
me about five seconds
Okay, go. Oh, hi, I'm Dr. Paula Campbell, and just kind of context: I'm a research psychologist at the Campbell, and one of my specialties is understanding users and helping to inform design teams to create their products and processes with their user mindset. I security operations manager, researcher and enthusiasts; I do training and teaching. So the concept today is hopefully military forums why are here interested zoom is we're going to give you some ideas on how to develop kind of processes and security training so that other people are more willing to follow them, and kind of a big point is: you can't make people do something, you can just try to get them to walk to yoga
so the plan is a little bit of construction into changing behaviors and then what the possible assets you have and challenges you may be facing and then we're going to go through a kind of four principles of changing behavior great to the principal's look every bit of a theory why common practices might not be working and then how to make it work successfully these you know theta T sequentially is not actually do one then two then three or four people are messy you can't tell you to do XY and Z and all of a sudden everything pop and we wanted to do I can't do is these are concepts you can follow and that will give you an idea on
what's a changing test and aptitude or behaviors you can get other people to do what you get people which is big point of next month things to remember you can't make people do something it may not like I'm overstating this but it's a really important concept because you can't
you can't people to do something. If you try, not only are you going to fail, you're going to ruin your relationship with them in terms of professionally or personally. If you tell people you need to do this and this otherwise organs like your data otherwise you can get come here to get infected the world looks blowed your laptops and it died and I can't fix it because that could happen; when they screw up and you fix it, you have just said, well, actually what I just said about warning you doesn't apply. You've just lost a lot of credibility, and it's really hard to get credibility back. Another thing you remember is you can control your behavior; you have to change
if you want other people to change, and not like personally as yours personally, but that the point is to change what you're doing in your interactions with them. Kind of bridge tires concept of a security mindset: you can't export the security mindset, other people don't think that way. What you have to do is take on a user mindset, which is how give you some steps on how to make that happen. And finally, change is a long-term process. You can't just do this once and then everyone will do what you wanted to do. What you have to remember is it's not just you're training somebody to behave differently, and you're training something behave differently in a world that is
constantly changing security procedures you have in place today are all they are gonna be the same tomorrow or next year so you have to check in make sure that what they're doing is still to what you're trying to get them to do and that maybe they're doing exactly you told them last year but that's no longer relevant so you can't just develop a procedure change as one interaction and all of a sudden everyone's can do it so just keep in mind that you have so assets challenges we have as it's probably security expert that's why you're here that is fantastic you know the stuff you're probably providing some sort of security training or information to
people and you want to know how to do that more effectively. Also, for whatever reason, your users are required to follow your security rules; they may be because it's a legally for a minute company requirement or whatever they want to follow. On the flip side, you probably don't have any direct authority, and by direct authority I mean you can't fire them if they don't behave securely, you probably can't give them a raise if they do behave securely. That's a hard thing. If you could do that, it's much easier to make people do it get people to do with it convince them to love to do that. Okay, it is an important distinction to me at least. You're probably not picking your
users are; you can't say, I'm just going to work with this team but ignore all these other people to company, am just going to work with the legal department because this is a legal requirement, they will want to behave securely, but I'm going to ignore all the CPAs, ignore the designers because they don't get me. Probably don't have that option. Your users are not security experts, and this is not only on the house security experts, they don't want to be security experts. They're not interested in being security experts; that's why I'm not even security that's the other don't have to not scare for example life and other things. Now maybe one of your CPAs is really just in
cryptography thanks to, like, a World War Two history buff. She's the exception, she's taught the normal people. Most people aren't really interested in security and don't want to become experts. And the other big challenge is the pop security culture, like pop psychology, security culture that communities they think that hacking on the show 24 is accurate because that's how it's portrayed in the media. Hacker goes for games that's how this community works. They don't know any better, they don't want to bet this will affect in a show, why would they know any better? This isn't their field. So just that's one of the things you have to remember is you're the experts and you're trying to
talk to not experts and so instead of trying to get them to change you have to change with you okay so for each of you is like I said we're going to go through this is overview what the plan is testing I'm going to talk about the three turned out good challenges you're probably freezing solutions so the first thing is good here is your testing some pho nomenal you got to make sure that security the procedure that you're giving them the ideas are ones that you follow and can call not just once what they are things you do I mean how often do you deal with the process it's like that strictly backup I had
