From Weakest Link to Retaliation Weapon: Building Efficient Anti-Social Engineering Awareness Program
From BruCON 2017
Like many infosec practitioners, early in my career I tended to disregard security awareness. People can't change, I thought, and the evidence was there. No matter what we, as a security community, did to make our less savvy colleagues avoid social engineering threats, it seemed that it didn't work. But it turned out that we just did the wrong things.
Much later, when I had become more familiar with the industry as a whole and the agendas that drive its players, I realized that information security is simply not the field where the answers to the questions of human nature could be found. All the infosec industry could offer was moving "the user" as far as possible from the responsibility for their actions, normally by placing a bunch of intrusive software on their devices and some blinking boxes between them and the Internet.
But wait, I pondered, if the human being is so unreliable and irresponsible, how did it happen that humanity survived the natural threats and developed into the species that dominates planet Earth? Could we draw analogies between the threats in the real, kinetic world and "cyberspace"? Could we then use the strategies that helped us fight (or rather flight) a bear… or a tiger… to survive this new jungle out there? It turns out we could.
During the last two years I've developed an efficient program that leads to a significant increase in user resilience to modern cyber threats that employ social engineering principles and techniques. The approach it takes is backed by social psychology and behavioral science research results, as well as the track record of its successful application to high-profile companies here in Ukraine that face threats that are slightly unusual for most businesses abroad.
During the talk I will let you know how it works, why it works, and how you can make it work for your own or any other company.