Security on the Brain
Using Human Psychology to Achieve Compliance

ISSA-UK Transport Security Expo Workshop 2013
Adrian Wright
CEO Secoda Risk Management
Board & VP Research ISSA-UK
Human Psychology in Risk & Security
1. Risk Factors presentation – 10:00
2. Workshop 1 – group exercise – 10:30
3. Compliance Factors presentation – 11:00
4. Workshop 2 – group exercise – 11:30
5. Debate and closing remarks – 12:00
How I arrived here
• 20 years in IT Risk and Security – trying to make people aware and compliant
• CISO Reuters 9 years: 17000 staff, 250,000 systems, 142 countries
• Observed that some strategies work – and many that don’t…
• Like Penicillin, some successes are discovered by accident
• Follow-up research with security associations and CISO surveys
• Incorporated useful NLP & psychology strategies
• This is the story so far and proven strategies shown to actually work…
It’s all about people
• Need for security never been greater
  – Critically dependent on information
  – Mandated by regulators, PCI, customers
  – No fallback option
  – Threats, vulnerabilities & losses growing
• Easy to convince ourselves it’s a tech issue
  – Encryption, DLP, pen testing, patching will fix it?
  – Hackers & fraudsters
  – Investment in tech security measures growing

Information security just isn’t sexy
• Especially the non-tech HR-sounding bits…
• It’s all doom and gloom
• It’s a cost centre, not a profit centre
• Gets in the way of business progress
• We’ve become used to all the problems
  – News full of breach stories every day
  – Post PRISM the bar is permanently lowered…
  – "If we once accept the unacceptable, the unacceptable becomes the norm"

“We struggle with getting management and staff to accept that their behaviour must be modified in order to improve security practices.”

[Security Survey Respondent, Manufacturing industry, Western Europe]
Causes of data loss breaches
Most from non-technical errors

[Pie chart, DataLossDB.org – http://datalossdb.org/statistics: breakdown of breaches by cause, in three groups. Non-technical breach: snail-mail, document disposal, fraud, email, lost media, lost document, lost tape, lost drive, lost laptop, stolen media, stolen document, stolen tape, stolen drive, stolen laptop, stolen computer, misc loss/disposal (<1%). Technical breach: virus, hacking, web. Unknown. The individual percentages did not survive extraction.]

Nearly 60% of losses are due to procedural error, carelessness, failure to adhere to policies etc.
Human Perceptions of Risk
“Security is both a feeling and a reality. And they’re not the same” Bruce Schneier
How well do we assess risk?
National Safety Council – whole USA statistical averages:
One year odds of dying (USA) as a direct result of:
• Air / space transport accident – 1 in 502,554
• Automobile incident – driver/occupant – 1 in 20,331
• Automobile incident – pedestrian – 1 in 48,816
• Hit by lightning – 1 in 6,177,230
• Flood – 1 in 24,708,922
• Earthquake – 1 in 8,013,704
• Shot by firearm (assault) – 1 in 24,005
• Shot by firearm (self inflicted) – 1 in 17,440
• Some type of accidental trip or fall – 1 in 15,085
• War – 1 in 10,981,743

US National Safety Council – Injury Facts 2006: www.nsg.org
Example - Terrorism risk
• You are 12,571 times more likely to die from cancer than from a terrorist attack
• You are 11,000 times more likely to die in an airplane accident than from a terrorist plot involving an airplane
• You are 1048 times more likely to die from a car accident than from a terrorist attack
• You are 404 times more likely to die in a fall than from a terrorist attack
• You are 87 times more likely to drown than die in a terrorist attack
• You are 13 times more likely to die in a railway accident than from a terrorist attack
• You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack
• You are 9 times more likely to choke to death on your own vomit than die in a terrorist attack
• You are 8 times more likely to be killed by a police officer than by a terrorist
• You are 8 times more likely to die from accidental electrocution than from a terrorist attack
• You are 6 times more likely to die from hot weather than from a terrorist attack

