Transcript
Nora: Big warm welcome back to our All Things Human Risk podcast. Today we're talking about something so interesting and super fascinating, and something that a lot of awareness teams actually do and many people feel uneasy about doing also, and that is using real breach stories in training. Why would you do that? Well, because actual real incident examples of course work. They make threats feel concrete and they can cut through this "will never happen to me" mentality. But of course there's a thin line between memorable and harmful, and we never want fear mongering or victim blaming or any kind of humiliation of people who make mistakes, and we never want to use that company's worst day for entertainment either, because of course, as we know, these breaches can have horrendous impacts on so many employees. And if we do it the wrong way, what happens is not just that we miss the opportunity to learn, but we actually can lose trust. And to help us navigate this interesting topic today is David Bedanes. Welcome back, it's so great to have you. If you've ever heard David with us before, you know he's practical and grounded and comes with years of on-the-field cyber security experience. And so today we'll be putting that experience into a playbook for ethical security storytelling. We'll cover how to choose your examples responsibly, how to tell the story with context and respect, and how to turn it into training that actually sticks for employees. David, a very warm welcome to the show.

David: Thank you, Nora. I'm so glad for a warm welcome considering that it's so cold outside where I'm joining you. But I'm so glad to be here talking about such a really challenging topic and a challenging issue that you framed so well. Those of us who are in the cyber awareness and human risk management field, we really need to figure out what's that line between sharing stories that really make an impact but also don't cross an ethical line. It's a fascinating topic. I'm really excited to be here with you to share this with your audience.

Nora: So David, first off, when we think about actually telling these real breach stories, why do you think that that is effective? Why do you think that's better than using generic or made-up examples to teach people?

David: Yeah, I mean that's a great point, and I think it goes back to how we're wired as humans. We really believe more and understand more the concrete versus the abstract. If you look at Heath and Heath's book, Made to Stick, one of the things that I draw from that is that we're really drawn to remember concrete sensory details. "The attacker called pretending to be from IT to ask for a password reset" beats "Hey, social engineering attacks are increasing." I think back to The Office, one of my favorite American television shows, and there's an episode called Fire Drill where Michael Scott comes in and he shows workplace safety tips by going through a bullet point slide on the screen. And all of a sudden, what does Dwight Schrute do? Dwight all of a sudden creates a fire in The Office, a fire drill, and it goes disastrously. But it teaches everybody how to get out of the building. That's a memorable experience that actually sort of teaches lessons that go beyond just sort of what you see on the screen.

Nora: Great point. So obviously, they can really bring these examples to life quite literally, but where do you see the risk in telling these stories? What could go wrong if we do share real examples?

David: Well, obviously, the risk is crossing a line of things that are sort of ethically dubious or things that you really wouldn't want your organization to be phishing about or doing otherwise. I'll just give you a couple of examples. During COVID-19, many organizations, including one that I was supporting phishing training for, decided not to show and phish on situations around COVID, right? Not about "click here to see if an individual that you had worked with was subject to contact tracing" or "click here to be able to access first ability to get vaccines." We determined that safety was more important than our phishing susceptibility, and so what we decided to do was to not include those. I also think about, as an organization, if you're sitting in a chair where you're buying cybersecurity services, hearing stories, it's almost like the old kind of ambulance chaser mantra, where an attack happens to another organization and they call you up to say, "I don't know if you've been following the news. The latest attack has happened. Is your organization safe against cyber attack? Click here, learn more. We would like to see whether your organization is the same."

Nora: You mentioned doing it in an ethical way, and I think when we think about sharing these stories and using examples in phishing, I think most awareness managers and people working in human risk management would agree that they want to do it in an ethical way. But saying that is maybe easier said than done, in that how do you actually define where that line is? And to help people tell these stories in an ethical way, how would you describe what that looks like in one sentence to awareness managers in particular? What does ethical security storytelling look like?

