The #1 vulnerability in cybersecurity is us

August 2, 2024

98% of cyberattacks rely on social engineering. An average business organization faces over 700 social engineering attacks annually. 90% of data breach incidents target the human element to gain access to sensitive business information.

How can understanding human psychology help your cybersecurity defense?

On the latest Secure Talk, I engage in a profound conversation with Dr. Abbie Marono, a behavioral scientist from social-engineer.com. We explored how nonverbal communication and emotional triggers play crucial roles in cyber threats. This insightful discussion reveals that our trust and cooperative nature, while beneficial, can also be exploited by skilled attackers.

Dr. Marono’s ability to blend her academic research with practical cybersecurity applications is a testament to the power of multidisciplinary knowledge. Her insights on preference for trust and how nonverbal communication plays a part in that can help transform the people in your organization into a primary defense mechanism. Don't miss out on these valuable insights for enhancing your security approach!


Secure Talk - Dr Abbie Marono

Justin Beals: Hello and welcome to SecureTalk, a podcast where we explore the critical world of information security, innovation and compliance. I'm your host, Justin Beals, founder and CEO of StrikeGraph. Together with our expert guests, we'll provide you tools and tips to help your business thrive in the rapidly evolving cybersecurity environment.

Hello everyone and welcome to Secure Talk. This is your host, Justin Beals. Really glad to have you joining us today. We have a little bit of a unique guest with us, not a deep cybersecurity expert, but a behavioral scientist. We're joined today by Dr. Abbie Marono. Dr. Abbie is the director of education at socialengineer.com and a PhD as a behavioral scientist. She's written numerous academic articles, including a sequence analysis of nonverbal behavior and deception, a behavior sequence analysis [00:01:00] of nonverbal communication and deceit in different personality clusters, and Unmaking a Murderer: Behavior Sequence Analysis of False Confessions.

Thank you for joining us today, Dr. Abbie. We really appreciate it.

Abbie Marono: Thank you so much for having me. 

Justin Beals: Excellent. So you have been dragged into the security space, I believe. Yeah, from your work as a behavioral scientist. Tell us why a security professional might be interested in behavioral science.

Abbie Marono: Yes.

Any security flaw, anytime there is a breach or someone has hacked a computer or someone has your data, there's always a human that opens the door. So it doesn't matter how amazing the breach is. If a person doesn't open the door, it doesn't matter. So you can have the most advanced malicious software.

And send it to me in an email, but unless I click it, it can't get into the computer. So when it comes to anything security, there's always a human number of sides. So if we understand what makes the human click that link, what makes a human answer that phone call and follow instruction, or makes that human actually think that when the hacker calls them up and says they're the bank, that they believe that they're the bank.

If we can understand what's going on with the person there, we can teach security practices that stop the social engineering attacks from happening. 

Justin Beals: Yeah. I, I think in talking with security professionals, this has got to be one of the aspects that they least like to deal with, you know, so, so many security professionals come from a technical background.

They might not be very extroverted or may actually enjoy working with the technology more than the people, but you're right. You know, at the end of the day, if everything were automated, we could really do a really good job of securing the, you know, the surface area, but people tend to be the softest point of a breach to happen.

Yeah. 

Abbie Marono: Because the staff in a company can either be your greatest security flaw or your secret weapon. It really depends on the kind of security training that they have. When people come into work with a security mindset, then they can come in and protect the company. But also, a lot of people don't realize this:

The company, all of their employees, are still a security threat, potentially, outside of work hours. So, we go into the office, or we clock in, or, say, we work from home, we clock in, and we think once that 9 to 5 is done, we are no more a threat to the company, potentially. But we are. So, that's it. Because we still have knowledge of passwords.

We still have access to our devices, particularly if we work from home. So if an attacker calls you up looking for information and they grew up outside of work hours, you're less likely to be on guard. So there's a lot that we forget when it comes to the human aspect of security. And we think that we are secure.

But if you don't understand the psychology of social engineering and the psychology of security, then we're putting our company, our employees and our data at risk.

Justin Beals: We have a kind of an internal joke that you're not fully onboarded at my company, StrikeGraph, until you've gotten an SMS message. Not from me, but trying to get you to provide some data.

And at that point, you know, when the hackers have found you on LinkedIn, you're, you're onboarded. Yeah.

Abbie Marono: Yeah. I remember when I first joined Social Engineer, one of our team forwarded me an email and said, was this you? And it looked like it was from me, but then used kind regards to end the email. I don't think I've ever used kind regards in my life to end an email.

