Employee Vulnerabilities

This month we are joined by Connor Swalm of https://phinsec.io to address employee vulnerability with non-punitive training methods.

Many security awareness programs attempt to address employee vulnerability through training methods that can feel punitive in nature. This can cause employees to disengage from the training they need to be completing and potentially removes all benefits of delivering the training in the first place.
Connor is the co-founder of Phin Security. He has been studying phishing and social engineering for the last 3 years in order to better understand human-based cybersecurity vulnerabilities and how we can prevent them. Connor started work on Phin Security in 2019 to help companies combat social engineering and human errors.

ITDUG Webinar «September 2021»

IT Documentation Users Group (ITDUG) is an online forum for IT professionals involved in systems and application management, process documentation, and compliance. IT Documentation Group strives to support today’s busy IT professional by providing them with a venue for sharing practical and usable information about documentation.

Video Transcript

Veronica Dunn  00:07

Welcome to your monthly webinar from the IT Documentation Users Group. This is a Facebook group founded in May 2018, originally as IT Doc, by Tracy Harden, whose picture is on the screen; she runs an MSP called Next Century Technologies. And then Allen and Eureka Process came on board to help admin the group. It’s been growing by membership pretty darn well, hitting 1000, 2000, 3000 members, and we’re certainly on target to break 4000 this year as well. The beautiful thing about more members is when you ask questions about documentation, you have more people to answer those questions. And let’s get into today. Allen Edwards founded Eureka Process, helping MSPs to scale by aligning people, process, and strategy. Connor Swalm is co-founder of Phin Security, helping small businesses protect themselves from cybersecurity threats. Today, we’re going to address employee vulnerability.

Allen Edwards  01:10

So yeah, let’s talk. Connor, you, I, and the rest of the team talked a couple of times prior to the webinar about what this presentation was. First of all, while we have a few slides, this is not really a slideshow presentation. This is a conversation. I think we said a few minutes ago, Connor, this is a conversation about humans. Yeah, we’re gonna touch on some documentation and some process, but this is the people element. As you said, I think you weren’t smiling when you said that, that’s the best part of business.


Connor Swalm

Yeah, your employees are your greatest asset. And I guess we’ll get into it later, they’re, at some points, your greatest vulnerability as well.

Allen Edwards  01:51

Highly noted. Um, so let’s talk about, let’s start with introducing the concept of employee vulnerability first, before we get into the grander human piece. I believe I can show the slide here. Here we go. Yeah. Let’s go one more slide forward, Veronica. The reason this becomes an issue, you know what, Connor, you’re the expert. You tell me why I care about this.


Connor Swalm

Um, according to, you know, I’ll say this: insert any threat report you’ve ever read, or vulnerability report. The most common form of, the easiest way, I should say, or the most common way that hackers get into companies, or the way that cybersecurity incidents occur, usually involves a human being at some level, and by human being, I mean an employee in a company. So whether it’s through, you put the two most common ways there, social engineering and phishing, whether it’s through that or whether it’s through using, you know, compromised passwords or something like that. Humans are typically the most common form of entry into a company, which is something that’s interesting, something that should be talked about.

Allen Edwards  03:13

Yeah, and I find most people in our space, IT services firms, are at least aware of this, right? You know, the guy who accidentally paid a bill that wasn’t actually from that vendor? Yeah. Of course, the Nigerian prince’s...


Connor Swalm

Yeah, or the most common one that I’ve heard now is the “I’m your CEO, and I need you to give me $300 in prepaid gift cards” or something like that.

Allen Edwards  03:40

Right. Okay. Um, so, I figure the answer is we have to work with humans to make that better.


Connor Swalm

Yeah, absolutely. There’s a phrase that some people use called the human firewall. I don’t particularly like that phrase, because humans are humans; they’re not ones and zeros. So it turns out that in order to help a human overcome this vulnerability, or to change the way they act, you need to treat them like human beings and work with them like they’re human beings, and understand that humans make mistakes and are not just these computers with, what did you say when we talked last, the computer we have is the gray matter between our ears, or something?

Allen Edwards  04:21

Yeah, like, you know, our computer’s just too complex to understand yet.


Connor Swalm

Yeah, yeah, I’ll say forever, but I’ll let you say yeah.

Allen Edwards  04:30

I don’t know the future. So before we get too far, I am curious from our audience what the stance is on what they’re doing now for employee vulnerability, human vulnerability. So we do have a live poll that we’re going to share on the screen here. You’re going to be able to vote by going to swiftpolling.com. Just type that into your browser. You can also text to 760, enter the code 14795, and cast a vote. So first of all, do you have an expectation, Connor, whose audio we can’t hear yet? I’ll ask him to come back on. On what you’re going to find in this poll?


Connor Swalm

Yes. So I cannot yet. I expect frequently to be the most accepted one. Never, I would be worried if somebody put never, but please don’t, I’m not going to know who you are. So please put that if it’s being honest. But I expect frequently or often to be the most...

Allen Edwards  05:33

Interesting. And well, what? So the question is, how frequent is the security training at your organization? So what do you call security training?


Connor Swalm

There’s a difference between what I call security training, what, so let’s talk about what specifically security training is. It looks many different ways. I’m sure everybody has been through a security awareness seminar, right? Somebody comes into your office, and, let’s say, it was pre-COVID things, obviously, but security training could be anything from a live thing where somebody comes in and trains you for a couple hours, to watching a video on your screen, to attesting to a policy that you ended up getting prescribed to you. It could look many different ways. It’s just the digestion of some form of content and then maybe an assessment at the end, maybe not. That’s the definition of training in my mind.

