Phishing For Answers

Unmasking Vulnerabilities in Security Awareness with Wendy Nather

Joshua Crumbaugh, Founder & CEO of PhishFirewall

Ever thought attending a security awareness class could make you more vulnerable to phishing attacks? Join us as Wendy Nather, a former CISO, unravels this unexpected phenomenon and challenges industry norms. We tackle the complexities of security training and explore why traditional methods might not be hitting the mark. Wendy shares insights into designing systems that protect against human errors, advocating for a collaborative approach that includes everyone from developers to IT staff in building robust cybersecurity frameworks.

Our conversation takes a turn as we highlight the importance of role-based training and engaging diverse personality types in cybersecurity education. Drawing from real-life anecdotes, like the Starbucks gift card phishing fiasco, we stress the need for clear communication and the introduction of security principles from a young age. This episode emphasizes how early tech exposure shapes user behavior, and we discuss tailored education strategies for different organizational roles to build a culture of security mindfulness.

Finally, we explore the art of empowering employees to recognize and report suspicious activities, sharing personal stories of innovative attacker tactics. From gamification to competitive training exercises, we propose fresh ways to make security training more engaging and effective. As we challenge long-held industry assumptions, we advocate for an environment where users feel safe to report mistakes, continuously reassessing and innovating cybersecurity practices to keep ahead of threats.

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Joshua Crumbaugh:

All right and welcome to another episode of Phishing for Answers. Today we have Wendy Nather with us. Wendy, do you have any interesting stories to share with the audience?

Wendy Nather:

Sorry, nope. No, I'm just kidding, we're all done now, right.

Joshua Crumbaugh:

I love it. Okay, podcast is over.

Wendy Nather:

No, no, I did promise that I would reveal what I actually think about phishing. So first of all, Joshua, I have to give you kudos for being brave and inviting me on here. Thank you, thank you. When I was a CISO at one organization, we ran a bunch of security awareness training classes. We had like 25 different classes and they were not mandatory, so people just showed up if they wanted to. We had a whole bunch of different topics and we kept track of who showed up, and over time, you know, 25 classes, people showing up, really enjoying it, getting into it and everything, we decided to do a phishing exercise to see how people would react, and we looked at who had been at how many of the security awareness training classes and who fell for it and who didn't. And we found that those who went to the classes were more likely to fall for the phishing exercise, the phishing email.

Joshua Crumbaugh:

I got to say that doesn't surprise me.

Wendy Nather:

It doesn't? Okay, because we were just gobsmacked.

Joshua Crumbaugh:

Yeah, no, I mean, I've actually met another guy. He did his PhD dissertation on this exact subject and he found me as a result of his research, and that was his study. So he said, OK, we're going to phish users and see who clicks on stuff, and then we're going to run them through security awareness training, and then we're going to phish them again and see what our results are. When they phished them again, they actually clicked on more stuff than when they phished them the first time.

Joshua Crumbaugh:

I truly have a lot of theories on why this is.

Joshua Crumbaugh:

But if we look at security awareness, you know, just going back, it really has only evolved one time, and so you know we had the initial once a year.

Joshua Crumbaugh:

You go sit in a boring class for an hour, you take a test and you're done for another year. And then it evolved a little bit back in, you know, around 2010, where all of a sudden now we've started to shorten it, you know, anywhere between three minutes on the lower end to 15 minutes on the longer end, make it a little bit more frequent, and we added in phishing simulations. But past that it hasn't evolved a whole lot, and there's a lot of things that I think we do wrong to make it to where our training causes people to turn off, and the key one is that we make it too complex. And I truly believe that if the training is too complex, the average person is just going to say, oh, I don't want to, and they're going to turn off. Even if they go through the motions, they're not going to listen to it, and I feel like that almost makes them less secure than if they just did the training to begin with, without that preconceived mentality. Does that make any sense?

Wendy Nather:

It does. And our theory on what happened is the email that we sent said, you know, we need you to help the security team and check your password. Click on this link and type in your password and see if it's strong enough. And our theory was that the people who came to the classes enjoyed it so much that they really wanted to help us, and that's why they were more likely to click on the link. And so the question is really, can you devise a phishing training that covers all the eventualities against people who are going to try many different ways of phishing? And you know that better than I do.

