The Entropy Podcast

Building Cyber Awareness with Craig Taylor

Francis Gorman Season 1 Episode 26

In this episode of "The Entropy Podcast", host Francis Gorman speaks with Craig Taylor, CEO of CyberHoot, about the challenges and innovations in cybersecurity awareness training. They discuss the failures of traditional phishing awareness programs, the importance of positive reinforcement in training, and the role of gamification in engaging employees. Craig shares insights on the evolving threat landscape, particularly the impact of AI on phishing attacks, and highlights the vulnerabilities of small and medium enterprises (SMEs) to cyber threats. The conversation concludes with a look at the economics of cybercrime and the future of cybersecurity training.

Takeaways

  • Most phishing awareness programs fail due to low engagement.
  • Traditional training methods show minimal behavioral change.
  • Positive reinforcement is more effective than punishment in training.
  • Gamification can significantly increase engagement in cybersecurity training.
  • SMEs are more likely to be targeted by cyber attacks than larger enterprises.
  • AI is being used to craft more sophisticated phishing attacks.
  • Cybercrime is now one of the largest economies in the world.
  • Effective training can lead to better client retention for MSPs.
  • Continuous improvement is key in cybersecurity awareness.
  • CyberHoot offers free access to individuals for training.

Sound Bites

  • "Humans are the weakest link."
  • "Reinforced behaviors are repeated."
  • "AI is a game changer for hackers."

Additional Information:

Craig has arranged for Entropy Podcast listeners to receive a 20% discount on a one-year subscription to CyberHoot. You can access it using the coupon code: The Entropy Podcast


Francis Gorman (00:02.897)
Hi everyone, welcome to The Entropy Podcast. I'm your host, Francis Gorman. If you're enjoying our content, please take a moment to like and follow the show wherever you get your podcasts from. On today's show, I'm joined by Craig Taylor, the CEO, co-founder and chief evangelist of CyberHoot, a platform reshaping how organizations approach cybersecurity awareness. With a background in both cybersecurity and psychology, Craig challenges the industry's over-reliance on fear-based training and gotcha phishing tests.

Instead, CyberHoot focuses on positive reinforcement using short, engaging, and gamified training to build real behavioral change. His mission is to make cybersecurity training effective, approachable, and something people don't dread. Craig, it's lovely to have you here with me today.

Craig Taylor (00:42.946)
Francis, great to be here, thank you for that.

Francis Gorman (00:45.767)
Not at all, not at all. And Craig, suppose security training and security awareness is always one of those kind of fields that people have to bet in but never really give the spotlight to. And you've identified this area. And when I think about cybersecurity training, there's always a guy who still clicks the link no matter what you do. So why do most phishing awareness programs fail or fail to deliver the expected outcomes that most businesses have?

Craig Taylor (01:16.514)
That is the heart of the matter, that very question. Recently, Francis, at the Black Hat briefings in Las Vegas in August of this year, literally two weeks ago, security researchers asked that very question after they studied 20,000 end users at a large US-based healthcare provider. And they made three conclusions in their study of phishing. First was...

they thought they could phish anyone at the company because they got over 55% of the users to click on at least one phishing link over their eight month trial or study. They secondly realized quickly that the training mechanisms versus the control group did not effectively change any behaviors. In other words, they found a 1.7% difference between the control group

who clicked on X number of phishing attacks and the trained groups, multiple different training groups. Some had interactive training, some had gotcha emails, some had videos, and some had all three. And they only saw 1.7% difference. The third and final conclusion is the most striking of all, is that everyone that failed were assigned video trainings to say, here is how you failed and what you missed and how phishing works and please.

if you learn and look for these things as delivered via this video, you'll avoid phishing in the future. And they found the average person across all 20,000 users of whoever got assigned the video training as a failure condition spent 10 seconds watching the video before they checked out, before they left. They were watching the individuals do their training.

measuring their keyboard or whatever they were doing to measure it. They said 10 seconds, everybody gave up watching the video. so their conclusion was that engagement is very, very low when people fail tests. So the question that you asked is why is there not a better answer out there for teaching these cybersecurity skills to

Craig Taylor (03:35.198)
today. I mean, we've been doing phishing. Phishing has been the number one attack for 25 years, according to Verizon's data breach report. It's a summary of all the publicly known data that can be shared with Verizon. They take it from Interpol and Australia's CERT, Canada's CERT, the US CERT, security operations centers, and the breaches that are identified. Phishing is number one, password hygiene number two. Recently, as of last year, there was a big growth in

Unpatched systems and zero day attacks around SSL VPN stuff, but that's another matter entirely. But the reality is humans are the weakest link. The human firewall is the weakest link. And how do you get engagement when there's so much apathy out there and so much disengaged employees who won't pay attention, who don't do the exercises, don't watch the videos? Psychology has the answer, Francis.