Statistics from a 2004 National Safety Council report, the National Center for Health Statistics, the U.S. Census Bureau, and 2003 mortality data from the Center for Disease Control
Perceived Vs Actual Risk
• “Security is both a feeling and a reality – and they’re not the same” – Bruce Schneier: The Psychology of Security, 2008
• We’re getting close to the truth of this now; or at least a useful definition
• Million years of evolution
• Finely tuned reptilian brain; instant fight or flight decision, in-your-face risks
• Sabre tooth tigers, strangers entering camp. Crossing the road. Modern business?
• Initial stimulus for starting the cerebral risk management process is change
• And most changes involve a conscious decision. Note the word ‘conscious’
• So... if you’re not making a decision, there’s no trigger for the risk process
Why do we get it so wrong?
• People exaggerate spectacular but rare risks and downplay common risks.
• People have trouble estimating risks for anything not exactly like their normal situation.
• Personified risks are perceived to be greater than anonymous risks.
• People underestimate risks they willingly take and overestimate risks in situations they can’t control.
• Last, people overestimate risks that are being talked about and remain an object of public scrutiny.
• David Ropeik and George Gray have a longer list in their book “Risk: A Practical Guide for Deciding What’s Really Safe and What’s Really Dangerous in the World Around You”
Emotional responses to risk
• People focus on the emotionally perceived severity of the outcome, rather than on its likelihood
• Example: since 9/11 the western world has been preoccupied with terrorism
  – US Homeland Security expenditure since 9/11 exceeds 1 trillion dollars
  – We live under increasing surveillance & security controls / restrictions
  – Policy is shaped by focusing on worst-case scenarios
  – Former Sec of Homeland Security Tom Ridge admits he was pressured to raise terror alerts to help Bush win re-election
• In the months after 9/11, so many people chose to drive instead of fly that the resulting deaths dwarfed the deaths from the terrorist attack itself, because cars are much more dangerous than airplanes.
No personal risk…
Fact: 1 in 5 employees have personally provisioned a cloud service without IT’s knowledge [1]
– 61% say it’s easier to provision cloud services themselves
– 50% report it takes too long to go through IT
– 27% admit their company’s policy actually prohibits the cloud services they want
– While 60% say they have corporate policies in place that prohibit such actions, respondents say there are no real deterrents for purchasing cloud services by stealth.
– In fact, 29% report no ramifications whatsoever & another 48% say it’s little more than a warning.
– Biggest issue is that ¼ of execs don’t have open communication with the depts & business unit leaders that may be provisioning their own cloud services.
– Enter “cloud sprawl” – the unmanaged spread of public cloud services inside the enterprise.

[1] Avanade global survey 2011 ¦ 573 C-level execs, BU leaders & IT decision-makers in 18 countries
The Psychology of Why We Don’t Comply
“The simple truth is that people are motivated for their own reasons, not ours"
WIIFM – world’s most listened to station
• We all listen to it – all the time (you are probably doing it right now)
• When we are asked to do something – What’s In It For Me?
• Where there is an obvious potential benefit-to-self: it’s an easy decision
• Where there is no obvious benefit: avoid, put off, refuse, circumvent, argue
  – Result: introduction of penalties for non-compliance (reinforces negative perceptions)
• Human brain is bad at processing negative concepts
  – DON’T THINK OF DANCING BLUE FROGS!!!
  – The DON’T instruction can only be processed after you’ve thought of dancing blue frogs!
  – Tell a child “Mind you don’t spill that glass!”…then 2 minutes later…
• Our security policies and mission are linguistically full of don’t(s) and negative consequences
Motivation
What motivates people to do or not do certain things?
– All of humankind can be divided into two motivational groupings:
  1. People who are primarily motivated by staying away from certain situations and things; and
  2. Those who are primarily motivated to move towards certain situations and things.

Note: towards-motivated people tend to have a lower perception of, and a higher tolerance for, risk
– Many of us in security and risk management will be of the away-from motivated type: e.g. “we need to avoid that happening, therefore we need to do x”. An away-from employee might be thinking more about not getting fired, rather than being attracted by future success.
Linguistic signals
Towards-motivated types use words such as: accomplish, attain, obtain, get, achieve, rewards, growth, goals, aim, expand, targets.
Away-from motivated types use words like: security, risk, avoid, steer clear of, prevent, eliminate, solve, fix, get rid of, prohibit.

University of Austin Texas – Information Security Office Mission Statement
• “The mission of the Information Security Office (ISO), as required by state law, is to assure the security of the university's Information Technology (IT) resources and the existence of a safe computing environment in which the university community can teach, learn, and conduct research. The ISO collaborates with campus IT leaders and university audit, compliance, and legal units to support the university's teaching, research, and public service missions”.

Toronto Marketing Group Mission Statement
• “It’s simple: we aim to be the best and we want to expand globally. We will achieve this with an impeccable reputation and perfect track record for success in winning client satisfaction”.
• “We are targeted with opening the 20 biggest markets in Canada in the next 2 years. Our goal is to have 1000 associates in our company and to have 50 affiliated marketing companies that will run our campaigns and locations. We will be working with Clients in Finance, Telecoms, Business Services, Charities, Cosmetics, Property, Music…”