Joshua Crumbaugh:

Oh, absolutely. I think that that's absolutely a core part of this, is that there's a lot of complexities to phishing. It's far more than just throwing a phish out at your people and seeing what they click on. And when we look at what's happening in the wild, they're targeting my finance people with finance-specific phish, they're targeting my IT people with IT-specific phish and my developers with developer-specific phish. So I think we have to adapt and we have to have something smart enough to be able to, A, do that internally but, B, go through all these different, you know, small subcategories, if you will, of phishing and just test people's risk holistically?

Wendy Nather:

I think so. But, and more importantly, wouldn't it be great if we could just design systems better so it doesn't matter if they fall for it? You know, because what we're trying to do today, in my opinion, is the equivalent of building a block list for people, to say, okay, check for this, we've got to stop this, we've got to stop this, we got to stop this. And then we're relying on them to remember. And you know, when my blood sugar gets low and I get cranky, I'm more likely to fall for stuff as a security person, and so trying to enumerate all the badness and protect against all the badness, we know in security that's not the best way to go about these things. And coming up with a baseline that we could whitelist against, you know, or allow list, and say, yeah, unless it's doing this thing, just don't go for it. That's hard too, because, you know, people's jobs. The entire Internet is here to click on. Why are we telling people not to click on stuff?

Joshua Crumbaugh:

I will say, though, chicken or the egg, because to me, part of that education and that awareness needs to be developer training too, to make sure that we are building secure systems from the ground up. Part of that awareness training should include not just developers, but what about your IT staff? What about your network engineers? What about even your defenders? To me, each and every one of those groups needs different levels of training. For your defenders, I think they should be learning continuously about the MITRE ATT&CK framework. For your developers, it's the OWASP Top 10. And so I don't know. I think that's one of those elements that helps us build more securely in a mature awareness program.

Wendy Nather:

I think so too, and another thing I did was I used Microsoft's Elevation of Privilege card game, which Adam Shostack developed.

Joshua Crumbaugh:

I've seen that somewhere at home, but I've never played it.

Wendy Nather:

It's great, you know, it's got cards with all sorts of different abuse cases, exploitation and everything. And I invited a bunch of developers after work and I said, I'll provide the munchies, you bring your own drinks, and we're going to play this, and bring your application, the one that you work on. And so for each scenario where, you know, there was an abuse case, an attack case, you had to try to figure out whether it could apply to your application, and if it could, then, you know, you'd have to raise your hand and say so. So the good thing was, each of the developers brought their own application and they, you know, discovered things that they should go back and fix. So in one sense they won; the bad sense was they had to create a whole bunch of new Jira tickets, and so we were like, oh man, I'm so sorry, dude. But, you know, if they don't have the answers, OK, this could apply, but I've done this, this and this to, you know,

Wendy Nather:

mitigate it. Then yeah, that's awesome, and they're finding their own. I love it. And it was fun. You know, they won but they also lost, and we were all commiserating together on it instead of, oh, I got you, you missed a spot, which is, I hate that sort of behavior, and that's the easiest thing to do. You know, attacking is easy, defending is hard.

Joshua Crumbaugh:

I just got to say I'm going to give you credit, but I am going to shamelessly steal that idea and use it because I love the idea of bringing them in and playing that game. I think it's awesome.

Wendy Nather:

Yeah, yeah, it's social engineering. You know you do whatever you can.

Joshua Crumbaugh:

And when you get them to you know, tell you they believe it more too.

Wendy Nather:

Exactly. Exactly, yeah.

Joshua Crumbaugh:

I mean, I think you can also use the same thing. It's sort of what we were talking about before we began, about getting the cybersecurity people to admit that they've fallen for a few of these things. Right, because when that gets out there and the non-cyber people realize, hey, it can happen to any one of us, it works better, because people are more likely to believe negative about you than they are positive, and so when you start with that negative, they're more likely to believe everything that comes after it too.

Wendy Nather:

Oh, that's a really good principle. I didn't know that.

Joshua Crumbaugh:

Oh yeah.

Wendy Nather:

Start with something negative that they'll absolutely believe, and then they'll believe the rest. Wow, that's another really good thing to know.