I always put best wishes or if it's a password, that's what emails best, but I never put kind regards and it was interesting to see. Someone impersonate me because you think, wow, this doesn't just happen to people that you read about. This happens to, you know, who you think is just, you know, a small employee.

We're not Microsoft. We're not Google. So you think, oh, you know, it's just the big ones that are at risk, but it isn't. It's every line. It's every employee. If you have any kind of data, if you have any access to data, if you're a part of any kind of company that has money in and out, attackers want that.

They want your data. 

Justin Beals: Yeah, I'd love to get a little bit into your background and how you wound up in the type of work you do today. Were you always interested in psychology? Was it, was it something that was fascinating to you? 

Abbie Marono: Yes. Yes. So since I was 16, I have loved psychology. I fell in love with the research aspect.

I fell in love with nonverbal communication. And I remember being 17 and saying, one day, I'm going to be a professor of psychology, professor of behavioral analysis. And then when I was 23, I became a professor of psychology. Wow. But I, I know that's what I wanted to do and I, when I was an undergrad, I published my first paper at 19.

And from the moment I published my first paper, being part of that understanding why was, was all it took. That one answer. Because with research, you ask a question that is unknown, something about human behavior we don't yet know. And then you're responsible for going and finding out. Yeah. Running studies and figuring out answers to questions that are unknown and just unraveling a tiny, tiny, tiny part of what it means to be human on those questions.

And being involved in that process was amazing. And ever since I've just been completely hooked. And I did my PhD in nonverbal communication. Specifically using nonverbal communication to influence information elicitation. So it was in the security field. I was funded by the Centre for Research and Evidence on Security Threats.

So I was an academic and my focus was security. And then when I became a professor, I loved teaching. I loved academia, but I had started to get into the media a little bit. I'd started doing podcasts and I was working with Joe Navarro quite a lot. And he's a big speaker, he's an author, he's ex-FBI. And he said to me, I can see that you love academia, but you're not fully happy, are you?

And I said, I'm not, and I dunno what it is. And he said, you need to come into my world. So he brought me into his world a little bit and I saw the way that businesses were just so hungry for the knowledge and the way that they utilized it. And it was just very different to the academic sector that I was in.

I was. It was definitely wearing me down a little bit. It wasn't quite what I expected. And then he introduced me to Chris Hadnagy and I was telling him about my research in nonverbal communication, and nonverbal communication is a huge part of what they do at Social Engineer. And he said to me, I don't suppose you know anybody that has any expertise in information elicitation and nonverbals.

And I said, well, of course, that's mostly the title of my thesis. And he said, don't suppose you want a job in Florida. So evidently, absolutely. I want to move from the UK to Florida to come work in the private sector. So it was just a match made in heaven. And although I'm not any security professional per se, I'm an academic and a behavioral scientist that gets to translate the science to the security sector.

And I have a motto, which is both my professional and my personal motto, which is making science accessible. And being able to take that science and translate it to practitioners has just been so rewarding. And I plan on never leaving.

Justin Beals: Yeah. Well it, it is very unique to both have a foot in the research, you know, in, in the academic side.

And have a foot in the applied science, seeing that full circle relationship [00:09:00] brings the science to life in a way, doesn't it? 

Abbie Marono: Yeah, that's a great way to put it to bring the science to life because a lot of the time the answers are there for the security professionals, but they're behind a paywall or they're behind terminology that doesn't make sense to them.

And what I did notice coming into the security sector, it was academics and practitioners. We speak different languages. There was a complete mismatch when I first entered this field. People had no idea what I was saying. And it was like, they were speaking in code and it took me a lot of time to adjust to their lingo and their phrasing and being British as well, I have a very different way of speaking than a lot of people here and it took some time to adjust, but now you realize that the disconnect isn't because they don't want the information.

It's just, it's very difficult to translate the two. So, and often academics will safeguard their information. They don't like to translate it sometimes and they don't make it accessible and it makes it very difficult for practitioners to utilize that knowledge. So having just a small hand and being able to get that science out of science and into this sector has been so rewarding.

And like I said, I don't plan on ever leaving. 

Justin Beals: Yeah. Yeah, there is certainly some value in the precision of academic discussion. And, but the jargon can go too far and, and they can make it a gatekeeping situation as opposed to using very precise language. That's very technical. Be successful. As a matter of fact, I, I had a question. I have no, no idea what this is. But it was in a lot of your papers. So, what is behavior sequence analysis?