Challenge: Couldn’t you rewrite this to read more like this?
Internal vs External (locus of responsibility)
• People who assess their performance via their own internal standards/beliefs, or
• Through information/feedback from external sources
  – Internal: own internal standards & beliefs, make own judgements on their work. Don’t accept outside direction & ideas. Don’t give or accept feedback, may be difficult to supervise.
  – External: like being managed & receiving outside direction & feedback. Need to be externally motivated and to know how well they are doing.
• Internal types motivated by: “I need your opinion”, “help us decide”
• External types motivated by: “others will think highly of you if..”, “you will receive recognition”, “according to the experts..”
  – Unmasking question: “How do you know if you have done a good job?”
Options vs Procedures
• Options: this group likes to do things another way. Like bending/breaking the rules. Start projects but don’t finish them. Explore new possibilities.
  – typical roles: fashion designer, inventor, process re-engineering
or
• Procedures: this group needs to follow set rules/processes. More concerned with how to do something rather than why.
  – typical roles: bookkeeper, commercial airline pilot
• Options types motivated / influenced / identified by words such as:
  – opportunity, alternatives, break the rules, flexibility, variety, unlimited possibilities, expand your choices, options.
• Procedures types motivated / influenced / identified by words such as:
  – correct way, tried and tested, first ...then...lastly, proven path, set procedure, follow this to the letter.
Awareness isn’t working
“Hello”
“Yes?”
“Did you finish the security awareness training?”
“Yes”
“So are you aware now?”
“Yes”
“Ok – thank you. Goodbye”
Unfortunately my co-respondent has significant likelihood of being:
• Towards-motivated (blind to, and unmotivated by away-from concepts like risk)
• Internal (works to their own values & beliefs, doesn’t give feedback)
• Options (breaks or circumvents rules, doesn’t follow instructions, finds another way)
So yes, they may have done the course – but they probably won’t buy-in or comply with it
Conflicts with their own motivations, value system, modus operandi
“We need to address culture change at the level of people’s motivation and belief systems”
Workshop Group Session 1
Security on the Brain – Workshop Session 1

30 mins

• Warm-up Debate: Discuss and agree a list of 2 well-known celebrities
from the business world who you believe are Towards motivated, and 2
who you believe may be Away-From motivated – and why (5 mins)
• Write a Group Mission Statement for your virtual security team that will
gain senior management attention and support for your security
mission (15 mins)
• Statistically there will be a number of employees who have a Towards
Motivated + Internal + Options profile (!!). From what you’ve learned,
suggest ways of reaching out to and gaining buy-in from these people
(10 mins)
Dirty Tricks (not really)

Leveraging Psychology to Achieve Results
“Case Studies of What Actually Works”
"A Man convinced against his will is of the same
opinion still."
— Benjamin Franklin
I’m better than you!
• Online training & testing campaign – major insurer
• Final knowledge test – user informed of pass/fail result
• Usual user apathy/resistance
• Added personalised, printable pdf ‘diploma’ for successful pass
• Then… we added more information to the certificate!
• Specifically, the percentage pass score.
• 1000 staff rushed to take the test on the same day - and the testing server crashed!
• Eureka moment #1: People can’t help competing with each other
I wanna be first – certainly not last!
• Implemented security awareness & compliance system – user acceptance / tests
• Employees can see % progress
• Managers can see progress of their staff
• Useful improvement in levels of compliance: particularly as managers can view
• With towards-motivated vs away-from trait in mind: added benchmarking display (shows how each user is performing against the average of their peers)
• Eureka moment #2! Employees rushed to comply more than their colleagues.
• Effect of ‘ratcheting-up’ compliance to 100% within days
Divide & conquer: Psycho-linguistically
• Notice how some words seem to ‘work’ and others don’t?
• We’ve already seen how different words will register or appeal to different types (e.g. toward, away-from)
• We’ve also seen how certain job roles will attract personality types
• At the risk of generalising; appeal to those character types by role
• Select wording and values that work for particular character types
• Include motivators (positive & negative) and wording to best influence each personality type

Make Compliance Role-Based
– Word policies etc to appeal to specific character types
– Map character types to most likely roles

Add Role-Based Guidance
– Map guidance to mandates – use words that motivate that type
– Opportunity to make guidance more useful / understandable

Embed Motivators
– Results-driven incentives to comply, excel, achieve
– Risk-driven consequences for ‘do nothing’, ‘avoid’, ‘breach’
Surfing the Indignation
• Organisations don’t think about security incidents – until they have one!
• Management attention quickly subsides after cleaned up
– evidence from series of risk assessment workshops
– demonstrates phenomenon of short-term corporate memory…

• Use this small window of opportunity to get what you want
– pre-prepare projects, proposals, endorsements ready when window opens
– Incidents are great opportunity to improve processes, controls, culture
– I coined the phrase ‘Surfing the Indignation’ for increasing the profile of information security while management attention is still on the issue
Workshop Group Session 2
Security on the Brain – Workshop Session 2
30mins
• Group discussion point: In your respective organisations, where do you
believe your most influential target audience sits? (15mins)
– E.g. what group, function or person will you target with your key message
in order to:
• Gain the most powerful support, endorsement, backing, funding?
• Change the overall perception of your security team and its value?
• Achieve best possible communication (attention + acceptance) of your security
message across the organisation?
• Reach a good level of staff compliance with your policies/procedures across the
whole business

