1 00:00:03,250 --> 00:00:09,879 so hi my name is Royce Regina I am the 2 00:00:07,089 --> 00:00:13,059 digital security coordinator at an NGO 3 00:00:09,879 --> 00:00:16,450 based in Berlin that means that I do a 4 00:00:13,059 --> 00:00:19,210 certain amount of internal support I 5 00:00:16,450 --> 00:00:22,600 provide workshops for some of our 6 00:00:19,210 --> 00:00:26,140 partner organizations and I write and 7 00:00:22,600 --> 00:00:30,279 maintain external facing security 8 00:00:26,140 --> 00:00:34,290 education resources and I'm here to talk 9 00:00:30,279 --> 00:00:36,640 a little bit about social engineering 10 00:00:34,290 --> 00:00:39,879 improving security behaviors of people 11 00:00:36,640 --> 00:00:43,210 around you and how some of the skills 12 00:00:39,880 --> 00:00:47,230 that you can use from one are or aren't 13 00:00:43,210 --> 00:00:50,170 applicable to the other so social 14 00:00:47,230 --> 00:00:52,120 engineering getting people to change 15 00:00:50,170 --> 00:00:54,430 what they do it's kind of just 16 00:00:52,120 --> 00:00:59,260 manipulating folks to like do what you 17 00:00:54,430 --> 00:01:02,170 want them to do sort of sort of or not 18 00:00:59,260 --> 00:01:04,569 so there are a few major differences so 19 00:01:02,170 --> 00:01:06,490 when we're talking about social 20 00:01:04,569 --> 00:01:08,770 engineering you normally think of the 21 00:01:06,490 --> 00:01:11,048 person who is doing the social 22 00:01:08,770 --> 00:01:12,610 engineering being very much in control 23 00:01:11,049 --> 00:01:15,250 whereas when you're talking about 24 00:01:12,610 --> 00:01:18,610 teaching we really want to have the 25 00:01:15,250 --> 00:01:20,439 learner sort of driving everything so 26 00:01:18,610 --> 00:01:21,700 just backing up a moment like what do we 27 00:01:20,439 --> 00:01:24,658 mean by social engineering because 28 00:01:21,700 --> 00:01:29,619 there's this huge huge broad category of 29 00:01:24,659 --> 00:01:34,720 stuff that 
falls into that bucket and so 30 00:01:29,619 --> 00:01:39,158 that includes like phishing and vishing 31 00:01:34,720 --> 00:01:42,009 and smishing and and all of that but it 32 00:01:39,159 --> 00:01:44,560 also includes a lot of the stuff that 33 00:01:42,009 --> 00:01:47,920 generally gets talked about in terms of 34 00:01:44,560 --> 00:01:49,479 like physical penetration testing when 35 00:01:47,920 --> 00:01:51,340 you're not talking about lock-picking 36 00:01:49,479 --> 00:01:54,610 but instead you're talking about how do 37 00:01:51,340 --> 00:01:56,979 you walk in places but it can also just 38 00:01:54,610 --> 00:01:59,229 include this whole general category of 39 00:01:56,979 --> 00:02:00,429 things that I tend to think of this fun 40 00:01:59,229 --> 00:02:03,390 high jinks 41 00:02:00,430 --> 00:02:06,759 where basically what you're doing is 42 00:02:03,390 --> 00:02:09,519 you're you're you're basically figuring 43 00:02:06,759 --> 00:02:12,400 out how to set someone up to have a 44 00:02:09,519 --> 00:02:14,209 specific emotional journey so that they 45 00:02:12,400 --> 00:02:17,629 more or less do what your hope 46 00:02:14,209 --> 00:02:20,269 the filter and then when we're talking 47 00:02:17,629 --> 00:02:22,219 about education in this context we're 48 00:02:20,269 --> 00:02:24,709 really talking about education for 49 00:02:22,219 --> 00:02:31,719 behavior change so this is not like 50 00:02:24,709 --> 00:02:36,500 memorize your times table or like learn what 51 00:02:31,719 --> 00:02:38,719 the like what any specific framework is 52 00:02:36,500 --> 00:02:40,579 about instead we're talking about how do 53 00:02:38,719 --> 00:02:44,569 you get people to have better passwords 54 00:02:40,579 --> 00:02:47,120 how do you get people to log out of 55 00:02:44,569 --> 00:02:50,000 accounts that they're not using things 56 00:02:47,120 --> 00:02:52,609 look more along those lines so so that's 57 00:02:50,000 --> 00:02:54,169 what I mean when I'm talking 
