Rachel Tobac is a hacker and the CEO of SocialProof Security, but her behavioral science and neuropsychology background is nontraditional for the information security field.

“I used to work in a rat lab,” Tobac said during an episode of the CISO Stories podcast with Cyberason Chief Security Officer Sam Curry. She said she didn’t know information security existed at the time she was earning her neuroscience degree. Combined with other experiences such as improv and theater, she pulls them all together to hack people.

“I had no idea you could be non-technical and hack,” Tobac said. “I don’t write code, so I completely hack people over the phone, over email, text message or social media — without any code.”

Listen to episode 33 of the CISO Stories podcast by Security Weekly: The Unpatchable Vulnerability That Is Human Nature

Some people are more difficult to hack because they’re more resistant, she said. For example, those with higher-level access are harder to hack because they tend to have more cybersecurity training, and may have even been phished before and have learned from the experience. But people who are a bit greener are easier, she added.

“I would say everybody is susceptible when they don’t understand what’s going on, or if they don’t have the technical tools to protect them.”

“I never say that it’s just awareness,” she said. “I always say ‘It’s awareness, plus technical tools to back people up when they make mistakes.’”

Bonus video: Tobac’s infosec sea shanty