Turning Users into Cyber Heroes
BY JORGE MARIO OCHOA, CISSP
A few years ago, P&G launched a marketing campaign for Colgate toothpaste in which it presented images of couples where male models all had stained teeth. So focused were viewers on the stains that few noticed other oddities in the photos, such as a man missing an ear, a woman with six fingers and another with an extra arm. To them, the stains were more obvious (and shocking) than some serious abnormalities (See below).
In another example of quiet deception, after the business platform LinkedIn was infiltrated and its database leaked, users received emails about the breach with instructions to change their login credentials. Some of those emails were not legitimate, but users didn’t stop to look for discrepancies in the message or headers. Instead, they blindly filled out false forms that often included the same credentials they used for corporate access at work. That’s how cyber criminals were able to easily break into more networks and compromise additional databases once they’d cracked LinkedIn’s user database.
In both examples, savvy specialists took advantage of people’s propensity to overlook alarming details. Research shows that more than 91% of targeted attacks now start with spear phishing. The latest Verizon Data Breach Report indicates cyberattacks using social engineering techniques continue to increase. It’s why cybersecurity awareness training is fundamental in a cybersecurity strategy. Attackers have noticed that they have a better return on investment when they use social engineering via email; therefore, why spend weeks trying to identify vulnerabilities in a system when it is so easy to search the internet for the director of Company X and launch a credible spear phishing attack to steal credentials? Or impersonate the director to gain corporate secrets?
I recently had an opportunity to learn how attackers manipulate our emotions as part of a Ph.D. program I am pursuing that involves neurohacking. Part of this growing discipline involves better understanding human behavior across different generations (Baby Boomers, Generation X, Millennials and Generation Z). By fully understanding why humans make the decisions they do, we can all improve our cybersecurity programs through greater user compliance.
Turning to experts in human behavior
For seven years I was the CISO of an organization with more than 4,500 employees, and one of my main responsibilities was to lead the corporate cybersecurity awareness program. Communicating effectively with so many collaborators was a challenge I willingly embraced. I also asked for help—especially from people working in human resources. I tapped people on our marketing and internal communications teams to create action-oriented messaging tailored to different generations and preferred channels.
We (ISC)² members are experts in cybersecurity, but we need the expertise and assistance of others who better understand human behavior in order to improve our security posture through a well-educated user base.
Putting the complex in simple terms
A long time ago I saw what we’d now refer to as a meme that warned: “We are training the 21st century generation with 20th century tools using 19th century methodologies.” It made me realize that memes might be more effective for Millennials and Gen Zers than the PDFs and PowerPoint slides favored by older employees. It also reinforced for me, in an abstract way, the importance of empathy—where we put ourselves in the shoes of others—to understand that some people are more auditory than others, some more visual, and some need more detailed information before they can change bad habits and adopt better cybersecurity hygiene.
It’s also important that the messaging speaks to many. To paraphrase some of the biggest thinkers of the past, Albert Einstein once said if you can’t explain something simply, it’s likely because you don’t understand it well enough. Nikola Tesla, genius that he was, counted among his top traits the ability to explain something complex in a simple way.
In addition to empathy and simple messaging, we need to better understand our adversaries. Here again is where neurohacking can help. We must try to understand their motivations, not just the mechanisms they use to infiltrate our organizations, if we are ever to gain the upper hand in our battles against the many creative ways malware finds its way into our data centers and cloud-native environments. We also must acknowledge that the only constant is change.
Turning users into Cyber Heroes
I presented a session on neurohacking at the (ISC)² Secure Summit Latin America in Sao Paulo and later to audiences in North America, Europe and Asia. From those talks was born CyberHeroes.me, a proprietary cybersecurity awareness training based on gamification that incorporates augmented reality, characters and playful learning techniques. The goal is to improve cybersecurity competencies and raise users’ awareness that they must change their behavior—not because there is a penalty, but because they believe faithfully in the benefits and understand how their actions contribute to reducing risks. They become cybersecurity allies, a.k.a. cyber heroes, as users are the most important component in a cybersecurity strategy.
In summary, the most relevant cybersecurity risks are directly related to the human factor, and that is why we should invest more in people (the most valuable asset) through cybersecurity awareness, training and certification programs. The cybersecurity workforce shortage keeps growing, and we need all the people we can marshal to help us create a culture of cybersecurity risk prevention, to design mature processes, and to get the best out of technologies such as artificial intelligence or neural networks that provide us the best chance of protecting our companies and our employees against those who wish to do harm.
To learn more ways to improve workforce cybersecurity awareness and compliance, be sure to read the March/April 2020 issue of InfoSecurity Professional Magazine, out Feb. 21, devoted to this subject.
JORGE MARIO OCHOA, CISSP, CISA, CISM, CBP, has almost 20 years of experience leading regional and global projects. He is a professor in the Panamerican Business School’s master’s in cybersecurity program, an international speaker and a writer. In 2017 he received the (ISC)² ISLA Award for Senior Information Security Professional and EC Council Global CISO Award for Innovative Security Project of the Year.