Allen Edwards  06:28

Ah, and so you think that most people are going to say that they do this frequently?


Connor Swalm

Frequently or often? Yeah, I don’t know. I don’t know what the, they look the exact same to me. But maybe now that I said frequently, everyone’s like, no, I’m not gonna vote that way.

Allen Edwards  06:48

I was taught her to be wrong. Yeah,


Connor Swalm

I am. I’m okay being wrong. I’m wrong so much that when I start to get right, I start thinking about things differently, you know. But I would think often and frequently mean roughly the same thing. And we can, I guess, if there’s gonna be some interaction with the audience in a bit, they can tell me what often really means to them. Because, you know, Allen, to some people often would mean every quarter. But to some people training would mean every day, often would mean every day, and to others it means every week and every month. And...

Allen Edwards  07:20

We actually created a rating system here to talk about how our meetings are. And we’ve switched away from numbers and stars and thumbs up and thumbs down. And we went back to words, feeling words: bad, okay, good, or great. We call it the BOG rating: bad, okay, good, great. And this is because, first of all, we’re not actually scoring anything; just like in this poll, we’re just getting a feel for where people are. Yeah. And using these feeling words is good enough to get people to respond. Yeah, like I said, frequently was avoided. Connor does not want to be right. And what is continuously, Connor?


Connor Swalm

Continuous means that there’s an uninterrupted flow of new training that an employee is exposed to, that specifically addresses training needs that that specific employee has. So what I mean by that: training often could be clicking go on a video through your learning management system every week or every month. But training continuously would be if your employees are enrolled in some kind of process that you have where they get training, maybe that’s job-specific to themselves, and it’s updated every week or every month with specific modules that they need, or maybe it’s updated based upon their previous feedback or their surveys. One thing that I highly recommend companies do is, I know it’s a weird concept, but ask the employees. It’s like, hey, how do you feel about this? Like your BOG grading, I love that idea. Ask them how they feel about this. And depending upon that, maybe you want to adjust the amount of training or the type of training employees get, whatever it ends up being. But the continuous training process would adjust itself to the employee to make it as good an experience as possible.

Allen Edwards  09:05

So there are a lot of powerful tools out there that people are selling, monthly subscriptions, thought processes on how do you help train employees, humans, to do this, but there seems to be a lot of exploits still. I know my cyber insurance policy has tripled this month. Um, what are the challenges that we’re still facing? What’s not working now? What’s the hardest work these days?


Connor Swalm

How do we get it to work these days? Is that what you said? Yeah. The hardest challenge is, I’ve never put this into words, I guess the hardest challenge is the speed at which new vulnerabilities can arise, right? Specifically, I mention this because we saw the same thing happening with phishing and COVID-related emails. When COVID became a thing, it was all of a sudden. In like January, COVID wasn’t a thing; you sent out a COVID email, everyone would just, you know, it’s spam, what is COVID? But then March and April rolls around, and phishing and clicks on just anything that had the word COVID in it went way up. And so what that’s an example of is the training that users, or that individuals, are receiving often lags behind the need or the complexity of their real world, of the real world of their job and the way they interact with people. That’s one of the challenges. The second is nobody likes training. Well, I don’t want to say nobody, because that’s a blanket statement. But very few people I’ve ever talked to enjoyed the training received in any area, not just cybersecurity. So that’s pretty much it, those two challenges. You solve those two things, and you’ve solved training for everybody. Sweet. Easy peasy. Yeah, just easy peasy.

Allen Edwards  10:51

It’s kind of like saying, hey, I told you to do this. And then if it still doesn’t get done, why? All the 1000s of reasons it didn’t happen. Yeah, I don’t know how, I didn’t want to, ran out of time, other priorities. So many. Alright, so we have to work on changing their behaviors, which is another science. Yeah. Um, you also mentioned, like, they don’t like having to do these things. They’re just not interested in security. And I can see that: hey, you hired me to do X, why do I have to learn all this stuff about security, how to verify an email address? And you also mentioned the concept of punitive training. Explain that to me.


Connor Swalm

So I’ll explain this through some conversations, candid conversations, I’ve had with employees of our clients. When I ask them, what was your previous learning experience like? What is your current learning experience like? Can you describe the process? What did you like? What did you not like? The story they end up telling me is that, specifically with security, they get phished, they fail some form of assessment, and then they get enrolled in a video that they feel a couple of ways about. It doesn’t actually help them recognize phishing emails, right? They know they should hover over buttons, and they shouldn’t click on things that look suspicious, but they do so anyway, because they’re in a tizzy or whatever, they’re moving along pretty quick. And the second thing is they feel they’re being punished. So when they feel that they haven’t been properly prepared to recognize these phishing attacks, or when they think the training is not going to benefit them, but then they’re forced to go through it, that’s when they start getting angry, when they start getting upset. And every employee I’ve talked to about their training has told me a variation of the exact same story: I mute the video, put it on my second monitor, or I walk away from my computer, I walk my dog and play with my cat, I just go see my kids, whatever the story is. It’s like a sticking-it-to-the-man mentality, where they’re like, um, you know what, I’m not going to be a part of this process, because I don’t need to be, because I know that I don’t need this training. That’s where the punitive training brings out that kind of mentality, which...

Allen Edwards  13:02

You also said a key word in the very early part of the description, that was the word fail. Yeah. I mean, is there any hope when you start with the concept of you failed something, therefore?


