Lisa Plagmire
You're listening to the CyberWire network, powered by N2K. We've all done things with technology that we shouldn't. There was a time in your life when you reused a password or clicked on something you shouldn't, or almost clicked on one of those malicious texts that we're all getting all the time. You felt the emotion spike when somebody gave you some urgent message that one of your kids was in trouble or there's fraud on your account or something. We've all had the emotional reaction to that and hopefully caught ourselves before we did something. But I think it's leaving people with a sense of empathy that we all do these things. We're not going to solve for human error. And so designing software and systems and products that are more secure by design is really, I think, the way forward.
David Moulton
Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42. Today I'm speaking with Lisa Plagmire, Executive Director for the National Cybersecurity Alliance. Lisa is on a mission to eliminate the cliche of hackers in hoodies and bring a more human, relatable face to cybersecurity. Her career spans Fortune 100 brands, cutting-edge cybersecurity training companies, and leadership roles across the cybersecurity landscape. She blends psychology, marketing and behavioral science to inspire real-world change. She's also the co-author of the annual Cybersecurity Attitudes and Behaviors Report 2024-25, a global study that reveals the truth about how people actually behave online, not just what they say they know. The myths we're about to unpack come straight from the gap between awareness and action. Lisa, welcome to Threat Vector. I am so excited to have you here.
Lisa Plagmire
Thank you for having me.
David Moulton
You've had this really unique career path from launching Ford Roadshows across Morocco to leading cybersecurity culture initiatives. What's one experience from your early days in international marketing that surprisingly prepared you for your current work in cybersecurity awareness?
Lisa Plagmire
I think it's understanding more about the creative process. So one of the most interesting things that I observed in working with highly paid ad agencies that, you know, auto manufacturers and tennis shoe companies and tequila brands all use to sell their product was that managing creatives is different from managing technical people or managing administrative folks. Giving them room for their brains to breathe, giving them time for the ideation process. More than a lot of jobs, they need to sit and think. They need to go take a walk and get ideas. And the other thing that I observed was that no matter what the deadlines were, there's times when you just can't force it. I've been in ideation sessions where, like, the ideas just aren't flowing, the folks in the room are not clicking, and there's times when you just can't force it. And you have to be okay with that, and you have to be okay with that ebb and flow of the creative process and allow for times when suddenly something brilliant happens and you know you've got a diamond and you've got to run with it. But it can be frustrating in the meantime. So I think that until you've worked directly with creatives, it's really hard to understand all that.
David Moulton
Something I sometimes tell the teams and the folks that I work with is, we can let the brown water flow. Right? A lot of times the stuff that's coming out right away out of the tap, that's not the drinking water, that's not the clear ideas, and you just let it run. It's okay. Right? And then it will come. You just have to trust that process. Well, Lisa, we've got a lot to talk about today. Let's get right into it.
Lisa Plagmire
Okay, let's go.
David Moulton
Lisa, you've built your career at the intersection of psychology, persuasion, and cybersecurity. And now that you're shaping public perception through the National Cybersecurity Alliance and this year's massive 7,000-participant report, what's one finding or a moment from this year's research that made you say, we have to talk about this?
Lisa Plagmire
Probably the fact that we're not seeing the curves we want to see, we're not seeing things get better. So one of the most prominent examples would be password reuse and just general password habits. In general, people are using passwords that are too short. People are reusing the same password too often. People are using insecure methods to keep track of their passwords. They're kind of acting as their own risk managers and are doing things that they think are safer than a password manager because they have more control, for example. So it's the whole topic of passwords. People hate them. They haven't worked right as a means to protect our stuff. They've been a complete, abject failure, and people just don't like them. It was one thing 20 years ago, and you could have one password or two or three that you remembered. And they didn't have to be that long. There was no such thing as complexity rules. We all kind of got by. And then we very quickly realized that that's not really going to protect our stuff. So we're big fans of things like password managers. Passkeys are a whole lot easier for people, but by and large, they've just been, they've been a failure. People don't like them and they haven't worked.
