"No Mr. Cyber Threat!" - A Psychological Approach To Managing the Fail-to-Challenge Vulnerability

Presented at Black Hat USA 2022, Aug. 11, 2022, 1:30 p.m. (40 minutes).

An unrecognised individual enters a busy workplace. They are not wearing any ID and they are asking people if they can use their laptops or plug in an unauthorised USB device. Even though people typically know this is a problem, staff often fail to challenge, resulting in an exploitable vulnerability. But our individual is wearing a brightly coloured t-shirt with the words "CHALLENGE ME" in large friendly letters on the chest and they are overtly trying to engineer risky behaviours. It is all far too obvious - almost like they want to be caught doing something wrong…

That is exactly the point. They want to be caught because each time they are challenged, our work indicates that their target becomes more secure. This is the "Malicious Floorwalker" exercise, an impactful behavioural intervention designed and delivered by the UK MOD Cyber Awareness Behaviours & Culture team.

Grounded in robust psychological theory interwoven with social engineering practice, it is a way to manage human vulnerability rather than just uncover it. Taking only two minutes, it puts people at the heart of their own story around challenging a threat. By making it as obvious as possible that a challenge is required, it leverages the social cues and psychological tensions felt by the individual, leaving them with no option but to raise a challenge. Importantly, this is done in a safe, fun, and light-hearted way, free from fear and punishment; it is simple, yet complex and effective.

Engaging with the Floorwalker allows individuals to develop their own narrative towards challenging and to build a psychological script to work from in the future. When challenged, the Floorwalker coaches a good outcome and, as a result, fosters positive sentiment towards the ideal behaviour.

We have delivered this across several sites to excellent effect with quantifiable success.

Presenters:

  • Simon Pavitt - Head Cyber Awareness, Behaviours and Culture, UK Ministry of Defence
    Si Pavitt is the head of the MOD Cyber Awareness, Behaviours and Culture (CyAB&C) team under the 2* Directorate of Cyber Defence and Risk (CyDR). He is primarily responsible for setting the strategic direction for socio-behavioural change as it relates to cyber-secure behaviour across Defence, and also provides consultancy to Defence human vulnerability and social engineering activities. Drawing on significant experience, ongoing academic research, and an unending passion for the subject of psychology in cyber, Si actively seeks to share knowledge and best practice with any and all interested audiences within Defence, wider government, international partners, academia and industry.

    Key experience includes forensic and social psychology, social engineering penetration testing (formerly MOD Cyber Vulnerability Investigations socio-behavioural lead), and former UK military (Army) service.

    Previous presentations/literature: MOD Psychology Conference 2019 – "Psychology in Cyber Vulnerability Investigations"; 3SDL 'Offensive Psychology' workshop 2020; host, presenter and co-ordinator, MOD Human Factors Integration Symposium 2019 – "Exploiting Humans: Human Behaviour, Vulnerability and Underpinning Culture through Cyber Vulnerability Investigations"; Defence Academy, Cyber Foundation Pathway Module 0, lecturer for 'Human Sciences in Cyber'; Forensic Cognition Research Group (FCRG), member and contributor; British Psychological Society 'DefSec21' – "What do you mean, 'Awareness'? Redefining current attitudes towards cyber-security through discourse-shaping content."; Open University Software Engineering and Design (SEAD) Research Group – "Weaponized Cyber Manipulation".

    Research interests: malicious actor cognition, narrative-orientated learning and engagement, gamification, discourse engagement, threat avatar construction, intangibility cognition, constructed emotion, heuristics, and converged security.
  • Stephen Dewsnip - Behavioural Scientist, Atkins
    Stephen Dewsnip is a Behavioural Scientist and Organisational Change Consultant from Atkins Global. Working in the highly collaborative MOD Cyber Awareness Behaviours & Culture (CyAB&C) team and reporting to Si Pavitt, Stephen is responsible for the design and delivery of behavioural interventions to promote cyber-secure behaviours. With a strong focus on finding pragmatic approaches to the application of behavioural science and psychology, Stephen has recently spent time deploying interventions to a high-profile target audience within MOD.

    Key experience includes organisational culture development and change, development of interventions shaping behaviours, and delivery of organisational transformations and supporting behavioural change.

    Previous presentations/literature include research into mobile phone dependency across different age groups; research into perceptions of manufacturing within UK school-age children; presentations to pan-Defence Cyber Working Groups; Leeds University Business School Advisory Group – "Don't automate human interactions!"; and numerous CEO / Director level presentations on the importance of behaviours and culture in leading organisations in both the public and private sector.

    Stephen's research interests include organisational culture and behaviour (assessment and development), human-machine interaction and socio-technical systems, and persuasion and influence.