about these 58 00:02:52,609 --> 00:02:57,139 two general topics 59 00:02:54,169 --> 00:03:00,109 so aside from who's in control or who's 60 00:02:57,139 --> 00:03:02,079 empowered in the situation there's also 61 00:03:00,109 --> 00:03:04,489 a pretty major difference between 62 00:03:02,079 --> 00:03:06,760 whether you're aiming for trust or 63 00:03:04,489 --> 00:03:10,609 whether you're just aiming for rapport 64 00:03:06,760 --> 00:03:12,700 the timeframe for doing some social 65 00:03:10,609 --> 00:03:14,959 engineering very different than like 66 00:03:12,700 --> 00:03:17,089 trying to teach your colleagues how to 67 00:03:14,959 --> 00:03:19,639 keep themselves safe how to protect your 68 00:03:17,090 --> 00:03:21,379 company whatever your context is even if 69 00:03:19,639 --> 00:03:23,989 it's like your parents or your 70 00:03:21,379 --> 00:03:25,370 housemates or anyone that you are 71 00:03:23,989 --> 00:03:36,799 desperately trying to give security 72 00:03:25,370 --> 00:03:38,479 advice to okay sorry about that and then 73 00:03:36,799 --> 00:03:41,689 the other thing is the way that you use 74 00:03:38,479 --> 00:03:42,949 emotions in social engineering should be 75 00:03:41,689 --> 00:03:45,319 very different than the way that you're 76 00:03:42,949 --> 00:03:50,829 using emotions in any kind of 77 00:03:45,319 --> 00:03:56,030 educational process so part of this is 78 00:03:50,829 --> 00:03:58,220 in terms of who's in control we have 79 00:03:56,030 --> 00:04:01,849 this idea called self-efficacy it comes 80 00:03:58,220 --> 00:04:04,939 from alfred bandura who's a psychologist 81 00:04:01,849 --> 00:04:06,439 and basically it's the idea that someone 82 00:04:04,939 --> 00:04:08,180 believes in their ability to do a 83 00:04:06,439 --> 00:04:10,280 specific thing and this ends up being 84 00:04:08,180 --> 00:04:11,449 really important when you're teaching 85 00:04:10,280 --> 00:04:13,790 someone to do something because 86 00:04:11,449 --> 
00:04:15,530 basically if they believe that they can 87 00:04:13,790 --> 00:04:19,339 do it you're going to have a much easier 88 00:04:15,530 --> 00:04:21,228 time supporting them in doing it because 89 00:04:19,339 --> 00:04:22,760 when you're talking about social 90 00:04:21,228 --> 00:04:24,859 engineering you're generally talking 91 00:04:22,760 --> 00:04:25,340 about like how do I get someone to do a 92 00:04:24,860 --> 00:04:26,550 thing 93 00:04:25,340 --> 00:04:29,008 but when you're talking 94 00:04:26,550 --> 00:04:30,629 about digital security education 95 00:04:29,009 --> 00:04:33,270 interventions you're generally talking 96 00:04:30,629 --> 00:04:39,360 about how do I get someone to get 97 00:04:33,270 --> 00:04:41,669 themselves to do a thing and part of 98 00:04:39,360 --> 00:04:44,490 that kind of relies and part of why 99 00:04:41,669 --> 00:04:45,960 there's this difference is when you're 100 00:04:44,490 --> 00:04:47,909 talking about social engineering you're 101 00:04:45,960 --> 00:04:49,560 generally talking about like just 102 00:04:47,909 --> 00:04:52,590 building rapport like how do I just get 103 00:04:49,560 --> 00:04:54,330 someone to like me so rapport is about 104 00:04:52,590 --> 00:04:56,489 just like having this connection that 105 00:04:54,330 --> 00:04:58,378 you can kind of joke with someone you 106 00:04:56,490 --> 00:05:01,800 probably also have rapport with like 107 00:04:58,379 --> 00:05:03,539 your colleagues which you should and and 108 00:05:01,800 --> 00:05:05,250 it's generally helpful like having a 109 00:05:03,539 --> 00:05:07,250 nice rapport with someone is going to 110 00:05:05,250 --> 00:05:11,490 help you regardless of what your goal is 111 00:05:07,250 --> 00:05:13,409 but when you're dealing with like trying 112 00:05:11,490 --> 00:05:15,449 to actually get someone to learn and 113 00:05:13,409 --> 00:05:17,819 change their behavior what you probably 114 00:05:15,449 --> 00:05:19,440 need is actually trust 
