
Re-thinking The Human Factor with Bruce Hallas

Latest episodes

May 31, 2021 • 40min

Re-thinking the Human Factor: Cyber Security Mini Series

Humans have achieved great things, from survival through to prosperity, and all because of how our brains have evolved. However, our physical and cognitive evolution lags behind Moore's law, and our brains just cannot cope with the amount of information and the huge number of decisions we need to make, both consciously and unconsciously, every day. How do our brains cope, and why does this coping mechanism make us vulnerable and keep CISOs awake at night? In this episode Bruce and Proofpoint's resident CISO Andrew Rose tackle this thorny question amongst a range of other interesting points.

Apr 28, 2020 • 1h 3min

A conversation with award-winning CISO, Andrew Rose

ANDREW ROSE joins us for Series 3, Episode 12 of the Re-Thinking the Human Factor Podcast. Join us for this straightforward discussion with an award-winning CISO who transformed security management for three major organisations.

With his extensive background, Andrew is a strong relationship manager who is able to develop and lead teams, driving initiatives forward with a style that is facilitative, tenacious and positive. He is able to communicate, co-ordinate and influence effectively at all levels and respond to challenges with dedication, enthusiasm and pragmatism.

Andrew Rose is strongly focussed on sensible, cost-effective security solutions being used to enable a business to innovate and develop.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: bruce.hallas@re-thinkingthehumanfactor.com

JOIN ANDREW ROSE AND BRUCE HALLAS AS THEY DISCUSS: The early days of cyber security and how people almost gave up on the human factor. How the idea of applying the knowledge of human awareness came into play. Challenges today’s cyber security managers face. How can you be safe if you are not secure? The key indicators of a healthy security culture. The influences that help to drive our decision-making and behaviour. Designing cyber security awareness and training with the human in mind. How to win people over to try something new. How hackers think.

RESOURCES AND TOPICS FOR FURTHER STUDY: B.J. Fogg and his new book, "Tiny Habits"; The Analogies Project

MORE ABOUT ANDREW ROSE: LinkedIn, Twitter

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Apr 21, 2020 • 47min

Know your cyber security risks, with Prudence Smith

PRUDENCE SMITH joins us for Series 3, Episode 11 of the Re-Thinking the Human Factor Podcast. Join us as we discuss risk assessment within a changing cyber landscape. We know our listeners are going to glean a great deal from this week's discussion and enjoy the fruits of Prudence’s years of experience.

PRUDENCE SMITH is a trusted cyber and security risk professional who has been working in security, technology and compliance in a career spanning over 20 years, working in large multinational financial institutions, senior management, client and government liaison, high-risk targets, intelligence and SMB infrastructures.

So put the kettle on, sit back and enjoy this riveting discussion as Prudence explains the importance of understanding the ever-changing landscape of cyber security risk.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com

TOPICS DISCUSSED: When and why human behaviour became a focus in the cyber security industry. How an audit led to the investigation into the human factor. Cyber security awareness. Risk-based profiling. Cyber security education, awareness and culture. What impact events such as the Coronavirus have on culture and awareness.

RESOURCES AND TOPICS FOR FURTHER STUDY: RSA Conference; The Analogies Project; Consumer Data Research Report

MORE ABOUT TERRY O’REILLY: LinkedIn, Twitter

Apr 14, 2020 • 1h 2min

Marketing Strategy Applied To Cyber Security with TERRY O’REILLY.

TERRY O’REILLY joins us for Series 3, Episode 10 of the Re-Thinking the Human Factor Podcast. Join us as we delve into the brilliant marketing mind of our guest so we can apply this understanding to our industry of cyber security and awareness.

Terry O’Reilly is the host of CBC Radio's Under the Influence and co-founder of The Apostrophe Podcast Company. He is also an engaging speaker and author to boot, with over 35 years of experience as an adman. He discusses the bigger issues of marketing and how it affects the public.

But most of all, Terry connects the dots when it comes to pop culture, human nature and the numerous gales and undertows that affect communication. Sprinkled, of course, with the humour required to deal with it all.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com

JOIN TERRY O’REILLY AND BRUCE HALLAS AS THEY DISCUSS: Marketing, and its application to cyber security and awareness. Shish Kebab Theory. The long game of cyber security awareness and training. Strategies for effectively marketing cyber security campaigns. How to gain an understanding of your target audience. Are people gathering data frequently enough? Understanding and aligning your company’s values with your cyber security goals.

RESOURCES AND TOPICS FOR FURTHER STUDY: This I Know, by Terry O'Reilly; The Analogies Project

MORE ABOUT TERRY O’REILLY: LinkedIn, Company LinkedIn Page, Under The Influence Podcast

Apr 7, 2020 • 1h 10min

Why we need to re-think the human factor in security, with Bruce Hallas

Bruce Hallas sits in the hot seat for a change as Alexia of Marmalade Box grills him for this: Series 3, Episode 4 of the Re-Thinking the Human Factor Podcast. Having received a lot of emails asking us for more information about Bruce Hallas, the host of this podcast, Alexia agreed to put Bruce through some viewer-led questioning in the hopes of delving deeper into his background and expertise.

