The Weakest Link

Arun Vishwanath, a leading expert in human cyber risk, has held faculty positions at the University at Buffalo, Indiana University, and the Berkman Klein Center for Internet & Society at Harvard University. He has published close to 50 peer-reviewed papers on human cyber vulnerabilities and also written for CNN, The Washington Post, and other major media outlets.

Special co-host Dr. Matthew Canham joins me as well. Matt is an expert in Cognitive Psychology, Social Engineering and the Human Factor of cybersecurity. He spent time at the FBI where he handled insider threat cases, managed their Emerging Technology Program and consulted with their Behavioral Analysis Unit. We discuss his perspective on end user training tools, ineffectiveness of security awareness programs, injecting “human-factor” security into industry frameworks, developing security conscious habits, bridging the gap from Academia to industry, and his book, “THE WEAKEST LINK: HOW TO DIAGNOSE, DETECT, AND DEFEND USERS FROM PHISHING”.

SYMLINKS
LinkedIn
The Weakest Link Book
https://www.arunvishwanath.us/
Arun’s “Degrees” Quiz
2022 Verizon DBIR
419 Fraud
OPM Hack
NIST – Human Factors Task Group
Resurgence Brewing | Buffalo NY
Anchor Bar | Buffalo NY
The History of Buffalo Wings

DRINK INSTRUCTION
PHISHBOWL
2 oz Vodka
2 oz Coconut Rum
1 1/2 oz Peach Schnapps
2 oz Blue Raspberry Vodka
Sprite
Nerds candy
Swedish Fish
In a shaker filled with ice, pour in all liquor. Shake it well to mix. Throw some Nerds candy and Swedish Fish into the base of a round glass and fill it with ice. Pour the mix in and top it off with 2 oz of Sprite.

EPISODE SPONSOR
Center For Internet Security (CIS)

CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com

Chris: Arun Vishwanath, a leading expert in human cyber risk, has held faculty positions at the University at Buffalo, Indiana University, and the Berkman Klein Center for Internet & Society at Harvard University. He’s published close to 50 peer-reviewed papers on human cyber vulnerabilities and has also written for CNN, The Washington Post, and other major media outlets.

Chris: Welcome to BarCode, Arun.

Arun: Hey, it’s great to be here, Chris.

Chris: And I’m also here with my special co-host, Dr. Matthew Canham. And for those that don’t yet know Matt, Matt has appeared on BarCode previously and is an expert in cognitive psychology, social engineering, and the human factor of cybersecurity. He spent time at the FBI where he handled insider threat cases, managed their Emerging Technology Program, and also consulted with their Behavioral Analysis Unit. Matt, so glad to have you back on and able to join us.

Matt: Oh, thank you for having me.

Chris: Absolutely, man. So I first wanna hit on a major issue that all organizations continue to face, which is phishing. In fact, in the most recent 2022 Verizon Data Breach Investigations Report, they stress the importance of having a strong security awareness program in place, which, as we all know, is a critical element of securing any organization.

Chris: 82% of all breaches recorded last year in 2021 involved a social engineering attack of some type with cyber criminals, leveraging email phishing as the attack vector in over 60% of those attacks. I’m curious to know your biggest critique of security awareness training as we know it and why it’s not effective, you know, with the understanding of the problem that we have and the tool sets available in the product space today.

Chris: Shouldn’t that metric reflect a more positive impact?

Arun: Right. Hey, and before I begin, I gotta give a shout out to Matt for being on this show. So good to see you too, Matt. You know, let me just begin by saying, you know, I think security awareness is not a bad thing. It’s been there now for, first, you know, what do we even mean by security awareness?

Arun: It’s, it’s unclear as to what we are really talking about. And, and I just don’t mean us. It just means what is security awareness, right. I can tell you one thing by now, everybody in the world is aware if you use just awareness as the standard of. I mean, I, I can talk about five years ago, I was in some part of Indonesia, I was giving a presentation and I talked about a Nigerian phishing attack and someone raised their hand.

Arun: In fact, I think a lot of people by show of hands said, Hey, we know what this is. Is there someone who’s not aware at this point or hasn’t received one? I would find that hard to believe, right? And then let’s look at the data here, right? Most of these attacks that are happening now, successfully reported by the DBIR, are in organizations which have a security awareness program in place.

Arun: They have been hit on their head repeatedly by now with security awareness training, as it is the gold standard of training. And what do we see? We still see the same attacks having the same success, if not even more success than they ever did. So we gotta say, well, you know, the data points to something that isn’t working, which is what I’ve been talking about now, you know, for the last four to five years, which is, you know, there’s something that’s dramatically wrong here.

Arun: It’s not working. And there’s a lot of things here that point to the fact that the paradigm that we have as it is right now does not work. It can be improved. It needs to be improved. And it’s time we did it because we can’t wait for the next Verizon DBIR to tell us, Hey, you know what?

Arun: The attacks have gone up even more. And that’s all we’ve been seeing for the last five, six years now.

Matt: So if I can ask a follow up to that, do you think, Arun, that this is a result of just a numbers game, you send out 10 million emails and you’re gonna get a few people that are gonna respond, or do you think that this is more a factor of just how human cognition works and that these people are pushing the right buttons?

Arun: Right. And, and I think it’s, it’s a, it’s a mix of both, right. One is why does phishing, why did it even begin? Right. And let’s be, let’s be very honest. I mean, I wanna go back to, you know, Chris’s point too, which is when did this all begin, right? You would think this began. I mean, I, if you look at some of the data right now, people say it began the last five years.

Arun: No, it didn’t. You know, the first major spear phishing attack began in 1998 on AOL. That’s where it got its name, spear phishing. And guess what they did back then in 1998 at AOL, when it was kind of the market leading ISP? Well, they sent everybody an email warning them about it. They said, let’s create awareness.

Arun: What does that tell you? Right? Where in 2022, which is, you know, a gazillion years in internet time, right, or the speed at which computing moves, we are still sending emails after the Ukraine invasion, warning everybody, Hey, there’s a phishing attack that the Russians might be sending, be careful.

Arun: What we haven’t done, ever, through this entire time period, in these 22, 25 years, is even tried to figure out why it works. Right? So one reason it works, Matt, is of course, you know, it’s a low level attack, right? Let’s not forget, you know, remember 2014 when the North Koreans entered Sony Pictures, right?

Arun: All of North Korea has as many email or internet connections as probably the people in your household do. Yet here’s a country that’s got basically little or no internet attacking Sony Entertainment, right? One of the most tech savvy companies in the world. And they crippled that company.

Arun: They bring it to its knees. Yeah. In 2014. And how do they do it? Because of course it’s a low tech attack. It doesn’t require a lot of technology, but you need to understand why it works. You need one victim. And in order to get to that one victim, you just need to understand human psychology, human behavior and take advantage of it.

Arun: And now from the defender’s point of view, where you and I. We need to have started back in the nineties itself to try to figure out, you know, why do people fall for this? And we haven’t done that, right. At least not in the security world, we’ve done this in other parts of social science. But we haven’t done it in the security world.

Arun: And that’s what I’ve been advocating now, you know, for almost a decade now.

Chris: Do you feel like the reason for that is that we’re too tech heavy and too reliant upon tooling to fix this problem?

Arun: Right? I mean, so one of the problems is you know, I am in a lot of security circles where in fact, last week, I, I was in some security conversation with a bunch of people and, and people talked about the fact that you know, technology has improved so much, however, our understanding of people has not.

Arun: Yeah. And that is the most ridiculous thing I’ve ever heard, because the problem here is that the science of humans goes back a hundred years. The science of understanding computing technology is only 10 or 15 years old. In fact, we understand people a lot better than we understand technology. The problem is these are two completely different worlds and they’ve stayed separate. Security folks are focused on security and they begin from a tool out, right?