If you were in your beautiful introduction, you mentioned that I have a psychology degree from 30 years ago. I had my CISSP 25 years ago. Right out of college, I decided no PhD for me. I'm going to go work in the industry. And I got into cybersecurity at a firewall vendor before there was even a worldwide web. That's how old I am, Francis. I'm as old as dirt. But over the course of that time, and as far back as 10 years ago, when I founded my company, CyberHoot, co-founded it with some other folks.

There has to be, we asked ourselves, there has to be a better way than this gotcha phish testing and the punishment for clicking, right? Because the industry as a whole, cybersecurity as a whole, Francis has said, we got to stop the click because that's what leads to email compromise, session token theft, ransomware ultimately, or financial fraud, because as hackers get into accounts, they can interject new wiring instructions, all sorts of things.

And so the focus has been far too exclusively on punishing and stopping the click rather than, and think about this for a moment, anyone listening to this, think about this insight that we had at my company, rather than rewarding and reinforcing good behaviors, right? Just think about that. Let's punish the clicks to stop people from clicking. That's like putting a shock collar on a dog to never leave your property.

Craig Taylor (05:57.782)
and it gets close, gets zapped. So it walks back, steps back. What happens if a rabbit runs across the road though? Do you think the dog is going to say, I might get the zapped, but I want that rabbit. I'm going to go for it. What if your employee gets free Taylor Swift tickets to go see this, you know, worldwide concert for their 18, 15 year old daughter? Are they going to stop the click because they're like, no, no, I could get punished for this. I could get shamed. I have to go see HR. No, they're going to click.

However, if on the other hand, you teach your employees with positive reinforcement rewards, you actually work them through an email as we do at CyberHoot that says, is this sender typosquatted or not? And we have an open book explanation. Typosquatting is where the M in Amazon or Microsoft is turned into an R and an N by the hackers.

so that it looks like it says Microsoft.com or Amazon.com, but it's not, it's actually different. Or they put a period in, or they do these other things. And we work people through the positive behaviors we wanna see more of, and then we gamify it, we reward it with certificates of completion, we give continuing education credits. All of these positive experiences for the individual end user is based on psychological principles of reinforcement. 75 years ago, B.F. Skinner,

in psychology, you remember Pavlov's dog and the salivation of a dinner bell when they get fed and they start salivating whenever there's a bell. He said, reinforced behaviors are repeated. The opposite is not true. Punished behaviors do not extinguish. They keep occurring until you teach better behaviors, right? You're a parent, I believe, Francis, can I say that? And you have children who might have a temper tantrum.

If you scold the temper tantrum and punish the temper tantrum, does the child stop their behavior? Do they suddenly become better coping kids that don't have temper tantrums? Or if you say, hey, Johnny, let's talk about your experience. Why were you so upset there? Why did you get so upset? Yeah, that's frustrating. I appreciate that. What if we used our words instead of throwing a temper tantrum on the floor and you taught better behaviors?

Craig Taylor (08:16.277)
And then you rewarded those behaviors when they started to show them in minor small little ways. What's going to happen to your child? Will they develop better coping skills and less fewer temper tantrums? So why then don't we apply these principles to cybersecurity? It's that simple.

Francis Gorman (08:34.577)
And Craig, suppose, so you've kind of inverted the ask with CyberHoot here to reward behaviors based on, I suppose, continuous improvement. Does your insight and your research then show that that actually has a more longer lasting impact on the individual? Does the click rate go down or do people become repeat offenders after a period? Have you got any insights there?

Craig Taylor (08:45.738)
Mm-hmm.

Craig Taylor (09:01.492)
Anecdotally, yeah, we do anecdotally, Francis, we have tons and tons of evidence that it works better in the long run. So we have 300 plus MSPs using our platform. And before they adopt our platform, they hear that their IT department or their engineers are getting inundated with emails from their clients. Is this a phish? Is that a phish? I'm not sure. I don't want to click on anything. I don't want to make a mistake. People aren't sure they're report. Some are reporting it false.

phishing emails and others are just asking is this a phish? Is this not a phish? After the adoption of our platform to an MSP, they say those emails go way down. The reduction in the number of questions coming in are way down. The number of reports of this is a phish email, here's why, and I saw the typosquatted domain name or it's highly suspicious go up. But that's anecdotal evidence, right? I don't have a specific number.