David Moulton
Do you have a personal story or anecdote that you have found works? When you talk to somebody about their short password, their password reuse, they're saving it on sticky notes, they're saving it in an Excel file, and you know, in an insecure way that helps them understand that they need to break those habits.
Lisa Plagmire
I have one that I use all the time about password reuse, because a lot of people, I mean, I've even heard security professionals now kind of default to this. Like, well, for your really important accounts, you should use a unique password. And maybe for everything else, it's okay to use the same one, which I'm not a big fan of, because people aren't great risk managers. They're not good at assessing what's of value to a bad guy and what isn't. So what they deem an important account is probably different than what a cybercriminal deems an important account. So the story that I use is one, I try to remember as often as I can what it was like to work in marketing before I had any clue what this cybersecurity stuff was all about. Before I was assigned to work with the security team on thought leadership at the company I was at.
David Moulton
Right before you were really made aware of how dangerous some of the behavior is.
Lisa Plagmire
Before I understood the ins and outs, when I was just a normal consumer going about my day, reusing passwords, using passwords that were too short, opting out of MFA. Like, things like that. Just things that people do. I was just like everybody else. And if security professionals will admit it, they do some of these bad things still. We all do. That's how so many data breaches keep happening. We keep making mistakes with basic hygiene. I can remember when it happened because, for some reason, I think I was out for a walk. And I kind of remember that light bulb moment when I was walking in my neighborhood and I heard about the Yahoo breach years ago. I can't remember what year it was. Well, we all had a Yahoo account back in the day. Like, I can still remember my AOL dial-up and the sound of the modem and, like, chatting with somebody on the other side of the earth. And because at that time I was living in Europe, I had a lot of reason to be excited about things like that and not paying Deutsche Telekom a dollar a minute to call the US. And when I heard about that data breach, it was usernames and passwords. I just thought, who cares? I haven't logged into that in 10 years. I mean, if you ask anybody over the age of 50 or anybody who was getting online in the late 90s or the early aughts, we all had a Yahoo account. And a lot of us, I would venture to guess, haven't logged in in a really long time. And I don't know if they've deleted our accounts or they're still... I'm guessing at the time of that breach they were all still active or valid usernames and passwords. And I just thought, if a bad guy has access to my Yahoo account, like, I haven't used that in a million years. I don't know what's in there. You know, like, they can have at it. Like, have fun with that. There's nothing there that's of use, right?
In my non-security brain, I told myself, like, well, if I reuse that password anywhere, then they would have to know where else I have accounts that I've reused it on. And, like, they're not going to take the time to figure that out, right? I didn't know it was spray and pray. I didn't know there was automation and that these guys were using technology. You have that image in your head of one person sitting at a laptop. It's the hacker-in-the-hoodie image. Somebody's in the dark somewhere wearing dark clothing, and usually masculine. Like, the vibe we get from that imagery is usually masculine. And we don't think about teams of developers like I was working with at the company that I worked for at the time. Like, we don't think about them as businesses. We don't think about them as using automation and being really smart and being agile and really being a mirror image of the legitimate world, just doing what they do for illicit reasons instead of, you know, trying to run a legitimate business. So that's also the thought behind Cubicle, the Cubicle series that we shot, and we have season two coming out soon. It's a video series like watching The Office, but it's the office of the bad guys. And that's what I was trying to provoke in people, maybe that light bulb moment of, like, oh, wait a minute, there's somebody doing this for a living. It's somebody's job to hack me, and they're using technology to do it. So these little things, these myths that I tell myself that it's okay to do, the excuses I make for some of my bad habits with technology, or maybe I don't even understand that it's really a bad habit. That's what we were going for with that series, is that light bulb moment that maybe people understand and they think twice. And maybe down the line, with some more nudging and some more messaging and some more education, they actually change their behavior.
