Behavior Modification Through Social Engineering

(Steven Porter) #1

Regardless of the systems we put into place, our final line of defense will always be end-users. I’ve stated for years that my real job is behavior modification, trying to increase security awareness through a series of email messages with information on the latest scams, zero-day exploits, and general horror stories about the impact of blindly clicking simply because a message or web site tells them to. Unfortunately, I’ve discovered that many within the organization tend to ignore any email coming from IT.

We all go to events, conferences and vendor showcases, and generally return with more promotional items than we could ever use. I’ve started dropping a paragraph into my security messages telling staff to respond to the message before the close of business on a given date to be entered into a drawing to win some ‘fabulous’ prize. I follow up with an All Staff message slugged ‘We Have A Winner’ to announce our lucky employee.

Of course, someone generally complains that they never received any notification of the contest. When I show them the unopened email in their inbox, they’re suitably chagrined, and I know that I have yet another person who will be reading every word of anything regarding security.

(Edwin Eekelaers) #2

Nice trick. Didn’t think of that one yet… But no way I’m going to make my KnowBe4 shirt part of a contest…

(Steven Porter) #3

There will always be some SWAG that I keep, but how many 2GB flash drives do you really need? :)

(quoting batye, post #4) “paranoid about everything…”

Paranoia is justified… personally, I keep a machine disconnected from everything to inspect and/or scrub every stick I receive, whether filled with marketing info or from a retail source… using an infected device as a reward for reading security emails seems more than slightly counterproductive. My goal is always to work less by taking preventative measures.

(Alex S) #4

For me, security is being paranoid about everything… some free USB stick could cost you your job.

(Stephen Rogers) #5

Hey Steven,

If we could only convince the bad guys to send all phishing attacks from “IT” …


(David Schultz) #6

I just hate rewarding people for doing something that they should do automatically. When I have something big like that, I like to let the VP know and she forwards it on instead of me. That usually gets the people to read something. Following it is another story though.

(Steven Porter) #7

Yes, they should just ‘know’ what to do, but sometimes it is necessary to educate your users rather than deal with the consequences. The rewards I use are generally inconsequential marketing trinkets - making more of a game out of it than any profound statement. Behavior modification comes in small steps rather than sweeping reforms.

Passing important messages to a VP for distribution really doesn’t do anything to gain acceptance for IT as a whole. Part of the battle we fight is that we are ignored as being difficult to work with, and changing that perception within the organization is critical. Still, every situation is different, so you’ll need to make decisions based on your organizational structure.