• Given our new insight into the differences between actual risks and
perceived ones, how will you improve the ways you measure, prioritise
and communicate risk awareness across the business? (15 mins)
Selling the Unsellable
“Lessons from other sectors”
Management attitudes (actual!)
• “We don’t measure or catalogue our risks, because then we’ll have to do
something about them”
• “We don’t have any security policies. Our staff don’t like them”
• “We perform hundreds of risk assessments a year and just store the
results”
• “We keep the results within the group. We don’t want senior
management on our backs if they saw how bad it is”
• “We have a well-used business impact assessment process,
unfortunately nearly all our systems appear in the red category so we
don’t have a means of deciding which ones are highest priority”

• “We’ve adjusted the risk process so it shows fewer things as critical”
Lessons from the Insurance industry
• Years ago Insurance was hard to sell. It was all doom and gloom, complicated and difficult to buy (sound familiar?)
• The landscape has changed: insurance is now a legal requirement if you drive & you cannot get a mortgage without it
• So now we sell the upside: faster to buy into, best price, visually entertaining, more options…
• So…perhaps we could learn something here?
Conclusions
• It’s people, not just technology, that need patching
• It’s a people problem & people fall into defined personality groups.
Understand what motivates and how to communicate with each type
• Use role-based policies and awareness as a means of targeting each
personality type with motivators tailored to that group

• Make security function ‘towards-motivated’ – not just ‘away-from’
motivated. Combine towards and away-from to maximum effect
• Get a neurolinguistic makeover – put a positive spin on your messages

• If you are selling fear – make it graphic and hard-hitting
• If you are selling a necessary chore – make it easier to buy into
• Ideally don’t sell either – sell benefits, cost savings, efficiency
Crisis – or Opportunity?

Weiji [way-jhee], modern Chinese for "crisis"

"The word ‘crisis’ is composed of two characters: one represents danger, and the other represents opportunity."
Final Thoughts
• Raise your horizons…
• Embrace the new opportunities…
• But hey – be careful out there!
Suggested Reading
adrian.wright@issa-uk.org
adrian.wright@secoda.com
44 (0)8456 4 27001
U.S. Centers for Disease Control Report

Keep in mind when reading this entire piece that we are consistently and substantially understating the risk of other causes of death as compared to terrorism, because we are comparing deaths from various causes within the United States against deaths from terrorism worldwide.

Surveillance Systems And Studies That Should Be...Surveillance Systems And Studies That Should Be...
Surveillance Systems And Studies That Should Be...Ann Johnson
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 
The Future of Advanced Analytics
The Future of Advanced AnalyticsThe Future of Advanced Analytics
The Future of Advanced AnalyticsHaystax Technology
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselCasey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counselbugcrowd
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...Casey Ellis
 
Journal of Physical Security 8(1)
Journal of Physical Security 8(1)Journal of Physical Security 8(1)
Journal of Physical Security 8(1)Roger Johnston
 
There Is A 90% Probability That Your Son Is Pregnant: Predicting The Future ...
There Is A 90% Probability That Your Son Is Pregnant:  Predicting The Future ...There Is A 90% Probability That Your Son Is Pregnant:  Predicting The Future ...
There Is A 90% Probability That Your Son Is Pregnant: Predicting The Future ...Health Catalyst
 

Similar a "Security on the Brain" Security & Risk Psychology Workshop Nov 2013 (20)

2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum
 
2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum
 
ISACA talk - cybersecurity and security culture
ISACA talk - cybersecurity and security cultureISACA talk - cybersecurity and security culture
ISACA talk - cybersecurity and security culture
 
Big Data and Next Generation Mental Health
Big Data and Next Generation Mental HealthBig Data and Next Generation Mental Health
Big Data and Next Generation Mental Health
 
Cybersecurity Risk Perception and Communication
Cybersecurity Risk Perception and CommunicationCybersecurity Risk Perception and Communication
Cybersecurity Risk Perception and Communication
 
Insider Threat Mitigation
 Insider Threat Mitigation Insider Threat Mitigation
Insider Threat Mitigation
 
Integrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution  i3SIntegrated Security, Safety and Surveillance Solution  i3S
Integrated Security, Safety and Surveillance Solution i3S
 
Ht t17
Ht t17Ht t17
Ht t17
 
Surveillance Systems And Studies That Should Be...
Surveillance Systems And Studies That Should Be...Surveillance Systems And Studies That Should Be...
Surveillance Systems And Studies That Should Be...
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
kmd_hst_201312
kmd_hst_201312kmd_hst_201312
kmd_hst_201312
 
The Future of Advanced Analytics
The Future of Advanced AnalyticsThe Future of Advanced Analytics
The Future of Advanced Analytics
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Security Awareness Training Summary
Security Awareness Training SummarySecurity Awareness Training Summary
Security Awareness Training Summary
 
Sem 001 sem-001
Sem 001 sem-001Sem 001 sem-001
Sem 001 sem-001
 
whistle blowing.
whistle blowing.whistle blowing.
whistle blowing.
 
