Phishing For Answers

The Cyber-Psychology Connection: Futureproofing with AI

Joshua Crumbaugh, Founder & CEO of PhishFirewall


Uncover the fascinating intersection of human behavior and cybersecurity through the eyes of Tolgay Kizilelma, an expert in IT and cybersecurity. Explore how his career journey, from IT management to the pivotal role of CISO at the University of California, has shaped his unique perspective on the human element in cybersecurity. As we exchange stories, I share my own path from marketing to ethical hacking, highlighting the unexpected ways human psychology plays a critical role in both fields. This episode will leave you questioning the traditional approach to cybersecurity and appreciating the complexity of managing human behavior in a digital world.

As technology continues to evolve, so too does our relationship with it. Our conversation spans the generational divide, examining how different age groups perceive and integrate technology in daily life. We discuss the monumental impact of artificial intelligence, likening it to historical advancements like electricity and the internet. Our discussion navigates the potential and pitfalls of AI as it becomes an indispensable part of our lives and workplaces, and we stress the collective responsibility to educate and adapt in order to maximize its benefits while mitigating its risks.

Discover how maintaining the human touch in an increasingly automated world is essential, especially in the realm of AI security. We uncover strategies for effectively reducing risks through tailored training and the innovative use of gamification techniques. By making cybersecurity awareness engaging and relevant to diverse audiences, particularly younger generations, we equip listeners with the tools to recognize and respond to threats confidently. This episode offers a fresh perspective on how to address human vulnerabilities and harness AI's potential responsibly, ensuring a safer digital future for all.

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Joshua Crumbaugh:

Hello and welcome to another episode of Phishing for Answers. Today I've got Tolgay Kizilelma with us, and he is a PhD and a CISO and I'm really excited to speak with him and learn a little bit more about him. Maybe you could introduce yourself. Tell us a thing or two about you.

Tolgay Kizilelma:

Sure, definitely. Well, thank you for having me. I really appreciate the opportunity. So my name is Tolgay Kizilelma.

Tolgay Kizilelma:

I've been in the industry for the past three decades. You know, spent a good first part of my career in IT, managing IT in different industries, and then the second part of the last 15 years or so really start focusing around information security governance risk compliance. I've done my PhD in information security, patient safety, quality management systems. I worked in the cybersecurity field in different industries, worked for the University of California for multiple campuses as their CISO, Chief Information Security Officer. I work in healthcare. Currently I'm the director of our Dominican University of California, the Master of Science in Cybersecurity program. I also do teach data analytic courses and GRC governance risk compliance courses at the program. So education awareness is really something I really love like and it's my passion, and really trying to give back to the community during at this point in my professional career and really engaging with community events conferences take place, attend and keynote speakers but overall it's really. I think trying to raise awareness is really what I'm trying to do nowadays with my professional career moving forward and education is a big part of it.

Tolgay Kizilelma:

Our program at the University is really focusing around that around the business aspects of cyber cybersecurity implications from a business consequence impact perspective, but also dealing with the social aspects as well. So thank you.

Joshua Crumbaugh:

So I have so many questions after that intro. Let's start with how did awareness and that human element sort of become your passion?

Tolgay Kizilelma:

You know, it actually started when I became the CISO at the University of California, one of the campuses. Looking at the problem, I had my major as a computer engineer back in the 90s. I always focused around the issue, around technical. I thought, okay, technology is always a problem. But then soon I realized late 90s this is not the case, it's always the people.

Joshua Crumbaugh:

Human issue.

Tolgay Kizilelma:

Exactly, it's always a human issue, right? So dealing with the technical side of the equation is always easier. It's just a matter of budget, money, all that, but dealing with people, the soft skills and awareness policies. This was back in 2016 or so. I realized, okay, you know, the tools are there, but dealing with people, managing people, raising that level of awareness, addressing the human element, is not easy, because, by our nature, right, humans are different, people are different.

Tolgay Kizilelma:

Everybody has their own personality and their character, and you cannot treat everybody at the same level with the tools. Technology is straightforward. You know, if something works, it works, and two plus two is four. But humans are not like that. So that's when I decided to focus on the human element. You know, awareness, education and how can we really make a difference? What do I need to do? And that's really this idea of, you know, launching a business focus around human element, the program that started in my mind, but yeah, that's a good, I say 10 years ballpark.

Joshua Crumbaugh:

So that's, that's fabulous.

Joshua Crumbaugh:

My story is a little bit different, but arriving at very much the same place.

Joshua Crumbaugh:

I well, way back when I went to school in the first place, the school that I went to didn't have a good computer science program.