We did do a study on one MSP that had 50 clients. 40 clients were put into the platform. And over a three-year period, there were no major security incidents in those 40 clients over the course of those three years. There were a couple minor ones, but nothing major. The 10 that refused had two major security incidents. And then the other data point that we teased out of that was

In the 40, not one canceled their MSP contract, two in the 10 did. So there was this client retention benefit as well from using and teaching cyber literacy skills, cyber smarts to each individual employee at all these companies over that course of time. Again, it's an N of one. So it's not empirically statistically significant, I would argue.

Well, we have a security study underway at CyberHoot with three universities, two universities, three researchers at two universities here in the U.S. that have an IRB approved study measuring the affect and the effect to answer your very question with empirical evidence. Hopefully over the course of the next six to 12 months, we should get some numbers there. But what I can tell you for absolute certainty is that in psychology, when they study

Craig Taylor (11:21.198)
Intrinsic motivation. What is that? That is the inside of my body saying I want to do this thing that I've learned through these other exercises is best. The amount of intrinsic motivation to do certain things goes up dramatically when you reward with small rewards. You can't have huge rewards for this because it then keeps the mechanisms outside the person, but it goes up.

where behaviors change the most from small rewards given immediately upon completion of certain tasks and activities. The best example that I can give you for what most of your listeners might know of is dog training. And I'm not trying to compare employees to dogs. I'm just saying that dog training is the simplest explanation that you can give. You can take a dog to a dog park and put a shock collar on and try to teach them certain things and zap them when they make mistakes. Or,

you can bring treats and you can reward the dog when they do certain things. Come, he comes, you give a treat and then every other time you give a treat, then every fifth time you give a treat and that dog will internalize the word come and a potential treat and boom, they come and sit and stay and place and all of these different commands are so much more effective with a positive reinforcement of treat-based approach than a punishment of a shock collar approach. It's night and day. And by the way,

The owner and the dog love the treat-based approach and no one likes the shock-based approach. So it's that simple.

Francis Gorman (13:00.327)
And can I ask Craig, incentivize, so you talked about a few incentives there across the board. So I'm trying to think of the kind of cyber awareness platforms I know. So Microsoft C5 offering, you've got Cofense, et cetera. Sometimes they do charts, different divisions in the business and who has, who's the lower click rate and all that sort of stuff to create a competitive edge potentially.

Craig Taylor (13:05.592)
Yes.

Craig Taylor (13:15.406)
Mm-hmm, mm-hmm.

Francis Gorman (13:27.059)
But you've, you've completely gone against that and you've, gone really much in terms of the individual and their behaviors. What, kind of rewards do companies provision in this space? Is there, is there some juicy stuff for someone who's a 0% click rate at the end of the year? You get a, an extra bonus or what way you seeing people applying this in terms of the real world adoption?

Craig Taylor (13:46.35)
So those are fantastic ideas, Francis. And anybody listening to this today, whether you're using a positive reinforcement approach like we have here, or even the clicking on and the reporting of phish in traditional tools where you have the gotcha emails that get sent, reward the good behaviors no matter how you're getting them is going to make better success in the long run. You're going to create better human firewalls and it

and people will pay attention. A little healthy competition also works, right, to your early point, if a division A, B, and C are higher performing on the traditional fake email gotcha test, reward them. And don't punish the ones that are low performing, help them more. Go and do one-on-one remediation with someone, walk them through emails that are phishing emails to explain why it is, to give them the skills they need.

but reward the good things. What we do is fully automatic in our platform. So we give a certificate of completion on any assignment that gets completed, whether it's a video with a quiz that measures content against the video, you have a passing score, you finish your assignment and you get a certificate of completion. Inside that certificate of completion is continuing education credits, 15 minutes for having completed an assignment.

