Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Phishing For Answers
Users Are Not the Enemy: Dr. Angela Sasse on Human-Centered Security
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Awareness Month Without The Circus
SPEAKER_01So if you've if you've got this idea of the cybersecurity awareness month, you know, are we are we going to take all our employees off to cybersecurity camp for the month of October? No, right? The show in the productivity show has to go on.
SPEAKER_00I've seen some organizations that almost do. I mean, where like five days a week, every single uh week during the month of October, where they've got different lunch and learns that they're doing and activities planned. Uh, but you know, it's the same five people that show up to these things every single day, and a majority of the company still doesn't show up because I've never seen anyone do it daily and make it mandatory.
Priorities And The 28-Day Cycle
SPEAKER_01No, and and really what we have to do is like focus the this the successful approaches are basically is focus on, you know, get make a list of priorities, and those the priorities may be different for different groups of employees. Um, you know, because if you work in finance, there may be uh different risks from um if you work in in sales and marketing or something like that. Um but basically then work down the list of priorities. But as the the BMAP model says, you know, it takes about 20 a 28-day cycle is the minimum to actually establish a new behavior to get it embedded, right? So we need to do this. We can do only one or two at a time, and once they are embedded and have become automatic, then they're not really demanding um the employees time, you know, attentive time and attention anymore, you execute them automatically, then you go on to the next one and the next one. So that basically means you have, you know, it's a continuous effort, and staging it is um is is the only way of really reliably embedding those secure behaviors in your um in your staff.
Building Subconscious Phishing Reflexes
SPEAKER_00So when you say embedding secure behaviors, uh it just reminds me of something that I've uh focused on quite a bit. It's what I call human virus definitions. And uh and I I think we're basically saying the same thing, but it it's I I think about the guy that is, you know, it's a Friday afternoon, he's on his way home from work, he stops by the store, he's in the grocery line, you know, waiting to check out, and he's checking his email right then. He may normally be secure, but at that moment he's not thinking about security, and so he's more prone to click on a fish. And and the bad guys know this, that's why they fish you on the weekends, right before holidays, things like this. Um, and uh and so I I think about it because when it's a subconscious reaction, it doesn't matter where they are, how many distractions, what's going on around them, the subconscious is more reliable, predictable every single time it'll say, Whoa, something's going on, and the people will move on. And so that to me is where uh it's things like trust your gut, watch out for urgency, watch out for authority, and how it's used against you and these core principles uh to me that I I think we have to get through.
When Phishing Training Backfires
SPEAKER_00And the the second part, I'm curious what you think about it, is I believe that should be the goal of running fishing simulations, where if they click, they immediately get that uh training, that just-in-time training, they know they made a mistake and they're learning those core values. Uh, because one of the things that I found running uh, I don't know, it's it's a millions of fishing simulations, um, is that uh there are or once somebody goes through a specific type and they fall for it, um, they're less likely to fall for that same type of fish again in the future if they've gotten that uh that just-in-time training. So like by something like 70% less likely. Um so what do you think about that? Uh and what's your approach to it?
SPEAKER_01Um I actually um disagree um because I zoom basically if I zoom out and I see a situation where um employees during their normal working time when they're focused on their primary task, basically get kind of ambushed by these um by these simulated fishing males. And we just know that it has from from empirical studies that um it doesn't necessarily mean, you know, so sort of a lot of people actually just won't engage with the material at that point in time because the primary task is more important and it needs to get done. You know, if you basically have something to get to a client, you know, you have a deadline to meet or so on, you're not really going to engage with the material. Then of course, is one of the discussions we could have is how good is the training material you're given, right? I mean, the um uh there's there there's huge differences um in quality, you know, just some of them don't really give people, you know, they're just basically put generalities, but don't give um people actionable advice, right? If you give actionable advice and you explain exactly what the problem is with that particular email, and and from you know, you show from from the specific thing and then do the transfer learning, you know, enable the transfer learning to basically show the general principle behind it. Okay, yeah, yeah, that's basically that is um that is valuable, and then that is um it's likely to rarely being done, I agree, yeah.
