Why is the security industry so full of fail? We spend millions of dollars on firewalls, IPS, IDS, DLP, professional penetration tests and assessments, vulnerability and compliance tools, but at the end of the day, the weakest link is the user and his or her inability to make the right choices. It's enough to make a security professional cry. The one thing you can depend upon in an enterprise is that many of your users, even with training, will still make the wrong choices. They will violate BYOD restrictions, click on links they shouldn't, respond to phishing scams, open documents without thinking, post too much information on Twitter and Facebook, use their pet's name as passwords, etc. But what if this isn't because users hate us or are too stupid? What if all our ignored policies and procedures regarding the best security practices have more to do with our failure to understand modern neuroscience and the human mind's resistance to change? Humans are wired to be emotional beings. These emotions influence most of our decisions, both good and bad. In failing to understand how this is at the root of user non-compliance, no matter how much money we spend on expensive hardware and software, we will fail to achieve the goal of good organizational security. With a goal of understanding human behavior, the session will combine concepts from applied neuroscience with physical and interactive exercises based upon the principles of mindfulness and martial arts.

1. A New Model: Advancing Organizational
Security Through Peacebuilding

2. Who Are We?
Michele Chubirka, aka "Mrs. Y.,” host and official nerd stalker of
the information security podcast, Healthy Paranoia.
www.healthyparanoia.net
chubirka@postmodernsecurity.com
@MrsYisWhy
Joe Weston, workshop facilitator, consultant, and author of the
book Mastering Respectful Confrontation. Also founder of the
Heartwalker Peace Project.
heartwalker@joeweston.com
http://www.respectfulconfrontation.com/

3. Who We Aren’t

4. How engaged can you be today?

5. Introductions and Background

6. Language of Violence and Fear
 Taxonomy of information security is borrowed from the
language of war.
 How does this impact the user community?
 How does this affect our lives?
Does it make us better at security?

7.  18% of users will visit a link in a phishing email (Verizon
2014 Data Breach Investigations Report).
 86% of organizations have at least one high-risk
application (Check Point Security Report 2014).
 37% of Americans are not concerned about computer
viruses and spam. 27 % were “somewhat concerned.” The
numbers are similar for online banking and shopping.
(Unisys Security Index)
 2013 was the “Year of the Breach” with compromises at
Target, Neiman Marcus, Michaels, New York Times, and
the Washington Post. The human was the attack vector.

8. According to Sophos study, only 4% of IT
staff trust their users

9. Maybe Users Aren’t Stupid
 We spend millions of dollars on security products.
 The weakest link is the user.
 Even with training, users make the wrong choices.
 What if the problem isn’t about the user, but us?

10. FUD Doesn’t Work
What does?
 Leadership
 Engagement
 A “why” message.
 Build and develop relationship for user
buy-in.

11. Demo:
How Users See Us

12. "If you don’t understand
people, you don’t understand
business….”
-Simon Sinek

13. Or security

14. State of the Workplace

15. An "engaged employee”
 Is enthusiastic about work.
 Furthers the organization's reputation and interests.

16. 70% of American workers are “not
engaged” or “actively disengaged”
- Gallup’s 2013 State of the American Workplace

17. Stress
79 % of IT staff consider quitting due
to job-related stress.
-From GFI Software’s 3rd Annual IT Admin Stress Survey

18. Employee Engagement Matters

19. “Leadership is not a rank, it’s a
decision.”
-Simon Sinek

20. Group Exercise

21. Power and Leadership in the
21st century

22. Key Areas to Balance for
Successful Leadership
 Productivity
 Relationship
 Self Care

23. “Human beings have discretionary energy, and
they would give it to you if you treat them with
dignity and respect.”
-Paul O’Neill, former Treasury Secretary of US
under George W. Bush

24. When one moves into their vulnerability,
their true power is revealed.

29. Brain RTFM

30. "The human brain hasn't had a hardware upgrade in about
100,000 years."
Daniel Goleman, Author of Emotional Intelligence

31. Neuroscience 101
Limbic System: The interior of the cortex, includes the hippocampus and
amygdala. Supports emotion and long-term memory.
Prefrontal Cortex: Region responsible for planning, decision making and
moderating behavior.
Think of the limbic system to the prefrontal cortex as a horse is to a rider.

32. Demonstration: A Brain In the
Palm of Your Hand
 Hold up your hand and make a fist.
 This is a good representation of the brain and
spinal column.
 The brain stem, limbic system and neocortex.
* These two slides are oversimplifications of a very complex
system.

33. The Threat Response: Step 1
Cortex receives input from the thalamus, a component of
the limbic system responsible for sensory information and
pain perception.

