"Repeat Offenders" in Cyber Security - Black Hat Europe Executive Summit 2021 Keynote
Repeat incidents are a common issue in cyber security, and this problem often gets framed as the people involved being "repeat offenders".
In November 2021, I gave a keynote at Black Hat Europe Executive Summit on so-called "repeat offenders" in cyber security, exploring phishing simulations, behavioural change, language, and the need for greater empathy and compassion in cyber security.
If you missed my keynote at the time, watch the (13 minute) video now or scroll down to read the transcript (and head right to the bottom of the page for more info) ⤵️
Hi I’m Dr Jessica Barker, co-CEO of the cyber security company Cygenta, author of the number one bestseller Confident Cyber Security and co-author of Cybersecurity ABCs. I’ve been working on the human side of cyber security for over ten years and today I’m speaking about Stamping Out “Repeat Offenders”.
What is the problem with so-called “repeat offenders”?
We can answer that question in two ways. The easy way, and the right way.
Let’s start with the simple answer.
Many people would say that the problem with “repeat offenders” is repeat incidents, or at least repeat near misses. I know that’s the topic of discussion that was in mind when I was approached to give this talk. Most accurately, I often find that the term repeat offender is actually used – in cyber security – to refer to people who repeatedly click links in phishing simulations.
So, what do we do about that? That is, of course, a long answer and something I’ve spoken about many times over the years. What we’re essentially talking about is influencing security behaviours, no doubt as part of developing a positive and proactive security culture. There’s lots to talk about here and it will, ultimately, come down to the specifics of the organisation. Perhaps there is a culture of massively prioritising productivity over security, or of sending masses of email at the drop of a hat, in which case, your so-called “repeat offenders” might be overwhelmed with email and tasks. Perhaps people just don’t get the issue with phishing emails, in which case you really need to take a critical look at your awareness-raising initiatives because they’re not doing what you need – perhaps they’re not tailored enough, not often enough or not explaining the why of security well enough. That’s a really common issue I see with awareness-raising – campaigns that tell people what to do – or, rather, what not to do – but which miss the most crucial point: why. If you want people to change their behaviour, you need to show them why it matters.
If we’re talking about so-called “repeat offenders” in terms of phishing simulation clicks, I have to ask why there is a such a focus on phishing simulations and specifically on clicks in phishing simulations. When it comes to behavioural change, it is far more effective to focus on the behaviours you want – rather than punishing people who repeatedly click in phishing simulations, try rewarding people who repeatedly report phishing simulations (and the real thing). Make some noise about those rewards and why you’re doing it. People will always click; but you want people to report more than anything else. I also encourage the organisations we work with to take a more nuanced approach to clicks in phishing simulations – how long does it take people to click? Are there certain triggers in a phish which are more likely to prompt a click? A certain day of the week or time of day?
My second piece of advice with phishing simulations is not to use them to train people. This is essentially using a test, even sometimes a trick, to try to positively influence long-term behavioural change. It is not symbolic of a positive security culture; in fact, it is usually a sign of an ‘us and them’ security culture in which the people in an organisation as seen as “the weakest link”. Instead, use phishing simulations as one of many metrics to see whether your awareness-raising is working.
So, that’s the first way of answering the question: what is the problem with repeat offenders? Now to the real answer. The answer that gets to the root of the issue.
The problem with “repeat offenders” is with the term “repeat offenders”. The true definition of a repeat offender is “someone who commits the same sort of crime more than once”.
When you call someone a “repeat offender” in terms of security in your organisation, are you seriously saying that they have repeatedly committed a crime?
While preparing for this talk in October 2021, I searched news stories for the term “repeat offenders”, and I saw articles on domestic abusers, child abusers, racists and violent criminals. Do you really want to use the same terminology to label your colleagues?
And to be clear here, we’re not talking about the occasional malicious insider. We’re talking about the majority of folks in an organisation who want to do a good, or at least a decent, job and who don’t want to cause problem for their employer.
