
Hey everybody, it's Guy McDoodfellow, co-chair of the Proving Ground track here at BSides Las Vegas. Our next talk is "Human Security Spaghetti and the Wall You're Throwing It At" by Masha Arbisman, who was mentored by Tom Porter.

Hello and welcome to "Human Security Spaghetti and the Wall That You're Throwing It At." Changing behavior is difficult, whether you're going about changing your own behaviors, like overeating or not sleeping enough, or if you're brave enough to try and change the behaviors of others, like asking your friends to respect boundaries or keeping your employees safe from impastas. Yes, there will be more puns. No, I'm not sorry.

Why is the doing part of behavior change, the actual flinging of the spaghetti towards the wall, so difficult? It's not like we don't know what to do. If I'm overeating, I should eat less. If I'm not sleeping enough, I should sleep more. If I'm trying to get employees to use a password manager, I should just tell them to do so. But that's not quite how it works, is it? Simply telling someone to change their behavior seldom ever makes lasting change.

One of the reasons that it's so hard to elicit lasting change is the G.I. Joe fallacy. For those who didn't grow up in the 80s, G.I. Joe had his own cartoon, where he'd end every episode with a PSA like "Kids, don't run into traffic," always followed by "Now you know, and knowing is half the battle." But knowing is not half the battle. If it were, all of the spaghetti we're flinging to make our lives healthier would actually stick automatically. What the fallacy is misattributing is the effort that it takes to develop and stick to altered behaviors. In fact, telling someone to change their behaviors, or as the security industry has come to term it, spreading awareness, is only about 30 percent of the full battle towards lasting change.

If we look at a human's full journey towards adopting a behavior, it's broken down into six stages. Let's take my life, for example. The pandemic was hard, and it's nowhere near over, but after getting vaccinated I felt a lot safer going about my preemptive care, so I set up a physical with my doctor. I did all of the normal measurements, and when it was time to go over the results, she ever so nicely told me that I had about 20 pounds to lose to be back in the healthier category. I know, I know: upsetting spaghetti. I'd love to pretend that I didn't know this to be true before I stepped into her office, but just by having this conversation I moved from stage one, pre-contemplation, into stage two, awareness. If we were to ask G.I. Joe, then this conversation alone would have achieved half the battle: by her telling me I needed to lose 20 pounds, by golly gee, I've already lost 10. Thankfully, we know better. I know that losing weight will take a lot more effort and dedication than a simple conversation.

Entering into stage three, preparation, I made a schedule of what Peloton classes I would be taking and when, I decided what diet I would stick to, and I told my closest circle of friends of the new behaviors I wanted to exhibit so they could help keep me accountable. Now, arguably the most difficult, stages four and five consisted of me getting my butt onto the Peloton to complete the classes, of me dedicating Sundays to meal prep, of only eating the foods that I prepped instead of ordering delivery, and, probably the hardest, keeping to only one or two drinks when meeting up with friends. As all of us New Year's resolutioners know, we mere humans tend to relapse on behaviors. For example, my biggest downfall is travel. I forget the healthy part of my identity as soon as I make it to a different city. For example, I will be traveling between the time this talk is recorded and the Q&A session that's live in about 20 minutes. If you asked me if I had a hoagie the day that I landed in Philly, the answer is probably going to be yes. But I'll slowly transition from my stage six relapse back to the pre-contemplation phase and start the cycle all over again.

Rewinding back: if awareness on its own only makes up one stage, is gained before the 30 percent mark of the cycle, and doesn't account for effort, why is it still considered half the battle when it comes to educating and training our employees against threats? It's time to focus on measurable actions that your employees take, with a focus on changing behaviors so these actions become an automatic response to the different contexts employees face. It's time for behavioral engineering. I'm lucky enough to head such a team, a team that focuses on creating cyber security culture by weaving security into each employee's identity. Our aim is to change behaviors for the better so that people do the actions that we have previously identified as effective at breaking real-world attacks, attacks that require human intervention to break.