SPEAKER_00Um and so just I am 100% agree with you. I think that the way that fishing simulations are done, 99% of the time, the way that that follow-up training is done, all of it, is counterintuitive to what we want to have happen. And there's been a lot of studies that have shown it uh or demonstrated that, where they did phishing simulations, then they ran the you know hour-long security awareness training course, then they ran more simulations. And in almost every one of these, you find that the users are either exactly the the same susceptibility before and after, or sometimes they even get worse afterwards. Uh, so I I I agree. And I think that we have to do them right. And and number one, tell the user you're going to fish them. Don't make it a game where or a gotcha game, because that's not the goal of it. And and number two, I think it should start off easier and gradually get more difficult as the user's proficiency gets better. And as to that follow-up training, um, I I don't I agree. I don't think that at the moment they make the mistake, you should send them through this five-minute or 30-minute manageable, whatever it happens to be. Um, I don't think that that's very effective. I also don't think you should ever exploit your users in phishing simulations that are done for security awareness. What I mean by that is I I don't care if they type in their username and password. They already clicked on a malicious link. The damage is done. I'm way better off making sure that they realize that they clicked and that it was a simulation and that they can move on than I am to have them type out their password and go to some landing page. Uh, because then you run the risk where this person truly believes whatever it is, you know, I gotta raise, I got a bonus. And I've seen these terrible ones that create these, you know, just horrible experiences for the user. And so I'm I'm right there with you. I think that the way most phishing is done is a very negative, uh, sort of negative experience. And and I think that just in time training, um, the way I've always done it is a simple email that lands in that user's inbox the second that they click, and it highlights the red flags and has arrows pointing at the red flags in the email uh to do that transfer learning at the moment of the mistake.
How To Simulate Phishing Responsibly
SPEAKER_01But I what I actually um what one of the things I'm really concerned about is is that I think we really need to, you know, the with the with the email phishing in particular, I think you know what I see is a lot of companies could actually do more to just keep you know keep these attacks away from their users. Specifically email email phishing, right? But the amount of social engineering attacks that I mean, you know, that is is massively increasing, but it comes through all sorts of channels, right? It comes, you know, it it um and even uh through say social media, you know, basically social media sites, and actually really trying to get users to understand how the attackers operate, right? How they use open source intelligence, how these attacks are often multi-stage, and how the um the attackers are really trying to use, you know, they want to make you believe that there is something that you want, how they use your emotions and so on. It's a kind of like literacy that you need in the digital age, and and that's really what we want to want to help users with, you know, and and that you that is you know really valuable knowledge and and valuable skills that help people in their personal lives just as much as they do, you know, you know, of course, you know, because other people for romance scams or investment scams and those kind of things. And
Social Engineering Literacy Beyond Email
SPEAKER_01and actually really um, you know, but by basically just just explaining how social engineering attacks work and how they use you, how they play with your emotion, how they um basically promise, you know, that or they dangle things in front of you that you would really like to have, or things that you want to believe to be true. That kind of kind of self-knowledge, you know, and it leads to to um to to just a better literacy. And and that kind of awareness, I think, is is what what we really want to give people, right?
SPEAKER_00Um yeah, and people I don't think most people are aware of their own biases or their cognitive biases that are the number one thing exploited by social engineering. Um, and the more we can make them aware of them and conscious of them, the less likely they are to fall for them.