David Moulton
Yeah. As you were talking about the Yahoo breach, for those of you listening who are curious: 2013, undetected for three years, three billion. Three billion different user accounts attacked. And as you're describing that, it's the rainbow table. It's the ability to say, well, Lisa's here and here's her password. Let's go try anywhere else that we can find Lisa and the password elsewhere. And I agree. I came into this after 20 years of being in design and didn't realize that that was what was happening, that it is a business. There are KPIs, there's a metric they're trying to get to, their revenue number. And it's off of our mistakes, it's off of the things that we don't necessarily think about, or, as you called it, these myths. And it allows for them to still be profitable. Otherwise this area would go away very quickly. This tactic would dry up if we would stop doing these things, or if users would stop doing these things, or even just change to something as simple as a password manager. I want to say it was an NSA story that got my attention. And I moved from, Dave's clever, he can keep all of his passwords in his head if he just does a little bit of changing. And they really weren't all that different. It was like I added a one or two and I jumped.
Lisa Plagmire
An exclamation point would have made all the difference. Dave.
David Moulton
It was already there. I had a fraternity room name that I used. I can't say that on this podcast. And then I would just be like, exclamation point one. Anyways, I got to 44, Lisa. That's just the number of times I was asked to change it before I was like, this is a terrible password. I should stop. So, you know, I think people know, and you guys call out in the report that people should use those unique passwords. They know that. But in the report, nearly half, I think it was, what, 46%, still reuse their passwords. And this is wild to me. It's kind of like saying, you know, hey, here's the key to everything I have in my digital existence and I'm going to just make a digital copy for everyone. And if I lose it, then you can get into all the things. But I don't think people necessarily get that. You were talking about that with the Yahoo hack and how that kind of gave you that light bulb moment. Lisa, what is it that causes this to be such a persistent gap between what people know and the actual actions, the behaviors that they take?
Lisa Plagmire
I think some of it is just our own belief in our own superiority. We all trust ourselves more than we trust anybody else. We all think we're smarter than the average bear. And one of the other things we ask people is, do you think you can spot a phish? And it's a five-point scale, and everybody's like fours and fives except Germany. That was the one country in the report. Their confidence in themselves to spot something malicious is far lower than every other country in the survey. So it was all Five Eyes, plus Germany and India. Later this year it's going to be the U.S., the U.K., Mexico... No. Yes, Mexico and Brazil, or Brazil and Chile, I can't remember. Germany and India again, because the data out of India was really, really fascinating. Like, their confidence in their ability to recognize things is very, very high. But their rate of compromise is equally very, very high for things like romance scams. And just across the board, you know, people's belief in themselves and their own methods runs pretty deep. And their own conviction of wanting to feel like they're in control, which is why they don't trust password managers a lot of the time. Telling them, using education or some sort of awareness or whatever you want to call it these days, any kind of communications, to say to them, no, this is the better way to do it. Or, let's use the phishing example. They think they're going to be able to detect something malicious. So just saying to them, no, you're at risk for phishing, we're all contrarians. Like, you're telling me something I don't believe. You can't just say to me, you know, yeah, you don't think you're going to fall for it, but you could. Like, that's not persuasion. Persuasion is, there's more of an art to it than that to persuade human beings.

And I think we're still, at least in the security community, a little too guilty of just trying to be contrarians, trying to just tell them something that's the opposite of what they believe and thinking somehow that's gonna change their minds. And I don't think that's enough. You know, it takes a lot of knowledge. I mean, for the light bulb moment you had, or the light bulb moment I had, it takes that constant drumbeat of information. When something resonates with an individual for whatever reason, that, you know, opens their eyes and they decide to make a change in their habits.
David Moulton
Let's shift gears a little bit. AI has introduced a new myth. If I use AI tools correctly, they're safe. But your findings, they suggest that most people don't fully understand AI risks. What kind of misunderstandings did the report uncover?