Joshua Crumbaugh:

So that actually does bring me to another point. I think we need more behavioral science in cybersecurity. Neither of us has really had much of a chance to go into our backgrounds a whole lot, but a little bit about my background was that I started out in ethical hacking saying I'm going to be the most technical hacker ever, and I did a lot of application security, was very good at it. But also, on my very first physical assessment I talked my way into a bank vault and realized, hey, I like this social engineering thing. I went to school for marketing, which plays in, because that's sort of an offensive form of psychology in and of itself. And so now, you know, you flash forward a few years and I've got the opportunity to work with some professors from around the globe to help write college coursework on how we do this, you know, build effective security awareness programs. It was actually led by a professor out of Plymouth University in the UK.

Joshua Crumbaugh:

So I bring that up because one of the core principles that I've focused in on, that I think applies to phishing specifically, is identical elements theory, and identical elements theory talks about how, when you get a new car, you'll start seeing it all over the road, or, a different example, you learn about something new and then you see it everywhere. Or you start hearing everybody talk about it as you, like, flip through reels or whatever. Right, that is identical elements theory in action. You've learned about something well, so you see it everywhere. And that's your subconscious that makes sure that you see it everywhere. And so if we can train you really well about a few key identifiers, it's only like 10 different core identifiers about phishing, then you're going to start to see it everywhere. It's not just going to be in that specific email, but it's going to be on your phone and calls and social media, everywhere.

Joshua Crumbaugh:

And so I think we have to focus more on what human virus definitions we want to implant by running this phishing simulation and how we are going to achieve that. And I think that has to be asked before we ever go into the phishing simulations, because we do run the risk of causing disruption, hurting, well, I would say hurting our employees, at least their emotions anyway, their feelings. And, you know, there's this one story that's always stood out to me about this older lady who gets phished saying she's getting a raise, and instead she's in trouble with her boss, and just the emotional roller coaster that comes with that and how we don't want to do that to our employees.

Wendy Nather:

Yeah, we don't want to do that. And the other thing that really bugs me is that even if we create those virus definitions, as you describe them, things like, they're likely to send you a notification that something good is going to happen, just click on this to see what it is. Even if you do that, I have been in organizations where they have trained people very diligently not to fall for that, and then the HR department sends out an email saying your bonus notification is ready, click here, and it's absolutely legit. And it's like, did they not do the training? What makes them think that was a good idea?

Joshua Crumbaugh:

So I have a funny story of that. A Fortune 500 client of ours, they decide to send a Starbucks gift card to people, and we have, you know, thoroughly beat up their employees with the Starbucks gift card. No one clicks on it, or I mean almost no one clicks on it. That's good.

Joshua Crumbaugh:

Yeah, no, the CEO had to personally send it out and say, no, this is from us. You know, you're only going to get it on this day. But, you know, to that regard, it is funny how our own practices can make us vulnerable, and I think that's a great segue to, you know, I feel like we need to be more extroverted in cybersecurity. It's a lot of introverts, but I think it's important to get out there and have conversations with people, because that's how we learn about these things and prevent them from happening. I'm sure you have some thoughts about that.

Wendy Nather:

Well, as an introvert myself, I'm not that happy about that idea.

Joshua Crumbaugh:

But I'm an introvert too. I just see the need.

Wendy Nather:

Yeah, no, I absolutely agree, and having that sort of discussion with everybody is really important. You can be sitting next to somebody on a bus and start talking with them about those sorts of security principles, and you'll find that they understand and they have thoughts about, you know, how people get tricked, what sorts of things are bad design in tech that they wish they would fix. You know, my kids have been through all sorts of, you know, tech, starting when they were young, before they could even read. And you will have discussions at the appropriate level, like, oh honey, you gave your gaming password to the friend and they spent all of your hard-earned money in the game. Maybe don't do that next time.

Joshua Crumbaugh:

Yeah, we work a little bit with CYBER.ORG, and they get training, and they're, I guess, funded by CISA, but they help get training in front of K through 12 students, and they start as early as second grade, and that's the type of stuff they're training about. Who are you going to meet online? And the reality is that it's different scams, but they are absolutely targeted by scams from the youngest of ages nowadays, and I think we need to do more to get that training and start embedding those principles so that, by the time somebody's graduating from high school, it's the same as looking both ways before they cross the street.