34. The Threat Response: Step 2
Limbic system and prefrontal cortex (the executive or
evaluator of the brain) take in data simultaneously.

35. The Threat Response: Step 3
Amygdala, responsible for emotional response and
memory, acts as an alarm activating the fight/flight
hormonal response if threat is perceived.

36. The Threat Response: 4
Sympathetic nervous system sets up organs and muscles
for fight/flight response, inhibiting digestion and the
hypothalamus prompts the release of stress hormones.

37. Emotional Contagion
 Limbic system is an “open loop,” influenced by other
people’s emotions, aka mirror neurons.
 Mirror neurons activate when an animal performs an
action or when an animal observes the same action of
another animal.
 Basis of empathy.
 Also called emotional contagion.

38. The Power of Mirror Neurons
Researcher Marie Dasborough observed two groups:
 One group was given negative feedback accompanied
by positive emotional signs, nods and smiles.
 Another was provided positive feedback that was
delivered using negative emotional cues, frowns and
narrowed eyes.

39. Entrainment
 Those receiving positive feedback with negative
emotional signs felt worse than those receiving
negative feedback given with positive emotional cues.
Your emotions and actions are mirrored
by those around you.

40. Negativity
 The brain has a negativity bias because the limbic
system is quicker than the prefrontal cortex when
evaluating threat.
 Traumatic experiences are “stickier” than
positive, happy experiences, i.e. harder to un-map.
 It takes five to twenty seconds for positive experiences
to register in the brain.

41. No Escape From Threat
 Negativity is useful for a species to evolve.
 Most are in a permanent state of cortisol overload due
to the constant stressors of modern life.
 Stress hormones stay in the body for hours.
 Decreases intellectual capacity, memory and lowers
impulse control.
Stress makes you stupid.

42. Amygdala Hijack
Intense and immediate emotional reaction, followed by the
understanding that it was inappropriate.
 I thought that stick on the ground was a snake!
 I don’t like you or I’m bored, so I won’t cooperate or listen to
what you have to say.
 That guy who cut me off in traffic was trying to kill me!
 Why were you so insulting to me in that email yesterday?
(studies show there’s a negativity bias in email.)
 Other examples?

43. Thin Slicing: Warren Harding
Syndrome
 Human beings make quick decisions based on intuition.
 “Love at first sight” or a “gut reaction.”
 Called “Thin Slicing” or “Fast Thinking.”
 Example is “Warren Harding Syndrome.”
 A mediocre presidential candidate, Americans voted for
him , because he was tall, good looking and charming.

44. Harding has been
called one of the
worst presidents in
history.

45. Thin Slicing: Bedside Manner
 The likelihood of a doctor being sued doesn’t correlate
with the number of errors made.
 Psychologists can predict which doctors will be sued.
 They analyze the amount of time spent with patients
and if the tone of their voices sounded “concerned.”

46. There’s No Mr. Spock
 Neurologist, Dr. Antonio Damasio, had a patient who
had been a successful corporate lawyer.
 A tumor was discovered in his prefrontal lobes.
 When removed, the circuit between this area and
amygdala was severed.

47. Somatic Marker
 No damage to his cognitive abilities, but his life fell
apart.
 He couldn’t make decisions when presented with
simple choices.
 He no longer had any feelings regarding options, no
preferences.
 Basis for the Somatic Marker Hypothesis, a theory that
emotions assist with decision-making.

48. It is a gross
misconception that
reason can be
completely separated
from emotion.
Bounded Emotionality

49. Connections Matter

50. Big Brains Are Social
 Anthropologist Robin Dunbar found that a species’
brain size is linked to the size of its social group.
 We have big brains in order to socialize.

51. We’re Wired for Empathy
 In brain’s non-active moments, it reverts to a
configuration called the “default network.”
 According to researcher, Matthew Lieberman, this
resembles the social thinking brain, which is empathetic.

52. Is Efficiency Overrated?
 Study conducted by Gillian M. Sandstrom and
Elizabeth W. Dunn of the University of British Columbia.
 People who “smiled, made eye contact, and talked with
the cashier” at a coffee shop reported better moods
than those who avoided interaction.
 Small interactions with others can create a feeling of
connection according to researchers.

53. The Message Matters

54. “People don’t buy what you do,
they buy why you do it."
- Simon Sinek

55. Golden Circle

56. The Golden Circle + Human Brain

58. Security’s Golden Why
Security as stewards of an
organization’s reputation and
customer trust.

59. Delivering the Message

60. You’re the Threat
 The WAY we present information is just as important as
the WHAT.
 In the first few minutes we interact with someone, we’re
being assessed for threat.

