My slides from UISGCON14 talk. Original video in Ukrainian: https://www.youtube.com/watch?v=7Mvhf_eAQks

1. Social-Engineer
Your Security Budget
Vlad Styran

2. Good afternoon. I’m Vlad

6. Plan
1. Rationale
2. Economics
3. Social
Engineering
4. Influence

7. Part 1
Rationale for security budget

8. Ra#onale for security budget
Expectations
Corporate governance
Risk management
Market and government
regulations

9. Rationale for security budget
Reality
Audit reports
Security incidents
Vendor pitches
”CEO have read a book” ©

10. IT (security) budge1ng process
Expectations
1. Conduct a risk assessment
2. Quantify expected losses
3. Agree on risk appetite
4. Plan the controls
5. Implement the controls
6. Maintain the controls
7. Measure the controls

11. IT (security) budgeting process
Reality
1. Plan the budget
2. Present the budget
3. Divide the budget in half
4. Defend the budget
5. Divide the budget in half
6. Get the budget approval
7. Try not to cry in public

12. Why IT budgets are cut?

13. But if it only worked…
Expecta(ons
Corporate governance
Risk management
Market and government
regulations
Reality
IndustrialControlSystemsHealthcheck

14. Part 2
Cyber security economics

15. Cyber security economics
Market challenges:
Information asymmetry*
Invisibility of prevented loss
Lack of incidents disclosure
Poor regulation
_
* George Akerlof - The Market for Lemons

16. Why corporate security (normally) sucks
“Best prac+ce” driven
determinis+c approach
The promised land of
“Management commitment”
Obsession with formal authority

17. “Best practice” vs Real security
“Best prac+ce” security:
Determinis+c & control-centric
“When in doubt, look into the
standard” ©
Security against liability
Compliance ❤"#$
Delft University of Technology – Cyber Security Economics 101

18. “Best practice” vs Real security
The Real security:
Direct business impact
Security for business
Indirect business impact
Security for customers
Support of business strategy
Security against customers
Delft University of Technology – Cyber Security Economics 101

19. Management commitment
Expecta(on
ISO-IEC 27001 – 5.1 Management
commitment
Management shall provide evidence of its
commitment to the establishment,
implementation, operation, monitoring,
review, maintenance and improvement of
the ISMS by:
…
d) communicating to the organization the
importance of …;
e) providing sufficient resources to …;
…

20. Management commitment
Expectation
ISO-IEC 27001 – 5.1 Management
commitment
Management shall provide evidence of its
commitment to the establishment,
implementation, operation, monitoring,
review, maintenance and improvement of
the ISMS by:
…
d) communicating to the organization the
importance of …;
e) providing sufficient resources to …;
…
Reality

21. Obsession with authority
Expectation
CISO reports to CEO or directly
to the Board of Directors
ImagecourtesyofUSANetwork

22. Obsession with authority
Reality
“CISO” reports to the highest-
ranking executive who knows
what is the difference between a
firewall and an antivirus
ImagecourtesyofSca?Adamsh?p://dilbert.com

23. Cyber security business
Paper tigers
Blinking boxes
Feynman threat
Do it yourself attitude
Evolution of “fair price”

24. Part 3
Social engineering

25. Social Engineering
vs Human Hacking, Neurohacking and other bullsh1t

26. How it works

27. How it works

28. How it works

29. Plan A: let’s save 200 people!
• All 600 will survive with P=33%
• None will survive with P=66%
Plan B: 400 people will die…
• No one will die with P=33%
• Everyone will die with P=66%
Scenario: a virus outbreak is expected to kill 600 people. We have two
treatment plans to choose from.
Tversky, Amos; Kahneman, Daniel (1981). "The Framing of decisions and the psychology of choice". Science 211 (4481): 453–458.
How it works
78% 22%

