What is Culture?


There is one question I get asked more often than any other: "What is culture?" Most of the time the asker wonders from the perspective of cyber security and security awareness, though non-security people ask it too. There is no single, clear-cut definition of culture; it all depends on your perspective, background and interest. In my upcoming book "Build a Security Culture", I define security culture as:

The ideas, customs, and social behavior of a particular people or society that allows them to be free from danger or threats.

This definition combines the usual definition of security with the definition of culture generally used by anthropologists. It explains and frames the topic I discuss, and is most commonly the answer I provide when asked "What is culture?"

You may or may not agree with this definition, and that is fine. Instead, let's agree that there are many different definitions available, and that the one we use should be the one that best describes the topic and framing we aim for. As an example of alternative perspectives on culture, let us consider a few other definitions.

culture: from farming; preparing and using nature for farming, i.e. cultivating the landscape.

This is the original use of the word, and it is a useful backdrop to the definition, as it makes us realize that culture is about changing something into a state that we want: from wild nature into a form and state we can control.

In sociology, culture has many different definitions and perspectives too: from being the object of study and explanation (cultural studies, the study of how culture is created, used and impacts us), to cultural sociology, where culture itself is used to describe, initiate and explain change. According to the latter, culture is one of a number of objects we may change; thus, by definition (again), culture is formable, something we can act upon and use.

In psychology, the focus is mainly on the differences between groups (regions, countries etc.), and culture is used to explain how one group of people may respond to threats differently from another because their collective mind is different.

My concern with culture is a practical one: I strive to build and maintain security culture. A definition that helps me frame the topic helps me understand what exactly we are working with, and what is not part of the work. My needs are to identify the areas we can change, to change those as efficiently as possible, and to document both the change itself and the failures. I am a pragmatist in that I focus on creating actual results, more than on describing an interesting (ab)normality.

Using the definition above helps me focus on my tasks and work towards my goal: build and maintain better security culture.

If you are interested in security culture, you may want to check out the Security Culture Framework.

2015: The Year of Security Culture

How to create a security culture program

Building security awareness has been shown to be a challenge in the past, with a general consensus of poor results, lack of direction and a lack of agreement on what awareness is in the first place. Let me dedicate this year: 2015, the year of security culture!

As you know, I have been focusing on security culture for quite some time, and the response we see in the market is huge. The Security Culture Framework is being applied by organizations in the USA and Europe, and we are seeing a growing number of requests from Asia, Africa and South America. The reason is as simple as the framework's principles are easy: the Security Culture Framework provides a process that is easy to apply, engages the whole organization and creates documentable, tangible, visible results. All without you having to replace existing content and trainings; instead it wraps around the activities you already use, to help you build value and get real results. The best part? The Security Culture Framework is free. For all.

«This focus on security culture – will it take away all the risk and threats out there?»

Of course not. Just like adding a firewall to your network does not stop every cyberthreat, security culture is one of many tools that should be in your toolbox, and a strategy that should work together with and support both policies and technology. And vice versa: Technology and policies should be implemented in a way to support security culture.

2015 will be the year when security culture grows out of infancy and into adulthood. Security culture will slowly replace awareness, and create results instead of frustration. The first step was the Security Culture Framework. In a few weeks' time, the book «Build a Security Culture» will hit the shelf in a (virtual) bookstore near you, explaining the concept and giving you direction. And later this year, The Roer Group is launching a series of new tools to help you structure, plan and execute your work with security culture and cyber security too.

There will be more on culture from me this year. The same, I believe, will be true of large (and small) hacks (not from me, though, unless there are minds to be hacked! Those I am likely to continue to play with!). And as before, nature is going to cause her fair share of disasters too.

Let's stand together and fight back as best we can. May the most resilient survive!

A cultural 2015 I wish for you!

2014: The Year we Survived

It's that time of year again: the time of reflection, the reviewing of goals and the defining of our future. I welcome you to 2015, after surviving 2014 despite the best efforts of countries, criminals, nature and the cyber itself! I will not spend more time on the Sony hack than I already have, nor will I go over the other challenges faced by companies in 2014. It suffices to say that Troy Hunt's excellent Have I Been Pwned service has grown considerably in size since he visited Oslo in June. Instead, I will review some of my goals, reflect a tiny bit and of course make my predictions for 2015.

In December 2013, I defined some goals for 2014, the main one being to become a student at the University of Oslo, reading psychology. A year on, I am quite happy to say I have successfully completed the courses and exams of the first year, and I am continuing my studies in 2015. As I stated last year, I believe it is of the utmost importance for security people to actually understand people if we want to help them succeed in changing their security behaviors.

In addition to my studies, I planned on working with the Security Culture Framework. It went through a facelift, we signed up several new consulting partners in both Europe and the US, and we held the Security Culture Summer Camp 2014, where we certified a group of Security Culture Practitioners. With Mo Amin, we also kicked off the Security Culture Show, a monthly video show and podcast where we invite guests to discuss security culture.


In short, there were a lot of successful goal completions for me in 2014. What about failures, then? I had some of those too! One goal I had for the year was to write two books: «Build a Security Culture», in which I explain how to design and maintain a lasting security culture program; and a book on hacking people's minds: the psychology that tricks us into doing the things we do. I failed utterly in writing the second book.

People did tell me that I might be setting my goals for the year too high, and they were right. Although I do feel bad thinking of not meeting all of my goals, when I look at my scorecard, I have ticked off most of them, and that is success for me.

There is no doubt that I set the stakes high, and by doing so increased the risk of failure. But let's turn that upside down and consider what might have happened had I not set my goals this high. I might have had more «time» to watch TV or whatever, but I would not have achieved what I have done, and I would be settling for less. And those who know me also know that I do not settle for less.

Nor am I known for choosing the easy way out.

Smart people for great conversations

Some of the students I met at the Ljubljana Grad. Great minds from all over Europe indeed!

A brief look at my year includes guest lecturing on security culture at several universities in Europe, speaking at a number of conferences (my October was particularly busy due to National Cyber Security Awareness Month, NCSAM), writing a book, studying full time and traveling to new countries and places. Just like Colombia in 2013, I fell in love with Slovenia in 2014. I wonder which country I will fall in love with in 2015?


Oh, let's not forget the CSA Norway Summer Conference 2014, where Thom Langford, Quentyn Taylor, Mo Amin and myself were rocking out to «How to Become an Infosec Rock Star»!

Aquavita Chorizo. Ask me for recipe!

I continued to cook too, and had a number of fantastic people visiting: Troy Hunt, Arron Finnon, Jack Daniel and Scott Thomas to name a few. To say they have been eating out of my hand would not be entirely true, yet not entirely wrong either!

Predictions for 2015: will be published in an upcoming post (next week), with the title: 2015: The Year of Security Culture


Thanks for 2014! It was a great year in many ways, and a desperate one for some. Most of us are still going strong, let us continue with that!

The Security Culture Show – a review of 2014


Earlier this year, Mo Amin and I kicked off the Security Culture Show, a monthly Google Hangout on Air or a TV-show on your computer if you like. This December, it was time to review what we had done, and to meet with our guests again.

The Security Culture Show is a 45-minute show where we discuss security culture, security awareness and how to change behaviors, with guests like J. Wolfgang Goerlich, Dr. Jane LeClair of the National Cybersecurity Institute and Rebecca Herold, the Privacy Professor, to name but a few.

The Guests


Although the general topic of the show is security culture, we find ourselves discussing anything from passwords to phishing, setting up and managing security programs, and how to tell stories in a way that relates to the audience.

Feedback about the show is great too:

Great content and very professionally made! Lars


Very insightful! Looking forward to your hangout session today too. Eli

We are the lucky ones, with actively participating viewers who ask us questions and give us feedback and direction. Thank you all for watching – live and recorded!

In the December show we had a special guest too: Santa Mo came by and offered to give away a copy of my upcoming book “Build a Security Culture” to one of our viewers, and in the November Show Rebecca Herold gave away one of her books too. Thank you! Perhaps we have more give-aways in the year to come too!

Santa Mo

Why should you check out the show? When you struggle with getting your security awareness programs right, the Security Culture Show is there to help. We focus on different topics and challenges of creating behavioral change, and use the Security Culture Framework as a base for structure. Our guests bring front-line experience that they share. And both Mo and I have long experience in building security culture.

You may also consider watching just for laughs: the show is live, and while we do follow a quasi-script, things happen, stuff breaks, and laughs are to be had. It's only human, right?

Would you like to be a guest? Or do you know someone who should be? Let us know! Ping us on Twitter, G+ or your preferred tool. Do you have some awareness program challenges, questions or topics you would like us to dig into? Let us know! We will not even use your name unless you are ok with it!

Now, head on over to the Security Culture Show and have a serious laugh!

Spying in Norway: IMSI-catcher used to spy on the Parliament of Norway

Last week in Norway, hell broke loose. Aftenposten, one of the major newspapers here, published a story claiming that Oslo had been turned into a spy hub, where parts of the cellular network had been replaced by equipment run by a hostile third party. Someone is spying in Norway, and both the Parliament and our Prime Minister are being spied on. Aftenposten published numbers that, in their words, were extremely suspicious. So suspicious, in fact, that they alerted the government, the police and the public at the same time. Hell broke loose, with everyone believing that the numbers were as dramatic as claimed. (Image: Aftenposten.no)

Let us step back for a minute to understand what happened. Aftenposten, together with a so-called secure cell-phone maker, ran (or drove) around Oslo for a few weeks, collecting data from the cell towers. Out of some 50 000 (fifty thousand) records of cell-phone connection data, some 1200 were considered suspicious. 1200 of 50 000, or roughly 2.4% of the total data, was flagged by the device as suspicious. That may sound alarming, and we may even be tempted to consider that number statistically significant, until we look at what kind of events the device will flag as suspicious:

  • Switching between cell towers
  • Change in cell tower power received by the device
  • Moving between the bands (2G, 3G, 4G etc.)
  • Reflection of signals (as caused by bridges, tunnels, buildings etc)
  • Disturbance of signals (as caused by bridges, tunnels, buildings etc)
  • Signal abnormalities of any sort (tower down, tower having problems, general technical problems etc)

It does not take much to realize that any of the sources above can create weak signals and signal drops, events that the device considers suspicious, frequently and possibly without leaving a trace. To remove such errors, the 1200 events initially flagged were filtered down to 122 highly suspicious events, or critical events, according to the news. So out of the 50 000 records, a mere 122 events are found to be critical. That is 0.244% according to my math. Here is my problem: 0.244% is not, by itself, a statistically significant finding. Significance would require comparing it with the rate at which ordinary radio and network trouble produces the same kind of event, a baseline measured in a city with no IMSI-catchers, and the story offered no such baseline. It is not even alarming. It is just a small number that can easily be explained by a number of possible causes, of which the use of IMSI-catchers is one, and one that seems highly unlikely. There are a number of ways we may explain such a number just by looking at the cellular technology itself:

  • Cell phones use radio waves. Radio waves fluctuate, they are dynamic in nature. They move, they change and they bounce off of things.
  • Cell phone networks are computer networks. Computer networks are filled with systematic errors, some of which we never even find. A broken switch, an earthing error, a software glitch: there are so many possible sources of network errors. Tell me: in your networks, would 0.244% of events be considered significant? Most likely not. You might consider looking into it, but there is no way you would consider your network to be 100% free from errors.
  • Some companies and offices use repeaters to enhance their cell phone connectivity. These devices would trigger an event on the phone(s) used in the assessment.
  • Other devices may have interfered with the cell phone signals – both rogue and legal devices.
  • It could be devices owned and operated by police, e-services and other legal, Norwegian entities.
  • You are driving around in a city. When was the last time you did not have some occasional problems with connectivity?
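To make the baseline argument concrete, here is an added example (not from the original post, and not Aftenposten's or the phone maker's analysis). The three counts are the figures the post quotes; the background rates it tries are assumptions chosen for illustration, since no measured baseline for a city without IMSI-catchers was published. It computes how likely at least 122 critical-looking events in 50 000 records would be under each assumed background rate, which is the question a percentage alone cannot answer.

```python
"""Judging a count of 'suspicious' cellular events against a background rate.

Added example, not part of the original post. RECORDS, FLAGGED and CRITICAL
are the numbers the post quotes; the background rates passed to assess()
are assumptions for illustration, not measured data.
"""
import math

RECORDS = 50_000   # cell connection records collected while driving around Oslo
FLAGGED = 1_200    # events the 'secure phone' flagged as suspicious
CRITICAL = 122     # events left after the manual filtering


def rate(count: int, total: int) -> float:
    """Share of records falling into a category, e.g. 122/50000 = 0.00244."""
    return count / total


def binomial_tail(k: int, n: int, p: float) -> float:
    """P(X >= k) for X ~ Binomial(n, p), summed in log space so that very
    small terms do not underflow before they are added."""
    if k <= 0:
        return 1.0
    if k > n or p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    log_p, log_q = math.log(p), math.log1p(-p)
    log_n_fact = math.lgamma(n + 1)
    total = 0.0
    for i in range(k, n + 1):
        log_term = (log_n_fact - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                    + i * log_p + (n - i) * log_q)
        total += math.exp(log_term)
        if i > n * p and log_term < -745:   # past the mode and already ~0
            break
    return min(total, 1.0)


def assess(observed: int, records: int, background_rates) -> dict:
    """For each assumed background rate of critical-looking events caused by
    ordinary radio and network trouble, return the probability of seeing at
    least `observed` such events in `records` samples by chance alone.
    A small probability (say below 0.01) would make the count surprising;
    a large one means it is what a normal city produces anyway."""
    return {p: binomial_tail(observed, records, p) for p in background_rates}


if __name__ == "__main__":
    print(f"flagged:  {rate(FLAGGED, RECORDS):.3%} of records")
    print(f"critical: {rate(CRITICAL, RECORDS):.3%} of records")
    # Hypothetical background rates: assumptions, not measurements.
    for p, prob in assess(CRITICAL, RECORDS, (0.0010, 0.0020, 0.0025, 0.0050)).items():
        verdict = "surprising" if prob < 0.01 else "unremarkable"
        print(f"background {p:.2%}: P(>= {CRITICAL} critical events) = {prob:.3g} -> {verdict}")
```

With an assumed background rate of 0.25% the 122 events are exactly what chance produces; at 0.1% they would be astronomically unlikely. The conclusion swings entirely on a number the story never supplied.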

In my understanding of technology (and mind you, I am not an expert on mobile and cell-phone technology, I am just good at spotting the elephant in the room), a 0.244% anomaly rate is not really a big issue. Unless, of course, someone really is out there trying to interfere and listen in on my phone calls. So let us consider the IMSI-catcher technology too. An IMSI-catcher is a rogue base station that lures nearby phones into connecting to it so that it can read the IMSI, the identifier stored on the SIM card. The IMSI uniquely identifies the subscription, not the person: it is not the phone number, and linking it to a name requires the operator's subscriber database. A catcher that keeps a phone camped on it can also act as a man-in-the-middle and listen in on voice calls made from that SIM, typically by forcing the phone down to 2G, where the network does not authenticate itself to the phone and encryption can be switched off. Unless you are just picking random numbers to listen in on, identifying the right person to wiretap may be a challenge. Of course, if you hack into the databases of each of the telcos here, you can just look it up yourself. But if you hack your way into the telcos, why not just do the wiretap directly, and get access to SMS, data and location as well? Or why not just create a «secure» communication app, have people register to use it, and then listen in on everything they do? Or, why not do like Huawei did when they replaced the backbone of the two major telcos in Norway a few years ago? If you want to own me, own my network core!

From my perspective, this whole story is another example of cheap FUD: Fear, Uncertainty and Doubt. The newspaper Aftenposten is playing the kid who cries «Wolf! Wolf!», and everybody runs to the field to save the sheep and hunt the wolf. Only, there is no wolf. In the story, the kid got away with it a few times, before people started to ignore his calls. One day the wolf came and took the sheep, and no one came to the rescue because no one trusted the kid's cries any longer. The same may become the issue here: what if there are no IMSI-catchers, and there is no foreign entity spying on our parliament and the embassies and hotels and what not? All there is so far are speculations without clear analysis, no proof, a lot of crying, and the usual panic of pretending to do something while we have no clue what is really going on and what we should really be doing. Let's get back to the news stories:

As of December 17th:

  • No IMSI-catchers or other devices have been found
  • A number of the critical anomalies reported are being dismissed
  • Investigations are in place to find the IMSI-catchers the paper claims are there
  • The blame-game is going around the table («We did not know», «This is not our domain», «This is someone else´s responsibility»)

I may be too quick to dismiss this event as nothing but a trick to sell papers. Perhaps the journalists and the editor printed the story out of good will. Perhaps some nation, a group of criminals or someone else does have a network of IMSI-catchers in Oslo. I still would like them, and their readers, to ask the question

«Who is benefiting from this story?»

The answer is pretty clear: the paper, the secure cell-phone maker, the FUDers out there, and very few others.

I would also love to have the paper consider its responsibilities towards society: perhaps it would have been better for all if the police / e-services had been informed and allowed to investigate the issues before the story went public? Or was it more important to sell papers and create havoc?

—Disclaimer: technology is being used to spy on us on all fronts, and the possibility that rogue cell towers are being used, is real. —

Book Review: Data-Driven Security

It was a great pleasure to read Jay Jacobs and Bob Rudis's book Data-Driven Security: Analysis, Visualization and Dashboards. And there I spoiled the whole review. This book is solid. It's amazing. It's a great resource on how to understand, build and run your very own data-driven security systems. It is, basically, everything you need. So just go and buy it already if you don't have it. No need to read more of this review. Unless, of course, you want to.


The book (get the physical, printed one) is a beauty. It is not very often in the days of e-books and print-on-demand publishing that my hands and my eyes can behold such a well-made and beautifully designed book. Yes, I am a book geek who loves the old hand-printed books of past centuries, but now I am digressing. Although it is a soft-cover book, as soon as you open it up you realize that the design of the content and the cover was made by one team: the same colors and symbols are used throughout the book, making it a breeze to read and very easy to understand. Of course, Wiley know their stuff, and when they make an effort, they really do deliver. Why do I carry on writing about the book's colors and design, you may ask? Well, when it comes to books like this one, where the authors have a clear mission to teach you a new skill set in an area that may be considered extremely boring and technical (by some), presentation becomes key. Interestingly, Jacobs and Rudis make presentation a key element throughout the book too: not only are they deep into technical security, data modeling and analytics, they understand that presentation is vital if they are to 1. make sense of the data, and 2. help others (read: C-suites) understand the data.

And I love nothing more than people who apply their own teaching in their actions. Kudos!

So what is this book all about?

Jacobs and Rudis set out to teach you how to better understand your security data by demonstrating how analytics and visualization of your data create meaning out of numbers. They apply programming tools like Python and R, and the book is filled with sample code. Unlike most books with code examples, you can read the book cover to cover without coding anything and still get their message and meaning. If you want to build tools and try it out yourself, the code examples and explanations are there to help you do just that. And the color coding of the book, the graphics and the visual appearance of the content make you want to go on. And on! Until you realize you have read it all.

The book takes you on a journey from the history of making sense of data, via learning to use R and Python (and when one is better than the other), through different statistical methods, understanding outliers, means and modes, to visualization and which design you should use for your graphs to make them convey the most important information. They also look at dashboards, and their usefulness (and how some are not useful). I particularly liked the part where they use the SANS Institute Security Program Effectiveness Metric to show how you can build a security awareness metrics program, and visualize it.

I am not sure which complements the other better: the content and knowledge of the authors, or the design and layout of the book.

This is a well written, hands-on, great resource of data-driven security, presented in a package of high quality.

Oh, you also get a free gnocchi recipe with the book; Rudis is a hobby cook!

What are you waiting for? Get it now! It is so worth it!

Not into affiliate links? Use this direct link.

Book Review: CSA Guide to Cloud Computing

I have been reading a lot lately, and it is time to write some reviews. First up is The CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security, which sets out to be the definitive guide to understanding the pros and cons of cloud computing, based upon the Cloud Security Alliance (CSA) body of work across domains, industries and countries. Written by the founder and CEO of CSA Jim Reavis, the CSA Ireland Chapter President Brian Honan (CEO of BH Consulting), and the CSA Chief Innovation Officer Raj Samani (EMEA CTO, McAfee part of Intel Security), the book is comprehensive, detailed and well founded.


Disclaimer: I am myself the Chapter President of CSA Norway, and as such, I am biased towards CSA. 

The chapters of the book are well structured and cover anything from an introduction to cloud and a definition, via threat models and challenges with implementation, to best practices, research, opportunities offered by the cloud, and the future. I am particularly happy to see a full chapter dedicated to privacy issues and how to handle them in the cloud. Privacy is a growing concern, and one that companies can no longer avoid taking responsibility for. The chapter on incident response in the cloud is relevant and valuable to many SMEs who may not yet have such plans in place.

My favorite chapter is Chapter 5: Making the Move into the Cloud. This chapter lists requirements and a high-level checklist an organization should work through when (or before) moving into the cloud. Again, I see high value especially for the SME market, who may not be very well versed in all the aspects of managing risk. I find Chapter 6: Certification for Cloud Service Providers of special interest too. One challenge many customers face when they are looking for cloud providers is the question «How do I know that they know / do what they claim?», a question that can be very hard for companies to find adequate answers to. The book explains what the CSA STAR certification is and its value to both providers and clients, so the question can now be answered with «We have the STAR certification. Here is our documentation.» This chapter also lists a number of other certification bodies which may be relevant to cloud providers and clients.


A challenge a book like this faces is that of being too technical, thus rendering itself irrelevant before being printed. The authors have done a good job avoiding this pitfall by using business model examples, and generic technical examples.

All Good?

Is there nothing negative? Personally, I would have liked to see more directly applicable tips and checklists, and the focus of the book to be a tad more practical, in the sense that I would love to take the book, just work my way through it, and end up with a viable cloud solution for my company (well, for our clients, that would be).

A note to the publisher Syngress: the cheap paper and the black-and-white printing of what I am guessing are colored models make the physical book feel a tad cheap and amateurish. I expect a professional publisher of your caliber to proof-print the book to check the readability of models, graphics and illustrations. Unfortunately, you did not, and the result is that most models, graphics and illustrations appear blurry and some are even hard to read. For example, in figure 4.5 the grey shades are hard to tell apart, making it impossible to make any practical use of the figure. The same happens with figure 4.6 and many others.


I like the book, I believe this book will be a valuable asset to both cloud providers and cloud customers. BUY!

Or if you do not want to be tracked by the affiliate link, use this instead.

A proud Fellow to the National Cybersecurity Institute

The National Cybersecurity Institute (NCI) is an academic and research center located in Washington D.C., dedicated to assisting the government, industry, military and academic sectors in meeting the challenges in cyber security policy, technology and education. The NCI has appointed a series of special advisors to help it create more value and better cover the cybersecurity landscape. I am one of these advisors, and they call me an NCI Fellow. I am very proud to be appointed a Fellow at the National Cybersecurity Institute.

As a fellow, I provide my insights, comments and questions regarding cybersecurity and security culture through discussions and my writings. The NCI explains:

The National Cybersecurity Institute draws on the best minds in cyber security to inform its strategic vision, and to fuel Excelsior College’s cyber security curriculum. This positive feedback loop ensures our students access the best education and talent in the world. NCI Fellows are important contributors, serving as key contributors, advisors, and presenters on behalf of the NCI.

I am not the only fellow; a number of very intelligent and knowledgeable people are on that list, some of whom I have had the pleasure of working with in previous projects. You can see the impressive list here.

The NCI is owned by Excelsior College, which specialises in cybersecurity education. Excelsior College Cybersecurity Programs are certified to meet the Committee on National Security Systems (CNSS) Training Standards.

The cloud security rules: Five factors to consider with the cloud

Cloud services are a sector that is still growing strong. As part of the Information Security Buzz question for the Expert Panel in October, I looked into the five factors that every organization should consider when moving to the cloud. Cloud security is an important consideration for companies, and knowing what to consider is a great help. Use my advice to get you going!

The answer is based on the tips in the book The Cloud Security Rules from 2011, available here.

You may pop over to the Infosecuritybuzz website, or watch my answer directly below.

As always, your comments and questions are welcome!

Hacking Your Mind: How you are being exploited by hackers of all sorts!

As part of National Cybersecurity Month, I am traveling the country giving my talk on Hacking Your Mind – How you are being exploited by hackers of all sorts! pro bono to public and private organizations alike. Here are the slides, the notes and so forth! As always, I am better in person ;)

Below are each slide (and the videos) with my speaker notes. Enjoy!


Hi and thanks for attending this presentation on how you are being exploited by hackers of all sorts!

Welcome to Hacking Your Mind!

My name is Kai Roer, and this presentation is all about me. So let me start:


I have been working with leadership, computers and information security since 1994, a ride that has enabled me to write several books, travel to more than 30 countries, and appear on radio, TV and in printed media more times than I can remember.

Simply put, as you can see on this slide, I am an awesome guy!

But don´t take just my word for it:


Rather, take a look at what some of the people that I have been working with over the years, say about me. Obviously, so many people saying so much great stuff means something, right?

Not only am I an awesome guy, I know what I'm doing too!

And there is more! People from all over the world go nuts when I'm around.

That is what I do. I hack their minds. Into doing what I want.

Today, I am sharing some of the secrets about how the human mind helps social engineers and hackers make you do what they want.


I will be talking about how your mind is being exploited by hackers of all kind – from sales people to your boss, from the social engineer who tries to gain access to your offices, to the phishing attempt you are receiving in this moment.

Broken down, I will look at three mental mechanisms that play together to turn you into a victim.

  • I will look at how our social abilities and our need to be accepted and liked make it easy for someone to ask us for a favor.
  • I will show how our brains have evolved into a dangerous tool that prefers to take shortcuts, shortcuts that make you click that phishing link.
  • Finally, I will explain how social structures are being exploited to make us follow those who lead us into temptation.

But first, let us establish a fact.


That fact is: you like me. Yes you do! I made you laugh, and I have established myself as an authority on hacking your mind. You are curious, and even if you don't like the fact that you like me, the fact remains. You like me. Enough to make you vulnerable.

As you saw in the #HolaKai video, requests can be small, and non-intrusive, making it easier to comply. 

This trick is being used by hackers of all sorts to convince you that it is perfectly safe for you to spend your time and money with this person. It works like this:

As social creatures, we form groups of friends (and colleagues, family and others), groups of which we are members. We call these groups in-groups. Everyone who is not a member of a particular in-group of ours is automatically considered to be in an out-group, i.e. a group that may be competing for our resources, interests, politics and what not. Think of your favorite sports team. Your team is the best; other teams are... well, not relevant, right?

Think of a fellow fan of your sports team; let us call him John. John approaches you and asks you for a favor. You have never really spoken to John before, but because you are both fans of the same team, you agree to help him out.

Had John not been a supporter of your sports team, the chances of you helping him out would be slim.

So how do hackers exploit this vulnerability? Easy! They do what I did: they make you laugh, they make you enjoy their company, and they quickly build an in-group where you both are members. An example:

These are musicians. Or pleasure-hackers, if you like. They are making you feel good, because they want you to give them money. Take a close look at how they flirt with the participants (the camera in this case), and how they interact with the audience. All of it is done to make you give up your hard-earned cash so they can go and buy some beers (and there is nothing wrong with that, especially when they are also great musicians!).

A hacker would use similar tactics (possibly without the instruments!) to have you open a door to your office space, to ask you for information, or to have you visit a website that will automatically compromise your computer.

Now, let's take a look at how your brain handles those requests!


Your brain is an amazing computing unit. It handles a huge amount of different information at any given time – even when you sleep. It is also amazingly fast at arriving at conclusions, and there are bound to be false positives and negatives. In other words – amazing as your brain is – it is not without flaws.

According to Daniel Kahneman, your brain consists of two kinds of circuits: Lightning Fast Shortcuts, and Process Intensive Hard Work. Shortcuts or Hard Work – which do you think your brain prefers?

Just like me, your brain is lazy, and tries to avoid hard work as best it can! So if you leave the choice to your brain, it chooses shortcuts every time. Plain, simple and fast.

So how does your brain's laziness make you vulnerable to hackers?

Let's take a look!

(Recommended reading: «Thinking fast and slow» by Daniel Kahneman)


The best trick you can play on anyone's brain is to tell it that something is urgent. Somehow, when your brain thinks that we are running out of time, it just accepts anything at face value.

This shortcut has been used by marketeers since forever to make you buy stuff you never needed in the first place. A bad manager also uses this shortcut to make you do things he believes should be done (while good managers have learned a lesson or two from Dr. Stephen Covey's Time/Importance Matrix).

A hacker may use urgency in any number of ways. In a spear phishing attack, a hacker may send you an e-mail that resonates well with you, perhaps referring to a current and important project you are managing. The email may even be sent to you at a time when you are heading into an important meeting, and it may use a subject line that relates to the current project to catch your attention.

Because you are in a hurry, and the project is important to you, you are more likely to open the email and any attachments, effectively opening your computer and your workplace up to malicious code execution.

Stress and urgency make you vulnerable to attack. Hackers know that. Hackers exploit that. Your job is to slow your brain down and review the information requests you receive – every time, all the time.

Suggested reading: «The seven habits of highly effective people» by Dr. Stephen Covey


Humans are social creatures, we live in groups, we form complex societies. To make such complex societies work, we need rules and policies, and we need to be able to recognize friend and foe – preferably before said foe kills us. More importantly, we need to be able to recognize who is in charge – what is the pecking order, and where do we fit in?

Some studies suggest that humans are able to decipher the pecking order automatically, just like Kahneman's shortcuts from earlier. What is more, it seems this is so ingrained in our organism that even small babies are able to recognize the power structure of a group of people.

And there are, of course, tricks to use to make other people perceive you as an authority – tricks used by hackers all the time. You have already witnessed one such trick today:


By showing off what I have done, what I do, and what people say about me, I have effectively shown that I am someone who matters on this topic. I have established myself as an authority on the subject.

Of course, since I am here as a speaker, and you are here to listen to me, we have established that authority relationship even without the need for me to show off. However, by reinforcing the message, and giving you even more reason to build that awe, you are less likely to challenge me, and more likely to accept my claims at face value.

Just like the hacker wants you to do, too.


There are many kinds of authorities out there; this is just one example. The important thing about the power of authorities is the perceived value of their requests and orders, which makes them harder to refuse. In this picture, the command structure is clear and undisputed, and the soldier to the left follows the orders without question.

When you encounter people whom you perceive as an authority, you are less likely to question their instructions and requests. You are more likely to accept their arguments, and to do their bidding. You are, after all, accepting them as more knowledgeable, smarter, better or just more worthy than yourself, effectively stripping yourself of the power to say No!

Hackers use this strong urge to comply with authorities to force their way with you. One example is the so-called Windows Support phone call scam, where the "support person" on the call tells you to open your browser and visit a particular link. As a support person, (s)he is perceived by you as more knowledgeable, an authority, and because of that, you do not question the perhaps strange request to visit a website – a website that will have you download malware.


I have just told you about how your mind is being exploited by hackers of all kinds. Sales people, managers, social engineers – and your kids too!

The fact that you like someone makes you more likely to do what they request of you. So as a social engineer, I will use this to befriend you, and then make a request you would otherwise decline.

Next, I looked at how our heuristics, the shortcuts in our brains, make us vulnerable to urgency. Remember that next time you see a Limited Time Offer!

Finally, I shared some of the ways authorities may be using us, and how hackers use the pecking order to have you stop questioning their actions.


What questions do you have?

I may be hanging around in the shadows if you have any questions and comments you'd like to share with me.


Thank you for being here! I hope you had as great a joy as I did!