1. © EXPRESSWORKS
It’s not just about the Technology,
it’s also about the Psychology
Speakers:
Hend Ezzeddine, Ph.D
Cyber security Practice Director
Flora Moon
Sustainability Practice Director
Bsides Austin
March 2016

2. © EXPRESSWORKS
Agenda
Why does the psychology of
security matter?
What are the pitfalls that
hackers exploit?
How to apply behavioral change
to reinforce cyber resilience?

3. Focusing on Results
• Accomplish the original (business) intent
• Achieve Return on Investment (ROI) goals
• Align behaviors and actions to business results
• Deliver value without destroying potential future value
• Develop the capacity to adapt more quickly to change
• Create higher expectations for future projects
• Strengthen the organization’s competitive position
Delivering Expertise
Our network of 120 change and learning
consultants leverage their years of
experience on change projects.
• Avg. experience: 17 years
• Avg. Expressworks tenure: 8 years
• 52% with a Master or PhD degrees
• 58% with “Big 5” experience
Creating Meaningful Sustainable
Change within Your Organization
Our collaborative approach allows us to
leverage our expertise with your keen
knowledge of your business and your people.
Aligning with Your Unique Culture
We’re not afraid to roll up our sleeves. We help you
get your arms around the actual work of change,
translating high-level strategy into concrete
outcomes that make sense in your organization.
Average over 200 Projects Each Year
Our consultants are working in Chevron, Shell, Phillips 66, Adobe and
USAA; and in Australia, the Philippines, Indonesia, Nigeria, Angola,
Thailand, the UK and the US.
1984 1990 Today
Founded in 1984
with a commitment to sustainable
change in diverse environments.
Guided by a Change Methodology
developed by Expressworks, following a multi-client
research project on successful implementation of change
01Change
Implementation
Expertise
04Results
03
Trusted
Collaboration
02
Adaptive
About
Expressworks

4. © EXPRESSWORKS
Who we are
• Hend Ezzeddine, Ph.D
Hend is the Cyber security Practice Director at
Expressworks, a change management
consultancy. She has over 10 years of
experience helping clients implement and
adopt cutting edge IT solutions.
Her focus is on designing organizational
capabilities that enable a complete business
transformation and maximizes ROI of major IT
Programs. In the Cybersecurity space, Hend's
work is primarily focused on the human
element and leverages cognitive behaviors to
reduce user errors and establish safer
behaviors.
She holds a Ph.D in Organizational Design
and Innovation Management. Hend is the
author of a number of scholarly articles and
blogs on various topics.
• Flora Moon
Flora Moon has been engaged in designing
user experience for her entire multi-decade
career.
As a filmmaker she engaged audiences with
award winning content. In high technology she
was part of the start up team that brought high
speed internet service to Houston.
As a management consultant she has been
responsible for user experience and insights
for web technologies and ERP systems.
Currently a Senior Manager for Expressworks,
a change management consultancy that helps
clients navigate systemic and culture change,
Flora has led change management strategy
and execution for enterprise programs since
2008.

5. © EXPRESSWORKS
Why does the psychology of
security matter?

6. © EXPRESSWORKS
Human vs. Technology: Who wins?
Technology
Training and
communication
Users

7. © EXPRESSWORKS
Human error was behind the Target data
breach and the user wasn’t even a
Target employee
Target suffered 440 million
dollars in revenue
losses as a result of
lowered consumer
confidence from the hack.

8. © EXPRESSWORKS
Who is your user?
Your tech savvy user who is
excellent at taking shortcuts
Your not so tech savvy user who
is doing his best, yet…

9. © EXPRESSWORKS
Let’s look at the facts
66%
Former and current
employees
84%
Nature of security incidents
Non-technical
90%
Could anything have been done?
Data breaches are preventable
Source of cyber security incidents

10. © EXPRESSWORKS
What are the pitfalls that hackers
exploit regularly?