I was recently working with a client on so-called repeat offenders in their organisation and they came up with a great analogy that evolved in my mind in the days following the conversation. The analogy was a child playing in their room and accidentally knocking over a glass of water. My client’s argument was, if it happened once, you wouldn’t be annoyed, but if it happened repeatedly, you might expect the child to learn and be more careful. It’s a great analogy. For me, it sparked loads of further questions: rather than expecting the child to learn and be vigilant whilst also trying to play, couldn’t the glass of water be placed somewhere else? Could the water go in a drinking cup or a bottle so it doesn’t spill? Maybe a waterproof mat could be used in the play area so any spills are contained (that’s a reference to data segmentation, just in case it wasn’t clear). Essentially, instead of trying to attribute blame, we could look at the whole scenario and work out, to paraphrase Sydney Dekker, what went wrong rather than who is at fault. That way, we deal with the actual underlying cause rather than, most likely, just making the problem worse.
I quote Sydney Dekker because his work on a Just Culture is vital here. Dekker’s work explores the importance of a restorative just culture, in which the root cause of incidents is explored, rather than a retributive culture in which people are blamed. What happens in the latter? Of course, you don’t see a decline in incidents, you just see a rise in people hiding incidents.
What are the most important objectives when dealing with influencing behaviours in security?
We want people to listen to us
We want people to communicate with us
We want people to trust us
We want to be able to trust people
We really, really, really want people to report incidents!
Let me ask another question: Why do we hold people to such high standards? What about your “repeat offending” technology? Instead of being annoyed with people who repeatedly click links in phishing emails, take a look at the technical solutions you have in place to filter out your phishes. Or the awareness-raising training platform that is meant to be helping people be more secure.
I’ve been giving keynotes on the problem with calling people “the weakest link” in security for most of my ten-year career in security. To begin with, there were only a few of us so vocally going against the tide. Now, most people would – I hope – agree that we shouldn’t call people the weakest link. And yet we think it’s ok to call people “repeat offenders”? Not only is it de-humanising, it is actually part of a narrative that makes it harder to engage people in being part of the solution in security. Labelling people as the problem, makes them more of a problem.
We don’t just need to change the words we use; we truly need to change our whole approach to people. We’ve been talking about a people-centric approach to security for a while. It’s about time we made it happen.
The answer is empathy and compassion. As a way to tackle so-called “repeat offenders” in an organisation and as a way to tackle the negative narrative we have around people in security. If we had empathy and compassion in security, it would never occur to us to call people the weakest link or to refer to them as repeat offenders.
Why empathy and compassion? Empathy is where we imagine being in the place of the other person, we put ourselves in their shoes. Empathy is emotional and compassion is more cognitive, more focused on the help we can offer. When it comes to empathy, we feel what the other is feeling and so empathy alone can drain our own energy and resources. Empathy and compassion combined enables us to feel what another is feeling with an authentic desire to take action to help. The combination of the two is better for us and better for the other person.
Of course, if people are repeatedly ignoring security advice and either being malicious or wilfully negligent, that needs to be dealt with. That goes beyond being just a security problem into a HR or people management problem.
But maybe, this is a cultural issue. Most people want to be secure. Most people want to do a good job, or at least not a bad job. At Cygenta, our cyber security culture assessments of organisations consistently find patterns in which security values and awareness are high, perceptions and behaviours are not. And where people are consistently engaging in weak security behaviours, it is usually due to one of three common issues:
Perceptions of security as a blocker / the department of no – behind this is generally a failure of the security team to explain the ‘why’
Perceptions of security not being a priority in the organisation, for example an organisation that values productivity over security – led from the top
Perceptions of a retributive culture (so people don’t report incidents) as opposed to a restorative just culture, where people know that reporting incidents will lead to an investigation of what went wrong – to stop it happening again – rather than who is to blame – to punish them
And you know what language is at the heart of a retributive culture, the kind of culture that drives weaker security behaviours? Yep, you've got it: “repeat offenders”.
For More Information
Sydney Dekker's book Just Culture: Restoring Trust and Accountability in Your Organization
Cygenta Human Services
The book I co-authored Cybersecurity ABCs: delivering awareness, behaviours and culture change