your back Attorney how many if you guys do your backups every didn't do the father grandfather side we know which both do it so many people actually follow your own procedures I think it's just one of those things that we know it's best practices we don't do and we expect other people to do it that's I mean that it's just so we understand we get understand that we're asking people to do things they don't necessarily understand why might that explain that we're going to make sure the damage that we're doing it it's easy for us or at least if no this isn't a test like if you can be bothered to do it that means it's
okay it just means it's a baseline if you can't be bothered then it's too hard if you can't be bothered it may still be too hard but that's a quick easy way to test so here's one of the challenges one of the most glaring examples is recently able to do is if you've been cleared the site's apartment but recently in Afghanistan there was a couple years ago they had a potential walking or somebody who knew and he you know they have this really good lead on the guy and then a whole bunch of think this at the CIA Afghanistan beans they have security procedures call you must follow these these are life and death you've got to
do this that I'll watch it awesome let's pull this guy you know he didn't want to pull the security procedures, it's okay, he'll be cool. This is the largest loss of life in CIA history. People who bet their lives and security procedures couldn't be bothered to all and it constable imagine what it's like for somebody who they're, they're following security procedures, their only consequence is you're getting pissed on. They don't see anything else; they're not betting your life, they're not betting any, there's no consequence to them even the concept which gets bonamo security people don't. So how do you fix this? Test your procedures. And again, when I say test them, this is a behavioral change you're looking at
don't just try it once and like, yeah, I can totally do the father grandfather content color I'm not a person it's not easy. You don't do that once and walk away. Do it every day for a week, and if it's a one-day thing, do that for a month. If it's something up that you have a lot of asking people to log out of the computer every time they stand up, do that every time you stand up. I'm going to compel fee every time you're not believe to go fix something, sign out and log back in. Just see if it's too much of a bother. If you can't do it, they sure as hell aren't. And then also learn
about what your users are doing you may be sitting at your desk all day they may be getting up every five minutes to go help somebody they may not have a desktop computer they may not have they may be doing effing through mobile devices talk to them and ask and especially if it's it's gonna be hard how do you just said depending on your culture you can just send me mail hi I'm trying to work on this so I am can you give me five minutes and answer like these questions how long do you sit at your computer how often do you get up what the course is all depending on what kind of security
procedures are putting in place, but just go talk to them and find out what they're doing. Love to help if you present it as: I need a few minutes of your time because you're an expert on what you do and I'm trying to help you; if you give me five minutes I will make your life slightly easier. Very few people can't be bothered to do that, or at least they feel good about asking your giving kind of positive encounter with security, which is an important thing to have in the culture of changing something. So there's always going to be things or even they still have to do something and it's too much work. That's, that's going to be the case sometimes
they don't want to do it, but you still need to have this procedure in place, and in that case do what you can to minimize the impact and reduce the amount of work they have to put into it. One of the classic examples is, everybody gets, Microsoft gets a lot of stick, but some things they've done very well. One of the best things they've done is automatic backup for work. How much effort has that saved people writing a thesis, writing stuff? Everyone knows you're supposed to backing up. Ah, I just lost my thesis, it used to be an ongoing joke, I mean there's their movies, but I lost my thinking how am I going to get it back
I'm night backup backs up every five minutes. All right, it's not perfect, but five minutes, 30 minutes of a backup time for your work process and I'll give it this way better than oh my god it's gone. So Microsoft realize that people aren't backing they took it upon themselves to do it for the users seamlessly in the background. Nobody's complaints they get because of automatic backup is mostly because it's not working, not because it's working too. I mean this is a perfect example: just take it off if you can take it they use of the plate. So the next big concept as part of this believing in seamless segue into reducing their work, so the concept: make their life easier
the challenge is security is a burden, that's just a problem with what security is, and solution seriously just reduce the amount. So a fairy um users don't think security is their job at all, not even close, and in an ideal world security is just an asset, like the Microsoft for example: the users literally have to do nothing and everything is just a little better. That's an ideal world you cannot live in time. So they conceptually they just don't think of secure get the job. If it crosses their mind at all, that is totally somebody else's problem. If security crosses their mind, it's your job, that's what you're there for. And as once you ask somebody like we do this