Connor Swalm

No, no, and it’s a sticky subject. And actually, one of my good friends, his name is Jason, he’s also in security awareness. He actually helped me change my terminology around this, like, adversarial mentality that exists around employees and training employees. Instead of repeat offenders, like people who continuously, like, as you said, fail these tests, call them repeat responders. They’re doing what you ask them to. They’re responding to these assessments. They may or may not be responding in the exact same way you want or you’d like, but the act of responding is all you need. Because then you can step in, you can give that employee more support, you can help them in a different way, whatever it needs to be. But as long as they’re responding, they’re continuing to be a part of the process. I really like that.

Allen Edwards  14:02

Words matter. We have a couple of blog posts, and we talked about this internally as well. We have a whole vocabulary that we try to eliminate and replace with different words. Employee is one of those words, by the way. Team member, teammate.


Connor Swalm

I like it.

Allen Edwards  14:19

There is one exception to the employee rule, which is sometimes if you’re writing something like a handbook, you are actually possibly required by law to indicate that this is an employee relationship. But with the exception of those rare cases, yeah, teammate, team member. I just like, we don’t say contract, we say agreement. But words matter. And this is where we’ve talked many times in our pre-webinars about humans: we have to do things that aren’t always logical to improve behavior. So we have to learn to speak the language. Like, a story I’ll share: we had this tier three technician. They’re always the worst. Nobody liked him because he was rude to everybody. But he got stuff done, right? Like, he was really good at the technical work. And he literally did not understand the human element. I asked for this, why did I not get this? Why are they crying, and why there’s no tears in it?


Connor Swalm

Crying, there’s no tears in it, like that.

Allen Edwards  15:23

And so after some coaching opportunities, notice these word changes, we’re here having our coaching opportunities, I realized he really did not understand, was wired different than many of the rest of us. So I asked him for something in ones and zeros, like, hey, could you please start every email and Slack message with please, and end it with thank you. Don’t worry about context, just do those two things. He did; he probably wrote a script for it. But a week later, the rest of our team had come back, like, hey, what did you tell this guy? He’s so much nicer now. It doesn’t necessarily make logical sense that the rote response of, please, Connor, could you do this for me? Thank you. Um, those three words added made a difference in human behavior. So we just have to actually speak a language our audience understands. I love examples of empathy. For one more example: we’re keeping our roommate’s dog, at dog training. And the first question the dog trainer asks us is, hey, what language does your dog speak? And I live in a multicultural household; our answer could have been English, Spanish, Czech, or Slovak. Turns out the answer was dog.


Connor Swalm

It makes sense that...

Allen Edwards  16:42

This is how you communicate in dog language to your dog, so they understand you better. And I think that’s key for this problem of how to change human behavior.


Connor Swalm

Yeah, you need to be really keenly aware of who is the audience. Because a lot of people, not just IT, not just cybersecurity, not just like that technician you’ve talked about, they start to lose a sense of who they’re talking to. They talk, and they project how they would like to be communicated with; as you said, that’s exactly what happened to your IT guy. As opposed to thinking, how does this person that I’m interacting with, how would they like to be talked to? How can I adjust my message to better connect with them? Because at the end of the day, the whole point of communicating is, you know, you communicate what you want, and that supposedly has an impact on the way that person behaves. So go ahead, sorry.

Allen Edwards  17:39

Oh, my bad. You gave me a great parable story about what happens when you judge people based on how well they know security and check emails. What was that story?


Connor Swalm

If you judge a fish by its ability to climb a tree, it will live its whole life thinking it’s stupid. So, how many, learn many things fishes are great at; climbing a tree is not one of them. And I believe, well, yeah, hope nobody has epilepsy. I believe that’s Albert Einstein, don’t quote me on that, Albert Einstein’s quote, maybe. But I believe you’re about to go into where’s the security connection to that, right?

Allen Edwards  18:25

Well, I mean, to me it’s obvious, but tell me more, because I didn’t hire a bunch of security experts, right?


Connor Swalm

Yeah. Um,

Allen Edwards  18:31

You might have. I didn’t.


Connor Swalm

I hired some software developers. Well, I guess we’re more security minded. But the whole point is, if you replace fish with anyone, an employee, or, it doesn’t even, a team member, I’m gonna start using that now, you’ve convinced me, now I already look for, is there danger? They’re not, you didn’t, as you mentioned earlier, you didn’t hire many of your team members to do cybersecurity. But they’re required to know it at some level in order to interact with each other and with the outside world safely. But if you judge that, I’m sorry, I almost said it again, that team member solely on their performance in that area, they’re going to get super upset. They’re going to continuously, I don’t know what the word you guys use for fail, or they’re going to continuously not be able to interface properly with those assessments. They’re not going to respond well to any training they get after that point, because they feel like they’re getting judged based upon their ability to climb the tree. And you mentioned the mentality earlier, and even though you may have been saying it tongue in cheek, like the employee’s like, you hired me to do X, Y, and Z, not stupid security. I’ve actually had that conversation with employees before. So it’s not something they’re unaware of; they’re acutely aware of, like, I don’t want to do this because why do I need to be doing this, and all these other things. And that’s where the whole concept of I’m gonna mute this and move on with my day because I’ve got better things to handle comes from. So you’re absolutely right.

Allen Edwards  20:00

I mean, speaking of the human condition, I mean, who likes change, and who likes being in a position where suddenly you don’t know something? Right? You feel stupid. Unfortunately, even our educational system, and I mean this generally, worldwide, tends to give us the feeling that mistakes are bad. Yep. There’s a story I’m quoting from some famous book, so I have stolen this story. Please don’t quote me on this. You know, some team member makes a $6,000 mistake. It’s expensive. Oh, my gosh, we have to pay this bill; it’s an employment mistake. And the CEO is sharing the story with one of his mentors over coffee, and the mentor says, man, so did you fire him after that? It’s like, what do you mean? I just paid $6,000 in training. It’s an opportunity to improve. That’s the whole point of the security awareness training, right? Yep. Hey, you have this learning opportunity. Let’s learn. It wasn’t a failure, thank goodness, because you were actually testing ahead of time. Absolutely. Even for the big failures, if you learn from it, it had some value. Correct.