Journal of Physical Security 8(1)
Journal of Physical Security 8(1)Journal of Physical Security 8(1)
Journal of Physical Security 8(1)
 
There Is A 90% Probability That Your Son Is Pregnant: Predicting The Future ...
There Is A 90% Probability That Your Son Is Pregnant:  Predicting The Future ...There Is A 90% Probability That Your Son Is Pregnant:  Predicting The Future ...
There Is A 90% Probability That Your Son Is Pregnant: Predicting The Future ...
 

Último

Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperityhemanthkumar470700
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876dlhescort
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentationuneakwhite
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...daisycvs
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...lizamodels9
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Centuryrwgiffor
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noidadlhescort
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...amitlee9823
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 

Último (20)

Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 

"Security on the Brain" Security & Risk Psychology Workshop Nov 2013

1. Security on the Brain
Using Human Psychology to Achieve Compliance
ISSA-UK Transport Security Expo Workshop 2013
Adrian Wright, CEO Secoda Risk Management, Board & VP Research ISSA-UK

2. Human Psychology in Risk & Security
1 Risk Factors presentation – 10:00
2 Workshop 1 – group exercise – 10:30
3 Compliance Factors presentation – 11:00
4 Workshop 2 – group exercise – 11:30
5 Debate and closing remarks – 12:00

3. How I arrived here
• 20 years in IT Risk and Security – trying to make people aware and compliant
• CISO Reuters 9 years: 17,000 staff, 250,000 systems, 142 countries
• Observed that some strategies work – and many that don’t…
• Like penicillin, some successes are discovered by accident
• Follow-up research with security associations and CISO surveys
• Incorporated useful NLP & psychology strategies
• This is the story so far, and proven strategies shown to actually work…

4. It’s all about people
• Need for security never been greater
  – Critically dependent on information
  – Mandated by regulators, PCI, customers
  – No fallback option
  – Threats, vulnerabilities & losses growing
• Easy to convince ourselves it’s a tech issue
  – Encryption, DLP, pen testing, patching will fix it?
  – Hackers & fraudsters
  – Investment in tech security measures growing
• Information security just isn’t sexy
  – Especially the non-tech HR-sounding bits…
  – It’s all doom and gloom
  – It’s a cost centre, not a profit centre
  – Gets in the way of business progress
• We’ve become used to all the problems
  – News full of breach stories every day
  – Post PRISM the bar is permanently lowered…
  – "If we once accept the unacceptable, the unacceptable becomes the norm"
“We struggle with getting management and staff to accept that their behaviour must be modified in order to improve security practices.” [Security Survey Respondent, Manufacturing industry, Western Europe]

5. Causes of data loss breaches
DataLossDB.org – http://datalossdb.org/statistics
6. Most from non-technical errors
[Chart: data loss breaches by cause, grouped as Non-technical breach, Fraud, Technical breach and Unknown. Totals as extracted: Non-technical 58%, Fraud 9%, Technical 29%, Unknown 4%. Individual causes legible in the chart: Stolen laptop 19%, Stolen computer 16%, Web 12%, Hacking 7%, Lost laptop 4%, Email 4%, Lost media 3%, Stolen document 3%, Stolen media 2%, Lost document 2%, Lost tape 2%, Lost drive 1%, Stolen drive 1%, Stolen tape 1%, Misc loss/disposal <1%; the Snail-mail, Document disposal, Virus and Fraud sub-category figures are not legible.]
Nearly 60% of losses due to procedural error, carelessness, failure to adhere to policies etc.
7. Human Perceptions of Risk
“Security is both a feeling and a reality. And they’re not the same” – Bruce Schneier

8. How well do we assess risk?
National Safety Council – whole USA statistical averages. One year odds of dying (USA) as a direct result of:
• Air / space transport accident – 1 in 502,554
• Automobile incident – driver/occupant – 1 in 20,331
• Automobile incident – pedestrian – 1 in 48,816
• Hit by lightning – 1 in 6,177,230
• Flood – 1 in 24,708,922
• Earthquake – 1 in 8,013,704
• Shot by firearm (assault) – 1 in 24,005
• Shot by firearm (self inflicted) – 1 in 17,440
• Some type of accidental trip or fall – 1 in 15,085
• War – 1 in 10,981,743
US National Safety Council – Injury Facts 2006: www.nsg.org