via more securely, what you can be doing is basically asking in a way, hey, I need you to do this to make my life easier. So adding a cost to their life and their work, and it cost is time, physical activity or a mental burden. If they have to think about it, that's a cost, and it doesn't seem like much because that's the world you're steeped in. Security is so important to you, here you care about it, it's interesting, probably one of your hobbies. Forget that. If that's not my interest, you're putting a lot of work on my plate that I don't want, because I have my own job; now you're asking me to eat yours. That's not going to happen. So
the challenge here's just some tasks at the compensation benefits specialist together this is the stuff you're thinking about on say a daily basis in terms of just their work life this does not include the fact that they need to get the furnace fixed or they're not putting to all of this other thing and their personal life or anything outside of their hobbies this is just the crapper thinking about it so when you add security what you're trying to do is so this is your life and all the different priorities you have but I need you to do this that doesn't you know this you probably try it if not in sum up not integrating some other topic I really care about
this thing and you don't care um conversation like I love them no never cares but me all right I'll stop talking yeah unfortunately you want them to do something about it you know this approach doesn't work so one of the other challenges and you're probably facing it is tell me what all the future benefits they're going to have what you're telling them in a way is here is now and you can go to this effort you can get all these fantastic benefits of secure backup your data you're not gonna have a problem later this is fine for now but it's kind of hard to understand the benefits of security are especially if you're not a
specialist like if I don't back up my data it'll all go away maybe perhaps under these specific circumstances but under these other circumstances you can actually fix it for me so as far as i am the user i'm concerned sometimes this matters and i have no way of telling which way or not and most of the time you'll just fix it it's pay me but for you again i'm putting in the effort as far as I'm concerned and saving you time that's not my priority the other thing with this image is if the imagine it's not benefit of securities benefits of working out right now today Wednesday getting up in the morning early on Sunday I'm totally
gonna go jog, that's the thing I can do, will reduce my risk of health, it'll all these fantastic things, all the better, all the social things I want, all the things my doctor's been telling me. That was again nebulous Casilla but here in the bro Saturday or Sunday morning, no, I really getting up right now in six in the morning, the effort seems way too much to get out the bed, so I can't see the benefits anymore. And especially in the benefits are so nebulous that this little black bar gets bigger and bigger and bigger as I get closer to the I actually have to do something. I don't want to get up and go jogging, I got us a blip you
know there's a lot of legitimate research that most people know about health benefits a regular exercise they still don't do that is there life and death moment in a kind of conceptual scheme we're not talking about life and death we're talking about more work for you I'm really not that worried about it as user so that's one of the big problems you are facing all right you know this is not news so how do we fix it make the black bar smaller reduce the amount of effort so even i guess it's closer to the time won't have to do something i can always see the benefits as they're related to it is always about me the user and
that's why I mean by the user wants it this isn't about you as so do the analysis of security costs and benefits photo you're the experts is what you know figure it out again things are nebulous and I'm just throwing that up there just do bad I'm sure it's really easy and there's this a big list you can go check online like I have comedians totally got this everything I need to know that exists but you do know what's relevant to your company did you know what's relevant probably to some legal standards you can access that information you do know what the security threats are or can find out or learn from this kind of thing you
know the you also have to do the difference between the cool new threats you've heard about and cool movements that are out there versus what is actually going to be a problem for the users. I mean, all right, almost cool SCADA stuff that's coming out, all the coast and stuff; you work for a non-profit we r is less there's none, there's no SCADA stuff in there. They don't have to worry about it; don't put it on their threat list. Where where does it target for your users maximum and
so just keep in mind and do that for them. And as part of that, identify the key speakers; don't overload them with a big checklist of too many things, because they don't know how to identify which is more important or not, and they don't want to learn that. So reduce it, and I mean a few, I mean three or four at most; four is probably too many. Three things they have to do. So as an example is we gotta come into first everybody is the cinema SANS 20 best practices for security. They're good press practices though geezer's gonna fall 26 that specific points, it's not gonna happen. So what you've got to do is be the expert
make it so that they make yourself available present it when people come to you with questions you answer the dumb questions well answer the what is a mouse where is the difference between click and double-click when I use one when I use the other one answer the basic questions to set yourself up as the guy who knows security and is helpful not the guy who you know security and every time I talk to him it's apt this answer the questions so solve the problem and it's worth it's been effective for and my company that they account you know the capacity the questions and this you're asking you to better questions and then you expand on
