263: Security Education, Awareness, Behavior, and Culture with Kat Sweet

December 15th, 2021 · 46 mins 51 secs

About this Episode

02:01 - Kat’s Superpower: Terrible Puns!

08:07 - Security Awareness Education & Accessibility

20:58 - Making the Safe Thing Easy

22:43 - Awareness; Security Motivation; Behavior and Culture (ABC)

33:34 - Dietary Accessibility; Harm Reduction and Threat Monitoring

Reflections:

John: Internal teams relating to other internal teams as a marketing issue.

Casey: Phishing emails cause harm.

Kat: AIDA: Awareness, Interest, Desire, Action

Unconscious Bias Training That Works

The Responsible Communication Style Guide

This episode was brought to you by @therubyrep of DevReps, LLC. To pledge your support and to join our awesome Slack community, visit patreon.com/greaterthancode

To make a one-time donation so that we can continue to bring you more content and transcripts like this, please do so at paypal.me/devreps. You will also get an invitation to our Slack community this way as well.

Transcript:

PRE-ROLL: Software is broken, but it can be fixed. Test Double’s superpower is improving how the world builds software by building both great software and great teams. And you can help! Test Double is hiring empathetic senior software engineers and DevOps engineers. We work in Ruby, JavaScript, Elixir and a lot more. Test Double trusts developers with autonomy and flexibility at a remote, 100% employee-owned software consulting agency. Looking for more challenges? Enjoy lots of variety while working with the best teams in tech as a developer consultant at Test Double. Find out more and check out remote openings at link.testdouble.com/greater. That’s link.testdouble.com/greater.

JOHN: Welcome to Episode 263 of Greater Than Code. I'm John Sawers and I'm here with Casey Watts.

CASEY: Hi, I'm Casey! And we're both here with our guest today, Kat Sweet.

Hi, Kat.

KAT: Hi, John! Hi, Casey!

CASEY: Well, Kat Sweet is a security professional who specializes in security education and engagement. She currently works at HubSpot building out their employee security awareness program, and is also active in their disability ERG, Employee Resource Group. Since 2017, she has served on the staff of the security conference BSides Las Vegas, co-leading their lockpick village. Her other superpower is terrible puns, or, if they're printed on paper—she gave me this one—tearable puns.

[laughter]

KAT: Like written paper.

CASEY: Anyway. Welcome, Kat. So glad to have you.

KAT: Thanks! I'm happy to be here.

CASEY: Let's kick it off with our question. What is your superpower and how did you acquire it?

KAT: [chuckles] Well, as I was saying to both of y’all before this show started, I was thinking I'm going to do a really serious skillful superpower that makes me sound smart because that's what a lot of other people did in theirs. I don't know, something like I'm a connector, or I am good at crosspollination. Then I realized no, [chuckles] like it, or not, terrible puns are my actual superpower.

[laughter]

Might as well just embrace it.

I think as far as where I acquired it, probably a mix of forces. Having a dad who was the king of dad puns certainly helped and actually, my dad's whole extended family is really into terrible puns as well. We have biweekly Zoom calls and they just turn into everyone telling bad jokes sometimes.

[laughter]

But I think it also probably helps that, I don't know, having ADHD, my brain hops around a lot and so, sometimes makes connections in weird places. Sometimes that happens with language and there were probably also some amount of influences just growing up, I don't know, listening to Weird Al, gets puns in his parodies. Oh, and Carlos from The Magic School Bus.

CASEY: Mm hmm. Role models. I agree. Me too.

[laughter]

KAT: Indeed. So now I'm a pundit.

CASEY: I got a pun counter going in my head. It just went ding!

KAT: Ding!

[laughter]

CASEY: I never got – [overtalk]

KAT: They've only gotten worse during the pandemic.

CASEY: Oh! Ding!

[laughter]

Maybe we'll keep it up. We'll see.

I never thought of the overlap of puns and ADHD. I wonder if there's any study showing if it does correlate. It sounds right. It sounds right to me.

KAT: Yeah, that sounds like a thing. I have absolutely no idea, but I don't know, something to do with divergent thinking.

CASEY: Yeah.

JOHN: Yeah. I’m on board with that.

CASEY: Sometimes I hang out in the channels on Slack that are like #puns, or #dadjokes. Are you in any of those? What's the first one that comes to mind for you, your pun community online?

KAT: Oh yeah. So actually at work, I joined my current role in August and during the first week, aside from my regular team channels, I had three orders of business. I found the queer ERG Slack channel, I found the disability ERG Slack channel, and I found the dad jokes channel.

