PEBKAC Rebooted: A Hacker’s Guide to People‑Patching in 90 Days

BSides Las Vegas 2025 · Day 1

**David Shipley** opens by reframing “**PEBKAC**” from an insult about user stupidity to a more constructive idea: people as **partners** between keyboard and chair—capable, human, and shaped by biology and cognition. The talk argues that cybersecurity’s decades-long emphasis on using technology to **control** human risk is incomplete without programs that align with how brains actually work. Shipley positions the content as empirical, drawn from a large multi-industry dataset (more than **1,300 organizations** across **20+ industries**, with global reach though skewed Canadian), combining learning outcomes, phishing simulation metrics, real phish reporting behavior, and survey-derived attitudes. The central operational claim is that **security awareness** and **phishing simulations can work**, but not as annual compliance theater; frequency, fairness, feedback quality, and neuroscience-aligned design determine outcomes.

AI review

A data-heavy culture-and-behavior talk with several memorable quantitative hooks; useful for defenders running phishing programs, but light on novel security mechanisms and, in places, reliant on fragile survey self-reports.