Wendy Nather:

It is. And actually that conditioning can start with their very first exposure to tech. My oldest, like I mentioned, before they could read, we'd put them in front of a computer and they'd play a browser-based game. And one day we walked in to find them in the middle of downloading some kind of browser plugin, and they were sitting in front of it.

Wendy Nather:

And what I figure must have happened is, over time, they learned that if a pop-up came on the screen, there were usually two little rectangles. One of them was outlined darker than the other. That was the default and they figured out if they clicked on that one, it would make the pop-up go away and they could get back to their game. So that worked fine until the point when they were clicking on something that was trying to download a plugin, and they got to the EULA and there was no outline default. You know, it was either accept or decline and they didn't know which one to pick. And that's where we came in and discovered them. So they had already figured out how the interface worked, what they needed to do, what they needed to click on, without any involvement from us or, you know, again, without even the ability to read. We're all being conditioned like this.

Joshua Crumbaugh:

My takeaway is we're conditioning them from before the time they can read, to click through those security warnings.

Wendy Nather:

Right. To solve their problem. Wow, I hadn't even thought about that. Click on the default. You know, this is what you do.

Joshua Crumbaugh:

Okay, I don't know, maybe we are doomed.

Wendy Nather:

No.

Joshua Crumbaugh:

I joke, I truly don't believe that. Well, so one of the things we were talking about before we got started was role-based training. I'll open it up to you. Leave it just wide open. Do you have any thoughts on role-based training? I know it's a really complex thing and everyone has sort of a different opinion of how to go about it. So what are your thoughts?

Wendy Nather:

I'm really in favor of it. I had done some research together with the Cyentia Institute on security outcomes, on what sort of outcomes you are statistically likely to see based on certain practices, and one of them was role-based training, and those organizations that said that they did that tended to have more success in getting certain outcomes. And it makes a lot of sense. If you can go to somebody and say, look, here are the sorts of things that we care about in security, here's what you're likely to see, here are the sorts of decisions that we're going to trust you to make, and we would really appreciate it if you come to us if you see anything that looks funny from your perspective. This is going to be really helpful. I can tell you, as a former CISO, there was nothing better than having somebody come into my office and close the door and say, I think there's something you should know, because in a lot of cases that's how those breaches start.

Joshua Crumbaugh:

Yeah, no, I couldn't agree more. And there are so many of those business processes that are used against us every day, and so the more that we can have those conversations and customize training to that individual, to make sure that they're prepared for those types of attacks, the better. And so, to that point, one of the side subjects of role-based training, or sub-titles, if you will, I don't know what's the term I'm looking for, but anyway, what about role-based phishing? I think that that's something we need to be doing more and more, because I see it every day from the bad guys.

Wendy Nather:

Yeah, and that comes under the category of, here are the things you're likely to see, and we will say, by the way, they may try to make it look like something you would respond to, and so we just add that in there. And yes, especially with the automation that comes with AI and everything else, it's a lot easier to customize these sorts of things, to do your research on the sort of people you want to target, and this is why I always say to administrative assistants, you're probably the most powerful person in this organization, because you know what is going on. You have the power to do these things on behalf of other people, and people are going to come to you instead of to the person you represent, because they're going to ask you for help and you're going to want to try to help them. So just be really careful. You have an awesome responsibility with your role.

Joshua Crumbaugh:

And if I can get the assistant to trust me, everybody else in the organization will fall over. Yeah yeah, and you know, abuse of trust. I think all too often we only think about it in terms of, you know, ones and zeros, our digital infrastructure. But our human trust relationships can be abused too, and I think it's just as important that we educate our people about that too.

Wendy Nather:

Yeah, and even with the ones and zeros, I mean, trust happens between individuals, not between organizations. And so, anytime you are, I have a friend who is on the offense side, and not only does he take voice acting lessons, but he also takes improv classes to help him with, you know, the things that he's going to pretend to do when he is trying to get to somebody.

