Cybersecurity In-Depth


Overcoming the Fail-to-Challenge Vulnerability With a Friendly Face

Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.

Once we acknowledge that one of the weak links in cybersecurity is us humans, the natural next step is to shore up that vulnerability, usually through training. But does watching a video or clicking through a quiz help you know what to do when you're actually faced with a security threat in the flesh? Probably not. So logically, you have to practice against a physical threat to learn how to deal with one, even when it comes in the form of a fellow who smiles at you in a goofy T-shirt.

Don't let this man use your computer, even if he asks nicely. (Source: Atkins)

The United Kingdom's Ministry of Defence (MOD), like most organizations concerned with matters of war and national security, is well aware of the importance of a security-savvy workforce. Military-affiliated organizations also have a strong built-in hierarchy that emphasizes compliance and makes it difficult for workers to contradict authority, sometimes known as the fail-to-challenge vulnerability. MOD needed its workforce to be able to assert themselves should they see a potential problem. To that end, the ministry teamed up with outside experts to create a program that gives people opportunities to practice recognizing — and even more importantly, responding to — physical security risks in what the UK MOD Cyber Awareness, Behaviours & Culture team (CyAB&C) calls a "malicious floorwalker" exercise.

Essentially, someone walks into a workplace and wanders around, trying to get people to do risky things, like letting them borrow a computer or scan a USB key.

"Grounded in robust psychological theory interwoven with social engineering practice, it is a way to manage human vulnerability rather than just uncover it," wrote behavioral scientists Simon Pavitt and Stephen Dewsnip in their Black Hat presentation. "By making it as obvious as possible that a challenge is required it leverages the social cues and psychological tensions felt by the individual, leaving them with no option but to raise a challenge."

Exercise Makes You Stronger

Back in 2020, Pavitt, a UK army veteran and civilian employee of MOD, solicited proposals for contractors to "help improve cyber awareness, behaviors, and culture" at the government agency. A consultancy named Atkins won the contract, which became the CyAB&C project.

The project's malicious floorwalker exercises involved a person wandering around an office site trying to provoke workers into challenging his conduct and presence.

"Lots of people have done penetration-type tests where they try not to get caught doing something risky – but we've not yet seen anything else where people are actively trying to get caught and in a lighthearted and humorous way," Dewsnip, the Atkins consultant co-presenting at Black Hat, tells Dark Reading.

Far from a tabletop exercise, the malicious floorwalker is an in-person effort that aims to get people more comfortable with the idea and practice of challenging other people's unsafe behaviors.

"We are using all the techniques of a social engineer, and the things that an SE would use to manipulate people, but we're doing it for good, not evil," Dewsnip adds. "What we do is not a test — it's an opportunity to practice a set of behaviors, in a safe space, that we're rarely given the opportunity to practice." 

Dewsnip is careful to point out that nobody fails this exercise, since the focus is on getting workers comfortable with new actions, not on assessing their current state of security knowledge. "We leave people with a positive sentiment toward challenging [unsafe behaviors]," he says.

And the data bears out that assertion. According to post-exercise questionnaires, 91% of the people who engaged directly with the floorwalker said they would now directly challenge things they thought were a risk.

'What Are You Lot Up to Now?'

While training employees to improve their security practices at a defense office is serious business, this lighthearted exercise prompted some hilarious interactions. For example, after one exercise, Dewsnip says that when the floorwalk team went outside to have their lunch, "we were suddenly heckled from that second story with people shouting things like, 'What are you lot up to now?' and, 'We can still see you!'"

Some people, especially those who were already confident in their security practices, took things more seriously, he adds. "We have had cyber policy quoted at us to prevent us from getting our way. We have been marched to security offices and have had others contacting the security team in secret via MS Teams, whilst keeping us occupied so that we couldn't leave."

Dewsnip points out that the funny reactions showed that the exercise was working. 

"People are engaging with the floorwalker," he says. "They understand that the floorwalker is there to be challenged and in a safe space, and in doing so, they're ... building that mental script required to challenge successfully and are beginning to become comfortable with it, overcoming some of the social anxieties or uncertainties that exist with challenging in the workplace."

Learning Lessons All Around

Almost everyone who engaged with the floorwalker felt more confident in challenging the next dodgy visitor. What other benefits has this project sown? Dewsnip says that managers of the sites they visited report that their employees "have successfully challenged others on things they were doing that could have been risky – including people challenging upward," meaning they're challenging those more senior than them, which is a big deal in a military setting.

The project emphasized making the exercise fun, giving people a chance to practice free from fear and punishment – hence the amiable floorwalker in the picture above, who has helpfully labeled himself "Cyber Threat." This reassuring attitude dovetails with the push in other sectors to create a culture in which people feel secure enough to admit when they've made an error.

"Far too often security and IT professionals assume employees know better or that they'll know how to act on or report suspicious behavior," Brian Wrozek, CISO at Optiv Security, told Dark Reading earlier this year. "Organizations can institutionalize a healthier security culture by conducting tabletop exercises to ensure employees receive hands-on practice in responding to different scenarios."

A security culture like that is especially important in life-or-death industries like medicine and aeronautics – and defense.