Why is the security industry so full of fail? We spend millions of dollars on firewalls, IPS, IDS, DLP, professional penetration tests and assessments, and vulnerability and compliance tools, and at the end of the day, the weakest link is the user and his or her inability to make the right choices. It's enough to make a security engineer cry. The one thing you can depend upon in an enterprise is that many of your users, even with training, will still make the wrong choices. They will violate BYOD restrictions, click on links they shouldn't, respond to phishing scams, open documents without thinking, post too much information on Twitter and Facebook, use their pet's name as passwords, etc. But what if this isn't because users hate us or are too stupid? What if all our ignored policies and procedures regarding the best security practices have more to do with our failure to understand modern neuroscience and the human mind's resistance to change? Humans are wired to be emotional beings. Emotions influence most of our decisions, good and bad. In failing to understand how this is at the root of user non-compliance, no matter how much money we spend on expensive hardware and software, we will fail to achieve the goal of good organizational security.

1. A New Model: Advancing Organizational
Security Through Peacebuilding

2. Who Are We?
 Michele Chubirka, aka "Mrs. Y.," is a recovering UNIX
engineer working in security. She is also the host of the
Healthy Paranoia podcast, the information security feed
of Packetpushers, and official nerd hunter. She likes
long walks in hubsites, traveling to security
conferences, and spending time in the Bat Cave.
Sincerely believes that every problem can be solved
with a "for" loop.
 Joe Weston is a workshop facilitator, consultant, and
author of the book Mastering Respectful Confrontation.
He is also the founder of the Heartwalker Peace
Project, which creates opportunities for connection,
discussion, and creative collaboration.

3. Who We Aren’t

4. Special Request
 Importance of feeling heard.
 Please put laptops and phones away for now.

5. A Language of Violence
 The taxonomy of information security is borrowed from
the language of war.
 How does this impact the way we interact with our user
community?
 How does this affect the practitioners?

6. Peacebuilding Levels
 Personal
 Social
 Institutional
Personal + social = institutional change

7. "The human brain hasn't had a hardware upgrade in about
100,000 years."
Daniel Goleman, Author of Emotional Intelligence

8. Users Aren’t Stupid
 We spend millions of dollars on security products and
at the end of the day, the weakest link is the user.
 Even with training, users make the wrong choices.
 What if the problem isn’t about the user at all, but us?

9. Something isn’t working
 We’re swimming in data, but we still can’t make
predictions about intrusions.
 How can we realistically change user behavior?

10. User: Definition
People who aren’t us.
 Developers
 Administrative Staff
 Management

11. Brain RTFM

12. Neuroscience 101
Limbic System: The interior of the cortex, includes the hippocampus and
amygdala. Supports emotion and long-term memory.
Prefrontal Cortex: Region responsible for planning, decision making and
moderating behavior.
Think of the limbic system to the prefrontal cortex as a horse is to a rider.

13. Demonstration: A Brain In the
Palm of Your Hand
 Hold up your hand and make a fist.
 This is a good representation of the brain and
spinal column.
 The brain stem, limbic system and neocortex.
* These two slides are oversimplifications of a very complex
system.

14. The Threat Response: Step 1
Cortex receives input (externally or internally) from the
thalamus, a component of the limbic system.

15. The Threat Response: Step 2
Limbic system and prefrontal cortex (the executive or
evaluator of the brain) take in data simultaneously.

16. The Threat Response: Step 3
Amygdala, responsible for emotional response and
memory, acts as an alarm activating the fight/flight
hormonal response if threat is perceived.

17. The Threat Response: 4
Then the sympathetic nervous system sets up organs and
muscles for fight/flight response, inhibiting digestion and
the hypothalamus prompts the release of stress
hormones.

18. Emotional Contagion
 The limbic system is an ―open loop,‖ influenced by
other people’s emotions, aka mirror neurons.
 Mirror neurons activate when an animal performs an
action or when an animal observes the same action of
another animal.
 They are thought to be the basis of empathy.
 Also called emotional contagion.

19. Negativity
 The brain has a negativity bias because the limbic
system is quicker than the prefrontal cortex at
perceiving and analyzing potential threats.
 Traumatic experiences are ―stickier‖ than positive,
happy experiences, i.e. harder to un-map.

