This document discusses the need to use stories and games to educate corporate executives about cybersecurity threats, as technical explanations often fail to convey the severity of the issues. It suggests designing games and animations that bring cyber attacks to life in a vivid way. One expert argues that executives should play special computer games and watch animations to help them understand the scale of the threat from cyber-crime and support improvements in security. The document also discusses using social engineering techniques like persuasion and impersonation to gain access to systems, and the need for physical and psychological countermeasures as well as technical controls to address these kinds of attacks.

1. Developing the
Human Firewall
Frank Wintle
PanMedia
20/10/09 | Session ID: PROF-105
Classification: Intermediate

2. Agenda
A Journey to the East
It’s not just technology
The power of story
f
Four rules for happiness
2

3. A wilderness of mirrors...

4. Secrets Betrayed

5. From first man to fifth?

6. One author’s theory...

7. Sex and secrecy

8. A housewife and mother

9. Who is the hacker? Who is the spy?

10. An engineer calls...

11. ... and checks under the desk

12. Now wires have ears
“Keystrokes recorded so far is 2706 out of
Keystrokes
107250 ...
<PWR><CAD>fsmith<tab><tab>arabella
<CAD>
CAD
<CAD> arabella
<CAD>
<CAD> arabella
exit
tracert 192.168.137.240
telnet 192.168.137.240
Ci ”
Cisco”

13. New weapons, new fronts, old battles

14. Wedded to mystery

15. A true story?

16. Nonsense as science

17. Science as nonsense

18. Backs to the Facts
“The h
“Th human mind is l
i d i less di t b d b a
disturbed by
mystery it cannot explain than by an
explanation it cannot understand.”
David Mamet The Water Engine
Mamet,

19. Typical defence: silver bullets
Key features:
• Sexy name
• Pretty diagrams
• C
Complex t h l
l technology
• Flashing lights
• Rack mountable
• Reassuringly expensive

20. The criminal’s approach
Social engineering plus technology
• Phishing
• Trojans & rootkits
+ • Laptop theft
• In person intrusion

21. Why social engineering?
• Social engineering can be
g g
used to gain access to any
system, irrespective of the
platform.
• It’s the hardest form of attack
It s
to defend against because
hardware and software alone
can’t stop it.

22. The difficult sell!
The money you spent on security products, patching
systems and conducting audits could be wasted if you
don’t prevent social engineering attacks …
You need to invest in
Awareness
and
Policies

23. Countermeasures
Countermeasures require action on
physical and psychological levels
as well as traditional technical controls
Physical: Psychological:
– in the
i th workplace
k l – persuasion
i
– over the phone – impersonation
– dumpster diving – conformity
– on-line – friendliness

24. Staff awareness
• Educate all employees - • Train new employees as
everyone has a role in they start
protecting the
• Give extra security
organisation and thereby
training to security
their own jobs
guards, help desk staff,
• If someone tries to receptionists, telephone
p , p
threaten them or confuse operators
them, it should raise a red
• Keep the training up to
g
flag
date and relevant

25. Which point of view?
“The single most important problem in science is
to reconcile the first and third person accounts
of the universe...” V S Ramachandran

26. Third person

27. First person

28. Wooing the audience
“I CAN THINK of nothing that an audience
g
won't understand. The only problem is to
interest them; once they are interested,
they understand anything in the world."
Orson Welles

29. Telling the STORY
Once upon a time....
O ti And then one day....
A d th d
But what they didn’t know.... Climax and resolution

30. Understanding the mind
“Narrative is the primary human tool for explanation, prediction,
evaluation and planning” ------- Mark Thomas, The Narrative Mind
“We live, and call ourselves awake, and make decisions by telling
ourselves stories” ------ Julian Jaynes, The Origins of Consciousness

31. Games with a purpose
EXECUTIVE GAMES COULD HELP STEM CYBERCRIME, FIRST EXPERTS TOLD
Kyoto, Japan – June 30, 2009. Senior executives should play special computer games
and watch animations to help them understand the scale of the threat from cyber-crime
and win their support for improvements in security, one of Japan’s top Internet protection experts
said yesterday at the 21st annual conference of FIRST, the Forum of Incident Response and Security Teams.
Dr Suguru Yamaguchi, member and adviser on information security at the Japanese Cabinet Office
National Information Security Centre, was giving the opening keynote address at the five-day conference,
which got underway at the Hotel Granvia, Kyoto.
“We need to find ways to help corporate executives actually to visualize what goes on
when a computer network is under attack,” he said. “Just explaining in words isn’t enough
– the words are too dense, too technical – what we should do is design special games and animations
which will bring the severity of current threats vividly alive in the executives’ imaginations.”
g y y g

32. Everyone hates a sermon...
“Audiences shrink from sermons…”
Akira Kurosawa

33. Everyone loves a story
“I think that I have made them aware…”
I aware

34. “They just don’t get it...”
“We concealed the very things that made us
right – our respect for the individual, our love of
variety and argument, our belief that you can
argument
only govern fairly with the consent of the
governed, our capacity to see the other fellow’s
point of view... so it wasn’t much wonder, was
it,
it if we opened our gates to every con-man
con man
and charlatan?”
George Smiley (John Le Carré)

35. A human firewall

36. Four rules for a good life
1. Exercise
2. Love
3. Disdain
4.
4 A project

37. Need more information?
Frank Wintle
PanMedia
frankwintle@panmedia.co.uk
@p
+44(0)7850 102194