them you give them a little bit everything you present a little bit more knowledge just a little bit more each time and they keep coming back for more and suddenly it have any questions about security is this you know if there's a good link to click on what is a spam email look what is this crap even they bring that to you before they click rather than turn add the second part of that is once they've clicked don't feel high political Japanese proverb is fix the problem not the blame don't go after them about them doing some things don't tell them you've done something foolish quietly thicket go into the closet is required is what they've done make
sure that it's a result as best you can and make sure that they're not feeling that we're trying to you, because you don't want to deter them from reporting security incidents. There are people out there who are interested, not many, but if you can set yourself up as a repository, somebody who's worth contacting, more people will come to and you will get more information and information earlier in the problem rather than how can a 50 machines have been compromised like and only one person reported in G notice that the computer was shut down the last three weeks auto itunes to screw that. Make sure that your don't blame them, don't make it their problem or their
fault it's you we have and another is to make a conceptual model is to help reinforce to the users they think of it a demeanor innovative it's a really old metaphor but there are good neighborhoods in bad neighborhoods if you're going to CNN you don't have to be as worried as if you're going to your favorite dodgy website hacker downloading where is a little bit more careful here be less careful here that way they're not in total panic mode every time there on the internet or as we've discussed later slides and this is a good example of three things anyone can remember to do if I'm confused as security if I ask scary Steve a question they're
not going to make you feel stupid they're going to answer it and also like no fault reporting like if I tell them something bad happen I'm not going to get a lot of crap board they'll just fix it for me which means that I'm more likely to ask security because we're building again ongoing thing frost yes what happens if your fix is not what they like because I wipe and rebuild computers when they're at I do about 80 or 90 a day so I'm not well loved in my organization because I'm the guy that says sorry I'm ugly for their stuff that's the problem that the problems that's our policy is you know no it's it's faster
to do it that way or spend three weeks wipe and cleaning each one and rebuilding it from sort. No, it's just faster to flush it and you're somebody. Yeah, that's does able to involve two it's easier for us and well your third complaint was like, here's a new computer, I'll get you your got it back it through a couple of weeks. I mean this it is an ongoing problem, it's something that you just we just got work up in I get the education of why I'm doing this and making sure that your coming to me with I can get to your good stone. Anytime you kid anytime you can lower the burden on the user through your
actions that's the best you can like if you could pull off their pictures before you wipe them rebuild if you can do any of the little little gestures go a long wait this one little tiny gestures Bob I'll get your pictures back and the hallway that rebuild it I'll get you you do know that that report that was due on Wednesday in 30 minutes that'll come back first and then we'll start you're getting your new process so anytime you can make their burdens smaller a small favor as part of this is kind of an impact I know this is terrible unfortunately this is the only way I can do this I realize this is upsetting and bad for
you because this is your computer and all your stuff but it's like I said changes of process if you really want people to behave differently you have to start and I don't know your specifics get to that later and I can give you some more advice yes
Rosemary's okay without making it sound like a lecture or you stupid, you should have been doing this. It's, this is a terrible thing is something that you can use yeah sign that this happens open on you can just double click your Y Drive and help book it's all there go. He already put this in more detail later. So the next step and kind of the principles is use the right language. The theory from I seriously hope you understand the problem of not speaking a correct language; it's like going to Portugal demanding they speak Japanese. Actually that's probably really bad example is a lot of it. Okay, and then the solution is minimize your jargon. So the theory:
you're in Rome, live the Roman way; if you are elsewhere, live how they do there. Like I want to revisit, you're trying to bring a security mindset to some extent to people who don't have one, don't want. Instead of doing that in a way that's forcing your language and culture on to them, learn their language and culture and then present your information in that way. That is way easier to stay. So we have some steps; these are actually number in order, this is how they should be done. So over you minimize your jargon, it's kind of a key thing. So you want to identify your jargon, you want to remove we can
replace if you have to, and the last resort, keep your jargon but explain it. So what do I mean by this? Step one: identify our jargon words. Now this is a tough. You're experts; jargon is fantastic when you're talking people in your industry home, because you're waiting faster way of communication, it's way more efficient. That's why jargon exists. It is a wonderful way to speak quickly and intelligently on a topic of interest to people who are all in the same industry field, so it's fantastic. But it also means that you're steeped in your own culture, and it's hard to step out and realize what words you're using that are actually jargon: phishing, spam, spear phishing. These are all jargon words, basically very
