diff --git a/content/sessions/2023/mini-summits/Apr/Governance/Behaviour-Change-and-Awareness.md b/content/sessions/2023/mini-summits/Apr/Governance/Behaviour-Change-and-Awareness.md
index 9f7609e8e70d..f602096801f4 100644
--- a/content/sessions/2023/mini-summits/Apr/Governance/Behaviour-Change-and-Awareness.md
+++ b/content/sessions/2023/mini-summits/Apr/Governance/Behaviour-Change-and-Awareness.md
@@ -26,6 +26,934 @@ zoom_link    : https://us06web.zoom.us/meeting/register/tZIud-mprD0vE9xWCJLSzFi8
 ---
 
 
-## About this session
+## Session Transcript:
+
+Dinis Cruz - 00:00
+Hi, welcome to this open Security seminar session in April 2023 and we're
+going to have a very cool panel around behaviour change and awareness.
+It's definitely a topic that I'm quite passionate about. I think there's a lot
+of things that are related to it and a lot of activities that we can do that
+make a big difference. So I'm Dennis Cruz. I'm the chief scientist of glass.
+All I'm also the CEO of Holland Barrett, and I think it's about creating a
+system and then everything tends to fall into place with it, but also the
+reaction and the response element of it. I'm looking forward to explore
+maybe tim, over to you.
+
+Tim Ward - 00:40
+Yeah. My name is Danusia Rolewicz and I specialize in human factors, risk
+analysis and management, and particularly security awareness and culture
+change. I suppose our whole business is all about trying to take a more
+behavioral approach to security awareness and move us away from those
+traditional approaches where really it's just a bit of a tick box exercise,
+but we can come back to talk about that in a second.
+
+Danusia Rolewicz - 01:02
+My name is Donna Shara Levic and I specialize in human factors, risk
+analysis and management, and particularly security awareness and culture
+change. I am contracting at the moment around various organizations to
+improve security posture and security culture within the organization,
+most recently Apple. I've found that there is a shift in the industry at the
+moment towards more empowering and pathetic approaches towards
+staff, more employees, staff people rather than users. I think that's having
+a really positive effect. I think the more that we focus behaviour change
+and empowerment of staff rather than using that tired, weakest link
+expression, the further we can get really.
+
+Dinis Cruz - 02:03
+Cool. All right, so who wants to define what do you mean by behaviour
+change and awareness?
+
+Tim Ward - 02:11
+Pikey, do you want to go first and easier?
+
+Danusia Rolewicz - 02:17
+I think we all know what behaviors we want to change, right? There's a
+lot of talk about click rates, but really when you're looking at behavior
+change, you are also looking at the behavior and the dynamic within the
+company or the organization, like trust dynamics. Rather than focusing on
+things like click rates, you would try to empower your staff, foster a
+culture of trust within the company, where rather than focusing on the
+click rate, you focus on the reporting rate. You give the credit and
+celebrate the wins for those positive outcomes and for those achievements
+that often fall by the wayside. When you look at a traditional security
+audit and the metrics that go with that.
+
+Tim Ward - 03:08
+I agree with that completely. I think also just going back to your point
+about there being a shift, I think we've traditionally done security
+awareness training. It's just been a thing people did partly because they
+got that there's a human element and we have to help people know how to
+deal with the threats. Partly just because it became a compliance
+checkbox. If you step back and think about why you're actually bothering
+doing it, well, you go back to that kind of famous stat of 80, 90% of tax
+start with a human. If you actually want to reduce that risk, then
+awareness doesn't reduce the risk. It's just people are aware, great, well
+done. You've got to be trying to change behavior. You've got to be trying
+to build secure habits. It might be just reinforcing habits that are already
+taking place. I can see Janet just successfully come onto the call.
+
+Tim Ward - 04:03
+Because if you really want to reduce risk, then it does come down to
+different behaviors.
+
+Danusia Rolewicz - 04:10
+Yeah, that's right. I can see Jeanette's just successfully come onto the call.
+
+Janet Bonar Law - 04:17
+My sincere apologies. I am technologically incompetent and couldn't find
+the right setting in zoom. I lived my life in teams, so zoom is not familiar
+to me.
+
+Dinis Cruz - 04:34
+Just give me a quick intro, Jeanette, and then give us your views on
+behavioral change and awareness.
+
+Janet Bonar Law - 04:41
+Okay, so I work as a lead specialist in people's cyber risk management at
+the Coventry Building Society. We take a very broad view of what
+awareness is in the Coventry and we concentrate more on the end, which
+is that our function is to drive down risk through a secure behavior
+change. In order to do that, we'd like to think of ourselves more as human
+hackers. We try to get people to do the things that we want them to do by
+wanting to do them.
+
+Danusia Rolewicz - 05:25
+I think that's a really good point, Janet. I think if you make things easy
+and accessible for people, then you're more likely to get them doing what
+you want rather than taking a top down approach to controls and
+behaviors.
+
+Dinis Cruz - 05:45
+We can use science for this, right? Because there's already data that shows
+that, like you said, the more the users engage, the more you make sense to
+them, the more their behavior is safe, the better the outcomes, the better
+the return on investment that we have.
