Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2FzyYux.
Masha Sedova talks about how to measure an organization's current security culture and how to define where to go. She looks into techniques and case studies of how to begin to shape an organization’s security culture to become more resilient and enable people-powered security. Filmed at qconsf.com.
Masha Sedova is co-founder of Elevate Security delivering the first people-centric security platform that leverages behavioral-science to transform employees into security superhumans. Before Elevate, she was a security executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers.
Watch the video with slide synchronization on InfoQ.com: https://www.infoq.com/presentations/techniques-security-culture/
Presented at QCon San Francisco
www.qconsf.com
4. Elevate Security 2
About me
● Built and ran Salesforce trust engagement team
● Co-Founder, building the Behavioral Security Platform
● Passionate about the intersection of security & behavioral science
● Cyber Analyst for defense community
9. Elevate Security 7
What is culture?
Behavior
Artifacts
Beliefs
Values
Assumptions
Experiences
“The way we do things around here....”
Our experiences shape our beliefs, values, assumptions
Our behaviors are driven by beliefs
21. Elevate Security 19
The Five Whys - Example
Problem Statement:
My car battery is dead
1. Why? – The alternator is not functioning.
2. Why? – The alternator belt has broken.
3. Why? – The alternator belt was well beyond its useful service life and has never been replaced.
4. Why? – I have not been maintaining my alternator belt according to any recommended service schedule.
5. Why? – I didn’t realize this had to be done.
22. Elevate Security 20
Investigate Root Cause
● Can this be solved with technology?
Do it! Changing mindset is the hardest way to go about enforcing change.
● “I didn’t realize that security was part of my job.”
Communication, marketing, awareness campaigns
● “I didn’t know what to do about it.”
Training and skills
● “I didn’t have the resources or support to do it.”
Management alignment
● “I didn’t want to.”
Gamification and incentives
25. Elevate Security 23
Behavior change model (*Dr. BJ Fogg)
[Figure: Motivation (Low to High) plotted against Ability (Hard to Easy), with regions labeled "Triggers Fail" and "Triggers Succeed"]
27. Elevate Security 25
Security action can be simplified
Scale: HARD to EASY
● Have secure passwords for all sites: Remember 20 unique characters across 40+ sites / Install a password manager
● Stop tailgating: Install a man-trap or in/out badging / Social accountability
● Report suspicious activity: Look up correct email, reporting guidelines & send / Install a “report” button
28. Elevate Security 26
What about things that are hard to do?
[Figure: behavior change model (*Dr. BJ Fogg): Motivation (Low to High) plotted against Ability (Hard to Easy), with regions labeled "Triggers Fail" and "Triggers Succeed"]
30. Elevate Security 28
What motivates us?
“People will do things because they matter, they are interesting, part of something more important.”
Daniel Pink, Drive
31. Elevate Security 29
How to Create Positive Motivation
Competition, Altruism, Access, Achievement, Status
33. Elevate Security 31
Social proof in security
Control: “Keep Your Account Safe. You can use security settings to protect your account and make sure it can be recovered if you ever lose access.”
Social context: “Keep Your Account Safe. 108 of your friends use extra security settings. You can also protect your account and make sure it can be recovered if you ever lose access.”
1.36x more successful when using social proof
37. Elevate Security 35
Takeaways
● Understand your security culture
● Assess if it's a positive or negative security culture
● Identify the blockers to positive security culture
● Reinforce and motivate positive behaviors