You can get about 16 to 20 of those a year out of the CyberHoot platform. That's, you know, six hours, four to six hours of continuing education credit towards your industry certification requirements on an annual basis. So it's, these are small rewards, but they all count and they matter. We give an avatar, a little baby owl in the nest when you're starting out, because you're just green. You're a baby. You're just learning your cybersecurity smarts. But as you complete assignments, you get a.

bigger, more mature owl with armor and a sword and then a shield and as you grow your cybersecurity smarts and people care. We get emailed to our support, Francis, that my colleague went faster than me as a better avatar than me. Why is that? Well, you didn't do your assignment on time. So just like in school, if you are late turning it in, you get a penalty, your scores or you get fewer points. I don't like to use the word penalty, but you get fewer marks towards your avatar growth and

Craig Taylor (16:05.164)
you probably didn't get perfect scores when you answered the quiz. You could pass without perfect scores, but your colleague might've had perfect scores. So pay attention and do it to the best of your ability and you'll get more marks. So all of those things combined for a gamification that creates ultimately, what are we trying to do, Francis, is engagement. If that's the biggest problem that was cited in that Las Vegas

study of 20,000 users was engagement was very poor. Meaning all the different training, gotcha emails and things like that didn't do a good job of training people because they kept clicking on things. But then when they failed, they had zero engagement. Like 10 seconds is not enough to learn how to spot and avoid phishing. So there was this apathy and this lack of engagement. And that's the real problem. That's the real.

What do you call it? Devil in the details of fake email phishing. When you punish people, they shut down. They disengage. They don't want to participate. I had a really smart fellow. I think he had a PhD. Tell me once. I forward everything to IT. I failed the test once too many times. These fake emails they sent to me. So rather than chance failing, I just forward everything that looks suspicious to IT and I let them decide. And that way I never fail again. And I get credit sometimes for.

Reporting phishing emails, but they didn't take the time anymore to engage enough to learn the rubric of how to spot and avoid these things What happens at home when they're on their personal email and they get a phishing test? There's no one to send it to right? So they're gonna get caught and maybe that could have devastating effects on their personal finances it's a real problem that the industry as a whole is Focused on punishment and it's leading to disengagement which is leading to apathy and

an inability to really learn the rubric and the skills you need to be successful.

Francis Gorman (18:05.043)
I have to ask Craig, are you seeing a change in the types of phishing emails with artificial intelligence and generative AI now starting to play a more prominent role across the industry? what I mean by, to me as a cybersecurity professional, a lot of the emails, your second sense would almost kick in and go phishing email, phishing email, phishing email. But now I'm seeing emails coming in that are customized individually to me. They have details that they've gathered from my background from

You know, stuff that's been scattered in either data breaches or, you know, just out there naturally and internet and it's been collated and it's been, it's been almost with military exercise put together and it's, it's, there's a spear on it. It's directed at me. It's specific to me. It knows things about me that really shouldn't be in the open. And if you're not working in the industry, would say even in the last 18 months.

the chance of getting caught and caught badly have increased? you seen anything in that space? I'm just, I'm just hypothesizing that. What have you seen that in terms of the industry as you're kind of front in this, this sort of, of,

Craig Taylor (19:12.718)
100% I'm not a proponent of like, he put in 110% energy and effort. No, there's no such thing. It's 100% true what you just said. There's no two ways about it. AI is being used to consume your social media presence and my social media presence to create what we call five years ago, 10 years ago, spear phishing attacks.

Whaling attacks as anyone listed on a website as a person of importance at a company They get targeted you can ask AI tell me everything you can find about this person Francis Gorman or Craig Taylor and It will spit back loads of information because we've got big big big footprints not just from our own publicly disclosed information that we put out there but from breach data that we had on private, know, you have the public web you have the the

paywall web where you have all your personal private information that's out on social media that you haven't shared with the public. But because of breaches, more and more of our data is out there. There was a breach last fall called the NPD breach, the National Public Database Breach. This was a clearinghouse of financial information that fed the big four credit agencies in the United States, Experian, Equifax, TransUnion, and Innovis. And my social security number, this is the...

one number you keep safe and secure in the United States was there eight times for every house and location I'd ever lived at in the last 20 years. Even my ex-wife's house, which I never lived at, it was listed there as well as, maybe, I don't know why, but our data is out there and these attacks are getting very dialed into people of interest into persons because the AI tool and the revolution of AI is being used heavily by

hacking organizations to put very, very enticing emails into our inboxes. With an N of one, many of the tools on the market, Francis, that are designed to help protect that one person who never learned phishing and is going to click on anything, they're designed to measure, well, we have five of those similar emails coming into five different people at my company. That's a red flag and block them all. But when it's an N of one,

