The perception of information security in a modern business.
Carnegie Institute of Technology
85 per cent of your success is due to skills in “human engineering,” your personality and ability to communicate, negotiate, and only 15 per cent is due to technical
Effective security changes people's behaviour in a subtle way. Behavioural psychology is becoming even more important for security practitioners, helping to influence executive decisions and to change people's perspectives on security and its misconceptions. Ultimately reducing risk, increasing value, and
You need to win hearts and minds. To do that, think differently…
Survival of the fittest
Information Security, just like the business or brand it protects, must evolve and become best “fitted,” or best “adapted,” to its environment if it is to survive and help the business grow.
The evolution of security
ADAPT OR DIE
Security PR – spin doctors
By making security engaging, it gains more acceptance.
Security should be a positive experience for the majority of people
Acceptance is not only good for the business, it is good for you.
Try to make security fun for your constituents, while still getting the “message” across.
Making IT personal
Security has to appear human, and not a soulless destroyer of worlds.
IT Savvy – only human
I have won a
The Art of
*or, “How Information Security can improve your sex life.”
“Phishing is the act of attempting to acquire information by masquerading as a trustworthy entity in an electronic
Social Engineering & Phishing
Who engages in social engineering?
Who Uses Social Engineering
We All do.
SCAM / CON MEN
The Psychology of Seduction
1. Reciprocation (Favours)
3. Social values
We are hard-wired to respond to a favour or gift, often not in direct proportion to the size of the favour done to us.
Commitment and Consistency
Once we make a choice or take a stand, we will encounter personal and inter-personal pressures to behave consistently with that
When we “commit” we want to believe in a positive outcome.
The Principle of Social Proof
We view a behaviour to be more correct in a given situation to the degree that we see others
By leveraging the power of social networking sites such as LinkedIn
The Principle of Liking
Not a difficult principle to understand: we prefer to say yes to requests from someone we know and like.
The Principle of Authority
Once we realize that obedience to authority is mostly rewarding, it is easy to allow ourselves the convenience of automatic
The Principle of Scarcity
One of the most common tactics is to build time pressure. The scarcity of time often makes people comply with requests in violation of their policies and their own common sense.
Trick or Treat
Find out what
…Then make it go
Social proof = Social behaviour = your social profile
Creatures of habit
Social engineering and phishing work because we are programmed to have “rituals”, and the majority of things we do day to day are
Rituals = Patterns of behaviour
Same websites / Favourite food
Waterholes exploit your social patterns, behaviour and rituals.
Home network / Corporate network
The art of Seduction
Seducers draw you in by focused individualised attention
Choose the right victim – study your prey thoroughly and choose only those susceptible to your charms
Create a false sense of security – if you are too direct early on, you risk stirring up resistance that will never be lowered
An object of desire – to draw your victim closer, create an aura of
Create temptation – find the weakness of theirs, keep it vague and
Pay attention to detail – the details of seduction, subtle gestures,
thoughtful gifts tailored for them