Abbie Marono: Yes. So, behavior sequence analysis is a method of assessing nonverbal behavior. So, with feature detection approaches, they're very flawed. So, what you see when people look to understand nonverbals is, you hear, have you ever heard, oh, he touched his nose, so he's lying, or they cross their arms, so they're being defensive. And what that is, is it's feature detection. So they see one behavior and they go, ah, okay. I know what this means. Absolutely. Every time I see this, it means X emotion or it means X intention. Well, they do this and it means they're being deceptive, and that's extremely flawed thinking because I might cross my arms because I'm being defensive or maybe I'm cold.

Or maybe you're crossing your arms and I'm mirroring you, or maybe it's just how I'm comfortable. Maybe it's my baseline. And the same with every other behavior. So just identifying the one and assigning an emotion is flawed. So what some researchers do is they look for what's called clusters. So they look for multiple indicators of, say, deception or, say, an emotion.

And they will then say, okay, I have now a mirror of a well-rounded opportunity to assess his behavior and I can make a more reliable judgment. That's still not quite effective enough because human behavior is dynamic. It moves. It is not happening in one moment. You know, emotions go up and go down and interactions are fluid.

So it's a lot more complicated than that. So what behavior sequence analysis does is it looks at the sequence of behaviors. So if I'm looking to say that someone is being defensive, I'm going to look at the order in which behaviors occur. And if I want to look for a particular emotion, I'm going to look at how the intensity of those behaviors increase or decrease to make a judgment.

I'm going to look at this one behavior, look at the behavior that happened before and after and see if I can make a reliable judgment. Because if I see an indicator of, say, defensiveness, but before that I see openness and after I see openness, well, that's a good indication. There wasn't a defensive behavior.

And again, if I see a defensive behavior and then I see it decrease, maybe they weren't being defensive. Maybe they were just uncomfortable. And as the interaction's going on, they're getting a little bit more comfortable. So it's a more nuanced way and a more effective way of understanding genuine nonverbal communication. It really tackles that reliability factor.

Justin Beals: There's a lot more precision in this type of data, especially where humans are changing all the time and the interaction between people is adjusting. You know what, what they're feeling, right? We know that intrinsically, but maybe not extrinsically. Yeah. Um, so, one of the things that I wanted to ask you about a little bit, especially as we deal with social engineering, is that humans, humans are social beings, right?

It seems that we're predisposed to operating in groups. Is that correct? Is that your perspective as well?

Abbie Marono: Yes. So, human beings are innately a social species. It's how we survived. If we look at our evolutionary history, there's no way that we could have survived without being social. Because being within your groups allowed us access to things like resources and allowed us access to information. Say there were poisonous berries and someone ate them, or we communicate across the group that this is not to be done. If there's a predator, it's protection. So what's now happened is, if we look at the brain, we find social connections neurologically rewarding. And we find social pain, so the loss of social groups and social relationships, as physically painful.

They are processed in the same parts of the brain that physical pain is processed because we are so deeply connected to one another. So when it comes to social engineering and we say, well, why is it so effective? Why do people fall for it? Because we are a social species, because maintaining social relationships and trying to be liked and appease other people is human nature.

It's part of how we have evolved. It's part of how we are wired as a species.

Justin Beals: So cooperation is an innate sensation, right? Like we, we, I mean, we're making some broad assumptions here. It obviously doesn't happen for everyone in the same amounts or in the same situations, but generally we're wired to try and cooperate with those around us.

Abbie Marono: Yes, just because we have a predisposition for something doesn't mean that it's going to show itself. It just means that we are predisposed to behaving in that way. And we know that we are because when we look at the brain, when people are expecting the other person to cooperate with them, it's felt as rewarding and it's processed in the reward centers of the brain, where we process receiving a physical reward. Say I turn up at your door and I say, you wanna clear? She has two million dollars.

The same part of your brain is activated when I give you that physical reward. It's the same part of the brain that's activated when I socially cooperate with you, because it's so rewarding. Now if you cooperate with me and I don't cooperate with you, now when we think about punishing me, the reward center's activated, because not only are we motivated to cooperate or predisposed to cooperate, we're also predisposed to punish those who act unfairly and do not cooperate.

So again, it is inside of us as a species. It's round, it's so easy to manipulate people and we have trust by default, too. Most people are innately trusting. Now, of course, everybody is an individual. It doesn't mean that because we have a predisposition, everybody's going to behave in that same way. It means on average, that this is generally what we're going to see.

And it's what's wired into us, but things like personality experiences, traumas, the relationship dynamics, obviously they have an effect and the context will have an effect, but the brain is wired for that. It is that cooperation is rewarding. 