[laughter]

That was a couple of jobs ago when I worked at Duo Security. I've been told that some of them who are still there are still talking about my puns because we would get [laughs] pretty bad pun threads going in the Slack channels there.

CASEY: What a good reputation.

KAT: Good, bad, whatever. [laughs]

CASEY: Yeah.

KAT: I don't know. Decent as a form of humor that's safe for work goes, too because it's generally hard to, I guess, punch down with them other than the fact that everyone's getting punched with a really bad pun, but they're generally an equalizing force. [chuckles]

CASEY: Yeah. I love that concept. Can you explain to our listeners, punching down?

KAT: So this is now the Great British Bake Off and we're talking about bread. No, just kidding.

[laughter]

No, I think in humor a lot of times, sometimes people talk about punching up versus punching down in terms of who is actually in on the joke. When you're trying to be funny, are you poking fun at people who are more marginalized than you, or are you poking at the people with a ton of privilege? And I know it's not always an even concept because obviously, intersectionality is a thing and it's not just a – privilege isn't a linear thing. But generally, what comes to mind a lot is, I don't know, white comedians making fun of how Black people talk, or men comedians making rape jokes at women's expense, or something like that. Like who's actually being punched? [chuckles]

CASEY: Yeah.

KAT: Obviously, ideally, you don't want to punch anyone, but that whole concept of where's the humor directed and is it contributing to marginalization?

CASEY: Right, right. And I guess puns aren't really punching at all.

KAT: Yeah.

CASEY: Ding!

KAT: Ding! There goes the pun counter.

Yeah, the only thing I have to mindful of, too is not over relying on them in my – my current role is in a very global company so even though all employees speak English to some extent, English isn't everyone's first language and there are going to be some things that fly over people's heads. So I don't want to use that exclusively as a way to connect with people.

CASEY: Right, right.

JOHN: Yeah. It is so specific to culture even, right. Because I would imagine even UK English would have a whole gray area where the puns may not land and vice versa.

KAT: Oh, totally. Just humor in general is so different in every single culture. Yeah, it's really interesting.

JOHN: Yeah, that reminds me. Actually, just today, I started becoming weirdly aware as I was typing something to one of my Indian colleagues and I'm not sure what triggered it, but I started being aware of all the idioms that I was using and what I was typing. I was like, “Well, this is what I would normally say to an American,” and I'm just like, “Wait, is this all going to come through?”

I think that way might lead to madness, though if you start trying to analyze every idiom you use as you're speaking. But it was something that just suddenly popped into my mind that I'm going to try and keep being a little bit more aware of because there's so many ways to miss with communication when you rely on obscure idioms, or certain ways of saying things that aren't nearly as clear as they could be. [chuckles]

KAT: Yeah, absolutely. I'm sure that's definitely a thing in all the corporate speak about doubling down, circling back, parking lots, and just all the clicking, all of those things.

[laughter]

But yeah, that's actually something that was on my run recently, too with revamping one of the general security awareness courses that everyone gets is that in the way we talk about how to look for a phishing – spot a phishing email. First of all, one of the things that at least they didn't do was say, “Oh, look for poor grammar, or misspelled words,” because that's automatically really exclusive to people whose first language isn’t English, or people who have dyslexia.

But I was also thinking we talk about things like subtle language cues in suspicious emails around a sense of urgency, like a request being made trying to prey on your emotion and I'm like, “How accessible is that, I guess, for people whose first language is English to try and spot a phishing email based on those kind of things?” Like how much – [chuckles] how much is too much to ask of…? Like opinions about phishing emails, or the phishing training anyway being too much to ask of people to some degree, but I don't know. There's so much subtlety in it that just is really easy for people to lose.

JOHN: Yeah. I mean, I would imagine that even American English speakers – [overtalk]

KAT: Yeah.

JOHN: With a lot of experience still have trouble. Like actually, [chuckles] I just got apparently caught by one of them, the test phishing emails, but they notified me by sending me an email and saying, “You were phished, click here to go to the training.” And I'm like, “I'm not going to click on that!”

[laughter]

I just got phished!

KAT: Yeah.

JOHN: But I think my larger point is again, you're talking about so many subtleties of language and interpretations to try and tease these things out. I'm sure there are a lot of people with a range of non-typical neurologies where that sort of thing isn't going to be obvious, even if they are native English speakers.

KAT: Exactly. Myself included having ADHD. [laughs]

JOHN: Yeah.

KAT: Yeah. It's been interesting trying to think through building out security awareness stuff in my current role and in past roles, and having ADHD and just thinking about how ADHD unfriendly a lot of the [laughs] traditional approaches are to all this.

