Any time Ira Winkler, Chief Security Architect of Walmart and author of Security Awareness for Dummies, speaks, it's a can't-miss event. He's one of the field's most sought-after speakers and we were beyond thrilled to have "The modern-day James Bond" join the CISO Sandbox. And we were extra-excited when he singled out Hoxhunt for our innovative use of machine learning to deliver personalized, positive security awareness at scale. Such a fun, interesting conversation! Check it out!
Eliot: You have written a book called, "You CAN stop stupid," and now you've written for the iconic series, "Security Awareness for Dummies." I've got to ask, if we take the titles literally, who are the dummies this is for?
Ira: So here's the thing. Let me talk about "You can stop stupid." It's my belief that behind every stupid user is a stupider security professional who allows this stupidity to create harm. That's not to say there aren't stupid users. There are many really stupid users. Let's acknowledge that. But a user can only cause harm to the extent you provide the ability to cause harm.
Eliot: You spoke of gamification and phishing simulations. How do you implement those effectively in a security awareness program?
Ira: First off, the term "gamification" is one of my pet peeves, where everybody thinks gamification is a game. Gamification is not a game. Gamification is actually a very specific business principle that says, "We are taking game principles and applying it to solve a business problem." The game principles essentially involve creating a reward structure that says, "If you do the behaviors we want, we reward you and therefore provide positive reinforcement for the behavior... Let's say you make a fun game on how to learn good cybersecurity. You take a quiz and you say, "Here's a quiz, take this quiz, this is fun." Maybe they'll get an 80 and you'll give them a reward and say, "Here's a reward." Well, you're basically rewarding somebody for learning. That's providing them with information. That's not providing them with demonstrating (awareness); catching the behavior in the act and rewarding the behavior in the act. If you reward them with catching the behavior in the act, such as someone reports a phishing message and you congratulate them for the reporting of a phishing message or whatever the case is, that's gamification. On the other hand, telling people, "Here's a game! I will give you a reward if you play the game." That's not gamification. So implementing gamification requires determining the rewards, determining the program stucture, how you go ahead what bheavior you want to reward, how do you catch them, how do you track it, and so on. So that's gamification.
Phishing simulations: that's a plethora... of topics such as, which phishing tool do you run? What type of phishing lures are you going to use? How frequently do you do it? Again, I appreciate what Hoxhunt does. Hoxhunt sends out the phishing messages appropriate to the level of knowledge appropriate to the person. If you don't have a tool like that, you need to figure out, "How am I going to structure phishing messages that are going across the entire range of potential phishing knowledge?"
Ira Winkler, CISSP, is the Chief Security Architect for Walmart and author of the books, You Can Stop Stupid and Security Awareness for Dummies. He is considered one of the world’s most influential security professionals and was named “The Awareness Crusader” by CSO magazine in receiving their CSO COMPASS Award. Most recently, he was named 2021 Top Cybersecurity Leader by Security Magazine. He has designed and implemented and supported security awareness programs at organizations of all sizes, in all industries, around the world. Ira began his career at the National Security Agency, where he served in various roles as an Intelligence and Computer Systems Analyst. He has since served in other positions supporting the cybersecurity programs in organizations of all sizes.
This whitepaper on the technology driving the Hoxhunt platform, and its innovative applications for security awareness, was originally published by Ira Winkler in 2020. Much has happened since then! Loads of new features, products, and development of the machine learning model and cognitive automation on our side; and Ira has since joined Walmart as Chief Security Architect. To be clear, Walmart is not endorsing Hoxhunt. But with Ira's upcoming appearance on the CISO Sandbox to promote his recently published Security Awareness for Dummies, we thought it worth noting that "The Awareness Crusader" is a forward-thinking CISO who can see around corners and appreciate the difference between illusory, incremental, and game-changing innovation.
By Ira Winkler
There are so many buzzwords and trends in the security awareness industry that it is hard to determine what is useful and what is a gimmick. Every vendor out there has some sort of promise that they have some special characteristic about their product that makes it a revolutionary improvement to your security awareness posture that no other product can accomplish. After reviewing the Hoxhunt solution, it is safe to say that they actually do provide something unique that can really move the needle with your organization’s security awareness posture.
Machine learning and artificial intelligence are typically buzzwords and technologies that vendors tout as making a product unique. The reality is that machine learning and AI can be useful, however, they are just underlying technologies. It is how you apply the technologies that makes a difference. Hoxhunt uses machine learning in a way that provides a very unique and valuable method for improving security awareness in practice.
Specifically, Hoxhunt uses machine learning in a way to create individual learning experiences for every user within your organization.
When you create phishing simulation campaigns, you choose a pretext to send out to the organization. The simulations typically intend to get the user to click on a link, submit credentials, or download malware. The system then tracks the user action, and, if warranted, provides training for improper responses.
Usually, everyone in an organization receives the same simulation. More advanced programs might send out messages to different groups of people within the organization. This allows for simulations to be somewhat more tailored to the recipients but requires exponentially more work.
Organizations target users who fall for the phishing simulations more frequently, however, they send out messages to everyone else with the same frequency. This tends to annoy users who do not fall for the typical phishing messages and has little impact in improving awareness for the majority of users. Using an analogy, it is like trying to teach all students in the same high school the same basic math course, over and over again.
Hoxhunt takes a unique approach. Using artificial intelligence, Hoxhunt can tailor phishing education to each individual user. After an organization provides the platform with user information and the appropriate access, the system then sends out messages. Based on the responses of each user, the system itself then determines the appropriate frequency and simulations moving forward.
Should a user fall for the simulation, they receive the designated training, and the next phishing messages are of similar sophistication. However, when users do not fall for the phishing simulation, the system can then raise the sophistication of future messages. This has the impact of improving learning by making future simulations and any resulting training more advanced. Similarly, if a user consistently demonstrates awareness, they receive fewer simulations.
Should a user begin to fall victim to the simulations again, the system can throttle up the simulations to that particular user. This clearly provides for a very personalized learning experience that cannot be achieved through the competition.
The individualized nature of the messages and the training allows for yet another unique feature; customized spear-phishing messages. The Hoxhunt platform allows the tailored messages to appear as if they come from another user within the organization. Hoxhunt pulls the name of other users on the system, from within the same department. This simulates the targeted messages sent by more sophisticated attackers.
In short, there is simply no other platform available that allows for this level of phishing customization, automatically tailored to individual users. All of this is accomplished with little administrator input.
From a learning science perspective, this approach has very distinct advantages (editor's note: please see DocuSign Director of Trust & Security Training & Awareness, Lisa Kubicki's behavioral science-themed webinar: This is your Brain on Trust). Training needs to be appropriate to its targeted users. Training that is too complex will not benefit a novice user. Likewise, training that is too simple for a person with more expertise will not only be a waste of time, it will also be likely to aggravate the student.
In the case of phishing, hitting less experienced users with advanced attacks will lead to frustration, and will overwhelm the user. On the other hand, if you send out basic phishing messages to accommodate the less knowledgeable users, advanced users will never improve their expertise.
The Hoxhunt approach provides for users of all knowledge levels to increase their expertise at a reasonable and steady pace. No other tool out there allows for this customized learning experience. Having used most major phishing platforms, we have found that there are a few distinguishing factors. However, the Hoxhunt machine learning approach to customize the phishing simulation experience for each individual user is an incredibly unique and valuable feature, which means that all organizations should consider the Hoxhunt solution for their phishing simulations needs.
