Category Archives: Communication

Your phishing awareness campaign may do more harm than good

Phishing and spear phishing campaigns become more and more elaborate, hence more difficult to identify and consequently more successful. Crelan’s 70 million € loss, early 2016 is a good example of the potential impact of such a successful social engineering attack.

As automated security systems are unlikely to detect and block the most elaborate and targeted attacks (as they need a significant number of similar emails to trigger their alerts), security officers are left with security awareness campaign focusing on developing skills to detect (spear) fishing attacks to try to mitigate this risk. It’s logical, it’s what security standards advise you to do but watch out you may be doing more harm than good!

One of the first mistakes in this approach is to consider awareness (or communication) as a goal. Any communication is aimed at instilling a change in its recipient(s). The aim of an awareness campaign is likely to change people’s behaviour and attitude so they pay more attention to the source of their emails, their contents and the rightfulness of what is asked to them. So basically, we should first have a measure of the current situation and aimed at a certain improvement in our “smart” metrics. The most obvious and significant one being: How many people will fall for a (spear) phishing email.

How do we usually do that? Often by a combination of training, online training, posters and “homemade” phishing campaigns to measure the exposure of the company and tickles our employees. In such case, we appeal on fear. Fear to contribute to a security incident, to a fraud, to a loss of money, fear to get fired.

Fear appeal is used to leverage behavioural changes as one believe the emotional reaction caused by fear will increase the likelihood of the occurrence of the appropriate, secure, behaviour. You better think twice as, like it is often the case, devil is in the details.

Fear appeal effectiveness is still a debatable question (that’s the principle of science) but mainly because it might works under some conditions. In their “Appealing to Fear: A Meta-Analysis of Fear Appeal Effectiveness and Theories” article, Tannenbaum et al. (2015) have analysed 217 articles on the subject and found few conditions making fear appeal ineffective while effects seem most apparent in women and for one-time behaviours.

However, in a review of 60 years of studies on fear appeal, Ruiter et al. (2014) concluded that coping information aimed at increasing perceptions of response effectiveness and especially self-efficacy is more important in promoting protective action than presenting threatening health information aimed at increasing risk perceptions and fear arousal”. A 2014 study of Kessels et al. using event-related brain and reaction times found that health information arousing fear causes more avoidance responses among those for whom the health threat is relevant for them.

Still, it seems there is some consensus regarding some specific conditions to be met by such communication: the communication must provide, just after the fear arousal, a solution to allow the audience to reduce this fear with a sense of self-efficacy, or, to say it simply, we must provide a simple way for our audience to fix the issue, being an easy to follow behaviour (one that doesn’t require too much psychological and physical energy). If our solution is so complex that it will (or the thought of using it) generate more stress than the feared event, our brain will likely avoid this behaviour and deny the reality of the risk (and the fear).

Latest researches in neurosciences (and more specifically in the field of neuroergonomy) provide some guidance to shape our message and solution in order to allow our audience to easily grab our communication and adopt the desired behaviour.

Like for most communication, we must avoid to saturate the working memory. What does it means? If we receive too many information at once, our brain is not able to process it at once. It is like for a lift. If there is more people trying to enter than the lift capacity, the lift is not going to move and will be stuck. It is the same for our brain. If we saturate the place where the information is stored in order to be processed (what we call the working memory).

The average span of the human’s working memory is 5 objects or, if we use Husserl’s terminology, noema. For most people, this span is between 3 and 7 objects.

But, what is an object (or noema) in that context? If I give you a phone number digit per digit (let say: 1,5,5,5,1,2,3,4,4,6,9), it will be hard for you to memorize the 11 digits of this number, each digit being an object. But, if we combine some digits together in small numbers (1, 555, 123, 44, 69), it will be easier to remember. The reason behind it being that these small numbers are also objects (noema) for our working memory and in that case, we don’t saturate it as there is only 5 objects (so, within the average memory span).

Why are the small numbers an object and not the large one? Simply because we are used to them. If you are bone in 1980, this number can become an object (as you are quite well acquainted with it) while 1256 could require 2 noema (12 and 56).

The same is true with words. Well known words (and their associated concepts) are easier to process. It is why I put multiple time the word “noema” (likely to be a new name for most readers) with the word “object” (a quite common word and clear concept) so it can be used as an “handle” to better “grasp” the new concept of “noema”. Similarly, using the metaphor of the “handle” to “grasp” a concept ease the understanding (the grasp) of the concept.

To summarize, our solutions, our expected new behaviours, must be as close as possible to something we already know in order to make it easier to grasp.