20. No Escape From Threat
 Most of us are in a permanent state of cortisol overload
due to the constant stressors of modern life and the
fact that stress hormones stay in the body for hours.
 This decreases intellectual capacity, memory capacity
and lowers impulse control.
 Stress makes you stupid.

21. Amygdala Hijack
Key indicator: intense and immediate emotional reaction,
followed by the understanding that it was inappropriate.
 I thought that stick on the ground was a snake!
 I don’t like you or I’m bored, so I won’t cooperate or listen to
what you have to say.
 That guy who cut me off in traffic was trying to kill me!
 Why were you so insulting to me in that email yesterday?
(studies show there’s a negativity bias in email.)
 Other examples?

22. Thin Slicing: Warren Harding
Syndrome
 Human beings make quick decisions based on intuition.
Think ―love at first sight‖ or a ―gut reaction.‖
 This is sometimes called ―Thin Slicing.‖
 One example is ―Warren Harding Syndrome.‖ A
mediocre presidential candidate, Americans voted for
him , because he was tall, good looking and charming.

23. Harding has been
called one of the
worst presidents in
history.

24. Thin Slicing: Bedside Manner
 The likelihood of a doctor being sued has little to do
with the number of errors made.
 In an analysis of malpractice lawsuits, there was no
correlation between the number of mistakes by doctors
and how many lawsuits were filed against them.

25. Malpractice?
 In studies, psychologists were able to predict which
doctors would be sued more by analyzing the amount
of time spent with patients and if the tone of their voices
sounded ―concerned.‖
 Patients file lawsuits because of how they are treated.

26. The Power of Mirror Neurons
Marie Dasborough observed two groups:
 One group was given negative feedback accompanied
by positive emotional signs, nods and smiles.
 Another was provided positive feedback that was
delivered using negative emotional cues, frowns and
narrowed eyes.

27. Entrainment
 Those who received the positive feedback
accompanied by negative emotional signs reported that
they felt worse than participants who received negative
feedback given with positive emotional cues.
 The delivery was more important than the message.
 Your emotions and actions will be mirrored by those
around you.
 This is similar to a phenomenon known in physics as
entrainment.

28. Is Efficiency Overrated?
 Study conducted by Gillian M. Sandstrom and
Elizabeth W. Dunn of the University of British Columbia.
 Participants who ―smiled, made eye contact, and talked
with the cashier‖ at a coffee shop reported higher
satisfaction and moods than those who avoided
interaction.
 Small, unimportant interactions with others can create a
feeling of connection according to researchers.

29. There’s No Mr. Spock
 Neurologist, Dr. Antonio Damasio, had a patient who
had been a successful corporate lawyer.
 A tumor was discovered in his prefrontal lobes and the
surgeon who removed it inadvertently severed the
circuit between this area and his amygdala.

30. Somatic Marker
 There was no obvious damage to his cognitive abilities,
but his life fell apart.
 It was discovered that he couldn’t make decisions
when presented with the simplest choices.
 He no longer had any feelings regarding these options,
no preferences.
 This is the basis for Damasio’s Somatic Marker
Hypothesis, in which it is proposed that emotions assist
with complex decision-making.

31. It is a gross
misconception that
reason can be
completely separated
from emotion.

32. You’re the Threat
 The WAY we present information is just as important as
WHAT we present.
 In the first few minutes we interact with someone, we’re
being assessed for our potential to provide reward or
punishment.
 Could I have some carrot with that stick?

33. It’s Tribal
 As humans, we’re constantly trying to maximize
pleasure or minimize pain.
 That black, unwashed t-shirt and body art may feel like
a personal statement, but it can impact and even
alienate those we’re trying to convince.
 Are you a member of their tribe?

34. Social Connections Matter
 Anthropologist Robin Dunbar found that a species’
brain size—size of its neocortex, the outermost layer—
is linked to the size of its social group.
 We have big brains in order to socialize.