Arun: It begins with the technology and then goes out to the people. The human factors, as we like to call it, or the social cognitive scientists, we look at people and begin and end with people. Technology is a tool in between. It’s a mediating tool. It’s not the outcome of the process. The best example of this is, you know, you look at some of these social engineering, you know, attack diagrams where they tell you, okay, here’s how the attack began.

Arun: And here’s how the attack spread. And you will find, you know, out of 10 slides, one of them dedicated to how the attack came in, and the remaining nine will talk about the malware, the malware signature, the C2 servers, and how they figured out where the C2 servers were, and on and on and on into the complexity of the attack. The most important thing they’ll miss, or they’ll barely spend time talking about, is that it started off with someone clicking on a malicious link.

Arun: In fact, you know, in my recent book, and I’m gonna plug my book at this point, called The Weakest Link, that I just published, I talk about this. I give you an example of, you know, major crimes that happened, right? You know, you talk about these major art heists that happen where, you know, you look at the sophistication of how they attack and how they take down the systems and how they get in and do all these things to take away all the art and sell it on the black market.

Arun: But the one thing we missed out is how do the guys, the bad guys, enter? Well, they basically dressed up as cops and knocked on the door and someone opened the door. And that analogy, right, that metaphor, works for security as well. Be it the OPM hack, you know, which was at that time the biggest hack in the history of security in the United States, all the way to Colonial last year, or to, you know, the fact that a lot of people haven’t talked about it, B’s entire source code for Microsoft was leaked in February by a hacking group, again using social engineering, in 2022.

Arun: All of them use social engineering to get in. And the point is, again, you look at a company like Microsoft, oh, you would think everyone there is trained, they’re experts at this, they’re the technical minds we rely on for security. So that’s one of the issues we don’t talk about as much, which is, you know, the security folks work on the tool end of the business.

Arun: And they start working on tools, outwards, and the human ends work on humans with the tool in between as just like a little thing that’s an in between.

Matt: So Arun, I’m curious to follow up on that. In your book, you talk about how there was a phishing attack against an organization. And after the attack, everyone was asked to change their password, and the IT department essentially sent out an email that looked almost identical to the phishing email, asking everyone to log in and change their passwords.

Matt: And I’ve received emails from security conferences for honorariums asking for my bank details, which also looked very much like phishing emails. And I’m curious, it’s sort of a two-part question. Number one is, should we be having some sort of security awareness training for security personnel to train them how not to look like phishing emails? And number two, what sort of effect do you think that this is having on users when it’s sometimes almost impossible to distinguish between the phishing emails and legitimate security emails?

Arun: Right. Well, you know, let’s go back to where this began, right? And, and, and straight, sadly enough, this idea of sending an email to warn users.

Arun: I just alluded to it. It began in the late nineties with AOL. That’s what AOL administrators did. They sent everybody an email saying, don’t click on the email that’s coming from the, because those are the bad guys. And we do that now. And we still do that after spending millions and countless hours on security awareness training.

Arun: And you’re right, Matt. Here’s one of the biggest problems we have, which again, you know, I talk about in the book, is you have the folks in IT security in general who act like they’re more prescient, as if, you know, they know what the user needs, yet they themselves get hacked and they use very poor, you know, for lack of a better word, security hygiene when it comes to communicating with end users about what not to do.

Arun: And this began, you know, even early on. You know, federal institutions like NIST are also to be blamed for some of this, right? Remember the, you know, change your password with long passwords every three months? I mean, that was a standard thing that we all followed. And this is one of the problems with security that people talk about.

Arun: And this is a computing problem. What we start off, the world follows. So now all over the world, every three months you had password expiries and password reset emails coming. And before you knew it, the bad guys were starting to create them. And those were the easiest emails to create because they went to the heart of what the bad guys wanted, which is identity.

Arun: So when, and I have read the original articles on the basis of which NIST came up with that idea, that best practice, and that had nothing to do with studying humans. It had to do with the complexity of, you know, how hard it was to brute force passwords. And so you use a technology to come up with a solution for a technology without considering people. It’s indicative of what, you know, to Chris’s previous question, you know, the problem in security is: people are an afterthought.

Arun: And if you don’t consider people in the mix, then you have this problem where, you know, you have IT folks who are not trained in any element of understanding humans dealing with humans the way they would deal with any other, you know, patch, which is, Hey, let’s just send an email and tell everybody about it.

Arun: And then, you know, here’s an email that’s coming in. That looks just as bad as the one that came out. In fact, I’ve had examples. I believe after one of the credit monitoring bureaus were hacked where the bad guys’ email looked better and more formal than the email that was coming out from, you know, the credit monitoring agency.

Arun: In fact, if I was, you know, a victim, I would’ve clicked on their email because that was how good it was. So it’s, it’s a mess, it’s a mess. And, and, and we have to change this paradigm. And, and the way we change this paradigm is we go back to understanding people. We go back to studying the problem from the victim point of view and come up with best practices around that.

Chris: So you mentioned NIST and being that NIST is an industry framework that is commonly used by organizations today. Is there a method to inject the human factor element into the, the current NIST framework? Which in my mind would elevate the importance of it. I mean, is that even possible?

Arun: I think it is. I think it is.

Arun: And I think it is necessary. Right. I know some of the folks at NIST who do work on the human factors end of security. They don’t have as much of a voice because again, you know, security is seen as a technical problem, right? So the technical folks have the lion’s share of voice. Now, if you look at some of the cybersecurity frameworks, and I’ve talked about this in my book as well, you know, the cybersecurity framework.

Arun: Why, why, why intention hasn’t thought through the human element at all, right? All they want you to do with the human element is do security awareness training. I mean, you can keep saying security awareness training in three different ways, but it’s still security awareness training. You know, you can say, you know, level one awareness training, level two and level three, and there is no distinction in what they mean, which goes back to what I began with.

Arun: What do you mean by security awareness training? What is it? Yeah, right there, there is no clarity on it, you know? And, and we can talk about that. Right. Which is pretty pivotal here because at the end of the day, when it comes to human factors, the only answer we have is training. There is a better answer out there.

Arun: I have not heard it.

Chris: Yeah. And, and often that training is reflective of compliance.

Arun: Well, it comes down to compliance when you mandate it, which is what has happened. Right. So it’s become a mandatory thing, awareness training, at least with the federal government, many state government institutions, and even vendors who work with them.

Arun: The training is mandated, so they all do it. And so every person, every IT person, does it and every user endures it. And you just kind of check that box and you say, Hey, I did it. So if anything does happen, you can’t turn around and say, Hey, you didn’t do that. So

Matt: I think you bring up a really excellent point when you talk about what is security awareness training.

Matt: And I’m almost wondering if this awareness term is sort of interfering with a potential solution. And what I mean by that is, I think Perry Carpenter talks about this: just because I know, or just because I’m aware, doesn’t mean that I care. That’s what he says. And to tweak that a little bit, your background is also cognitive psychology, correct?

Arun: Partly

Matt: Yes, partly. Okay. And as is mine. And so when I think of something like Pavlov’s dogs, right at the very beginning of behaviorism, where you’re creating this sort of pair between, you know, a stimulus and a response, you’re almost inducing a habit in that dog when you’re ringing the bell and introducing that food smell, right, to cause them to salivate.

Matt: And I’m almost wondering if, if there’s a way that training could take a similar sort of behavioral level approach to training user habits, because I know you and I have talked previously about how habits play such a serious role in vulnerability. I mean, we click on hyperlinks every single day without consequence, right?

Matt: Which reinforces the fact that they’re not unsafe, but there’s that one in a hundred or one in a million times that it’s not safe, and everything that the user’s being trained is contradictory to that. I’m curious what your thoughts are on that, about maybe if there’s a way that we can train at a behavioral.