Joshua Crumbaugh:

So, yeah, no, I've been there, and I'll tell you, there's nothing like improvising when you're trying to not get caught. One of my favorite hacking stories was the time I almost got caught, because that's the first thing everyone asks you. Well, have you ever gotten

Wendy Nather:

caught.

Joshua Crumbaugh:

And it's like, well, sort of. But I had this one time where it was this big law firm, and we called up, and this is within like 15 minutes of starting the assessment, and we had found a help desk phone number there. Help desk guy, he gives us his username, his password, and he's a domain admin. So it's game over, we've got full control of everything, and we just started. Well, they're a very, very large law firm. And so they wanted us to test four different physical locations to see how their security was, from both the physical as well as a, you know, social engineering perspective.

Joshua Crumbaugh:

And they were most interested in the social engineering aspect. Well, we fail at the first three places, and I'm going to the fourth, because we sort of divide and conquer. And I say, well, guys, let's just guarantee this. We have full control of everything. Let's just throw it on somebody's calendar and make sure they're expecting us.

Joshua Crumbaugh:

And so, sure enough, they're expecting me. I walk in and she says, you know, hello. She greets me by whatever alias name I'm going with, takes me back to their server room, gives me the key, everything. I'm in, you know. It seems like it's perfect. About five minutes later this guy comes over and he says, who are you and why are you in my server room?

Joshua Crumbaugh:

And it turns out they had this really cool little low-cost security mechanism that I haven't seen in many places before or since, and it was just this pinhole camera on the ceiling that would email a picture of anyone that entered to all of IT. I mean, I had not planned on that, didn't expect anyone in IT, and so when he walks in, I go to latency. I always went with latency, I don't know, talking about milliseconds just got people to let me do whatever I wanted to do somehow. But I give him my excuse. He goes away. About five minutes later these really, really big buff guys come back and they say, sir, come with us. And I realize I am being bounced at this point.

Joshua Crumbaugh:

And as I walk into the hallway, it's just lined with people. I mean, both sides of the hallway are full, and word has spread that they caught somebody in their server room and that he's being escorted out right now. And so everyone flocks down. They want to see the drama and the excitement.

Joshua Crumbaugh:

Well, I have never used my letter of authorization up to this point, and I don't really want to use it that day. And so as I get out into the hallway, I'm like, well, it looks like they're looking for a show, let's give them one. And so I just put on this scene. I make an obnoxious scene my whole way out, and I'm able to get out without them ever asking me or trying to detain me. And they actually are a law firm that helps a lot of companies when they have cyber incidents, so they know a thing or two about how to handle this. But I like to tell that story because it's how I discovered what I like to call the denial of thinking attack, and that is, if you can entertain somebody enough, they will not think about security.

Wendy Nather:

Well, okay, Joshua, remind me what we're doing right now. Are we being entertaining?

Joshua Crumbaugh:

I hope so. Is that how we're doing?

Wendy Nather:

But no, you know, and you really bring up a good point, that training phishing response and social engineering response is a really good thing to add to your arsenal. If you train everybody in the building to be comfortable confronting people, it's not just going to help, you know, the response in the organization. It's okay if you fall for something. It's how you deal with it and respond to it and, you know, mitigate it afterwards that makes a difference. But that's going to help them in life. You know, anytime they see something that they think is wrong, even if it has nothing to do with security, going up to somebody and saying, excuse me, but no. It would be great if we could, you know, train more people to do that.

Joshua Crumbaugh:

I agree, I do. Well, yeah, no, I completely agree. I just don't know how we ever accomplish that, but I love it aspirationally. Okay, so a couple of, actually, let me just leave this more wide open. So, quick question for you. At the beginning we were talking about, or you shared the story about, how you tested it and they actually got worse. So how do you think we make training more effective with our programs? We've touched a little bit on role-based, but you must have some other ideas or things you've learned over the years.

Wendy Nather:

Oh, this is tricky because, you know, my reflex is to say, why are we training them? Why are we making this dynamic attack surface of people, of individuals who come in and out all the time, who all have different wetware, all have different circumstances, you know, it's all inconsistent. Why are we relying on them to be our main control, our main defense against this sort of attack? And so, from that perspective, you know, I would say we can try to improve it as much as we possibly can. But I can't help thinking that, you know, maybe we're fundamentally going in the wrong direction. I mean, I tease my red team people. I say, you know, social engineering is not getting a thousand people to click on a link. That's easy. Getting a thousand people not to click on a link, that is hard. And even harder is to redesign your entire system so it doesn't matter whether they click on the links or not.