Lisa Plagmire
Well, first of all, we learned that there are a whole, whole lot more employees that are putting sensitive company information into AI tools without their employer's knowledge. I think it's 43% or something like that. It's a pretty high percent. The other thing we learned is that 51% of organizations at the time of the survey hadn't given employees any training on the safe use of AI. So I think the risk there is that while we're all busy debating policies and how to enforce them and finding the right tools and what we're going to allow, when we're having all these conversations, meanwhile people are using this stuff anyway and finding ways to use it, whether it's on their own device or whatever. I would suggest that some organizations navel-gaze a little bit too much over their policies, and we need to have more of a bias for action. I think you can always go back and change things, but not taking action, not starting to train people... I remember when I first got into cybersecurity, I think I was at a conference, at a roundtable discussion or something, and somebody said, well, we have policies that aren't finished, and I told the business, I can't train anybody till the policies are finished. And I said, do you think the bad guys aren't going to attack your people until your policies are finished? Like, we have this tendency to want to serialize things, I think. And I think in the case of AI, that's increased our risk. I think people fundamentally think of it like a search engine. They think about the result that they want. Their focus is on trying to solve a problem and what they're going to get back, and they're not really thinking about what they're giving away.
David Moulton
Yeah, I think that the business model also makes it tricky, especially if you're paying for a service. I've always had that model and I was recently disabused of this theory that if I'm paying for something, it's private. Right.
Lisa Plagmire
It's.
David Moulton
It's my right. You know, in that space is an ethical relationship between me and a service. And I think with the chatbots and some of the LLMs in particular, that's a really gray zone, mostly moving towards, that's not the model. Like, you're getting amplified service, you're getting more tokens, you're getting more, faster capabilities delivered. And the free model is the model for privacy. I keep coming back to, is it the system design? Right. Is it not on the individual? And have we built systems that allow you to do dangerous things that don't feel dangerous? You could also claim driving a car is more dangerous than other modes of transportation, per mile kind of thing. And statistically that's true. And yet I think you get more anxiety out of a flight than you do out of a drive around the corner. But one has a higher probability of a problem.
Lisa Plagmire
It's the perception of your control of a situation. When you're driving the car, it's different than the pilot flying the plane.
David Moulton
Yeah, yeah. And so I think that going into a chatbot and having a conversation or putting in information, it's just you and that chatbot, and that's the edge of it. You can't see the actual larger frame of danger. So that's an interesting space of, like, how do you make for human security? And we have so far to risk management.
Lisa Plagmire
Sometimes I'll see these debates pop up on, like, LinkedIn where, you know, the debate is about designing software securely to begin with and really what is the user's responsibility? Like, people should still know to do XYZ. And it's not any one individual's fault. It's systems thinking. And I think we just have a long way to go. I mean, I think those of us in security will tell you, you know, there's the old adage, the Internet was never designed to be secure, and now we're trying to play catch-up and it's impossible. Like, it's really, really, really hard and really expensive. And at some point we'll get better because we'll redesign some things. And it's just like anything else. Any sort of new technology, you look back at some point, maybe it takes 50 or 100 years, and you look back and you go, you know what? We shouldn't have built it that way to begin with. We shouldn't have designed it that way to begin with, because now we've seen all these bad things happen and we need to rethink it. So I think we have a long way to go yet. But I'm glad that it's even a topic of conversation. Right. I'm glad that there's folks like Bob Lord talking about secure by design and things like that.