Connor Swalm

And that is why I just wrote a blog on this: fail is first attempt in learning. I really do like that.

Allen Edwards  21:17

I remember when Adam first shared that with me from our team, as I wrote that in the channel. We have one channel that says “shit Allen says”. Love repeating things.


Connor Swalm

No, that, fail is first attempt in learning, that’s absolutely right. We all make mistakes. And if you jump down a team member’s throat because they made a mistake that anyone thrown in that position would have almost certainly made as well, it’s not only a message to the rest of your team members, it’s a message to that specific team member. A whole bunch of leadership books on that and whatnot. But it’s absolutely right. Absolutely right.

Allen Edwards  22:01

I’ve got to say, I certainly make my share of mistakes, learning opportunities. But I remember the stuff that we teach; we try to be experts in what we teach, practice what we preach. And I’ve been working on some of our new team members here: okay, now that we’re past the training period, we need to start putting time on tickets and following your systems, right? And yesterday, I almost posted a message, and they’re gonna now see through me, that was like, okay guys, we’ve got to get these numbers up, these metrics, these KPIs. I stopped myself, and I recognized that I pretty much said that a few days ago; the numbers have improved. My response was, hey, these pieces are heading in the right direction, great job team. Adam added an attaboy to the list. And I mean, we got the message across; we’re still working on it. But everybody did improve. So why break progress?


Connor Swalm

Absolutely. I gotta meet this Adam guy. Sounds like he has a lot of good quotes.

Allen Edwards  23:07

I can see his video in the green room, and he’s making the offer. And I think he’s pretty stoked.


Connor Swalm

Yeah, no, you’re absolutely right. To put it in a different context, the exact same thing in a different context: very popular clinical psychologist Jordan Peterson, he has roughly the same quote when it comes to relationships. If you see something that your spouse or your significant other is doing that you really like, you want more of that, go out of your way to recognize it. Yes, go out of your way. Because if you want more of that action, or that thing, or the way they communicate, they need to be aware of that; you need to communicate that. At that point, now it’s an expectation that you need to communicate with them.

Allen Edwards  23:45

And for those of us who are owners, we’re so used to, you know, tweaking your systems, getting things flowing right. And we’re looking for exceptions, right? Like, okay, what’s wrong here? What can we fix? And, by necessity, we can’t look at every success, right? We have to expect those; we have to deal with those first attempts at learning. But at the same time, we’ve got to work with the humans, our audience, to get the responses that we want out of them, which typically comes from a place of positivity. I know we use this analogy a lot in the pre-planning: carrot versus stick. Yeah, you know, you click the wrong link, you must watch the video. That’s a stick. Right? So, bringing us back to employee vulnerability, what are some possible solutions on how to make this easier, better, more comprehensible by all humans?


Connor Swalm

Can we say less sticky and more clarity?

Allen Edwards  24:42

Those are definitely words. Absolutely.


Connor Swalm

I’m all for making up words, right? As long as it gets the point across. Exactly. The first step is really on the employee, or, CSM, team member side, on the team member side, is getting them to understand, okay, why is this training that I’m going through specific to me? So oftentimes it has nothing to do with the way you’re delivering the training or whatever; it has to do with the actual training itself. As this employee, either it’s not, can you say it again, team member?

Allen Edwards  25:16

Connor’s doing great.


Connor Swalm

Not a, it’s not communicated to them properly. Okay, why do I need this? How is this important for me, for my job, to make me a better part of this team, essentially? So the first step that I would say is communicate the need for the training. And one way that we do that is we ask every single, specifically one of our clients, it’s like, you should have the stakeholder make a video that says, hey, this is why the training is important. And we put the list together; we’re like, you need to tell them it’s important because it keeps everybody secure, makes sure you wake up and you can come to your job tomorrow, makes sure that we can continue employing you, and makes sure that our company is still here, the culture we’ve created still exists.

Allen Edwards  25:55

So okay, why? That’s an important concept for everything you do. I mean, every time you write documentation, are you answering the question why? I mean, every process we write, aligned, hearing, every process we write usually has a short sentence or two at the very beginning about why do we have this process? Hey, you know, besides the generic every process, why do we have it? It’s like, okay, we have this process because, you know, once a month we’re trying to achieve this result; this is why we chose once a month; this is how we got here. And then the process. So we understand the why. So I do think that’s critical. Great idea.


Connor Swalm

Yeah, absolutely. And the second is being acutely aware of, so this is more on the employer side of the, what’s the opposite of the team member for employee, but what’s the phrase for the employer, the owner, or the...

Allen Edwards  26:47

Hmm? Yeah, owner, employer, boss.


Connor Swalm

Yeah, um, as an owner, you need to be acutely aware, or whoever’s in charge of this, of the employees’ ongoing training: be aware, is it punitive in any way? And what I mean by that is, when they, when they say fail here, because it’s what people expect, but when they respond in a way that you don’t enjoy, you don’t want, or you want to change, how do you respond to that as a company? If the answer is load them up with more training, right, they’ll be good to go, you know, give them another hour, essentially, you’ve missed the point. The employee responded, the team member responded in, maybe not the way you wanted, but what they need, instead of more of the exact same thing they failed, is support. So there should be a whole different process that you end up going through with that employee that encourages them to behave differently. So it still encourages behavior, but encourages different behavior, and doesn’t really make them feel like they’ve been, like, if you want to look, you know, at any of the old movies you watched about, you know, nuns and schooling, it’s like rapped across the hand with the wooden stick. Employees hate that; everybody hates that.