Justin Beals: And given that predisposition, when you're designing an education around security, especially social engineering, how do you think about, you know, the, the construct of learning kind of going against the grain, maybe a little bit of, of how, how we're wired to behave?

Abbie Marono: In terms of teaching people not to cooperate with the attackers?

Justin Beals: Exactly.

Abbie Marono: So, the way that attackers will get us to act, because that's what it's about, is getting us to act, whether it's give them information, click a link, or anything, they want us to act, that is in a way that's not in our best interest. So, the way that they do that is they play on emotions. Because we are innately cooperative, and we're, outward so, predictably irrational is the phrase, we don't always make the most rational decisions, especially when emotions come into play.

Now, the problem is we were asked to think we are rational beings. We love to think we are these big critical thinkers and we are to a degree. The problem is the emotional centers of the brain are much older than the prefrontal cortex, where critical thinking occurs. So when a signal is sent through, it first reaches the emotional centers and then the prefrontal cortex.

So an attacker will play on that. And if they can get you to feel an emotion, and if that emotion is strong enough to get you to act, you're going to act quickly before you had a time to think about, wait, wait, wait, wait. What's the URL here? Wait. Does this make sense? Those kinds of questions that stop you committing an act that could harm the company or yourself.

So what happens here is, you know, you get an email from the IRS and instantly you think fear and you act straight away. Or it's from a CEO saying you need to do this. And logically, no email needs to be replied to within 10 seconds. Krumble, nothing's gonna happen in those 10 seconds. But now we see things with deepfakes. Now, we've got a phone call and it sounds like our child and I'm in desperate need of help, Purin's why are this money now, so we'll do it.

We don't think, we just do it, because our emotions have taken over. It is nothing, nothing is ever going to make the world crumble in those 10 seconds. You need to engage critical thinking. So what we need to do is we need to allow that signal to reach the prefrontal cortex. Because maybe it is a disaster, but that 10 seconds wouldn't have made it any worse.

And if it is a disaster, at least you've been able to assess that. So what we do is we say, take a step back. And the most effective way to act is to think. Read it 5 to 10 seconds. That's it. It's that simple. When we recognize, when you feel a strong emotion, when we feel that strong emotion, go, let me breathe on it, because then the signal can get to the prefrontal cortex, and then you can really, really, you can really examine it.

If you want to step up and get a coffee, do so, and then come back to it, because now you're allowing critical thinking to engage and you're going to notice things that you otherwise wouldn't, like that bottom line of kind regards rather than best wishes. Or had they acted on emotion, and I had, say the email was something that in order to act within the next five seconds, that would have missed that small detail.

But a really important detail, or maybe the URL was slightly different. Or maybe my name was spelled wrong. Something that gave it away, they would have missed it because the brain skips that information because it's just thinking about that emotion.

Justin Beals: I mean, I think that in, in our security practices, you've touched right on the exact issue and we do a lot to make this happen, you know, where we design plans for disaster recovery, right?

We don't want you thinking emotionally in the moment about what to do in a disaster situation. We want a playbook that you can reference and drive through. Yeah, and I certainly know in stressful situations I can, you know, I'm driven to react emotionally first, not logically necessarily. Yeah,

Abbie Marono: absolutely.

And it's a survival instinct. It's not a human flaw. It's how we've survived. Because when we feel emotions, emotions aren't just passive things that, you know, are no good to us. There is a perception that emotions make us less rational and emotions make us make useless decisions. And that's just not true at all.

They might make us less rational in this kind of situation, but emotions are information. We have them because they tell us something about the situation. If we feel fear, it's a signal we might not be safe. If we feel happiness, it's a signal that maybe don't have good intention, or if we feel curiosity, there's something going on here.

So that's it: they give us information, so I need to listen to them. We can't disregard them, but it can be overwhelming. And when we feel stressed, our brain is wired to listen to our emotions, because it's saying, what do I need to know to keep myself safe? And we forget that we're still living with the regions of the brain that we were, you know, thousands of years ago, hundreds of thousands of years ago.

So then adapted to this computer environment, this world of technology that we have is so new. Why would we think that the brain has adapted to this? There's no way that the brain has evolved to adapt to this level of technical awareness.

Absolutely not. So we're still operating as if we're in this ancestral environment where we don't know whether it's a threat of, you know, my routine crashed, or I didn't pay this bill, or my CEO needs something from me, our brain says, saber-tooth tiger, it still reacts in the same way. It says danger. And we forget that, we forget that we're still acting how we are innately programmed to act, so we have to listen to our emotions.

Justin Beals: I think there, there must be a confidence boost in saying I created these computers. I wrote this code, I have, you know, swum in the deep end of our connected world. I must be managing it perfectly well. 