Arun: Absolutely. You know, I contend, and I’ve got work on this that I’ve done at various levels that is published in various peer-reviewed journals, the best way to break a bad habit is to replace it with a good habit. Right. And that is true for a lot of things. Right. But what would that good habit be is something we need to get to the bottom of.

Arun: Right. And, and I think there is a lot of merit in trying to replace, let’s say, and, and one of the mistakes we make before we, we, we got on the, the answers there is that we tend to try to replace habits with thought, right. So what we try to do is we say, Hey, you know what? You have a bad habit. How about you think about this?

Arun: Well, the problem with the habit is that it overwhelms. So when you’re habitually clicking on something, let’s say, I’ll give you an example. You have a notification and you have this habit of, you know, Hey, I don’t wanna have a hundred notifications. I like to make sure that I have no unread notifications.

Arun: And you replace that with, you gotta think about this. Be mindful. It’s not gonna work because habits are easier to trigger, right. That’s why they are there. They make it easier for the mind to kind of get done with the task. Thinking is harder, right? It’s an energy, it’s an energy intensive process. So the best way to replace that habit is to replace it with a good habit.

Arun: And what could that be? It could be as simple as taking away all notifications, so the system does not provide numerical notification counts. See, that’s a system level way of trying to deal with the problem. Or at the individual level, you can, you know, separate their inboxes so they have less incoming notifications.

Arun: Right now, now notice that each of these are at different levels of intervention, right? So we are either intervening at the individual micro level for the user or at the system level for everybody. Right. But what is the right answer? It depends on the person or, you know, the user, and this is why you need those user level analyses.

Arun: Right. And, and habits while they’re important. Right. Are one element in it. Let’s not forget that. There’s a lot of things that we think about that we don’t do. And a lot of things that we do that we don’t think about. So what about the things that we actually think about and didn’t do, is there any merit to those thoughts that actually would’ve revealed deception in those individuals?

Arun: And we need to get to the bottom of that. So we need to get the entirety of this, right. So yes, you know, awareness, you know, Perry’s point, yes. You know, awareness, and I talked about this, awareness is a very low bar. Right. But there’s more to this. Right. There is the thoughts, the thoughts and the actions, and the actions that are mindless, which is the habits.

Arun: So the reasoned actions, the reasoned thoughts, the thoughts leading to actions, the actions that are happening without thought, we need to get to the entirety of it. And that gives us the full picture. And what I do in my book is provide the model for actually measuring all of these. And if you wanna get down into that path of discussing security awareness, I mean, there’s a lot more than just the term, right?

Arun: And, and I talk about this you know, I talk about five things that are pretty problematic right now, right? And the first of them is that what is the standard for a security awareness test? Like what is a phishing test? There’s no standard for it, right? Here’s a huge problem. You don’t have a standard for a phishing test.

Arun: We don’t know whether, if I’m an IT person and I want everybody in my organization to pass the test, I make a test that’s very obvious. A Nigerian phishing email, right now, from Nigeria, they’re looking like those standard ones. Pretty much everybody figures it out. So we have no standard right now to separate the hard ones from the easy ones from the not so easy ones.

Arun: You know, this is a visual standard. We don’t have a standard right now. The second one is no one can tell why someone fails. Right? We don’t know why these people who either didn’t click or clicked did what they did. We don’t know the why. We surmise based on clicking, but like I said, clicking is a behavior and it is just one aspect of a reasoned action.

Arun: Right? What about the people who almost thought about it, but, you know, forgot to do it or had something else come in their way? And the people who, you know, inadvertently never click on anything, they just, you know, ignore them. All right. The third is, you know, there’s a ceiling effect, right? Everybody who’s ever done security awareness will tell you, Hey, you know what?

Arun: There is that percentage of people that always fall in. Sometimes it’s a different percent. And no one can explain why this is like one of those hidden, hidden truths of security awareness. Right? This is, so this is beyond just the terminology. The fourth is what’s the standard for awareness. That’s the terminological problem, right?

Arun: When is awareness enough? Can anybody tell me that? So, you know, let’s take it to that next step. Just because I am aware, you know, to Perry’s phrase, I’m paraphrasing what you just said, you know, just because I’m aware doesn’t mean I care. But let’s say you do care. How much should I care? Like, what does care mean?

Arun: Does it mean that, you know, I’m an expert on C++ and JavaScript? I mean, do I need to know how a C2 server works? Do I need to know, you know, how to read the, you know, keyboard signatures to understand where, what is the standard? And no one knows, right? It’s a standard that somebody in IT sits back and says, well, these are the things you should minimally know. But how, where do we come up with that standard?

Arun: So, what are we training people to do? It’s like I’m training you to be a physician without really knowing the patient, without knowing what the standard of care is, without knowing what, you know, an ideal blood pressure level or temperature level is. I don’t even tell you what you should be measuring with the cuff.

Arun: I just give you a bunch of equipment and say, go do it. And I’ll tell you, 10% of the people are gonna fail with this equipment completely, but you’re still gonna have to use it. I’m gonna mandate it. Right. And the last point is, creating security awareness, because of all of this, is not a solution.

Arun: It’s a product, right? It’s something no one wants to talk about. It’s a product, right? Nothing wrong with capitalism. I love capitalism. We all are capitalists. Right? But there are certain things that, you know, the market should not be doing. You know, one of that is, you know, things like psychics are also part of the, that marketplace of capitalism.

Arun: And people spend millions of dollars on. Astrology, you know, and bad science, you know, these are the three things I don’t think that market does well. Right. This is where people like you and I, you know, all of us come in where we have to say, wait a minute, Hey, we gotta think this through and say, is this bad science?

Arun: It’s not bad science. It’s very poor science. Yeah.

Matt: Well, and to your point about the blood pressure cuff, and it comes to your last point as well is even if you don’t know what to do with that cuff, you’ll still come up with a number.

Arun: Absolutely. Have you seen those ghost hunter shows? I mean, there’s a gazillion of them walking around with all kinds of equipment.

Arun: They have no clue what it is, but it goes off and they quickly jump to quick conclusions. It’s like, wow. You know, how is it that this equipment works, because no one has any clue how these things are supposed to work. There’s no question on tolerances. There’s no, this that’s sort of science. Right.

Arun: And we know it, all of us know it, but when it comes to, you know, things like security awareness, most people don’t even know, because it’s kind of like, you know, it’s technical and, you know, you keep moving the goal post and no one really tells you the insights of what’s going on. And the vendors kind of dictate the ceiling effects.

Arun: You know, I’ve had these meetings with organizations where I’ll come in and, you know, they’ll have some vendor come and tell them, oh, you know, you’re supposed to get in your first baseline test about a 10% victim rate. Where did that number come from? No, that came from us. Well, you know, that’s your blood pressure monitor basically, you know, the guy saying, trust me on the numbers.

Arun: Yeah.

Matt: Those are very interesting points. And these are points I don’t hear people bringing up enough in the security community, but I think you’re spot on. Agreed.

Chris: Yeah. And you mentioned changing habits, and I think that end users change habits, or they develop habits, in different ways. What is your take on an organization forcing habits via disciplinary action?

Chris: And does that work? Because I’ve seen it before where, you know, an organization will use scare tactics or threaten these harsh repercussions for an end user failing a phishing test consecutively over and over again. And I’ve even seen it go as far as termination. Have you seen this actually work in a situation, or do you feel like that’s overkill, that these organizations are just approaching this entirely in the wrong way?

Arun: Absolutely. You know, I have an anecdotal story about this, and I write about this in my book. There’s a company, you know, that I will not name, an agency in the federal government, that was doing exactly this, right. And their numbers were down to less than 1%.

Arun: Right. They had these, you know, threats and stuff that they would do where they would, you know, scare their employees big time. Right. And, and just imagine being somebody working in this company, falling for a test that has no standard. Right. I mean, so there could be a very difficult phishing attack. It could be a very lame one who knows.