Allen Edwards  28:03

Which supposedly built either superheroes or supervillains, and rarely an average person.


Connor Swalm

Right? Absolutely.

Allen Edwards  28:12

How are you, this, so why, he said. Answering why is one of them, and of course, having authority by the leader of the company. Yeah. What are other ways?


Connor Swalm

So, not being punitive, the second, or I guess it’s on the screen right here. Well, I’m looking at it over here. Make it interactive. When it’s interactive, when you’re doing something, not only do you tend to retain that information for longer, because you had to involve many different parts of your brain in learning these things and going through it, but when it’s interactive, it feels like you’re a part of the process, not just the recipient of it. I probably just touched on something process-oriented that you would love to discuss. Being a part of the process as opposed to receiving it is a very important thing, in my mind. It’s...

Allen Edwards  28:53

Huge. So many times we dictate from on high. Yeah, delivering the why certainly helps, and it’s a great way to deliver vision, perhaps. Yeah, but when you’re talking about somebody else doing all the work, being held accountable for the process, getting their involvement in the process is so key. We recommend, you know, people are in the meetings, people are part of the decision-making process, and that the people who are doing the execution are creating the process. He’s rolling out the structure, the sense of pride, sense of belonging, and that true teammate mentality.



Connor Swalm

Yeah, absolutely. When people feel like they’re a part of something, it creates this weird, I say weird, but it creates a sense of camaraderie, creates a sense of, as you said, pride in what you’re doing and who you’re doing it with. And if you took it from the other perspective, and, as you said, dictated from on high, and your team members are no longer a part of that, they’re the recipient of something, in the same way that, you know, they can hold out their hand and get something handed to them. That doesn’t make them appreciate what was put there; it just makes them a recipient.

Allen Edwards  30:00

Right, which is a very different type of stakeholder.


Connor Swalm

Correct, almost like a customer of sorts. And then the third thing that I would recommend is the training needs to be continuous. So we touched on the continuous nature of training, and I described it a little bit earlier. So why is that necessary? People act, no one say, people like, but behavior is a constantly changing thing. So if you’re not continuously updating not only expectations, but continuously updating the type of support your team members are getting through ongoing training, their behavior is gradually going to diverge from what you expect, right? There needs to be this continuous process where you are reminding people of what to do, how to do it, when to do it, why they should be doing things. Remind them of the why, I guess, is the biggest reason for ongoing training.

Allen Edwards  30:56

Very good. So obviously, today has not been specifically about security, right? It’s been about human nature, what we have to do as humans, and it applies to so many things. Connor, I’ve noticed that several of the quotes or references you’ve had, it sounds like you’ve been reading psychology books in order to implement a successful vulnerability assessment, scanning, training program. Is that something you identified early on as a necessary step?


Absolutely. Um, I think human beings are the one part of cybersecurity that is not well solved. It’s an interactive, or intractable, problem, is what I’m trying to say: we’re consistently changing. So software is not going to make a human do much better. But what will do better is if humans begin to relate to humans better and change the way humans behave together. So absolutely, I actually started this journey reading psychology textbooks, understanding leadership principles, and reading probably all of the same, some of, most of the same books you are. And then that’s actually also, in a way, I’m glad you brought this up, in a weird way, has influenced the partners we’ve made as a company. So not just our clients, not just the people that I’ve decided to work with that I’m very happy are part of our team, but the partners in terms of professional relationships that we’ve made in this industry, specifically now security awareness, also hold the same perspective. What I’ve found is it’s really rare, it’s rare for a cybersecurity company to start not with the cybersecurity but with the psychology behind it, which is where I start, which is where I thought was the best place to start. But super important.

Allen Edwards  32:48

So I’m always cautious during our ITDUG presentations. We’ve had a few sales pitches that we didn’t want to hear. But I’ve got to know more about your products. I’m trying to understand the difference in the, I’m not a security expert by any means, I do, I’m aware of some names, some vendors, what they roughly do, so yeah. So with Phin Security, what is it? What does it do and how is it different?


So there’s a few ways we’re different. I’ll start with where we started in Phin Security, is we got completely away from traditional security awareness training. We actually didn’t even have a learning management system with content up until a few months ago, because we wholly believed that was not the thing that was going to change employee behavior. We started with creating kind of handheld tours of the vulnerabilities that employees end up responding to incorrectly, I’ll use my own phrase, responding to incorrectly. I’ll give you a very specific example: an employee gets phished with one of our emails that we selected for them. Instead of a video, instead of a blog, instead of a YouTube link, instead of some type of static process that they’re put in front of, it is the exact same phish that they just responded to incorrectly, with a handheld guided tour that they need to walk through. So they need to hover over links to see what ends up coming up. They need to open up sender information to see what is there. They need to hover over the file so they can verify what the extension is, so it’s not an executable, it’s an actual CSV file. And what we’ve seen is that process, instead of taking five minutes for an employee, or sorry, a team member, to end up passively receiving, they spend 30 seconds hovering over links, clicking things, looking at things, reading the text that we put in front of them when we highlight things, and it gets specifically to the exact type of training they need. It’s: these are the three things you missed. You didn’t miss a video about, you know, you didn’t miss the things that are in a video, but a phish that everybody’s seen 47 times. You missed these three specific things in this phish today for these reasons. So sorry, go ahead.