Joshua Crumbaugh:

I taught myself to code back in high school. I was actually pretty good, and I felt like I was taking a step backwards, to antiquated languages at the time, just because a lot of programs or that program did not keep up. Anyway, that led to the marketing dean grabbing me and saying hey, you should go to school for marketing, which is something I had never considered for my life. I ended up going to school for marketing, though spent a good bit of time in marketing, until I learned one day that ethical hacking was a thing and I quit my job and I'm like I'm going to do this. And it wasn't long before I had a new job in the industry and then, not long after that, I was running one of the top teams in the country, and that's when I quickly realized how much all of the marketing stuff that I had learned applied in social engineering and how it made me really really good at breaking in.

Tolgay Kizilelma:

You know, I think you just touched on a very good point. You know, most people think, you know, cyber, cyber security, is a technical issue, right, contrary, right, that's really not the case. I mean, there are technical elements, obviously. I mean this is our topic of phishing, social engineering. It just, you know, surfaces the human element, all the non-technical stuff, and that's why, actually, there's a huge gap in the industry and more people think, oh, I don't have the technical skills, I'm not an engineer by education nature. But they're wrong. Right, and that's also part of the education awareness, because the human element is important. The non-technical components are very important for us to deal with this issue, for the business level, at an individual level, and I think that's part of the education awareness items that we're trying to address. Make sure people understand everybody can contribute, everybody can educate them, so everybody can transition to cyber domain. There's a huge skill set lack, of a gap there. But I guess we can discuss those further.

Joshua Crumbaugh:

Oh no, I love it. I think it's all really good stuff. For me, breaking in, you do the same thing again and again, and again, and you see no improvement to human security, and that, to me, was what led to it. I hear everyone in the industry with their favorite phrase being you can't patch stupid, and I really just felt like we could do better if you will, and so that's how I developed my passion and so, because I'd done so much social engineering, I looked at it more from a how do we use social engineering for good perspective? And that really just led to oh, there's this huge thing called behavioral science. We should just look at it; it's researched almost all of the questions that we're asking, and I don't know.

Joshua Crumbaugh:

To me, that's where my sort of passion came from, and I find it interesting to find where each person draws their passion from. So, on the human element, there's, well, there's so much to it. Since you teach future leaders, what do you teach them around the human element as it pertains to management? So you know, for me, as a manager, there's a huge role of the human element there too. It's not just, uh, you know, with the users and stuff like that.

Tolgay Kizilelma:

Yeah, I mean, obviously it's a complicated issue, it's not easy, right, there's no silver bullet, but, again, it's all about awareness. It's something if you don't know something right, you don't know about it, so you start learning about it, discovering, finding and trying to find out what you don't know. And that's really the purpose. And with this, around the human element, the human risk, I think the one key thing is you know what we do, why we do, how we do right? Those are the key questions we ask and in this society that we have today, organizations that we work for, businesses I think we also first need to understand the purpose. Why, right? Why do we do you know, why do we work for this business? What is the business purpose, the mission, vision, all those things.

Tolgay Kizilelma:

I think understanding those high level overarching, you know, oversight, governance is very important. If you don't know those things right, if you don't understand at the lower levels and the leadership says, oh, we want to do this and there's a gap right in between, we're not going to go anywhere. So I think that's very important, that alignment that I call the pyramid, right at the highest level, the leadership structure, you know, the stakeholders, the board, the management and cascading all the way down to the staff, to the you know level up and eventually it's just one. You know a pyramid structure so that anything you are doing, whether it's, you know, technical, non-technical, you're doing the right thing in the right way. Uh, the other, I think, element we want to make sure our students really understand around phishing, social engineering and anything else around the human element is it's always a risk issue, right? At the highest level, you're trying to create value for the business, that purpose we mentioned, but because you're in business, there's that risk, right.

Tolgay Kizilelma:

I mean we don't say, oh, it's not 100 percent, uh, risk-free. There's always that risk element because you're in, you're in business, so you have to deal with that risk element, the risk management and every organization is different. You have to understand. And the reason every organization, business, they're different is because they have people right in the work and then they create the culture, their cultural elements, the structure is different, the characteristics and the personalities are different, as I mentioned. So how you address the risk, risk management when you're doing business, when you're creating value, is different. So that's important to understand. Everybody again, at different levels. Cultural aspects are important. One organization, one department, one leader might be risk averse versus risk aggressive. So that's another important element.