Arun: Right. And you don’t know when they’re coming. Right. So it could be, and this particular organization had already done this for two years. So they had done many tests over a period of two years, they were using a security awareness package and all that stuff. And, you know, the CISO, you know, saw one of my talks and called me in.

Arun: And he said, Hey, you know, I got a little bit of a problem. I have this ceiling effect where we have a few percent of people who are constantly falling. And, you know, since you talk a big talk, why don’t you come and tell me why this 3% is falling. And I love the fact that, you know, he’s a super open-minded guy.

Arun: Very cool. You know, really, you know, I met so many cool people as I’ve been doing this, the research for my book and all the security work that I’ve done, you know, people who really wanna know. Everybody, you know, who is in security, they really want to get to the bottom of it. They know that there’s something inherently problematic in the models that they’re working with.

Arun: And so my usual thing is that, listen, you know, I’m willing to come and check and see do sort of an audit. However, I gotta do the, the phishing attack. I’m gonna design it. You can design it. And so I designed a phishing attack using some parameters that I talk about in my book. I, I, can I give you the model of how you wanna think about a good phishing attack, whatever that word good is.

Arun: It’s qualified in that book. And I sent that attack and, you won’t believe it, within 24 hours, I mean, the phishing attack success, the success rate, the victimization rate, as in click-throughs, was five times what they had experienced. Now, what was going on here? Right? So we did a follow up survey and we talked to a lot of people, you know, we guaranteed anonymity, and we talked to people and, first is, you know, most of these guys had figured out what those attacks that were internal looked like.

Arun: They figured it out. That’s why they were beating their own tests. And the second thing that they were doing was they were telling each other about. and the third thing people were doing was they were not opening their emails. many days of the week when they were like, okay, you know what? Let’s just wait for two days.

Arun: If it’s a phishing attack, it’s not gonna come back. Yeah. See, to figure it out. We, we, you know, you start punishing people for low level behavior that has no, you know, they can basically, if you’re working in certain organization, you can say, you know what, I’m not gonna check my email. I’m gonna use a private email for the more important work that I have.

Arun: And you see this in a lot of organizations, much of this is never accounted for in any awareness exercise. So, you know, so these ideas of, Hey, you know, somebody talked about court, martialing people, it’s like, wow, that’s ridiculous. You know, let’s add more insult to the fact that we don’t understand our patient and let’s scream at them even more.

Arun: It just blame them for the problem because we have never figured them out. And that’s the problem, right? If, if, if, if the, if the pill doesn’t work, you keep giving them more. And then if they don’t, if they take all of it and still continue to be sick, then we tell them, it’s your fault. Now you’re fired.

Arun: Doesn’t work. I think we need to get to basics. Let’s understand our patient and let’s build solutions that actually work, and they don’t have to be dramatic. They don’t have to be more training. They don’t have to be more and more of these phishing exercises. We do need them. I’m not saying let’s throw the baby out with the bath water here, but we can do this to the people who actually need it.

Arun: We can do it using attacks that actually are relevant and that we can actually measure the difficulty level of. And then we can do it in a manner in which we can get to the problem. If it’s a habitual problem, let’s treat the habit. If it’s a cognitive issue, let’s go to the cognition. And let’s do it and, and solve it cause we need to right.

Arun: We can’t still be sending out emails 25 years after AOL.

Chris: Yeah, I completely agree. Do you feel like we need to involve more psychologists and professionals in that field into security? You know, it’s unheard of to walk into an organization and see an end user psychologist, and I’m using that in air quotes, but you know, it’s not something embedded within existing training.

Chris: It’s not embedded in typical agendas within an organization. So do you feel like that could possibly be a step in the right direction?

Arun: It is a step in the right direction, right? Part of the problem is that what we are dealing with let’s be so, so here’s the issue, right? So when you ask a, any IT person, you know, what’s a computer, you know, it’s, it’s a material it’s software, it’s hardware, but really what is a computing system today?

Arun: Right? Mm-hmm what a computing system is, is a cognitive. Right. It is a cognitive system, right? We have all accepted. And, and the strange thing about this cognitive system, the reason we talk about it, and the reason it’s important is because unlike other, so language is a cognitive system, right? It’s a way we make sense of the world and we talk to each other, right.

Arun: But language takes a long time to evolve and a long time to spread. Right. It doesn’t happen very quickly. You know, even, you know, even today we still teach certain languages like English, for instance, it’s not a global language. We go to different parts of the world and teach English, right. Because we want the cognitive system to be universal to some extent.

Arun: So it becomes easier to relate it, easier to communicate and so on and so forth. But if you look at computing back in the seventies and eighties in the nineties, I remember there were textbooks that I was learning of, where there was one chapter dedicated to MIS where they were still trying to tell us to use computing, the big benefits of computing today, it’s everywhere.

Arun: And as a cognitive system, everywhere, whether you’re in Russia right now, or, you know, in Bwana, I mean the computing system that has a mail program that has got the button send, sends email, there’s a universality to this. So not only is it a cognitive system, it’s a dominant cognitive system. It’s now ING essentially how we look at the world so much so that if you look at certain mail apps on your phone or your iPads and so on your, on your tablets and so on and so forth, they don’t even have, you remember the old days in the computer programs you’d have a file button and the icon would tell you exactly what each GUI meant.

Arun: Yeah. There are programs. If you go on, on your, on your, on your tablets and, you know, phones, most of them are like minor icons. Some of them don’t even have icons. They just know, you know, where to touch it’s so mindlessly done that the cognitive system is so entrenched in the way we think and the way we act online and these virtual surfaces.

Arun: It behooves us to say, okay, this is a cognitive system at work. How come we don’t even understand how it works in the individual, within the mind of that person, because if you wanna solve these attacks, these attacks are not happening at the material level they’re happening at that virtual cognitive level. So this is why the solution is to incorporate that understanding.

Arun: We gotta study those people, add that cognitive level. And, and, and it doesn’t, of course, it’s not just limited to, you know, computing or security, this permeates everything we do. Right. You know, it would electric cars today be the way they are, if not for computers, not just for the, for the device itself, not for, not just for the computing power of, you know, self-driving cars or whatever we have promised, but also how we have designed them.

Arun: You know, Tesla, for instance, you know, openly talks about how impressed they were and how much they are designed like Apple, right? How Steve Jobs’s, you know, design philosophies influenced them. Remember the early EVs that were in the nineties had removable batteries. Now the new ones don’t, and I wonder if Apple didn’t come in between with iPhones, which had non-removable batteries, non-user serviceable batteries, would Teslas have them, you don’t know, see, because this is what cognitive systems do, right?

Arun: I mean, they, they change, they infect the way you think. And they, that becomes the framework. The GUI framework is the framework with which we see the world. So, so understanding this in that, you know, at the psychological social and psychological behavioral level for the, for the individual is, is imperative.

Arun: If you wanna ever understand what’s going on all over the world, and this is why you can have an attack that you can use anywhere in the world now, right? That’s why you see social engineering everywhere. You see an Amazon attack, you create an exploit that can, you know, let’s say recreate an Amazon webpage.

Arun: You can use this anywhere in the world. Why? Because there’s a system it’s used everywhere. That’s

Matt: Those are very interesting points and you talk about studying these user groups and studying these interfaces. And in your book, you talk about academia’s incentive to maximize originality. But this can come at a cost, right?

Matt: And that cost is sometimes relevance to the real world problems. And on the other side of the spectrum, you have industry that’s developing a product, but not necessarily a solution. And I’m curious what your perspective is on how we might be able to navigate between these two

Arun: poles. Right. And it’s a great point.

Arun: It’s something I, I, I, I kind of thought a lot, deeply, about as I, you know, eventually ended up leaving academia. And, and one of the reasons for that was because, you know, I, I gotta go back to the 1950s, you know, in the 1950s, forties, thirties, forties, and fifties, much of the social science research and research in general that was coming out used to be funded by, by the armed forces, by the Navy, by the military.