Allen Edwards  34:56

I love drawing parallels, even though I don’t want to reduce anything to some simpler concept.


No, making it simple makes it way better, please do it. Yeah.

Allen Edwards  35:05

Which is my team tells me that simplification is not my superpower.


It’s not mine.

Allen Edwards  35:12

I remember taking certification tests back in the 90s. I’m dating myself. And a few of them got really cool. They were called, well, it was not just interactive, it was progressive testing. So instead of having a 100-question Microsoft test, this might have been like Norton or something, you take a test, and if you did well, you could do it in like 20 questions. But if you showed a weakness in an area, they would kind of expand the line of questioning to a dozen different topics, to really drill down into whether you know the material or not. Yeah. And the really good ones that were also interactive, you know, they would give you a task, and they would give you just enough program inside the system to click through the proper screens to achieve the task listed. Is that a valid parallel to what you’re describing to me?


Yeah, absolutely. So now we give our clients full control; they can send out anything they want at any time. But we have these, if you want to call them campaigns on rails, where for every employee it will see their behavior in previous assessments or previous trainings. And it’ll say, okay, what is this employee likely to respond to incorrectly? Is it, like I said, the $300 Visa gift card scam? Is it a brand impersonation? Is it business email compromise? You know, throw any common word out there, any common type of social engineering scam, that an employee specifically is vulnerable to, in different ways. Whereas if you take any other employee, they’re vulnerable to different things. So our first step was, let’s pair the assessment with the training that the employee actually needs, as opposed to blanketing them with common things and saying, that’s good enough, we’re good to go, they’ve gotten their training.

Allen Edwards  36:52

Interesting. Is there ever a time where a team member has been with you long enough, they’ve received various trainings, they don’t make very many opportunities for improvement, and so they don’t get these very often, or never?


Yep, absolutely. And we love to see it. So it’s not that they won’t continue to receive them; it’s that they begin to respond to every variation thereof properly. So what, specifically, our campaign will do is, if we recognize an employee’s improving, we’ll not only give them the feedback when they report things to us, where we’ll be like, hey, you did great, like you’ve caught the last five out of six assessments and, responding to your trainings, you’re on fire. If you’re doing stuff every week, we’ll give them that positive feedback. But when we notice, hey, they’re scoring 100% on all the assessments, it’s like, okay, well, now it’s time to ratchet it up. Let’s look for more vulnerability in other areas. Let’s make the difficulty a little greater. Let’s start to really test the boundaries of this person’s behavior. And then, instead of creating some kind of super training process on the back end, where now they’re going to get a 20-minute video if they fail the super assessments, it’s just the exact same process that they’ve already responded to properly and they’ve already enjoyed going through. It’s the same handheld tour, the same walkthrough, the same kind of support they already expect. Now it’s just that they’re at a different level of assessment.

Allen Edwards  38:17

So it starts off easier so that you don’t start off with the hardest one and the employee looks sorry, team member Okay, I did it now.


Oh, look how bad influence on Yeah, you’re out

Allen Edwards  38:27

in front of the team member, the team member can feel smarter, right? Instead of saying, hey, fish, you can’t climb a tree, you’re actually saying, hey, fish, we’re gonna swim a little this way. Oh, great job. Now we’re gonna swim a little further. And then next thing you know, you’re a salmon swimming upstream over rocks and valleys. Yeah, um, interesting. Very good.


Absolutely. If you give your team members the opportunities to succeed, though sometimes shocking, they really will. And most importantly, when you, let’s extrapolate that to employees, if you don’t give employees the opportunity to succeed, to pass these assessments, to feel good about the assessment that they’re going through, it only leaves room for a negative interaction, or at best a mediocre interaction. So if you can never get better, and your only possibility is getting worse, you’re gradually going to refine that process into the ground. And everyone’s gonna end up hating the process that they’re a part of, if you can’t give that positive interaction.

Allen Edwards  39:28

Right? Refining a process into the ground, something I always have to check for, you know, always be improving, negative examples. You know, I have clients where we set key performance indicators, and things start getting very smooth there underneath the key performance indicators, goals. We’ve refined the goals down until they feel like, hey, if we can do this, we’re great. Yeah. And then the tendency of the leaders of the organization is, oh, well, let’s just do better. Let’s just make it tighter. It’s like, hang on now. We’re already exceeding customer expectations in this case, and it’s a single key performance indicator, not all of them. Right? Right? Well, if we keep turning the screws too tight, this is suddenly no longer fun. You know, you’re trying to get 101% out of your team members instead of a nice calm 90%, you know, enjoy working here. So we definitely have to be careful not to over-process or over-improve things.


Yeah. How does that process go? Over-improving things, or ratcheting down, or being too much of a stickler for the constraints, I guess. How do you deal with that? How do you avoid it?

Allen Edwards  40:37

One, I hold accountable for results. Okay, that was a really big question, so a very short answer for one aspect. I know I kind of dropped it on you. Yeah, it is, uh, it is, you know, holding accountable to results. So for example, you know, the result is you don’t want to be hacked, you don’t want to be compromised, and in your examples, okay, we’re gonna make some mistakes along the way. But that’s a mistake in actions. The result is, we don’t want to get hacked, as long as people are progressing. Do not rate progress. My own lesson I learned today. Um, as long as they’re making progress, and we’re not being vulnerable and exposed, okay, that’s results. Yeah, the trip we had to take to get there is not as important, and that’s also how you avoid micromanagement. If you’re holding a help desk technician to resolving 10 tickets a day, and they’re resolving 11 tickets a day, everybody’s happy with them. Don’t complain about how they work the tickets. Right? Maybe that’s a bad time to talk about a spelling error. If it’s rare in there, take it. You know, don’t look for just every way to improve. Look for results.