Even like you were just saying, “You got phished, take this training.” It seems like the wrong sequence of events because if you're trying to teach someone a concept, you need to not really delay the amount of time in between presenting somebody with a piece of information and giving them a chance to commit it to memory.

ADHD-ers have less working memory than neurotypical people to begin with, but that concept goes for everyone. So when you're giving someone training that they might not actually use in practice for several more months until they potentially get phished again, then it becomes just information overload. So that's something that I think about.

Another way that I see this playing out in phishing training in particular, but other security awareness stuff is motivation and reward because we have a less amount of intrinsic motivation. Something like, I don't know, motivation and reward system just works differently with people who have trouble hanging onto dopamine. ADHD-ers and other people's various executive dysfunction stuff.

So when you're sitting through security training that's not engaging, that's not particular lead novel, or challenging, or of personal interest, or is going to have a very delayed sense of reward rather than something that immediately gratifying, there's going to be a limitation to how much people will actually learn, be engaged, and can actually be detrimental. So I definitely think about stuff like that.

CASEY: That reminds me of a paper I read recently about—I said this on a previous episode, too. I guess, maybe I should find the paper, dig it up, and share.

KAT: Cool.

[laughter]

CASEY: Oh, but it said, “Implicit bias awareness training doesn't work at all ever” was an original paper. No, that's not what it said of course, but that's how people read it and then a follow-up said, “No, boring! PowerPoint slide presentations that aren't interactive aren’t interactive.”

[laughter]

“But the interactive ones are.” Surprise!

KAT: Right. That's the thing. That's the thing.

Yeah, and I think there's also just, I don't know. I remember when I was first getting into security, people were in offices more and security awareness posters were a big thing. Who is going to remember that? Who's going to need to know that they need to email security at when they're in the bathroom? [laughs] Stuff like that that's not particularly engaging nor particularly useful in the moment. But that DEI paper is an interesting one, too. I'll have to read that.

CASEY: Do you have experience making some of these trainings more interactive and getting the quicker reward that's not delayed and what does that look like for something like phishing, or another example?

KAT: It's a mixed bag and it's something that I'm still kind of – there's something that I'm figuring out just as we're scaling up because in past roles, mostly been in smaller companies. But one thing that I think people, who are building security awareness and security education content for employees, miss is the fact that there's a certain amount of baseline level of interaction and context that you can't really automate a way, especially for new hires.

I know having just gone through process that onboarding weeks are always kind of information overload. But people are going to at least remember more, or be more engaged if they're getting some kind of actual human contact with somebody who they're going to be working with; they’ve got the face, they've got some context for who their security team is, what they do, and they won't just be clicking through a training that's got canned information that is no context to where they're working and really no narrative and nowhere for them to ask questions. Because I always get really interesting questions every time I give some kind of live security education stuff; people are curious.

I think it's important that security education and engagement is really an enhancer to a security program. It can't be carrying all the weight of relationships between the security team and the rest of the company. You're going to get dividends by having ongoing positive relationships with your colleagues that aren't just contact the security team once a year during training.

CASEY: And even John's email, like the sample test email, which I think is better than not doing it for sure. But that's like a ha ha got you. That's not really [chuckles] relationship building. Barely. You’ve got to already have the relationship for it to – [overtalk]

KAT: No, it's not and that's – yeah. And that's why I think phishing campaigns are so tricky. I think they're required by some compliance frameworks and by cyber insurance frameworks. So some places just have to have them. You can't just say we're not going to run internal phishing campaigns, unfortunately, regardless of whether that's actually the right thing for businesses.

But I think the angle should always be familiarizing people with how to report email like that to the security team and reinforcing psychological safety. Not making people feel judged, not making people feel bad, and also not making them sit through training if they get caught because that's not psychological safety either and it really doesn't pay attention to results.

It’s very interesting, I remember I listened to your episode with Eli Holderness and at some point, one of the hosts mentioned something about human factors and safety science on the evolving nature of how people management happens in the workplace. How there was this old model of humans being a problem to be managed, supervised, and well, just controlled and how the new view of organizational psychology and people management is more humans are your source of success so you need to enable their growth and build them up.

I think a lot of security education approaches are kind of still stuck in that old model, almost. I've seen progress, but I think a lot of them have a lot of work to do in still being, even if they're not necessarily as antagonistic, or punitive, they still feel sometimes paternalistic. Humans are like, “If I hear the phrase, ‘Humans are the weakest link one more time,’ I'm going to table flip.” First of all, humans are all the links, but also – [overtalk]

JOHN: Yeah.

KAT: It's saying like, we need to save humans, which are somehow the security team is not humans. We need to save humans from themselves because they're too incompetent to know what to do. So we need, yeah – which is a terrible attitude.

CASEY: Yeah.