Joshua Crumbaugh:

So I do agree that security is all about layers and training is only one layer, and if you're relying completely on training or completely on your EDR or completely on anything, you can count your days until you end up having a ransomware attack, and so it is very critical that we have all of those different layers.

Joshua Crumbaugh:

To me, I think it's that we want to prevent as many clicks as we can, but it's not just about those clicks when I think of training. I think we want to, yes, stop those clicks, but we also want to increase reporting and make sure that, you know, people are reporting as high a percentage as possible of the phishing simulations, because that tells us how much they're reporting of the actual phish. So we want to see that number be as high as possible. We want to reduce click rates to as low as possible so we have less to deal with. But I think the other element is it's not just put on the end user. Yeah, sure, we got in because of mistakes by the end user, but the reason we got access to everything was because of mistakes by IT, and it's so critical that we train IT about those mistakes to make sure we're hardening those systems, because I can't tell you how many times we took those mistakes and it got us around all the other security controls because of one mistake that an admin made.

Wendy Nather:

Yes, exactly. And so I hate it when people say, you know, users are the weakest link. No, I think users are, yeah, I think users are our biggest asset if we treat them that way. And so, you know, for improving that sort of awareness training like we were talking about before. Oh see, you already have a slide. That's great.

Wendy Nather:

I do, I do. You know, work on incentivizing the behaviors that we want to see, and that includes response and recovery, not just prevention. And we want people to feel comfortable, you know. We want it to be a safe space where they can admit to having made a mistake, where we reward them for reporting things, we celebrate things, and we say, you know, this happened, but we recovered with the help of these people and these people, and encouraging everybody to embrace it as not their problem to solve but as something that they contribute to helping with. And another great thing is, you know, to have discussions with people and say, if you were going to trick somebody, how would you do it? And let them come up with it, because then, you know, this is the theme that you and I are running into over and over again, that if they come up with it, they're more likely to believe it, they're more likely to own it, and it also triggers a wider, oh, there you go. Why am I even here? Joshua, you've got all this nailed down.

Joshua Crumbaugh:

No, I absolutely love it, and I actually think that that's a really great segue to driving engagement. I feel like so often it's hard, and one of the problems is that for the longest time, cybersecurity teams have only ever told people when they do horribly. We don't tell them when they do a great job. And you said we need to praise them earlier, and I think that, you know, that's such a critical element in driving engagement, is praising them. But to that, I mean, I think there are other ways to drive better engagement too, starting with one of them being just shorter, more micro training that really does adapt to the users' ever-shrinking attention spans and our social media lifestyles. But the other one I think that can help is gamification. What are your thoughts on either one or both of those subjects?

Wendy Nather:

Gamification is fine, except in my experience, it is often designed and purchased by people who don't have the right perspective from the end user side. And, you know, like I've seen too many bad examples of gamification where it was like, you know, "How do you do, fellow kids?", where they're trying to be cool and the person sitting there is just rolling their eyes, and pretty soon they get to, okay, how can I just cheat and get through this as fast as possible? So it's training them to do things that you didn't expect.

Joshua Crumbaugh:

Almost too juvenile, like, hey, here's a gold sticker.

Wendy Nather:

Yeah, yeah, all that kind of stuff, and oh, can you do this cool thing? It's like, no, I do not care about this.

Joshua Crumbaugh:

One area I think we can use gamification is around phishing. I've heard debate about whether or not we should tell people that we're going to phish them. I think there should be no debate. We should always tell people we're going to phish them ahead of time, because we can make a game out of it. And when we make a game out of it, we potentially take that negative situation that I talked about at the beginning, where that person that thinks they're getting a raise and instead they get in trouble, and we de-weaponize it. But I also think we can make a game of cat and mouse out of phishing and just make it a little bit of a competition or a challenge for the user, without making it so juvenile, if you will.