9. Example – Terrorism risk
• You are 12,571 times more likely to die from cancer than from a terrorist attack
• You are 11,000 times more likely to die in an airplane accident than from a terrorist plot involving an airplane
• You are 1,048 times more likely to die from a car accident than from a terrorist attack
• You are 404 times more likely to die in a fall than from a terrorist attack
• You are 87 times more likely to drown than die in a terrorist attack
• You are 13 times more likely to die in a railway accident than from a terrorist attack
• You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack
• You are 9 times more likely to choke to death on your own vomit than die in a terrorist attack
• You are 8 times more likely to be killed by a police officer than by a terrorist
• You are 8 times more likely to die from accidental electrocution than from a terrorist attack
• You are 6 times more likely to die from hot weather than from a terrorist attack
Statistics from a 2004 National Safety Council report, the National Center for Health Statistics, the U.S. Census Bureau, and 2003 mortality data from the Center for Disease Control

10. Perceived vs Actual Risk
• “Security is both a feeling and a reality – and they’re not the same” – Bruce Schneier: The Psychology of Security, 2008
• We’re getting close to the truth of this now; or at least a useful definition
• Million years of evolution
• Finely tuned reptilian brain; instant fight or flight decision, in-your-face risks
• Sabre tooth tigers, strangers entering camp. Crossing the road. Modern business?
• Initial stimulus for starting the cerebral risk management process is change
• And most changes involve a conscious decision. Note the word ‘conscious’
• So... if you’re not making a decision, there’s no trigger for the risk process

11. Why do we get it so wrong?
• People exaggerate spectacular but rare risks and downplay common risks.
• People have trouble estimating risks for anything not exactly like their normal situation.
• Personified risks are perceived to be greater than anonymous risks.
• People underestimate risks they willingly take and overestimate risks in situations they can’t control.
• Last, people overestimate risks that are being talked about and remain an object of public scrutiny.
• David Ropeik and George Gray have a longer list in their book “Risk: A Practical Guide for Deciding What’s Really Safe and What’s Really Dangerous in the World Around You”

12. Emotional responses to risk
• People focus on the emotionally perceived severity of the outcome, rather than on its likelihood
• Example: since 9/11 the western world has been preoccupied with terrorism
  – US Homeland Security expenditure since 9/11 exceeds 1 trillion dollars
  – We live under increasing surveillance & security controls / restrictions
  – Policy is shaped by focusing on worst-case scenarios
  – Former Sec of Homeland Security Tom Ridge admits he was pressured to raise terror alerts to help Bush win re-election
• In the months after 9/11, so many people chose to drive instead of fly that the resulting deaths dwarfed the deaths from the terrorist attack itself, because cars are much more dangerous than airplanes.

13. No personal risk…
Fact: 1 in 5 employees have personally provisioned a cloud service without IT’s knowledge [1]
  – 61% say it’s easier to provision cloud services themselves
  – 50% report it takes too long to go through IT
  – 27% admit their company’s policy actually prohibits the cloud services they want
  – While 60% say they have corporate policies in place that prohibit such actions, respondents say there are no real deterrents for purchasing cloud services by stealth.
  – In fact, 29% report no ramifications whatsoever & another 48% say it’s little more than a warning.
  – Biggest issue is that ¼ of execs don’t have open communication with the depts & business unit leaders that may be provisioning their own cloud services.
  – Enter “cloud sprawl” – the unmanaged spread of public cloud services inside the enterprise.
[1] Avanade global survey 2011 | 573 C-level execs, BU leaders & IT decision-makers in 18 countries

14. The Psychology of Why We Don’t Comply
“The simple truth is that people are motivated for their own reasons, not ours"
15. WIIFM – world’s most listened to station
• We all listen to it – all the time (you are probably doing it right now)
• When we are asked to do something – What’s In It For Me?
• Where there is an obvious potential benefit-to-self: it’s an easy decision
• Where there is no obvious benefit: avoid, put off, refuse, circumvent, argue
  – Result: introduction of penalties for non-compliance (reinforces negative perceptions)
• The human brain is bad at processing negative concepts
  – DON’T THINK OF DANCING BLUE FROGS!!!
  – The DON’T instruction can only be processed after you’ve thought of dancing blue frogs!
  – Tell a child “Mind you don’t spill that glass!”… then 2 minutes later…
• Our security policies and mission are linguistically full of don’t(s) and negative consequences

16. Motivation
What motivates people to do or not do certain things?
  – All of humankind can be divided into two motivational groupings:
    1. People who are primarily motivated by staying away from certain situations and things; and
    2. Those who are primarily motivated to move towards certain situations and things.
    Note: towards-motivated tend to have a lower perception of and high tolerance to risk
  – Many of us in security and risk management will be of the away-from motivated type: e.g. “we need to avoid that happening, therefore we need to do x”. An away-from employee might be thinking more about not getting fired, rather than being attracted by future success.