KAT: And I think it misses the point that first of all, not everyone is going to become a security expert, or hypervigilant all the time and that's okay. But what we can do is focus on the good relationships, focus on making the training we have and need to do somewhat interactive and personal and contextual, and let go of the things you can't control. [chuckles]

JOHN: Yeah, I think Taylorism is the name for that management style. I think it came around in the 40s and – [overtalk]

KAT: Really?

JOHN: Yeah, ruined a lot of lives. [laughs] Yeah, and I think your point about actually accepting the individual humanity of the people you're trying to influence and work with rather than as some sort of big amorphous group of fuckups, [laughs] for lack of a better word. Giving them some credit, giving them, like you said, something that's not punitive, somewhere where they don't get punished for their security lapses, or forgetting a thing, or clicking the link is going to be a lot more rewarding than, like you said, just making someone sit through training.

Like for me, the training I want from whatever it was I clicked on is show me the email I clicked on, I will figure out how it tricked me and then I will learn. I don't need a whole – [overtalk]

KAT: Yes.

JOHN: 3 hours of video courses, or whatever. I will see the video, [chuckles] I will see the email, and that is a much more organic thing than here's the training for you.

KAT: Exactly. Yeah, you have to again, give some people a way to actually commit it to memory. Get it out of RAM and into SSD.

JOHN: Yeah.

[laughter]

KAT: But yeah, I love that and fortunately, I think some other places are starting to do interesting, innovative approaches. My former colleague, Kim Burton, who was the Security Education Lead at Duo when I was there and just moved to Texas, gave a webinar recently on doing the annuals security training as a choose your own adventure so that it could be replicated among a wide group of people, but that people could take various security education stuff that was specific to their own role and to their own threat model. I really liked that.

I like being able to give people some amount of personalization and get them actually thinking about what they're specifically interacting with.

JOHN: Yeah, yeah. That's great and it also makes me think about there are undoubtedly things I'm pretty well informed in security and other things that I'm completely ignorant about. I'd rather not sit through a training that covers both of those things. Like if there's a way for me to choose my own adventure through it so that I go to the parts where I'm actually learning useful things. Again, a, it saves everybody time and b, it means I'm not fast forwarding through the video, hoping it'll just end, and then possibly missing things that are actually useful to me.

CASEY: I'm thinking of a concrete example, I always remember and think of and that's links and emails. I always hover and look at the URL except when I'm on my phone and you can't do that. Oh, I don't know. It has never come up in a training I've seen.

KAT: Yeah, you can click and hold, but it's harder and I think that speaks to the fact that security teams should lead into putting protections around email security more so than relying entirely on their user base to hover every single link, or click and hold on their phone, or just do nothing when it comes to reporting suspicious emails.

There's a lot of decision fatigue that, I think security teams still put on people whose job is not security and I hope that that continues to shift over time.

JOHN: Yeah. I mean, you're bringing up the talking about management and safety theory that probably came from Rein Henrichs, who is one of our other hosts.

But one of the things he also has talked about on, I think probably multiple shows is about setting the environment for the people that makes the safe thing easy.

KAT: Right.

JOHN: So that all the defaults roll downhill into safety and security rather than well, here's a level playing field you have to navigate yourself through and there's some potholes and da, da, da, and you have to be aware of them and constantly on alert and all those things. Whereas, if you tilt the field a little bit, you make sure everything runs in the right direction, then the right thing becomes the easy thing and then you win.

KAT: Exactly, exactly. I think it's important to put that not only in the technical defaults – [overtalk]

JOHN: Yeah, yeah.

KAT: But also process defaults to some degree.

One of my colleagues just showed me a talk that was, I think from perhaps at AppSec Cali. I'll have to dig it up. But there was somebody talking about making I guess, threat modeling and anti-abuse mindsets more of a default in product development teams and how they added one single line to their sprint planning—how could this feature potentially be misused by a user—and that alone just got people thinking just that little process change.

JOHN: Yeah. That's beautiful. But such a small thing, but constantly repeated at a low level. It's not yelling at anyone to…

KAT: Yeah.

JOHN: Yeah.

KAT: Yeah. And even if the developers and product designers themselves weren't security experts, or anti-abuse experts, it would just get them thinking, “Oh hey, we should reach out to the trust and safety team.”

CASEY: Yeah. I'm thinking about so many steps and so many of these steps could be hard. The next one here is the security team responsive and that has a lot to do with are they well-staffed and is this a priority for them? Oh my goodness.

KAT: Yeah. [laughs] So many things.

CASEY: It's layers. But I'm sure you've heard of this, Kat. The Swiss cheese model of error prevention?