Tolgay Kizilelma:

And of course, you know in businesses, the landscape we have. You have to do the things in the right way from a laws, regulations, perspective, so businesses don't exist in a vacuum. You have to interact with this political environment, the technology, the social aspect, the landscape and regulatory and economic, all those things right. The dynamic nature is important, so you have to be compliant. Compliance element is important. And also, of course, at the end of the day, humans are humans. We are curious, the uncertainty is there and that kind of vulnerability that we have. That's the weakness, Because we're human. Right, we just say we're human, so that allows us to make mistakes. And it just is a matter of when you kind of bring all these things together and try to answer the questions of why, what, how right in your own context and make sure you understand that there's a balance between how you create value and how you address the risk, how you address the security, privacy, you know all those things. It's really a balancing effort and obviously leadership at the highest level is important, the support and engagement, and it needs to go down all the way and that gap should not be there.

Tolgay Kizilelma:

And once you do this then I think slowly you get there. But this is not a reactive approach. You also have to be proactive. It has to start early. Things change. There's a technology component. Education, training is a big part of it. So ongoing learning is very important. We didn't have, you know, Gen AI, ChatGPT, like two or three years ago, but now where we are, it's a huge difference. You know, completely different environment. So adaptability is important.

Tolgay Kizilelma:

Right, Ongoing technologies, you know what we have yesterday we have A, we're going to have B tomorrow, but for humans, the weaknesses we have will continue. But our focus on learning should never stop, so that we know about the technology, how to use them, how to get the most out of it, how to assess the risks associated. So that's really what we're trying to do for our users too.

Joshua Crumbaugh:

I mean, I think AI is the greatest example of why, as cybersecurity professionals, we have to constantly be learning. Look at how quickly technology is evolving right now, just at a phenomenal rate. We've gone from you know almost that I guess we had generative AI a few years back, but it was terrible. And now we have generative AI that can go out. And I mean just this morning I went to Google, I told it what I wanted to research. It presented a research plan and then it went out and looked at 167 different websites and returned to me a 30-page document on what it found, with links and references and everything. I mean, it's really impressive what it can do. It's pretty, almost intimidating when you look at some of the industries that it has potential to just completely disrupt. But I think to me it brings a lot of risk and we we have to understand that risk and we can't just say, well, you're not going to use generative AI because they're going to use generative AI, regardless of what you say.

Joshua Crumbaugh:

So that's you know. One of those other social aspects is you know how do you convince and and make users want to be more secure, because you know just to me, cracking the whip doesn't really work. Actually, that's a great question that I like to ask everybody and get their opinion on. So if you were to only have one carrot or stick, what would you choose and why?

Tolgay Kizilelma:

Yeah, that's a good question. I think the answer depends right, that's always the right answer. I think it depends on the context, the industry.

Joshua Crumbaugh:

It's not black and white like this at all. That's right.

Tolgay Kizilelma:

So there's that gray area always. So I think the balanced approach always works. But in certain industries, carrot might work better. In certain other industries, because of the laws, regulations, you know, there's so much at stake. You know, maybe sticking more, but I think, regardless how you look at it, you have to use both. It's just the degree, right, how you balance both. That's important. And also, uh, back to, you know, the point around the carrot, stick and, you know, the consequences. Make sure you have your policies and all those things. And, coming back to the basics, right, the what, the why and how, make sure your users and your employees understand that it's all part of the culture. And again, going forward, technology will only get better, right, will only be more pervasive and will be part of our lives.

Tolgay Kizilelma:

Younger generation, I don't know what the latest term, Gen, and I stuck with the millennials. Yeah, I don't know what it is either. Yeah, I said X, Y, Z, my younger son, and he started sliding when he was three. So, younger generations, they use, they live technology. You know, generations like ours, right, we use technology. So there's a difference. You know, they use, they live it, we use it. So, and going forward, these, you know, advances in technology will become more and more and, you know, be part of our lives. I think it's really we're going through the transitional phase for again. It also depends on what generation that you belong to. Definitely going through a transitional phase right now.

Joshua Crumbaugh:

I would agree there. I think AI is going to change everything.

Tolgay Kizilelma:

Yeah, AI itself is a huge thing. It's a milestone, right. It's an inflection point, I think is what I say, just like how we today use electricity, water, right, we just take it for granted, it's there, we turn it on, use it. I think we're going from a technology perspective right. The way we use technology. We had those milestones in the back in the past, I don't know 40, 50, 60 years and the computers, mainframes and web and all that, right? The AI, Gen AI going forward is one of those major milestones and things will never be back the way they were right. That's reality. We have to accept it. So only thing we can do going forward is educate ourselves. And that's also that generational differences. Certain generations have less you know, knowledge and skill because of their you know generational status versus younger. So and that's the context, so we need to learn more. We need to find out more about the risk, how we use it, how we create value and really bring ourselves, collective society, right up to the level, and then it'll take time. That maturity issue, I think, is important. We're still in the early phases of that, you know, maturity life cycle, but we're getting there, you know, step by step. You know, think about the two or three years ago, when it came out what we were doing, and think about all the things we were doing now, and there's a huge difference. And this gap between.