61. “How To Break a Terrorist”
Interrogator, Matthew Alexander discovered that building
rapport with prisoners in Iraq was the most effective
interrogation method, not torture.

62. “The quickest way to get most (but not all) captives talking
is to be nice to them.”
Mark Bowden, author of Black Hawk Down

63. Effective Social Heuristics
Rule of thumb, experience-based problem solving
 Tit for Tat:
1. Be kind first, keep a memory of size one, and imitate your
partner’s last behavior.
2. Only the last behavior is remembered and imitated.
3. Political scientist Robert Axelrod found this to be the most
frequently winning strategy.
 Don’t Break Ranks

64. FBI’s Tips for Building Relationship
1. Understand the other’s priorities and goals.
2. Place their needs ahead of yours.
3. Listen without formulating your reply. Let the other person talk.
4. Ask for thoughts and opinions.
5. Suspend your ego, avoiding judgment and criticism.
Robin Dreeke oversees the FBI’s Counterintelligence Behavioral Analysis Program and author
of "It’s Not All About Me."

65. Experiment
Draw the letter “e” in the air in front of
you.

66. Methods of Engagement
• Interaction based on Emotional Intelligence: self-
awareness, self-regulation, empathy, and motivation.
• Social engineers and con artists use the same skills to
create emotional and social affinity with a target.
• Conflict resolution methods.

67. “We have to face the fact that either all of us
are going to die together or we are going to
learn to live together, and if we are to live
together we have to talk.”
- Eleanor Roosevelt

68. Communication Models Based On Empathy
 XYZ model
 NVC
 Respectful Confrontation

69. Marshall Rosenberg’s Non-
Violent Communication
 Facts or observations
 Feelings
 Needs or what’s “alive”
 Request

70. Joe Weston’s Respectful
Confrontation
 Behavior
 Impact
 Need
 Make a request

71. "Niceness can be a dodge to avoid engaging in
unpleasant interactions."
-Bill Kahn, Ph.D.

73. What’s Really Going On?

76. Goals
 Learn about empowered, collaborative
engagement.
 Reframe views on confrontation, assertiveness,
and true power.
 Achieve greater self-confidence, personal
freedom, fulfillment, and peaceful interactions
with others.

77. My truth ≠ The truth

78. Respectful Confrontation
 The practice of developing the respectful self
 The practice of respectful engagement
 The practice of respectful offense
 The practice of respectful defense

79. 3 F’s
Fight
Flight
Freeze

81. “Hmm, I’d like a cup of tea…”

82. 5 Steps of Clear
Communication
1. Contact with yourself
2. Contact with other
3. Desire/Impulse
4. Act of communication
5. Received message

83. True power = Brute force
Confrontation = Conflict
Assertiveness = Aggression

84. Brute force ≠ true power

85. Four Pillars of True Power
Grounding
Focus
Strength
Flexibility

86. Conflict ≠ confrontation

87. “Courage is what it takes to stand up
and speak. Courage is what it takes to
sit down and listen.”
- Winston Churchill

88. 1 : FIGHT, BATTLE, WAR 2 a : competitive or opposing
action of incompatibles : antagonistic state or action (as of
divergent ideas, interests, or persons) b : mental struggle
resulting from incompatible or opposing needs, drives,
wishes, or external or internal demands; see DISCORD
Conflict

89. Confront
con·front 1 : to face especially in challenge : OPPOSE 2
a : to cause to meet : bring face-to-face <confront a reader
with statistics> b : to meet face-to-face : ENCOUNTER

90. Respectful Confrontation
Definition
CONFLICT: an encounter that leads to the
further separation of individuals, the
breakdown of relationship, and the
disempowerment of the other.

91. Respectful Confrontation
Definition
CONFRONTATION: an encounter that
leads to individuals coming closer together,
deepening of relationship, and the
empowerment of all involved.

92. “If you fear making anyone mad, then
you ultimately probe for the lowest
common denominator of human
achievement.”
- Former President, Jimmy Carter

96. Aggression ≠ Assertiveness

97. Aggressive
1 a: tending toward or exhibiting aggression <aggressive
behavior> b: marked by combative readiness <an
aggressive fighter>
2 a: marked by obtrusive energy b: marked by driving
forceful energy or initiative : enterprising <an aggressive
salesman>
3: strong or emphatic in effect or intent <aggressive colors>
<aggressive flavors>
4: growing, developing, or spreading rapidly <aggressive
bone tumors>

98. Assertive
1 : disposed to or characterized by bold or confident
assertion <an assertive leader>
2 : having a strong or distinctive flavor or aroma
<assertive wines>

99. Respectful Confrontation
Definition
AGGRESSION: any
behavior, action, remark, gesture, or facial
expression that impacts another with the
goal to disempower and/or is received by
the other in a harmful, threatening way.