KAT: Yeah. Defense in depth.

CASEY: Yeah.

[chuckles]

I like to bring it up on the podcast, too because a lot of engineers and a lot of non-security people don't know about it.

KAT: Hmm.

CASEY: Do you want to explain it? I don't mind. I can.

KAT: Oh, yeah. Basically that there are going to be holes in every step of the process, or the tech and so, that's why it's important to have this layered approach. Because over time, even if something gets through the first set of holes, it may not get through a second set where the holes are in different spots. So you end up with a giant stack of Swiss cheese, which is delicious, and you come out with something that's hopefully pretty same.

[laughter]

CASEY: Yeah, and it's the layers that are – the mind-blowing thing here is that there can be more than one layer. We don't just need one layer of Swiss cheese on this sandwich, which is everybody pay attention and don't ever get phished, or it's your fault. You can have so many layers than that. It can be like a grilled cheese, really, really thick, grilled cheese.

[laughter]

KAT: Yes. A grilled cheese where the bread is also cheese.

CASEY: Yes! [laughs]

MID-ROLL: This episode is supported by Compiler, an original podcast from Red Hat discussing tech topics big, small, and strange.

Compiler unravels industry topics, trends, and the things you’ve always wanted to know about tech, through interviews with the people who know it best. On their show, you will hear a chorus of perspectives from the diverse communities behind the code.

Compiler brings together a curious team of Red Hatters to tackle big questions in tech like, what is technical debt? What are tech hiring managers actually looking for? And do you have to know how to code to get started in open source?

I checked out the “Should Managers Code?” episode of Compiler, and I thought it was interesting how the hosts spoke with Red Hatters who are vocal about what role, if any, that managers should have in code bases—and why they often fight to keep their hands on keys for as long as they can.

Listen to Compiler on Apple Podcasts, or anywhere you listen to podcasts. We’ll also include a link in the show notes. Our thanks to Compiler for their support.

CASEY: Earlier, you mentioned awareness, Kat as something interesting. You want to talk about awareness more as a term and how it relates to this?

KAT: Oh, yeah. So I – and technically, my job title has security awareness in it, but the more I've worked in the security space doing employee security education stuff as part of all my job. I know language isn't perfect, but I'm kind of the mindset that awareness isn't a good capture of what a role like mine actually should be doing because awareness without behavior change, or action is just noise. It's just we're all very aware of things, but if we don't have an environment that's friendly to us putting that awareness into some kind of action, or engagement, or response, we are just aware and scared. [laughs]

CASEY: Yeah, awareness alone just makes us feel bad. We need more than that.

KAT: Yeah. So I think security awareness is sometimes just a product of a term that got standardized over several years as it's in all of the compliance control frameworks, security awareness is a part of it. I don't know it's the best practice thing. I hope over time it will continue to evolve.

CASEY: Yeah.

KAT: As with any other kind of domains.

JOHN: Yeah. I think that maybe security motivation might be a better term for it.

KAT: I've seen a bunch of different ones used. So I end up speaking in terms of, I don't know, security education and engagement is what I'm working on. Security culture is my vision. I've seen things like security awareness, behavior, and culture, ABC, things like that. But all this to say security awareness not being in a vacuum.

CASEY: I like those. This reminds me of a framework I've been thinking about a lot and I use in some of my DEI workshops. AIDA is an acronym. A-I-D-A. The first one's Awareness, the last one is Action, and in the middle is Interest and Desire.

KAT: Nice.

CASEY: So the questions I use to frame is like, are they aware of, for example, if they're misgendering someone? That's the context I'm using this in a lot. Are they aware of this person's pronouns in the first place? Are they interested in caring about this person and do they want to do anything about it and did they do it? Did they use their proper pronouns? Did they correct their actions? It's like 4 stages – [overtalk]

KAT: I like that.

CASEY: AIDA. It's used in marketing a lot for like a sales funnel, but I apply it to all sorts of how do you get someone from aware to action?

KAT: I like that a lot.

It's been interesting working at a place that makes a product that's more in the sales and marketing space. Definitely learned a lot because a couple of previous roles I've had been with security vendors. I think one of the interesting ideas that was a new concept to me when I started was this idea of inbound marketing, where instead of just cold contacting people and telling them, “Be interested in us, be interested in us, buy our stuff,” you generate this reputation as being of good service by putting out useful free nuggets of content, like blog posts, webinars, and things. Then you get people who are interested based on them knowing that you've got this, that you offer a good perspective, and then they all their friend. They are satisfied customers, and they go promote it to people.