That does make sense. How do you deal with I guess, then the follow up question, then when you know that you need to be adjusting the expectations.

Allen Edwards  42:06

As every consultant will tell you, the answer is: it depends. Um, yeah, there has to be, well, in some areas, there’s a good enough. When all areas are good enough, that does become the enemy. It’s a great, you know, because if you’re doing badly, chances are you’re well aware and you’re ready to improve. When you get to good enough, you’re like, okay, it’s good enough, I don’t have to improve anymore. So I think you have to just analyze each little piece and say, is this really something I need to improve? And sticking to the conversation we’re having today, I think predicting how this is going to impact morale and human behavior is probably the best way to look at that. It’s not an easy answer. I mean, kind of your reading psychology books. I mean, so many leaders, you know, even though many of them are voracious readers, they still can’t seem to read enough leadership books or business books or IT books, and keeping up with security standards, and how to manage teammates, team members. It’s not an easy task; we have to learn to be human and work with humans. One more interesting challenge is, I want you to think about the types of weirdos in the world who give up a paying job to go start their own business for no pay.


So me, Miko paths is what we call them in the industry. Right?

Allen Edwards  43:41

And yeah, and hacking as they grow. They agreed to pay other people, except for themselves, for a time possibly, or at least they’re at risk of being the last person before the money runs out. Yeah. Those leaders, us, we’re not normal. Yeah, your team members that have agreed to work for a paycheck are different than you. And that is a hard thing to understand. It’s hard to put yourself in somebody else’s shoes when those aren’t the same exact things that you value. Some people value security. Yeah, some people value freedom, some value control. And we’ve got to speak that different language to our audience. And importances.


Absolutely. One thing I really liked, to talk on that point, about DISC profiles, the personality profiles, was the clear separation between this is how you view yourself and this is how everyone else views you. So that you can kind of start to begin to understand, it’s like, okay, how do I need to, as you just mentioned, understand what’s going to motivate and drive other people, and, to talk back on our other point, how can I adjust my message to fit with what this person needs right now? Super important.

Allen Edwards  44:51

So on that note, we’ve been developing our own analysis. It’s not quite a personality profile. It’s the Six Leadership Superpowers.


I took it.

Allen Edwards  45:04

What did you think? I’m curious. Because I am not a psychologist, but I wrote the questions; that bothers me a little bit.


You made a pull up my answers.

Allen Edwards  45:13

Oh, that’s up to you. Um,


I really liked the, what I would have liked is a verbal explanation that I could have read through of, like, this is why your strengths, this is why we’re putting them these ways.

Allen Edwards  45:28

That is on the next revision list. Thanks for the feedback. And the reason I thought about it as an assessment, but you also mentioned the DISC profiles: there’s your answers, and then there’s also how the world sees you. Yeah. Which can frequently vary. Yeah. Everybody thinks we’re impartial. But that’s automatically an impartial, a partial statement. Right? Yeah. So in the early days of the Six Leadership Superpowers, we would always do a 360 review. The catch is it was very subjective, based on mood, who was in the room and how we collected that data, and very lengthy. So hence, we developed a quiz. And now I probably need to add, two versions from now maybe, allowing other people to answer for you as well. Because that would be cool.


That would be cool. Or it’s, you know, it would be awesome if maybe they can see your response, like others can see your response, and they can grade it. Is this person lying through their teeth? Because, like, I’ve taken enough of these tests, and if I wanted to get a specific result, I know exactly how I need to start answering things. But that gets rid of the purpose of the test, which is to understand what you really are and how you’re really going to act. So maybe you should have like a BS meter that other people can be like, no. Just an interesting thought.

Allen Edwards  46:49

Yeah, we tried to word the questions in such a way that it was a little harder to cheat. But it also made the wording tricky. Yeah. And then there’s this whole principle, and this is probably applicable as well. So many folks, they, I’ve already, if everyone’s going, self-aware,


responding incorrectly to assessments on purpose.

Allen Edwards  47:16

Oh, behavioral versus innate? Yeah. I’m one of the few people in the world whose DISC profiles have changed over time. And there’s some personality profile testing, like Color Code and some others, that they really want to get down to: who are you? Like, as a child, like, before you learned all this stuff, who are you? And I think, in my wisdom, I’ve come to the conclusion, in my self-proclaimed wisdom, I’ve come to the conclusion that I don’t care as much about who you were. I really do care more about what you’ve learned, and how you apply that in your life. So I have people who won’t hire somebody based on a past history; they don’t hire based on DISC profile, all their astrology, can’t have that in this position. Now, I can agree with you, a position might lend itself, yeah, to one thing or the other. And so what I use, I use this personality profile test to ask the right questions during the interview afterwards. Hey, I see here, yeah, we have this challenge with your personality profile and the position profile. Let’s talk about ways you deal with this. And see if they have adequate answers to deal with that.


Yeah, absolutely. There’s a tie-in to this specific thing, I’d love to get your opinion on this, maybe it’s not an offline conversation. But something you need to think about is, unless a person, when they’re growing up, when they’re young, is dedicated to the process of change, like is dedicated to changing based upon new information, new facts and all that, it is very hard to change their ways, like, as an adult. But if the one thing that individual values is changing for the sake of just being better, however they define that, then changing is easier and possible. Because I believe once humans have grown up, once we’re really solidified in the way we are, who we are, that we’re not, humans, by and large, don’t change at their core. It’s my philosophy. But there’s one caveat: it’s if the person is dedicated to change for the act of just being better than that. That’s when it’s doable.

