicking on the link. 

Dave Bittner: Yeah. 

Joe Carrigan: But this email is very compelling. It's dangerous. 

Dave Bittner: (Laughter) It is. What a world. What a world. 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, those are our stories for this week. It is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from user Drewlius Caesar. I guess his name is Drew. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: He's on Twitter at @_acart. And it is a SunTrust phishing scam. 

Dave Bittner: All right. It goes like this. (Reading) Your email address or phone number may be incorrect. You've received an important notice concerning your account. Through the usual security improvement protocol, we noticed an error while trying to multiple sign in while logging into your online bank account. We believed that someone other than you is trying to access your account for security reasons. We have temporarily suspended your account, account and access to online banking services, and it will be restricted if you fail to update. Please note that accounts not renewed within 24 hours of suspension are subject to termination. You may conveniently view your account at suntrust.com. It is important that you do not close your browser window in online banking before verify the account. Closing the window disables your account, and you'll have to start over. Thank you for banking with SunTrust, sincerely SunTrust Customer Care. Please do not reply to this email. If you have questions about your account in general, email us through the secure message center. 

Dave Bittner: All right, so lots of things going on here, Joe. 

Joe Carrigan: Yeah, this is just really bad English. My favorite is the sentence... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...The - while logged into your bank account, period. 

Dave Bittner: (Laughter) Yeah. Yeah. Just... 

Joe Carrigan: (Laughter) That's a sentence. Right. 

Dave Bittner: Just a sentence fragment there. 

Joe Carrigan: Yep. And then, we have temporarily suspended your account, account and access to online banking services. 

Dave Bittner: (Laughter). 

Joe Carrigan: So they have suspended your account twice. And of course, here's... 

Dave Bittner: (Laughter) Yeah, just to be sure. 

Joe Carrigan: Yeah, here's the immediate call to action, the time pressure. You have 24 hours before your account is terminated. 

Dave Bittner: Yeah, so there is a legit SunTrust logo in here, and it looks like the last few sentences were just copied and pasted out of a legit SunTrust Bank communication. So that lends some legitimacy to it. The other thing that strikes me about this is where they say, it's important you do not close your browser window in online banking before verify the account, which means, I suppose, whatever they're doing behind the scenes is counting on the fact that you are logged in to your account when you go to whatever they're doing, right? 

Joe Carrigan: Right. 

Dave Bittner: So somehow - I don't know if they're able to leverage the fact that you're logged into your account and jump into that from, you know, whatever it is they're doing. But that's interesting that they... 

Joe Carrigan: Yeah, maybe they're exploiting some... 

Dave Bittner: ...Call that out. 

Joe Carrigan: ...Browser vulnerability that lets them do that. 

Dave Bittner: Right. Could be, yeah. 

Joe Carrigan: My guess is that this is just a phishing - credential harvesting phishing site. But maybe they have something running on the back end that tries to do that. These banking websites - we talked about this a couple of weeks ago - they will log you out pretty quickly.

Dave Bittner: Right. All right. Well, that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He's been on our show before. He's from an organization called Tessian, and they recently published a report called "The Psychology of Human Error." Here's my conversation with Tim Sadler. 

Tim Sadler: We commissioned this report because we believe that it's human nature to make mistakes. The people control more sensitive data than ever before in the enterprise. So there's customer data, financial information, employee information. And what this means is that even the smallest mistakes - like accidentally sending an email to the wrong person, clicking on a link in a phishing email - can cause significant damage to a company's reputation and also cause major security issues for them. So we felt that businesses first need to understand why people make mistakes so that, in the future, they can prevent them from happening before these errors turn into things like data breaches. 

Dave Bittner: Well, let's go through some of the findings together. I mean, it's interesting to me that, you know, right out of the gate, the first thing that you emphasize here is that people do make mistakes. 

Tim Sadler: Absolutely, they do make mistakes, and I think that is human nature. We think about our daily lives and the things that we do; we factor in human error, and we factor in that we will make mistakes. And something I always come back to is if we think about something we do, you know, many of us do on a daily basis, which is, you know, driving a car, and we think about all of the assistive technology that we have in that car to protect us in the event that we do make a mistake because, of course, mistakes are expected. It's kind of in our human nature. 

Dave Bittner: Well, let's dig into some of the details here because there are some fascinating things that you all have presented. One of the things you dig into is the age factor. Now, this was interesting to me because I think we probably have some biases about who we think would be more likely to make mistakes, but you all uncovered some interesting numbers here. 

Tim Sadler: Yeah, completely. And, you know, just sharing some of those statistics that we found from this report, 65% of 18- to 30-year-olds admit to sending a misdirected email, compared to 34% who are over the age of 51. And we also found that younger workers were five times more likely to admit to errors that compromised their company's cybersecurity than older generations, with 60% of 18- to 30-year-olds saying they've made such mistakes versus 10% of workers who are over 51.