I think about this as it applies to security teams and the services they provide, because even though corporate security teams are internal, they've still got internal customers. They've still got services that they provide for people. So by making sure that the security team is visible, accessible, and that the good services that they provide are known and you've got satisfied customers, they become promoters to the rest of their teams. Think about like security can definitely learn a lot from [chuckles] these sales and marketing models.

CASEY: I can totally imagine the security team being the fun team, the one you want to go work with and do workshops with because they make it so engaging and you want to. You can afford to spend your time on this thing.

[laughter]

KAT: Oh yes.

CASEY: You might do it.

[laughter]

JOHN: Yeah, and I think marketing's a great model for that. Marketing sort of has a bad reputation, I think amongst a lot of people because it's done badly and evilly by a lot of people. But it's certainly possible and I think inbound market is one of those ways that you're engaging, you're spreading awareness, you're letting people select themselves into your service, and bring their interest to you. If you can develop that kind of rapport with the employees at your company as a security team, everybody wins.

KAT: Yeah, absolutely, and it can absolutely be done.

When I was working at Duo a couple jobs ago, I was on their security operations team and we were responsible, among other things, for both, the employee security education and being the point of intake; being the people that our colleagues would reach out to with security concerns to security and it definitely could see those relationships pay off by being visible and being of good service.

CASEY: So now I'm getting my product manager hat on, like team management.

KAT: Yeah.

CASEY: I will want to choose the right metrics for a security team that incentivizes letting this marketing kind of approach happen and being the fun team people want to reach out to have the bigger impact and probably the highest metric is like nobody gets a security breach. But that can't be the only one because maybe you'll have a lucky year and maybe you'll have an unlucky that's not the best one. What other metrics are you thinking of?

KAT: That's the thing, there's a lot more that goes into not getting pwned than how aware of security people are. There's just way too many factors to that. But – [overtalk]

CASEY: Yeah. I guess, I'm especially interested in the human ones, like how come – [overtalk]

KAT: Oh, yeah. And I mean like – [overtalk]

CASEY: The department allowed to do the things that would be effective, like incentivized and measured in a sense.

KAT: Yeah, and I think a lot of security education metrics often have a bit of a longer tail, but I think about not – I don't really care so much about the click rates for internal phishing campaigns, because again, anyone can fall for a phish if it's crafted correctly enough. If it's subtle enough, or if just somebody's distracted, or having a bad day, which we never have. It's not like there's a pandemic, or anything.

But for things that are sort of numbers wise, I think about how much are people engaging with security teams not just in terms of reporting suspicious emails, but how often are they reporting ones that aren't a phishing simulation? How much are they working with security teams when they're building new features and what's the impact of that baseline level before there's, I don't know, formal process for security reviews, code reviews, threat modeling stuff in place? What does that story look like over time for the product and for product security?

So I think there's quite a bit of narrative data involved in security education metrics.

JOHN: Yeah. I mean you could look at inbound interests, like how often are you consulted out of the blue by another team, or even of the materials you've produced, what's the engagement rates on that? I think that's a lower quality one, but I think inbound interest would be fantastic.

CASEY: Yeah.

KAT: Yeah, exactly. I was thinking to some degree about well, what kinds of vulnerabilities are you shipping in your code? Because I think there's never 100% secure code. But I think if you catch some of the low-hanging fruits earlier on, then sometimes you get an interesting picture of like, okay, security is being infused into the SDLC at all of these various Swiss cheese checkpoints.

So think about that to some degree and that's often more of a process thing than a purely an education thing, but getting an education is an enhancer to all of these other parts of the security programs.

JOHN: So in the topics for the show that you had suggested to us, one of the things that stood out to me was something you called dietary accessibility. So can you tell me a little bit more about what that means?

KAT: So earlier in this year, in the middle of all of this pandemic ridiculousness, I got diagnosed with celiac disease. Fortunately, I guess, if there was a time to be diagnosed with that, it’s I'm working remotely and nobody's going out to eat really. Oh, I should back up. I think a lot of people know what it is, but just in case, it's an autoimmune disorder where my body attacks itself when I eat gluten. I've described it in the past as my body thinks that gluten is a nation state adversary named fancy beer.

[laughter]

Ding, one more for the pun counter. I don't know how many we're up to now. [laughs]

CASEY: I have a random story about a diet I had to do for a while for my health.

I have irritable bowel syndrome in my family and that means we have to follow over really strict diet called the low FODMAP diet. If your tummy hurts a lot, it's something you might look into because it's underdiagnosed. That meant I couldn't have wheat, but not because I had celiac disease; I was not allergic to the protein in wheat flour. I was intolerant to the starch and wheat flour. So it would bother me a lot.

People said, “Do you have celiac, or?” And I was like, “No, but I cannot have wheat because the doctor told me so, but no, it's not an allergy.” I don’t know, my logical brain did not like that question.

