Austin Bsides March 2016 Cyber Presentation

Date post: 11-Feb-2017
Upload: expressworks-international
© EXPRESSWORKS. It’s not just about the Technology, it’s also about the Psychology. Speakers: Hend Ezzeddine, Ph.D, Cyber security Practice Director; Flora Moon, Sustainability Practice Director. Bsides Austin, March 2016.
Transcript

© EXPRESSWORKS

It’s not just about the Technology, it’s also about the Psychology

Speakers:

Hend Ezzeddine, Ph.D, Cyber security Practice Director

Flora Moon, Sustainability Practice Director

Bsides Austin, March 2016


Agenda

Why does the psychology of security matter?

What are the pitfalls that hackers exploit?

How to apply behavioral change to reinforce cyber resilience?

About Expressworks

Focusing on Results

• Accomplish the original (business) intent

• Achieve Return on Investment (ROI) goals

• Align behaviors and actions to business results

• Deliver value without destroying potential future value

• Develop the capacity to adapt more quickly to change

• Create higher expectations for future projects

• Strengthen the organization’s competitive position

Delivering Expertise

Our network of 120 change and learning consultants leverage their years of experience on change projects.

• Avg. experience: 17 years

• Avg. Expressworks tenure: 8 years

• 52% with a Master’s or PhD degree

• 58% with “Big 5” experience

Creating Meaningful Sustainable Change within Your Organization

Our collaborative approach allows us to leverage our expertise with your keen knowledge of your business and your people.

Aligning with Your Unique Culture

We’re not afraid to roll up our sleeves. We help you get your arms around the actual work of change, translating high-level strategy into concrete outcomes that make sense in your organization.

Average over 200 Projects Each Year

Our consultants are working in Chevron, Shell, Phillips 66, Adobe and USAA; and in Australia, the Philippines, Indonesia, Nigeria, Angola, Thailand, the UK and the US.

Timeline (1984, 1990, Today): Founded in 1984 with a commitment to sustainable change in diverse environments. Guided by a Change Methodology developed by Expressworks, following a multi-client research project on successful implementation of change.

Methodology: 01 Change Implementation Expertise; 02 Adaptive; 03 Trusted Collaboration; 04 Results


Who we are

• Hend Ezzeddine, Ph.D

Hend is the Cyber security Practice Director at Expressworks, a change management consultancy. She has over 10 years of experience helping clients implement and adopt cutting-edge IT solutions. Her focus is on designing organizational capabilities that enable a complete business transformation and maximize the ROI of major IT programs. In the Cybersecurity space, Hend’s work is primarily focused on the human element and leverages cognitive behaviors to reduce user errors and establish safer behaviors. She holds a Ph.D in Organizational Design and Innovation Management. Hend is the author of a number of scholarly articles and blogs on various topics.

• Flora Moon

Flora Moon has been engaged in designing user experience for her entire multi-decade career. As a filmmaker she engaged audiences with award-winning content. In high technology she was part of the start-up team that brought high-speed internet service to Houston. As a management consultant she has been responsible for user experience and insights for web technologies and ERP systems. Currently a Senior Manager for Expressworks, a change management consultancy that helps clients navigate systemic and culture change, Flora has led change management strategy and execution for enterprise programs since 2008.


Why does the psychology of security matter?


Human vs. Technology: Who wins?

Technology

Training and communication

Users


Human error was behind the Target data breach, and the user wasn’t even a Target employee.

Target suffered 440 million dollars in revenue losses as a result of lowered consumer confidence from the hack.


Who is your user?

Your tech-savvy user who is excellent at taking shortcuts.

Your not-so-tech-savvy user who is doing his best, yet…


Let’s look at the facts

66%: Source of cyber security incidents: former and current employees

84%: Nature of security incidents: non-technical

90%: Could anything have been done? Data breaches are preventable


What are the pitfalls that hackers exploit regularly?


Hackers play on humans’ emotions and exploit their psychological and cognitive pitfalls.

“If they follow a script, for instance, I know they’re a low-level employee or recently hired. And they’re the types of employees we can exploit.”

Former Hacker


Deception is more of a science than an art…

Cognitive science

Psychology

Behavioral Economics


What hackers try to exploit…

BEHAVIORAL ECONOMICS:

• Most people are less afraid of a risk they choose to take vs. a risk that has been imposed on them

• Most people are willing to take a risk if they believe that it also provides them with some sort of benefits (framing effect)

A penetration test targeted the finance directors of 500 publicly quoted companies. They were sent a USB memory stick as part of an anonymous invitation saying ‘For Your Chance to Attend the Party of a Lifetime’; 46% of them put it into their computers.


What hackers try to exploit…

PSYCHOLOGY:

• Most average users really want to be helpful, and the illusion of a reason is as effective as a valid reason

• Most users respond obediently to authority, hence the effectiveness of “CEO fraud” type attacks

According to the US Federal Bureau of Investigation, CEO Fraud has cost businesses around the globe more than $2bn in little over two years.


What hackers try to exploit…

COGNITIVE SCIENCE:

• Frequent changes to a memorized item interfere with remembering the new version of the item

• When required to change their passwords, users tended to create passwords that followed predictable patterns, called “transformations”

An attacker who knows the previous password and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account.
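The 41% figure above is what a change policy produces when it only demands that the new password differ from the old one. As an added example (my own code, not material from the deck or from Expressworks), the Python below shows a change-time check a defender can place in front of password updates so that the transformations users most often reach for are refused: case or leet substitutions, an edited digit or symbol tail, an appended word or symbol, a reversal, or any edit that leaves the two passwords too similar. The heuristics, the sample pairs and the 0.75 similarity threshold are constructed for illustration and are not a published policy.

```python
"""Change-time check that refuses a new password when it is a predictable
transformation of the old one (constructed example; not code from the deck).

The heuristics below (case changes, leet substitutions, edited digit/symbol
tails, reversal, containment, and an edit-similarity threshold) are this
example's own assumptions about what counts as "too close".
"""
import re
from difflib import SequenceMatcher

# Common substitutions mapped back to the letter they usually stand in for.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})

# Runs of digits/symbols at either end, e.g. the "2015!" in "Summer2015!".
_TRAILING = re.compile(r"[0-9!@#$%^&*?._-]+$")
_LEADING = re.compile(r"^[0-9!@#$%^&*?._-]+")


def _normalize(pw: str) -> str:
    """Lowercase and undo leet substitutions: 'W1nt3r' and 'winter' compare equal."""
    return pw.lower().translate(_LEET)


def _stem(pw: str) -> str:
    """Drop leading/trailing digit or symbol runs, then normalize: 'Summer2015!' -> 'summer'."""
    s = pw.lower()
    s = _TRAILING.sub("", s)
    s = _LEADING.sub("", s)
    return s.translate(_LEET)


def check_transformation(old: str, new: str, threshold: float = 0.75) -> tuple[bool, str]:
    """Return (rejected, reason). rejected is True when `new` is a predictable
    edit of `old`; the 0.75 similarity threshold is an assumed policy value."""
    o, n = _normalize(old), _normalize(new)
    if o == n:
        return True, "same password with only case or character substitution"
    if n == o[::-1]:
        return True, "previous password reversed"
    if _stem(old) and _stem(old) == _stem(new):
        return True, "only leading/trailing digits or symbols changed"
    if len(o) >= 4 and (o in n or n in o):
        return True, "previous password contained in new one (or vice versa)"
    ratio = SequenceMatcher(None, o, n).ratio()
    if ratio >= threshold:
        return True, f"too similar to previous password (similarity {ratio:.2f})"
    return False, "ok"


# Constructed old/new pairs for the demo; none are real credentials.
SAMPLE_CHANGES = [
    ("tarheels#1", "tarheels#2"),
    ("Summer2015!", "Summer2016!"),
    ("Winter2015", "w1nt3r2015"),
    ("Passw0rd", "MyPassw0rd"),
    ("correcthorse", "esrohtcerroc"),
    ("Guitar-Hero", "Guitar-Hera"),
    ("Lx9#qTv2", "mountain-river-coffee-44"),
]


def run_samples() -> list[tuple[str, str, bool, str]]:
    """Evaluate every sample pair; returns (old, new, rejected, reason) rows."""
    return [(o, n, *check_transformation(o, n)) for o, n in SAMPLE_CHANGES]


if __name__ == "__main__":
    for old, new, rejected, reason in run_samples():
        verdict = "REJECT" if rejected else "accept"
        print(f"{verdict:7} {old!r} -> {new!r}: {reason}")
```

The check needs the old password in clear text, which is only available during the change transaction itself (the user supplies it to prove ownership), so it belongs in the change handler rather than in a batch job over stored hashes, which cannot support this comparison. Six of the seven constructed pairs are refused; the last, an unrelated passphrase, is accepted.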


What does it mean to think like a Hacker?

Psychology of security

Cognitive Patterns

Actions/Behaviors


How to apply Behavioral Change to reinforce cyber resilience?


Cyber resilience is often a balancing act

Security behaviors

Human errors

The most successful results are exhibited when we take a systems approach where the “human in the loop” is at the heart of the cyber security initiative.


How to design a cyber resilience framework around behavioral change?

Leadership commitment: How to get the board and the C-suite to demonstrate commitment? How can you guide them to support you?

Organizational structure: What’s the best organizational structure for your initiative? How to empower employees to make the right decisions at the right time and level?

Operating model: Do you have a clear cross-functional cooperation model? Do you have clear cyber security activities?

Culture: Why is culture key to your success? How to develop a strong cyber security culture?

Talent management: What are your needs in terms of skills and resources? How to train and retain the right talent for cyber security?

This material is protected by copyright. No further reproduction or distribution is allowed without explicit permission from Expressworks.


How to leverage behavioral science to reduce human error and reinforce safe behaviors?

Design to reduce human errors

Maintain compliance by reinforcing the right behavior

Train users to recognize cyber threats

Perceptual learning: Consider training specific visual skills to develop users’ ability to recognize cyber threats and extract meaningful patterns instantaneously.

Human Performance Engineering: Consider which type of security warnings will be most effective in triggering the right behaviors. For example, active warnings require the user to deliberately decide whether to access a web site or download an attachment.

Choice architecture: Consider minimizing decision-making when users are trying to focus on their day-to-day tasks, for example by defaulting external emails to be filed as spam.

Social proof: Consider communicating the % of people who are compliant to motivate users to comply.


Once people adopt the right behaviors, complying with cyber security will become second nature

I have diversified work assignments and access to the right training.

I understand our cybersecurity solution and how to measure its effectiveness.

I own cybersecurity for myself and my organization.

I feel empowered to make the right decisions and can access the C-suite/board as needed.


Contact Information

Visit our website: http://www.expressworks.com/

Email us

[email protected]

[email protected]