Abbie Marono: Exactly. Yeah. And we don't like to talk about when we make mistakes and it creates this shame culture, because what happens is if we do allow an attacker in, maybe we click a link.

We answer a phone call and do an act and we think afterwards, Oh, Maybe I shouldn't have done that. If we tell quick enough, there is a chance we can minimize the damage. We can now, okay, quick, let's act now. Let's get it minimized and we can save the day. But what happens is when we don't like to talk about that we made a mistake because we feel shame because we feel flawed, we feel inadequate.

We feel like I now have failed everybody. I failed the company. I failed my boss. We feel shame for it. So we don't speak about it. We just pretend it didn't happen. Now, we let it get much bigger. So if we're not open about the fact that it's not what people say is, is a stupid human problem, it's not a stupid human problem.

It's just a human problem. Doesn't make you stupid. Doesn't make you inadequate because you accidentally engage in insecure or unsecure behavior. It just makes you human. It just means from that moment you were socially engineered. And our CEO, Chris Hadnagy, he tells a good story of he fell for a phish.

You know, it was at the right time. I fell for one that my company sent me, because it was, I was dealing with the U.S. tax documents and it was just completely confusing to me. Somebody that I'd never dealt with being in this country, I'd only just moved. And they sent me a phish. And it was about the U.S. tax system.

And it was a terrible phish. I should have, I should not have fallen for it. I should have noticed it straight away, but I clicked on it because I was stressed and I just wasn't thinking. And if I now just pretended I'd never fallen for it, it makes other people who have fallen for it all feel dumb too, feel less than. We have to openly talk about it.

It's not because you're stupid. It just means attackers are smart and we are emotional beings. And once we have that awareness and we realize everybody falls for it, now we can create a more healthy security culture. 

Justin Beals: Yeah. Security incidents are common. You know, to me, the big issue is not recognizing them, following the security incident plan, not being ready to make the changes that we want going forward.

And to your point, if we have a culture of shaming people, which we've seen in the tech industry too much, right? Like, I've seen, uh, senior engineers shame junior engineers for something that didn't matter at all. And they lose all confidence in being a great contributor.

Abbie Marono: And it's really sad when it comes from the top down too, because what it does is, the leader thinks that this is going to help the company by having such a heavy hand.

But what it does do is the opposite, because now you're shaming people for falling for these things. They're not being taught the right mindset. And now when they do fall for it, they're not gonna tell you because they're embarrassed, because they feel shame. And now you can't mitigate the effects of that attack if it does happen.

So it's not helping anybody. When we create this culture of shame around social engineering, it's so much more helpful when we understand the psychology of it and we openly talk about it and we implement more secure practices that do take into consideration human emotion because that's what's played on.

Like I said, you can have the most secure firewalls, but if a malicious email gets through, it's the human that allows it in. So you can either make people your biggest weakness or your biggest defense, it's up to you and it's up to the training you provide them and that's up to leaders. So I hate when I see the top down shaming, it's really sad to see, but I do think that there is a change in the culture.

Whenever I go to these events, it usually is just me and maybe one other scientist and then everybody else is a practitioner and it can be a little bit intimidating, but slowly, I am seeing more behavioral science being implemented into companies and people realizing, because we are having open conversations about it.

Justin Beals: About the flip side to going from something like shame or a mistake or a social engineer into trust, you know, it's easy to point out our flaws, but there's also, you know, business is done based upon trust.

It's deeply critical to individuals deciding to work together. How do you think about building the other side, developing trust with colleagues you want to work with? 

Abbie Marono: So that's a great question. And people say because everybody's a potential threat, trust nobody. And that's the best way to do business.

The problem with that is, if you don't provide trust, you won't get it back. If you go into any business arrangement or any interaction skeptical, the other person will feel that inauthenticity and they're going to react the same way. So you're going to damage that potentially really great relationship and potentially a really great business connection.

So we don't advise. Dilemma with this no-trust mindset. That's just, again, it's against our human nature. I love that as a species, we are trusting. It's a great thing to facilitate. What we need to do though is trust but verify. So go in assuming that they are trustworthy, but if they ask you to do anything that isn't completely by the book, you don't have to say, oh, I know you're a hacker.

Or instantly throw them back or be rude. Just, oh, absolutely fine. I am going to need you to provide me this information just so, you know, we can follow the correct procedures. And if they'll ask you to do anything, anything that isn't exactly the correct procedures. And that sounds like real simple advice.