Allen Edwards  49:26

Connor, you just revealed something to me, which was that, um, I actually agree with you completely, despite it being the opposite of what I just said. I personally happen to have that trait of constant self-improvement, self-awareness and change. Yeah, I embrace it. If I send somebody a document and they go, yeah, that’s fine, I don’t value their opinion at all. I love feedback and love change. I can’t read improvement or business books before bed, because I’m too busy, like, changing. I read books; I’ve forgotten to quote which book did what, but it all becomes a part. It’s how I became a consultant. Somebody recently asked me in a sales call, hey, you know, why are you, how did you get this way? You’re in an IT business, now you’re consulting your business, business, like, what’s going on here? And the answer was, well, I did what you did, is I sought help. And I loved it. And I learned and I changed. And I sought lots of help from lots of different people over many, many years: books, coaches, consultants, webinars, conferences, and it all actively added to the pool of knowledge and experiences that I pulled from. Even back to the Six Leadership Superpowers, Adam did want to add that when we were first testing it, we rated each other internally. Oh, yeah. Now we just got to get that onto our quiz system, that if you want some additional feedback, to enable you to be able to do it.


That’d be awesome. Almost like if you could share it with everyone you wanted to rate, the BS meter, or tell me what you think about these answers. I would be interested to see the difference between the way you performed on it versus the way other people rated you; that’d be interesting. Maybe you throw that into a blog post or LinkedIn, or something like that. That’d be it. Is it already there? Am I just touching on something already?

Allen Edwards  51:19

No, we have the data. It’s, I haven’t, I don’t recall the results and analyzing when we first did it. Not the online quiz, we did it in person, using our bog grading scale for each other. There were definitely a few things that were different. And sometimes it’s just how we describe the rating. And sometimes it was, oh, I’m not very self-aware here. Yeah, there’s another neat one called the Johari window test. It’s broken into four panes of glass, but the basic premise is, there’s stuff that you and everybody knows about you, there’s stuff that you know that others don’t know about you, there’s stuff that they’re aware of about you that you’re not even aware of, and then of course there’s the stuff that nobody knows, including yourself. And it’s a quiz that you take yourself, but you also send to others, and it kind of shows you where those things are. Just the more self-awareness. That was called the Johari, J-O-H-A-R-I, window.


Take a look at that. Yeah, was there a

Allen Edwards  52:20

very short thing, and you could get some peer feedback from it. Very good. Um, oh, we are running out of time; that went so fast. On your phone, right? Yeah, Connor, thank you for coming. Thank you for engaging, leading an engaging discussion about human psychology, I believe. It applies so much more than we know to IT, to documentation, to processes, because we’re all doing this for humans, by humans. And it especially applies as the weakest link in security vulnerability.


Absolutely. It only takes one person not knowing what to do to bring your whole company to its knees, and I hate using the fear, the uncertainty, the doubt of cybersecurity to sell. That’s the reality: if one person’s not bought in, everyone’s at risk. And so you need to make sure everyone feels like they’re a part of the team and they’re ready to go. It’s important.

Allen Edwards  53:18

Alright, so Connor’s contact info: you can find his website at phinsec.io. I’m sorry, let me spell it out: p-h-i-n-sec.io. Also, certainly, for Connor Swalm, did I get that name right?


Swalm. Yep, you got it right. But a couple generations ago, way over my head, so they changed the name.

Allen Edwards  53:43

Simplified it for us people. Yeah, human behavior. So Connor Swalm, find him on LinkedIn. Feel free to connect. We are coming close to our year end for ITDUG, and I can tell you we’ve already got some exciting webinars planned for the future. January, February are planned, October is planned. Veronica, do we know the October announcement, who’s coming? Yes,

Veronica Dunn  54:12

we have Tim coming. I’m sorry, I can’t, I don’t remember.

Allen Edwards  54:18

All right, we do have one planned for October; we will get that posted this week. So you can see that in the ITDUG Facebook group. If you are seeing this elsewhere, besides the ITDUG Facebook group, it is fb.com/groups/ITDUG. We’ll get you straight there. We’d love to have you join the conversation about IT documentation. There will be no planned webinar in November or December, for us and other holidays. However, we’re probably going to put together a little event early December, just a meet and greet, hang out and say hi to each other. Um, alright, and the webinar for October is Tim Golden, the compliancy guys will be working on there. A presentation like this that I hope sticks true to IT, but it explores a little more beyond just documentation, though compliancy certainly is a big piece, much like Dave Savelle talked to us about a few months ago as well. Thanks again, Connor. It was great getting to know you. And we’ll see everyone again soon, next month. Have a great one.


It was great chatting with you. Thanks for having me.

Allen Edwards  55:26

Thanks, Connor.

IT-what?? What is ITDUG?

IT Documentation Users Group (ITDUG) is a Facebook group for sharing tips and tricks for documenting IT systems using any documentation platform recommended for IT Service providers, including internal IT departments. Join IT documentation professionals for discussions on IT documentation analysis, planning, and implementation of best practices in IT Documentation.

The group was started by Tracy Hardin, IT/MSP owner, in 2018 to co-learn ITGlue and was later adapted into a forum for all IT documentation platforms. Shortly thereafter, Eureka Process joined as co-admins. ITDUG now has over 3000 members and growing! It is organized by a community of like-minded professionals united by a passion for documenting IT infrastructure and processes.

Team Eureka contributes a documentation-related webinar on the last Wednesday of every month. You can watch previous ITDUG webinars here. Share and learn the latest practices and strategies for documenting technology infrastructure, systems, policies, and procedures.