specific things to you, probably don't mean like most people I actually they don't mean that to most people. So first step is figure out what you're saying that is actually jargon. And we've identified jargon words, these are examples for today. To remove the jargon, get rid of the words because American using so replace it just remove using phishing, spam, jpg, no, just emails you can ignore. The CPA seriously does not need to know the difference or what those knee is, just emails you can ignore. Yes? We actually have very specific language that we use for this, and the reason we don't use things like emails you can ignore is because I work in a university
and emails you can ignore includes emails from the students if they decide to their spam, so we say malicious email, and it's actually a lot simpler. It also means it's easier for people to identify it as malicious and that someone did something bad using a computer. I, I'm, you know, I'm just going to call you guys out on this: none of my users are that dumb. I'm saying it's a different feel I am not enough it's again that you're you talking about academics; I'm not always working with people who have necessarily a high school education. Neither mine. Yes, I was working with academics. Don't assume; our staff are composed of everything from mailroom all the way up
to high-level PhD, so it's always context-dependent. Yeah, use whatever terms you need to be, fair enough. And they don't have to know the difference, I mean no number give North have to know the difference where the specifics between hacking and cracking. Well, the term attack is kind of useful for that, don't you think? My foot in that again, remove the jargon, make it so it right wouldn't go with that we're just, we're just pulling up to the most generic so for you details okay fine, that's the term that works for your, you're not saying phishing cuz fam yours English casinos you're doing this already, yes, that is fantastic, I'm excited what happens, I'm not kidding,
whatever language works, that's the point. These are the, and this is, yes, very obvious, but if I understand that I can translate that pretty easily in another language not any less features. Who are you talking to, why are you trying to talk to them: keep that in mind whenever you're developing your language. Yes, perfect example of another. So another thing, yeah, so the next up Weaver go too dirty words but sometimes you can sometimes be just replaced if you don't want to remove jargon words entirely. People are already using terminology that they know and want you but except pop culture version. People don't, in general don't care about the difference, for example a phishing, spear phishing, it's family it's just
it's technically incorrect, and I know that's probably got a dragon us a lot, except that this isn't about you. As soon as you start getting into discussion of technical specifics it ease you are saying this is about me, in my field, this has nothing to do with you, and that's the opposite of what we want to do. Is all about your users right now in this concept, in this world. If you say well actually, means I can start ignoring; those two words, I can be just as donate because you're gonna go on about something and eventually you'll get back to the point and I can start packaging. So just remove the terms. So, so one of the examples that comes up in
pop culture again is Prabha from the Mythbusters I'm sure number of people welcomed with leicestershire they actually got a joke it's like well they're talking about the exploding pants episode who's ever seen them I'm talking about and they booked up this guy and begin to a fairly technical discussions but whether or not the pants actually exploded it's like well no it's just an incredibly fast burn okay technically correct but you were in a pair of pants that disappeared ball of fire and under a second thanks Floyd you're going to touch I mean if somebody hit me that a conversation with guy who said my pants explode actually no that was in fact incredibly fast /
no move on thanks book even actually will discuss it to see in accuracies it wasn't effective it was the filter who had that conversation minor technical accuracy moving on to the point of the story that's the key
so this is kind of again the third step. If you want to get about you can remove it as much as you can and create new jar and that's what jargon is for. You can't do that; people things already being used in the comment own. Just accept that you have to be technically incorrect, and then it gives you a fantastic opportunity if somebody's like, holy, I thought this, I thought phishing and spam was slightly different. It's the xkcd comment: yes, that is in fact true, and now we're going to learn something fantastic, and I will scale the enthusiasm can be appropriate to how much information you want. It's the same thing as talking with people
who are of different ages lucky do a pothole that is not the same conversation you're having with your peers
you know, these are all skills you have, you know how to do this, just thinking about it in a different way and applying what you already know in a different context and your ways of doing it. So finally, explain the jargon. Sometimes you can't get rid of it. Sometimes you're having a conversation and jargon fights jargon; you aren't the only people who have jargon, everyone does, and there's a lot of where the native language we repeat them along. So explain what you mean if you have to. So this isn't just a silly example that actually happened to me recently: as I was getting ready, I was doing a bunch of bullies can, I was up at
the change window and my uncle's calls me, who is a dentist right boy in school, and I told what why are you still up, it's very clock in the morning? I'm doing some scanning. How many pages do you have to do? Yeah, no, no, a little bit different. Perfectly reasonable explanation, same word usage, yet no, actually doing something different, I'm doing books. But again jargon in our keys totally different concept, didn't realize that was going to be problem your cousin. This is a little harping back to talking to your users: if you can learn their jargon, use theirs instead of yours. If you're talking to a lawyer and you use IP, you better be meaning intellectual property. In my