So how do we do this? We partner with our red and blue teams, of course, to identify real attacks that can only be thwarted by behavior change. We identify what behaviors might mitigate those attacks, we measure those behaviors, and effectively we throw spaghetti until we see a positive change in those behaviors, always ready to iterate on what's not working and doubling down on what does. One of the most effective techniques that a red team has in its arsenal of attacks is capturing credentials, so we as a team set out with the goal of lowering credential capture rate. In general, in order to be successful at setting a behavioral goal, you want to be as contextually specific as possible. What I mean by that is, if you're telling your employees to "do the secure thing" or "always be alert," you're not giving them enough context to be effective. You're leaving the correct behavior up to their interpretation. Which leads me to my first rule that we live by: no impossible advice. Make sure that the advice you're giving is actually actionable. The best way to do so is to take the time to get to know your audience, understand their day-to-day, figure out if the security policies and solutions
that you're instilling actually enable your employees to do their jobs instead of standing in the way of what they're paid to do. And lastly, lean on those partnerships that you have, or create new partnerships with the teams whose programs look like yours: the benefits team, for example, that already has a reward structure in place, or the marketing team that already uses behavioral insights to funnel communication. There's absolutely no need to reinvent the wheel when you can live off the land.

Okay, okay. So if we're not telling people to not click links, what are we telling them to do? When it came to minimizing credential capture, we focused in on one behavioral goal: when your corporate account receives an email sending you to a website asking for your credentials, we want all employees to report that email. Now I know what you're thinking: "But Masha, if they report every email that asks for credentials, the blue team is going to hate you with all the false positives." Which is why we partnered with our blue team. We combed through the data, and we partnered with them to see if there were other ways to minimize corporate comms being marked as phish or spam. Not only did the blue team agree that it was best to get more reports rather than fewer, but they also worked with us to train our comms teams to use an anti-phishing footer, which allowed employees a point of contact to verify legitimacy.

With the lofty goal set, we broke our approach up into two main categories: the technology side and the human side. On the technology side, we ask questions like: are there technologies that we are using, or can use, that will make it harder for employees to give up credentials on spoofed domains, and can we make the behavior we want exhibited the default behavior that they take? There were quite a few solutions that popped into mind, like, for example, enabling email filtering so that less junk made it into their inbox in the first place, or installing external tagging so that they were made more aware of emails coming from outside of the enterprise. But probably the coolest technology fix was realizing that we could train employees to use our corporate password manager's autofill functions to spot spoofed domains: if they landed on a single sign-on page where the password manager did not auto-populate, it's because the domain was not recognized. A corporate password manager became the answer to fixing a lot of pre-taught human behaviors around credential capture. Generating passwords from within the tool ensured unique and strong passwords, and it broke the conditioned behavior of employees typing in credentials when they hit the single sign-on page. If you don't know your password, you can't type it in.

With our hero on the technology side identified, we needed to drive adoption of the password manager. That's where social science techniques came in. Digging into my analogy ad nauseam: when you're initially throwing spaghetti at the wall, not everything is going to stick. With time, and with data, and paying attention to what does stick more and why it may be sticking, it'll benefit your program overall. One of the ways we went about gaining interest and promoting adoption that did end up sticking was the use of competition. What started out as a dashboard for us to be able to track whether our spaghetti was sticking quickly turned into a tool for executives to use to bait each other. By creating a dashboard for each org that not only pointed at their own completion and adoption of behaviors but also showed how they ranked against other orgs, we created passive competition. Imagine a meeting where you're our CTO and the chief marketing officer uses this dashboard to show that the marketing org is kicking the technology org's butt. You're going to want to hype up your org to do better. You are, after all, the head of technology, and the technology team should be the best at adopting new technologies. It was great to get the passive competition done for us.

The active competition, on the other hand, was supported with the use of incentives and rewards to promote security identity. Swag was awarded for good behavior. Those that rose to the top of the behavior charts from each org were knighted as Password Manager Knights and awarded t-shirts and stickers to support this newly achieved identity. Special events were held to honor and celebrate the knighthood, and these knights became our spokespeople, or influencers, that spoke on behalf of the amazing benefits of using a password manager. The reason that we created the knighthood was specifically to play into identity: when an employee adds "security knight" to their employee identity, they are more likely to exhibit and highlight the secure behaviors that they identify with. This swag was fought over, and it became an effective way to instill culture by shifting identity.