SPEAKER_01And also to teach them basically, basically, ways of um you know, of actually dealing with these things. Yeah. So um, you know, how for instance, you know, how to not get triggered, you know, but basically about how to realize that somebody is trying, you know, something is trying to trigger you. And sometimes all you need is just, you know, to just basically really not react immediately, you know, just defer to actually defer the response. Don't, you know, uh, how to to counteract pressure and how to do it in a polite way, a friendly way. So, you know, if you're not sure this is really a customer, um, you know, who just is really bad tempered and is really thinks, you know, um, you know, but or or is this an attacker? Sometimes you're not sure. So, and then and you see this that people are really that that they don't get the right sort of response because they don't want to, you know, they don't um want to to sort of like get in escalate the situation, right? They don't want to um ruin a potential you know a relationship that might be important or something like that. But we can teach them, teach them how to handle those situations better. And um I've I've found you know, in in when we when we do this, that actually employees are really, really grateful for um for that. And it and and those experiences really increase the interest in cybersecurity and security awareness and training, and actually then encourage, you know, basically people take take an interest and they start to take um work through some of these modules that we offer voluntarily because they've had an experience. This is actually useful, right? This is giving me giving me useful knowledge and skills that um that help me. And I think that's really what we want, isn't it?
One-Page Policies And Commitment Bias
SPEAKER_00I I completely agree. And to that, one of the things that uh that I did about a year and a half ago now uh was I I went back through all of my uh my company's policies and uh and we also make them available to all of our clients too. Uh but I I went through all the the templates and all of our internal stuff that we were uh we were utilizing and I completely rewrote it, and it all starts with a single paragraph that basically says, Hey, I understand that security awareness is part of my job, that it protects me at work, it protects my income, it protects me at home, and we connect all of it directly to their uh their livelihood, and they sign that at the very top, and then all of the rest of the policy, as opposed to having these long, long policies that look like they're written by lawyers, we put or put it into bullet points for the most part, and every single policy is a page and bullet points, one single page and bullet points, and it makes it easy for them to understand. Um, and I I think that there's a lot of stuff like uh like that that just helps to drive it home. Um, and I and one of the things that I like about policy is that um well there's a commitment to bias uh that we all have. And if we sign our name to something saying that we'll do it, we're most people are gonna try to do that because they want to make good on their word. Um, but then we create these policies that no one can understand, or if they don't care to, they're not gonna read anyway, even if they could understand it, it's so long they're not gonna read it. And uh, and so as a result, we're not ever taking advantage of that commitment bias because people don't know what they signed and said they wouldn't do that was in the acceptable use policy or was in the um you know, whatever policy, right?
SPEAKER_01Um you know what I do as part of, I mean, I totally agree, and and basically this this kind of like you know, we want rat uh we want um actually active, positive commitment agreement to these things. And um in in the you know, because I said I prefer to do it over that that basically you do one particular behavior at a time to re-embedding, but at the time when they basically actively say, Yes, I want to, I agree this is important and I want to do it, then you start your little kind of like your little book of um policies that you've committed to, and you can always, you know, uh go back to it. It's like you really it should be sitting on your desktop. Um that where and you see like what you've committed to. And I like to really make it very, very sort of like very specific, you know, make not just the policy, but the specific behavior. What am I going to do to enact this policy? And then keep that as a as a little book, as a as a list, uh a reminder of the things you're doing, you know, and as you go through the year and embed more and more of uh those more of those behaviors, you know, the list um starts to um, you know, you you you're acquiring more and more. But you can at any point in time go and look, what have I committed to and am I doing it? And if I'm not doing it, what's actually stopping me doing this? And is this something I you know where I need to do something, or have I really encountered some some obstacles or blockers in in um enacting this secure behavior, in which case I need to go and talk to the people in the security team and you know, let's fix this. Um, this is something, you know, we need to fix security together, the security experts and the employees. You know, we can only do it by finding where sometimes there is too much friction, there is too much pain, you know, there there may be edge cases where the policy doesn't work, but we need to fix that together.
Survey Users And Treat Security As A Team
SPEAKER_00So I had a guest on the other day that um I just found this part to be really interesting. Was that he surveyed his entire user population? He's a CISO, um, and he did on a regular basis. You know, do you what what's your opinion of cybersecurity? Is there anything we can help you with and make your jobs easier? Um, and it it really was a lot uh focused heavily on those uh wants and desires so that the security team could proactively go and address those for uh for team members and uh and win over those allies within the uh the company. And I I just thought that that was a brilliant way of going about it because you know, I mean, uh to your point, this industry has spent far too long not worrying about what the users thought or how they think or how they learn or how they change or behavior changes or any of that. Um, and so I I think that that's why it's uh you know an important element.