Dave Bittner: Now, what do you suppose is the disparity there? Do you have any insights as to what's causing the spread? 

Tim Sadler: I think it is just speculation that I think there's something interesting in just maybe thinking about the comfort level that younger workers might have with actually admitting mistakes or sharing that with others in the enterprise. You know, I think there's something encouraging here, which is actually we're seeing that if you were running a security team, you want your employees to come forward and tell you something has gone wrong, whether that's a mistake that's led to a bad thing or it's a near miss. And I think that you also might find that, generally, younger people may tend to be less senior in the organization and, you know, may not have the same sense of stigma that maybe the older generations, who are more senior, may think there is. So if I tell my boss that, you know, I've just done something and there was a potentially bad outcome, they might feel like they may be in danger of compromising their position in the organization. 

Dave Bittner: Yeah, it's a really interesting insight. I mean, that whole notion of the benefits of having a company culture that encourages the reporting of these sorts of things. 

Tim Sadler: I think it's so important. You know, I think - somebody, you know, correctly advised me, you almost need an everything's-OK alarm in your business when you're thinking about security. You know, if you have a risk register or if you are responsible for taking care of these incident reports, if you don't see people reporting anything, it's usually a more concerning sign than you have people coming forward who are openly admitting to the errors they've made that could lead to these security issues. It's highly unlikely that you've got nothing on your risk register. It means that there is - you've completely eliminated risk from your business. It's more likely that actually you haven't created the right culture that feels like it's suitable or acceptable to actually come forward and admit mistakes. 

Tim Sadler: And I think this is really, really important. I think now more than ever, during this time where, you know, we have a global pandemic, a lot of people are working from home, and they're kind of juggling the demands of their jobs with their personal lives - maybe they're having to figure out child - there are lots of other things weighing in to an employee's life right now. It's really important to actually, I think, extend empathy and create an environment where your employees do feel comfortable actually sharing things, mistakes they've made or things that could pose security incidents. I think that's how you make a stronger company, through that security culture. 

Dave Bittner: But let's move on and talk about phishing, which your report digs into here. And then this was surprising to me as well. You found that 1 in 4 employees say that they've clicked on phishing emails. But interesting to me, there was a gap between men and women and, again, older folks and younger folks. 

Tim Sadler: Yes, so we found in the report that men are twice as likely as women to click on links in a phishing email, which again I think is - I think we were as surprised as you are that that was something that came from the research that we conducted. 

Dave Bittner: And a much lower percentage of folks over 51 say that they'd clicked on phishing links. 

Tim Sadler: Yes. And, again, you know, because of the research, of course, we're relying on people's honesty about these kinds of things. 

Dave Bittner: Right. 

Tim Sadler: But it does seem that there are clear kind of demographic splits in terms of things like age and also gender in terms of, actually, the security outcomes that took place. 

Dave Bittner: I mean, that in particular seems counterintuitive to me, but when I read your report, I suppose it makes sense that, you know, people who have more life experience, they may be more wary than some of the folks who are just out of the gate. 

Tim Sadler: I think that does play into things. I think that younger generations who are coming into the workplace, who are maybe even used to - you know, they've had an email account maybe for most of their lives. In fact, I would say that they're probably less used to using email because they've advanced to other communication platforms before they enter the workplace. But I do think that, you know, if you think about people who have had email accounts, you know, at school or at college, they're going to be used to being faced with potential scams, potential phishing. They've maybe already been through many kind of forms of education training awareness, those kinds of things, before they've actually entered the world of work. 

Dave Bittner: Yeah, another thing that caught my eye here was that you found that tech companies were most fallible. And it seemed to be that the pace at which those companies run had something to do with it. 

Tim Sadler: Yeah, I think there's something interesting here. And, again, just would say that this is speculation because we don't have the specific data to dig further into this. But I think there's something interesting with the concept that technology companies, as you say, if they're, you know, high-growth startups, they tend to be maybe moving faster, where these kinds of things can slip off the radar in terms of the security focus or the security awareness culture they create. 

Tim Sadler: But the other thing - and I think something to be aware of - is sometimes technology companies have that kind of false sense of security that it's all in check, right? 'Cause they - you know, this is kind of their domain. They feel that it's within their comfort zone, and then maybe they neglect, actually, how serious something like this could be, where they feel that, OK, we've actually - even if we've got an email system in place, in the instance of phishing - we've got an email system in place. We feel like it has the appropriate security controls. But then we miss out the elements of actually making sure that the person is aware or is trained, is provided with the assistive technology around them and then also feels that they're part of a security culture where they can report these things. So I think that's also an important factor, too. 

Dave Bittner: So one of the interesting results that came through your research here is the impact that stress and fatigue have on workers' ability to kind of detect these things. 