100. Respectful Confrontation
Definition
ASSERTIVENESS: any behavior, action,
remark, gesture, or facial expression that
impacts another with the goal to empower
and/or is received by the other in a positive
way.

101. Respectful Offense:
Giving Feedback
1. Prepare (come with facts, times, dates).
2. Make contact. Be sure it is a good time and place.
3. Introduce the topic. Let the other know why you are having this conversation
4. Share what you have NOTICED about the behavior in question. Give
examples.
5. Express how it affects you (feelings, state of being, unmet needs)
6. Identify desired need. Be open to listen to the need of the other.
7. Mention the desired behavior and collaborate on solutions.
8. Sum up. Make clear goals, agreements for the future, and how to follow up.
9. End the confrontation.

102. Important Feedback Points
 You are addressing someone’s BEHAVIOR, not them
as a person.
 You MUST share how their behavior affects you,
otherwise you are not giving feedback, you are
criticizing.
Name, behavior, effect, need, desired behavior,
followup

103. “With realization of one’s potential, and self-confidence in
one’s ability, one can build a better world.”
- His Holiness the Dalai Lama

104. “Water is fluid, soft, and yielding. But water will wear away
rock, which is rigid and cannot yield.... what is soft is
strong.”
- Lao Tzu

105. http://www.respectfulconfrontation.com/

106. Key Takeaways
 Bad trumps good in the human brain.
 You can’t turn your emotions off, they’re critical for
decisions.
 We’re all responsible for the quality of the emotional
landscape.
 Stress makes you stupid, by shutting down blood flow
to the pre-frontal lobes.
 If you set off a stress response in someone, you
minimize the chance of having a rational dialogue.
 Confrontation isn’t always negative. Resistance to
change can be valuable feedback.

107. Cyber Peace
 Peaceful doesn’t mean passive.
 Peace isn’t the absence of war or conflict.
 Violence isn’t always physical. There are subtle ways to
commit harm.
Stop blaming the victims and work in partnership with
our users to empower each other in our mutual goal
of security.

108. Where Can You Find Us?
Michele Chubirka, spending quality time in kernel mode.
http://www.healthyparanoia.net
Twitter @MrsYisWhy
Google+ MrsYisWhy
networksecurityprincess@gmail.com
Joe Weston, writing and teaching workshops.
http://www.respectfulconfrontation.com/

109. References
Chubirka, Michele. "Is Cyber Security a Form of Violence." Web log post. Packetpushers. Packetpushers, 31 Jan. 2012. Web.
Esfahani Smith, Emily. "Social Connection Makes a Better Brain." The Atlantic 29 Oct. 2013: n. pag. Print.
Goleman, Daniel, and Richard Boyatzis. "Social Intelligence and the Biology of Leadership." Harvard Business Review Sept. 2008: 74-81.
Print.
Goleman, Daniel. Working with Emotional Intelligence. New York: Bantam, 1998. Print.
Hanson, Rick, and Richard Mendius. Buddha's Brain: The Practical Neuroscience of Happiness, Love & Wisdom. Oakland, CA: New
Harbinger Publications, 2009. Print.
Kryder, Suzanne. The Mind to Lead. N.p.: NeuroLeap, 2011. Print.
Luders, Eileen, Florian Kurth, Emeran A. Mayer, Arthur W. Toga, Katherine L. Narr, and Christian Gaser. "The Unique Brain Anatomy of
Meditation Practitioners: Alterations in Cortical Gyrification." Frontiers in Human Neuroscience 6.34 (2012): 1-9. Print.
O'Connell, Andrew. "HBR Blog Network / The Daily Stat." Harvard Business Review. Harvard Business Review, 30 Oct. 2013. Web. 02 Nov.
2013.
Pink, Daniel H. Drive: The Surprising Truth about What Motivates Us. New York, NY: Riverhead, 2009. Print.
Pink, Daniel. "Why Bosses Need to Show Their Soft Side." The Telegraph 17 July 2011: n. pag. Print.
Rosenberg, Marshall B. Nonviolent Communication: A Language of Life. Encinitas, CA: PuddleDancer, 2003. Print.
Siegel, Daniel J. The Mindful Brain: Reflection and Attunement in the Cultivation of Well-being. New York: W.W. Norton, 2007. Print.
Weston, Joe. Mastering Respectful Confrontation: A Guide to Personal Freedom and Empowered, Collaborative Engagement. Emeryville,
CA: Heartwalker, 2011. Print.
Zehr, Howard. The Little Book of Restorative Justice. Intercourse, PA: Good, 2002. Print.