And people are like, well, of course I wouldn't, but we're human. And we, once we have trust, we'll assume that the other person has our best interest and the other person is being genuine. Okay. And now, what people are unusually surprised by is how quickly we believe that the other person is trustworthy.

And we'll think again, we're so logical, it's all this information that they're giving us. We actually make judgments of whether someone is trustworthy in less than a second. There is no way that when we've collected enough information to make that accurate judgment, we'll drop that information from the nonverbals.

So obviously over email it's different, um, because there is no nonverbals, but say it's an interaction or a phone call. Especially if it's an interaction where someone says, you know, hello, I've come from this company, I need to assess your laptop, or hang on, I'm tech, you know, I need to fix this bug on your laptop.

The rest in a second, we have made a judgment, and it's all based on nonverbal communication. Now that is, again, it's an innate ability to want to communicate nonverbally and to observe other people and make judgments nonverbally. We know this. We know from thin slicing, we make judgments based on someone's facial appearance and facial structure and emotional expressivity as to whether they're trustworthy.

Again, it's an evolved response. It's something that has been so advantageous to us as a species throughout evolution. But in world side judgment, so knowing that, knowing that we make judgments of trust based on non verbals gives us an extra level of awareness. So resign ask to request and don't feel yourself going, Oh, they are trustworthy.

[00:30:52] I'm going to do it. Register that feeling that you perceive them as trustworthy and critically sense why. Because what we like to do is we make a judgment based on non verbals. And then we don't like to change our judgments. Humans are very resistant once we've made a judgment. We like to think we're not, so what do we do?

We now pull information to justify that original judgment. So, ah, they are trustworthy because of this and this and this. But knowing that we are so susceptible to non verbals. Even if you're an expert on non verbals, you are still human, your brain is still wired the same way, you are still susceptible.

Step back and assess where that judgment came from. Have they actually given you any reliable, grounded, robust information that they are trustworthy? And if you are just in the first conversation with them, it's impossible to judge whether they are trustworthy or not, because just writing this is based on a consistency of behavior across the board time, but it's impossible to know if someone is trustworthy based on such a short interaction because you don't know how well they're perception managing. 

So trust, but verify always and recognize your susceptibility to the influence of nonverbal communication.

Justin Beals: Yeah. A couple of things really resonate with me there.

One is that coming in, you know, with a sense of trust is mirrored by the person we're working with. It's the, so if I'm trying to build trust, I should walk in being trustworthy and expecting trust from the person I'm communicating with as well. I also love that this is a habit. Because one of the things that stands out to me is we may start with individuals and building a relationship, but we tend to apply that to a larger organization over time as well.

Right? Yeah. And so the organization stuff is happening as we interact with more different people or over time that we sense that, as an organization, they have a habit of being trustworthy.

Abbie Marono: Yeah, and I just want to throw in on the first point you made too, how much our interactions and the way we approach an interaction will affect how the interaction goes.

Because say you get a phone call from your partner. If you start that phone call and go, Hey! Good to hear from you! I guarantee you they're gonna be a lot more positive than if you answer and go, Hey. Instantly you feel the reflection of your emotion on them, because there's emotional contagion, because they hear your mood and they react to it, as they should, you know, if they hear anger, they go in to react to that, how they're evolved to react to anger, a little bit more, you know, is everything okay here? You know, someone walks into the room looking miserable, you know, maybe the boss comes in and you feel the energy drain from the room, but versus a different day, they come in and they've got a great smile on their face, you feel the energy in the room, we catch that emotion.

So if we go into a negotiation, we really want something from that other person, and we go in with that attitude of they're not trustworthy. What we're doing is we're making them sort of the exact same way. And we're going to limit our ability to have a successful outcome from that interaction.

Justin Beals: Yeah. Um, you know, one of the articles that I read, I think you have a couple of them in this space, is the myths of nonverbal communication.

Abbie Marono: Yes, I love anecdotes.

Justin Beals: I know. Well, look, there were some myths that I believed in that you, um, disrupted for me. So thank you. Even though it's hard to convince us differently, I'm trying to be really open-minded.

And I learned one of the ones that you talked about a fair bit in my college career in theater, which is 80 percent of communication is nonverbal. Yeah, no. Talk to us a little bit about this myth, Dr. Abbie.

Abbie Marono: It was so, firstly, just to say, we are all susceptible to myths. When I entered this field, I went into this field thinking you could 100 percent reliably detect deception with nonverbal behaviors. 100%. Yeah, I was incorrect. You know, I have flu and someness too, and then I learn more. I go, Ah, that's so frustrating because I don't want to have to change my opinion. I just argued with someone about it. You know, there's the ego effect as well, but that's science. We think one thing and then we'll realize something different.