+
+Tim Ward - 06:03
+I think there's a kind of a self efficacy thing, isn't there? If you kind of help
+people then get better at things, then you get that kind of positive cycle. I
+mean, I think one of the interesting because once you're talking about
+behavior, it does make you go to the academic stuff and think about
+behavioral theories. One of the interesting one is protection motivation
+theory that has you thinking about how do you make a decision when it
+comes to dealing with risk. Part of that is around understanding the
+threat. That's the only bit we've tended to focus on as awareness
+practitioners in the past. The other bit is the coping, like, do we know
+what to do? Can we cope? I think that's the self efficacy bit. If we give
+people more information of how to cope with the problem. We don't
+necessarily have to scare them quite so much a bit, maybe, to help them
+understand the risk, but we should focus more on the coping, like giving
+them an easy action to do.
+
+Janet Bonar Law - 06:58
+Yeah.
+
+Danusia Rolewicz - 06:58
+Also on the communication side, I think I'm muted. Am I muted? No. Also
+on the communication side of things, to really communicate what's in it
+for them, rather than going in and saying, oh, well, we have this objective,
+we need to improve our posture by this or that statistic, how will this make
+your life easier? Why should you be doing this? I think a lot of security
+communication, forgets the why and also just the connection with people.
+
+Dinis Cruz - 07:40
+What I like about the word behavior is because ultimately what we want
+to create is a certain of behaviors in organizations. I'm also a big fan of
+taking incidents like P three S and P four S and elevating them to P ones.
+In fact, again, I was mentioning that the presentation before this one was
+really cool because the guy that presented it was showing really good
+examples of real world incidents who costed like from half a million to
+multimillion pounds to the companies. He was showing all the things that
+the attackers did. In a way, when you look at list, you see this is every one
+of them was a failure in behavior in the organization. Something should
+have detected that there should have been behaviors in the organization
+that are looking for this. They're paying attention that look for this. I like
+the word behavior because we can measure that and we can basically say,
+look, we want the organization to behave in a certain way and we want
+the organization to behave in ways that then allow us to do X-Y-Z.
+
+Dinis Cruz - 08:38
+When you look at the real world data that either backs up or not the
+behavior that you want.
+
+Danusia Rolewicz - 08:45
+I think it's interesting that you're saying a failure in behavior, Dennis,
+because like Tim mentioned earlier, the Gartners of the world talk about
+90% of incidents could be attributed to human failure. That I mean,
+humans are responsible for every point in the chain. It human failure to
+correctly configure a system? It human failure to perhaps misunderstand
+the culture of the organization and impose a policy or a procedure that's
+probably unrealistic? Or is it the end user inverted comments that failed?
+
+Tim Ward - 09:37
+Yeah, I think it's an interesting one, isn't it, of that kind of risk of getting
+into that blame, starting to talk about repeat offenders and things like
+that when it comes to clicking links. I suppose we should recognize that
+we are giving people computers with email that has links in and half the
+time we expect them to click them and sometimes we don't. So it needs a
+bit more thought. I suppose I like doing this point around measurability
+because I think that is quite important and that's if you are thinking about
+behavior so old traditional awareness, all you can really measure is have
+people done it or not? And you get a completion rate. It's like, well, what
+does that mean? That doesn't tell you anything. Obviously, measuring
+incidents is far too lagging an indicator. With behaviors, you can do things
+like that. You can get really observable ones.
+
+Tim Ward - 10:32
+One of the things we're trying to do with our piece of software red flags is
+to try and actually get right there and measure, well, how often are people
+doing things like plugging in a USB or uploading files? When you
+intervene, are you seeing that change? There are lots of ways to make this
+more measurable. As Deniser said earlier, start with reporting rates, not
+necessarily quick rates, because reporting is a really positive behavior. If
+you've got a culture where that's a high number, then you're really onto a
+winner. If not, start building up that as a focus.
+
+Danusia Rolewicz - 11:04
+If you have a Champions program or thinking of starting one, then there's
+all sorts of things that you can use to join up the dots to the reporting rate.
+How has this changed? How many people have become involved in
+Champions programs? How many meetings have there been? How many
+times have they discussed security with their team? Join up the dots of all
+of those metrics and you can get an idea of why there's been a change in
+reporting rates, for example, or other measurable behaviors.
+
+Janet Bonar Law - 11:44
+That's a really good point. This idea that we have incidents because of
+some kind of single point of failure and this hideous metaphor, which I
+loathe about being the weakest link. Humans are the weakest link. Well,
+that's not true. Humans exist in a whole ecosystem of vulnerabilities, some
+of which are behavioral, some of which are technical, some of which are
+cultural. It just so happens that in a particular incident, one step, because
+it is never a single point of failure, one set of events happened which
+highlighted weaknesses in the ecosystem. And we need to recognize that.
+
+Danusia Rolewicz - 12:32
+I think that's a really good point, Jeanette. I think just saying the word
+weakest link or failure or whatever equivalent thereof, it doesn't send the
+right message to the rest of the organization. Why would anyone want to
+think of themselves negatively? You would never engage anyone by telling
+them a negative thing about themselves. If we have that behavior
+ourselves, of using language like that within our team, then how likely is it
+that's going to be perpetuated? We're going to spread that message
+consciously or unconsciously through the organization and create apathy,
+really like, do we want to motivate or demotivate? Really discourage
+language is so powerful in that, isn't it?
+
+Dinis Cruz - 13:27
+I think I could be a little controversial. I would say that 99%, if not 95% of
+what we call human error are system errors, right? We put the human in a
+place that it can create a huge amount of problems in a way that you
+don't understand the side effects. So that's a system error, right.