When it came to communication, we understood that the employees' attention was a sacred and
scarce resource, meaning there was in fact such a thing as too much communication. So we had to be smart about the types of communication that came directly from us versus what was shared among their peers and what came from leadership. We of course provided what most are used to, the more expected style of annual security awareness training in the form of videos, but we made the videos fun and completely custom. Employees would see their peers and leaders participating in the Paranoids Games or on Who Wants to Be a Paranoid. The photos here are screen caps of our internal trainings, and the reason that we use so many relatable faces is because of a psychological phenomenon called social proof, wherein people tend to copy the actions of others in an attempt to fit in, which is ultimately all that we as humans want in life: a community to belong to.

To further support the community, we shifted our focus from simply training folks on how to be a secure employee to caring about them as a human as a whole, and putting effort into presenting them with real-world situations where their identity and personal security hygiene could be improved. There was a high-visibility employee who had their personal Twitter account taken over, and they came to us asking for help. They worked as a reporter with one of our brands, and it was possible that the attacker would not only use this platform to influence, or really piss off, the reporter's following, but also could use the account takeover as a step to ultimately attack the company. We pointed the reporter towards a how-to article, shown above, about recovering from a personal account takeover, and by focusing on their safety and well-being as a whole human, we got to reap the benefits of the default well-being it brought to them as an employee.

With this plethora of education, it was not always easy to understand when or where to present communications in a way that would benefit employees when they needed it most, and in order to understand when they needed it most, we needed to understand them. A large portion of what I'm seeing missing in standard security awareness programming is the lack of customized messaging. Standard practices treat developers and sales associates and HR executives and others all the same, as if their jobs are not any different, so the security messaging towards them shouldn't be either. Imagine how effective your system could be if it looked at and grouped the employees based on their security identities: the systems that they use, the permissions that they have, the types of attacks that they're most susceptible to, and so on. Using HR data and your own grouping criteria, you can do just this. Now imagine being able to hit employees with tailored communication from all sides: top down, bottom up, self-paced, and at the moment they need it most.

Let's start from top down. By asking executives to spread our security messaging, we shifted the paradigm of how our security team was seen. Executives got an email once a month with their org's progress, a link to their custom report that we saw earlier, which shows how their org is doing versus other orgs, and, most importantly, a message that they can copy and paste through email or Slack, or that they could just read out loud at their team meetings. Instead of the traditional way security teams are viewed, you know, as the bullies running around and chasing employees with a stick of new policies, cascading communications allows for your team to be seen as a partner, a partner that helps employees with the ask that comes straight from their leaders and executives.

Nudge communications parallel cascading communications, except they focus on the bottom-up approach. The reason to use nudge communications is because you can point to a person's behavior as they do it, much like rubbing your pet's nose in the business they just exhibited. You'll be more successful with humans if you can, at that point in time, show them what behaviors they need to shift. Nudge campaigns can take many forms, like, for example, email alerts, or application banners or pop-ups, help chats in consumer websites, or language-based Slack messages that fire on keywords. In the example shown here, you can see what happens when a user types in "phish" or "phishing" or "susceptible email": the Slackbot reminds them how and where to report those emails. Similarly, when they type in "password" or "password is" or "password:", they're reminded not to share credentials over Slack and instead to use our corporate password manager to do so.

With all of these customized communications, it was also super important to provide users a way to personally benchmark their progress. This dashboard is available to all of our employees and is created to look up their specific adoption or susceptibility scores, to provide them with the whole picture, specifically when looking at the
security behaviors that matter most to our team.

Alright, alright. I just threw a lot at you. That was a lot of spaghetti. Are your knees weak? Are your arms heavy? We've made the behaviors we want the easiest ones to exhibit. We've employed technology to help reduce friction. We've enabled employees with different types of communications that are custom to them. And when we threw the spaghetti, found what stuck, and served up a hot plate, we noticed a trend. If you look all the way to the left of the graph, the start of our journey, we started with the traditional security awareness approach. We told our company that we had purchased a corporate password manager and that everyone would get a free corporate and personal account to use. We even told them twice, and sure, there was some adoption, but the line was pretty flat and the climb was slow. Then we made the behavior we wanted as easy as possible to adopt: we installed the corporate password manager on all endpoints. Now when employees went to look for it, they didn't have to go through the hefty installation process, and instead they could jump straight into learning how to use the tool. Over time, the adoption petered out again, and it wasn't until we launched the behavior dashboards that we saw another huge spike. People were talking about it. They wanted the swag. They wanted to do better than those around them. The biggest improvement, though, that we saw overall came when we enabled executives to lead the messaging and provided nudges as employees exhibited the wrong behaviors. As you can see, telling people to do something was nowhere close to as effective as actually enabling the spaghetti. When it came to the adoption of our corporate password manager, behavioral engineering made a much bigger impact than the standard security awareness approach. And thankfully, the spaghetti is proven to stick among all the measures that we originally baselined. Over the last two years we've seen improvements everywhere: credential capture rate has halved, susceptibility rate is down 10x, reporting rate of both simulations and real attacks has more than doubled, and the adoption rate of our corporate password manager has tripled.