what you probably 115 00:05:17,819 --> 00:05:22,020 need is not just someone to be like oh 116 00:05:19,440 --> 00:05:23,219 yeah that person I am you know they seem 117 00:05:22,020 --> 00:05:25,500 friendly I'd like to have a beer with 118 00:05:23,219 --> 00:05:27,300 them but probably what you need is for 119 00:05:25,500 --> 00:05:28,650 someone to believe the things that 120 00:05:27,300 --> 00:05:30,539 you're saying and to believe that 121 00:05:28,650 --> 00:05:32,219 they're accurate and to believe that you 122 00:05:30,539 --> 00:05:34,289 have their best interests at heart or 123 00:05:32,219 --> 00:05:38,279 that it's like close enough that they're 124 00:05:34,289 --> 00:05:40,409 willing to roll with it so the other 125 00:05:38,279 --> 00:05:42,630 thing in terms of like trust versus 126 00:05:40,409 --> 00:05:44,849 rapport is like you can find all sorts 127 00:05:42,630 --> 00:05:47,190 of excellent and excellent guides to how 128 00:05:44,849 --> 00:05:49,469 to quickly build rapport trust tends to 129 00:05:47,190 --> 00:05:52,800 take a lot more time you can also break 130 00:05:49,469 --> 00:05:54,719 rapport and Trust fairly quickly but 131 00:05:52,800 --> 00:06:01,889 Trust is what you really need to like 132 00:05:54,719 --> 00:06:03,389 build in in your relationships so just 133 00:06:01,889 --> 00:06:05,819 like trust and rapport take different 134 00:06:03,389 --> 00:06:07,199 amounts of time to establish when you're 135 00:06:05,819 --> 00:06:09,270 dealing with social engineering you're 136 00:06:07,199 --> 00:06:12,750 almost always only needing to like keep 137 00:06:09,270 --> 00:06:13,948 stuff together until you get out like if 138 00:06:12,750 --> 00:06:16,080 you're doing some kind of like 139 00:06:13,949 --> 00:06:18,270 face-to-face thing you just have to make 140 00:06:16,080 --> 00:06:20,400 sure that they believe you as long as 141 00:06:18,270 --> 00:06:21,930 they're looking at you or as long as 142 00:06:20,400 --> 
00:06:23,340 they're less likely to call someone 143 00:06:21,930 --> 00:06:26,150 who's going to get you in trouble like 144 00:06:23,340 --> 00:06:29,429 that's all you need the glamour to last 145 00:06:26,150 --> 00:06:32,489 but when you're dealing with any kind of 146 00:06:29,430 --> 00:06:33,779 behavior change education what you 147 00:06:32,490 --> 00:06:35,669 really need is something that's going to 148 00:06:33,779 --> 00:06:36,419 stick with people and that's going to be 149 00:06:35,669 --> 00:06:39,280 long-lasting 150 00:06:36,419 --> 00:06:40,659 so it's not just like 151 00:06:39,280 --> 00:06:46,000 while I am standing there with my 152 00:06:40,660 --> 00:06:47,470 coworker get them to do the one thing 153 00:06:46,000 --> 00:06:48,850 I'm asking them to do this one time 154 00:06:47,470 --> 00:06:51,520 while I'm looking over their shoulder 155 00:06:48,850 --> 00:06:53,139 but can I set them up so that they're 156 00:06:51,520 --> 00:06:55,299 gonna do this thing that I've asked them 157 00:06:53,139 --> 00:06:58,570 to do and shown them how to do 158 00:06:55,300 --> 00:07:00,460 repeatedly over time and as long as 159 00:06:58,570 --> 00:07:02,680 we're talking about timeframes it's 160 00:07:00,460 --> 00:07:05,138 really good to remember that everything 161 00:07:02,680 --> 00:07:08,290 fades over time so when you're thinking 162 00:07:05,139 --> 00:07:10,090 about education and when you're thinking 163 00:07:08,290 --> 00:07:11,620 about like teaching or training people 164 00:07:10,090 --> 00:07:13,630 around you it's good to remember that 165 00:07:11,620 --> 00:07:16,630 they will probably need like little 166 00:07:13,630 --> 00:07:18,070 refreshers and to just plan on that and 167 00:07:16,630 --> 00:07:19,150 it doesn't mean that you've failed and 168 00:07:18,070 --> 00:07:21,099 it definitely doesn't mean that they've 169 00:07:19,150 --> 00:07:26,859 failed if they need a little bit of a 170 00:07:21,100 --> 00:07:28,870 