Arun: You know, there’s a great study that that I began my career working with a bunch of sociologists who trained me and then I moved to psychology and then I moved to the cognitive side of, of, of users. Right. So I’ve kind of made this transition, but there’s a great sociological study that was done in the 1950s, which you could probably never do today where you know, the US Air Force used a plane.

Arun: This happened in Washington state and they used a plane to drop leaflets on towns. Okay. And the idea was to study, you know, and, and this was back when, you know, the Korean War had happened and the US Air Force had dropped about a billion such leaflets, propaganda leaflets, in Korea. In the Second World War, the allies had dropped 5 billion such papers, but nobody knew the effectiveness of these things.

Arun: So the US Air Force funded the study to do it in Washington state. So they took a bunch of towns and they flew over it with these planes and dropped leaflets over a two to three day period. So a real cool study from an academic point of view, where my academic head, I get excited about these kinds of studies, right?

Arun: Imagine the resources that went into this, imagine what it takes to actually fly a plane over a town, litter it with paper and you know, and then do surveys to say, Hey, who found this paper? What do they do with it? And they did these follow ups. And, and in a sense, some of those researchers, that contributed to our understanding of you know, champions, for instance, you know, something we do in the security world, we talk about, you know, security champions.

Arun: Well, a lot of that language of what is called opinion leadership comes from some of this original work from the 1950s and forties funded by the, by the armed forces. Now, and today, and the reason I’m talking about academia is back then to do good academic work. You needed a lot of funding in the United States, government funded this, usually the armed forces, the war efforts funded this, be it the nuclear bomb.

Arun: Be it even the social science studies, you know, today, a lot of that work happens in industry, right? If you wanna work on big data and you’re not working for, let’s say Google or AWS, or what have you, what big data do you really have? That’s worth looking at. A lot of that big quality work has moved to organizations that are either directly related or fully affiliated with the big, you know, Silicon Valley corporations, or they’re like the Ivy League, the top tier, you know, the Stanfords of the world who have actual direct access to that same data.

Arun: So if you’re anywhere else in academia, the data quality that you have access to, if you’re not, let’s say in security, let’s say you’re doing security awareness. What’s the data that you have. Right. And so part of what has happened with academia is a lot of that, the thinking, the, the good data to do the good work, to do this large scale work, has moved into industry, has moved into Silicon Valley, has moved into the tech sector.

Arun: And so a lot of the people, I know many of my students, they all moved into the tech sector to get jobs because that’s where all the innovation is happening. And a lot of that innovation is very, you know, means oriented and ends oriented. Of course, you know, Google’s got, you saw what happened with their AI team.

Arun: They fired half the AI team when the data didn’t play out to be the way they wanted to. And that’s the way it works in industry, right. They have a reason that they’re hiring you in the meantime. What do you do in academia when you don’t have access to this kind of data, if you don’t have that access to security awareness or, you know, the big data that you need to do this high quality work? Well, you start doing marginal work that basically gets you publications.

Arun: So of course there’s a reason that a lot of this work is incremental or really just based on, you know, just trying to recreate something and replicate something and, and call it something new. Because one, they don’t have the access that they used to have. Even with funding. Facebook is not gonna give you access to their data.

Arun: Period. Nor is Google, nor is AWS, nor is Apple. So you know, NSF funding, which used to be, you know, the requirement to get access to big data, doesn’t exist anymore. Right? You have funding, but it’s not gonna give you access. Right. So a lot of that move away is the reason academia has kind of lagged and is a lag right now, or, you know, they lag behind when it comes to tech innovation.

Arun: On the other hand, you have industry that’s doing what it’s doing because Hey, you know, they wanna move ahead. It’s the market at play. And how do you bridge these two? And I think that’s where the challenge is, right. It, it’s very hard to bridge these two because you know, you have a different set of motivators for both of.

Matt: Yeah, no, I think that’s a, an excellent answer. And it’s something that I’ve struggled with also, having been in academia recently and then just transitioned to industry, I’m finding very much the same thing.

Arun: Right. But you’ll notice that a lot of the good data right now, if you really let’s, you know, go back to security awareness for instance, or, or even just cyber security in general.

Arun: A lot of that really good data is with the corporations. If you wanna study VPNs right now and, and the quality of uses and all of that, you are better off working with one of the VPN providers. Now, if you’re in academia, no one’s gonna give you access to this. I mean, I tried this as an academic, a decade ago, to get access to security awareness programs directly, to work with them directly.

Arun: And I was shut off before, you know, I, I said, And I have email trails of conversations where they first said yes. And then they realized I was an academic and shut the door as quickly because no one wants to be scrutinized at the end of the day. Right. I mean, this is, these are for profit companies and rightfully so, you know, I don’t blame them for what they did.

Arun: But the point is well, that’s where the quality problem comes. So what is academia churning out today then? Right. So if you’re a social cognitive scientist sitting in academia, who’s not in one of these Ivy league schools who doesn’t have access, not, you know, to that kind of data. All you’re doing is, you know, you’re replicating someone else’s work or you’re creating work.

Arun: That’s essentially meaningless because you have no relevance or perspective because you really don’t have that real world data to make it.

Matt: I guess on the other side, you do have industry, which is interested in creating products and not necessarily solutions. Right? And so I, yeah, it definitely seems like a rock and a hard place sort of conundrum because the academia lacks access to relevant data, but industry lacks motivation to solve the problem.

Matt: Sometimes it seems like,

Arun: right. And, and, and, and, and to your point Matt, you know, in the security world it’s even worse, right? Because part of the problem that happens in security. So, so in general, you know, the Silicon Valley guys, the IT guys are not gonna give you access to data because they’re gonna say, well, this is IP protected, but in the security world, there’s one more layer, right?

Arun: There’s one more excuse. It’s like, oh, we don’t want the bad guys to get access to it. So that becomes your second reason to shut the door even tighter. So in case there are any gaps in it, you can always say, Hey, we don’t want the bad guys to get access to it. So we can’t give it to the good guys either.

Arun: right. So, so basically everything is shrouded in secrecy. And then you wonder why it is that, you know, 25 years after AOL, we’re still doing the same thing we used to do 25 years ago, because that was the most open and obvious thing. Everybody did. Everything else is shrouded in secrecy, but this,

Matt: this does seem like a solvable problem because there are areas of threat intelligence where security different companies have started sharing data to, to limited extents.

Matt: Right, right. Anonymized and, and so forth. And I wonder, I wonder why that hasn’t translated to human related security

Arun: data. Right? Yeah. And, and I, and I think, I think there needs to be more of that. I think there needs to be more of not just sharing threat intelligence. I think part of threat intelligence sharing was, was forced to some extent and to some extent, incentivized with the liability reform.

Arun: Right. But we gotta do the same thing for humans. There’s actually no incentive for doing it right now, so they’re not gonna do it. Right. You have to either incentivize it or you have to kind of force this. There’s only two things that we can do either. You kinda sweeten the pot and say, Hey, here, share your data.

Arun: Or you say, Hey, share your data or else. And, and neither of that happens at the human end. So we still don’t know what it is.

Matt: Do you think that that necessarily has to be through governmental regulation? Or do you think that the insurance industry might be able to incentivize some of this?

Arun: I think the insurance industry holds the key to this, you know, I, I don’t think we can regulate our way into this.

Arun: I think there’s enough. It’s already cost enough. Right. So for instance, if you look at breach notification laws, I mean it has created, it has brought lawyers into the mix, right? So the moment you kinda come up with a regulatory framework, what happens is you have a bunch of corporate lawyers who jump in.

Arun: So, if you look at how notification happens today, it happens exactly to the letter of the law rather than its intent. And this is gonna happen. The moment you come up with the regulation, everybody will comply with the letter of the law rather than its intent. Its intent was meant to inform us. So we were prepared.