+
+Tim Ward - 13:52
+I was going to say one of the quite important things when you start to take
+a behavioral approach is to think about what you're going to do with that.
+Because you could take a behavioral I mean, phishing simulations
+arguably are a behavioral approach, but they have a tendency to then
+result in a bit of a stick that says you failed, we're going to tell you off,
+thing. What you need to be doing is thinking about what that data can tell
+you. To your point, Dennis, it can tell you that your business process is
+putting people in a position where the only way they can meet the deadline
+the boss is set is I know, Gmail, and send something to their Gmail account
+at home. The behavioral data can give you really interesting insights. It
+does take a bit of a mental shift, I suppose, to think about what are you
+going to do with that information?
+
+Tim Ward - 14:36
+How are you going to take a more behavioral approach so that it just
+doesn't become a consequences culture where you're just telling people off
+when they do things wrong.
+
+Dinis Cruz - 14:44
+I think it's about what question you're asking, right? For me, I always
+think that the users should have common sense, right? They should really
+understand how to report things that they observe that are a bit weird and
+they should be rewarded by positive behavior, right? It means that in a
+way, you want over reporting, right? Because in an interesting way, over
+reporting is a side effect of your users actually thinking, oh, this is a bit
+weird. Oh, this is not very good. Right in the middle of it, there should be
+the real scenarios, but also it gives you good data. It allows you to
+understand, are you an organization that has a huge amount of problem
+with that kind of activities, or which division of your organization has lots
+of problems with phishing or abuse and what other divisions don't have,
+right? You can look it again at the incidents or the practices and see what
+do we have in place to prevent that?
+
+Dinis Cruz - 15:42
+I feel that again, I like the behavior because behavior allows us to look at
+incidents and going, why didn't we detect this here instead of there, right?
+Who saw this in all the activities and didn't raise an alarm bell that
+suddenly you only got raise an alarm bell because XYZ had happened,
+right? You can think about what technology you put in place and what
+solutions you put in place so that in a way, when something happens, you
+have immediate understanding and reaction about it because the user
+clicks on a link, the user doing an action, a stressed engineer doing
+something that makes a mistake. It's not at fault. We put the engineers in
+that location, right? We put users in that environment. They not at fault,
+right. They're just behaving if anything, we should be celebrating the other
+99% of the times that they saved, but they didn't do it.
+
+Dinis Cruz - 16:38
+Right. It's we have this thing where we force the users to drive a car down
+the mountain, right, with no rail guards at a crazy speed, and then we
+complain about the ones that fell over, right? Actually, actually you should
+be celebrating the ones that made it true. Right. Because we gave them a
+really dangerous environment to operate in.
+
+Tim Ward - 16:59
+It does raise some interesting questions about how you think about
+security. You can have that traditional approach. Well, everything's going
+to be really secure if you lock everything down and control it. That's
+perhaps quite an old fashioned approach to security, but that was the way
+things work. We can lock everything down, it'll be fine. Turn off the
+Internet, we'll all be secure. Actually, if you're starting to understand
+behaviors at the level you're talking about Dennis, then you can start to
+go, well, actually, these people over here, the way that they work, they
+could actually have more human based controls. They don't need to be
+locked down. We could just help them behaviorally and therefore your
+whole business could work. It could access these tools that will add to
+creativity rather than being that we're a bank, therefore we turn off the
+internet. We turn off everything.
+
+Tim Ward - 17:45
+They can't do their home stuff, they can't plug in USBs. Obviously that's
+going to have an impact on an organization getting talent to some degree.
+I think you can create quite an interesting kind of trade off and say, well,
+look, can we take a more behavioral approach? I think that's going to be
+hard for security. Some security professionals will find that kind of, well,
+hold on with this control. This is really black and white. It's really binary.
+They can either do it or they can't.
+
+Dinis Cruz - 18:08
+I think you need to work first. I think you need to add behavior and risk to
+it because they are very connected, right. It also you need to take into
+account the threat agents and in a way the regulatory compliance that you
+might exist. Right. But the threats are important. The threat agent is very
+important because the threat agent determines the level of risk that you
+have. If you're an environment that has highly sophisticated, super
+efficient, like they can act crazy fast, then yes, you probably need to have
+more security controls in place. Majority organizations, that's not where
+we are, right? Majority organizations is criminals, is vigilantes, people
+who disgruntled employees, even the users. Right. The biggest attacker
+when you track this properly that the company has is the company itself.
+We just don't call them cybersecurity incidents. Right, but the company
+itself will cause a lot of damage to itself.
+
+Tim Ward - 19:04
+Yes.
+
+Dinis Cruz - 19:06
+And that's all behavior. Right. It's all behavior because we put users in
+places that they can make a lot of those mistakes. And it's not even
+mistakes. It's almost a margin of error. Right. If you force a team to
+operate at a certain level of conditions, you will have, say, they operate
+well 90% of the time, okay, there's going to be 1% mistakes. That's it. You
+have to assume that is just almost the cost of that environment that you
+set up in place. Right. That your behavior there determines and your risk
+appetite determines what that percentage is.
+
+Tim Ward - 19:38
+Right, absolutely. I mean, I'd be interested in kind of Janet in your kind of
+world of commentary, kind of how you go about taking a behavioral
+approach. It about just walking through the risk register and saying,
+what's the behavioral perspective of all of these things? Where do you
+start?