reminder from time to time so another 171 00:07:26,860 --> 00:07:33,400 area where there's this huge huge gap 172 00:07:28,870 --> 00:07:35,970 but a certain amount of shared shared 173 00:07:33,400 --> 00:07:39,510 skills is when we talk about the role of 174 00:07:35,970 --> 00:07:42,550 fear especially in social engineering 175 00:07:39,510 --> 00:07:44,020 and education so like when you're doing 176 00:07:42,550 --> 00:07:46,330 social engineering if you get someone a 177 00:07:44,020 --> 00:07:48,099 little scared it's generally good 178 00:07:46,330 --> 00:07:49,990 because people who are scared don't 179 00:07:48,100 --> 00:07:52,720 really respond the way they probably 180 00:07:49,990 --> 00:07:54,010 should so if you're trying to like get 181 00:07:52,720 --> 00:07:56,050 someone to do something that they're not 182 00:07:54,010 --> 00:07:57,610 technically supposed to getting them a 183 00:07:56,050 --> 00:07:59,710 little bit scared can mean that they 184 00:07:57,610 --> 00:08:01,950 don't have the presence of mind and they 185 00:07:59,710 --> 00:08:04,479 can't Center themselves well enough to 186 00:08:01,950 --> 00:08:08,380 really like think through what they're 187 00:08:04,479 --> 00:08:10,360 supposed to be doing however when you're 188 00:08:08,380 --> 00:08:12,659 doing something that is about teaching 189 00:08:10,360 --> 00:08:17,280 that's the opposite of what you want and 190 00:08:12,660 --> 00:08:17,280 you generally have a situation where 191 00:08:17,729 --> 00:08:21,580 when you're teaching someone if they get 192 00:08:19,990 --> 00:08:23,080 scared they're going to zone out they're 193 00:08:21,580 --> 00:08:25,690 going to tune out they're just going to 194 00:08:23,080 --> 00:08:27,969 like shut down a little bit and some of 195 00:08:25,690 --> 00:08:30,130 that is because just like you can get 196 00:08:27,970 --> 00:08:32,289 really really successful or some people 197 00:08:30,130 --> 00:08:34,450 can get really successful 
with like 198 00:08:32,289 --> 00:08:38,338 creating fear and then immediately 199 00:08:34,450 --> 00:08:40,810 offering a solution like the classic is 200 00:08:38,339 --> 00:08:43,870 you have a virus install this software 201 00:08:40,809 --> 00:08:45,729 to remove it all that's doing is 202 00:08:43,870 --> 00:08:48,730 creating fear and then offering a 203 00:08:45,730 --> 00:08:53,370 pathway to release or relief from it and 204 00:08:48,730 --> 00:08:53,370 so when you're talking about education 205 00:08:53,440 --> 00:08:59,120 the pathway for relief tends to be 206 00:08:56,690 --> 00:09:01,430 shutting down and ignoring you so if you 207 00:08:59,120 --> 00:09:03,380 if you if you're hitting that fear 208 00:09:01,430 --> 00:09:04,969 button a whole bunch it may be great 209 00:09:03,380 --> 00:09:05,930 when you're trying to manipulate people 210 00:09:04,970 --> 00:09:07,910 but it's going to be very 211 00:09:05,930 --> 00:09:10,279 counterproductive when you're actually 212 00:09:07,910 --> 00:09:13,300 trying to get people to understand and 213 00:09:10,279 --> 00:09:16,430 internalize what you're talking about 214 00:09:13,300 --> 00:09:18,410 so the other thing that's worth 215 00:09:16,430 --> 00:09:20,300 mentioning is like yes you may talk 216 00:09:18,410 --> 00:09:23,120 about scary topics depending on what 217 00:09:20,300 --> 00:09:24,769 your work is and depending on what kinds 218 00:09:23,120 --> 00:09:26,029 of trainings you may need to talk to 219 00:09:24,769 --> 00:09:29,149 your colleagues about some of them are 220 00:09:26,029 --> 00:09:34,069 scary but if you can figure out ways of 221 00:09:29,149 --> 00:09:36,620 reducing the height of the fear that 222 00:09:34,069 --> 00:09:37,819 they're experiencing or the the height 223 00:09:36,620 --> 00:09:40,699 of whatever emotions they're 224 00:09:37,819 --> 00:09:44,599 experiencing you're much less likely to 225 00:09:40,699 --> 00:09:48,560 have that whole search for relief and 
