"No Mr. Cyber Threat!" - A Psychological Approach To Managing the Fail-to-Challenge Vulnerability

Conference:  Black Hat USA 2022

2022-08-11

Summary

Behavioral science and psychology can help organizations become more cyber resilient by putting motivation at the centre of training and by simplifying the problem people are asked to solve.
  • Behavioral science and psychology can help organizations become more cyber resilient
  • Motivation should be central to training and learning
  • Simplifying the problem helps people notice an issue, identify it and report it
  • Gamification and micro-doses of training can be effective
  • Exercises should be run safely and with the right controls in place
The speaker described the "Malicious Floorwalker" exercise: an unrecognised individual with no ID walks through a busy workplace asking staff to let them use a laptop or plug in an unauthorised USB device, while wearing a bright t-shirt reading "CHALLENGE ME". The aim is to be challenged; each challenge is coached to a good outcome so that staff build a script they can reuse against a real intruder. Delivered across several sites, the exercise produced quantifiable improvements in staff willingness to challenge.

Abstract

An unrecognised individual enters a busy workplace. They are not wearing any ID and they are asking people if they can use their laptops or plug in an unauthorised USB device. Even though people typically know this is a problem, staff often fail to challenge, resulting in an exploitable vulnerability. But our individual is wearing a brightly coloured t-shirt with the words "CHALLENGE ME" in large friendly letters on the chest, and they are overtly trying to engineer risky behaviours. It is all far too obvious, almost as if they want to be caught doing something wrong. That is exactly the point. They want to be caught because each time they are challenged, our work indicates that their target becomes more secure. This is the "Malicious Floorwalker" exercise, an impactful behavioural intervention designed and delivered by the UK MOD Cyber Awareness Behaviours & Culture team. Grounded in robust psychological theory interwoven with social engineering practice, it is a way to manage human vulnerability rather than just uncover it. Taking only two minutes, it puts people at the heart of their own story around challenging a threat. By making it as obvious as possible that a challenge is required, it leverages the social cues and psychological tensions felt by the individual, leaving them with no option but to raise a challenge. Importantly, this is done in a safe, fun and light-hearted way, free from fear and punishment; it is simple, yet complex and effective. Engaging with the Floorwalker allows individuals to develop their own narrative towards challenging and to build a psychological script to work from in the future. When challenged, the Floorwalker coaches a good outcome and, as a result, fosters positive sentiment towards the ideal behaviour. We have delivered this across several sites to excellent effect with quantifiable success.