+
+Janet Bonar Law - 19:58
+It's interesting, isn't it, that Dennis mentioned how risk and response to
+threats varies across various pieces of an organization. For that very
+reason, in the Coventry, we're moving to a more functionally aligned
+pattern of delivering security awareness for wanting a better word so that
+particularly high risk functions such as finance and the people team will
+have a dedicated awareness specialist who becomes almost part of the
+tribe. So it's like being a cultural anthropologist. You go in and you find
+out how people are working and what it is they need to be doing and what
+support we can put in to take away as much of the pain points as possible
+in process and technology and then whatever remains the residual risk we
+address through dialogue and behavior change.
+
+Tim Ward - 21:06
+Yeah, it's interesting because I think it does make you have to think and
+take a slightly different approach because for example, if you want good
+behaviors around passwords, then you could obviously be and obviously
+we focus quite a lot on nudging, but you could be intervening nudging,
+saying stuff around passwords. What are you going to tell them to do
+instead? If you haven't got a good thing like an action you want them to
+do, like you haven't got a password tool or a way of storing them, then
+what are you nudging towards? It's much easier to nudge towards a good
+behavior than just say, don't do that, without giving any guidance, well,
+what do you want me to do? It changes the way you have to think about
+things.
+
+Janet Bonar Law - 21:48
+I think it's interesting you talk about passwords because we have a
+particularly horrible password policy, which is super complex and no
+password manager to assist with that at all.
+
+Dinis Cruz - 22:03
+That's a good example of bad security. Right?
+
+Janet Bonar Law - 22:06
+Makes no sense. We have nothing to help. We have instead of a helpful
+password manager, we have a super strict password policy that if your
+password on audit quarterly is found not to be secure, you go on a very
+serious naughty list and miss disciplinary action. That is shocking and that
+needs to change.
+
+Dinis Cruz - 22:34
+I was in a very interesting meeting where I was saying that we should
+weaken our password policy if they had MFA. I was saying if you have
+MFA, then in a current setting environment we should have long password
+expiration dates and we should allow for weaker passwords compared to
+freaking crazy stuff, right? I'm not saying that you allow password one,
+but I'm saying that it's about saying the single most important thing to do
+in passwords today is multifactorification MFA.
+
+Danusia Rolewicz - 23:07
+That's like, how are you introducing MFA? How are you facilitating them
+to get on board with MFA? Because I was in a bank environment in
+another country and the procedure for customers to download the app
+and go through all of the motions to get that meant that I heard at least
+two different conversations where a customer had come in. It was quite
+open concept layout as well, on top of everything in the bank. I could hear
+two different people getting help from a clerk on how to set up their MFA,
+but in such a way that they were exposing data to anyone that could hear
+even a temporary password that the clerk suggested to them was
+everything was audible. You can have this really amazing secure app, but
+if people are going to find these workarounds and not be able to get on
+board and to download it and to get onto it.
+
+Dinis Cruz - 24:19
+Then it's worth not usable. Absolutely right. That scales more, right, in a
+way which actually takes to a point where you could only have behavior if
+it's usable. That's what I like about, again, the word behavior because
+you've all seen that picture of what's it called the gate, right? All the cars
+go around it, right? Because in a way to go around it, again, I like
+behavior because behavior you can answer why are we trying to do this?
+Right? Why we're trying to do this to protect the users. Actually, again,
+there's data that shows that sometimes if you make it more secure, it
+actually becomes less safe because people will you actually push users
+away. That's why I always talk about safety versus security. When I
+presented the boards, I said my job here is not to make to not to have
+incidents and not to be secure.
+
+Dinis Cruz - 25:18
+Our job is to be safe. And that's very different. Right. Going back, Tim, to
+your point, you can make a great secure system that's connected to
+anything, right? It might be very secure, but it's not very usable and it's
+not very safe. It doesn't meet the risk profile of the organization.
+
+Tim Ward - 25:35
+Your definition of safe is kind of secure and usable.
+
+Dinis Cruz - 25:39
+Well, I would say it's aligned to the business risk appetite. Right. There's a
+balance, right.
+
+Tim Ward - 25:44
+Appropriate security.
+
+Dinis Cruz - 25:47
+Here's the irony, right? If you live in a place where you have to have a
+house with 25 locks and a machine gun and a guard outside, I can argue
+that house has a lot of security. Right? There's a lot of security features on
+it. Right. But which one is safer? That one or a house that you can leave
+your door unlocked? Now remember that you can only leave your door
+unlocked if you're in an environment, in a neighborhood that is safe. And
+why is safe? Because there's a lot of other things that will do that from the
+geographical location, from the neighbors. There's a lot of other things
+that come into play, right, to allow you to leave your door unlocked and
+also the kind of attackers you have there. I think you have to balance who
+is attacking you, what's your requirements, why are you doing stuff, what
+assets you have that should determine the security and the implications of
+a compromise.
+
+Dinis Cruz - 26:39
+Clearly, if I have a pile of medical data and the pile of data is not really
+relevant, the security requirements should be very different. Even the
+definition of safety is very different from one to the other. Again, context
+and behavior matters, right?
+
+Tim Ward - 26:57
+Yeah. I think arguably some of that is taking that risk based approach,
+isn't it? Because even in ignoring behavior, I've been in organizations
+where they've just had these well, if it's got data, it's got to be encrypted.
+You're like, well, no, what's the threat? Like, what different data has
+different kind of requirements? The saying comes down to where people
+are involved, I suppose, is just thinking about what's the risk profile and
+what behaviors are the ones that we want to see. You get into the whole
+world of, okay, and then how do you get those behaviors? How do you
+help change and steer people to work in those ways?