226 00:09:44,600 --> 00:09:51,110 avoidance of the topic so basically 227 00:09:48,560 --> 00:09:55,279 feelings matter feelings matter a whole 228 00:09:51,110 --> 00:09:57,380 lot and they matter not just for the 229 00:09:55,279 --> 00:10:00,410 people you're training or teaching but 230 00:09:57,380 --> 00:10:01,819 they also matter for yourself so there 231 00:10:00,410 --> 00:10:04,910 are a few really counterproductive 232 00:10:01,819 --> 00:10:06,500 effects of using like standard social 233 00:10:04,910 --> 00:10:08,959 engineering where you're just like I 234 00:10:06,500 --> 00:10:10,459 know how to manipulate some folks I know 235 00:10:08,959 --> 00:10:11,750 how to get places I'm not supposed to go 236 00:10:10,459 --> 00:10:14,180 I know how to get a free cup of coffee 237 00:10:11,750 --> 00:10:16,220 like all of that if you're using that on 238 00:10:14,180 --> 00:10:17,599 your co-workers there's a really good 239 00:10:16,220 --> 00:10:20,240 chance that you might be normalizing 240 00:10:17,600 --> 00:10:22,069 certain types of risky behaviors so that 241 00:10:20,240 --> 00:10:23,810 can include like getting them to 242 00:10:22,069 --> 00:10:25,719 override security controls instead of 243 00:10:23,810 --> 00:10:27,768 really talking them through it can be 244 00:10:25,720 --> 00:10:29,180 getting information from them because 245 00:10:27,769 --> 00:10:30,620 it's easier to just get it from them 246 00:10:29,180 --> 00:10:33,649 than until I go through the right 247 00:10:30,620 --> 00:10:36,500 pathways just all of that you're you're 248 00:10:33,649 --> 00:10:38,660 training them into being vulnerable to 249 00:10:36,500 --> 00:10:41,990 the kinds of techniques that you or some 250 00:10:38,660 --> 00:10:44,269 actual bad guy might be using or mom so 251 00:10:41,990 --> 00:10:46,040 the other really major problem with a 252 00:10:44,269 --> 00:10:50,600 lot of social engineering techniques 253 00:10:46,040 --> 00:10:52,370 especially in a 
work place is kind of 254 00:10:50,600 --> 00:10:54,380 inherently when you go in and you try to 255 00:10:52,370 --> 00:10:58,009 manipulate people you are being a creepy 256 00:10:54,380 --> 00:11:00,529 creeper like it's just not nice and so 257 00:10:58,009 --> 00:11:01,579 sometimes you're totally successful and 258 00:11:00,529 --> 00:11:02,810 you get away with it and you have the 259 00:11:01,579 --> 00:11:03,829 problems I mentioned on the last slide 260 00:11:02,810 --> 00:11:07,489 but 261 00:11:03,830 --> 00:11:10,700 sometimes you have a colleague who's a 262 00:11:07,490 --> 00:11:12,320 little bit more sensitive and who has 263 00:11:10,700 --> 00:11:16,490 maybe like gone through some of that 264 00:11:12,320 --> 00:11:19,340 training and instead what you're doing 265 00:11:16,490 --> 00:11:21,110 is you're you're pushing the bad guy 266 00:11:19,340 --> 00:11:22,720 buttons and this can potentially set off 267 00:11:21,110 --> 00:11:25,280 their spidey sense and have them just 268 00:11:22,720 --> 00:11:28,460 immediately categorize you as sort of a 269 00:11:25,280 --> 00:11:30,319 bad actor and that means that you end up 270 00:11:28,460 --> 00:11:32,960 alienating the people who are best 271 00:11:30,320 --> 00:11:35,030 positioned to help you you it means that 272 00:11:32,960 --> 00:11:37,520 you are alienating the people who have 273 00:11:35,030 --> 00:11:39,020 the sensitivity to this stuff and could 274 00:11:37,520 --> 00:11:41,630 be bringing it to your attention when it 275 00:11:39,020 --> 00:11:43,760 shows up instead you're making yourself 276 00:11:41,630 --> 00:11:46,760 someone that those people specifically 277 00:11:43,760 --> 00:11:49,189 do not want to approach and that just 278 00:11:46,760 --> 00:11:51,950 generally drives people away and it can 279 00:11:49,190 --> 00:11:58,040 also really feed into shadow IT type 280 00:11:51,950 --> 00:12:01,370 problems so this is a pretty good 281 00:11:58,040 --> 00:12:02,780 example 