David Moulton
So when you're talking about this idea, is it this, is it that, and this idea of fixating on or focusing on one area, I think it's a lesson we could take from economics, right? You want a diversified portfolio, you want to get a couple percent. You want some things that are going to be slow growth and hold you over time, like a bond. Maybe you need stocks, maybe you need some real estate in your portfolio. But you wouldn't say, like, let's just put it all in one area. And I think in security, when we do that, then a very clever attacker will figure out how to break that one thing that was so very strong. And then it doesn't really help all that much. Like, you get to the point where a couple years ago, MFA was the sort of silver bullet for identity. And then very clearly it's not, right? Like, you look at what Scattered Spider or Muddled Libra is doing with social engineering, and they're just, like, going around the MFA or making the MFA extraordinarily annoying and getting past it anyway. So it's like each time that we go, like, ah, that's the one thing. Yeah, that's the red flag for me. I'm like, you're beckoning for somebody to destroy this.
Lisa Plagmire
Somebody's gonna break it. It's somebody's job to break it. Yeah, but like, you wouldn't not use MFA just because somebody's figured out.
David Moulton
Definitely use it.
Lisa Plagmire
Right. It's the same argument when people say, well, how do you know that any kind of security education or awareness or any of it ever has any effect? And I came from the world of marketing and advertising, so I'm going to say, well, you know, Ford Motor Company can't tell you that their Super Bowl ads are, quote, unquote, effective, but they're not going to not do them. I mean, exactly, because we know you have to think about the whole picture, not just one tactic. And, you know, I would challenge any security professional who says, well, you know, I don't think this stuff is working. Well, then, okay, do you want to stop? Like, do you think you should just stop messaging anything about security to any of your employees?
David Moulton
No, I think I don't want to do that.
Lisa Plagmire
Like, that sounds dangerous. That sounds irresponsible. Well then, okay, do it, but do it well. You know, do a good job at it. It's still worth doing well even if you're not sure that it works.
David Moulton
So you've talked about some storytelling. You know, I've biased myself. I'm a big fan of storytelling as an effective model for getting through to people. You've obviously used humor. Are there other types of interventions that you've noticed that have the long-term effects that we're all going for with some of the training?
Lisa Plagmire
I think we can do better at storytelling in different ways. So one of the projects we're looking at now is, it's real simple. Every, you know, Friday night when I'm going through all the streaming channels trying to find something to watch and decide nothing looks good, I'll default and end up watching, like, Dateline or 20/20 or one of those things. And every time I'm like, okay, you know, she killed her husband. Like, what's new? Like, it's kind of the same old, same old in the world of physical crime. And maybe there's a little fraud thrown in there too. Like, where's my cybersecurity story? Where's my story? Because those of us who've come from the world of marketing or someplace else, you know, we've had a sideways path to get into cybersecurity. That's one of the things I think that makes you make the jump, is you start to peel the onion and you're like, holy cow, this stuff is fascinating. And nobody knows what's going on. Like, most people are not paying any attention. And I'm even shocked. We do a lot of media interviews. We get a ton of earned media as a nonprofit, which is great. And I talk to a lot of investigative reporters, and I'm even surprised at how little they're paying attention sometimes, which is great. It's an opportunity for us. I get to, you know, drip a few little hints at what's happening out there. And they're like, really? I should do a story on that. I'm like, yeah, you should. So we're working with DHS, with HSI, Homeland Security Investigations, because they investigate crime committed by people who are not in the country legally. And some of those crimes involve technology. I think you're hard-pressed, in any organized crime these days, you're hard-pressed to find things that don't involve technology in some way, shape or form. So that's what we're going to focus on, and we're also working with the Secret Service.