David: One sentence is tough here, Nora, so maybe I'll give it a shot. Ethical storytelling in cyber awareness is incredibly important because generic warnings tell people just to be careful and real stories tell them what careful actually looks like. But you do want to make sure that you are not pushing the boundary and covering topics in a way that will make you just like the adversary itself. And I'd love to go into a little bit more detail of what could be included in that as far as overall talking points. Any sort of situations where you're victim shaming or blaming the victim, that is not what we're trying to do. We do not want to cover how dumb the victim is, and that would just simply make your employees think "I would never do that," because you want your employees to have empathy. Empathy is the key thing here, of thinking "that could be me." You also really don't want to go into too much technical detail and drown people out with IOCs or CVE numbers when the heart of what you're trying to focus on for these is really behavior change, when you're talking about your overall people population. And you want to focus people on that decision point. Make them put themselves in the shoes of the person who suffered the incident. Give them, again, a sense of empathy for the person that was attacked, that was breached, and have them consider the decisions that went into it and whether they would have done something differently. And finally, treating this as just simply a one and done, "here's what happened," instead of reinforcing positive lessons over time. That's the way you draw out effective ethical storytelling in cyber.

Nora: Really good points there. And that makes me think about when you said putting yourself in the victim's shoes and seeing how that sort of story can be told in a way that helps people change their behavior in a positive way, but doesn't shame them. If a breach is public, and it's publicly written about, or of course some breaches get a lot of press, does that mean it's fair to use in education inside companies as is?

David: Nora, that's a great question. And obviously it can become a legal one, and it's above my head. So public just means accessible, right? It's through court documents, New York news articles, it could even be classified information, but that does not mean using them is appropriate. Fair to use is another topic. Is there still an active investigation? Could the victims potentially be identified or harassed? This is a big issue that we should think about with your people. Are we adding value to the conversation, or are we just really exacerbating and amplifying somebody's worst day? And then really to think about it, Nora, if the shoe was on the other foot, would we want someone else to be using our incident this way to create a situation for others? So, yes. So let's talk about some ideas, right? So maybe there's a lawsuit out there naming an IT admin by name whose credentials were stolen. Is that in the public domain? Yes. But is it fair to use? Probably not. It's active litigation. The person is probably already facing legal and career consequences. What about an article from a well-known podcaster on a phishing campaign? Is it public? Yeah, that's something that you'd probably use. The journalist has already made those ethical editorial decisions. No individuals were named. So yeah, that's the type of balance that you need to play when deciding what to publish and what not to share. Just because you can find something doesn't mean that you should use it, because public availability is the start of the ethical analysis, not the end.

Nora: Now on to some practical advice for an actual awareness manager who's planning to use a breach story. How would they decide what to include, and what parts of the story are actually useful? What are those elements that turn it into something positive and that are useful and help people understand? But whilst steering away from being sensational, what sort of concrete points do you think, if you could give some examples, are appropriate to use and what are not?

David: Yeah, I think you need to figure out what is the behavior you want your employees to change. And if you can't name that in just one sentence, then you're not ready. So that's really what it comes down to. Figuring out specifically what you're trying to do within your organization, the behavior that you're trying to change, and being able to communicate that clearly. So thinking about, does the story that you're putting forward, does it illustrate that behavior? Sometimes there are really great salacious and dramatic stories, but they're not really instructive. There are individuals that could be hurt by telling that story. And did you take other steps to minimize that harm? Is the timing appropriate too? That's another question that you can ask yourself. Is it relevant? Is it real? And would I be comfortable telling the story if it were about my company? There's actually a really good case on this. So Barbara Corcoran of Shark Tank fame, her company lost $400,000 to a BEC scam. And she's talked about it anywhere where she's been asked, on podcasts and news shows. And this becomes a really ideal training example, because one, the victim herself, she decided to go public. She's a sophisticated business person. Nobody doubts her business acumen. This goes against the idea that only naive people would fall for something like this. And she discusses it without shame, and she models the right response. So I would encourage you, if you have examples within your own organization where you've been a victim of a cyber attack, or even a near miss, those are the ones that resonate the most. Because not only is it a real story, it's a real story about your organization. So to the extent that your corporate comms and legal are willing to have conversations about this, and I think a lot of them are, those are the ones really that you should be leading with.