+
+Dinis Cruz - 27:39
+Can we now then move to the second word, which I really like, or third
+actually, which is awareness. And I would just throw this. I think
+awareness by the users is also crazy important. Sometimes we try to get
+awareness by scaring, which is not always the right way to do it. I think
+once the users understand what they're dealing with, they actually tend to
+be very protective and they actually tend to do the right thing in how they
+operate.
+
+Tim Ward - 28:09
+Yeah, I suppose we quite often go back to BJ Fogg's model in this because
+from a behavior perspective and that has in it that element of motivation.
+BJ Fox says that any behavior has got a bit of motivation, a bit of ability,
+but also some prompt or trigger to act and obviously the tools around you
+give you the ability bit and your knowledge. Also you've got to have that
+motivation and some of that I think comes from the awareness you're
+talking about, didn't it? You've got to help people understand that yes, this
+is a threat and that it's relevant because if they don't have that motivation
+they're not going to necessarily act. Slightly counter that you've also got
+to expect that quite often people aren't going to act securely because
+they're busy, they've got other things to do. Therefore when it comes
+behaviour change and want to work as hard as you can to make the
+easiest behavior the one you want and that's a great example when it
+comes to passwords, how hard are you going to make?
+
+Danusia Rolewicz - 29:15
+Yeah, and equally I think going back to what you were saying Dennis,
+about scaring them, I don't think it's ever really the right way. Fear,
+uncertainty, doubt, FUD or EPPM, these are strategies that we can see
+being exploited historically in marketing or by social engineers. Really,
+why not focus more on the positive empowerment? We're pre programmed
+to react to positive prompts more. Again, creating security messaging,
+creating programs where we can talk and involve people and give them a
+feeling of shared responsibility because it's their choice to get involved.
+Once they have the buy in of being involved in for example, a Champions
+program, then that buy in, that investment that they've made, they're not
+just going to throw that away, that's going to be used much more
+powerfully. I think something that Tim often talks about is social force.
+Once you recruit a few people and they start talking about something and
+what they're getting out of it, like how they're benefiting and growing,
+then other people will want to join immediately.
+
+Tim Ward - 30:43
+Yeah, social proof can really be a great helpful thing to bring any behavior
+and you can kind of do things like say well, so and so has reported this,
+have you reported anything when it comes to fishing? You're just even in a
+simple behavior you can kind of frame it like that. We're all social animals
+so we want to be helping socially, we want to be seen to be doing what
+other people do. There's other cognitive bus like reciprocity which is kind
+of similar where you can well, the security team have done all of this work
+blocking this stuff, we've given you this, we block this much, could you do
+your bit? People kind of feel like they ought to give back a bit? Probably
+depends how you word that slightly but there's some useful ways that you
+can kind of encourage those behaviors.
+
+Dinis Cruz - 31:34
+As a Google strategy, which I just want to prefix that I've also seen a very
+interesting. Paradox that when you have a supply chain that goes from
+very small individuals to very large companies, you actually tend to have a
+weird situation where the ones that are most secure are, I would say, the
+large companies that have already regulation, compliance, bigger teams
+who actually are able to take security a lot more seriously. Right, not more
+seriously. They actually have very color resources and they understand
+better. Also the smaller companies tend to have that because they
+understand the problems and the side effects of cybersecurity in their
+world. Sometimes it's the one in the middle that tend to be the worst ones
+who tend to actually fall into you want to give us your question? Yeah.
+
+Speaker 5 - 32:24
+Basically, from what Dennis was saying about the appetite for security,
+where a company might have all they might have a situation where they
+feel that they're secure enough, but they might think that they have this
+false sense of security mindset where they believe that they're too small to
+be targeted, which in essence is like for a lot of people that might go after
+cybercriminals, they prey on those, but they just don't realize that. It's just
+hard to really get them in that mindset that, hey, actually you should be
+taking things more seriously. And here's why.
+
+Tim Ward - 33:27
+It's a good point, Billy, and it goes back to that awareness point Dennis
+was making, that there is a bit of need to help people understand the
+threat and possibly of highlighting the risk. Not too much fear, but
+because just to help people understand that they might not even being
+targeted, but they're going to be collateral damage, potentially. Quite
+often the way that attacks work is that they're not targeting anyone,
+they're targeting just general weaknesses. They'll be firing this out across
+thousands of kind of endpoints or people. If your small business hasn't got
+some of the basics right, you're not the target, but you've become the
+target because you had a week.
+
+Janet Bonar Law - 34:18
+Yeah.
+
+Danusia Rolewicz - 34:18
+Especially with this at ransomware as a service model and the outsourcing
+involved in that anyone could be targeted just because why not? It doesn't
+take very much, really effort on the part of the attacker, but.
+
+Dinis Cruz - 34:37
+I would follow the assets. If you go back again to behavior change, one of
+the places where you can see huge amount of policy behavior is on the
+third party supply chain where you start to see pressures from the more
+mature companies downwards to do the right thing. To be honest, that is
+correct because ultimately it's about understanding that you might be a
+company that has quite large, but you depend on a chain of suppliers that
+if they are compromised down here, that is going to affect you. Also that's
+an awareness for the company because the company might think, well, we
+are a small provider who would attack us. If they are aware, going back
+to the second thought of the word, right, if they're aware that they can
+actually cause a huge amount of damage and the asset or whatever
+they're providing is actually a mission critical element of a bigger
+company, then they need to take it where?