If you leave here with anything today, please leave with the following. First, prioritize your own needs over what the industry tells you to be true. Use the data and partnerships available to you to figure out what your population needs most. Get to know your population. Just like you can't change your own behaviors without truly understanding yourself and what causes the behaviors in the first place, you won't be able to change the behaviors of others without leading with empathy. Security awareness is so last year. Saucy take, I know. Lean on those who understand content, who understand people, who understand data, those who can iterate quickly, and those who are not afraid to be wrong. They tend to live outside of the security industry, so don't be afraid to take a chance on them, because security knowledge can always be taught. Point out behavioral changes as soon as you can, and contextualize what it is you want to see from your end users. And if you absolutely forget the last 20 minutes and really only leave here with one thing, please teach those around you and yourself to use a dang password manager. Thank you.

Hi everybody, I'm here with Masha. So, did you get the hoagie?

I did, in fact, and I'm almost embarrassed to say that it may have been more than
one. More than one.

Oh man, you're ambitious. What did you get?

A South Philly Italian sub is what they called it, and it was delicious.

Gotcha. All right, well, we've got our first question from Gabe in Discord. Gabe the engineer: how did the stages of changing behavior align with the sales funnel?

Fantastic question, and I think Gabe asks this because he knows me and knows that I have a background in marketing. So tricky, Gabe. Gabe is actually the reason that I was featured in this year's Verizon DBIR. If you haven't checked that out, it's a very good read all the way through. Gabe, I don't actually think that the sales funnel maps directly onto the stages of behavior change, but loosely speaking, your top of funnel, which is your marketers, would be looking at stage one and stage two, so pre-contemplation and contemplation, kind of gaining the awareness of the product. The preparation stage I think would be kind of split between your top of funnel and your middle, so somewhere between your marketers and your business development reps. The actual action of either scheduling a meeting or possibly buying the product would be somewhere between four and five, and then your customer success team would be really, really important in keeping people from relapse and kind of re-signing on with the deal.

Okay, makes sense. All right, next question. Let's see. I was in a cyber camp just yesterday and they were telling me never to use a password manager. Why and why not?

Oh my gosh. Go to a different cyber camp. I'm so sorry. The best thing that you can do for yourself in terms of password management all around is to use a password manager. I like to think of a password manager the way that you think of a safe at home, where you're literally putting all of your most important luxury items, instead of, say, perhaps scattering your luxury items around the house hoping that people don't find them. A password manager is the best thing to do simply because that tool's only job is to generate important passwords and save them, so your brain does not have to do the action of trying to create new and unique passwords for absolutely every single thing and remember everything.

Trust in our tools, right? That is actually something... so my wife is an education professor, and she refers to this phenomenon as something called distributed cognition. So basically you're offloading part of your brain to do something else. That's why we have books, it's a way of paper, right? And this is just yet another tool for that thing, right? We suck at remembering passwords, we suck at being sources of entropy. Just use the tool.

Yeah, yeah. Attention is very, very scarce. Don't overload your brain.

So Gabe has another question: was the progress over the two years linear? Did it taper off or speed up?

Yes, it did taper off, it did speed up. Really, if you go back to that one slide that I pointed out, where it was a graph that went up, you can see the different places where different campaigns had more of an impact. Thankfully, over time you can map a linear progression, though there are very obvious places where it kind of looped.

Is it more like a punctuated equilibrium? So you'd have periods where it'd be slow, and then everything started happening at once, and then...

Exactly, exactly.

Okay. All right, that's all the questions we have at the moment, unless I see somebody's typing.
So, if someone gained access to my laptop, would my password manager be in danger?

Yes, but if someone gained access to your laptop, your everything is in danger, right? And this is sort of the idea of compensating controls and layered defense in depth, right? So this is why we have full disk encryption for laptops, right? And a lot of password managers now, I know 1Password and LastPass do this, you can do a remote revoke: basically you revoke the credentials for the target in question. So I've had that happen. Somebody stole the laptop, and we ended up just using the tool, 1Password, to say just revoke all access to the vault here.