Joshua Crumbaugh:

Well, I rely on it every day. I mean I don't have AI employees yet, but I mean that's been the talk of all the news this week, is I think it was the NVIDIA CEO who says AI employees are coming this year. Uh, and I would agree. I think that agents are almost to that point. Uh, but to me, the big core issue still with them right now is their lack of memory. Um, and until they fix the memory problem, the fundamental memory problem for all of these large language models, I really don't see them being able to join the workforce.

Tolgay Kizilelma:

Yeah, I mean, I think we kind of can imagine, right, what is possible, what is feasible, because now and these are the things that we were not able to think about and imagine, let's say, 40, 50 years ago, right, but now we can think, oh, that's possible.

Joshua Crumbaugh:

I will say I met the CSAIL group at MIT, their AI, I guess outreach group, so they try to bridge the gap between industry and academia and I was talking to them and I'm like, well, when was your group founded? And it was like back in the 60s or maybe even the 50s, and it was just impressive and I mean, and AI has been about to take over the world since the 70s, I think, when the first AI beat somebody at chess. But, like you said, it's an inflection point. Now, back in the day, it was just something we talked about. It wasn't something that people relied on. It wasn't something that you would freak out about if there's an outage. Well, now, if there's an outage, there's tangible outcome and loss that comes from that, and so we are seeing a lot more people start to rely on it. It's interesting for sure. That's definitely right.

Tolgay Kizilelma:

I mean I think we need to make sure that difference between AI versus Gen AI.

Tolgay Kizilelma:

AI has been out there for the past 60, 70 years. It's not, it's the Gen AI so, and some people use it interchangeably, which is not the case. But you're right, I think it takes time for us to adjust ourselves, to get used to it. And you know, yeah, we had our lives and businesses when Gen AI wasn't there, just like in the old times when electricity wasn't there, when water wasn't there, we still lived our lives. Right, the infrastructure.

Tolgay Kizilelma:

But more and more as we use them, more we become more dependent, and that's really the thing. And that's why, if something there's a disruption, right, and nowadays, the digital connectivity 24-7, all those things make these things a big item. If something goes down, our lives, get you know because of this dependency disrupted, we cannot, I mean, think about electricity goes down. Nobody thinks about that nowadays because we're so oh, it's there, I turn it on, it's up and running all the time. But think about you have this disruption for a day without electricity, without water.

Tolgay Kizilelma:

So, AI, I think we're going to that direction. For the next five, 10 years, we'll become more dependent and reliant on things from a business perspective, from an individual perspective. Of course, there are physical elements. Right, it's not all about digital, like how AI, Gen AI, with robotics and things, serve, uh, make our lives easier and whatever the things, you know, tasks. So there's that juncture between, you know, digital, uh, you know, and the physical element. Of course, there's still much to be done in that area, but I think uh what's that's going to skyrocket quickly.

Joshua Crumbaugh:

I mean, did you, you're right? You're right? Did you see that new AI that allows you to train robotics in a virtual world so you can run millions of hours worth of simulation to get them better at physics and just basic things like that? I thought that was a very interesting and cool use case. But I mean, there's so much around that, I mean, and it's largely thanks to our new computing abilities. I mean, even when you look at the large language models, we've had neural networks forever. We just didn't have neural networks that could run this many computations per second.

Tolgay Kizilelma:

Yeah, the circumstance was they were not right. So when the certainties come together, right the past, whatever years, it just the ideal conditions happened and now, as a result, we kind of took that leap and moving forward. Of course, we just have to again in those milestones, when you know the train, the locomotive and the engine, all those things, those major milestones throughout the history, and again we're going through those, one of those major milestones. It's just a matter of adjusting our lifestyles, it's just a matter of learning about it. And this transition will take place, is taking place, and we just need to really, you know, make sure we're moving in the right direction, understand the associated risks, learn about it and see how we can really integrate it to our lives as a society, business and individual lives.

Joshua Crumbaugh:

Yeah, no, I imagine in the very near future, computers won't have a keyboard and mouse anymore. It'll be all voice driven and the keyboard and mouse will be more for, like, maintenance, if you have to break it out, but I mean, that's the direction that we see things going is as all these voice assistants get that much smarter. So it's fun to think about. But the other part of this is what about the threat? What threats are you thinking about as it pertains to AI? Sure?

Tolgay Kizilelma:

You know it's really. It makes it easy, easier, cheaper, right and the attacks coming from different directions and you just need to All directions.