Nora: What is the context that you need to give to avoid sending that message that somebody did something stupid, and framing it in a way where it's actually the mechanics behind the attack, and learning how the attacker works and how to defend against that, that actually shine, and not the "that person was stupid" framing? Before you answer that question, I just remembered something that I read on LinkedIn recently. Here in Finland, there's an editor of a technology magazine who was commenting on a thread about somebody who was the victim of basically a scam, an elderly person who lost all their money. And this editor was commenting that she went to the parliament to discuss with some politicians what could be done on a legislation level to stop this from happening at the banks. And an unnamed source, off the record, in the parliament had said, "We can't ban this by law, because you can't ban stupidity." And so of course, I went on a rampage on LinkedIn to comment to say, I think it's extremely wrong on the level of parliament for anybody to blame victims and to label them as stupid, when we all know that the attackers are spending so much time and effort. It's a huge business for them. It's something they keep optimising. So how do you think we can give that context to employees in a way that doesn't turn into such a long lecture on the mechanics of a cyber attack that then they would lose interest?

David: That story just resonates so much with me. That really does seem like it's victim shaming and blaming. But you do have to include those details that draw the reader. And that's why this is such a challenging thing. But I think you go to including the facts, right? What is the type of attack? How did it arrive? Sharing that. Was it an email, a phone call, a compromised vendor? And that moment of decision. Again, you want to have your reader, your listener, put themselves in the mind of the person that was the victim and to see if there was anything that they would have done differently. What were the red flags potentially that were present but missed? And what were the consequences? But again, I would caution you and urge you to focus more on the organisational impact, not the personal punishment. And how do you do that? Really, you omit the names of the individuals, the technical details that the employees themselves can't act on, the relative stupidity of the individual. That is something that, back to your comment earlier, I think is outside the realm. And any sort of graphic details of the consequence, humiliation, firing, or any sort of speculation on motives or blame, that's just something that I just think would be not good for ethical storytelling. You know, this goes to, I would say that you should try to work backward from the breach. Try to figure out that fork in the road moment: what did the target see, what did they decide, and what could they have done? And then think about it in those if-then prompts. If you see that, maybe you should think and act 10 seconds before acting. Or, this seemed a little suspicious, that potentially this vendor was not legitimate. What were the steps that you would put into place in your organisation in order to verify the legitimacy of a vendor? And if in doubt, here's exactly who to contact and why.

Nora: That really resonates. And one thing maybe that I would add, and would love to hear your thoughts on, is the actual problem-solving of what happens after a breach. One time I heard a CISO do a public presentation about a breach that had happened to them during the Christmas holidays when, like, almost everybody was off. And there were two things that really resonated with me from that story, and I think I'll always remember them. One was the fact that when he was in his woolly socks and with a glass of wine, enjoying Christmas Day, and got the news of the breach, he started calling around the team and everyone just sort of pulled together to come together to fix what could be fixed at that point, and the teamwork, when you really come together and fix things. And I think that sort of shows people that security teams are there to help you, and it gives the feeling that if you were in a pickle, the security team would come through. They would come through from their Christmas holidays without complaint to help you get out, and not to blame you and to fire you. And then the other part of what he shared that really, really resonated with me is that their whole trade secrets were available on the dark web now, and they contacted all of their competitors. They were like a flooring manufacturer, and so they contacted all their competitors and said, "Our trade secrets are now out. They've been stolen by criminals. Please don't access them, because it would be a crime." And he said that without fail, all of their competitors contacted him and said, "We believe in fair competition. We're sorry this happened to you, and we will not be accessing those files." And I feel like when you share those kinds of positive things where people come together, and you show the humanity of, you know, we're all fighting the good fight here, and when we do it together, I think those sorts of positive examples reinforce this feeling about security teams as something positive. How do you feel about that?