17. Linguistic signals
Towards-motivated types use words such as: accomplish, attain, obtain, get, achieve, rewards, growth, goals, aim, expand, targets.
Away-from motivated use words like: security, risk, avoid, steer clear of, prevent, eliminate, solve, fix, get rid of, prohibit.
University of Austin Texas Information Security Office Mission Statement
• “The mission of the Information Security Office (ISO), as required by state law, is to assure the security of the university's Information Technology (IT) resources and the existence of a safe computing environment in which the university community can teach, learn, and conduct research. The ISO collaborates with campus IT leaders and university audit, compliance, and legal units to support the university's teaching, research, and public service missions”.
Toronto Marketing Group Mission Statement
• “It’s simple: we aim to be the best and we want to expand globally. We will achieve this with an impeccable reputation and perfect track record for success in winning client satisfaction”.
• “We are targeted with opening the 20 biggest markets in Canada in the next 2 years. Our goal is to have 1000 associates in our company and to have 50 affiliated marketing companies that will run our campaigns and locations. We will be working with Clients in Finance, Telecoms, Business Services, Charities, Cosmetics, Property, Music…”
Challenge: Couldn’t you rewrite the first to read more like the second?

18. Internal vs External (locus of responsibility)
• People who assess their performance via their own internal standards/beliefs, or
• Through information/feedback from external sources
  – Internal: own internal standards & beliefs, make own judgements on their work. Don’t accept outside direction & ideas. Don’t give or accept feedback, may be difficult to supervise.
  – External: like being managed & receiving outside direction & feedback. Need to be externally motivated and to know how well they are doing.
• Internal types motivated by: “I need your opinion”, “help us decide”
• External types motivated by: “others will think highly of you if..”, “you will receive recognition”, “according to the experts..”
  – Unmasking question: “How do you know if you have done a good job?”

19. Options vs Procedures
• Options: this group likes to do things another way. Like bending/breaking the rules. Start projects but don’t finish them. Explore new possibilities.
  – typical roles: fashion designer, inventor, process re-engineering
or
• Procedures: this group need to follow set rules/processes. More concerned with how to do something rather than why.
  – typical roles: bookkeeper, commercial airline pilot
• Options types motivated / influenced / identified by words such as:
  – opportunity, alternatives, break the rules, flexibility, variety, unlimited possibilities, expand your choices, options.
• Procedures types motivated / influenced / identified by words such as:
  – correct way, tried and tested, first... then... lastly, proven path, set procedure, follow this to the letter.

20. Awareness isn’t working
“Hello”
“Yes?”
“Did you finish the security awareness training?”
“Yes”
“So are you aware now?”
“Yes”
“Ok – thank you. Goodbye”
Unfortunately my co-respondent has a significant likelihood of being:
• Towards-motivated (blind to, and unmotivated by, away-from concepts like risk)
• Internal (works to their own values & beliefs, doesn’t give feedback)
• Options (breaks or circumvents rules, doesn’t follow instructions, finds another way)
So yes, they may have done the course – but they probably won’t buy in to or comply with it. It conflicts with their own motivations, value system, modus operandi.
“We need to address culture change at the level of people’s motivation and belief systems”