Tolgay Kizilelma:

Yeah, all directions. You need to protect yourselves at the business level, your individual level, at the national level, right? So it's very important and technical elements are always there. Of course, there's a certain level of automation and using technology, but at the end of the day, there's always currently at least there's the man in the human in the loop element, right? So as long as we have that human in the loop, hopefully we'll always have that that human nature. You know the risk around humans will always be there. It was there yesterday, it's there today, it'll be there tomorrow because we really want to make sure humans are in the loop as much as possible. And as long as humans are in the loop in this whole AI, you know life cycle going forward in AI attacks, focusing around humans and human nature, around our weaknesses, our vulnerabilities, you know we'll still be discussing similar issues. Technology will change but because of the human element, we'll still have the same issues going forward.

Joshua Crumbaugh:

I agree with an asterisk. I guess I do agree that to some extent you're never going to fully mitigate that human risk, but there is a lot of that risk that you can mitigate. And uh, and I look at like we run phishing simulations for all kinds of different companies and I look at the ones that are sitting at 0.5% phish click rate and uh, and it has this ripple effect. And I don't think it's just about that.

Joshua Crumbaugh:

One of the things that I studied that I found really fascinating and I've focused on quite a bit is identical elements theory, and it's this behavioral science principle that talks about why you will, after you buy a new car, you might see that at every other light. You know shortly after you buy it. It says that once you learn about something really well, you'll see it everywhere. And then when you look at one of the core purposes or functions of the subconscious, it's to protect us, and so that's where reflexes and things like that kick in.

Joshua Crumbaugh:

And so I look at identical elements theory as our way to implant these human virus definitions, when we make somebody really aware of urgency and how it's used against them, of authority and how it's used against them. Then, all of a sudden, the next time they see it or it happens to them, their subconscious says whoa, red flag, red alert. There's something wrong here. So I do agree that you're never going to get rid of all of it, but I will say I think you can get rid of so much if you do training right. But also there's a ton of studies that show that if you do training wrong, you may as well just waste your time because you're not actually having any improvement.

Tolgay Kizilelma:

No, I definitely agree with you. I think you know the issues that we have today with the technology, especially with AI, Gen AI. So much can be automated, so many of these problems can be dealt with. Because we have so much data and humans, it's not possible for us to deal with them. And this is really what the machines are good at right, it's about the patterns, it's about the machine learning, those type of things. So the automation aspect is good, but we cannot automate everything from start to finish, all the way the life cycle. So there has to be that human control in the loop somewhere so that, because of the consequences depending on different industries, right, it's not 100% secure. It's not 100% right Because there's always that risk and again, depending on the training data, and again, garbage in, garbage out and different data, the poisoning. So there are risks associated with the use of AI, Gen AI and the consequences, depending again if you're in health care, for example. So if your model is basically attacked and manipulated, the consequences can be deadly, for example.

Tolgay Kizilelma:

So, you have to take things a bit step by step but at the same time realize there's no turning back. Governance, I think, is a big issue and I have to understand there's always two sides of the coin. We want to use it for a good purpose, right, and there's third parties and hackers and attackers. They want to do it for their own use and it makes it much easier for them, cheaper, so it's just going forward. How do we deal with this new environment when we have so much to deal with, when we have so much to lose, yet at the same time, we have so much to gain for value, for position purposes?

Joshua Crumbaugh:

Well, I mean, I think the problem is also the solution, and it's one of those weird double-sided things, but it is the reality. We're going to have to fight AI with AI or we will get run over. I am convinced of that. Okay, so another area that I like to highlight is role-based training. But before I even jump into that, one of the things that a lot of guests bring up is that you have to make it personal. So tell somebody about how to stay safe at home so that they care in the first place, and I think that role-based training is the exact same as that. Just one is connecting the dots to make it personal for them at home, and another is connecting the dots to make it personal for them at work. But I've also seen that there's a lot of different ideas around how role-based training should be done, what types of role-based training should be done, and stuff like that. I'm curious what are your thoughts around role-based training?

Tolgay Kizilelma:

So I think you touched on a very good point right At home, because we want to make sure people have that, you know. Answer yeah, what is in it for me. So, if we, what we do at work, if they get value out of that as a training, education, whatever, right. However, we deploy it, if they can use that for their personal lives, then they will be more committed. And if they understand that question of what is in it for me, yeah, we want to do all these things and phishing campaigns and different programs and awareness, but it's all about change management, too, right, if they want to, they want to make sure we want to make sure they are aware of this change we're going through. We want to make sure people will be addressed, that their desire, that what is in it for me?