35. We’re Wired To Be Social
 In the brain’s non-active moments, when not involved in
a specific task, it reverts to a configuration called the
―default network.‖
 According to researcher, Matthew Lieberman, this
appears to resemble another configuration, the social
thinking brain, which is empathetic.
―The default network directs us to think about other
people’s minds—their thoughts, feelings, and goals.‖

36. That was the bad news.
Now for the good.

37. Training That Works
 The Dynamic Feedback Loop
 In the 1960s, Stanford University psychologist Albert
Bandura determined that giving individuals a clear goal
and a method of evaluating progress increased the
likelihood that they would achieve it.

38. Feedback Loops
Where are they used?
 Personal training, leadership coaching, digital speeding
signs.
 In Garden Grove, California, the use of digital
speeding signs reduced speeds on an average of 10%.
 This was more effective than police ticketing.

39. Let’s Have Some Fun
Draw the letter ―e‖ in the air in front of
you.
*This is a decade-old method social scientists use to measure
perspective-taking – the ability to put yourself in someone else’s
shoes.

40. Communication That Works
• Interaction based on the core competencies of
Emotional Intelligence, such as self-awareness, selfregulation, empathy, and motivation.
• Social engineers already use some of these skills to
create emotional and social affinity with a target. It’s
called pseudo-empathy.
• Conflict resolution methods such as those based on
Non Violent Communication (NVC) and Restorative
Practices.

41. Self Awareness Exercise
It’s called ―labeling‖
 Think of it like putting yourself in debug mode.
 Process emotions or sensations you experience in real
time.
Let’s try it.
 Say to yourself, ―Right now, I’m experiencing….‖

42. Communication Models
 XYZ model
 Respectful Confrontation
 BEER Method
 NVC

43. XYZ
In situation X...
when you do Y...
I experience Z.

44. Joe Weston’s Respectful
Confrontation
 Behavior
 Impact
 Need
 Make a request

45. Suzanne Kryder’s BEER
 Name the behavior
 Its effect
 The emotion experienced
 The requested behavior
BEER = Behavior Effect Emotion Request

46. Marshall Rosenberg’s NonViolent Communication
 Facts or observations
 Feelings
 Needs or what’s ―alive‖
 Request

47. Respect
 If you want respect, you have to give it.
 How do we disrespect our users?
 Sophos study said only 4% of IT staff trust their users.
 What percentage of users trust US?

48. ―How To Break a Terrorist‖
Two tragedies to Abu Ghraib.
 The human cruelty
 The obvious failure of humiliation and violence in
gathering intelligence.
Interrogator, Matthew Alexander, discovered that building
rapport with prisoners was the most efficient way to get
information and stop terrorism in Iraq.

49. ―The quickest way to get most (but not all) captives talking
is to be nice to them.‖
Mark Bowden, author of Black Hawk Down

50. Motivation
Study sponsored by the Federal Reserve Bank found
three main factors motivate people in their work.
 Autonomy
 Mastery
 Purpose
If we want security ―wins‖ we have to include everyone as
partners in a cooperative process.

51. Neuroplasticity: You Can
Change Your Brain
 It is no longer believed that the brain becomes static
after childhood.
 The brain is always changing. This is caused by
physiological, environmental and behavioral factors.
 A study found increased cortical gyrification with more
years of mindfulness practice.
 Higher gyrification usually correlates to intelligence.

52. Practicing Respectful
Confrontation

54. My Truth != The Truth

55. Synonymous?
True Power
Brute Force
Confrontation
Conflict
Assertiveness
Aggression

56. Concepts to Explore
True Power != Brute Force
Confrontation != Conflict
Assertiveness != Aggression

57. Four Pillars of True Power
 Grounding
 Focus
 Strength
 Flexibility

58. Vulnerability != Weakness
It is only in your vulnerability
that your true power
is revealed.

60. “Water is fluid, soft, and yielding. But water will wear away
rock, which is rigid and cannot yield. As a rule, whatever
is fluid, soft, and yielding will overcome whatever is rigid
and hard. This is another paradox: what is soft is strong.”
Lao Tzu

66. Personal
Space

67. 5 Steps of Clear
Communication
1. Contact with yourself
2. Contact with other
3. Desire/Impulse
4. Act of communication
5. Received message

68. Key Takeaways
 Bad trumps good in the human brain.
 You can’t turn your emotions off or leave them at home. It’s
like wearing a bad toupee. You aren’t fooling anyone.
 If the limbic system is an open loop, we’re all responsible for
the quality of the emotional landscape.
 Stress makes you stupid, by shutting down blood flow to the
critical pre-frontal lobes. If you set off a stress response in
someone, you minimize the chance of having a rational
dialogue with them.
 Confrontation isn’t always negative. Resistance to change
can be a valuable source of feedback.