of things that go wrong when you 282 00:12:01,370 --> 00:12:04,940 think that social engineering is the 283 00:12:02,780 --> 00:12:08,780 appropriate way to approach everyone in 284 00:12:04,940 --> 00:12:11,390 your mind so I've talked a bunch about 285 00:12:08,780 --> 00:12:13,490 like the disconnects and what doesn't 286 00:12:11,390 --> 00:12:15,170 work but there are a whole bunch of 287 00:12:13,490 --> 00:12:16,700 skills from social engineering that do 288 00:12:15,170 --> 00:12:18,979 work really well when you're doing 289 00:12:16,700 --> 00:12:20,840 educational interventions with both of 290 00:12:18,980 --> 00:12:22,490 them you need to handle someone else's 291 00:12:20,840 --> 00:12:24,830 emotions and you should create this nice 292 00:12:22,490 --> 00:12:27,080 journey that takes them along the path 293 00:12:24,830 --> 00:12:29,810 that they need to go either to give you 294 00:12:27,080 --> 00:12:31,760 something they shouldn't or to like get 295 00:12:29,810 --> 00:12:35,000 to a point where they can get themselves 296 00:12:31,760 --> 00:12:36,710 to have better security behaviors and 297 00:12:35,000 --> 00:12:39,710 it's really about like orienting towards 298 00:12:36,710 --> 00:12:42,080 someone else's needs there's a huge 299 00:12:39,710 --> 00:12:45,050 benefit to being able to really respond 300 00:12:42,080 --> 00:12:47,990 to emotional cues and elicitation 301 00:12:45,050 --> 00:12:50,630 techniques are huge in both like being 302 00:12:47,990 --> 00:12:52,850 able to ask good questions that either 303 00:12:50,630 --> 00:12:54,590 help you get good information or help 304 00:12:52,850 --> 00:12:56,150 steer other people to where they need to 305 00:12:54,590 --> 00:12:58,400 be is incredibly powerful 306 00:12:56,150 --> 00:13:01,280 um and with that just like know your own 307 00:12:58,400 --> 00:13:02,600 strengths and weaknesses build on your 308 00:13:01,280 --> 00:13:04,400 strengths figure out how to counteract 309 
00:13:02,600 --> 00:13:09,290 your weaknesses ideally not the other 310 00:13:04,400 --> 00:13:11,150 way around so when you're dealing with 311 00:13:09,290 --> 00:13:13,370 adults one thing that can be really 312 00:13:11,150 --> 00:13:15,720 useful is this idea of adult learning 313 00:13:13,370 --> 00:13:18,990 theory 314 00:13:15,720 --> 00:13:20,819 and so it's this like whole area there 315 00:13:18,990 --> 00:13:23,790 are many many books on it you could read 316 00:13:20,819 --> 00:13:26,219 thoughts um or or not because it can 317 00:13:23,790 --> 00:13:27,779 basically be summarized as it's not just 318 00:13:26,220 --> 00:13:30,000 that the person is an adult meaning 319 00:13:27,779 --> 00:13:32,069 it's not just that they're over 18 it 320 00:13:30,000 --> 00:13:33,540 has to do with being ready to learn and 321 00:13:32,069 --> 00:13:36,269 open to what you're saying 322 00:13:33,540 --> 00:13:37,709 so this is not about awareness-raising 323 00:13:36,269 --> 00:13:39,629 this is not about getting someone to 324 00:13:37,709 --> 00:13:41,670 recognize that security is a problem 325 00:13:39,629 --> 00:13:44,970 when you're talking about actual 326 00:13:41,670 --> 00:13:47,430 education and actual learning that part 327 00:13:44,970 --> 00:13:49,470 has to already be addressed that's 328 00:13:47,430 --> 00:13:51,329 actually somewhere where a rapport can 329 00:13:49,470 --> 00:13:53,189 be really helpful if you're having a 330 00:13:51,329 --> 00:13:55,439 little bit of a rough time meeting with 331 00:13:53,189 --> 00:13:57,990 someone having a rapport can help them 332 00:13:55,439 --> 00:14:00,300 open up a bit and be receptive to what 333 00:13:57,990 --> 00:14:03,120 you're trying to teach them but the four 334 00:14:00,300 --> 00:14:05,219 principles are basically you need to 335 00:14:03,120 --> 00:14:07,259 have the people you're trying to teach 336 00:14:05,220 --> 00:14:10,740 be involved and this can be asking them 337 00:14:07,259 --> 