21. Workshop Group Session 1
Security on the Brain – Workshop Session 1 (30 mins)
• Warm-up Debate: Discuss and agree a list of 2 well-known celebrities from the business world who you believe are Towards motivated, and 2 who you believe may be Away-From motivated – and why (5 mins)
• Write a Group Mission Statement for your virtual security team that will gain senior management attention and support for your security mission (15 mins)
• Statistically there will be a number of employees who have a Towards Motivated + Internal + Options profile (!!). From what you’ve learned, suggest ways of reaching out to and gaining buy-in from these people (10 mins)
  • 22. Dirty Tricks (not really) Leveraging Psychology to Achieve Results “Case Studies of What Actually Works” "A Man convinced against his will is of the same opinion still." — Benjamin Franklin
  • 23. I’m better than you! • • • • • • • • Online training & testing campaign – major insurer Final knowledge test – user informed of pass/fail result Usual user apathy/resistance Added personalised, printable pdf ‘diploma’ for successful pass Then… we added more information to the certificate! Specifically, the percentage pass score. 1000 staff rushed to take the test on the same day - and the testing server crashed! Eureka moment #1: People can’t help competing with each other
  • 24. I wanna be first – certainly not last! • • • Implemented security awareness & compliance system – user acceptance / tests Employees can see % progress Managers can see progress of their staff • • Useful improvement in levels of compliance: particularly as managers can view With towards-motivated Vs away-from trait in mind: added benchmarking display (shows how each user is performing against average of their peers) • • Eureka moment #2! Employees rushed to comply more than their colleagues. Effect of ‘ratcheting-up’ compliance to 100% within days
  • 25. Divide & conquer: Psycho-linguistically • • • • • • Notice how some words seem to ‘work’ and others don’t? We’ve already seen how different words will register or appeal to different types (e.g. toward, away-from) We’ve also seen how certain job roles will attract personality types At the risk of generalising; appeal to those character types by role Select wording and values that work for particular character types Include motivators (positive & negative) and word to best influence each personality type Make Compliance Role-Based Word policies etc to appeal to specific char types Map char types to most likely roles Add Role-Based Guidance Map guidance to mandates – use words that motivate that type Opportunity to make guidance more useful / understandable Embed Motivators Results-driven incentives to comply, excel, achieve Risk-driven consequences for ‘do nothing’, ‘avoid’, ‘breach’
  • 26. Surfing the Indignation
    • Organisations don’t think about security incidents – until they have one!
    • Management attention quickly subsides once the incident is cleaned up
      – Evidence from a series of risk assessment workshops demonstrates the phenomenon of short-term corporate memory…
    • Use this small window of opportunity to get what you want
      – Pre-prepare projects, proposals and endorsements so they are ready when the window opens
      – Incidents are a great opportunity to improve processes, controls and culture
      – I coined the phrase ‘Surfing the Indignation’ for increasing the profile of information security while management attention is still on the issue
  • 27. Workshop Group Session 2 – Security on the Brain (30 mins)
    • Group discussion point: in your respective organisations, where do you believe your most influential target audience sits? (15 mins)
      – e.g. what group, function or person will you target with your key message in order to:
        • Gain the most powerful support, endorsement, backing, funding?
        • Change the overall perception of your security team and its value?
        • Achieve the best possible communication (attention + acceptance) of your security message across the organisation?
        • Reach a good level of staff compliance with your policies/procedures across the whole business?
    • Given our new insight into the differences between actual risks and perceived ones, how will you improve the ways you measure, prioritise and communicate risk awareness across the business? (15 mins)
  • 28. Selling the Unsellable “Lessons from other sectors”
  • 29. Management attitudes (actual!)
    • “We don’t measure or catalogue our risks, because then we’ll have to do something about them”
    • “We don’t have any security policies. Our staff don’t like them”
    • “We perform hundreds of risk assessments a year and just store the results”
    • “We keep the results within the group. We don’t want senior management on our backs if they saw how bad it is”
    • “We have a well-used business impact assessment process; unfortunately nearly all our systems appear in the red category, so we don’t have a means of deciding which ones are highest priority”
    • “We’ve adjusted the risk process so it shows fewer things as critical”
  • 30. Lessons from the insurance industry
    • Years ago insurance was hard to sell: all doom and gloom, complicated and difficult to buy (sound familiar?)
    • The landscape has changed: insurance is now a legal requirement if you drive, and you cannot get a mortgage without it
    • So now the industry sells the upside: faster to buy into, best price, visually entertaining, more options…
    • So… perhaps we could learn something here?
  • 31. Conclusions
    • It’s people, not just technology, that need patching
    • It’s a people problem, and people fall into defined personality groups: understand what motivates each type and how to communicate with it
    • Use role-based policies and awareness as a means of targeting each personality type with motivators tailored to that group
    • Make the security function ‘towards-motivated’, not just ‘away-from’ motivated; combine towards and away-from for maximum effect
    • Get a neuro-linguistic makeover: put a positive spin on your messages
    • If you are selling fear, make it graphic and hard-hitting
    • If you are selling a necessary chore, make it easier to buy into
    • Ideally don’t sell either: sell benefits, cost savings, efficiency
  • 32. Crisis – or opportunity?
    Wēijī [way-jee], modern Chinese for “crisis”
    “The word ‘crisis’ is composed of two characters: one represents danger, and the other represents opportunity.”
    (A popular reading; sinologists note the second character, jī, is closer to ‘crucial point’ than ‘opportunity’. The rhetorical point stands: an incident is the moment when change is possible.)
  • 33. Final Thoughts
    • Raise your horizons…
    • Embrace the new opportunities…
    • But hey – be careful out there!
  • 36. U.S. Centers for Disease Control report
    “Keep in mind when reading this entire piece that we are consistently and substantially understating the risk of other causes of death as compared to terrorism, because we are comparing deaths from various causes within the United States against deaths from terrorism worldwide.”