The document discusses the importance of human behavior and psychology in information security, emphasizing that 85% of success relies on interpersonal skills rather than technical knowledge. It highlights the need for security practices to evolve and engage users positively, making information security relatable and less intimidating. Additionally, it explores social engineering tactics and principles that exploit human tendencies, emphasizing the significance of understanding user behavior to minimize risk and enhance security awareness.

1. The perception of information security
in a modern business.

2. Behaviour
F
I
N
A
N
C
E
T
E
L
E
C
O
M
M
S
H
E
A
L
T
H
C
A
R
E
R
E
T
A
I
L
T
E
C
H
N
O
L
O
G
Y
D
E
F
E
N
C
E
Users
Human behaviour

3. Human engineering
Carnegie Institute of Technology
85 per cent of your success is due to skills
in “human engineering,” your personality
and ability to communicate, negotiate, and
lead.
only 15 per cent is due to technical
knowledge.

4. User experience...

5. 5
Effective security changes peoples behaviour in a subtle way. Behavioural
psychology is becoming even more important for security practitioners, helping to
influence executive decisions, and also to change peoples perspectives around
security, and its misconceptions. Ultimately reducing risk, increasing value, and
saving time.
You need to win hearts and minds. To do that, think differently…
Security Perception

6. Challenging Stereotypes

7. 7
Survival of the fittest
Information Security just like the business or brand it protects, must evolve and become best
“fitted,” or best “adapted,” to its environment for it to survive, and help the business to grow.
The evolution of security
AGILEFLEXIBLE
ADAPT OR DIE
ADAPTABLE BOLD

8. Fortress Mentality
STATIC
SLOW
INEFFICIENT

9. Flexible Framework
AGILE
ADAPTABLE
EVOLVING

10. Security as a brand

11. 11
Security PR – spin doctors
By making security engaging, it gains more acceptance.
Security should be a positive experience for the majority of people
Acceptance, is not only good for the business, it is good for you.
Try to make security fun for your constituents, while still getting the “message” across.

12. Making IT personal
Security has to appear human, and not a soulless destroyer of worlds.
NO!!!

13. IT Savvy – only human
I have won a
free iPad!
O’Really…

14. The Art of
Seduction*
*or, “How Information Security can improve your sex life.”

15. “Phishing is the act of attempting to acquire
information by masquerading as a
trustworthy entity in an electronic
communication”
Social Enginnering & Phishing

16. 16
Who engages in social engineeringWho Uses Social Engineering
We All do.
HACKERS
POLITICIANS
SALESMEN
SPIES
SCAM / CON MEN
PUA
ACTORS
MARKETERS

17. The Psychology of Seduction
1. Reciprocation (Favours)
2. Commitment
3. Social values
4. Liking
5. Authority
6. Scarcity

18. Reciprocation
We are hard-wired to respond to a
favour or gift, often not in direct
proportion to the size of the favour
done to us.

19. Commitment and Consistency
Once we make a choice or take a
stand, we will encounter personal
and inter-personal pressures to
behave consistently with that
commitment.
When we “commit” we want to
believe in a positive outcome.

20. The Principle of Social Proof
We view a behaviour to be more
correct in a given situation to the
degree that we see others
performing it.
By leveraging the power of social
networking sites such as LinkedIn
and Facebook.

21. The Principle of Liking
Not a difficult principle to
understand, we prefer to say yes
to requests from someone we
know and like.

22. The Principle of Authority
Once we realize that obedience to
authority is mostly rewarding, it is
easy to allow ourselves the
convenience of automatic
obedience.

23. The Principle of Scarcity
One of the most common tactics
is to build time pressure. The
scarcity of time often makes
people comply with requests in
violation of their policies and their
own common sense.

24. Gamification
Competition
Engagement
Increase Loyalty
Builds Empathy
Improves awareness

25. Trick or Treat
Positive reinforcement
Negative reinforcement

26. Risk reduction
Find out what
people fear…
…Then make it go
away.

27. test
Waterhole’s
Social proof = Social behaviour = your social profile

28. Creatures of habit
Social engineering and phishing
works, as we are programmed to
have “rituals”, and the majority of
things we do day to day are
habitual.
Rituals = Patterns of behaviour
Same websites Favourite food
FriendshipsSocial networks
Waterholes exploit your social
patterns, behaviour and rituals.

29. Asymmetric warfare
INTERNET
Home network Corporate network

30. Asymmetric warfare
Friends and Family

31. The art of Seduction
Seducers draw you in by focused individualised attention
Choose the right victim – study your prey thoroughly and choose
only those susceptible to your charms
Create a false sense of security – if you are too direct early on, you
risk stirring up resistance and that will never be lowered
An object of desire – to draw your victim closer, create an aura of
desirability
Create temptation – find the weakness of theirs, keep it vague and
stimulate curiosity
Pay attention to detail – the details of seduction, subtle gestures,
thoughtful gifts tailored for them

32. Recap
THANK YOU