So one of the things we're going to focus on are cases where you have, we think it's going to be easier to communicate to the public in the 22 minutes you have in a 30-minute episode, cases that involve both physical crime and a physical aspect to the cybercrime. So things like EBT skimmers, or in the case of, it was Operation Red Hook, the story that we're looking at with HSI that involves gift card scams, things that have a physical, tangible aspect. Because I think that's one of the hardest things about storytelling in cyber: it's intangible. You can't just show binary floating across the screen. People don't know what that means. It's a trope. It's not relatable. Instead of demystifying this topic, it mystifies it even further, and it also makes your audience feel stupid. I don't know what those ones and zeros floating around the screen are, or that green screen that you're showing me that you're scrolling through, you know, while there's a narrator telling the story. I don't know what that is, so I must be dumb, and I don't want to feel dumb when I'm trying to be entertained with a story. So we're going to really focus on the tangible aspects of some of these crimes and show how the technology has enabled those crimes. And I think those will be stories that, you know, you can go to the fridge and get a Coke and you're not going to lose track of the story. Like, it's got to be super easy to tell and it's got to resonate very quickly if you're doing that kind of very digestible content. There are other things out there that communicate about this topic where we're, I think, expecting a little more undivided attention from the audience. And if we want to scale, then I have to be honest about how much attention we're going to get. You might be scrolling Facebook while you're watching TV. You might go to the fridge, go to the bathroom, your kids might ask you for something.
It's gotta resonate in a way that accounts for the fact that we don't have people's undivided attention.
David Moulton
Yeah, so both that, like, quick-hit, snackable bit, but then something that allows you to follow through all 15, 18, maybe 22 minutes if it's a television show, but also kind of stews in your head and makes you think about it. You know, as you were talking, we kind of need an Ocean's Eleven, but instead of having the, you know, the trapeze artist and the guy who's, you know, able to crack the safe, and, you know, Brad Pitt who's always eating, right? Like, it's just the hackers and what they're doing. Maybe you have, like, a little bit of affinity for them, but at least it shows, like, it's a business and what they're doing. So maybe that's like...
Lisa Plagmire
I mean, look at the shows lately I'm watching. I'm currently watching Friends and Neighbors, and we watched Bad Sisters lately. There's a lot of shows lately that are getting you to really root for the bad guy. Like, you have huge empathy for the criminal. Yeah, it's pretty disturbing.
David Moulton
I think it started with Sopranos and Breaking Bad, where the antihero was the main character and you're kind of into it, even if they were awful. And then it showed that there was a way of telling the story from a different point of view. Not necessarily always, like, the police drama where, you know, law enforcement was chasing the bad guys, but you're kind of rooting for the bad guy to get away. So, Lisa, I want to take it back to the report. And if there are security leaders out there who want to really use this report to, you know, drive the changes in their organizations that they know they need to, you know, where should they start? What's the, like, jump-off point for them?
Lisa Plagmire
Well, if you're trying to find the report, you can go to staysafeonline.org, or I would just Google "Stay Safe Online Oh, Behave!" and that'll get you to the landing page. You can download the report.
David Moulton
We'll put that URL in our show notes. So if you're listening and you're thinking, I don't think I can remember that. Just check the show notes.
Lisa Plagmire
I think a lot of organizations, very mature, large organizations, have very mature training and awareness programs. Maybe they're transitioning into human risk management. They're looking at more sources of data. They're using more behavioral science, like nudges, to get employees to do the right thing or to help them to do the right thing. They're using more solutions that help employees in the moment to make a good decision. And so I think that's all good stuff. But I think a lot of the security communications or awareness materials that we're using aren't making enough use of what advertisers know about behavioral science and, like, basic human psychology and being more persuasive and being better at storytelling, because being really good at those things is really, really hard. Not every person out there can write a really good article. I used to teach a certification class for people in training and awareness, and I gave everybody an assignment once to use Dr. Cialdini's principles of persuasion. I explained the principles, and then the assignment was, here's an FBI alert. You know, one of the alerts that they put out about a particular problem. And you want to tell your employees about this. The CISO has said to you, you know, here's this thing we need to tell everybody. And you can't just post the FBI notice, because nobody will read it. What is the title? Based on these principles of persuasion, which one are you going to pick to use, and how would you title the article you're going to write that talks about that topic? Because I'm a big old David Ogilvy fan. When you've written your headline, you've spent 70 cents of your advertising dollar. If you don't write a good subject line to your email or title to your article in the company newsletter, nobody's going to read the article, no matter how much good stuff is in there. Everybody in the room chose to use the principle of authority. Because I told you so, right?