+
+Dinis Cruz - 35:27
+Again, I think it's that behavior that you can also drive by creating
+economic models or social models. Because again, you talk about security
+champions, but it's also to do with the companies who hold key elements
+of the supply chain. You can push security downstream and also allow
+good investment in security. Going to Billy's point or why should we do it?
+What's the value for us? Well, guess what? If companies also can get
+rewarded in the marketplace for having good security practices, for
+having good security investment, which there's a direct correlation
+actually between security investment and good engineering, right, and
+good practices. Because most of the stuff that we want to do is common
+sense, right?
+
+Tim Ward - 36:09
+Good governance is quite often means yeah.
+
+Dinis Cruz - 36:13
+There's a direct correlation even on potential due diligence. I always tell
+the companies I work for get us involved in due diligence because we'll
+lower the price, right? Because of acquisitions, because security is a great
+way to do due diligence. Because you ask really good questions about how
+things work, not that they work, it's about what actually is happening
+under the hood. A good company, when you ask how things operate,
+doesn't go to the whiteboard and start drawing it, right? That's crazy.
+Immaturity right. They should know how things behave. Right. I think that
+behavior is super critical across organization. I know who mentioned that
+we hacked the organization, but that's how I think about this. We're trying
+to find the ways to nudge the organization, to behave in the ways that is
+on their own interest, to be safe and more efficient.
+
+Tim Ward - 37:04
+Yeah, I mean, that's an interesting kind of much higher macro level
+version of the behavior, isn't it? It's the regulatory environment that the
+kind of the market can provide to steer people. Obviously people like
+NCSC have been trying to do that with things like cyber essentials, haven't
+they? They've been trying to create a framework where, well, okay. Now
+you do get, I mean, as a supplier, you get asked, have you got these
+different frameworks? And that has a positive impact. I suppose there's
+then an interesting debate about where regardless of all these
+frameworks, where behavior becomes that entry point where people can
+still do something that breaks the whole bottle. How are you going to help
+those people? How are you going to help the individuals within those
+organizations as well to behave?
+
+Dinis Cruz - 37:56
+Well, that's why I think we should be measuring behavior, right? Because
+behavior, again, driven by incidents, is real. It's not theoretical. Basically,
+when something occurs let's take Phishing as an example, right? If a
+company is targeting with phishing, what happens? Do people click on
+things and then hide it? Do people click on things and then report it? Do
+people don't click on things? Right? What's the behavior that you want
+from a security team? From my point of view, yes, it's better if they don't
+click, but they're going to click on things, right? I much prefer somebody
+who's comfortable enough to go to the security team and give us advanced
+warning that something just happened than somebody clicking, going, oh,
+I hope nothing went wrong, and then not give us advanced warning. We
+actually had an incident that was like that. We actually went back to users
+and says, look, the problem is not you did XYZ, the problem is you didn't
+tell us that you just did that.
+
+Dinis Cruz - 38:55
+The fact that you did this, the fact that you went to a website and entered
+your credentials, for example, we would have done that. I cannot look a
+user in the eye and says you had fault when members of my team probably
+could have fault for the same thing, right? It looked just like the real stuff
+was very authentic. You cannot expect users not to fall for that. Once they
+notice that something was weird, what they should have done is tell us
+straight away because then we can make sure that the users of that
+password is not problematic. Again, what's the behavior you want the
+users do you want the users not to click on things and they want the users
+to tell you and to be the your eyes and ears on the ground that stuff is
+happening. I prefer the second one.
+
+Tim Ward - 39:42
+Yeah, we talked about it earlier, didn't we? This idea of understanding
+what are the behaviors you want to see in your organization, then thinking
+about how you can measure them. I think there's of just thinking about
+what are you going to do with that? That you don't become so we try our
+hardest to try and intervene with behaviors before or as they're
+happening, or we use the behavioral psychology of ideas of like priming
+and things to steer people before the event. I think there are obviously
+tools out there that are looking at kind of post instant and post event and
+behavior. There's just a worry in my head there that then you get into this
+cycle of punishment with training where you're trying to change the
+behavior by going, we spotted that you did this thing, now we're going to
+come. However hard you try, I think it's quite hard for that not to be seen
+as telling someone off and trying to correct their behavior.
+
+Tim Ward - 40:39
+Whereas I think if you can try and do it before or as it can be a bit more
+looks like this might be about to happen. Are you sure you don't want to
+do it this way and you can try and be a bit more back to January, bit more
+gentle, a bit more supportive, empathic and help people. I suppose.
+
+Danusia Rolewicz - 40:58
+Even in the post click scenario I think it doesn't have to be about training.
+It could just be a discussion starting off a dialogue that actually could go
+into a security champion session or some situation where you could not
+expose that person but use their experience to understand the triggers and
+the context that are floating around.
+
+Janet Bonar Law - 41:37
+I would argue that in the post click situation that is possibly the worst time
+you could choose to try and deliver any kind of training because they've
+just clicked on the email, they're annoyed that they're being caught out
+and they're quite upset about it and that is not a good receptive base for
+new information. I would argue it's next to pointless.
+
+Dinis Cruz - 42:06
+I completely agree. We should be thanking them. The other thing is
+training should be in context to what their day job is. Then it makes sense,
+right? Or else it doesn't again doesn't secure. Billy, I had a follow up
+question. Do you want to yeah.