Arun: But basically what has happened is they basically will tell you the bare minimum of what happened. And then, and what’s the solution to all of this? They’ll throw some, you know, credit monitoring and that’s about it. So by now everybody’s got their credit monitored, right? I bet you, every one of us has received some, you know, breach notification and have got, you know, I have kids who are six and 13 and they all have credit monitoring for free because all of their data has been stolen.

Arun: But that’s the extent of it. And, and, and the, the better way to do this would’ve been to invert that, and just give everybody threat monitoring, credit monitoring, to begin with for free, take away the incentive and give it as part of, you know, our, our insurance framework. Just imagine what would’ve happened.

Arun: If we did that. Let’s

Chris: Let’s shift to your book for a moment, The Weakest Link, where you certainly talk about this topic in more depth, you know, I’m curious to hear about your process for deciding to write this book. And I mean, you know, I understand the concept for it, but what was the driving force for you to put it down on paper?

Arun: Well, see, part of it was just a lot of frustration, right? It, it is this I’ve been hearing these complaints about not of, of us not understanding people or that people were the problem in so many security meetings. And I still see it, right? There’s still, you know, you go on social media on LinkedIn for instance, and there’s these conversations and security groups that I belong to, but our lack of understanding of people and I, if only, you know, people would, you know, step up and users would step up and on and on and on it went that, and, and I was working with individual companies.

Arun: I haven’t worked with many of them because I can’t scale my work that easily. And you know, I got to a point where I said, wait a minute. And there’s this, you know, every time I go to Black Hat, I have all these emails from people asking me for the methodology and measurement and on and on it goes, and, and I said, Hey, you know, rather than, you know, keep emailing everybody one at a time and convincing one person at a time.

Arun: Why don’t I just put it all in a book and, and, and put it out there. So, and this is more, if you notice the, the book, The Weakest Link is, is, is kind of written for the security community. It’s not written for an end user. It’s written for the security community to take it and say, Hey, you know, here’s a way to think about users.

Arun: Here’s the science on users simply put together. So we, we can at least understand what we know about users and we know a lot. And, and there’s, there’s, there’s a lot of strategies here on how you could incorporate this, or even think about the inadequacy of what your, you know, awareness programs are or your cyber hygiene programs are.

Arun: And what do we mean by all of that? How do we measure these things and why do we measure these things? So I wanted to put that all into one cogent, one kind of, you know, reference point rather than, you know, sending people to various papers of mine that were hidden behind paywalls that I don’t control.

Arun: Let’s put it behind one little book and, and, and say, Hey, go, you know, here’s the reference for it? That was it. So, so the idea was. Coming out of this frustration of trying to, you know, go and talk in security meetings about wanting to study humans in 10 minutes where, you know, they were like, okay, then we got, you know, 15 other security folks talking about C2 servers and, and zero trust and on and on and on the terminologies go.

Arun: I said, Hey, well, how about, you know, I come in five minutes, talk about my book and let you read it. If you’re interested, then you’ll get to it.

Chris: And you mentioned the security community. So it doesn’t sound like to me that this was written with any particular individual in mind. So anyone in the organization can, can really pick this up and take something away from it.

Arun: Absolutely. You know, I, I don’t wanna write to the end users. I wanna write it to the physician. Right? So it’s like writing to the physicians, whoever that is. So it could be, you could be the, the CMO of the hospital, you know, to use that analogy of medicine, who’s dealing with users, right. All the way to the physician at the bedside or the nurse, who’s actually dealing with the patient one on one, right?

Arun: Every one of them can take this book and understand their patient. In this case, the patient being the user. One

Matt: of the things that I noticed about your book early on, that’s very different than other I guess similar genre books that I’ve read is that you spend one or two chapters talking about the criminal.

Matt: Community and kind of how that evolved and propagated. And I’m curious in, in the, okay, so we’ve seen con artists in the early 20th century, right. We had the gentleman that sold the Brooklyn bridge repeatedly. And you talked about the evolution of 419 scams mm-hmm and I’m curious what your perspective is on how that community helps the scams themselves evolve.

Matt: I mean, are these people comparing notes and learning from that? Or how, how does that help the attackers become better at what they

Arun: do? Absolutely. Look, you know, the, the, the, the attackers. So, you know, I, I talk about four things, right? What, what creates social engineering and what kind of ferment social engineering?

Arun: Right? One of it is the, is what I call the information environment, right? The information environment in which we exist. And we alluded to some of this earlier, right? Is that companies basically, you know, are, are complying. And they’re complying with regulations. So they do what is required by the letter of the law.

Arun: That’s about it. They share data based on just what they need to not to help anyone, but to make sure that they don’t get sued or they don’t get some penalty from the federal government or the state government. Right. So there’s a lot of concealing data that happens in the information environment from organizational perspective, right?

Arun: So you can have a ransomware attack and this is happening even as we speak, right. You’ll have an, a ransomware attack in one town on one street and the same ransomware attack will hit the next town and the other street. Without one telling the other about five months later, we’ll find out it was the same malware that was just going around in circles.

Arun: So why is that? Right? One of the reasons is we’re all trying to play, you know, the data close to our heart. These guys don’t. They can learn from each other. They can teach each other and they can be open about it. So for instance, you know, there are phishing kits, you know, APWG did this report, the Anti-Phishing Working Group, of full phishing kits that are available from, you know, syndicates that are out there, black access.

Arun: I think one of these syndicates, and I talked about it in my book, which sell full phishing kits. So all you need to do, or any bad guy out there needs to do, is download the thing, pay a license fee and essentially use it like software as a service. You know, it’s basically a, a hack-as-a-service model and this is happening everywhere, right?

Arun: India is an epicenter for a lot of phone based scams and tech support scams, right? They’ve had a huge, you know, vendor market and that vendor market, when it lost a lot of the back office processing business, turned into phishers and hackers and, and phishers and smishers and all the terminologies that are out there for social engineering.

Arun: And they’re very good at it because they use VoIP and go, you know, across the world. They’re responsible for essentially every IRS scam that’s there in the United States. Every one of them. And I was working with some groups in, in in the security folks in some of our mobile service providers and the number of calls that they were fielding were in the millions coming from these locations.

Arun: And, and I’m talking about money that is, we’re talking about tens of millions of dollars that these companies were making per month, that they were now channeling back into R and D. These are run like corporates. So, you know, our view of this hacker, you know, sitting with a hoodie in some basement or some Starbucks trying to hack people is not at all what it is.

Arun: These guys are, you know, corporate entities that are training each other learning from each other improving the vectors, downloading malware, buying malware, creating malware, monetizing it, you know, it’s unrestricted. And you can spend a lot of time creating an exploit on, let’s say an iPhone as we saw with, you know, and, and, and it’s not just the bad guys, right?

Arun: Let’s be very honest. There are nation states that will pay for this there’s law enforcement that will pay for this. You know, I read about in know, law enforcement, the FBI, all these groups paying to, you know, break into phones because, oh, you know, bad guy had it. But once you go down that road, you know, you’re opening it up for other law enforcement agencies to start doing it.

Arun: And so there’s an ecosystem of support for, for this kind of stuff. Whereas when you’re a corporate, an organization, you know, the, the for profit entity in the United States, let’s say a hospital in, in where I am in New York. Hey, you know, they, they had a huge ransom attack. Who do they turn to? Right. We still don’t know what happened there.

Arun: The data’s still not being released. And so that’s a huge problem. So there’s a knowledge advantage. There’s an information advantage. There’s an incentive framework. The incentive is there. It’s in, you know, the hackers get a lot of street credit for this. And some of these hackers, and just imagine the age of the hackers who are doing this, right.

Arun: You know, I, I, I dedicated a section of my book to talk about the fact that most social engineering attacks are done by teenagers, including the one that just recently in January hacked into Microsoft and saw and stole and released Bing source code. They were like teens from the UK, you know, Apple was hacked by some kid in Australia.