The heavy-handed, you know, or "doctors recommend," that principle of, like, well, we know better than you do. Nobody wants to be told that by an IT person. Even though it's true, that just doesn't resonate. So the next time I taught the class, I had to say, you can pick from any of these except the principle of authority. That's off limits. That's not compelling enough. So I think we still have a little ways to go in using some of the advertisers' trickery and some of the persuasion techniques that are used in the business world, in the consumer world, to get us to buy products and do things, and we can do better. It's the story that we wrap it in and it's the demographic that we target that makes the difference.
David Moulton
I suggest that if you're curious, you should definitely go read this report. It's been fascinating to talk to you today, and I really appreciate that you took time out of your day, I know you're really busy, to share your insights. And, you know, just throughout the year, not just today on Threat Vector, you know, you're out there trying to make sure that the people who need this information are able to get it. And not only in a report, but in video, with humor, with story, and really maybe to, like, raise up some of the myths so we can go, like, wait, I see myself in that thinking. I think attaching information in different ways allows different people to learn and change their behavior and to start to be a little bit more safe. And that's awesome. I also like the fact that you've combined marketing and cybersecurity and behavioral science together for doing good. So thanks for coming on today and sharing with me about the report and some of your thoughts and experiences.
Lisa Plagmire
It was absolutely my pleasure. Thank you so much for having me.
David Moulton
That's it for today. If you've liked what you heard, please subscribe wherever you listen and leave us that review on Apple Podcasts or Spotify. Your views and your feedback really do help me understand what you want to hear about. And if you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, and our content and production teams, which include Kenny Miller, Joe Benacourt and Virginia Tran. Elliot Peltzman edits the show and mixes our audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
CyberWire Daily: Episode Summary - "Secure Your Summer: Top Cyber Myths, Busted [Threat Vector]"
Introduction
In the July 4, 2025 episode of CyberWire Daily, hosted by David Moulton from Palo Alto Networks, cybersecurity expert Lisa Plagmire, Executive Director for the National Cybersecurity Alliance, joins the discussion. The episode, titled "Secure Your Summer: Top Cyber Myths, Busted [Threat Vector]," delves into common misconceptions in cybersecurity, the persistent gap between awareness and action, and the evolving landscape of cyber threats influenced by human behavior and emerging technologies.
Password Practices: A Persistent Challenge
One of the primary topics explored is the ongoing struggle with password security. Lisa emphasizes the widespread issue of password reuse and inadequate password habits:
"People are using passwords that are too short. People are reusing the same password too often... People hate them. They haven't worked right as a means to protect our stuff."
— Lisa Plagmire [06:03]
Lisa highlights that despite decades of awareness campaigns, nearly half of users (46%) continue to reuse passwords, undermining security efforts. She shares a personal anecdote about the Yahoo breach, underscoring the misconception that unused accounts pose no risk:
"I thought, who cares? I haven't logged into that in 10 years... I didn't know it was spray and pray."
— Lisa Plagmire [07:18]
David adds to this by sharing his own experience with weak password practices, emphasizing the stubbornness of such habits:
"I want to say it was an NSA story that got my attention... I have to stop. So... It's a terrible password."
— David Moulton [12:21]
Human Error vs. System Design
The conversation shifts to the inevitability of human error in cybersecurity. Lisa advocates for designing systems that are secure by default, acknowledging that eliminating human mistakes entirely is unrealistic:
"We're not going to solve for human error. And so designing software and systems and products that are more secure by design is really... the way forward."
— Lisa Plagmire [00:02]
She critiques the security community's reliance on contrarian approaches and highlights the need for persuasive, behaviorally informed strategies to bridge the gap between knowledge and action:
"Persuasion is... more of an art to it than that to persuade human beings."