David: That reminds me of actually something that happened in US politics 20 years ago, and not to get political, I wonder if it would happen today. So there was actually a story during the 2000 presidential campaign of Governor George W. Bush versus Vice President Gore, and during the debate, there was a binder of materials that was left behind by actually Governor Bush's team, and it had a binder of all their talking points and notes about different topics, research memos, and the like, and it was discovered by a Democratic staffer who actually called and returned it. And the idea was, I mean, it was stumbled upon, it was not legally obtained, and so they turned it over. And that showed the sort of, even though they were adversaries in this moment, that there was a sense of ethics that bound them even further. So I really like that story, Nora.

Nora: Yeah, and I think that's also a nice juxtaposition to kind of really bring to life how you would behave ethically and how you would behave unethically, because of course, cyber criminals are behaving unethically. And then we're trying to turn these stories around to help us fight the good fight, but with examples of things that can be horrendous. So translating this into real artefacts that can be used in training, what sort of formats do you think are suitable for this purpose? And what makes learning stick? Like, should security teams be giving long presentations to staff or sending them newsletters? Or what do you think really practically works? We've talked about making sure that this positive reinforcement to change behaviour is internalised through this ethical storytelling of breaches, but how would people actually do that in practice?

David: Yeah, so depending on the format, you can put that to the side for the moment. But I think the framework that you're looking at across all of your formats, there's an acronym that I've liked from that same book, Heath and Heath's Made to Stick, which is it should follow the SUCCESs framework, which is: it should be simple, you should have one clear lesson that you're trying to communicate with each deliverable. It should be unexpected, you know, a surprise that breaks the pattern. And that's something that catches the reader's attention. It should be concrete, with specific sensory details; credible, from a believable source; emotional, which makes you feel or believe something; and include a story, a narrative arc, and then be summarised at the end. So as you think about the different formats that you look at, that's what I would focus on the most.

Nora: What's fascinating is that telling these stories of real breaches in an ethical way can indeed help us change those behaviours in a positive way that we're trying to impact with awareness programmes and within security teams. But how would you actually advise people to put this into practice? Should security teams be giving long lectures to all staff, or should they send newsletters? Like, let's get really practical about how we translate that storytelling into learning moments and messaging that really does have the desired impact.

David: And Nora, I'm so glad you brought up this question, because I think there's so much research on this subject that continual micro trainings and micro lessons work a whole lot better than long sort of compliance-style training courses. Putting people actually to train in the environment in which they're learning is incredibly important. And that leads us to things like phishing and things like micro learnings as well. So let me go to sort of the science behind it actually. So think about Wordle, the New York Times Wordle game. People will engage with, like, small daily activities, low-stakes challenges. So think about that in your phishing and human risk management of your awareness programme. If you can sort of train people more than just once a month, certainly more than once a quarter, maybe once a week or once a, you know, that they're looking at it, they're in their native inbox, they're looking at messages or a phish comes through. And it's different than watching a video about phishing. It's actually in your inbox, seeing the email and having to decide yourself. This is the difference between passive learning and active learning. And learners who engage with actively learning material, you know, they retain so much more information. And that's why it's that much more effective.

Nora: So, for instance, if we wanted to do this with employees and train them about business email compromise, obviously a massive concern for any organisation really, what would you do in terms of using a real breach example to educate users on business email compromise?