SPEAKER_01Yeah, absolutely. I think this is really, you know, we need to get away. So users are not the enemy, you know, they are um they are part of the team, you know. I like um sort of a metaphor is that it is a team sport and different different uh partners you know, different um stakeholders in the team have different responsibilities, um, but they need to be clear to to everyone, and then we need to work together to to help us. And if uh if something isn't working, we need to talk about it. Yeah, and and I think that's that's also one of the things I always really want to see in an organization is that that people talk to each other about security, even if they're this is better than if you get into an organization and there's absolutely deafening silence, right? Nobody's talking about it, then you know there's trouble, might you know that yeah, yeah.
SPEAKER_00I've definitely been uh I worked for the federal government for a while. I may have been one of those people complaining about the security, so um, but I mean I I I absolutely uh get it. Now I'm curious what your opinion is, because uh to me, there's a new huge,
AI Code And The Shadow IT Explosion
SPEAKER_00just massive risk with end users and it's AI, uh, but it's not them pasting data in or whatever. And I mean that's of course a risk, but I I think we've done a good job of addressing that. The part that concerns me is AI writing code, not when my developers are using it inside a mature CI CD pipeline uh where it's going to assess security, it's going to have code evaluations, everything it's going to go through this whole intelligent process. But the code I'm worried about are the project managers, the sales uh you know staff, the you know, whoever it happens to be the finance team that don't understand technology to a point that they should be building out infrastructure or whatever. And all of a sudden, we've got shadow IT everywhere in the form of custom app development because everyone's a software developer now.
SPEAKER_01I I couldn't agree more. And we have seen, you know, I work in a in a really um very big security research um faculty, and um we have seen, we've already seen quite a few examples of um users basically having code written by by an LLM and then you know starting to connect it to other bits not understanding what it's doing, you know, and um yeah, the the amount of data and and and the sensitivity of some of the data that is you know is is basically exposed by this is staggering. It's um yeah, you know, great story on that.
SPEAKER_00Uh the my CTO that I I work with uh for the parent company, and I I still work as their CESO. Um he comes to me and uh and he he shows me this application that was developed by a Project manager. And uh and it's brilliant. I mean, it it it shows every their logistics company, so it shows every single bit of inventory from warehousing to trucks to you know whatever you want to search, every single asset in the entire company. Um, and it shows it, and I'm just like, okay, this is very impressive. But what about security? He seems to be connected to everything. Uh, but I mean, that is the the new world that we're seeing everywhere, and it's happening so quick that security is not getting the opportunity to fully evaluate these things. Um, what what is uh do you have any recommendations for companies struggling with this? I know we're all sort of learning as we go right now, but uh what what are your thoughts there?
SPEAKER_01Well, maybe we need we need something similar to to what we do with our students, right? Um, which is that uh we say if you use it, you need to declare that you've used it, right? So don't come and basically pretend you wrote this on scratch if you didn't, um because of the risks that that are are involved in it. I mean, the other, as you said, if you um maybe we need to, you know, we we just can't have code being put put in like that, the reviews, the processes, you know, it it all would need to to uh be if people do it at home, that's one thing, but basically having code that they've generated and then not really sure what it does if they don't know anything about about security risks and so on, that that just can't, you know, you can't basically put that into production.
SPEAKER_00Well, it's not just the security risks, it's the architecture, the infrastructure around it. And that's the reason that it concerns me. It's also the models that they're using. Um, I know my development team is only going to use approved models that uh that they've been given access to. Um, and so I'm a I'm a really big fan. In fact, I will go so far as to say that AI writes more secure code than humans. Um in general it does. And uh and I I say that I've spent a lot of my career in application security. I've looked at thousands of applications and uh and AI generally writes better code, but AI is not gonna tell you if you left a bucket wide open on Amazon. AI is not going to tell you if you left default credentials on stuff. And to me, that's the part that uh that really concerns me there. Um I I I really just think we have to be proactively giving our employees those capabilities and some sort of lab access so that we control it because it seems that they're gonna do it regardless of if we give them a safe place to do it in or not.