+
+Speaker 5 - 42:22
+Basically, I spent of time as a truck driver. One of the things one of the
+companies did was when went to pick up our load, we would have to do
+our pre trip inspection. Sometimes they would hide gift cards in places
+where we need to look for our inspection. Like $10 at the local coffee shop
+kind of a thing. Just as a reward for doing your job. Of course if you don't
+do it properly then well, you lose out. I'm thinking you could do the same
+thing in the office space for some things like for instance setting it up in
+the office where a policy where if you have a suspicious email send it to
+suspicious@thecompanyname.com and then it will look at it, analyze it,
+see if it is and then maybe give that person reward. Like hey, you protected
+the company by reporting this suspicious email.
+
+Speaker 5 - 43:53
+Here's a gift card for Amazon or something along those lines. Maybe if
+someone at the end of the year, if someone gets whoever gets the most
+maybe gets some kind of a reward or something like that, just like a
+recognition for doing that. I think that could put people in a proactive
+disposition where they're more looking for these so they can report them.
+Otherwise it's just like they just don't really care about them. Even if they
+do see them as suspicious they might just ignore them or whatever. This
+way they're being proactive and I think that would inspire others to do the
+same when they see people actually getting rewarded for that.
+
+Dinis Cruz - 44:42
+Absolutely.
+
+Danusia Rolewicz - 44:43
+I love the suspicious atcompanyname.com address. That's amazing.
+
+Janet Bonar Law - 44:49
+I am going to steal that immediately.
+
+Danusia Rolewicz - 44:53
+There's a lot of things that I've seen around in different organizations of
+gamifying security. One thing is like a Pokemon Go kind of approach to
+reporting or flagging issues, which it depends on the type of
+organizational culture that you're looking at because it might not be
+appropriate for everybody, but I think what you're saying could fit in quite
+nicely on that gamification shelf.
+
+Tim Ward - 45:24
+Yeah, I've seen it done quite well with fishing where it's less about tricking
+and catching out and it's more about saying, right, we're going to run a
+phishing competition. It's going to start really easy and then it's going to
+get really hard and the people who get through to the kind of spot, the last
+most difficult email will win a prize or something. You've changed it,
+you've turned it on its head, you've made the whole thing quite fun and
+interesting and people step. The only slight issue is the self selection of
+people who are already probably the ones who don't need to know the
+trading. You have to think about what you're trying to achieve, but it gets
+people liking and talking about security.
+
+Dinis Cruz - 46:03
+Tim, you tell my question, because the question I was going to ask you is
+that when you do a phishing campaign exercise, do you tell the users and
+the It team or not?
+
+Tim Ward - 46:14
+So we don't tend to do them. We think that there are other ways to tackle
+this, but I think it all comes down to what you're trying to achieve with it.
+Because the reason we don't use I don't think the click rate is so variable
+depending on the bait, that you have to think like, why are you doing this?
+What are you trying to achieve? I don't think the training afterwards is
+that effective, as Janet says. It's kind of, why are you even doing these
+things? Maybe it's useful to understand the difference between different
+sectors of your organization, like who's most prone to authority based
+type attacks, in which case, no, you wouldn't tell them because you are
+trying to get some useful insightful data which you can then use. I don't
+know, janet, do you tell people?
+
+Janet Bonar Law - 47:05
+I don't tell anybody. I just set the campaign up, let it know that the box is
+going to be busy and hit the Go button. Really? That's what I do.
+
+Tim Ward - 47:17
+Stand back. Like the blue touch paper.
+
+Danusia Rolewicz - 47:22
+There was one organization that I was at where people were actively
+requesting phishing campaigns that was an indication of and it was
+specific teams as well. I think that ties into what Tim was saying, how you
+might get a group that really goes for that thing and that really wants to
+prove themselves and then maybe the other groups or teams within the
+organization, something else could work. Maybe developing a tailored
+approach where not everybody gets hit with the same thing or the same
+strategy could be useful.
+
+Dinis Cruz - 48:05
+Yeah. Let me share a couple of things here. Because I think this is on a
+topic, maybe some of you guys are already aware of this, but I think it's
+quite cool. Can you see my screen? Do about the knife and framework?
+Have you heard of this framework?
+
+Janet Bonar Law - 48:20
+No.
+
+Dinis Cruz - 48:22
+If you haven't heard about this is pretty awesome. The other one is Worthy
+Maps, which we've done a lot of sessions, but I think for this one, it's a
+really good behavioral framework created by Dave Snowden that breaks
+the world into this different worlds. It's very interesting to understand
+where you are and what behaviour change and to see in each of these. It's
+a really good way of thinking about how people will react, how systems
+will react, how almost like trying to get an understanding of the behavior
+that you see is almost a consequence of the environment that exists. But
+the environment evolves, right? The evolvement goes from chaotic to
+complex to complicated and simple. Also each of these has certain
+resilience. A simple, for example, you might think is what you want, but
+actually a simple could be a monoculture. There's one thing that happens,
+everybody does it, which then is very successful to massive disruption
+because if that thing stops working, everything so you actually sometimes
+fall from simple to chaotic because things can occur.
+
+Dinis Cruz - 49:24
+This is quite interesting again how you respond, like you act sense,
+respond here, you probe sense and respond. So it's quite cool. Again, I'll
+put the links in there and there's some really interesting stuff about the
+framework, how you behave, et cetera. I definitely recommend you guys to
+see this in the presentation. And then the other one is.