Tolgay Kizilelma:

Question and, of course, everybody's situation is different, as I mentioned, personalities, character, that people are different and we need to be able to tailor and adjust. And communication is like that, too right. When we're engaging with, you know, individuals and departments and businesses, we need to be able to customize, tailor and at this point, if we have, you know, our whole workforce, that means we have, let's say, a thousand people, thousand different personalities. Our you know campaigns, awareness, training, educational programs need to take that into consideration and modify that for everybody, based on their background, based on their skill set, based on their position, based on what matters for them, based on their projects, so that they really uh, you know, like the idea, they really commit, they really want to learn. If they're not involved, if they're not really committed, there's nothing you can do. I mean, you can have the latest technology, right all the bells and it's not going to matter if the people are not part of the equation, part of the solution.

Joshua Crumbaugh:

Absolutely Connecting, it is so powerful for them and making sure. I mean I think just you know, so often people will, you know, come up after I do like a security awareness, training and a story will come up about their elderly parents and and that really demonstrates that's where their heart is and that's how you reach them.

Tolgay Kizilelma:

Yeah, you know, actually you mentioned about the elder. So I'm part of an organization, I'm the president of our FBI Sacramento Citizens Academy Association. We did an elder training, elder fraud with local law enforcement and I couldn't believe the stories that I heard. So, even if it is like at an individual level, the things that they go through, the social engineering and the impact, the consequences it had on the society, on people, on the families. So, again, what we do at work, the training, education we provide, we want to, again based on the role-based training implications, uh, and this, this elder aspect is very important.

Tolgay Kizilelma:

That's a very and most organizations don't use that and it's a, it's a part of our lives. We have all parents, right, our uh, moms and dads, and you know grandparents and grandfathers. So that's basically and I, I know organizations where they use that very effectively. They basically create charts and graphs and you know gamification, whatever. Focusing on here's what you can do, right, it's the same technology, same tools, that protects the business stuff, the, the data, all that. But it also helps them protect all their financial, institutional resources or their identities, for example for elder, for their parents, so they can take the same knowledge, same information, same training and apply at home. So I think we need to kind of think out of the box and we need to partner with other institutions Local law enforcement always have good resources, obviously because this is really a major, major problem affecting, impacting everybody.

Joshua Crumbaugh:

I got an opportunity to speak with the or at the FBI, our local FBI's working group, out on base and AI working group and and at the end of it, the I got to this agent was driving me back to the base gate and and she works largely in cybersecurity or cyber fraud and it was just insane the stories of just the emotional and financial turmoil that these people went through and it wasn't just elders, I mean, it was anyone who was vulnerable in any way and they're exploiting those vulnerabilities at every single point. And to me that's the terrifying part is that now that it gets better and they can call up the elderly on the telephone using their grandson's voice, it doesn't even take expertise or real super tech knowledge to be able to do that. I mean, all you need is a laptop not even a laptop, a tablet and you can do that.

Tolgay Kizilelma:

Well, yeah, unfortunately, yeah, with all the benefits we get from the current technology, that's the downside of it is, you know, deepfake and the way it's being used. Unfortunately, you know hackers to third parties. They don't really care, right, they're all in for financial gain, reputational damage and the emotional toll that it leaves on the people, the identity, financial loss. These are all the things and it's very easy. So, if you think about it, if you're one of those people maybe again, elderly generation differences who's not using technology that often, very easy for them to become a victim, right, it just takes one phone call from your granddaughter, right, saying oh, I'm in prison, whatever, I need this money transferred, otherwise, right, and then they do it because, right, it's humans' response and it's that fear and unfortunately we see a lot of cases around this. It just is going to take some time for us to get there. Awareness, education, it's a collective effort. Obviously we need to do it together, but it'll take some time to kind of pass this transitional phase.

Tolgay Kizilelma:

It's a new era, especially with the AI generic component, the way I mean you can't really rely on the video that you see on the internet, the phone, the voice that you hear, unless you hear, you touch physically, the person is in front of you. There's no 100% guarantee, right. And, depending on what you do, the implications, whether it's a financial, your identity or emotional, you have to take those proper measures, right. Whether it's calling and making sure, confirming, so there are all these things. Obviously it's all part of the learning and there are so many resources out there. You can basically, what do I do with this current environment? Right about these topics? What do I need to learn? And that's really the key we need to push for different people, for the organizations. They need to do those right things in the right way and it's all part of the learning process for some. I agree.

Joshua Crumbaugh:

And I think it's that learning is so critical. I actually got a call the other day from a buddy of mine and he says hey, I have this friend and he tells me about this person that was actually showing up in person to these elderly homes and, you know, convincing them that their money wasn't safe, getting them them to go withdraw every penny, and then they would hand it to him and he'd just walk away. Um, and you know, I guess, conveniently enough, never uh on camera, at least not good enough for anything that the police could use. So uh certainly seemed to know what he was doing. And and my friend says hey, you know, I called you because I figured I know you care about this subject and I thought maybe you'd want to do something about it. And uh, and so we're actually working together on a side project to uh to see about putting together some, uh, some training that we can I don't know try and get in front of.