world, I/O does not mean input/output, it is something entirely different, but when I'm talking to you I'm not gonna say I'm an I/O psychologist because that makes no sense. My collages yeah exactly no sense whatsoever. Change your language depending on, and if you get a chance of learning theirs, just use their language. Yes? Speaking with, what is I/O in your jargon? Industrial organizational psychology. Yeah, not any clothes. Another example:
this one just amuses me because it happened Monday I was talking to somebody about giving this talk and they said yeah they were doing going to its really interesting thing talking about happiness yay wow really yeah there's this he works for amazon and as you may know amazon just got a contract to host cloud data for the CIA hacking in the general population apparently means a brief overview of what this is happy is it going to show up for an hour and learn what this means for amazon oh that is not at all what I thought you were talking about you said a word I know it does it mean what i think it means let's ask that's the last step
when you're trying to get people this is the conversation that's what you can have these fun moments. If I'm trying to convince you to behave a different way, this is not a conversation we want to keep having, because it's derailing, it's completely off topic. You want to keep it focused because this isn't big drop; you want to reduce the effort on them, and having to have a long, fun as it may be, conversation an average a bijective security probably as a kind of a list of things to do, and they've got all that other crap to worry about. All right, so finally cleaned out scary hairy here versus good behaviour. The challenges your decisions
solution explain what's going on don't just people
so explain outs here this is good again jargon moment in my world this is the arousal behavior in the computer notice I don't have that listed why would you remember the point and the name this is just saying that depending on where people fall on fear their behaviors will be better or worse in terms of one security and if they have no fear they don't understand what the challenges and problems are I'm no security behaviors are crap because they don't think there's wrong I'm just gonna go do whatever it isn't doing it nothing bad can happen to me this is a bad place to be when they're too high and they're afraid of everything they don't know how
to decide what to do because everything means that they open an email they go to this website something bad can happen to the computer a bunch of data is going to be lost it's going to be you know proprietary information is going to get online so I'm going to steal it they're going to get fired me times they do anything the world is going to end they don't know what to do so they don't do anything that's another problem ideally what you want is to put them right in the middle meetings it give them enough information to know what to be afraid of and again these are all interrelated what should I be afraid of and that
tells me what I should do and then they're in the little hopefully that makes sense get yours bro you put it right there every time you say this is a terrible thing was going to happen and it doesn't happen here's the problem that's really tough for you guys is if you say if you follow this link something bad could happen people remember that if I following something that offended that's a very few different when something bad does not happen they move wait as you and you just lost a little bit of credibility and that's hard to get back and it's really tough because you don't but if you try to put everything in the unreasonable fear if you don't do this
you lose your job if you don't do this and that's not something you have power but that's not a promise you can keep they learn that it's not true or they just don't do anything and you haven't done anything except lost credibility it's a hard place to be and like I said there are no easy solutions this is a process you have to figure out the best steps and techniques so again solution some of them the Green Zone give them the information they need at the level they need it to make the correct decisions and that's really difficult because it also depends on your company your culture what you're doing so every what you have to do is give them a mental
toolbox or how they work in your you have to make sure that each time that you give them some tools you give them maybe to two things to do as we discussed earlier contact security and we're going to wait whatever the tools are that are the most general that fixes the most problems in your environment so one of the best to think if you had two things to tell your users they could do because they're only going to have remember from and they're probably gonna remember one from like two jobs ago so if you might get 3x but think of the deal the mental toolbox is very small you don't want to give them a specific one
thing I didn't want to give them a diamond great that only works on this one this one situation you want to give them this one because it works most of the time and the special stuff you can really give them to 83 that is the most generic most useful and I can't believe with that you're gonna have to look at your environment and figure what's best for you for us we use a security if there's any problems just come to us first come get call item no matter what it is calling but some of the stuff has been you know we're getting so it's been really useful in that we cut things really efficient because Colin if there's anything