As a concrete example, if you want your user to check the validity of an email sender’s domain name (just that concept is not that easy to understand for a lot of people, so what’s on the right of the @ in an email address), you should provide a tool available in the first level of the menu or a link in the favourites website. The best thing would be to have the information integrated in the email or at a click from it.

E-commerce websites have already well integrated such concepts. They understood long ago that if you want to have a client ordering something, he must find it and be able to order it with 3 clicks or less. You maybe know the saying: “the best place to hide a body is on the second page of a Google search”. Meaning? Most people don’t go to the second page, it is a click too far.

kittenUsing pictures, drawings (simple one, keep the 3 to 7 objects rules in mind), stories, jokes help memorizing. Anything that might be relevant to the concept or totally outstanding might help too. Emotions help to memorize. If you scare people first, making them laugh or smile with your “solution” might allow memorizing it. Go kittens! (see https://www.ezonomics.com/stories/how-pictures-of-kittens-can-help-you-manage-money/).

Also, do not forget a basic principle of behaviourism… the sooner the better. If you want to foster an action, the reward must come very soon, ideally immediately, after the action. So, if you have people clicking on a link in a “test” phishing email, you may scare them by pointing their mistake but you should also immediately provide a way to avoid this experience the next time by providing a few quick tips on what they did wrong and how they should do it the next time.

Here is a nice example of a video playing just a bit on the fear and providing advices in a non-threatening, aesthetic (it matters too) and very simple way (by http://www.nomagnolia.tv/).

So, you know (a bit more) what to do now!

Effective security management: 20 tips to change your audience’s behaviour

How do we implement security efficiently in an organization, small or big?

Although some security officers seems to still believe that having security policies and a plan to implement expensive controls like IPS, IAM or DLP (you’ll notice the common use of nice marketing buzzwords and acronyms to make you believe that you should know what an Intrusion Prevention System, an Identity and Access Management or a Data Leakage Prevention system are, like everyone else is supposed too, and maybe does. But does it mean it’s the solution to your problems?) are the solution, it is not! You can believe me on this, I was thinking the same way years ago, I saw it failing too often and now, I took another approach. And that’s probably one of the reasons why I still have a lot of work as a consultant.

So, what is the first thing we should care for?

When Kevin Mitnick, one of the most famous hackers, was still hacking PABX in order to have the possibility to do war dialling on all available modem in a region for free (yes, it was a long time ago), the weakest point for most computer security systems was already between the chair and the keyboard. Whatever you do, there is always a human involved somewhere and human are harder to control and less predictable than human (even if it might not always be the case). Bottom line, a good security starts with a good communication and training plan, like for any transformation journey, as it is the only good way to change users’ behaviour (depending where you live, you might also think about torture and brain washing but in as I live in Belgium and moreover due to my philosophical convictions, I exclude those from the equation)

Is it really necessary to have a communication and training plan?

The first Palo Alto axioms of communication states that we cannot not communicate (yes, I know, double negation are complicated). Let’s rephrase it: whatever you do or do not, you communicate. So, if you don’t communicate about your security, in fact you just communicate that it is not important or that you don’t care or that you don’t have the budget to communicate. It’s BAD! If you communicate poorly, you might in fact give the same message and even worse as you might give the false impression that security is useless or even boring. Really Bad too! And as you probably know, we just have one occasion to give a good first impression. So, don’t miss it. The basic reason for any communication is to change other’s behaviour. So, if you just want to write policies for yourself and don’t bother about the others behaviour, indeed, you can skip he communication plan.

What makes a communication efficient?

If a communication is intended to change other’s behaviour (or ideas), an efficient communication is the one that will change the highest number of person’s behaviour. How can we assess that efficiency? If you do security and risk management, you should know the PDCA cycle. So, you just use it, like scientists. When you do something you try to measure the effect of your action. Fortunately, there is already a lot of people having tried different paradigms and measure their efficiency. That’s what social psychologist and marketing researcher do. And on the specific risk communication issues, Amos Tversky and Daniel Kahneman, two economy Nobel prize winner psychologists, have developed the theory of perspective, highlighting the numerous biases affecting the human when taking decisions about a risk. Lucky for you, you won’t have to read and understand all those books and articles, I am about to give you a cheat sheet to prepare your next communication.

So, practically, how do you do it?