Tolgay Kizilelma:

I think one thing I'm going to mention is important: we cannot, if you don't do those who have the knowledge skill set, right, like ourselves, if you don't contribute, if you don't, you know, provide that support, right, I'm not talking about financially, part of our communities, we have to go tell people like that actually should be the first part of any security awareness training is everything I tell you you need to take home to your parents, yeah, but also, I think cybersecurity professionals who have that background and experience know, right, we need to, I think, be also very active, the better.

Tolgay Kizilelma:

That means being part of an association, part of a board, part of a volunteer entity. Right that to educate the society, to educate the community that we live in we need to do that.

Joshua Crumbaugh:

That's what we're doing right now on the podcast Getting out there into the community and talking about these things.

Tolgay Kizilelma:

It's our collective power.

Joshua Crumbaugh:

So many people all the time will talk about gamification, but I'm curious what your thoughts are about using gamification inside of security awareness.

Tolgay Kizilelma:

Well, I think that's also a personality thing, right, think about the younger generation. You know the people who are in the workforce. There are different levels. I think that we have at least five different generations in the workforce today at least. So some people, some, uh, they like gamification because they're into some maybe not, but I think it's. It's also, uh, the visual aspect. So that's how I look at it.

Tolgay Kizilelma:

I do teach data, storytelling, visualization. I think that that has a big impact. So when you gamify something, you're really making the audience, the employee, the user, more involved and more committed, more aware, paying more attention, because of the even I mean at least the visual aspect helps, of course, in a part of the gamification. Certain people, depending on their personalities, maybe they like to be, they're very competitive, for example, they want to be, they want to be the person of the week or the month or what that right. But certain people may not. But still, the visual aspect of how you provide these trainings and educational awareness programs is very important compared to the usual traditional, I don't know, once a year training programs. So, and again, it's doing it the right way and gamification is definitely one of those ways, because of the visual aspects. Because of the interactivity and if people are involved right, it's easier for them to pursue through the gamification, to learn, to exercise, to practice. It makes the learning process easier.

Joshua Crumbaugh:

Yeah, there's a lot of like gamification products out on the market that like literally have these little video games that you can play. I personally not a big fan of those, but when I discovered or really discovered, the need for gamification rather was, I don't know, somewhere around my 10 million phish. I don't really know the number, but when you send a bunch of phish you inevitably at some point will get somebody upset with you. And so I've, at this point in my career, run hundreds of millions of phishing simulations and early on, with particularly those more sensitive phishing simulations, I would have people get mad, yes, and I would get this call and I'd explain well, this is why we're doing it, it's important, we got to do it and you know all the normal stuff that you would say.

Joshua Crumbaugh:

But I realized that this is a negative user experience.

Joshua Crumbaugh:

We just promised Kathy from accounting a raise and she wants her raise, not to get in trouble for clicking on a phish. And so I thought at that point, what if we gamify phishing? We say, hey, let me tell you about this threat, this type of phish that pretends to be from your HR team, and then we say now be on the lookout, because the next time you see it it could be me or it could be the bad guys trying to get you. But we gamify just that experience of phishing to take the sting out of it and also I think it, in my opinion, helps to create this hypervigilance. You tell them the phish is coming, they're on the lookout for it, which means they're less likely to fall for it when it, if a real one actually does come, and uh, and I think that at the end of the day, that's the goal, and if they spend enough time being vigilant waiting for that phish, all of a sudden it becomes second nature.

Tolgay Kizilelma:

Yeah, no, I completely agree. And again, that also, as I mentioned, is kind of very similar to the change management, change process, the awareness. So if you're saying you want to make sure people are aware and phishing nowadays is part of our lives, it's happening. But if you tell them, if you notify them, they are, they become aware. And you want to make sure you address that desire component. So, look, this is happening, this will come today, tomorrow, when we don't know. But this is coming, so that you are aware, you know and here's the reason why you want to pay attention for the carrot or the stick. That's that's important. So that, so that they know what is in it.

Tolgay Kizilelma:

For me, right, you need to make sure very clear to them, addressing the desired component, but at the same time, going one level up. Is the knowledge, right? Yeah, they are aware, they know it's coming and they might have the desire based on the stick or the carrot. But do they know what to do, what not to do? Right, how to recognize those patterns and click on the link or open the attachment or not to. So that's the knowledge and ability. So you have to provide that as well.

