Interview with Kai Roer, "Hacking Your Mind" at Honeynet Workshop 2015

29 Mar 2015 The Honeynet Project hpw2015-d52 norway stavanger workshop

Kai Roer is focusing on user awareness, security culture and the study of how our human mind makes us vulnerable and exploitable. He consults with people and organizations on the interpersonal skills that are vital to a successful and trusted secure environment. He is the creator of the Security Culture Framework, a columnist at Help-Net Security and the author of a number of books about cybersecurity and leadership. His latest book is “Build a Security Culture”.

1) What was your motivation to enter the Information Security field, and who inspired and helped you along the way?

I entered this field more by necessity than by choice. Working in the void between technology, communication and leadership, I soon realized how information security in its wider definition is key to control information in all channels, and as such a key to communication and thus leadership. There are a great number of inspirators out there, people I consider both mentors and friends. As is not uncommon in our industry, I prefer not to name names, just point out that there are a lot of extremely smart people around the world who contribute to the security community in a number of ways. If you do insist on a few names, look up some of the books I have co-authored, and who else wrote in those books.

2) How do you keep yourself motivated in this line of work and how do you handle the competition & failures?

I am probably an oddball in the infosec community in that I am not a technically skilled hacker, nor am I particularly interested in tech. What I do, and do very well according to clients and connections, is to understand how the human mind impacts our security behaviors, and by understanding the mind, I help advise on programs and actions to change security behavior into the kind of behaviors we want to see from people. I am a strong believer in intrinsic motivation, and have created the Security Culture Framework as a free and open method to build security culture and change security awareness, because by allowing anyone access to the framework, we allow any organization to understand how to build and maintain the kind of security culture they need. And by doing so, instead of creating a competing environment, we enable the community to learn from each other. And seeing the results emerging in organizations around the world, organizations who may never have been able to hire my services, now being able to help themselves to better security - that is a great motivation for me personally, and to the community.

3) Why is the Global Honeynet Project important and why should people support this cause?

Just like the Security Culture Framework, the Honeynet Project started, and thrives, as a community driven project focused on spreading understanding and building knowledge about how hackers infect and destroy systems. Before the Honeynet Project, you were almost on your own, while with the Honeynet Project you now have a huge, global resource of people who understand your issues, and can help you understand how to protect yourself better. I strongly believe community driven projects are powerful bodies of knowledge that people should support and join. It is, however, important to understand how motivation works - and what motivates yourself. If you find the areas of the Honeynet Project of interest to you (and reading this, I think you may do that!), joining the cause will help you spread your knowledge, help you learn more, build a global network of people who understand and care for the same area of interest, as well as enabling your personal growth.

4) What is your talk about and why should people join the event?

My talk, Hacking Your Mind, is an exploratory drive through three basic psychological phenomena that make the human hackable and, subsequently, exploitable. These phenomena are, possibly, hard-wired into our brains, and as such, we need to understand how they work in order to build up our defenses. My talk explains each of the three areas and how social engineers of all sorts use these to trick us into doing things. Delivered with my passion, this is a must-not-miss talk for anyone who needs to understand how to combat social engineering and to secure the so-called weakest link.

5) What Security issues are being exploited and how to counter them?

A very wide question, don’t you think? I will narrow down to my area of interest: the human mind and social behavior, or security culture as I normally call it. Within security culture, there are a number of security issues taking place - from social engineering to the insider threat. The biggest challenge is that after almost two decades of training and security awareness focus, security awareness programs generally fail. There are a number of reasons for this - both on the local organization side, as well as systemic reasons. But perhaps most importantly, programs fail because information security people do not understand how people function. So instead of adapting the programs to the needs of the people they are trying to change, they focus on creating change where none is wanted - the users do not understand the very basic WHY, the reason for the change you expect them to make. And yet, most information security officers in charge of awareness do not change their own perception of how to train people. Instead they conclude like this: “People are stupid. Awareness trainings do not work”. Guess what. You are wrong. People are not stupid (well, most of them). And awareness programs fail not so much because of the programs, but due to their failure to understand their own requirements to adapt to the needs of the target audience. Again, this is the major reason behind the creation of the Security Culture Framework, which helps the security officer to understand how to build and maintain security culture that actually yields results.

6) What are the gaps in today’s security methods?

Everywhere? Methods evolve, change and adapt to the current situation, as they should. Perhaps the biggest challenge is when methods no longer change, evolve and adapt? When we continue to do what we always did, yet we expect new results. Again, consider the security awareness focus, where the general consensus is that it does not work. If so, why do you continue to do the same old programmes all over again? And again? If it does not get you the results you need, get rid of it, and try something else! Just like the true hackers do!

7) What are your suggestions for upcoming professionals?

Never forget the human aspect of information security. And stop blaming the humans for the failures of security. Build secure systems which work together with humans to be secure, not something that works against every human behavior. To learn more about humans, security culture and security behavior, look up the Security Culture Framework (https://scf.roer.com). It is free and open, and consider joining peers in Oslo in June 2015 for the Security Culture Conference (https://scf.roer.com/conference). Perhaps even more important - talk to your heroes, your rock-stars, your motivators, the speakers at the conference. Most of them are very kind, caring and knowledgeable people who want to help you. Network (with people), be humble, and never give up.

Photographer: Elin Wennemyr