but don't give them too much don't give them a whole bunch of things that are very specialized give them a couple of big things that they'll remember the same thing giving some new dimensions if you're asking how to get somewhere and somebody says we could do this route with from left here do this or you can do this other routes like why do I need to I don't know anything I'm trying to get from A to B give me one route that you know will work good enough if you give me a second option I'm just going to complete the two and get confused lost and then have to go do something else and I'm not going
again these are all things you know how to do it's just harder in this context because benefits and security is really nebulous and it's really a specialized field obviously guys do and you're trying to convince somebody isn't a specialist it doesn't remotely specialist how to think like you
so one of the examples of the fear thing is the TJ Maxx breach her brittle diversity of experience possible this is the big biggest breach PCI data terrible the other thing that's going to happen I mean a bunch of news stories came out will they you lose 75 percent up there because this breach oh my god this is good you know holy and we're on the graph this is a kitchen back to stock prices over the year around the breach we figure out where that will every comment happen there so results after the breach so if you tell your your users you don't want to be like TJ Maxx right you look at that graph and to a business
business analyst and say whom the breach happened there after the breach your stocks going up thirty percent I do look that to me hello can we have a couple I mean where's you going to put in their context the fear and the result it was TJ Maxx respond is there there there breach did the right things and what people remember was TJ Maxx was in the news by something they couldn't control they responded to it well not many people got their their credit card stolen they did all that they did all the right things all the background procedures worked TJ Maxx come on up better than before it's a bad example of do this route it
but if you do this you'll end up when TJ Maxx I remember one of my managers was try to sell that to it to vp at the time looks that this goes dumb that's why we're going to supply review this Bentley and security we could end up with the difference in stock right make sure you know if you're predicting the future you're right we go to the four steps so any general questions or
we made perfect sense every one ever knows Becca there how do you address the manager users that are keep looking for more specifics or details and you don't know how to keep going without getting technical that's the thing if they're asking you then get technical like they just said please fill me with your jargon then yes if if you get technical and then they're resisting the jargon is that what's happening yeah like the key I try to keep things pretty you know my level and then they're like asking for more details and I keep going and I can see you they're not glazing over they're getting frustrated and it's just like I like I'm trying to go through all the
different ways of how I can say it differently but nothing's getting through from what I've had luck with is uh except a limiting factor they accept my don't use a lot of acknowledges I've been analogizing stuff I'd like to talk to a lot of doctors it's like what's a firewall it's like a it's a surgical mask good stuff comes out I stuff can't come in huge oversimplification but they've got I mean just any time you can analogize with their specialty it shows that you understand it shows that you're working with them and they'll get the high-level concepts and you can start kind of rolling the analogy farther and farther and then it'll break it it'll clearly
bring down at some point but at least you've got them farther than and also if they're asking for details and then you start giving them details and they glaze over check back in and like okay I have done this one guys obviously I did not answer the question just ask let's try me what do you actually want fear what they actually want to know because we've never saying technical details they probably are referring to something else because when you give those don't care so part of an ongoing conversation okay I can tell I mean this is what you want i want you try to find out could you play this is what I think you just ask
me is that correct and it's good a basic skill you have this just practice it again I guess analogies and double check as soon as people glaze over like all right there's a miscommunication I thought it was answering your question I'm honestly not let's try this again what do you actually want to know because I misunderstood and again its presentation it's not there's a miscommunication jerkface and there's an I obviously misunderstood it doesn't hurt you at all today okay hang on hang on I am confused please assist me I've made a mistake that kind of language makes them much more respect accepted and also it shows that you care about what they're doing and it
builds that trust on language of okay well you're not going to give me crap knocking blame I can come to you and get more information and in depth you obviously have the skill set go on but not what I wonder right now but if I need that I know I can go to you so if you can kind of establish yourself as an expert and one of the things about experts is yeah if I don't know that it's because I don't have to that's kind of an expert attitude which is a fun one all right so does those summary you can't make people do something I'm gonna keep saying that because you you can help them so I went there here's
the five things what you're asking first use their language reduce their work use a reasonable tone so don't scare and explain why don't want to get you remember nothing you remember this
yeah is there a place we can access the site later we put it online I think doesn't be sliced do that well we've yeah we were yeah if not I can give you a card
sorry gonna be here remember you'll remember what sticks most let's expense because it suits you at the time we are meeting to believe so if there's any other questions we just want to chat specifics will be with you here [Applause]