
Unveiling Cyber Security Insights with David Shipley: The Truth Behind Phishing and Technology Bias Join Jim Love and cybersecurity expert David Shipley in this insightful episode of 'Cyber Security Today.' They delve into the realities of phishing in...
Jim Love
Welcome to Cybersecurity Today. For every complex problem, there's an answer that's clear, simple and wrong. H.L. Mencken, the American journalist and essayist, said that. And frankly, I've been fascinated by science my entire life. Not as a concept, but as something that can have real utility. Because if you could find that thing that you called the truth, then you can understand cause and effect. And if you can do that, you can change the world. You can navigate through uncertainty. So it's not a surprise my hero in the Star Trek series was Spock. My favorite detective in fiction is Sherlock Holmes. And my favorite person to discuss cybersecurity research with is David Shipley. David and I are friends. We don't agree on everything. Catch our monthly news and review program if you want to find out more about that. But what we do agree on is that most of what passes for research in tech is marketing. You ask some questions, you pick the answer you like. And we're not the only people who feel that way. We want to know what causes things and hope to use that research to design something and avoid the mistakes that get made. Because when you do that, you get not marketing. You get what I like to call news you can use, facts you can leverage. And now that David is CEO of a security company, he's been able to sponsor his own research. So now we have to live up to what we've said. That's a big job. But I've called him in to bring us some insights. Now, listeners will remember that we had a preview of this earlier this year. But I thought and I wanted to bring him back to talk about the report now that it's in full final form and I guess everybody can get a copy of it. Welcome, David.
David Shipley
Thank you so much for the opportunity to do the follow up.
Jim Love
One thing, the first thing, and this is what I mean about stuff that jumps out to you in one in five is the number that jumped out of me in this report. One in five. Can you tell me more about that?
David Shipley
When we think about our highlight reel in the report. So the average number of real phishing emails that we've seen make it past email filters and land in employee inboxes over the past year is 1 in 5 or 20%. And that's what we refer to as the phish leakage rate. Now we've seen it as low as into the low single digits, 5%. We had one outlier that was on the high end, that was 32% of phishes. The total number of phishes landed inside of the inbox. But on average, email filters don't catch 99.99% of phishes. They have a leakage rate. And probably one of the most important things that we've learned is that your security awareness and behavior culture program, the insights that you gain from your people doing the things that you want them to do, spotting and reporting phishing, can be used to generate meaningful metrics to compare security technology controls. And that's not to say that email filters are needed or good. Like that's like saying seat belts, airbags are a bad idea. If you're in that camp, I'm not going to try and convince you. Seatbelts, airbags, driver safety things, great, but don't rely on them alone.
Jim Love
You still need a steering wheel and brakes, right?
David Shipley
Yeah, they still need a driver being responsible.
Jim Love
Absolutely. But this one in five and this is something, and I want to walk through the report, but this is something I've talked with you about since I've known you. I've got this brochure here from security company ABC and it tells me they can get my leakage down to nothing. Like I just got to get their tool.
David Shipley
So a couple of different things and actually this ties into another really important finding that we'll get into about technology bias. We've discovered something really powerful. This issue of technology bias is that we believe, and more and more of us believe, that these technical tools solve all of our problems. And we as humans are wired to want to believe this. It means that I don't have to worry about this. It means like this is something that's off of my shoulders, the tech, the AI, et cetera. It's got it. And what happens is we've got this trap. And this is something that I think in terms of future research, we need to dive into more. And it's broader than just Beauceron. Here's the issue I think of this happening. In order for a CIO or a CISO to get that scant resource of time and money from their organization, they first have to win the risk battle. This is a risk in all of the risks that we have in our business that is the most important for these dollars to be spent on in cyber has gen a decent job, sometimes disproportionately to all other risk. When you think about things that business apps deal with. But then when you get the dollars, you have to demonstrate that you have picked a solution that is the best possible solution to that problem. And so you go out to the market and now the vendors who, if they're being honest and giving you the full, let's call this the pharmaceutical ad, this product may have the following side effects, they would be telling you that, yes, it has a 99.99% catch rate. The catch rate is subject to the following things. Did you configure it properly? Did you turn off certain features? Because you know that really important email that didn't make it to the CEO because there was a false positive and then you were given instructions, I never want to have that happen again. And so the lab results against a certain test at that point in time aren't the actual in the field results. And the other part is it.
It also ignores the incredible power of the human creativity in the hands of attackers. I wrote a report even just this week where one of them was using exceptionally targeted phishing emails. And then really it's this thing called polyglot formats. And so the ability to use multiple formats and then chain them together to bypass the email filter because the technical thing looks safe. As long as you have creative humans kicking up things, you're going to get by email filters. And you can't just rely on the tech alone to protect it. But a buyer looking to all the sellers is not going to reward the vendor that says, realistically we'll stop 90%. They will always go to the vendor that's going to say 99 and that's we can get into. The lemon car problem is a great economics explanation of information asymmetry between buyers and sellers. But this is also getting into the psychology. And this isn't just email filters. This is every email security product you buy.
Jim Love
All I have to say is I wouldn't have a podcast if technology prevented all cybersecurity problems. And just as an aside, before we dive into this, I picked up one this week. I might have fallen for this one if I'd seen it because I was doing something with PayPal that I just happened to be doing at it. And I was reading about the story and somebody had tricked PayPal, a long story, but really actually not that hard, was to trick PayPal into sending out emails for them. And so the phishing emails were coming out from a legitimate source with a legitimate name. All those checklist things that you tell people to check, check. Why didn't I when I looked at it? Why wouldn't I have fallen for it? It just didn't seem right.
David Shipley
Absolutely. In terms of all the findings of the report, the technology bias one is the most important.
Jim Love
So can you go back and explain that really well. So let me back you up and explain this because I think this is really important and it leads out of where we came from. We like to believe that we're protected. I'm not saying that technology vendors are lying. I'm just saying marketing people are going to present their best case the best way they can because we can't change that part of the world. But the fact is there is a bigger leakage than we think. Yeah, and we're biased. According to what you've come up with in your research, we could be biased in a way that would make us more vulnerable.
David Shipley
So in the Beauceron process, since we launched in 2017, we've had survey capacity. So when hundreds of thousands of people have been onboarded into Beauceron, they should complete this short five minute survey. It's about 25 questions. We've done two iterations of the survey. The one that we've had the longest now was developed in 2019. We've had 170,000 people complete the survey and we ask a very specific question.
Jim Love
We ask, so I want you, I'm gonna stop you there. I think 170,000 is statistically relevant at this point.
David Shipley
Yes. And again, going to our point about science, like you can make a lot of arguments about the perfect survey and the value of qualitative versus quantitative data. I'm not going to have those arguments like we created an instrument, we conducted an experiment, here have been the interesting results. So traditionally we would just look at what the trend changes were. The question that we asked that was the most interesting, that kind of blew our minds, was actually developed from feedback from some brilliant friends in the airport lounge, in the airport in St. John's on a trip back and forth. It was a throwaway line and it said I'd love to know if people really think the security tools completely protect them. They say, okay, well what's the question? Having security tools like antivirus or firewall means I'm completely protected from Internet threats. One in three employees in organizations believes that. The number of people who believe that is increasing. It's up 25% since 2021. If you strongly agree or agree on a five point Likert scale with that question, with that proposition, your average cohort click rate for that group is 140% higher than those who strongly disagree with that proposition. So if you don't believe the tools fully protect you, that cohort has an average click rate propensity of about 3%.
Jim Love
Let's just because people are listening to this for the first time, if I think that I'm fully protected, if I'm one of those people, I believe the technology protects me, I'm going to have a higher degree of leakage than the people who are suspicious and say maybe technology won't protect me.
David Shipley
So slightly different than the leakage rate. So this is the propensity to click. So leakage rate is okay. So leakage is how much stuff is actually hitting your people. It ain't 1% of all phishing emails, kids. Now how, how likely are your people to then click on those things dramatically increases based on their belief that they're not actually going to get that bad thing happen.
Jim Love
But that kind of makes sense. If I think that technology protects me from 100% of the risk, then whatever I've got out there, I should be able to click on.
David Shipley
It's exactly it. This is one of the first and largest scale attempts to actually put how much more dangerous is having this view than not having this view. And then the question listeners might be getting to, so what, or what do I do with this? What this means is that the most important focus for your knowledge dissemination, your security awareness, marketing internally to your organization, is to lower that percentage of people. Get off of the activity metrics of we've assigned the mandatory annual training course to all thousand of our employees and the average score was 80, which are activity based metrics, and get to, okay, geez, 60% of our people have technology bias. Now the average for Beauceron is 30. There are some organizations who may have higher and lower than 30. That's the average. And he said we need to get that number down so we need to change that belief. So your key messaging needs to be on these particular areas.
Jim Love
But this is the CISO's challenge. You can't go up and say we paid $200,000 to buy all this stuff or x hundred thousand dollars buy all this stuff. By the way, it's only 80% effective. Even though we all know in the industry that you layer your defenses because none are perfect. In other words, the internal discussions we can have, you can never have with a board. Or maybe you should, I don't know. You've got that problem. And now you've got people who are believing that this stuff will protect them because then they'll start to use it. And now you got to go back to them and say but it's not perfect.
David Shipley
Yeah, there are many paradoxes for the CISO, but this is a hard one. I think this is where CISOs who have the benefit of both technical enough background, but also a managerial, business, strategic background. You hear the debates that CISOs should have their laundry list of credentials and the technical aspect and those are important and understanding those domains. But I would argue that it is equally important to understand people, process and culture and internal politics and these type of things. The most successful CISOs I know have this fascinating mix of these particular skills. Because this is a problem. And I guess that's the thing that I want to say is that 30 years of security awareness training and you can find a research paper from the US DOD from the 1990s talking about gamified security awareness and computer based training. We've been talking about this a long time, we've been doing it a long time. And the definition of insanity is doing the same things over and over again. So what I'm trying to say is where we're landing is the messaging matters. And so there is a way of shaping these things. And the analogy that we use and we talk about is the evolution of driver safety aids in modern cars is fantastic. These are helping save lives. But you wouldn't just throw an untrained 15 year old into the latest car with all these features and say, close your eyes, push the gas pedal, the car has got it. We're going to do some driver training. So you got to have that balanced approach. And I think the other part, in addition to the messaging matters, that's probably the one thing I can say. There's lots from our work, from this report, that lead to more questions than I have answers to. And I think that's the definition of good science, is that we keep peeling this thing back and we keep coming up with more questions.
Jim Love
Yeah, another one, and we talked about this before, that was this idea of they always say you can never have too much training, but you've actually in your report said there are limits to the effectiveness of training.
David Shipley
Yeah. So what we found in our research is that people, if you took more than one hour of training, saw weaker results. So poorer results when it comes to click rates, less engagement on reporting than those whose training time fell between 30 and 35 minutes. More is not always better. What our research is leading us towards, and some of it does show, is that if you do too much training, you could have two potential negative effects. The first is something that's very well researched. It's called the Dunning Kruger effect. That is the propensity of people with a little bit of skills to vastly overestimate their competence early on in the learning cycle or at a particularly dangerous point in the learning cycle versus experts when they cross through this valley. On the other side of this, they actually, ironically, underestimate their skill. They're less confident in it, but they're actually more competent. So that's problem number one. Too much training too fast or the wrong training might make someone too confident. I'm not gonna fall victim to a phish. I've done my training. The amount of times I've seen where people have just completed the training and then clicked on the phish. How do we make sure that it's the right amount of training at the right frequency? And the other part is this, and this is really important because there are vendors in our space and I deeply disagree with some of the things that they're doing. One of the things they're doing is they're saying, phish people as much as possible and train as much time as you can possibly get from the organization. Nope. There is an economic force, diminishing returns. We have now demonstrated there is an optimum amount. We've also been able to see that there's an optimum frequency of every 90 days. So those doing annual training of an hour long are going to have poorer outcomes than those doing 30 minutes split up over four interaction points in the year on top of monthly phishing.
So there's a right balance, but most importantly, there's a return on investment. That's an important point.
Jim Love
I would have thought people would be cheering for this because, and we've talked about this before, when you actually take an hour out of everybody's day and you have a thousand employees, that's a lot of time.
David Shipley
And here's the other thing. There's a second class that over training creates. And we have more work to do on understanding how dangerous this is. But this group is what I'll call the security detractors. These are your absolute opposite of security champions. They are disengaged at best. At worst, they actively may start working against the security team. Because if you're a busy salesperson at your most critical quarter and your bonus is on the line and you feel like you were robbed of an hour of the most important time that particular quarter for what you felt was unnecessary training, you're going to remember that. And that has a cost. So optimizing, making every single minute you take away from someone's time to focus on security, to do that, there's a balance. And salesperson's one example. Canadian example, healthcare. We are desperately short of healthcare professionals. They desperately need to be engaged in the fight to protect their hospitals and be aware about cyber threats. But if you can take 20 minutes from an ER doctor's year and get the same effect or better than an hour, take the 20, because that just makes sense on that. But the other part is currently, and I see this in the market dynamics, is that the biggest emphasis right now that's irrelevant because you don't. You'll never use it.
Jim Love
So.
David Shipley
Sure. But the second most dangerous trend is we need entertaining content because then people aren't complaining about it. So you see this trend towards. We're going to do a Netflix style dramatic television series about cyber security and we're going to have a whole series. Isn't this great? Are taking it. They're talking about the TV show. Yeah, but did it drive the outcomes and the results, did it actually move the needle? How do you measure that against things like technology bias?
Jim Love
This is so funny. I actually, in my past life as head of content for IT World, I actually saw people who had developed this incredible training. It was so high quality and I had to say I was impressed. They did these big scenes and they're great actors and great production values and you know something? Can't remember a single fricking thing I learned from these things, except that you shouldn't tear the cables out when you're attacked by ransomware. Not that I've ever seen anybody do that, but that's all I can remember. And they were brilliantly done.
David Shipley
But, but the thing is, and to the folks listening to this, we need more research to establish boring might be good. Like boring may actually be remembered. But more importantly, going back to what I was talking about, the content needs to focus on the core actual problems and the core problems, number one, technology bias. I got tools. I don't actually have to worry about this. So forget the focus on are we entertaining our users? Are we actually making sure they don't have this particular preconception, this particular bias?
Jim Love
Yeah.
David Shipley
The other part in our research that's interesting is optimism bias. And so optimism bias is a natural force. It's in every single human being to varying degrees. It's as unique as every human is under the sun. And the only people who don't have some element of optimism bias generally are going through major depressive disorder. Optimism bias is the natural propensity to think something bad is more likely to happen to Jim than to me. What's interesting is we see this in organizations. People that think they're not a target or think the organization's not a target, behave in demonstrably more dangerous ways. So again, tying back to my point about your content needs to focus on yes, it can happen to you and you need to measure if people believe that.
Jim Love
The classic one in this though is it happens to everybody who's attacked. We're too small. We're not. No, we. We used to call it security by obscurity, but it was that whole idea of they're not gonna, nobody's gonna attack us. And guess what? There's a whole industry involved in attacking smaller and mid sized businesses. Yeah. So that's the optimism bias. Interesting.
David Shipley
Now what's really interesting is one of the things that we are promoting people to do is, and in our report we talk about our most popular courses and we laid out this table about not just which courses people were taking and how much time they spent, but what were the actual outcomes. So the three most popular courses in our platform, so that they have the highest self enrollment rate: Cyberbullying in the Workplace. Have I Been Pwned? So an exploration of data breaches, et cetera. And a video that we did years ago, low budget, one that had a kind of a humorous take on all the smart assistants at the time. So it was called Rainforest Repeat. You can guess which company we were having a little bit of fun with. And the folks who actually took these courses, we actually laid out, well, what was the average click rate for folks who took the cyberbullying in the workforce? So it was 4.5%. What was their report rate? These folks actually had a 44% report rate. Now what I can't tell you is did this course cause this behavior? But we've started the conversation of, okay, what are some of the variables we're looking at? How can we study this at a deeper level? What content matters? And that's a more important discussion to have than our users complaining if our training is boring.
Jim Love
I'm going to backtrack. Just, I'm going to take you off track again. But you're used to that with me. Just give me some context for those numbers you just used. 44% report rate. Is that good? Is that bad? How should I react to the data you gave me?
David Shipley
In our industry, when you talk about the outcomes from a phishing simulation exercise, there are typically two metrics that are talked about the most. The first is did someone engage with the phish in a way that in a real world scenario could have been harmful? And that's everything from clicking on a link, opening an attachment, scanning a QR code, going to a landing page and entering credentials. That's typically the way that we measure, quote, unquote, failure of those tests. And click rate is an important metric, but it is highly manipulatable. And what do I mean by that? The difficulty of the actual phish lure, the maturity of the audience receiving it, the type of lure it is. There's incredible variability in click rate. There are three ways that you end up engaging with a phish. You accidentally clicked, like you were trying to hover over it in your phone, et cetera. You serendipitously clicked that through pure, just bad luck. You were genuinely expecting an Amazon package that day. And my little phishy arrived just at the same time. So serendipitous and accidental. And then the third is it genuinely engaged me on the emotional cognitive level and I was curious, afraid, sad, happy. I was actually affected and driven to act. Which, by the way, dear listeners, is actually something we've just put a new research tool in place in our platform to study. I don't have the data yet. We have a new survey after people fall victim to ask them questions about why they click so we can better understand what actually drove the click and what interventions may or may not work. So one of the things that can frustrate people is like, why is the click rate so variable? Why is this not working? Why is it not dropping? There are so many different variables happening. And for those listening, I'm gesturing madly with my hand at that particular point. Now, report rate is a much more important metric.
So report rate is the percentage of people who received that phishing test who then took the step of, and typically this is done with a button, clicking the report-a-phish button, and sent it on to the organization. And so in the most positive scenario, they saw the email, something triggered in them and said, this doesn't feel right. They didn't click on it and they reported. That's amazing. And that's what that 45% report rate is. And across most organizations, the average is actually about 25%. So to put that 44%, you have a population that's self identifying as being more engaged in security. These are the topics they're interested people who have this. And again, these are correlated. They're not necessarily causation yet. It's just interesting so far. And then I mentioned that's typically the binary, did they click or did they report? But there are two other really important metrics that I just want to highlight as you're having this discussion about outcomes, one of which is one that we just started talking about this year and I have to give a shout out to the Verizon data breach report because they planted this seed in my head. In the Verizon data breach report, they highlighted a new metric, post click report rate. So the post click report rate is the percentage of people who fell victim to a phishing simulation test who would go on to report. And taken as a rough proxy, if someone does the wrong thing, are they going to tell your IT team? And I now believe that is the most important metric we need to focus on for the next few years. It's great that I have my highly engaged, highly aware audience that's going to report and not click. But more important to them is the folks that do click. Will you ask for help? Now, for Verizon, it was 11%. For our population, and this is interesting, it was 15%. That's a noticeable difference. That's statistically relevant.
Jim Love
I want to tie that to another piece in your report where you've got 4.5 hours after a phish. Like if somebody makes that mistake, you have a really short window to do something. Did I read that right?
David Shipley
So 4.5 hours is the average. 4.6 hours is the median time to click after a phish is received. The first four to five hours is your greatest opportunity. What's important about how we got to that conclusion is that when we have our clients' default set up, we encourage them to do randomized monthly phishing, ideally on a 24 by 7, 7 day a week basis. Because attackers don't exactly schedule. Some of them are more sophisticated than others. Others are just running scripts. They're firing the stuff all over the place. So we wanted to better approximate some of the randomness that happens in the real world. That's why that number is different than some of the other research reports that others put out, because they are more focused on when these are sent versus how fast they click. This is more about from the time the phish is actually received by the email inbox to when a user potentially engaged with it on a 7 by 24 basis. That gets really interesting because you might be thinking, well, 4.6 hours, my security team's in place from 9:00am to 5:00pm. We got this Monday to Friday. How do you use security awareness data to understand your actual overall risk as an organization? And do you have the appropriate service provider, services, teams, resources to respond when A, the phish will get through, B, a portion of your population will click on the phish, and that's not going to always happen when you're ready for it to happen.
Jim Love
Somebody does something stupid, I've done it, everybody's done it sooner or later. And you say, wait a minute, I clicked on something I don't think I should have. I am now in a position to isolate that machine, check things out, do all kinds of things, and maybe save us a mountain of hurt. So encouraging people to report when they've made a mistake has gotta be a great thing.
David Shipley
It's absolutely essential. And lastly, the last metric that I want people to understand about phishing outcomes is something that we've talked about a lot, it's the ignore rate. So the ignore rate is people who didn't click but they didn't report. They've exercised the old school advice of if you think it's a phish, just delete it. Deleting protected that individual. Absolutely did not protect the organization. By not reporting it, you denied the organization a chance to see what kinds of attacks got by the email filter, who's getting targeted, who actually knows how to spot a real phish. How effective is my security awareness program? Interesting. Is this phish around other inboxes? And you might be thinking, David, there are technology solutions that will automatically remove phishes that are detected post delivery. And I could name off four vendors that do them if they are weaponized in that particular way, if they have a link, attachment, et cetera. But if it's just got a telephone number in it, straight text, and it's saying your McAfee is overdue and you've been billed 700, call this number now. They're not going to detect that, dude. Or it's a regular innocuous, non malicious conversation at the start of a wire transaction. These tools are not going to detect that. But if someone goes, geez, I did reply back to that person and I said, yeah, I can engage, I want to talk to the security team, you can learn about that. And again, one of the most important things that we've learned, and I apologize if I get this wrong because I have so many different numbers in my head at any given time. But when you close the feedback loop, when people report I made a mistake or I suspect this, I didn't make a mistake, you drive engagement. They're 40 to 50% more likely to report things because now you're worth something to them. It's easier to do the right thing than it is to do the wrong thing.
Jim Love
What else did I miss? And again, I've been through the report before with you. I've looked at it again this time. What did I miss? What did I not bring up that amazed you or interested you out of the report? Not that we're going to cover it all. We will provide some sort of instruction so people can download it. What did I miss?
David Shipley
I think one of the things that was interesting was, and I don't have all the answers for this, but we saw some pretty wild swings in changes in click rates. We saw a massive increase in click rates in hospitality and so we are much more likely to click this year than last year. Healthcare and pharmaceuticals saw a 69% increase in click rates along with some reductions in report rates, some disengagement on that side. So it's interesting. What I would say is the next stage of understanding why things are changing. One is we're doing some more work to better understand did it change because the phishing got harder? And that's where I really want to recommend people to start looking at the NIST Phish Scale, which is a vendor agnostic industry academic standard for rating how difficult these things were. This gets back to my point about click rates being very variable at various points. That was interesting. On that side we also saw some really positive things. So for example, the insurance industry, props to you guys. They actually had a 102% increase in reporting. That was fantastic. You can see that people, when shown that there's a better way, rather than clicking, going to the button gives them value, not just helping the company, but they can actually get feedback. You can drive that loop. So those were some of the big things that we wanted to highlight in the report. Usually the industry list is the most popular part of our reports. Everyone rushes over to see what industries are most likely to click and how they stack up against their industry peers.
Jim Love
That's how we're better than somebody, better than the other team.
David Shipley
Exactly. We talk a little bit about year-over-year changes in report rates. Not all of the reports out there do that. I think that's a positive sign. And then when we talk about organizational size, the other part that I think is probably impactful is just thinking about the trends in sentiment changes. I highlighted technology bias, which is the most important one. But we've also seen some positive ones: a 15% increase in people who agree that information in their custody could be a target for cybercriminals. That's a positive trend since 2023, and that means that people are going to be less likely to be susceptible to optimism bias. That's amazing. And we've also seen a decrease in the portion of the population that thinks, ah, cybersecurity, that's primarily an IT issue. That's a view we want to see keep decreasing. So that's good. So those are some of the big highlights on things. Obviously, what phishing templates worked the best: performance review, a very Microsoft SharePoint theme, worked well. We did note that there was a particularly stealthy template, and this is something we want to do more research on. The stealth template is one that has a high click rate and a low report rate. So it really gets them, but it doesn't seem like it's a phish, so they don't report it. And there is much more work we have to do on that. But I think this is an attack technique we have seen criminals use, where they purposely disguise phishes as spam so they decrease the propensity that people will try to report it, while maximizing their chance of actually getting them to engage with it. Which is interesting, and it's a new level of sophistication.
Jim Love
Now it seemed to me, though, that you could use this report also to just benchmark where you are right now.
David Shipley
Yeah, that's goal number one. Honestly, when we publish this report we want to say, okay, here's how you stack up. Goal number two is: here are some really cool questions and things to think about as you think about how do I get better, where do I go next, how do I think about this differently? And really drawing on new information sources that particularly some of the security awareness managers, or IT-centric security awareness managers, may not have been exposed to: psychology, neuroscience, other things. How can we contribute to the body of knowledge and upskilling on that side?
Jim Love
Yeah. And so how has this changed what you do with what you've learned from this?
David Shipley
That post-click report rate? Honestly, I have been thinking about that nonstop since we really started focusing on it. What do we need to do to further incentivize people to draw the connection, to make sure that you report? Because if we're at 15%, which is better than the 11% average that Verizon published, how do I get that to 25%? What is the business value and impact if I can get it to 50%? Like, how much risk do I tangibly reduce for the organization? So we're having some fascinating conversations, and that's for those that do work with us, and we've got about 1200 organizations and a million people. I think I announced in November, when we did the preview, that we had crossed the million mark; we're blowing by that now. But that's what you're getting when you work with us: this relentless drive to actually follow the data, ask more questions and focus on the areas we think are going to drive the most value. I'm concerned that the bias in my industry is to sell what they hear from the buyer, which is "people complain too much about security awareness training, make it less boring, how do I solve that particular problem?" That may not be your biggest problem. Post-click report rate is your biggest problem. You need people to be more engaged with this. So that's the part: arming yourselves with better knowledge and more questions. The rewards and consequence model, this is something I'm thinking about more. We hear a lot about this: should I fire someone if they fall victim to three phishes in a year? And this ties back into the point about post-click report rate, the culture that you create. If people are too afraid to admit they made a mistake, then you may never hear from them when they do click. Because they may assume my risk of getting fired is too high; I'd rather chance that it wasn't that big of a deal and no one's going to notice.
What happens when you engage the manager and you teach the manager how to have a positive conversation about why being more vigilant about security matters to them? And by the way, when people think their manager cares, they care more. Yeah. So those are some of the big things. I think there's so much more work that we have to do. I hope the report leaves people with the distinct impression that the human side has got tremendous opportunity for positive security ROI with incremental investment, that there's so much more we can yield, and it doesn't take that much more, but it takes a curious mind and wanting to go, can we do more than just check the box? And I believe there's a business benefit to doing that, and how do we drive that. And I do believe that there's this drive towards how do we be seen as an enabler to the individual in being successful. If I had to end with sort of my overall kind of what this research has taught us: people know security is a thing. You can deliver targeted messages to help them overcome some of the most prominent biases that they have: of technology, their own optimism bias. You can avoid over-training them, you can engage them enough to make it valuable, and you can build and sustain motivation, and that's where the focus needs to be. But don't just think about your people as a liability, as a risk to be managed. Do not get trapped by human risk management and think that is the peak of where this industry is at. It's a sub-function of where we're at, and the most successful programs will be able to incorporate human risk management into that broader security awareness and behavior change program.
Jim Love
How do I get a copy of it?
David Shipley
So it's available on our website, and you can fill out the form. If for some reason you're like, "I super don't want to go through a gated thing," my marketing people would really appreciate it, because they would like to sell stuff. But you can also just reach out, just ask for it. Just reach out to info@beauceronsecurity.com and just ask for the annual report if you don't want to go to our website. We'd appreciate people going to the website and filling it out so we know who's looking at it and the impact it's having. It helps justify the not insignificant amount of resources that we pour in. It's probably about tens of thousands of dollars' worth of staff time and other time that have gone into packaging this up. But the other ask I have: give us feedback on what we have in there that resonated. Where do you think we're wrong? And that's the part where people ask me, how do you say that you're science-driven versus competitors that are more marketing-driven? The definition of science is that you can be provably wrong, and you can go and try and figure it out, and then you can keep digging. Help us advance the state of this field and get engaged. And yeah, those are the asks, and obviously we would love to work with you as a client; this is what we're about, the journey we're on. And for those who are listening who are Canadian, we are 100% proudly Canadian made, Canadian supported. We appreciate our many Canadian and American and global customers.
Jim Love
There you go. My guest has been David Shipley, and you're back to work next week. Shipley, as a commentator now, is the CEO of Beauceron Security, and you can find them, and as he said, if you're in the Canadian frame of mind right now, 100% Canadian company and doing some great work. But aside from that, even if you don't buy anything from them, check out this research. Worth doing. David, I will see you back at our next show. Thanks for coming in. This has been Cybersecurity Today. I'm your host, Jim Love. Wherever you are, if you're having a coffee on a Saturday morning listening to this, or back at work, whatever you're doing, hope you're having a good time doing it. Thanks for listening.
Podcast Summary: Cybersecurity Today
Episode: Unveiling Cyber Security Insights: Research Report with David Shipley
Host: Jim Love
Release Date: March 15, 2025
In this enlightening episode of Cybersecurity Today, host Jim Love engages in a deep dive with David Shipley, CEO of Beauceron Security, to discuss their latest research report on cybersecurity threats and strategies for businesses. The conversation centers on the prevalence of phishing attacks, the limitations of current technological defenses, and the critical role of human behavior and awareness in mitigating cyber risks.
Notable Quote:
Jim Love [00:00]: "For every complex problem, there's an answer that's clear, simple and wrong."
David Shipley introduces a striking statistic from their report: 1 in 5 phishing emails successfully bypass email filters and land in employee inboxes, a rate they term the "phish leakage rate" (20%). This figure underscores the persistent challenge that phishing poses, even with advanced filtering technologies in place.
Notable Quote:
David Shipley [01:56]: "The average number of real phishing emails that we've seen make it past email filters and land in employee inboxes over the past year is 1 in 5 or 20%."
A significant portion of the discussion revolves around "technology bias"—the overreliance on technological solutions to solve cybersecurity problems. Shipley emphasizes that while tools like email filters are essential, they are not foolproof. Human vigilance remains a critical component of an effective cybersecurity strategy.
Notable Quote:
David Shipley [03:41]: "We believe, and more and more of us believe that these technical tools solve all of our problems... But a buyer looking to all the sellers is not going to reward the vendor that says realistically we'll stop 90%. They will always go to the vendor that's going to say 99."
The conversation delves into the importance of fostering a security-aware culture within organizations. Shipley highlights that security awareness programs and employee behavior are pivotal in reducing phishing success rates. The report indicates that companies with proactive training and engagement see better outcomes in phishing simulations.
Notable Quote:
David Shipley [07:35]: "Your key messaging needs to be on these particular areas."
Contrary to the conventional wisdom that more training equates to better security outcomes, the report reveals diminishing returns with excessive training. Shipley explains that training sessions lasting more than an hour can lead to weaker results, attributing this to phenomena like the Dunning-Kruger effect, where individuals may overestimate their abilities after insufficient training.
Notable Quote:
David Shipley [15:13]: "People, if you took more than one hour of training, saw weaker results."
The research advocates for short, targeted training sessions distributed regularly (e.g., every 90 days) rather than infrequent, lengthy courses. This approach not only improves retention but also minimizes the creation of "security detractors"—employees who become disengaged or resentful due to excessive training demands.
Notable Quote:
David Shipley [17:18]: "There is an optimum amount. We've also been able to see that there's an optimum frequency out every 90 days."
Shipley introduces several critical metrics beyond the traditional click rate to assess the effectiveness of phishing simulations:
Notable Quote:
David Shipley [23:21]: "Report rate is the percentage of people who received that phishing test who then took the step of... something triggered in them and said, this doesn't feel right. They didn't click on it and they reported. That's amazing."
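As an added illustration (example code, not from the report or from Beauceron Security), the following Python computes the outcome metrics the episode discusses from per-recipient simulation records: click rate, report rate (reported without clicking), post-click report rate (of those who clicked, the share that then reported) and ignore rate (neither clicked nor reported). It also computes the year-over-year relative change used for the industry comparisons and flags a "stealth" template (high click, low report). The sample records, the stealth thresholds and all function names are constructed assumptions, not values from the report.

```python
"""Outcome metrics for one phishing-simulation campaign.

Added example, not code from the report or from Beauceron Security.
Metric definitions follow the episode's wording; the sample records,
the stealth-template thresholds and the function names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Outcome:
    """What one recipient of a simulated phish did with it."""
    user: str
    clicked: bool
    reported: bool


# Constructed sample: ten recipients of a single simulated phish.
SAMPLE: List[Outcome] = [
    Outcome("u01", clicked=False, reported=True),
    Outcome("u02", clicked=False, reported=True),
    Outcome("u03", clicked=True, reported=True),   # clicked, then owned up
    Outcome("u04", clicked=True, reported=False),
    Outcome("u05", clicked=True, reported=False),
    Outcome("u06", clicked=False, reported=False),  # silently deleted it
    Outcome("u07", clicked=False, reported=False),
    Outcome("u08", clicked=False, reported=False),
    Outcome("u09", clicked=False, reported=True),
    Outcome("u10", clicked=True, reported=False),
]


def phishing_metrics(outcomes: Iterable[Outcome]) -> Dict[str, float]:
    """Return click, report, post-click report and ignore rates as fractions.

    click_rate:             clicked / delivered
    report_rate:            reported without clicking / delivered
    post_click_report_rate: (clicked and then reported) / clicked
    ignore_rate:            neither clicked nor reported / delivered
    click_rate + report_rate + ignore_rate == 1 by construction,
    because every recipient falls into exactly one of those buckets.
    """
    rows = list(outcomes)
    delivered = len(rows)
    if delivered == 0:
        raise ValueError("no delivered messages to measure")
    clicked = [o for o in rows if o.clicked]
    reported_clean = [o for o in rows if o.reported and not o.clicked]
    ignored = [o for o in rows if not o.clicked and not o.reported]
    post_click_reports = [o for o in clicked if o.reported]
    return {
        "click_rate": len(clicked) / delivered,
        "report_rate": len(reported_clean) / delivered,
        # Undefined when nobody clicked; return 0.0 rather than divide by zero.
        "post_click_report_rate": (len(post_click_reports) / len(clicked)) if clicked else 0.0,
        "ignore_rate": len(ignored) / delivered,
    }


def relative_change(previous: float, current: float) -> float:
    """Year-over-year change as a fraction: 0.10 -> 0.202 is 1.02, a 102% increase."""
    if previous == 0:
        raise ValueError("previous rate is zero; relative change is undefined")
    return (current - previous) / previous


def is_stealth_template(metrics: Dict[str, float],
                        click_floor: float = 0.3,
                        report_ceiling: float = 0.1) -> bool:
    """Flag a template with many clicks but few reports. Thresholds are assumed."""
    return metrics["click_rate"] >= click_floor and metrics["report_rate"] <= report_ceiling


if __name__ == "__main__":
    m = phishing_metrics(SAMPLE)
    for name, value in m.items():
        print(f"{name:>24}: {value:.0%}")
    print("stealth template:", is_stealth_template(m))
```

On the constructed sample the three delivered-denominator rates partition the population (40% clicked, 30% reported cleanly, 30% ignored), while the post-click report rate uses clickers as its denominator, which is why it is tracked separately from the plain report rate.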
The report uncovers varying phishing click rates across industries, with significant increases observed in hospitality, healthcare, and pharmaceuticals. Conversely, the insurance industry demonstrated a 102% increase in reporting, highlighting effective engagement strategies.
Notable Quote:
David Shipley [31:40]: "Healthcare and pharmaceuticals saw a 69% increase in click rates along with some reductions in report rates... The insurance industry... actually had a 102% increase in reporting."
Optimism bias—the tendency to believe that negative events are less likely to happen to oneself—is identified as a major vulnerability. The research shows that employees who do not perceive their organization as a target are more likely to engage in risky behaviors, such as clicking on phishing links.
Notable Quote:
David Shipley [20:50]: "Optimism bias is the natural propensity to think something bad is more likely to happen to Jim than me did."
To combat the identified challenges, Shipley recommends:
Notable Quote:
David Shipley [35:43]: "Don't just think about your people as a liability, as a risk to be managed. Do not get trapped by human risk management and think that is the peak of where this industry is at."
Jim Love and David Shipley wrap up the discussion by emphasizing the importance of understanding human factors in cybersecurity. Shipley advocates for ongoing research and a curious, data-driven approach to enhance security awareness programs. He invites listeners to access the full report for a comprehensive understanding and encourages feedback to further refine their insights.
Notable Quote:
Jim Love [39:29]: "But aside from that, even if you don't buy anything from check out this research worth doing."
Listeners interested in exploring the detailed findings are encouraged to visit Beauceron Security's website or contact them directly at info@beauceronsecurity.com to obtain a copy of the annual report.
This episode serves as a crucial reminder that while technology is an essential defense mechanism in cybersecurity, the human element remains equally vital. By addressing biases, optimizing training, and fostering a proactive security culture, organizations can significantly enhance their resilience against evolving cyber threats.