11. © EXPRESSWORKS
Hackers play on humans’ emotions and
exploit their psychological and cognitive
pitfalls
If they follow a script, for
instance, I know they’re
a low-level employee or
recently hired. And
they’re the types of
employees we can
exploit.
Former Hacker
“
”

12. © EXPRESSWORKS
Deception is more of a science than an
art…
Cognitive
science
Psychology
Behavioral
Economics

13. © EXPRESSWORKS
What hackers try to exploit…
BEHAVIORAL ECONOMICS:
• Most people are less afraid of a
risk they choose to take vs. a
risk that has been imposed on
them
• Most people are willing to take a
risk if they believe that it also
provides them with some sort of
benefits (framing effect)
A penetration test
targeted the finance
directors of 500
publicly-quoted
companies. They
were sent a USB
memory stick as
part of an
anonymous
invitation saying
‘For Your Chance to
Attend the Party of
a Lifetime’; 46%
of them put it into
their computers

14. © EXPRESSWORKS
What hackers try to exploit…
PSYCHOLOGY:
• Most average users really want
to be helpful and the illusion of a
reason is as effective as a valid
reason
• Most users respond obediently
to authority, hence the
effectiveness of “CEO fraud”
type of attacks
According to the US
Federal Bureau of
Investigation,
CEO Fraud has cost
businesses around
the globe more than
$2bn in little over two
years.

15. © EXPRESSWORKS
What hackers try to exploit…
COGNITIVE SCIENCE:
• Frequent changes to a
memorized item interfere with
remembering the new version of
the item
• When required to change their
passwords, users tended to
create passwords that followed
predictable patterns, called
“transformations”
An attacker who
knows the previous
password and can
carry out an offline
attack can guess the
current password for
41% of accounts
within 3 seconds per
account.

16. © EXPRESSWORKS
What does it mean to think like a
Hacker?
Psychology
of security
Cognitive
Patterns
Actions/
Behaviors

17. © EXPRESSWORKS
How to apply Behavioral Change
to reinforce cyber resilience?

18. © EXPRESSWORKS
Cyber resilience is often a balancing act
Security
behaviors
Human
errors
The most successful
results are exhibited
when we take a
system approach
where the “human in
the loop” is at the
heart of the cyber
security initiative

19. © EXPRESSWORKS
How to design a cyber resilience framework
around behavioral change?
Leadership
commitment
Organizational
structure
Operating
model
Talent
management
Culture
 How to get the board
and the C-suite to
demonstrate
commitment?
 How can you guide
them to support you?
 What’s the best
organizational structure
for your initiative?
 How to empower
employees to make the
right decisions at the
right time and level?
 Do you have a clear
cross-functional
cooperation model?
 Do you have clear
cyber security
activities?
 Why is culture key to
your success?
 How to develop a
strong cyber security
culture?
 What are your needs in
terms of skills and
resources?
 How to train and retain
the right talent for cyber
security?
This material is protected by copyright. No further reproduction or distribution is allowed without explicit permission from Expressworks.

20. © EXPRESSWORKS
How to leverage behavioral science to
reduce human error and reinforce safe
behaviors?
Design to reduce
human errors
Maintain compliance by
reinforcing the right
behavior
Train users to recognize
Cyber threats
Perceptual learning:
Consider training specific
visual skills to develop users
ability to recognize cyber
threats and extract meaningful
patterns instantaneously.
Human Performance
Engineering:
Consider which type of security
warnings will be most effective
in triggering the right behaviors.
For example, active warnings
will require the user to
deliberately decide accessing a
web site or downloading an
attachment.
Choice architecture:
Consider minimizing decision-
making when users are trying to
focus on their day to day tasks
by defaulting external emails to
be filed as spam.
Social proof:
Consider communicating the %
of people who are compliant to
motivate users to comply.

21. © EXPRESSWORKS
Once people adopt the right behaviors,
complying with cyber security will become a
second nature
I have diversified work
assignments and
access to the right
training.
I understand our
cybersecurity solution
and how to measure its
effectiveness.
I own cybersecurity for
myself and my
organization
I feel empowered to make
the right decisions and
can access the C-
suite/board as needed

22. © EXPRESSWORKS
Contact Information
Visit our website: http://www.expressworks.com/
Email us
hendezzeddine@expressworks.com
floramoon@expressworks.com