00:14:12,649 about their concerns or just like asking 338 00:14:10,740 --> 00:14:14,490 what things they want to learn 339 00:14:12,649 --> 00:14:17,339 you should be drawing on their 340 00:14:14,490 --> 00:14:19,259 experiences so like talk to them and ask 341 00:14:17,339 --> 00:14:21,120 them what they have noticed that relates 342 00:14:19,259 --> 00:14:24,000 to this or if they've ever gotten like a 343 00:14:21,120 --> 00:14:26,339 spammy email or whatever it is so that 344 00:14:24,000 --> 00:14:31,309 they're able to access and connect it to 345 00:14:26,339 --> 00:14:34,500 things they already know make it relevant 346 00:14:31,309 --> 00:14:37,559 people are generally not willing to like 347 00:14:34,500 --> 00:14:40,620 spend lots of time learning stuff that 348 00:14:37,559 --> 00:14:42,180 they don't see the point of and then try 349 00:14:40,620 --> 00:14:43,800 to be problem centered instead of 350 00:14:42,180 --> 00:14:47,849 content centered to teach them how to 351 00:14:43,800 --> 00:14:50,670 address something but you know also 352 00:14:47,850 --> 00:14:52,709 balance it out with like base knowledge 353 00:14:50,670 --> 00:14:58,769 that that can be helpful for them more 354 00:14:52,709 --> 00:15:00,779 broadly as you're learning how to get 355 00:14:58,769 --> 00:15:03,089 better at teaching other people it's 356 00:15:00,779 --> 00:15:05,399 really good to learn from others as well 357 00:15:03,089 --> 00:15:06,930 so when you go to talks when you go to 358 00:15:05,399 --> 00:15:08,480 presentations think about what people 359 00:15:06,930 --> 00:15:11,758 have done that have worked really well 360 00:15:08,480 --> 00:15:16,889 but when you do that just keep in mind 361 00:15:11,759 --> 00:15:18,240 that different kinds of situations have 362 00:15:16,889 --> 00:15:20,009 different goals in terms of what people 363 00:15:18,240 --> 00:15:22,309 are learning sometimes it's just about 364 00:15:20,009 --> 00:15:25,040 facts sometimes it's 
broad frameworks 365 00:15:22,309 --> 00:15:27,139 sometimes it's about behaviors and habit 366 00:15:25,040 --> 00:15:28,279 and you also have different kinds of 367 00:15:27,139 --> 00:15:29,449 audiences some of them are more 368 00:15:28,279 --> 00:15:33,050 technical some of them are less 369 00:15:29,449 --> 00:15:34,579 technical how familiar you are or how 370 00:15:33,050 --> 00:15:37,310 formal the setting is all make a 371 00:15:34,579 --> 00:15:39,380 difference so just be mindful if you see 372 00:15:37,310 --> 00:15:41,268 something that works really well it may 373 00:15:39,380 --> 00:15:47,290 only work really well for that kind of 374 00:15:41,269 --> 00:15:50,600 learning or for that kind of audience so 375 00:15:47,290 --> 00:15:52,310 hopefully either in a place if you're 376 00:15:50,600 --> 00:15:54,199 doing this kind of like teaching to 377 00:15:52,310 --> 00:15:58,130 others where you really want to support 378 00:15:54,199 --> 00:15:59,569 them in being successful and some good 379 00:15:58,130 --> 00:16:02,120 ways of making sure that you're really 380 00:15:59,569 --> 00:16:04,759 supporting them and that they have a 381 00:16:02,120 --> 00:16:06,290 much greater likelihood of succeeding 382 00:16:04,759 --> 00:16:09,829 and you have a much greater likelihood 383 00:16:06,290 --> 00:16:11,630 of not getting called