Like, for example, like the left brain, right brain. There's a lot of myths around that, but it comes from the development of science and misunderstanding of science. So it's nothing to be ashamed about when we build all these myths and we realize that they're not true. It's just how science works and it can be a little bit frustrating, but this 80 percent myth.

I see everywhere and it, it gets to me. But again, this is because of a misunderstanding of research. So there is this perception and it goes from 80 percent to, say, 95. And I hear this all the time. 95 percent of communication is nonverbal or 80 percent of communication is nonverbal. And every time I hear it, the scientist in me screams a little bit.

And what it is, is there was a study done by Mehrabian, and it found, or he found, that in that study, which was related to liking and disliking, 95 percent of the communication occurred through a nonverbal channel. That's where the information was, and the 5 percent was verbal. But what it meant was, in that context, in that study, that was the percentage.

Human beings are way too complicated for one percentage to be consistent across the board. For example, say I'm interacting with the same person, the exact same conversation, put me in a bar versus in a conference versus over the phone, put it in different contexts. It's going to change the dynamic.

If you're talking about something that is very technical, then the verbals are likely to play more of a role. So it really does depend. It depends on the relationship. It depends on the conversation. You know, all of those things will play much more of a role. So what we say is don't consider the percentage, because it really doesn't tell you anything. Just increase your nonverbal intelligence and nonverbal awareness. And that's much more beneficial than trying to pin down a percentage of what percentage is nonverbal versus what's not. But it is great to see people recognizing the importance of nonverbal communication, just, you know, not to such a specific degree.

Justin Beals: Yes. We're complex creatures. Our interactions are exponentially more complex, you know, and I think also one of the things we have to accept that you pointed out about humans is that we want easy answers that make sense of the universe around us. Here are some other myths that I thought were great. If a person looks up to the right or down to the left to answer, uh, they are lying.

Abbie Marono: I think this comes from people saying, oh, but they're reaching their imagination centers. So now I'm reaching those centers of their brain when they're, you know, imagining a lie, they're constructing a lie. What about you when you're telling the truth? Aren't you revisiting that memory anyway? So that doesn't really make any sense.

And sometimes I look to the left, sometimes I look to the right. All that does, that looking up, is absolutely we look up when we're lying. We do it when we're telling the truth as well. We do it because we are thinking. And you can think when you're telling the truth. I'm thinking about how did it really happen versus how did I say that happened?

I'm thinking either way. I'm just thinking about something different. The thing with nonverbals is it tells you what. Like it tells you what emotion. It tells you that I'm thinking. It tells you that I'm under stress. It doesn't tell you why. And the deception is the why. You're going to ask me a question and I'm feeling distress and discomfort because I am lying.

Or maybe I had an argument prior to this interaction. And I'm showing what's called excitation transfer, where I'm carrying that emotion from my previous interaction into this interaction, and that's why you're seeing it. The nonverbals don't tell you why, they just tell you what. Tell you why. So it's great.

There is a lot of science behind deception detection. Just not when it's completely through the nonverbal field. Nonverbal is just one piece of the puzzle. When you couple that with verbal analysis and statement analysis, then you can have really effective deception detection.

Justin Beals: Yeah, that one stood out to me deeply because I do the look up to the right a lot.

I know this is a habit of mine, but it resonates to say that comes from imagination because I'm doing it usually when I'm trying to translate a very technical thing into a metaphor or something that is more approachable to someone that might not be, uh, technology, uh, knowledgeable. Yeah.

Abbie Marono: Yeah. Anything that increases cognitive load.

And you can look up because you're thinking, you know, again, it just, it doesn't necessarily read deception, but that is one I hear a lot. All the time. It's been brought up with me and I'm like, please, could you tell me the science of why? And when I say, you tell me the science of why, they stop and they go, I saw a lie to me. And I'm like.

Justin Beals: Oh, that's great. Well, Dr. Abbie, this has been absolutely fascinating and I really appreciate it. And you are going to be a good sport with us today. I really appreciate it. One of the things we like to do on SecureTalk is talk about a breach, and we're going to caveat this discussion by stating that you're not deeply a security expert.

So we're going to bring forward some social engineering though, but I think it's a great discussion and we appreciate it. So I'll talk a little bit about, um, this particular breach. This happened to Booking.com, and in an October 2023 attack, a threat actor initially emailed a member of a hotel's operations staff requesting help to find an ID document that they claimed to have lost.

