Now, more than ever, it is important for organizations to embrace a new approach to security awareness training. In this presentation, we present a new field of "Psychological Security" to update the way people are trained to recognize technological manipulation.

1. Psychological Security
Introduction to the emerging field of PsySec.

2. Presented by:
Zachary Eikenberry
CEO & CoFounder of Hook Security Inc;
world’s first PsySec company.

3. First things first. The vast majority of
human history, security
dealt with physical
security. (PhySec)
● Guards
● Gates
● Guns

4. Let’s set this up one step further.
Computers + Internet =
Information Security (InfoSec)

5. 70+ InfoSec Areas
Cyber Security Product Categories (in alphabetical order) / Application Control Application Security Testing / Authentication (User Authentication,
Biometric Authentication and PKI) / Automotive Cyber Security / Behavior Analytics (User and Entity) / Big Data Security / Browser Security (Secure
Virtual Browser and Remote Browser) / Cloud Access Security Broker / Cloud Security / Compliance Management / Container Security / Maneuver
(Network Masking) / Cyber Threat Hunting / Data Discovery / Data Loss (Leakage) Prevention (DLP) / Data Masking / Data Security / Data-at-Rest
Encryption / Data-in-Motion/Transit (Network) Encryption and VPN / Database Security / DDoS Protection / Deception-Based Security / Digital
Forensic Investigation and Computer Forensics / Digital Rights Management / Digital Risk Monitoring / Embedded Security /Endpoint Protection
and Anti-virus / Endpoint Threat Detection and Response /File Content Security / Firewall Configuration and Management / Fraud Prevention /
Governance/Compliance Management / Hypervisor Security / Identity and Access Management / Identity Theft Detection / Industrial Security
(ICS/SCADA Security) / Internet of Things (IoT) Security / Intrusion Prevention Systems (and Intrusion Detection Systems) / Malware Detection and
Analysis / Managed Security Service Providers / Messaging Security / Mobile Data Protection / Mobile Device Management / Network Access
Control / Network Behavior Analysis and Anomaly Detection / Network Firewall (includes Next Generation Firewalls) / Network Monitoring and
Forensics / Password Manager / Patch Configuration and Management / Penetration Testing / Pervasive Trust Services / Risk and Compliance
Management / Risk and Vulnerability Assessment/ Secure File Transfer / Secure Web Gateway / Security Configuration Management / Security
Incident Management and Response / Security Information and Event Management (and Log Management) / Security Operations Automation and
Orchestration / Security Rating / Security Training Software / Specialized Threat Analysis and Protection / SSL and Digital Certificate Authority and
Management / Threat Intelligence and Signature Feeds / Transport Access Control / Trusted Computing, Cross Domain / Security and Multi Level
Security / Unified Threat Management

6. What if?
Computers People

7. Furthermore,
What if?
Computers Brains

8. What is a “field?”

9. New Fields are
often a Synthesis;
combining 2
distinct knowledge
domains.
Old Field +
New Knowledge
Insights =
A New Synthetic Field

10. What are some of the
latest psychological
insights that could lead to
a new field?

11. A brief listing of scientific phenomena.
Blindsight: The “unconscious” ability to see once a
person becomes blind.
Serial Position Effect: The ability to only recall the
first and last thing is a list of 4 or more items.
Fundamental Attribution Error: The inability to
describe another’s behavior from one’s own
personal characteristics.
McGurk Effect: When someone watches a dubbed
video different from the voice, so that the audience
makes up a new third understanding of the
presentation.
Apophenia (Patternicity / Agenticity): The
phenomena of recognizing patterns in chaos or
assumptions of patterns.
Template Matching Patterns: The foremost going
theory that we only recognized patterns based upon
inherited narratives or previous experience.

12. Multiple Brains:
Multiple
Theories
One Thousand Brains:
The multi-processes for object
recognition to determine against
a series of other objects.

13. What if InfoSec solutions
are training the wrong
part of the brain?

14. Cognitive
Security: CogSec
High Resolution work and
training engaging the deals with
increasing complexity and
multiple variables.
This is where security
professionals live and learn.
Example: This presentation.

15. PsySec
Focused on the ability for
individuals to recognize and
respond to security threats and
manipulation.

16. An early PsySec Manifesto
1. Psychographics > Demographics
2. Culture eats compliance for breakfast.
3. Feedback, Feedback, Feedback
4. Security is too important to take
seriously.
5. Stories Matter.
6. Brains are not computers.
7. Don’t make it easy a.k.a. Build
games.

17. Psychographics. Training should be based
upon your people’s
interests, opinions,
conceptual focus, and
motivations.
*Not synonymous with
Myers-Briggs, DISC,
Strengthsfinder, or Enneagram.*

18. Culture. Training should be owned
by all levels of the
organizations and
unconscious by every
member.
*Yes, this means security lives in
the mission and vision of all
organizational levels.*

19. Feedback. Training should include
feedback and multiple and
ongoing reinforcement.
*The greater the distance between
training and reinforcement
diminishes the training’s
effectiveness.*

20. Importance. Training should be
self-aware, own its faults,
and disarming
(non-punitive).
*Seriousness and fear-based
training counteracts effective
training recognition.*

21. Stories. Training should be based
upon narrative structures
and mirror best practice
content delivery.
*Think memes, YouTube, Netflix,
and widely (not critic) acclaimed
content. Also, think game-based
narratives and stories like Candy
Crush or Angry Birds.*

22. Brains. Training should be aimed
to engage the subcognitive
elements.
*Security folks see and experience
the world differently; do not select
or endorse training that is effective
for you or you prefer without larger
considerations. *

23. Ease. Training should be
challenging and aim at
growth.
*All purpose of training is lost if
becomes a theatrical act by
members if there is experience
discontinuity between professed
importance and challenge.*

24. This is only the beginning.
Will you build with us?

25. #psysec

26. Contact Us For more information, please contact
us at:
hello@hooksecurity.co
Or follow us on LinkedIn:
https://www.linkedin.com/company/
hooksecurity/