Using Behavioral Science To Secure Your Organization
Masha Sedova, Co-founder, Elevate Security
Masha@ElevateSecurity.com
About Me
Built and ran the Salesforce trust engagement team.
Passionate about transforming security behaviors from “have to” to “want to”.
Co-founder, building a security behavior change platform.
Computer security meets behavioral science.
Opinion A: Users Are Dumb
...and will always make mistakes.
4
Opinion B: It’s Us, Not Them
“People are the weakest link in
security is a comfortable excuse
to lean on when it should be a
rallying cry to change the status
quo.”
Jessie Irwin, security researcher
Training Alone Doesn’t Work
Historically, the industry solution has been to insist on terrible “check the box” trainings as an employee’s only defense.
15% retention
95% of breaches are caused by human factors.
Knowing Isn’t Enough
Behavioral Science + Security = how humans make (security) decisions and how security folks can help.
What are your key behaviors?
What Does Security Awareness Mean To Your Organization?
▪ Make fewer security mistakes
▪ Embed security into everything they do
▪ Have more security common sense
▪ Be more vigilant
Set Behavior Goals, Not Mindset Goals
▪ Reduction of bugs in our code base by 30% over the next quarter.
▪ 90% of new processes created by the finance team have a security control in place.
▪ Phishing click-through rates drop by 50%.
▪ Reporting rate increases by 300% in 6 months.
Behavior Change Components
▪ Motivation
▪ Ability
▪ Triggers
Behavior Change Model, by Dr. BJ Fogg (figure)
Ability
Behavior Change Model, by Dr. BJ Fogg (figure)
Security Action Can Be Simplified
Having secure passwords for all sites
  Hard: Remember 20 unique characters across 40+ sites
  Easy: Install a password manager
Reporting suspicious activity
  Hard: Look up the correct email and reporting guidelines, then send
  Easy: Install a “Report” button
Stop tailgating
  Hard: Social accountability
  Easy: Install a man-trap or in/out badging
Education
Theory: Improves understanding of a concept and therefore increases the ability to perform that behavior.
Practice: Not all education is created equal.
“In theory there is no difference between theory and practice. In practice there is.”
- Yogi Berra
Education Pitfalls
Demand more of your trainings!
1. Does it have the intended goal?
2. Is it relevant and needed?
3. Is it timely?
Motivation
What about things that are hard to do? (Behavior Change Model, by Dr. BJ Fogg; figure)
When Does Motivation Occur?
Hard things require high motivation.
Naturally Occurring Motivation
(Two charts of motivation over time, each spiking at an event.)
Predictable events
▪ Audits
▪ Red Team exercises
Unpredictable events
▪ Breaches
▪ Incidents
▪ News events
“Good leaders seize crises to remake organizational habits.”
Charles Duhigg, The Power of Habit
What Motivates Us?
“People will do things because they matter, they are interesting, part of something more important.”
Daniel Pink, Drive
▪ Pride
▪ Interest
▪ Achievement
▪ Curiosity
▪ Praise
▪ Punishment
▪ Money
Positive vs Negative Motivation
5:1 positive to negative exchanges
How to Create Positive Motivation
Status: leaderboards; top performer award
Competition: Capture the Flag; bug bounties
Altruism: feedback on impact; champion programs
Access: awarded points; access to exclusive swag
Achievement: recognition emails; company-wide shoutouts
Market Norms: assigning a monetary value to an exchange.
Social Norms: the actions among friends that are not based on money.
Dan Ariely, PhD, Predictably Irrational
Triggers
Communications (aka Triggers)
36.5 million adults in the United States currently smoke cigarettes.
Security Triggers
Putting It All Together
Lessons Learned in Changing Tailgating Behavior
Goal: To ensure that people wore their badges visibly at all times while in secured spaces and did not allow an unbadged person to tailgate behind them.
Assumption: People didn’t know that this was policy.
Bring “awareness” to them via digital posters.
● Passive education
● Very limited results
Lessons Learned in Changing Tailgating Behavior
Root cause analysis of the behavior. This is what we learned:
○ “I don’t feel comfortable confronting my peers.” (Ability + Motivation)
○ “Tailgating isn’t really a big problem, right?” (Motivation)
○ “I broke my badge pull reel and don’t have a replacement, so I keep my badge in my wallet.” (Ability)
Creating a Phishing & Reporting Behavior Change Campaign
Goal #1: Reduce the percentage of malicious links clicked in a phishing email campaign to 12% or less, as an average across all difficulty types of phishing email.
Goal #2: At least 20% of recipients of an attack report it to security, regardless of the difficulty of the attack.
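Behavior goals like the two above (and the "drop by 50%" / "increase by 300%" targets on the Set Behavior Goals slide) are only useful if the numbers are computed the same way every round. The Python below is an added example, not part of the deck: it scores one phishing-simulation round against both goals and computes the relative change a baseline target is measured against. The sample results are constructed; the tier names, the rule that a click followed by a report still counts as a report, and the reading of "average across all difficulty types" as the mean of per-tier click rates (rather than the pooled rate) are assumptions made for this example.

```python
"""Phishing-simulation scorecard for behavior goals.

Added example, not from the deck. Scores one simulation round against:
  goal 1: click rate <= 12%, averaged across difficulty tiers
  goal 2: report rate >= 20% in every tier ("regardless of difficulty")
and computes the relative change that a "drop by 50%" / "increase by 300%"
target is measured against. Tier names, the sample data, and the reading
of "average across difficulty types" as the mean of per-tier rates are
assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Result:
    user: str
    difficulty: str  # assumed tiers: "easy", "medium", "hard"
    clicked: bool    # followed the simulated malicious link
    reported: bool   # reported the email to security (before or after clicking)


# Constructed sample round: 18 recipients across three tiers.
SAMPLE = [
    # easy tier: 10 recipients, nobody clicked, 4 reported
    *[Result(f"e{i}", "easy", False, i < 4) for i in range(10)],
    # medium tier: 4 recipients, one clicked and then reported (still a report)
    Result("m0", "medium", True, True),
    Result("m1", "medium", False, False),
    Result("m2", "medium", False, False),
    Result("m3", "medium", False, False),
    # hard tier: 4 recipients, one clicked, nobody reported
    Result("h0", "hard", True, False),
    Result("h1", "hard", False, False),
    Result("h2", "hard", False, False),
    Result("h3", "hard", False, False),
]


def tier_rates(results):
    """Per-tier (click_rate, report_rate), each a fraction of that tier's recipients."""
    if not results:
        raise ValueError("no simulation results")
    buckets = defaultdict(list)
    for r in results:
        buckets[r.difficulty].append(r)
    return {
        tier: (sum(r.clicked for r in rs) / len(rs),
               sum(r.reported for r in rs) / len(rs))
        for tier, rs in buckets.items()
    }


def scorecard(results, max_click=0.12, min_report=0.20):
    """Evaluate both campaign goals for one round.

    Goal 1 uses the mean of per-tier click rates, so a large easy tier cannot
    mask clicks in the hard tier; the pooled rate is returned for comparison.
    Goal 2 is judged on the worst tier, since it must hold regardless of difficulty.
    """
    rates = tier_rates(results)
    pooled_click = sum(r.clicked for r in results) / len(results)
    avg_click = mean(click for click, _ in rates.values())
    worst_report = min(report for _, report in rates.values())
    return {
        "per_tier": rates,
        "pooled_click_rate": pooled_click,
        "avg_click_rate": avg_click,
        "worst_tier_report_rate": worst_report,
        "goal1_click": avg_click <= max_click,
        "goal2_report": worst_report >= min_report,
    }


def relative_change(baseline, current):
    """Fractional change from a baseline: -0.5 is a 50% drop, 3.0 is a 300% increase."""
    if baseline == 0:
        raise ValueError("baseline rate is zero; relative change is undefined")
    return (current - baseline) / baseline


if __name__ == "__main__":
    card = scorecard(SAMPLE)
    for tier, (click, report) in card["per_tier"].items():
        print(f"{tier:>6}: click {click:.0%}  report {report:.0%}")
    print(f"pooled click {card['pooled_click_rate']:.1%}, "
          f"tier-averaged {card['avg_click_rate']:.1%}")
    print("goal 1 met:", card["goal1_click"], " goal 2 met:", card["goal2_report"])
    # quarter-over-quarter: report rate 5% -> 20% is a 300% increase
    print("report-rate change:", f"{relative_change(0.05, 0.20):+.0%}")
```

On the constructed sample the pooled click rate is 11.1%, which would pass goal 1, while the tier-averaged rate is 16.7%, which fails it: the ten easy-tier recipients who did not click hide the one-in-four click rate on the medium and hard emails. Goal 2 fails on the hard tier alone (0% reported), which is exactly the case the "regardless of difficulty" wording is meant to catch. Whichever definition you adopt, write it down with the goal so the number cannot be quietly recomputed a friendlier way next quarter.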
Phishing Campaign Model
● Case studies of phishing-related breaches
● Leaderboard of top reporters
● Thank-you emails to the employee and their manager
● Kudos for breach prevention on the company call
● Reporter button
● Safe sender
● Detection skills
● Phishing practice
Takeaways
■ Motivation is required when something is hard to do.
■ First, make it easy with technology; second, rely on motivation.
■ Leverage naturally occurring events for motivation.
■ Connect intrinsic motivations to security motivation.
■ Negative feedback should be balanced with positive motivation.
■ Use triggers in the moment they are needed.
Comments? Questions?
Let’s stay in touch!
@modMasha
Masha@elevatesecurity.com

More Related Content

What's hot

Change, transformation and improvement: where's it going and what's love got ...
Change, transformation and improvement: where's it going and what's love got ...Change, transformation and improvement: where's it going and what's love got ...
Change, transformation and improvement: where's it going and what's love got ...Helen Bevan
 
#1NLab15: Being the Dave Matthews Band, Not Dave Matthews
#1NLab15: Being the Dave Matthews Band, Not Dave Matthews#1NLab15: Being the Dave Matthews Band, Not Dave Matthews
#1NLab15: Being the Dave Matthews Band, Not Dave MatthewsOne North
 
Leadership In The 21st Century2
Leadership In The 21st Century2Leadership In The 21st Century2
Leadership In The 21st Century2Margarita Quihuis
 
How to incorporate psychology into your comms strategy | Psychology of commu...
How to incorporate psychology into your comms strategy  | Psychology of commu...How to incorporate psychology into your comms strategy  | Psychology of commu...
How to incorporate psychology into your comms strategy | Psychology of commu...CharityComms
 
Breaking down hierarchical barriers
Breaking down hierarchical barriersBreaking down hierarchical barriers
Breaking down hierarchical barriersHelen Bevan
 
HIMSS Workshop - Emotional Intelligence, The Key to Leadership, Success and C...
HIMSS Workshop - Emotional Intelligence, The Key to Leadership, Success and C...HIMSS Workshop - Emotional Intelligence, The Key to Leadership, Success and C...
HIMSS Workshop - Emotional Intelligence, The Key to Leadership, Success and C...HIMSS
 
Patient advisors as change agents
Patient advisors as change agentsPatient advisors as change agents
Patient advisors as change agentsMarlies van Dijk
 
World at Work Total Rewards 2017 presentation - lantern group - behavioral sc...
World at Work Total Rewards 2017 presentation - lantern group - behavioral sc...World at Work Total Rewards 2017 presentation - lantern group - behavioral sc...
World at Work Total Rewards 2017 presentation - lantern group - behavioral sc...Kurt Nelson, PhD
 
New Lens on Change in Healthcare
New Lens on Change in HealthcareNew Lens on Change in Healthcare
New Lens on Change in HealthcareMarlies van Dijk
 
Graeme Cowan's Speakers Kit - Personal and Team Resilience
Graeme Cowan's Speakers Kit - Personal and Team ResilienceGraeme Cowan's Speakers Kit - Personal and Team Resilience
Graeme Cowan's Speakers Kit - Personal and Team ResilienceGraeme Cowan Enterprises
 
“Where social movements meets co-design”
“Where social movements meets co-design”“Where social movements meets co-design”
“Where social movements meets co-design”NHS Horizons
 
Summitup - Powerful beyond imagination
Summitup - Powerful beyond imaginationSummitup - Powerful beyond imagination
Summitup - Powerful beyond imaginationDavid Bowman
 
AQuA Leading Transformational Change programme: masterclass with Helen Bevan
AQuA Leading Transformational Change programme: masterclass with Helen BevanAQuA Leading Transformational Change programme: masterclass with Helen Bevan
AQuA Leading Transformational Change programme: masterclass with Helen BevanNHS Improving Quality
 
The 21st Century Movement - Charlie Kim and Meghan Messenger
The 21st Century Movement - Charlie Kim and Meghan MessengerThe 21st Century Movement - Charlie Kim and Meghan Messenger
The 21st Century Movement - Charlie Kim and Meghan MessengerNext Jump
 
Creating psychological safety in the workplace a. edmondson
Creating psychological safety in the workplace a. edmondsonCreating psychological safety in the workplace a. edmondson
Creating psychological safety in the workplace a. edmondsonDidoy Fullon
 
How to be a brilliant change agent
How to be a brilliant change agent How to be a brilliant change agent
How to be a brilliant change agent Helen Bevan
 

What's hot (19)

Change, transformation and improvement: where's it going and what's love got ...
Change, transformation and improvement: where's it going and what's love got ...Change, transformation and improvement: where's it going and what's love got ...
Change, transformation and improvement: where's it going and what's love got ...
 
#1NLab15: Being the Dave Matthews Band, Not Dave Matthews
#1NLab15: Being the Dave Matthews Band, Not Dave Matthews#1NLab15: Being the Dave Matthews Band, Not Dave Matthews
#1NLab15: Being the Dave Matthews Band, Not Dave Matthews
 
Leadership In The 21st Century2
Leadership In The 21st Century2Leadership In The 21st Century2
Leadership In The 21st Century2
 
How to incorporate psychology into your comms strategy | Psychology of commu...
How to incorporate psychology into your comms strategy  | Psychology of commu...How to incorporate psychology into your comms strategy  | Psychology of commu...
How to incorporate psychology into your comms strategy | Psychology of commu...
 
Skills & Mindsets for the future
Skills & Mindsets for the futureSkills & Mindsets for the future
Skills & Mindsets for the future
 
Breaking down hierarchical barriers
Breaking down hierarchical barriersBreaking down hierarchical barriers
Breaking down hierarchical barriers
 
HIMSS Workshop - Emotional Intelligence, The Key to Leadership, Success and C...
HIMSS Workshop - Emotional Intelligence, The Key to Leadership, Success and C...HIMSS Workshop - Emotional Intelligence, The Key to Leadership, Success and C...
HIMSS Workshop - Emotional Intelligence, The Key to Leadership, Success and C...
 
Patient advisors as change agents
Patient advisors as change agentsPatient advisors as change agents
Patient advisors as change agents
 
World at Work Total Rewards 2017 presentation - lantern group - behavioral sc...
World at Work Total Rewards 2017 presentation - lantern group - behavioral sc...World at Work Total Rewards 2017 presentation - lantern group - behavioral sc...
World at Work Total Rewards 2017 presentation - lantern group - behavioral sc...
 
New Lens on Change in Healthcare
New Lens on Change in HealthcareNew Lens on Change in Healthcare
New Lens on Change in Healthcare
 
Graeme Cowan's Speakers Kit - Personal and Team Resilience
Graeme Cowan's Speakers Kit - Personal and Team ResilienceGraeme Cowan's Speakers Kit - Personal and Team Resilience
Graeme Cowan's Speakers Kit - Personal and Team Resilience
 
Leaders as change agents
Leaders as change agentsLeaders as change agents
Leaders as change agents
 
“Where social movements meets co-design”
“Where social movements meets co-design”“Where social movements meets co-design”
“Where social movements meets co-design”
 
Summitup - Powerful beyond imagination
Summitup - Powerful beyond imaginationSummitup - Powerful beyond imagination
Summitup - Powerful beyond imagination
 
AQuA Leading Transformational Change programme: masterclass with Helen Bevan
AQuA Leading Transformational Change programme: masterclass with Helen BevanAQuA Leading Transformational Change programme: masterclass with Helen Bevan
AQuA Leading Transformational Change programme: masterclass with Helen Bevan
 
8 capabilities for the future
8 capabilities for the future8 capabilities for the future
8 capabilities for the future
 
The 21st Century Movement - Charlie Kim and Meghan Messenger
The 21st Century Movement - Charlie Kim and Meghan MessengerThe 21st Century Movement - Charlie Kim and Meghan Messenger
The 21st Century Movement - Charlie Kim and Meghan Messenger
 
Creating psychological safety in the workplace a. edmondson
Creating psychological safety in the workplace a. edmondsonCreating psychological safety in the workplace a. edmondson
Creating psychological safety in the workplace a. edmondson
 
How to be a brilliant change agent
How to be a brilliant change agent How to be a brilliant change agent
How to be a brilliant change agent
 

Similar to Using Behavioral Science to Secure Your Organization

Practical Advantages of a Security Educated Workforce
Practical Advantages of a Security Educated WorkforcePractical Advantages of a Security Educated Workforce
Practical Advantages of a Security Educated WorkforceKeyaan Williams
 
Social Media Policies, Procedures
 and Governance part 1: Employees
Social Media Policies, Procedures
 and Governance part 1: EmployeesSocial Media Policies, Procedures
 and Governance part 1: Employees
Social Media Policies, Procedures
 and Governance part 1: EmployeesNikComm Inc.
 
Training for Results Webinar 2016
Training for Results Webinar 2016Training for Results Webinar 2016
Training for Results Webinar 2016KineoPacific
 
Security social selling e book2
Security social selling e book2Security social selling e book2
Security social selling e book2NeuronLeaders
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 
Making Performance Work (BetaCodex10)
Making Performance Work (BetaCodex10)Making Performance Work (BetaCodex10)
Making Performance Work (BetaCodex10)Niels Pflaeging
 
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...Case IQ
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...EC-Council
 
10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security ManagersJack Nichelson
 
Finding and Supporting Your Open Leaders
Finding and Supporting Your Open LeadersFinding and Supporting Your Open Leaders
Finding and Supporting Your Open LeadersCharlene Li
 
Moving from Developmental to Directional: Coaching Senior Executives for Last...
Moving from Developmental to Directional: Coaching Senior Executives for Last...Moving from Developmental to Directional: Coaching Senior Executives for Last...
Moving from Developmental to Directional: Coaching Senior Executives for Last...MRG (Management Research Group)
 
2010dayton SS.pdf
2010dayton SS.pdf2010dayton SS.pdf
2010dayton SS.pdfDjula1
 
Motivation : it Matters
Motivation : it MattersMotivation : it Matters
Motivation : it MattersManish Pandit
 
Business Agility and Organisational Learning
Business Agility and Organisational LearningBusiness Agility and Organisational Learning
Business Agility and Organisational LearningShoaib Shaukat
 
How to Not Destroy the World - the Ethics of Web Design
How to Not Destroy the World - the Ethics of Web DesignHow to Not Destroy the World - the Ethics of Web Design
How to Not Destroy the World - the Ethics of Web DesignMorten Rand-Hendriksen
 
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...Salesforce Engineering
 
ISACA talk - cybersecurity and security culture
ISACA talk - cybersecurity and security cultureISACA talk - cybersecurity and security culture
ISACA talk - cybersecurity and security cultureCraig McGill
 
RDV carrière : From Project Manager to Organisational Transformation Leader: ...
RDV carrière : From Project Manager to Organisational Transformation Leader: ...RDV carrière : From Project Manager to Organisational Transformation Leader: ...
RDV carrière : From Project Manager to Organisational Transformation Leader: ...PMI-Montréal
 
Digital culture change workshop
Digital culture change workshopDigital culture change workshop
Digital culture change workshopBrilliant Noise
 

Similar to Using Behavioral Science to Secure Your Organization (20)

Practical Advantages of a Security Educated Workforce
Practical Advantages of a Security Educated WorkforcePractical Advantages of a Security Educated Workforce
Practical Advantages of a Security Educated Workforce
 
Social Media Policies, Procedures
 and Governance part 1: Employees
Social Media Policies, Procedures
 and Governance part 1: EmployeesSocial Media Policies, Procedures
 and Governance part 1: Employees
Social Media Policies, Procedures
 and Governance part 1: Employees
 
Training for Results Webinar 2016
Training for Results Webinar 2016Training for Results Webinar 2016
Training for Results Webinar 2016
 
Security social selling e book2
Security social selling e book2Security social selling e book2
Security social selling e book2
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
 
Making Performance Work (BetaCodex10)
Making Performance Work (BetaCodex10)Making Performance Work (BetaCodex10)
Making Performance Work (BetaCodex10)
 
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
 
10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers
 
Finding and Supporting Your Open Leaders
Finding and Supporting Your Open LeadersFinding and Supporting Your Open Leaders
Finding and Supporting Your Open Leaders
 
Moving from Developmental to Directional: Coaching Senior Executives for Last...
Moving from Developmental to Directional: Coaching Senior Executives for Last...Moving from Developmental to Directional: Coaching Senior Executives for Last...
Moving from Developmental to Directional: Coaching Senior Executives for Last...
 
2010dayton SS.pdf
2010dayton SS.pdf2010dayton SS.pdf
2010dayton SS.pdf
 
Motivation : it Matters
Motivation : it MattersMotivation : it Matters
Motivation : it Matters
 
Business Agility and Organisational Learning
Business Agility and Organisational LearningBusiness Agility and Organisational Learning
Business Agility and Organisational Learning
 
How to Not Destroy the World - the Ethics of Web Design
How to Not Destroy the World - the Ethics of Web DesignHow to Not Destroy the World - the Ethics of Web Design
How to Not Destroy the World - the Ethics of Web Design
 
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
Carrots not sticks- Using Gamification to Transform Security Mindset of an Or...
 
Leadership
LeadershipLeadership
Leadership
 
ISACA talk - cybersecurity and security culture
ISACA talk - cybersecurity and security cultureISACA talk - cybersecurity and security culture
ISACA talk - cybersecurity and security culture
 
RDV carrière : From Project Manager to Organisational Transformation Leader: ...
RDV carrière : From Project Manager to Organisational Transformation Leader: ...RDV carrière : From Project Manager to Organisational Transformation Leader: ...
RDV carrière : From Project Manager to Organisational Transformation Leader: ...
 
Digital culture change workshop
Digital culture change workshopDigital culture change workshop
Digital culture change workshop
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors

Using Behavioral Science to Secure Your Organization

  • 1. Using Behavioral Science To Secure Your Organization. Masha Sedova, Masha@ElevateSecurity.com, Co-founder, Elevate Security
  • 2. About Me: Built and ran Salesforce trust engagement team. Passionate about transforming security behaviors from “have to” to “want to”. Co-Founder, building security behavior change platform. Computer security meets behavioral science.
  • 3. Opinion A: Users Are Dumb ...and will always make mistakes
  • 4. Opinion B: It’s Us, Not Them. “People are the weakest link in security is a comfortable excuse to lean on when it should be a rallying cry to change the status quo.” Jessie Irwin, security researcher
  • 5. Training Alone Doesn’t Work. Historically, the industry solution has been to insist on terrible “check the box” trainings as an employee’s only defense. 15% retention. 95% of breaches are caused by human factors.
  • 7. (no text on slide)
  • 8. Behavioral Science + Security = How humans make (security) decisions and how security folks can help.
  • 9. What are your key behaviors?
  • 10. What Does Security Awareness Mean To Your Organization? Make fewer security mistakes. Embed security into everything they do. Have more security common sense. Be more vigilant.
  • 11. Set Behavior Goals, Not Mindset Goals. Reduction of bugs in our code base by 30% over the next quarter. 90% of new processes created by the finance team have a security control in place. Phishing click-through rates drop by 50%. Reporting rate increases by 300% in 6 months.
  • 16. Security Action Can Be Simplified. Having secure passwords for all sites: HARD = remember 20 unique characters across 40+ sites; EASY = install a password manager. Reporting suspicious activity: HARD = look up correct email, reporting guidelines & send; EASY = install a “Report” button. Stop tailgating: HARD = social accountability; EASY = install a man-trap or in/out badging.
  • 17. Education. Theory: improves understanding of a concept and therefore increases the ability to perform that behavior. Practice: not all education is created equal. “In theory there is no difference between theory and practice. In practice there is.” Yogi Berra
  • 18. Education Pitfalls. Demand more of your trainings! 1. Does it have the intended goal? 2. Relevant and needed? 3. Timely?
  • 20. What about things that are hard to do? (Behavior model by Dr. BJ Fogg)
  • 21. When Does Motivation Occur? Hard things require high motivation.
  • 22. Naturally Occurring Motivation (motivation plotted over time, peaking at an event). Predictable events: audits, red team exercises. Unpredictable events: breaches, incidents, news events.
  • 23. “Good leaders seize crises to remake organizational habits.” Charles Duhigg, The Power of Habit
  • 24. What Motivates Us? “People will do things because they matter, they are interesting, part of something more important.” Daniel Pink, Drive. Pride, interest, achievement, curiosity, praise, punishment, money.
  • 26. How to Create Positive Motivation: Competition, Altruism, Access, Achievement, Status
  • 27. How to Create Positive Motivation: Status. Leaderboards; top performer award.
  • 28. How to Create Positive Motivation: Competition. Capture the Flag; bug bounties.
  • 29. How to Create Positive Motivation: Altruism. Feedback on impact; champion programs.
  • 30. How to Create Positive Motivation: Access. Awarded points; access to exclusive swag.
  • 31. How to Create Positive Motivation: Achievement. Recognition emails; company-wide shoutouts.
  • 32. (no text on slide)
  • 33. Market Norms: assigning a monetary value to an exchange. Social Norms: the actions among friends that are not based on money. Dan Ariely, PhD, Predictably Irrational
  • 35. Communications (aka Triggers). 36.5 million adults in the United States currently smoke cigarettes.
  • 38. Lessons Learned in Changing Tailgating Behavior. Goal: to ensure that people wore their badges visibly at all times while in secured spaces and did not allow an unbadged person to tailgate behind them. Assumption: people didn’t know that this was policy. Bring “awareness” to them via digital posters: ● passive education ● very limited results
  • 39. Lessons Learned in Changing Tailgating Behavior. Root cause analysis of the behavior. This is what we learned: ○ “I don’t feel comfortable confronting my peers.” (Ability + Motivation) ○ “Tailgating isn’t really a big problem, right?” (Motivation) ○ “I broke my badge pull reel and don’t have a replacement, so I keep my badge in my wallet.” (Ability)
  • 40. Creating a Phishing & Reporting Behavior Change Campaign. Goal #1: reduce the percentage of malicious links that are clicked in a phishing email campaign to 12% or less, as an average across all difficulty types of phishing email. Goal #2: at least 20% of recipients of an attack report it to security, regardless of the difficulty of the attack.
  • 41. Phishing Campaign Model. ● Case studies of phishing-related breaches ● Leaderboard of top reporters ● Thank-you emails to employee + managers ● Kudos for breach prevention on company call ● Reporter button ● Safe sender ● Detection skills ● Phishing practice
  • 42. Takeaways ■ Motivation is required when something is hard to do. ■ First, make it easy with technology. Second, rely on motivation. ■ Leverage naturally occurring events for motivation. ■ Connect intrinsic motivations to security motivation. ■ Negative feedback should be balanced with positive motivation. ■ Use triggers in the moment they are needed.
  • 43. Comments? Questions? Let’s stay in touch! @modMasha Masha@elevatesecurity.com
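Slides 40 and 41 set two measurable goals for a phishing campaign and a leaderboard of top reporters. The following Python script is an added example, not code from the deck or from Elevate Security, that scores a constructed set of simulation outcomes against those goals; the record layout, the difficulty labels and the recipient names are assumptions. It also shows why the wording of goal #1 matters: the "average across all difficulty types" is a per-difficulty mean, which can fail while the naive click rate over all emails passes, because easy emails usually dominate the total.

```python
"""Score a phishing-simulation campaign against the two behavior goals
from the deck (slide 40) and build the reporter leaderboard (slide 41).

Added example; the record layout, difficulty labels and names are
assumptions, not the speaker's data or tooling.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One simulated phishing email delivered to one recipient."""
    recipient: str
    difficulty: str   # assumed labels: "easy", "medium", "hard"
    clicked: bool     # recipient followed the malicious link
    reported: bool    # recipient reported the email to security


# Constructed sample results: 16 emails, 10 easy / 4 medium / 2 hard.
SAMPLE = [
    Outcome("alice", "easy", False, True),
    Outcome("alice", "hard", False, True),
    Outcome("bob", "easy", False, True),
    Outcome("bob", "medium", False, False),
    Outcome("carol", "easy", False, False),
    Outcome("carol", "hard", True, False),
    Outcome("dave", "easy", False, False),
    Outcome("dave", "medium", False, False),
    Outcome("erin", "easy", False, True),
    Outcome("erin", "medium", False, False),
    Outcome("frank", "easy", False, False),
    Outcome("frank", "medium", False, False),
    Outcome("grace", "easy", False, False),
    Outcome("grace", "easy", False, False),
    Outcome("heidi", "easy", False, True),
    Outcome("heidi", "easy", False, False),
]


def click_rate_by_difficulty(outcomes):
    """Fraction of emails clicked, keyed by difficulty label."""
    sent = Counter(o.difficulty for o in outcomes)
    clicked = Counter(o.difficulty for o in outcomes if o.clicked)
    return {d: clicked[d] / n for d, n in sent.items()}


def macro_click_rate(outcomes):
    """Goal #1 metric: the mean of the per-difficulty click rates, so every
    difficulty type counts equally regardless of how many emails it had."""
    rates = click_rate_by_difficulty(outcomes)
    return sum(rates.values()) / len(rates) if rates else 0.0


def overall_click_rate(outcomes):
    """Naive rate over all emails; the most-sent (usually easy) type
    dominates it, which is why goal #1 is not defined this way."""
    return sum(o.clicked for o in outcomes) / len(outcomes) if outcomes else 0.0


def report_rate(outcomes):
    """Goal #2 metric: share of delivered attacks that were reported,
    all difficulties pooled."""
    return sum(o.reported for o in outcomes) / len(outcomes) if outcomes else 0.0


def leaderboard(outcomes, top=3):
    """Top reporters (slide 41): (recipient, reports) pairs, most reports first."""
    return Counter(o.recipient for o in outcomes if o.reported).most_common(top)


def evaluate(outcomes, click_goal=0.12, report_goal=0.20):
    """Compare a campaign with the deck's thresholds: 12% clicks, 20% reports."""
    return {
        "macro_click_rate": macro_click_rate(outcomes),
        "overall_click_rate": overall_click_rate(outcomes),
        "report_rate": report_rate(outcomes),
        "goal1_met": macro_click_rate(outcomes) <= click_goal,
        "goal2_met": report_rate(outcomes) >= report_goal,
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE).items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
    print("leaderboard:", leaderboard(SAMPLE))
```

On the constructed sample the overall click rate is 1/16 (6.25%), comfortably under 12%, but the per-difficulty average is (0 + 0 + 0.5)/3, about 16.7%, so goal #1 is missed while goal #2 is met at 31.25%; the single clicked hard email is what the macro average is designed to surface.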