Arun: And these are, you know, let’s, let’s be honest, Apple and Microsoft sure are training their guys with security awareness, the gold standard. I’m sure they’re like, they’re, they’re, you know, yelling at these guys for any mistakes they make. I’m sure the IT is on top of everything that they click on, yet they got hacked, but social engineering attacks done by kids and, and the incentive was with these kids.

Arun: Right. They could get away with it. They got a lot of street credit from that. Their group got bigger, they attracted more people. They made money. They probably got contracts from some bad, you know, agencies out there. You know, if you remember the Russians, when they hacked into the DNC, they used a kid in, in, in, in Canada, a young kid, 19 year old kid to do some of the social engineering attacks on the DNC operatives.

Arun: And this guy, this kid was making big money. He was driving an Aston Martin to learn a million dollar house like 17 and 18. So, so the incentive was there. Whereas, you know, if you’re an IT guy working in a company, you take home, you take home your salary and you get yelled at whenever there’s a there’s anything that goes wrong.

Arun: I mean, what an untenable position to be in. So, so in a way, the book tries to address IT security, you know, from that perspective, saying, Hey, you know, we have not equipped them with anything either. So if you’re an IT guy right now, or a security guy, or a CISO out there, there really isn’t anything to equip you.

Arun: I mean, everybody has, you know, lots of acronyms in their titles, lots of certifications, but it’s still not equipping you to ensure that your organization and its people are resilient. Right. And that’s unfair. I think that’s very unfair. We’re putting them in very unfair positions where you’re a CEO out there and, you know, and this happened in Europe quite a bit where, you know, companies that got hacked and the CEOs were personally held liable, personally.

Arun: And I was like, wow, that, that creates a precedent. And that’s unfair too. So, so we need to be, we need to equip them as, you know, cognitive social psychologists and what have you. We need to equip that group with the knowledge necessary. So their careers can prosper. You know? So there is, this is, this is, this is something that can benefit a lot of that community.

Arun: That is our community, the good guys out

Chris: there. Yeah, for sure. For the listeners that are, are hearing this right now, where can you direct them to find your book? Is it in stores? Is it strictly online? Can you point us to a link where well we can purchase it today?

Arun: Yep. So, so the book is called the weakest link, how to diagnose, detect, and defend users from phishing.

Arun: It’s published by MIT Press. It’s available at every online store, as well as offline. You can get physical copies of the book or you can buy it on Amazon. You can buy it on Barnes and Noble. You can buy it on Walmart, you can buy it at Target online. So the digital copies are available. You can buy it offline.

Arun: We already sold out the book in the UK. There’s another fresh group of, you know, books coming in. So, and parts of Asia again, I got email saying we sold out the book, so it’s doing really well touch wood, but I hope that it gets to all the right hands, you know? And I think the effort here is to make sure that it gets to enough for those right people who can actually implement it.

Arun: Yeah. Right. You know, the, the merit is in that transfer of knowledge. If we can achieve a modicum of that change, where we say, Hey, you know, people start rethinking their security protocols, their awareness programs, their hygiene programs, and considering these initiatives, that itself, you know, implementation is like the next stage.

Arun: But if they can start considering it, rethinking it, and saying, Hey, let’s address it as a cognitive issue, I think we would have gone very far.

Chris: Yeah. And congratulations on the success of the book thus far. I wanna ask you, you know, as end users embed this into their routine, is it possible for users to transfer this behavior from the corporate world into their personal life and, and have that, you know, psychological perspective when they’re at a bar, for instance, or, or within another situation where they need to be cognizant and aware of these social engineering attacks outside of the, the confines of business?

Arun: Well, the answer is yes. And that’s another issue that we’re dealing with, right? We think of the employee as just a user in an organization. Yeah. But the bad guys don’t think that way. It’s just the IT folks, the security folks, we look at it and say, oh, here’s a user in the organization using a device or a series of devices or a workstation, or what have you.

Arun: But the bad guys are not thinking about it that way at all. They’re unencumbered by any of these ring fences that we think we have around them. So, you know, yes, good habits can translate out, but so can bad habits. So can a hack, right? So can the fact that you have data stolen at one level be used to infiltrate you at another level.

Arun: So if I can steal something from you, let’s say your wifi password at home, or, you know, some access gateway that I have to get into a system there, I can infiltrate your work device that you bring home or that you use from home. Right. We never consider this. Right. And we never consider the scale of the operations at the back end when it comes to some of these organizations.

Arun: So if you remember, I think last year or the year before, you know, you know, I was, I was talking about this on Voice America, where, you know, we had this, this company in China that had aggregated data from various breaches of Americans and people from different parts of the world. And what they had done was they had taken data sets that they had found in all these different breaches, with passwords, emails, preferences, of not just the individual, but of his or her family.

Arun: Spouses, friends, relatives. And they were building that data set out. And the data set was basically, it was a Chinese military-sponsored program where what they had done was, and I’m sure a lot of that OPM data ended up there too, where, you know, they had built these massive databases based on answers to security questions, which I think are ridiculous.

Arun: Right. As, as a, as a security protocol, I think security questions, knowledge questions, are the worst thing you can do, because once they’re hacked, I can repudiate it. I can’t change my mother’s maiden name if I put it in there. And once it’s hacked, it’s over. Right. And we do a lot of these really bad practices, and they had answers to all of this in this huge, vast, minable data set.

Arun: I, I, I believe the name of that agency, or company, was ZOA. I may be pronouncing it wrong, but out of China. And we, we never consider how this data can be used. Right? So earlier, as I was promoting the book, I put together, I, I have this concept of degrees, right? Where I say, how many degrees separate you or I from a hacker?

Arun: Right. Rather than thinking about the user as somebody who works in a company who uses a device, which is how we think about it, right? One way to think about people is to think about how many degrees separate you or I from a hacker, from a bad guy. Right. And how do you quantify that? So we came up with a quiz.

Arun: I mean, it’s, you know, not entirely scientific because the data in it is still being aggregated. But the idea here was to say, you know, if I take someone, like, let’s say, Matt, how many degrees do I need to get to? If I was a bad guy to get to some data set of Matt that would gimme access to his device.

Arun: Right? So each step that I have to take is a degree. Right. So I’m using the word. Remember that, seven degrees, six degrees of Kevin Bacon, six degrees of Kevin Bacon, right? Six degrees of Kevin Bacon. So it’s the same concept, but I’m using degrees. I remember six degrees comes from, you know, Duncan Watts’ small worlds research.

Arun: Right? So this is research that said how, you know, basically what, what they did back in the seventies, I believe, it’s a, it’s a, it’s a Harvard study where what they did is they asked people, random people in Indiana and Kansas and so on, they gave them a sheet of paper and a package. And they said, okay, get this to another person that they didn’t know.

Arun: And what they found was most people required five or six other intermediaries. Like they’d go to the post office to find someone, to find someone, to find someone; the package had to be taken hand to hand. You couldn’t give it to a, to a mail carrier. So you take that same concept from the hacker’s point of view and say, okay, how many steps does it take for a hacker to get to Matt’s laptop?

Arun: Right. And so each is a degree. So we created a quiz, and I, in fact, I’ll send you a link to the quiz. The quiz is still available. I have, of course, a link. It also links up to my book. It’s on LinkedIn, but I’ll send you the quiz link. And the idea here was, you know, the fewer the degrees, the easier it is for the hacker to get to you.

Arun: And some of the things that define it is, has some data of yours been stolen already? Because that’s a degree, right? That’s a huge step, because if you already have a degree of data out there, a modicum of data out there, I already have some information about you that you don’t know I have, or you forgot that I have, because, you know, if you think of something like OPM in Matt’s case, I mean, the, the depth of that data is just phenomenal, right?