David: Yeah, I could almost envision this like a choose-your-own-adventure style scenario, where you could actually see what the urgent invoice of a business email compromise email would look like, and it comes in and you have to decide what to do, right? Is it reported as phishing? Are you going to reply to the email asking for confirmation, especially if you think that this is something that you need to do? Are you going to call the CFO directly using the phone number in the email, or potentially use an out-of-band communication? The idea though is that you almost want an all-of-the-above style of formats for presenting information about this topic. I'll talk about what we did at my company. We sent emails to people that included business email compromise style phish. And then we would get together on a monthly basis and we would actually talk about them. And we would go through that scenario where we would say, you know, here's what they were trying to do. This is what we would recommend. And then for those that want to learn more about the topic, we could actually present them greater writings and greater understandings so that they could get more information. Also, what we're doing here is really important. Maybe some people like to get information on the way to work. So maybe you can employ, like, a podcast or audio or different sorts of things where people can learn different stories in a way that makes sense for them. Because the idea is you really need an all-of-the-above approach to learning this information.

Nora: I totally agree. So in order to have that approach in place, if you don't already have it, how would you operationalise it? So if you were running an awareness team or working in an awareness team, we know a lot of awareness practitioners are working on their own. So they have to do a lot with very little resource. So if you wanted to operationalise this, what would a lightweight review process look like in order to make sure that you are always toeing the correct line of ethics, as well as staying on the right side of the law? How can you make this happen and actually bring it to life, knowing what sort of pressures security awareness managers actually deal with on a day-to-day?

David: So I think one thing that would be good to do is that, to the extent that you're disclosing things that happen within your organisation or others, having the phrase "based on true events" gives credibility but also allows some customisation. Real stories can build credibility. Fictional stories can build relevance. Use both strategically and be transparent about which is which. But I do think this is something where you want to, as you're talking about operationalising ethical storytelling of breaches within your organisation, you do need to bring in the advice of others. It can't just be one person within the organisation. It might be helpful to include people from HR or people who look and have different backgrounds than you do, because you can have different perspectives in the room. We believe that that makes you stronger as an organisation. This is not bureaucracy for bureaucracy's sake. It's that pause moment, like the movie Inside Out. Before an emotion takes control of your brain and your overall perspective, there's a beat where someone should ask, you know what, is this a good idea? And you should have a repeatable process for that, right? You should have a checklist of, you know, again, back to that framework that we talked about earlier: What is the specific behaviour that we're trying to get identified? And what's the story that we're trying to illustrate that behaviour? And is there anyone that would be potentially harmed or hurt along the way? And go back to that golden rule. Would we be comfortable if this story were about us? And that way you can sort of really think about how you can change behaviour while adhering to an ethical standard.

Nora: Really, really great practical points there to actually putting it together. So once you've done it and you've executed your campaign, how do you know it's working? What are you measuring for? What signs are you looking for that you're doing the right thing here?

David: So there are a few things that I can think of off the bat. If you're giving a story in a crowd, if people are enjoying it, if they're listening, if they're not looking at their phones, do they like the training? But that's the least predictive, honestly, of how effective it is. Did they learn something? You know, learning something is certainly necessary but not sufficient. Did their behaviour change? That's incredibly important. That's what we actually are driving towards. And then results. Did it impact outcomes? That's the ultimate goal and that's, of course, the hardest to measure. So that's really what I think about: going from reaction to learning to behaviour to results. And most security awareness programs, they do a very good job at measuring level one and sometimes level two, quizzes, knowledge checks, that sort of thing. But real impact requires level three, behaviour, and level four, results.

Nora: Thank you for sharing. It's clear you've done this many times in your roles before. One other thing I'd like to ask you about, I know you've worked also with a lot of international contexts and with people from all sorts of different backgrounds, and that could be their different backgrounds in terms of their level of technical knowledge, or also culturally from different backgrounds, different countries. And when we are communicating these messages and we want to do it in an ethical way, there may be a difference between different cultural contexts. What would be your advice for doing this in a way where it's suitable for diverse contexts?