[laughter]

That was an invalid question. No, it's not a preference. I prefer to eat bread, but I cannot, or it hurts my body according to my doctor.

KAT: [chuckles] So you can't have the starch and I can't have the protein. So together, we can just – [overtalk]

CASEY: Separate it!

KAT: Split all of the wheat molecules in the world and eat that. [laughs]

CASEY: That's fair. I literally made gluten-free bread with gluten. [laughs] I got all the gluten-free starches and then the gluten from the wheat and I didn't have the starch in the wheat and it did not upset my stomach.

KAT: Oh man.

JOHN: Yeah. I've got a dairy sensitivity, but it's not lactose. It's casein so it's the protein in the dairy.

CASEY: Protein, uh huh.

KAT: Oh, interesting.

CASEY: I apologize on behalf of all the Casey.

[laughter]

Casey in.

KAT: Who let Casey in?

CASEY: Ding!

KAT: Ding!

No, but it’s made me think a lot about as I was – first of all, it's just I didn't fully appreciate until I was going through it firsthand, the amount of cognitive overload that just goes into living with it every day. [laughs]

Speaking of constant state of hypervigilance, it took a while for that to make it through – I don't know, me to operationalize to my new life that's going to be my reality for the [laughs] rest of my life now because it was just like, “Oh, can I eat this? Can I eat that?” All of that.

Something that at least helped ease me out of this initial overwhelm and grieving period was tying some of the stuff that I was dealing with back to how would I do this in my – how would I approach this if this were a security education and security awareness kind of thing?

CASEY: Oh, yeah.

KAT: Because it's a new concept and it's a thing that is unfamiliar and not everyone is an expert in it. so I’m like, “How would I treat myself as the person who's not an expert in it yet?” I, again, tried to get myself back to some of those same concepts of okay, let's not get stuck in thud mode, let's think about what are some of the actual facts versus what’s scaremongering. I don't need to know how much my risk of colon cancer is increased, because that's not how helpful for me to actually be able to go about my day. I need to know what are the gluten-free brands of chips? That's critical infrastructure.

CASEY: I love this parallel. This is so cool.

KAT: And so I thought about to – I've mentioned earlier, decision fatigue as a security issue. I thought about how can I reduce the decision fatigue and not get stuck just reading all the labels on foods and stuff? What are the shortcuts I can take? Some of those were like okay, let me learn to recognize the labels of what the labels mean of a certified gluten-free logo and also just eat a lot of things that would never have touch gluten to begin with, like plain and raw meat, plain potatoes, plain vegetables, things like that. So just anything to take the cognitive load down a little bit, because it was never going to be zero.

It's interesting. Sometimes, I don't know, I have tons of different interests and I've always interested in people's perspective outside of security. A lot of that stuff influences the way I think about security, but sometimes the way I think about security also ends up influencing other stuff in my life, so.

CASEY: Yeah. I think that's brilliant. Use – [overtalk]

KAT: And interesting to connect with those.

CASEY: The patterns and you're comfortable with, and apply them.

KAT: Exactly.

CASEY: A lot of really cool ideas come from technology.

KAT: Yeah, and go for harm reduction, not nothing because we don't live in a gluten-free world. It’s like I can try to make myself as safe as possible, but at some point, my gut may suffer a data breach and [laughs] when I do, should be blameless and just work on getting myself recovered and trying – [overtalk]

JOHN: Yeah. I mean, thinking about it as a threat model. There's this gluten out there and some of it's obvious, some of it's not obvious. What am I putting in place so that I get that 95th percentile, or whatever it is that you can think of it that way? I like that.

KAT: Exactly. It's an interesting tie to threat modeling how the same people – even if people have the same thing that they can't eat, they may still have a different threat model. They may, like how we both had to avoid wheat, but for different reasons and with different side effects, if we eat it and things like that.

CASEY: I love these parallels. I imagine you went into some of these in that talk at DisInfoSec. Is that right?

KAT: Yeah. A little bit.

So DisInfoSec, it's a virtual conference in its second year of existence, specifically highlighting disabled speakers in the InfoSec community run by Kim Crawley, who's a blogger for Hack the Box. There was a really interesting lineup of talks this year. Some people, I think about half of them touched on neurodiversity and various aspects of security through lenses of being autistic and ADHD, which is really cool.

For mine, I focused on those of us who have disability-related dietary restrictions and how that affects our life in the tech workplace, where compared to a lot of other places I've worked, there's a lot of free food on the company dime hanging around and there's a lot of use of food as a way to build connection and build community.