— Lisa Plagmire [16:34]
AI and Emerging Cybersecurity Myths
Artificial Intelligence introduces new myths and misconceptions, particularly regarding its safety and the risks it poses. Lisa reveals that a significant portion of employees (43%) are inputting sensitive company information into AI tools without organizational oversight, while 51% of organizations haven’t provided adequate AI safety training:
"People fundamentally think of it like a search engine... they're not really thinking about what they're giving away."
— Lisa Plagmire [16:54]
The discussion underscores the urgency for organizations to act proactively in training and policy development to mitigate AI-related risks.
Storytelling and Behavioral Science in Cybersecurity Communication
Lisa emphasizes the power of storytelling and behavioral science in effectively communicating cybersecurity threats. She critiques conventional methods that often fail to engage and educate audiences, advocating for tangible, relatable narratives:
"Cyber is intangible... You can't just show binary floating across the screen... I think that's super easy to tell and it's got to resonate very quickly."
— Lisa Plagmire [28:26]
Drawing from her marketing background, Lisa discusses the importance of crafting compelling stories that resonate with audiences, making cybersecurity issues more accessible and memorable.
Insights from the Cybersecurity Attitudes and Behaviors Report 2024-25
The episode references the annual Cybersecurity Attitudes and Behaviors Report 2024-25, co-authored by Lisa, which presents key findings on global cybersecurity behaviors. Notable insights include:
Overconfidence in Personal Security Practices: Many individuals overestimate their ability to detect malicious activities, leading to risky behaviors like password reuse and inadequate protection measures.
"People's beliefs in themselves and their own methods runs pretty deep... Progress takes that constant drumbeat of information."
— Lisa Plagmire [13:34]
Global Variations in Cybersecurity Practices: Countries like Germany and India exhibit unique patterns of high confidence in detecting threats but also face high rates of compromise, particularly in areas like romance scams.
Organizational Preparedness: A significant number of organizations lack comprehensive AI safety training for employees, highlighting a critical area for improvement in corporate cybersecurity strategies.
Bridging the Gap: From Awareness to Action
Both hosts agree that bridging the gap between cybersecurity awareness and practical, secure behaviors requires a multifaceted approach. Lisa proposes integrating principles from advertising and behavioral science into cybersecurity training and communications to enhance effectiveness:
"We need to have a bias for action... Not taking action, starting to train people."
— Lisa Plagmire [16:54]
She also stresses the importance of persistent, relatable messaging to create those "light bulb moments" that inspire real behavioral change.
Conclusion and Recommendations
The episode concludes with actionable recommendations for security leaders aiming to leverage the report's findings to drive organizational change:
Lisa directs listeners to the full report available at staysafeonline.org for a deeper dive into the data and recommendations.
"We can do better... It's the story that we wrap it in and it's the demographic that we target that makes the difference."
— Lisa Plagmire [33:32]
David wraps up by commending Lisa's efforts to merge marketing, cybersecurity, and behavioral science to foster a safer digital environment, highlighting the importance of diverse communication strategies in driving security awareness and behavior change.
Key Takeaways
Password Security Remains a Critical Weakness: Despite widespread awareness, poor password practices continue to expose individuals and organizations to significant risks.
Design Systems with Human Behavior in Mind: Recognizing the inevitability of human error, systems should be designed to minimize the potential for mistakes and enhance overall security.
AI Introduces New Threats and Misconceptions: As AI tools become more integrated into daily operations, understanding and mitigating associated risks is paramount.
Effective Communication is Essential: Leveraging storytelling and behavioral science can bridge the gap between cybersecurity knowledge and actionable, secure behaviors.
Continuous Education and Adaptation: Cybersecurity is an evolving field requiring persistent education, adaptable strategies, and innovative communication to stay ahead of threats.
By addressing these areas, organizations and individuals can better navigate the complex cybersecurity landscape and foster a culture of security resilience.