David: That's a great question. And it goes to kind of a fundamental concept that I'm trying to get across, which is it's so important to know your audience. I'm going to go back to pop culture for a second, just because I love the show The Office. And I've made a couple of references there. You know, many people remember that The Office actually started as a UK series and it was focused on dry, cringe humour, sort of the dynamics of office jobs that didn't necessarily go anywhere. And when it came to the US in the first season, they had to adjust almost everything. And some things really kind of fell flat, not just the jokes, the pacing, but sort of the relationship dynamics, the idea that, you know, Jim and Pam sort of needed to have a relationship arc. Same premise, same show, but had to be different executions because cultures vary differently. And that's really important. You need to sort of adjust your style based on the culture. In different societies, let's think about the idea of the CFO email. So back to business email compromise. In different cultures out there, there's a different approach when it comes to challenging your boss or your manager. When I led security awareness for an international company, one of the things that we had to focus on was this idea of challenging your manager's authority with regards to business email compromise, because that wasn't a universal concept across the world. So we relied on something called stop work authority, which is known across the country and across the world, that if you see something that's going wrong at a risky business situation, whether it's at a water treatment plant or a power plant or a substation, you have the ability as any employee to say, we are going to stop if I see something risky or dangerous until that is resolved. And using that same logic to apply to business email compromise works, right? So even if you get an urgent email from your boss, or even the CFO, saying that you need to do something, if you slow down that operation, the acquisition of some important business, by not responding right away, there is no retribution. So that's a really important concept across cultures to get forward.

Nora: Yeah, great points there. Like the way that we talk about, for example, in our company context, if I had a suspicious message from my boss in the evening, I would just call him at home and say, hey, hope you're having a good evening, but what is this about? And of course, not everyone can do that. And of course, there are many contexts where also, when we think about the ethics of the story in terms of the victim of the attack, the level of shame that could be associated with that experience in different cultures can really vary. So I don't think we can talk about ethical storytelling without taking the cultural context into account. So that's, of course, something that I guess we both agree on, that security awareness managers across the globe should take into account.

David: So think about some different industries as well. Small startups, a tech startup, a lot of the mantra there is move fast and break things. They're going to have direct examples and even internal near misses that you potentially can call on. Those more regulated industries, financial services, critical infrastructure, government, they're going to have a little bit less of an ability to sort of suggest anything to the regulators that they've had sort of any issues. So there's a lot more sensitivity in there. So a story that's empowering in a blame-free environment can be terrifying in a shame-oriented environment. And that's why it's so important to know your audience. And when in doubt, I would advise to err on the side of dignity, more context and more emphasizing that, you know what, reasonable people can get caught.

Nora: Great. I think we're coming up to time. Is there anything else that you would like to add, David?

David: To bring us home, I think before you tell any story, there's a five-question ethical test that I think we should put forward. What behavior am I trying to change? Does this story actually teach that behavior? Who could be hurt, and have I taken the steps to minimize harm? Is the timing appropriate? And would I be comfortable if this were about my own company? And I think that that is just really kind of the heart of it. You know, the two sentences of context I'd like to leave you with are: what made this attack so sophisticated, and why a reasonable person could have been fooled. If you do that, hopefully your viewer, your listener, your reader will put themselves in the seat or the chair of the person who was impacted and really think of them with empathy, and they'll actually, going back to what we said, they'll know what to do and they'll actually act on it in the future.

Nora: Some great points there to turn what can be a difficult topic, where do you draw the line, what is ethical and what is not, into something actionable. You've really distilled it down to some very clear steps that hopefully the listeners will be able to implement in their day-to-day life and work. Thank you so much, David, for your time.

David: At its core, ethical breach storytelling is remembering that behind every single security incident is a human being, somebody who was trying to do their job, someone who got targeted by someone whose full-time occupation is deception, and they're probably already feeling terrible about what's happened. Our job in this scenario is not to pile on, it's to make sure that their experience helps someone else, while treating them the way that we would like to be treated if it happened to us.

Nora: Such a great reminder, and not just the full-time occupation of cyber attackers, but they have funding, they have technology, they have AI, they have so much sponsorship behind what they're doing that, as we've agreed on, it's totally unethical to blame the victim, and instead we need to turn these stories into something that can truly impact people's behavior in a positive way. Thank you so much, David, for your time.