Joshua Crumbaugh:

And those are the human virus definitions to me, making sure that they understand those basics. At the end of the day, there's what 10 principles they need to know to avoid clicking on a phish. It really isn't as complex, I think, as we sometimes make it. Now I'm noticing we're running out of time and I know before the show we were talking and you have a little bit of a soapbox, something you're passionate about. Maybe you could talk to us a little bit about that.

Tolgay Kizilelma:

So, essentially, it's really how we you know being more proactive about these awareness, training activities. I kind of draw similarities when, like for kids, for example, when you teach them new habits, new, new skills, it just starts at the early age, right, they learn. You're being proactive. It takes time and effort. Uh, so it's I. I think it's more like a risk, risk, risk management, right, versus you're trying to identify, you're trying to protect them. So, with phishing, this is not new. It needs to start early in the process so that we're not being reactive to these incidents in our organizations. Yes, I mean today, where we are, we have to deal with that. But this issue going forward will only get increased that how we educate, how we provide training, awareness programs to our kids, starting as early as you know, four or five, six years old, so that While we're asking them to look both ways before they cross the street, before they click a link.

Tolgay Kizilelma:

You're right. I mean we tell them don't talk to strangers, right? We provide these basics, so that we protect them.

Tolgay Kizilelma:

And in our current, you know landscape, the business environment today, right, with the technology being part of integral, the dependable line, that's another, you know element that we need to protect and that's when we need to start. Otherwise, you know, when this, when they become, you know, 20, 30 and kind of joined the workforce, the behavioral aspect, it's not easy to change right, we need to start addressing that element very early. There are programs out there starting K through 12, but as families, we also need to educate ourselves. There are a lot of resources out there, as I mentioned, you know FBI, CISA, Cybersecurity, Infrastructure Agency, and you know our organizations and that's the other thing, right, our organizations, all the resources and materials. Let's take it, make sure how to use online, online safety for our kids, right, so that they learn at a very early age and then after, as you mentioned, it becomes a repetition, right, that's how you, it becomes a second nature, so they recognize something when they email oh, this is phishing right away Versus, you know, 30, 40 years down the road.

Tolgay Kizilelma:

If technology comes in, those old habits is not easy to change. I think that's one thing we want to do. So I kind of draw similarities with this is the CSF, the how we be, how we become very proactive versus, uh, respond to incidents after the fact, like be a bit more reactive. So we should, I think, be more proactive and deal with this, especially for our kids, so that when they join to the workforce they know what to do there, that it becomes easier for them to handle these. You know changes, technology related changes.

Joshua Crumbaugh:

Yeah, well, hey, we should be teaching it in school. I, we actually got a chance to work with a CISA-funded group called CYBER.ORG to help them create some content at those younger grades that teachers will play in the classroom, and so we were really excited about that. Because, you're right, we need to be teaching it when people are younger, not waiting until they're entering the workforce. It shouldn't be that our oldest people and our youngest people are our two most vulnerable groups. Oldest I get that. That's acceptable. Technology wasn't always around.

Joshua Crumbaugh:

But for the youngest, they've always had technology and you know, the threat's always been there. There's always been predators in the game chats and online and in the chat rooms. So even for this younger generation, that's callous. The threat's been there. But I think we as a society have not done enough to educate people when they're young and educate children, and we're seeing it now in the whole social like political environment, where there's a lot of talk right now about protecting children on social media and things like that. So I'm hopeful that with that comes a little bit about let's train them of the threats yeah, I mean actually with that.

Tolgay Kizilelma:

I remember I think it was Australia they passed a law for kids yeah yeah, in result to abandon using Florida or Oklahoma or something like that.

Joshua Crumbaugh:

Yeah, I mean, there's that the governmental uh, law x uh too.

Tolgay Kizilelma:

But eventually, at the end of the day, right, there are things we have to do as families, there are things we have to do as businesses, there are things we have to as the government at the highest level. It's again all about the awareness, education, training. Uh, if you don't know something, you know there are resources out there that you might just ask ChatGPT to learn, I guess at the GenAI. It's just a willingness to know what we don't know. We cannot afford not to know anymore.

Joshua Crumbaugh:

No, and to your point about ChatGPT, that data is readily available. Heck, I had Google write a report for me on advanced pen testing tactics and it nailed it spot on with the exact controls. So, like, even obscure data is right there if you know where to look.

Joshua Crumbaugh:

And it'll only get better. Oh, I agree, and quickly. I mean we're looking at these models that are being trained at one tenth of the price. That means smarter models. So yeah, no, it's been fabulous talking to you today. Thank you, this has been another great episode and for the audience. We'll see you again next time.

Tolgay Kizilelma:

Thank you for having me.