69. Cyber Peace
 Peaceful doesn’t mean passive.
 Peace isn’t the absence of war or conflict.
 Violence isn’t always physical. There are subtle ways to
commit harm against another.
Let’s stop blaming the victims and work in partnership
with our users to empower each other in our mutual goal
of enterprise security.

70. ―If you use government to show them the Way and punishment to keep them
true, the people will grow evasive and lose all remorse. But if you use integrity
to show them the Way and Ritual to keep them true, they’ll cultivate remorse
and always see deeply into things.‖
From ―The Analects‖ of Confucius 5th century B.C.E.

71. Where Can You Find Us?
Michele Chubirka, spending quality time in kernel mode.
http://www.healthyparanoia.net
Twitter @MrsYisWhy
Google+ MrsYisWhy
networksecurityprincess@gmail.com
Joe Weston, writing and teaching workshops.
http://www.respectfulconfrontation.com/

72. A" en%on'Tutorial'A" endees!'
A" en%on'Tutorial'A" endees!'
Attention Tutorial Attendees!
Please'don’t'forget'to'fill'out'your'Tutorial'Surveys.'
A" en%on'Tutorial'A" endees!'
Please don’t forget to fill out your Tutorial Surveys.
Please'don’t'forget'to'fill'out'your'Tutorial'Surveys.'
Please'don’t'forget'to'fill'out'your'Tutorial'Surveys.'
Your feedback is very important to us and helps us shape
the future
of the LISA training program.
Please visit www.usenix.org/lisa13/training/survey and fill
out the appropriate surveys.
Thanks for your help!
'
''

73. References
Chubirka, Michele. "Is Cyber Security a Form of Violence." Web log post. Packetpushers. Packetpushers, 31 Jan. 2012. Web.
Esfahani Smith, Emily. "Social Connection Makes a Better Brain." The Atlantic 29 Oct. 2013: n. pag. Print.
Goleman, Daniel, and Richard Boyatzis. "Social Intelligence and the Biology of Leadership." Harvard Business Review Sept. 2008: 74-81.
Print.
Goleman, Daniel. Working with Emotional Intelligence. New York: Bantam, 1998. Print.
Hanson, Rick, and Richard Mendius. Buddha's Brain: The Practical Neuroscience of Happiness, Love & Wisdom. Oakland, CA: New
Harbinger Publications, 2009. Print.
Kryder, Suzanne. The Mind to Lead. N.p.: NeuroLeap, 2011. Print.
Luders, Eileen, Florian Kurth, Emeran A. Mayer, Arthur W. Toga, Katherine L. Narr, and Christian Gaser. "The Unique Brain Anatomy of
Meditation Practitioners: Alterations in Cortical Gyrification." Frontiers in Human Neuroscience 6.34 (2012): 1-9. Print.
O'Connell, Andrew. "HBR Blog Network / The Daily Stat." Harvard Business Review. Harvard Business Review, 30 Oct. 2013. Web. 02 Nov.
2013.
Pink, Daniel H. Drive: The Surprising Truth about What Motivates Us. New York, NY: Riverhead, 2009. Print.
Pink, Daniel. "Why Bosses Need to Show Their Soft Side." The Telegraph 17 July 2011: n. pag. Print.
Rosenberg, Marshall B. Nonviolent Communication: A Language of Life. Encinitas, CA: PuddleDancer, 2003. Print.
Siegel, Daniel J. The Mindful Brain: Reflection and Attunement in the Cultivation of Well-being. New York: W.W. Norton, 2007. Print.
Weston, Joe. Mastering Respectful Confrontation: A Guide to Personal Freedom and Empowered, Collaborative Engagement. Emeryville,
CA: Heartwalker, 2011. Print.
Zehr, Howard. The Little Book of Restorative Justice. Intercourse, PA: Good, 2002. Print.