  1. First, you have to remember the 3 basic rules of education: repeat, repeat and repeat again.
  2. Then, you have to remember that if you repeat too often a signal, it tend to be ignored by your brain. When you put your socks on your feet, you start ignoring the sensation of the fabric on your skin after a few seconds. The same way, you don’t notice most of the object in your office that are there for so long. But, if you move it or change the color, interrupt the pattern, you will start noticing again. So, the basic education rule might become something like: repeat, explain and do it again differently.
  3. Keep it simple, stupid and sexy (KISSS): use terms and analogies that everybody can understand. Your target is not a group is security experts.
    Ex.: “Security is wearing belt and braces for your first date
  4. Give many concrete short examples: give examples that are relevant for your audience. Use their vocabulary, the process they already know, things they do for a living.
  5. Use examples allowing people to identify themselves to the story
    Ex.: « The new employee walk into the printer room and find a confidential document on the printer, as he remember the security training, he brings the document to the security officer»
  6. Ask questions and mostly questions creating a knowledge gap, meaning your audience won’t have the answer, or at least, not the right answer.
    Ex.: “How long will a 8 characters long password last again hackers attack?
  7. Use positives sentences (people have difficulties with negative form, they tend to forget the negation)
    Ex.: prefer « You will take care » to « You will not jeopardize »
  8. Use emotion and feelings to describe situations, it will make it more memorable (you can also add references to sensations, sounds, colors)
    Ex: “Alice is afraid of loosing her beloved grand-mother gold ring
  9. Explain to your audience as if they were your kids or grandparents
    Ex.: “You may see Risk as the cost resulting from an incident (like having a car crash) multiply by the probability of this incident occurringNB: I know, I Repeat myself, but what we call the knowledge curse, meaning believing the others understand what we are saying, is really killing most security communication
  10. Use precise numbers, it will be perceived as more credible
    Ex.: “You have 2.13 times more chance to die from self-inflicted injuries than from transport accident
  11. Naming your sources will also add credibility? (if they are credible).
    Ex.: « as stated in the Federal Statistic Death Cause report of 2009 »
  12. Link important concepts to images, Preferably known locations and persons. Use unusual associations (incongruence) to increase the remembrance.
    Ex.: “Ghandi walks into a computer shop and ask for a computer bringing serenity
  13. Spot the « victims » of the incident or the persons impacted by an incident. Give a face, a personality, to the victims.
    Ex.: « Alice, Bob’s secretary, is affraid of being fired after she disclosed confidential information »
  14. Provide multiple examples of the same risk. it will create an illusion that the risk is higher, helpful to trigger action & compliance
  15. Use yes sets (A set of affirmation that will be acknowledge by most people (Yes) preceding an affirmation we want them to acknowledge): As they acknowledge the first affirmations (priming), they are more likely to acknowledge the last affirmation.Once acknowledged, not complying with this affirmation will likely trigger a cognitive dissonance (inconsistency) in their mind, increasing the probability of compliance.
    Ex.: “As many, you like to keep your secret secret. You understand the risk of disclosing such information. So, You will probably keep this information secret.
  16. Use double “No” or paradoxical sentences:
    Ex.: « You don’t want us to take such a risk, don’t you? », « As you care about our security, you will classify the document adequately. No? » or « You may give your password to your colleague and be responsible of all his mistakes. No? »
  17. Make it look like normal: Make your expectations appear like something normal, that we should do as part of our normal behaviour
    Ex.: “As most of your colleagues, you take care of your customer’s information…”
  18. Provide a meaning to your expectations (appeal to our inner trends to make things right)
    Ex.: “Keeping our customers’ transaction confidential prevent insider trading…”
  19. In the military, it is known that no plan survives the contact with the enemy. To circonvene this, always think to provide the CI (Commander’s Intent) that will allow people to take judgmental decision.
    Ex.: “The main goal is to ensure our CRM applications remains available between 7 to 20
  20. If you make a presentation, speak slowly, pause for a second after important information, it will be perceived as more charismatic

Ok, I stop here. There is of course more to say but you have already more than enough to make your communication at least 3 time more efficient. Combining all these advices, you may change the odds of behavioural change from 21% to 78%! Can you do better?

Who don’t need arbejdsglaede?

Arbejdsglaede is the nordic word for Happiness at work. The video below is a nice animation from Alexander Kjerulf on arbejdsglaede (= Happiness at work). It is fun and accurate.

[youtube=http://www.youtube.com/watch?feature=player_embedded&v=6uxu-wiYsYU]

You can also visit the related website with videos of happy people at work! http://whattheheckisarbejdsglaede.com/

As cherry on the cake, a video that shamm make you smile, as it is all that this prince of positivism is aiming at:
Honk if you love someone
[youtube=http://www.youtube.com/watch?feature=player_embedded&v=1EwYLZmkUxo]