Craig Taylor (21:37.784)
the tools fall on their swords. They can't identify it as a fake email phishing attack because it's so crafted specifically, right? They can do things like measure the age of the domain sending it to you, right? And sometimes that's a hallmark. If you have got a domain that's been registered in the last three months, it's likely to be a hacker domain, right? And so what do they do? What do they do?

is they turn those domains towards their persons of interest and some tools can weed that out. But there are a lot of hacking organizations that know all the tricks that are being used to filter out their messages and they register domains and keep them dormant for years on end and then they put them to use. So to answer your question, AI is a game changer for hackers to spear phish everyone in the world. Perfect grammar, punctuation,

and spelling, even when, this is the other key, even when the person, the hacker, their first language might be anything but English, AI can say, they can say in whatever language of choice, turn this into an English attack on this person of interest, and it's grammatically perfect. Now there might be, I think there are still tiny nuances of culture that can be

called out, right? But the days of the Nigerian prince who has a windfall of oil revenue they want to send to you are over. There's no more of that obvious phishing stuff.

Francis Gorman (23:17.139)
It's fascinating to watch and I think the more I see the shift towards artificial intelligence and I'm not sure if you picked up on the Anthropic attack in the last month where it was used to focus on 17 enterprises due to reconnaissance, due to identification of the vulnerability and then trigger the follow on and even write the custom ransom letters. know, AI is definitely having them.

is playing into the hands of the bad actors in this space. And I think that's only going to accelerate as these large language models get outsourced into the dark web. And, know, they're no longer held by the large companies, but they're being run on smaller footprints, but with more focused intent and harm. So I think that's a watch item for me, especially in this. This is one of the areas I really see large language models come into their own from a nefarious perspective. It's the it's the identification and

Craig Taylor (24:09.027)
Mm-hmm.

Francis Gorman (24:11.025)
coalition of information to persuade or lure someone into clicking or redirecting them to a website, enter the credentials or whatever it may be. But it's that, it's that initial demarcation point of an attack within an organization. And I think that leads me Craig, when we, when we think of security awareness, we kind of think of larger organizations, know, companies that have lots of, lots of people in their IT department, probably a cybersecurity team, et cetera, and they have the ability.

What SMEs are even more prone at the moment to, you know, the 12, 13 person company, no IT department. Maybe one guy that's a bit of IT smarts trying to keep everything running and the creative backend. How susceptible do you think those companies are to the phishing attacks and how badly do they need to get this level of training as well to arm them with the information they need to protect themselves?

Craig Taylor (25:07.566)
So there's some statistical analysis that has been done in the Verizon data breach report that I referenced earlier. They've come to the conclusion that the SMEs of the world are anywhere from 11 to 50 % more likely to be successfully attacked than the larger enterprises of the world with over 100 employees or more. So large enterprise might be 5,000 or more, but

Companies with 100 or more employees are more able to defend against these attacks. And companies with less than 10 employees are less likely to be targeted today, at least over the last five years. This is a statistic that I'm pulling out from my brain, the Verizon Data Breach Report. They said 11 to 100 is the sweet spot for attacks these days because A, they don't have deep pockets for security tool sets. So they might have gaps there.

They don't have some person who's cybersecurity focused for the business. It's the owner that also does cybersecurity. It's the IT person that also does cybersecurity. They might even have outsourced it to an MSP. They don't have any awareness training in place. Whether they have cyber insurance or not really is a secondary problem. It's not a true matter of importance because if you have 80 employees, you've got payroll and a large amount of money.

that could be turned to a ransom. And you either pay the ransom or you go out or you can't, you you don't get your data back. They might not have backups that are well tested. So they can't restore from that. They might have critical and sensitive data that leads to a double extortion type of ransom event. Double extortion is explained as follows. We encrypt your data and then we exfiltrate it as well. So that if you recover your data from backups, we can just release it to the public. And if you're an accounting firm or a law firm,

or a healthcare provider, guess what? That's regulated data. Not only are you gonna have the embarrassment and the challenge of non-public personal information being released to the internet, many of those areas are regulated industries where you're gonna have fines on top of it, right? And then in at least one case, there's triple extortion. There was a hacking firm that hacked a financial firm in the United States in New York state where there are reporting requirements of a breach.