SPEAKER_01Okay, yeah, you could you could you could have a policy saying and you can't, you know. Um, you know, you're not you're not basically um, you know, some people fancy themselves as medics, but you're not going to let them operate on patients. So I think you can um you I think but but there's definitely a lot of lot of rethink, you know, I think there's there's new policies and new processes are going to be needed to to to actually deal with um to to deal with this and tell people very clearly what they can and can't do.
SPEAKER_00Yeah, I mean this is an exciting time to be in cybersecurity. Scary, but but exciting because I mean it is changing. I mean, I thought it was changing quickly 10 years ago, um, but it's really just evolving so quickly that uh it's hard to keep up uh with uh just all of the technological innovations from a vendor perspective, from a technology perspective. Um it it's it's like drinking from the fire hose 24-7.
SPEAKER_01Yeah,
Signed Macros And The Pop-Up Trap
SPEAKER_01but maybe we also need to need to get back there for some applications, you know, where you don't need anything fancy. Maybe you just want really simple, you know, simple, secure components and building blocks that you can make, make simple, simple things, you know, um things other for the home, um so that might actually be um be a be a way forward, you know, that you that you can basically get secure components that you can combine um in a way and put together as an end user rather than go and have the whole code written from scratch written from scratch by um by AI. Um I think I think for many for many applications um in in in the home context or also for for users who don't have super um sophisticated requirements, you know, who are just trying to to have certain simple forms of automation and so on, that may be maybe a better way forward.
SPEAKER_00Yeah, yeah. Well, to that, I'm really surprised that Excel macros have not made a bigger comeback.
SPEAKER_01Um well, actually, that was I I I think it may have been coincidence, but they um, you know, this was to me, this was one of the biggest triumphs in you know of actually enacting the spirit of of what I I call human-centered security. Because um that they um the um well, you can still have macros, right? But they have to be signed, meaning the experts in the company have to look at it. But I think what went on in the 10, 15 years before, that you asked users whether they wanted to enable a macro or not, and then there was like an absolutely lousy UI that actually effectively like cued them into enabling them, right? And we published this study where we showed that even people who use IT for six hours a day um and used all these Microsoft things, that they enabled macros even if they didn't need them. Um, and that that really out of you know, that that 95% of the people in our sample didn't really know what a macro was then. So how how can you know, and I I I think, I mean, for me it was really quite important that you know that this is one of the examples where you gave where you pushed sort of like the responsibility onto end users to decide something that really they shouldn't decide. Um, and I think you know, having having only signed macros um is is the better way. And basically, frank, frankly, the end you the the uh users are of course just absolutely happy not to basically have these click boxes being thrown into their face every three minutes, right?
SPEAKER_00Well, and we saw with Java that it didn't work, okay. I mean, I don't know if you remember at the very end before we finally got rid of Java, um those those pop-ups were just bright red, the biggest bold letters you ever saw. And people would still click allow, allow, allow every single time.
SPEAKER_01And it doesn't, it doesn't work. We've known this for there's actually a really um a really important book um called The Lunatics Are Running the Asylum by a software engineer called Alan Cooper.
SPEAKER_00Um I've not heard of it or read it, but I'm gonna have to check it out. I love the title. Sorry, go ahead, tell me more.