Wendy Nather:

Yeah, I mean, all the people I know who love a good football game and love just teasing each other. I am not a sportsball person, I never have been, but a friend of mine dragged me to watch a game at a bar just last weekend because it was my alma mater versus a team that he liked and he wanted a chance to give me a hard time about it.

Wendy Nather:

That's all he wanted, and we ended up not even watching the game. It was later we looked at the score. So yeah, if you can make it that much fun for people who enjoy competition (not everybody does), but if they're going to enjoy competition, let it be the sort that they like and not, hey, we're all going to play this corporate game, because in my experience that doesn't necessarily work.

Joshua Crumbaugh:

Oh, I agree, and I think, you know, the other thing is keep it positive, don't do a wall of shame.

Wendy Nather:

Do you know, a...

Joshua Crumbaugh:

Leaderboard. That's, you know, praise the people at the top, don't shame the people at the bottom. And I think that's what we want to do, because that way they strive, they want to be at the top, versus, you know, just making it a negative experience. But I think that really goes back to the whole carrot or stick thing. Oh, here we go, yeah.

Wendy Nather:

I know so.

Joshua Crumbaugh:

I got officially asked the question carrot or stick?

Wendy Nather:

I'm going to say yes to that. See, I reject the rules of your game. I try to use carrots wherever I can, and I will resort to a stick when I need to, but again, it's about having respect for the people that you work with and having respect for the fact that you're trying to implement something that they don't want, need or care about, and, you know, that's interrupting their day and getting in the way of something that they're actually trying to do. So you've got to cut them a lot of slack, and so, yeah, I will bring carrots, you know, every day of the week, understanding that carrots are going to look different for different people. I think that's the other important thing about training, is that people learn differently. They have different priorities, they come from different situations, and trying to adapt to what is going to work for them and is going to annoy them the least, I think, is a really worthwhile thing to try.

Joshua Crumbaugh:

Oh, I couldn't agree more, and I think a carrot is simply annoying them less too, you know.

Joshua Crumbaugh:

Hey, you did good, so I'm going to, I know you're annoyed, you didn't click, or when they report. Any opportunity to praise users, to me, is one of the most effective carrots that we'll ever have, and it builds their confidence. One of the behavioral science principles that I've sort of focused in on as being very applicable to cybersecurity, and in particular phishing and security awareness, is called learned helplessness, and it's interesting because there is this group of people that will come into your security training program very proud of their ability to spot a scam. But, and I've seen this happen, if you trick them too much, use too much inside information and just, you know, whatever, you get them to click, click, click, they can actually develop this sense of learned helplessness.

Wendy Nather:

They're going to give up. They're going to say well, what's the point?

Joshua Crumbaugh:

Apparently, I'm not as good as I thought I was. And as soon as they accept that, even just from a subconscious perspective, their attitude changes and they will become less secure.

Wendy Nather:

Yeah, yeah, that is so important, and again, it makes such a difference if you enlist somebody and say, look, I respect what you bring to this organization and I need your help. That makes such a difference compared to, you know, kind of staying at a remove from people and, you know, doing this mechanistic sort of routine and again playing gotcha when you don't need to play gotcha. I think there's so many different ways to redesign that.

Joshua Crumbaugh:

And I know it's hard to believe for most of my coworkers, but, you know, there are other intelligent people inside the organization other than just cybersecurity.

Wendy Nather:

Oh my goodness, oh my goodness, that's going to be the headline of this episode. I just probably will, I'll get in trouble: there are other smart people in the room.

Joshua Crumbaugh:

So I agree, I think carrot whenever we can. Actually, just yesterday, I got an opportunity to interview with this reporter from the Morning Brew, and it was exactly about this: when is it okay to use punishment, and how much punishment should we be using with repeat offenders? As opposed to me telling you what I told the reporter, what's your answer to that?

Wendy Nather:

Oh gosh. I think anytime you have to reach for the stick, you've lost to a large extent, especially since what you're ultimately doing is you're serving the business needs, and if the business doesn't want to punish that person, why is security trying to do it? That's my opinion.

Joshua Crumbaugh:

Oh, I agree. My answer was actually, my job is to communicate risk, and if that person truly deserves to be fired, there's going to be other reasons.