Craig Taylor (27:35.466)
if you've been breached, you have to report it to the government governing authorities, right? And so the first was they encrypted the data. The second was they threatened to release the data. The firm still resisted both. And so they got reported to the FTC, the Federal Trade Commission, and said, fine this company because we have evidence here it is that we breached them and they're not they're not letting you know they haven't reported it. And so there was a fine issued to the to the company. But before that happened, they were threatened. The company was threatened with, hey,

Either you pay us the ransom or we're reporting you to the FTC where you will be fined anyways. yeah, AI and that size of SME is a huge target on their back, but they don't know it because they're too busy trying to survive as a business, right? They don't have the wherewithal, the knowledge that they are front and center on the front lines in the trenches of this global cyber crime spree that's going on.

Francis, by some accounts, now you can go to check this out at Cybersecurity Ventures is another website where I got the stat. Whether it's true or not, it is sobering. The third largest economy in the world last year, according to that website, is cybercrime. Whereas the United States with 30 trillion, then China with 20 trillion, and these are really raw numbers, don't quote me on that. And then cybercrime at 10 or 11 or 12 trillion, depending on who you believe.

And I tend to believe that number is accurate because we have direct evidence from the FBI and other sources of like what is publicly reported as crime, as profiteering from the criminals. And it's in the, you know, one to $2 trillion. But did you know that 60 to as much as 90% of cyber crime goes unreported? People don't want to admit that they were hacked and that they were ransomed or they had this problem.

So it goes under the waterline like think of that as the part of the iceberg below the waterline It's can be by some estimates nine or ten times as much as what's publicly reported. So the numbers do make sense to me and that's absolutely Astounding that the third largest economy was cybercrime

Francis Gorman (29:47.739)
It doesn't surprise me though when we see ransomware groups that have help desks now.

Craig Taylor (29:53.72)
They not only have help desks, they've followed, we wrote a blog about this. We have a cyberhoot.com slash blog. We wrote about this recently. It wasn't our original research. We were re-blogging about a particular topic of hacking. Somebody studied the hacking organizations and they said they've applied the Henry Ford methodology of, your job is just to paint the car. Your job is put the tires on and your job is to, you know,

bolt in the engine, right? They did assembly line work for hacking. So there's organizations that all they do is they breach companies. They don't do anything with it. Then they sell the breached access to another company or to another hacking organization that could do a ransomware, could do, you know, come in, you know, land and expand and just stay in the network. And then there's the extortionists and so on and the support organizations. So they have different functions.

of hacking organizations today to make it more efficient, right? And it actually makes it harder to get caught, right? If you're the one that breaches a company, but you never do anything with it, you sell it to another person that's on the other side of the world that's gonna then deploy the ransomware, there's nothing tying back when the ransomware gets in there. How do you figure out, well, over here is what breached us, but over here is what put the hands, it's like, it's so difficult to catch anybody.

Francis Gorman (31:20.083)
really is and Craig I don't think I envision myself spending 30 minutes just talking about security awareness and culture but here you go we've done it now and it's been really interesting. If anyone wants to find you after this or wants to find out more about CyberHoot is there a way they can get in touch with you?

Craig Taylor (31:37.816)
Yeah, please visit our website, cyberhoot.com. You can book a free meeting, a demo there if you'd like. We give CyberHoot away free for individuals. So if you're listening to this and you want to just try it out for yourself, go to cyberhoot.com slash individuals and you can get free access to everything. We produce a monthly video, a quarterly phishing test, and that allows you to experience the positive reinforcement effect and the gamification effects of our platform.

that really focuses in on rewarding you for engagement, rewarding you for good behaviors and teaching you those good behaviors. We have this interactive test that you have to go through to learn phishing and you become proficient at it. It's very simple through practice and repeated activities. If anyone ultimately signs up for a paid trial of our platform, we'll give you 20% off for a year with the Entropy Podcast as the referral.

quote, how did we hear about CyberHoot? Just put in the Entropy Podcast, you get 20% off for a year. And we're month to month. So there's really no risk to anyone giving us a try. And if you like what you see, the positive reinforcement, the psychological benefits of it, we think you'll stick around.

Francis Gorman (32:54.789)
stuff Craig and look I wish you all the best I hope it goes well into the future and it sounds like you're doing something unique which is always good to see in the industry a bit of innovation that kind of takes the psychology aspect and reinvents it then to look for real world impact. It's been a pleasure having you on Craig and I really enjoyed the conversation.

Craig Taylor (33:15.638)
Mine too. Thank you so much for having me, Francis, and good luck to your Entropy Podcast.

Francis Gorman (33:20.167)
Thanks, Craig.