SPEAKER_01He was, I mean, Alan Cooper is a soft, you know, is a software engineer, but he really understood usability, you know, and he said basically, he said, this is these pop-up boxes are an absolute scourge, you know, and he said, you know, you're abdicating responsibility and throwing something to the user that you know almost certainly they can't decide. And he said, you know, good software is is is self-confident and and polite, you know, and you're not abdicating responsibility and throwing it to the users. So he, I think he really pointed out 20 years ago. But the le you know, I think I still remember, I think it was in about 2000 that at a um at a big sort of tech conference, Bill Gates was actually asked by by somebody about whether these whole boxes, whether they made them just pop up because they wanted to defer legal responsibility to the users. And he actually stood there for about 30 seconds. And then he said, yes. And tells you, tells you, you know, this is this is like, I mean, from a usability point of view, those pog up boxes were almost always a disaster. You know, you look at them and then you just have created, you know, we're back to the behavior thing. You you create a habit of swatting things away, you know, not reading, you know, then the users don't read this anymore. And um, yeah, it's just just not good design.
SPEAKER_00I mean, I'm a security professional and I have caught myself looking through those things before. Um, I mean, it it's it's rare, but like I can't say that I've never just clicked and then thought, oh wait, what did I just click on? Um, because I have, and uh, and I I highly doubt that I'm the only one. I may be the only one that'll admit it, but I highly doubt that I'm the only one. And so um, no, I mean, I it's you get so used to clicking through those things. And uh at least, you know, for me, it's been my entire life. Now, maybe we're finally re-engineering computers and younger people won't have that inherent just oh, click accept. Um, but I still think they will because of things like the you know, end user license agreements and all of that, um, that uh that are you know a hundred pages long and no one's ever gonna read them. Um, and so we we sort of create this uh condition where you know people are just used to clicking through stuff. It is what it is.
Leader Playbook For Lasting Change
SPEAKER_00Um okay, so we are uh running low on time here, and so I just wanted to, I guess, throw it to you as sort of a last question and just leave it sort of open-ended. What's the top bit of advice you have to security leaders listening to this podcast that want to improve their programs?
SPEAKER_01Uh the top bit of advice is to actually do um uh profile, you know, half um profile your employee population um by risk. You know, look at what are the the top risks that those particular employee groups face, which are which are the relevant risks for them, um, and then start basically writing just as you did in simple terms, uh, what you what behavior is required to um you know to manage that risk or to not basically enable an attack. And then um we um we really advise to take a two one to two year change management framework and prioritize, uh then work through those those priority uh risks. And and we we borrow quite a lot from change management um theory as well, you know, such as actually rewarding people, celebrating when it's a huge part of the thing. You know, then that's uh have they have have really embedded their top three security behaviors, you know, sort of sort of celebrating that. And it's really, I think the the thing that I very often um that that I think for for leaders in in bigger organizations, I I find that a lot of them don't understand that they can't just abdicate it to the experts, right? The the the experts have knowledge, they know how to manage some of those threats, but to really embed that in the hearts and minds of the organization and in the behavior of your workforce, you need this program, you need to make a plan and you need to find the capacity. It's the organizational leader's job to find the capability and the capacity in the organization in various, you know, whether this is in HR, whether this is in training, you can learn an awful lot for if you've got uh a safety, a workplace safety program. The people who set up those and runners have an awful lot of experience already. The comms, uh, the internal comms department, you know, they know how to what what kind of frequency of messaging works, they know how to how to formulate them. So you need to bring those things together. Um, and that's why I said it's it's a team sport, and but the leaders of the organization have to set those goals and they have to bring the people together and tell them what they want them to achieve when it comes to security.
SPEAKER_00I I couldn't agree more. In fact, uh I'll I'll echo it with this one quick story. Um, there so for the longest time, the whole industry was security is everyone's responsibility. And then uh all of a sudden, some marketing people got involved and they changed it from everyone's to security is your responsibility. And while it's only a one-word change, it makes a world of difference. And uh and that it to me is the reason you know we should be including the other departments, communications, marketing. Um they can help us craft our message and make sure it sticks. Absolutely.
SPEAKER_01I agree, Joshua.
SPEAKER_00Well, thank you for joining me
Final Thoughts And Farewell
SPEAKER_00today. It's been a fabulous episode, and uh well, we'll be back again next week.
SPEAKER_01Thank you. It's my pleasure.