Having trained in accounting and law, Bruce started his work life in business development, outside the realms of tech, and found himself passionate about security awareness and human behaviour. Via a series of questions, 7 years ago Bruce was led to his groundbreaking research that led to his book ‘Rethinking The Human Factor’. Apart from his work as a researcher and author, he also runs Marmalade Box, a company dedicated to helping organisations cultivate and design a positive security awareness by raising awareness and influencing behaviours.

Bruce is an expert in reducing risk and helping companies design security processes that reduce the guesswork from the human factor. We know you will enjoy listening to how and why Bruce is so passionate about his chosen occupation and how you can benefit from his vast understanding.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com

JOIN BRUCE HALLAS AND ALEXIA AS THEY DISCUSS: The questions Bruce asked himself when he started his research journey. How understanding the human factor allows for better engagement. Breaking down the entire system within information security to better the process. The Analogies Project and how analogies help in shaping culture and behaviour. Who benefits the most from the Rethinking The Human Factor research? Designing with the human in mind. Does evidence point to the validity of the framework created from the research done in Rethinking The Human Factor? The importance of establishing a cohesive vision as an anchor. How personal values influence culture. What can my organisation do to benefit from this?

RESOURCES AND TOPICS FOR FURTHER STUDY: Rethinking The Human Factor by Bruce Hallas; Nudge by Richard H. Thaler; The Power Of Analogy by Dieter Wanner

MORE ABOUT BRUCE HALLAS: LinkedIn, Marmalade Box, The Analogies Project

Mar 31, 2020 • 1h 5min

Taking risks to reduce risk, with Eric Ravello

If criminals are doing research into human behaviour then they are designing phishing attacks with the human in mind. As attackers change their attacks, so must cyber security providers change their methods of dealing with them.

Eric Ravello joins us for Episode 33 of the Re-Thinking the Human Factor Podcast. We are holding strong to our promise to bring you top-notch guests this week, and we cannot wait to delve into this podcast topic. Eric has more than 15 years of experience within cybersecurity, acquired with multiple programs in international environments. Eric loves to inspire confidence and create cooperation for people in long-term strategy. He believes we can achieve a better environment by designing and managing positive security culture programs that respect all individuals. To transform his environment, he delivers attractive and engaging campaigns for all or tailored to specific business functions. He is not afraid to go against the grain and take risks.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com

RESOURCES AND TOPICS FOR FURTHER STUDY: Re-Thinking The Human Factor E-Book; The Analogies Project

MORE ABOUT ERIC RAVELLO: LinkedIn

Mar 24, 2020 • 53min

Simplifying Cyber Security, with Neil Frost

NEIL FROST joins us for Series 3, Episode 7 of the Re-Thinking the Human Factor Podcast. Join us for this straightforward discussion on how to cultivate easy-to-digest security campaigns that have the lasting effect of benefiting culture. Neil Frost was part of the team responsible for Security Awareness and Culture at the HMRC (the UK Tax Office). Before that he worked at the UK Police Force on Training and Awareness.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com

JOIN NEIL FROST AND BRUCE HALLAS AS THEY DISCUSS: Defense against cyber attacks. Tips to make your cyber security training efforts more effective. How budgeting affects training outcomes. How perceptions can block the flow of information. Using data to create security training around the needs of your organization rather than throwing something against the wall and hoping it sticks. How to get the real data rather than answers given "just to please". Implementing lasting behavioural change through messaging and stories. Storytelling as a means of communication is hard-wired into human behaviour. Finding the right tools, such as software platforms and technology, to create your solutions.

RESOURCES AND TOPICS FOR FURTHER STUDY: Wired For Story; The Analogies Project

MORE ABOUT NEIL FROST: LinkedIn, Bobs Business, Bobs Business (Twitter)

Mar 17, 2020 • 55min

The Accidental Security Specialist, with David Shipley

Living up to our promise to bring you fantastic guests, David Shipley joins us for Series 3, Episode 6 of the Re-Thinking the Human Factor Podcast. Time to go phishing, so grab your rod. David is a self-professed accidental cyber security professional, but has spent time as a soldier, newspaper reporter and marketer. After a cyber hack within his company occurred, David grew increasingly interested in cyber security and was asked to take on this role within his company. Currently based in Canada, David is an award-winning entrepreneur and head of Beauceron Security. Beauceron's holistic approach to measuring and reducing cyber risk brings together threat intelligence, user education and awareness, simulated attacks and real incident data into an easy-to-use and deploy cloud platform that transforms cybersecurity from an IT-centric issue into a pan-organization management opportunity.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com

IN THIS EPISODE, DAVID SHIPLEY AND BRUCE HALLAS DISCUSS:

The sheepdog effect. Turning the cyber victims into defenders. Empowering the person. The importance of driving behavioural reinforcement within a culture to keep positive cyber security behaviour thriving.

Getting the metrics correct: repeat clickers and what we can learn. Taking the time to make sure people really retain new cyber security-related information and behaviours.