The message did not include an attachment or malicious link. With no reason to be suspicious, the employee responded to the email and requested additional information to help them assist the fake customer. Later that week, the threat actor emailed back identifying the ID as a passport and stating that they strongly believed they had left it at the hotel.

They included a link to a Google Drive URL that reportedly hosted the photos of the passport and the guest check-in details. When the hotel employee clicked on the link, a .zip archive was downloaded to the computer's desktop. This was identified as Vidar InfoStealer, which executed on the device following multiple failed attempts.

The Vidar malware was configured to steal passwords, and a day after the malware was executed, the hotel employee observed that multiple messages had been sent to upcoming guests from the hotel's Booking.com account. A few hours later, customers started complaining that money had been taken from their accounts.

I thought this was a great example of a social engineering hack.

Abbie Marono: Yep. 

Justin Beals: You know, one of the things that stood out to me on this one, Dr. Abbie, was that they waited an amount of time between the initial email and the second email.

Abbie Marono: Yep. So what they've done is they've created familiarity. So because they first interacted and they didn't make a request, so there's nothing suspicious.

So they've brought the guard down, because we go in, every email that comes in, obviously they're going to be concerned about that, security issues. So they made a very simple request. They created a familiarity because, I know this person, we'd already communicated and their request was something very basic.

So it didn't bring up any red flags. So now that red flag, they're fine. So now they ask another request. They're like, Oh, I know this person. Yeah, we've already communicated, they're fine, because we overestimate the relationship already because they didn't do anything that was suspicious. So I trust them. It seemed like a genuine email. So they've played on that trust factor, you know, and you can do this in person too. Say, you know, going out and going to the smoking room, and say there's the same smoking area for two companies outside. You could go outside and talk about your job in this other building with the other person.

You don't belong there. You've never worked in this building, but you're talking about it. They interact with you. And then the next week you go in and you see them going in and you're trying to get through. I forgot my badge. I can't get through. And then, Oh, I know this guy. I mean, yeah, let him through.

He works here. He doesn't know anything about you, but what you've done is created prior familiarity. You didn't bring up, you didn't ask him for anything. You didn't bring up anything that was a red flag. So he was aware of those defenses. And now when you do, Oh, I know, I know this person. And it's really simple.

And once we've met someone and we've had that acquaintance, we overestimate the relationship a lot of the time and just, Oh, just let him through. Well, I know this person. You know, they said they work in.

Justin Beals: You know, the other thing on the psychology of the threat actor is that they've taken a real amount of time to understand the behavioral sciences they're using. 

Abbie Marono: Yes. Yes. So sometimes it's intuitive. So we forget that we're all, we're all social engineers. Even kids, people think that it's only malicious actors that use social engineering. Have you ever seen a kid ask their mom for something? Mom says no. So they go and ask their dad. That's social engineering.

You know, when you want something from a partner, but you don't want them to be annoyed about your request, you might say, You look lovely today. And then you ask them your request. You're lowering those defenses. You're putting them in a good mood because you know they're going to be more responsive. We all do it intuitively.

Some do it more intentionally than others. So it's not just a thing that threat actors do. We all use influence. It's just, the only difference is the intention to cause psychological damage and psychological harm. That's their intention. Ours might not be. You know, salesmen use it all the time. People who are charismatic do it all the time.

So it's not something that's limited to threat actors. So sometimes they do go off and research and do the psychology, but sometimes they're just intuitive to the fact that they know how people behave, because we are all prone to error. Nobody is a hundred percent secure all the time. So the best threat actors, they do understand the psychology.

Very, very well, they take the time to learn it because it's that human factor that will make them most effective. 

Justin Beals: Dr. Abbie, this has been a fascinating discussion. I'm really grateful that you spent the time with us today, and I'm very grateful for your research work and your applied work that you're doing with us.

Thanks so much for helping illuminate this part of security for us. 

Abbie Marono: Thank you so much for having me and thank you for your time.


About our guest


Dr Abbie Maroño, PhD, is both a scientist and a practitioner in the field of human behaviour. After completing her Ph.D. in Psychology and Behavior Analysis, she became a professor of psychology at an academic institution at the age of 23. In 2022, the US Department of State awarded her an O-1 visa for extraordinary abilities in the sciences, recognizing her as being in the top 1% of her field internationally. She is the Director of Education at Social-Engineer, LLC, and co-hosts The Social-Engineer Podcast. Abbie is an active member of internationally recognized research groups and was honoured as the year's reviewer in 2020. In addition to her academic and professional accomplishments, she is a sought-after keynote speaker, expert advisor, trainer, and coach. She currently resides in Orlando, FL.