Arun: It’s unbelievable how much data they had, and that got stolen. So of course, it’s also what kind of data got stolen. That adds a degree. And so you can count the number of degrees separating you from the bad guys. And, and that gives you a different way of thinking about vulnerability. So we can think about, we can’t ring fence everybody the same way, but the people who are very, very close to the hacker, where the hacker is just like one degree away from you.

Arun: This is a person that needs to do a lot of things to safeguard his or her data, right? So these protections have to be much more, much more in depth, and they have to permeate not just the work environment but maybe even their household environment or wherever they go. You know, they go to the bar with their laptop, for instance; well, that’s something we need to make sure that, you know, we ring fence that, you know, use a, you know, authentication key, for instance, a physical token, if we have to, and, and, and do things that you may not do if you were someone who was, let’s say, four degrees away from a hack.

Arun: Yeah. But this is just a different way of thinking about it. So we’re basically changing that paradigm where we think of the device as the problem and the device as the conduit, and the user is just somebody who’s just another one of those things in the mix. So right now, if you look at how, you know, users are constructed in the security literature, we look at software, we look at hardware, we look at the user, and we give each of them the same amount of value.

Arun: In fact, the user is given even less value, right? We’re more focused on software, then we’re most focused on, you know, RAM leakages for, like, DRAMs and stuff. So that’s the hardware that we focus on. We focus a lot on software code integrity and so on, so forth. But when it comes to the user, there’s just like one little thing.

Arun: We do security awareness, then we’re done. Right. So here, we kind of change that around and look at the user in terms of degrees of separation. Interesting. Right. Just a way to think about it. Right? So, so these are different ways to say, you know, what is vulnerability at the user level, right? Is it just a phishing test that we have to do all the time?

Arun: Is that the only thing that we have? Not necessarily, we have other ways of doing this. If you ask anybody right now, they don’t know what it’s.

Chris: Yeah. Very interesting perspective. So you mentioned you’re based in the New York area, correct?

Arun: Yes. Buffalo, New York.

Chris: Do you have any cool bars in the Buffalo area? Like anywhere unique that you would, you know, direct outsiders like myself, if I were in town?

Arun: I would send you to, we have a ton of microbreweries. I’m sure it’s the same everywhere now, but you know, we have a lot of local breweries that have opened up. I love local breweries just because it’s, Hey, it’s our water.

Arun: Right. So I go to a bar called Resurgence, which is a microbrewery around here, highly recommended. And of course, Hey, when you’re in Buffalo, you gotta go to Anchor Bar for the wings. Okay. Not for the bar, but for the wings, because that’s where they invented chicken wings.

Chris: Is that the actual venue where they invented it?

Arun: This is the actual venue where the chicken wings were invented.

Arun: Interesting. Okay. It’s Anchor Bar in Buffalo, New York. It’s about two miles south of where I am. And I gotta tell you, their wings. I, I’ve had wings. So, so, you know, one of the things we do in Buffalo is, wherever we go, we try their wings just to see, you know, Hey, is there anybody else who can do this?

Arun: Right. I gotta tell you, no one does it as well as we do, nobody. And I’m telling you, I’ve gone, I’ve gone everywhere, you know, around the world, and had wings. I think the only country that even comes close, forget the cities in the United States, it’s not like Buffalo wings, but I’ll give them a lot of points, is Korean wings.

Arun: I mean, they’re the only guys who can do wings that are crispy and different enough that you can say, Hey, these are wings I can have with bar food. But other than that, we do wings better than anybody else does. You know, Buffalo wings, we have it with blue cheese. Anchor Bar is the one who, you know, they created it right there.

Arun: They, you know, the, the woman who created it, who passed away, her family still owns the bar. It’s called Anchor Bar. And, and, and that’s the, the history of wings begins in Buffalo, New York. We sell more wings and eat more wings than, I think, anybody else does in the United States, with blue cheese.

Chris: Well, I can put down, I can put down some wings, but you’re telling me like the wing stop down the street from me doesn’t compare?

Arun: Doesn’t compare. Okay. Doesn’t compare, nor does Buffalo Wild Wings, which has nothing to do with Buffalo. It’s a cha, I believe it’s based in Ohio. It’s not got anything to do with Buffalo. And you go blue cheese,

Chris: right? You go blue cheese, not ranch. We go blue cheese.

Arun: Yes. We go blue cheese.

Arun: And that’s the thing, you know, when, when we go around and we eat it with ranch, and we, I was in Indiana for a while and they had, you know, wings with ranch, like, what is this? And, and it’s different. Once you get used to Buffalo wings with, with, with blue cheese, you don’t turn back from that. And it’s wings season.

Arun: It’s about to begin, right? Football season begins in a week. It’s always wings season here, but football season begins in a week. Resurgence is something I would, I would highly recommend. It’s a local microbrewery, one of many. We have a huge booming population of microbreweries here. So that’s a fun town.

Arun: So come on down anytime.

Chris: Matt, what is your take on, on wings? Are you a wing…

Matt: I I’m kind of, so, so maybe I just haven’t had the right wings yet. I need to come out. Yeah. I get the Buffalo. That’s why Buffalo?

Arun: Yeah. So come on down to Buffalo, guys, you know, you eat our wings. I’m telling you, it is just…

Chris: I could be there in like six hours.

Arun: I’m telling you, come on down. Hey, it’s worth, I’ll tell you, it’s worth the drive. Because I was in DC last week, the week before last, and I had some wings just because I had to. Doesn’t compare. Yeah, it was awful. I was like, my God, my daughter was with me, 13 years old. She was like, wow, they make wings like we do?

Chris: Yeah. There’s nothing like a bad wing.

Arun: Nothing like it. I had to come back here and redeem myself. I had to go to Resurgence. I had to get, get alcohol. Then I had to go to Anchor Bar and have wings.

Chris: So you needed a resurgence?

Arun: I had, I, I literally had to redeem myself and just get, get my taste buds to go back to what, what it’s used to eating.

Chris: Hey, I just heard last call here. So do you have time for one more?

Arun: Absolutely. Go for it.

Chris: If you decided to open a cybersecurity themed bar, what would the name be? And what would your signature drink be called?

Arun: Oh, that’s a good one. I honestly haven’t thought about it. I’d probably call it The Weakest Link.

Arun: There you go. I’m plugging my book.

Chris: I love it.

Arun: I would call it The Weakest Link, and, you know, I’d have some kind of a security test, and the person who fails it has to pay.

Chris: Ooh, I like that.

Arun: And, and we, we have to do something along those lines. Right? What else can I, I haven’t thought this one through, but that’s the only thing that comes to my mind.

Arun: Whoever fails the test, you know, everybody who walks in has to do a test, and if they fail the test, they gotta buy.

Chris: Yeah. Yeah. Back to, back to those security repercussions, right, of failing a phishing test. Except you’re, you’re buying beer.

Arun: That’s right. But, hey, nothing like alcohol, right? It’s a great incentive.

Arun: And you get to talk about it.

Chris: Why not? And what would your signature drink be?

Arun: Yeah, that’s a good one. I would call it the 419, after the section of the Nigerian penal code after which the phishing attacks that came from Nigeria were named. Right? The, the penal code section was called 419. That’s it. There you go.

Arun: We’d call it 419, and that’d be the drink. The signature drink.

Chris: Signature drink. That’s it. I’m sold.

Arun: There you go. I love these questions. I haven’t thought these ones through.

Chris: Well, Arun, thanks again for joining me, man. I advise everyone listening to go check out the book, The Weakest Link. And Matt, thanks again. It was great having you on again and, and having you share your knowledge as well with us.

Arun: Thank you, Matt. Thank you, Chris. This was a lot of fun. Thank you. Can’t wait to do it again.

Chris: All right, guys. Well, thanks again.

Arun: Take care. Be safe. Oh, you too. Thank you.