Wendy Nather:

Oh, good point yeah.

Joshua Crumbaugh:

And the only people that I would ever really want to fire aren't the people that are having a hard time but trying. They're the people that don't care. And the people that don't care. There's other problems, for sure.

Wendy Nather:

Yes, good point, excellent point.

Joshua Crumbaugh:

Um, this has been absolutely amazing. We are running a little bit low on time, and one of the segments that I like to have is just to really make it free form. I know that the longer I stay in this industry, the more pet peeves I develop. Like, my biggest one is "you can't patch stupid." I hate that phrase.

Joshua Crumbaugh:

I agree. For so many reasons, I won't even go into them. But what pet peeves do you have that maybe you can share with people that are trying to develop some pet peeves? Because I've had guests that didn't have pet peeves, and I feel like you have to after a little while in this industry.

Wendy Nather:

I was going to say wait, how much time do we have?

Joshua Crumbaugh:

I have a lot of them.

Wendy Nather:

I already named a few, you know, and I agree, "you can't patch stupid" is, like, no, you can't patch bad design. That's true. That's where we should be turning around. Yeah, I mean, one of the, I'll just leave you with one, one of the biggest problems that I've had with the security industry. Somebody asked me once if I could go back in time and change something about how we do security. I said I would have done away with the person who invented antivirus, because here you discovered a vulnerability in an application, and they said, well, you know, instead of actually just fixing the problem, why don't we slap something on top of it to try to protect it? And now we have a billion, billion, billion dollar industry with security spackle. Everybody's just slapping things on top of other things, and everybody wants to be the top layer. And as an industry analyst, I saw nothing but that. And by the time we got to the sort of product that my colleague Adrian Sanabria called a SIEM for your SIEM, I said, okay, that's it, I'm out.

Joshua Crumbaugh:

Wait, what? I didn't even hear about the SIEM for your SIEM.

Wendy Nather:

Yeah, that's what we, you know, it was another layer of analytics, you know, that filled in what a SIEM could not do, and okay. But the thing is, yeah, a SIEM for your SIEM. Okay, we're getting a little bit ridiculous now.

Joshua Crumbaugh:

So I'm guessing that goes to what you talked about at BSides New York a little bit, which was, and I'm probably saying this wrong, but largely around what we're wasting our time on in cybersecurity.

Wendy Nather:

No, really that. You know, we're trying a lot of things. Why are we working so hard? Why is it still so hard, and it's not getting any easier? Well, maybe there are things we are going about the wrong way, and so I list a few things. We need to rethink these assumptions, and anybody can do it. You can go, you know, I've been doing this for 20 years and we're still trying to solve this the same way. Isn't it time to rethink this?

Wendy Nather:

So I was trying to get people to question everything, including me. I said, you know, okay, stop listening to the boomer, because chances are I might've created some of these problems that we're dealing with now, or my cohort did. So it's really up to people who can think differently, and that's why we need everybody in this industry.

Joshua Crumbaugh:

I do like that, and honestly, that's where PhishFirewall came from, was trying to ask, you know, what are we doing wrong and how can we fix it? Because it's not working. And something that really stood out to me was just, most of the penetration testing and red team work that my teams and I did was largely driven by compliance, and the problem with that was we'd go in year after year. We'd issue the same report year after year. Nothing would change. I tailgated off the same guy one time for four years. Oh my gosh. Once I got done high-fiving everybody and laughing about it, it actually sort of really made me upset and a little bit sad that this was in the report year after year and it would never make it to that person.

Wendy Nather:

Yeah, yeah, and that's, yeah. So we've got to keep questioning everything. That's part of the learning process.

Joshua Crumbaugh:

I couldn't agree more, and I think we have to know what our metrics are and apply all of our vendors to that.

Wendy Nather:

Yeah, yeah, agreed. There's still so much to do. Gosh, I guess we've got to get back to it.

Joshua Crumbaugh:

We're just going to have to go work harder.

Wendy Nather:

That's right.

Joshua Crumbaugh:

All right, don't hang up just yet, but for those of you listening in, I'm going to have to end. Thank you for joining us. It's been a pleasure, and have a great day.

Wendy Nather:

Thank you.