Yep.

All right, I think we have time for one more question. So easy desert gator asks: how would you tweak this approach if your audience were computer literate but not very techy?

That's interesting. That is interesting. I would not tailor the approach pretty much at all. What I would tailor is the type of communication that you give, so making sure that you're actually speaking to what your audience is used to hearing is the best way to do so. So again, I would double down in focusing on the user research, the gaining understanding of your audience, and tailoring whatever it is you're doing to them specifically.

Cool. All right, I think that's all the time we have for questions, but that was a wonderful talk. I loved it. I'm gonna go grab that paper and read it. Oh, we have five more minutes.

Thank you. Sounds great.

Okay, all right, well, we have plenty of time. So Mouse is mentioning another option is an encrypted text file; however, it doesn't offer the option of distributed access.

I did that for a while. I kept a KeePass vault on a USB stick, and honestly 1Password is so much better. I would just continue to think about it that it's literally that solution's one job to do this, so they're iterating on it over time non-stop, because it's their duty to do so. It's not our duty to kind of iterate on those processes, so I would trust the expert in this case, right?

And there's, I mean, the nice thing about 1Password specifically is that there's a bunch of features that sort of every time I ask a question like "well, there's a feature missing or a gap," it seems like in the next release they've solved it, right? Command-line access to 1Password vaults is awesome. Being able to store keys in 1Password and then pull them out and use them once for tools like AWS or Azure is really nice.

Yeah, and if you think about it on the corporate level...

Go ahead.

I was going to say, if you think about it on the corporate level, you can't really control everybody, and if your audience is the non-techie, so to say, it's easier to teach them this one thing that is much more user-friendly than it is to attempt to teach them encrypted files and whatnot, right?

Yeah, this is the best way to solve it. Okay, so another question from Gabe: what additional behaviors do you hope to address in the future?

Oh, the biggest one for me is 2FA adoption. I think that is next year's big challenge.

Okay. And how so? Using the framework, how would you, just spitballing this, how would you work on rolling that out? How would you work on using the framework you laid out?

Yeah, yeah. First and foremost, the technology solution has to fit the user base, so going through and figuring out what machines your users are using. If you're 80 percent Mac folk, I would highly suggest looking into the Mac biometrics features. So make things as dumb-proof, as easy as possible, and go through there. That's gonna be my first focus.

Sure. All right, what about things like, so, talk about tailoring to the people you're working with, what about TOTP-based systems, like on a phone, versus YubiKeys? So when would you recommend something like a YubiKey or similar hardware token versus just encouraging people to use phones?

Yeah, it would highly depend on the people and what they're capable of in terms of adoption, and it would depend on their kind of profile within the company as well. If they're more on the higher-profile side, like our reporters, like our executives, I would probably go towards the YubiKey in general. But again, I'm going to lean right back on research: research your people, research what they need, research what they use, and go from there.

Okay, so once you've done that initial stage of research, now what would be the next step in your mind?

You push out whatever technology you decide, in terms of getting it onto people's machines, making sure it's enabled, making sure it works, getting people the YubiKey functions and so on. Then it's the comms machine. It's the educational portion. It's figuring out how they learn best and catering to them. Our employee base varies so much, and the way that people learn, whether it be auditory or visual or video or reading, so being able to encompass everybody and the way that they digest information the best is kind of that next step.

And what about adapting that education as you go? No plan survives first contact with the enemy. You'll run into situations where this browser is no longer supported, or this works in Edge but not in Chrome, or whatever, right? How do you tailor your education to adapt to situations like that during rollout?

A hundred percent. It's not spaghetti, right? You basically just do it on the flow. If you have the ability to do it beforehand, by all means, please do. We've definitely had different versions of different educational articles put together to make sure that they get sent out at different times depending on when people need them, but it's all about admitting to your mistakes, or the mistakes of other solutions, and adapting as you go. The more transparent and honest you can be with humans, the better the adoption rate is going to be overall.

Absolutely. All right, thank you very much. That's all the time we have for Q&A. Thank you, Masha. This was a fantastic talk. I'm looking forward to reading the paper.

Thanks so much. Thank you all. I'll be on Discord all day.