to solve the same 384 00:16:09,829 --> 00:16:13,339 problem that you've solved like 12 times 385 00:16:11,630 --> 00:16:16,579 previously they may be a little sick of 386 00:16:13,339 --> 00:16:18,829 is figure out how you're actively going 387 00:16:16,579 --> 00:16:20,870 to support self-efficacy like be aware 388 00:16:18,829 --> 00:16:23,810 of like what people say when they're 389 00:16:20,870 --> 00:16:26,120 like oh I don't feel like I can do this 390 00:16:23,810 --> 00:16:29,420 and actually address it and help them 391 00:16:26,120 --> 00:16:31,910 figure out what is holding them back um 392 00:16:29,420 --> 
00:16:34,819 when something is hard like sometimes 393 00:16:31,910 --> 00:16:38,060 learning is hard to validate it don't 394 00:16:34,819 --> 00:16:41,300 say well I think it's easy one trick 395 00:16:38,060 --> 00:16:45,469 that I use a lot is saying yes it is 396 00:16:41,300 --> 00:16:47,000 absolutely hard now but once you've once 397 00:16:45,470 --> 00:16:48,769 you've done it a couple of times it's 398 00:16:47,000 --> 00:16:50,480 not going to feel hard like it's hard 399 00:16:48,769 --> 00:16:53,060 now but it's not going to be and that 400 00:16:50,480 --> 00:16:54,860 also helps set expectations because it 401 00:16:53,060 --> 00:16:56,510 may be a situation where if it continues 402 00:16:54,860 --> 00:16:59,269 to be hard for them they're doing 403 00:16:56,510 --> 00:17:00,410 something wrong and so this can also be 404 00:16:59,269 --> 00:17:01,940 a way of making sure that you're 405 00:17:00,410 --> 00:17:04,369 catching people who might fall through 406 00:17:01,940 --> 00:17:06,230 the cracks and it's also just generally 407 00:17:04,369 --> 00:17:07,819 good to be providing encouragement like 408 00:17:06,230 --> 00:17:13,939 we could all use a little encouragement 409 00:17:07,819 --> 00:17:16,339 from time to time so basically social 410 00:17:13,939 --> 00:17:17,319 engineering and education different 411 00:17:16,339 --> 00:17:21,319 goals 412 00:17:17,319 --> 00:17:24,619 don't don't normalize bad stuff don't be 413 00:17:21,319 --> 00:17:27,530 creepy it really helps when you know 414 00:17:24,619 --> 00:17:29,239 what you're trying to do so even if it's 415 00:17:27,530 --> 00:17:31,460 just like writing down point by point 416 00:17:29,240 --> 00:17:32,960 what your goals are what kind of things 417 00:17:31,460 --> 00:17:34,429 you want to cover what success looks 418 00:17:32,960 --> 00:17:36,490 like for you what success might look 419 00:17:34,429 --> 00:17:38,020 like for them all that can help you 420 00:17:36,490 --> 
00:17:42,160 put together something that's more 421 00:17:38,020 --> 00:17:44,370 likely to actually work and then just 422 00:17:42,160 --> 00:17:46,780 like be decent to the people around you 423 00:17:44,370 --> 00:17:49,780 it's not just about like being a nice 424 00:17:46,780 --> 00:17:52,000 person it also really does help and it 425 00:17:49,780 --> 00:17:53,800 really will make you more effective but 426 00:17:52,000 --> 00:17:56,340 you should also just be decent to people 427 00:17:53,800 --> 00:18:02,620 like it's not it's not that big an ask 428 00:17:56,340 --> 00:18:04,000 so that's it I am happy to take 429 00:18:02,620 --> 00:18:08,340 questions but I think I have like a 430 00:18:04,000 --> 00:18:11,830 minute and a half before I'm done but 431 00:18:08,340 --> 00:18:15,399 come find me afterwards I will be around 432 00:18:11,830 --> 00:18:16,750 and you should all stick around because 433 00:18:15,400 --> 00:18:20,200 the next talk looks really interesting 434 00:18:16,750 --> 00:18:24,640 and that's about a hire machine learning 435 00:18:20,200 --> 00:18:26,350 machine armor very different but clearly 436 00:18:24,640 --> 00:18:30,420 no one has taught me balling up from the 437 00:18:26,350 --> 00:18:30,419 newsroom is right now anyway thank you