CASEY: Yeah, and a lot of stuff, a lot of people can't eat. I'm with you, uh huh.

KAT: Yeah. I just took stock of all of the times that I would take people up for lunch interviews, go out to dinner with colleagues when they're in town, all of these things. Like snacks in the office. Just there not being a bathroom on the same floor as me for multiple jobs where I worked. [laughs] Things like that.

So I really wanted to – the thing that I wanted to highlight in that talk in general was systemic level accommodations to be made for people with be they celiac IBS, food allergies, diabetes rather than relying on people individually requesting accommodations.

This universal design model where you've got to make sure that your workplace is by default set up to accommodate people with a wide range of disabilities including dietary needs and a lot of times it doesn't come down to even feeding them. It comes down to making sure their health insurance is good, making sure people can work remotely, making sure that – [overtalk]

CASEY: Higher levels of Swiss cheese on that. They are various levels.

KAT: Yeah, the levels of Swiss cheese. A lot of stuff cascades from lunch interviews, making sure that if you do them at all, that you're really flexible about them.

JOHN: Yeah. I can definitely relate to the being able to work from home, which I've done for the last decade, or more, has been huge for being able to have a solid control of my diet. Because it's really easy to have all the right things around for lunch rather than oh, I've only got half an hour, I can run out to the sub shop and I'll just deal with the consequences. Because that's what's nearby versus, or trying to bring food into the office and keep it in the fridge, or the free – that's a whole mess.

So just like you said, good health insurance, working from home, these are things that allow for all sorts of different disabilities to be taken care of so well that you don't – that's the base, that's table stakes to formatting kind of inclusion.

KAT: Exactly, exactly.

CASEY: Yeah.

KAT: Exactly. Yeah, and I think what sometimes gets missed is that even there are other things that I need to – the ability to just sometimes lay down, the ability to be close to a bathroom, and things that are not food related, but definitely are my reality. [laughs]

CASEY: And companies went out, too. By accommodating you, they get all of your expertise and skills and puns. In exchange for flexibility, they get puns.

KAT: [laughs] And I still make puns about gluten, wheat, rye, and barley even though I can I eat them anymore. That will never go away.

CASEY: They just keep rising.

KAT: Wheat for it. Wait for it.

[laughter]

CASEY: Ding!

KAT: That's just my wry sense of humor.

CASEY: All right. We're getting near end of time for today. This point, let's talk about reflections and plugs.

JOHN: I can go first.

I think the thing that's definitely sticking with me is thinking about the internal teams relating to other internal teams at a company as a marketing issue. Security is obviously one where you need to have that relationship with pretty much every team. But I'm thinking all sorts of all the way around development, DevOps, tech QA. Everyone can think this way and probably gain something from it as a what are we presenting to the rest of the company, what is our interface, and how do we bring more things to it such that people like working with our interface a lot so that we have great relationships with the rest of the team? I think I’m going to keep thinking about that for a while.

CASEY: I'll share a reflection.

I liked noticing that those phish emails can cause harm to people—they can feel bad and then make them less receptive. I've always been a fan of them overall. But thinking about that impact, I might have even been the one to say that, but it was still surprising to me when that came out of my mouth. Say, oh yeah, it hurts people in a way, too. We don't have to have that painful experience to teach people. It can be done in a safer environment.

I wonder what else we can do for training of things like that to make it more positive and less negative. I'm going to be thinking on that.

KAT: Yeah. And I wrote down AIDA. Awareness, Interest, Desire, and Action. Did I get that right?

CASEY: Yeah.

KAT: I'm definitely going to look into that. I think that's a great model for education of all kinds.

CASEY: Yeah. If you want to go even deeper, there's like 6 and 7 tier models on the Wikipedia page links to a bunch of them. That's just the most common.

KAT: Awesome.

CASEY: For plugs, I just want to plug some homework for you all.

Everyone listening, there's this Unconscious Bias Training That Works article that I've mentioned twice now. I hope you get to read that. And I guess, the AIDA – It'll be in the show notes for sure. And then the Wikipedia page for AIDA marketing just so you have a spot to look it up, if you forget about it. Try to apply that to situations, that's your homework.

KAT: I think something I plugged on Twitter quite a bit over the years and a lot when we were talking about the language that we use earlier, I'm a huge fan of the Responsible Communication Style Guide, which was put out by the Recompiler, which is a feminist activist hacker publication. So they've got guides on words to avoid, words to use instead for when talking about race, gender, class, health, disability status. It's written for a tech audience and I really like that as a resource for using inclusive language.

JOHN: Yeah. It's great stuff.

CASEY: I love it. All right, thanks so much for are coming on our show today, Kat.

Support Greater Than Code