+
+Tim Ward - 49:46
+Yeah, looks really interesting.
+
+Dinis Cruz - 49:48
+Yeah. The other one, I see this recently, but have you heard about this one
+by this guy Nicholas Means, who talk about the My Line incident. It's a
+great story about how this was a nuclear incident occurred in US. How
+you can look at this from two different angles completely. One is kind of
+what happened in hindsight, almost looking for what went wrong, but
+then you can have another view. We does it the second part, which is what
+was the behavior that you would expect the individuals and that moment
+in time with that background, with that experience, with that stuff, to
+respond. You see they actually did what you would expect them to do,
+right? Of course, in hindsight you go why do you turn that valve along?
+Why do you do this, why do you do that? You would make in how those
+individuals were thinking, how they got brought up to their experience,
+what the signals they see, even the design of the place where you have all
+the alarms that was badly designed, had really bad usability, right?
+
+Dinis Cruz - 50:49
+It's a great example of you say why did you miss the alarm? Okay, but if
+the alarm is on a table with 30 other freaking LEDs and things, and the
+mission critical flashing light is next to the splashing light that the elevator
+doesn't work. Well, clearly that's a problem. Right. From a Usability point
+of view, and there are tons of others. Right. I think these are really cool
+examples on behavior, that it's about thinking about the environment that
+you create that then leads to the behavior of the individuals, which is,
+again, why I think if we can measure the behavior, you can sometimes
+even predict the behavior because you know that the ecosystem will occur
+on this in this good kind of environment.
+
+Janet Bonar Law - 51:37
+I think you touched on a really powerful thing there about the power of
+stories and connecting with an audience instead of just giving the facts. If
+you can weave the facts into a compelling story, the narrative kind of
+carries it into the brain. Remember stories better than remember list.
+
+Dinis Cruz - 52:01
+Absolutely. The story is critical. Yeah. Simon Worley on the worldly maps.
+If you haven't seen the sessions on Worldly Maps on the Summit, just
+search the Summit website. There's some amazing sessions there, right?
+Yeah. Simon Worley talks about how you want maps and how maps give
+you context, allowed to understand things, allowed to create a story about
+what happens, a narrative that then you then remember. Cool. Well, we
+want to talk about the hour. This is a really good session. We need to do
+more of this. I love this session. Definitely what the semi is all about. Any
+final words? Let me just go around the table. Any final words?
+
+Danusia Rolewicz - 52:42
+Yeah, I just think definitely I've got a few recommendations that I'm
+putting in the chat as you were showing us those great resources. I'm just
+trying to it's not really working very well, but yeah, just try to understand
+your main audience, try to key into their needs, understand their
+behaviour change and empathetic route, and try to marry that bottom up
+approach with your top down compliance needs. If you take that route,
+then you'll see more positive impact and behavior change than the
+compliance focused approach.
+
+Dinis Cruz - 53:31
+Tim?
+
+Tim Ward - 53:33
+Yeah, I suppose I've talked about this idea of kind of thinking a bit
+differently about security awareness and thinking about the behaviors that
+you want to see and then work out how you create a choice architecture, I
+suppose, where you make it easy for people to do the secure behavior. Our
+approach would tend to be to try and as you said, Dennis, measure things
+baseline, see what behaviors are taking place. Once you've understood
+that, start thinking about how you're going to steer people in the right
+direction. We would talk about trying to do that as in real time as you
+possibly can. So you're steering the right behaviors. I'll put some links.
+We've got lots of behavioral science articles and awareness articles on our
+blog, so I can share that as well.
+
+Dinis Cruz - 54:19
+Yeah. Also send it to Alana because we can add it to the page. Right. Once
+we put the video there, we put it there. That would be really cool. Jeanette,
+any final words?
+
+Janet Bonar Law - 54:30
+Yeah, I think in the past, awareness has sometimes been seen as a
+broadcast activity, that we have the information and we broadcast it to
+everybody. Because everybody needs to know the same thing, we deliver it
+in the same way. Clearly we now understand that's not the case. It's not a
+broadcast activity at all. It's a very interactive fiber anthropology exercise
+in trying to understand your audience and their needs and fit in your
+communications to shape their behaviors.
+
+Dinis Cruz - 55:08
+Yeah, couldn't agree more. Good stuff. Oh, sorry. Finish any final? You
+look like you're going to chip in with a final comment.
+
+Danusia Rolewicz - 55:17
+No, I just managed to send my message, that's all.
+
+Dinis Cruz - 55:22
+Yeah. The other one that's really powerful is the checklist, if you see in the
+book. What I really liked about that one was the idea that you don't create
+a checklist for everything you want to do. You create a checklist to
+actually nudge the behaviors and the things that people miss. Right. It's
+like, think about a pilot has a checklist, doesn't have a checklist.
+Everything they want to do is almost a checklist of either the things they
+forget to do or to miss or the things that would trigger other behaviors
+that will then get you to do the right in. Right. Again, the way you design
+that system makes a big difference. So again, we can end on that. So
+thank you very much. This was a really cool session, and I'll see you
+around in the other session of the summit. Let's do come up with another
+session for the next summit.
+
+Dinis Cruz - 56:04
+This is really good.
+
+Tim Ward - 56:06
+Thank you very much.
+
+Dinis Cruz - 56:07
+Good.
+
+Tim Ward - 56:07
+See. Bye bye.
+