30. Part 4
Influence strategy, tactics and ops

31. Influence strategy
Formal power
Expert power
Social power

32. Formal power

33. Expert power
An expert is a man who has made all the mistakes which can be made,
in a narrow field.
--Niels Bohr

34. Expert power
An expert is a human who has made all the mistakes which can be
made, in a narrow field.
--Niels Bohr

35. Expert power
Open Design
Least Privilege
Fail-Safe Defaults
Defense in Depth
Complete Mediation
Separation of Privilege
Economy of Mechanism
Secure Weakest Link First
Psychological Acceptability
Least Common Mechanism
Ross Anderson – Security Engineering

36. Social power
University of Michigan – Influencing People

37. Social power
University of Michigan – Influencing People

38. Social power
Cultivating Compassionate Tech Communities - April Wensel - AnxietyTech 2018

39. Influence tactics
Behavioral economics
Social psychology
Neuroscience
Robert Cialdini – Influence

40. Influence ops
Oren Klaff – Pitch Anything

41. Step 1: Introduction of self
Define yourself via your background and brief history
Name top-3 or top-2 cool things you did professionally
State the purpose of your pitch

42. Step 2: The “Why now?” frame
Recent changes by economic, social, and technological forces: factual
and external to the company
Backstory of the idea: important changes in the business, forecast of
trends, impact on cost and demand, and the opening window of
opportunity

43. Step 3: Idea introduc1on pa2ern
“For [the beneficiary],
Who are dissatisfied with [the current situation],
My proposed idea/product/project is a [new thing],
That provides [key problem-solving solution],
Unlike [the alternative(s)].
My idea/product/project/solution is: [describe key features]”

44. Good evening. I’m Vlad

45. I spent 16 years in IT infrastructure,
Information Security Management,
IT Audit, Application Security, and
Security consulting
for the largest banking, telecom,
software development and professional
services companies in Ukraine.

46. I am one of the ”founding fathers” of UISG,
co-founder of OWASP Kyiv, NoNameCon security conference,
and my own consulCng company Berezha Security.

47. Today I am here to help you
secure adequate budget
for your cyber security program.

48. All of you are aware of
1. increase in frequency and financial impact of cyber attacks,
2. strengthening of government and market regulations,
3. and inability of traditional IT security solutions to thwart the
permanent threat of state-sponsored hacking backed by Russia.
In the face of
1. poor InfoSec market conditions that will not improve in the
nearest future,
2. and the inevitable period of increased geopolitical tension
caused by the upcoming presidential elections;
You shall not miss the opportunity to secure the funding required
to implement adequate safeguards as soon as possible.

49. For your security organiza0on,
that is poorly funded in line with “tradi0onal” corporate
budge0ng process that creates a disbalance of es0mated goals
and assigned costs,
my proposed method is a tool for leveraging natural human
features, beliefs, and aspira0ons,
that provides tangible percep0on of “fair amount” of cyber
security spending to all stakeholders,
unlike the tradi0onal “risk assessment” approach that is
inherently prone to error and doesn’t fully cover the ever-
changing threat landscape.

50. My proposed method uses current body of knowledge in
psychology, social sciences, and cyber security economics to
help security leaders
• obtain necessary resources,
• deal with cyber security market challenges,
• build and maintain influence power in the organization,
• and take well-deserved place in the business hierarchy.

51. How to find me
sapran@pm.me
https://fb.me/vstyran
@arunninghacker

52. References
George Akerlof - The Market for Lemons
Del6 University of Technology – Cyber Security Economics 101
Ross Anderson – Security Engineering
University of Michigan – Influencing People
Robert Cialdini – Influence
Oren Klaff – Pitch Anything
CulMvaMng Compassionate Tech CommuniMes - April Wensel -
AnxietyTech 2018

53. Recommendations
Introduction to Psychology, University of Toronto
Christopher Hadnagy, Social Engineering: The Art of Human Hacking 1st
Edition
Robert B. Cialdini, Influence: The Psychology of Persuasion, Revised
Edition
Dan Arieli, Predictably Irrational, Revised and Expanded Edition: The
Hidden Forces That Shape Our Decisions
Social Engineer Podcast