Tim Sadler: Yeah, and this is a really, really important point. So 47% of employees cited distraction as the top reason for falling for a phishing scam. And 41% said that they sent an email to the wrong person because they were distracted. The interesting thing, I think, there is that - another stat that came out from this - 57% of people admitted that they were more distracted when working from home, which is, of course, a huge part of the population now. So this point about distraction seems to play a really important factor in actually the fallibility of people with regard to phishing. 

Tim Sadler: And then a further 93% of employees said that they were either tired or stressed at some point during the week. And 1 in 10 actually said that they feel tired every day. And then the sort of partner stat to that, which is important, is that 52% of employees said that they make more mistakes when they're stressed. And of course, tiredness and being stressed play hand-in-hand. So these are really, really important things for companies to take note of, which is, you have to also think about the well-being of your employees with regard to how that impacts your security posture and your ability to actually prevent these kinds of human errors and mistakes from taking place. 

Dave Bittner: Right. Giving the employees the time they need to recharge and making sure that they're properly tasked with things where they can meet those requirements that you have for them - I mean, that's an investment in security as well. 

Tim Sadler: Completely. And I think what's really difficult is that security is serious business. No one would doubt or question its importance. It is literally mission critical for companies to get right. Some companies take a draconian approach when it comes to security, and they penalize or they're very heavy-handed with employees when they get things wrong. I think, again, it is really important to consider the security culture of an organization. And actually, creating a safe space for people to share their vulnerability from a security perspective - things that they may have done wrong - and actually then having a security team or security culture that helps that person with the error or the issue that may arise versus just creating an environment where if you do the wrong thing, then, you know, your job, your role might be in jeopardy.

Tim Sadler: And again, it is a balance because you need to make sure that people are never being careless, and there is a responsibility that we all have in terms of the security posture of our organization. But what this report shows is that those elements are really important. You know, we don't want to contribute to the distraction. We don't want to contribute to the stress and tiredness of our employees. And even outside the security domain, if you do have an environment that doesn't create a balance for your employees, you are at a higher risk of suffering from a security breach because of the likelihood of human error with your employees. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: I really liked that interview. Tim makes some really great points. The first thing he says is at Tessian, they believe that people are prone to mistakes, right? Of course we are, right? But why, in the real world, do we act like we're not? That is what stuck out to me immediately - the fact that Tim even needs to say this or that somebody needs to say this, that people are prone to mistakes. We act as if we're not prone to mistakes. And then the driving analogy is a great analogy, right? If everybody does everything right in a car, nobody would ever have an accident. But as we all know, that is not the case.

Dave Bittner: Accidents happen (laughter). Yeah. I think in public health, too - you know, I often use the example of, you can do everything right. You can wash your hands. You can, you know, be careful when you sneeze and clean surfaces and all that stuff. But still, no matter what, every now and then, you're still going to get a cold. 

Joe Carrigan: Younger people are more likely to say that they've made mistakes than older people, and I agree with Tim's speculation on the disparity of responses across age groups. Younger people have less to lose than an older person who might be more senior in the organization. I also think that an older person might be more experienced with what happens when you admit your mistakes. 

Joe Carrigan: And that comes to my next point, which is culture. And that is probably the single-most important thing in a company. And this is my opinion, of course - but this is so much more important when we get to security. It needs to be open and honest, and people need to absolutely not fear coming forward about their mistakes in security. This is something that I've dealt with throughout my career, even before I was doing security, with people making mistakes. If somebody tries to cover up a mistake, that makes the cleanup effort a lot more difficult. And it's totally natural to try to do that. You're like, oh, I made the mistake. I better correct it. If you don't have the technical expertise to correct it, you're actually making more work for the people who have to actually correct it. 

Dave Bittner: Yeah. I also - I think there's that impulse to sort of try to ignore it and hope it goes away. 

Joe Carrigan: Right (laughter). That happens, too. I find this is interesting. Men are twice as likely to click on a link than women. Older users are less likely to click on a link. I think that comes from nothing but experience. You and I are older. We've had email addresses for years and years and years. I've been on the Internet longer than a lot of people have been alive. I know how this works. And younger people may not have that level of experience. Plus, I think younger people are just more trusting of other people. And as we get older, we, of course, become more jaded. 

Joe Carrigan: Tech companies have a false sense of security because this is their domain. That's one of the things Tim said. I think that's right. You know, that's not going to happen to us; we're a tech company. Things are still going to happen to you because, like Tim says very early in the interview, people make mistakes. 

Dave Bittner: All right. Well, again, our thanks to Tim Sadler from Tessian for joining us this week. We appreciate him taking the time. Again, the report is titled "The Psychology of Human Error." And that is our show. Of course, we want to thank all of you for listening. 

Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.