The Magic Behind Effective Training Programs


Posted on by Greg McDonough

On the last day of RSA Conference 2024, it is best not to assume that everything has already been covered in depth and that there are no mysteries left to explore. In fact, Thursday’s panels covered novel ground by addressing the human factor, with presentations on misdirection and magic and on the minds of Gen Z, proving that RSA Conference still has a few tricks up its sleeve when it comes to how organizations can make cybersecurity training fun, interesting, and interactive while building a stronger, more secure community.

While most of this week’s presentations that involved hacking the mind did so in an effort to fight the rising tide of burnout in the cybersecurity industry, Thursday morning’s session at Moscone West, Hacking the Mind: How Adversaries Use Manipulation and Magic to Mislead, took a different approach. Robert Willis dazzled an almost full crowd with sleights of hand and stories of social engineering as he explained the many parallels between magicians and malicious actors.

According to Willis, both use “TTPs - tools, techniques, and procedures,” to misdirect their audience and fool them into looking at the wrong thing. In both cases, tricksters exploit the way human brains are wired in order to deceive. For this reason, he urged the audience to break the cycle of shaming those who fall prey to social engineering attacks and to see them for what they are: the victims of a crime who deserve sympathy. He argued that the cybersecurity industry needs to change its social engineering training so that practitioners view adversaries with the same sense of “curiosity, amazement, and appreciation” they would show a magician. This, along with gamifying training by making it “fun, interactive, and immersive,” will lead to more effective recognition of social engineering approaches. In the meantime, he advised the crowd to “wind your watch,” that is, to take a momentary step back before acting instead of reacting immediately.

As protectors, the cybersecurity industry is constantly looking forward to ensure that future threats are anticipated and that the next generation is adequately prepared to continue the fight. In Decoding Gen Z: Cultivating Cybersecurity’s Next Vanguard, Jax Scott gave an in-depth presentation on what makes Generation Z (those born between 1997 and 2012, currently aged 12 to 27) so unique, giving audience members insight into their thoughts and values and into how to effectively communicate, cooperate, and collaborate with them. Scott explained that members of Gen Z are digitally fluent individuals who have grown up in front of devices and screens and who value authenticity, inclusivity, and transparency. However, that same fluency is what makes them so susceptible to social engineering and other forms of cyberattack.

The problem, as Scott sees it, is that current forms of cybersecurity education are outdated and ineffective. To adequately prepare this generation, it is important to use novel training techniques such as gamification and online forums, or to work with influencers and produce short, digestible videos. She discussed several effective case studies, ranging from users engaging with training via a mobile app to interactive cyber escape rooms.

To provide truly effective training, Scott recommends working directly with members of Gen Z. She explained that it is important to “understand, empower, and collaborate” on effective training methods in order to ensure the safety and security of the next generation at the cybersecurity forefront.


Contributors
Greg McDonough

Cybersecurity Writer, Freelance

Topics: Hackers & Threats, Human Element

Tags: Security Awareness / Training, security awareness, security education, innovation

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