Phishing fallibility: Is someone’s emotional state a factor to be considered? The 8 emotional scale. Fear response, social hi-jacking and engineering. How time affects people’s behaviour during a 24 hour period. The power of keeping calm. Speed can often be your enemy.

The Power Model, what it is and how it can be used to boost cyber-security awareness: People, environment, actions and resources. Creating an easy to use protocol to gauge involvement. Learning from each other. Building a solid support structure.

Black box culture, going deeper into more effective cyber security training: Talking about issues without laying blame. The story of the mayor that got phished. Learning from mistakes in proactive ways. Rewarding right behaviour. Scoring people and then helping them improve their performance within the security culture.

Compliance: Exceeding compliance via relative, contextual, timely informative videos. Treat your audience like adults.

Using surveying as a tool to generate better metrics around risk and awareness: The importance of your baseline and the importance of a good survey. How does bias affect survey answers and are there ways around it? Using video responses to surveying to offer training in weak spots and offer guidance and support to colleagues. Start a positive feedback loop.

Phishing attacks and data strategy. Data gathering from ‘time to click’ data proves to be very fruitful at limiting risk. Huge amounts of data are available to be mined to design cyber security awareness and education pieces that change behaviour. Having a strategy for data gathering is crucial. Learning when people click leads to a defined process towards a positive security culture.

Cyber security marketing. The same tools that marketing applies can be used when trying to form a new culture of awareness within a business. What is a KPI clash?

Where is the cyber security industry failing? Not enough focus on the human factor. Not enough funding for training. Real meaningful change comes with data and planning correctly. Data driven decision making around security awareness. The need for sharing resources exists to help strengthen the entire security industry.

RESOURCES AND TOPICS FOR FURTHER STUDY: More about heuristics; The Analogies Project; Black Box Thinking

MORE ABOUT DAVID SHIPLEY: LinkedIn, Beauceron Security, Twitter

Mar 10, 2020 • 1h 5min

Designing Learning Experiences That Stick, with Megan Sumeracki

Megan Sumeracki joins us for Series 3, Episode 5 of the Re-Thinking the Human Factor Podcast. Megan Sumeracki is an Assistant Professor at Rhode Island College. She co-founded the Learning Scientists in January 2016 with Yana Weinstein. Megan received her Master’s in Experimental Psychology at Washington University in St. Louis and her PhD in Cognitive Psychology from Purdue University. Her area of expertise is in human learning and memory, and applying the science of learning in educational contexts.

WHAT'S THIS EPISODE ABOUT? As cyber security practitioners, we often ask ourselves the question of how we get people to remember to do the things we tell them to do. How do we get them to retain what we teach them in our trainings? Well, you’re in luck. This conversation is full of treasures to do with how our brains work when learning and strategies (based on scientific evidence) that can help you create training situations where the information will be more likely to stick.

Side note: We touch a lot on something called Retrieval Practice. Retrieval practice is simply a strategy in which bringing information to mind enhances and boosts learning. It’s about deliberately pulling what we’ve learned back out of our heads to examine it.

Megan addresses empirical questions such as: What retrieval practice formats promote student learning? What retrieval practice activities work well for different types of learners? And, why does retrieval increase learning?

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: shortcuts@re-thinkingthehumanfactor.com

BELOW IS A MORE DETAILED OUTLINE OF WHAT MEGAN AND I DISCUSSED:

Understanding how we learn information and how we apply and remember it. The goal of education is to teach students how to learn and retain information so they can use it in the future. The key words: Learn, memory, retain, apply. Even though a student needs to pass exams and get grades, it is more useful to retain information and be able to apply it in the future. Standardised testing could be improved, as education needs to create a new behaviour rather than just stored information. Creating tests that mimic the real world can help people retain and then use new information.

Data driven approach. Just because we enjoy certain methods of learning, does it mean they will help us retain any new information? Challenging the way we learn can push us towards more durable learning processes. Instinct and intuition do not necessarily answer the question of education.

Building effective strategies. Why cramming does not relate to long term memory of a topic. Understand what it is that helps people learn and retain information over a longer period of time. Retrieval practice (bringing things to mind) and spacing practice (spreading learning over a period of time). It is more difficult to predict an individual's way of learning than that of a larger group on average. Confirmation bias can muddy research waters. Expecting to see something can create patterns. Finding ways to remove bias, such as breaking a theory down to disprove it. Results free of bias lead to stronger data.

Spacing and retrieval. Spacing and retrieval have been around since the 1800s and used repeatedly. How the true value of all knowledge and understanding is application. The art of communication. Student driven research into learning through accessibility. What other misunderstandings do people have around learning?

Designing with the human in mind. The cognitive process. Getting the information in is only one step; you have to be able to get the information back out and apply it. Retrieval cues and how they help. The importance of finding ways to bring back to mind recently learned information to help it stick. Bridging the gap from study to new awareness and understanding. Situational awareness building can help develop new behaviours. Encoding information does not necessarily lead to retrieval. Storytelling as a way to help retrieve new information.

Holding interest to hold attention. Does interest really govern retention? If a person likes engaging they will likely engage more with a topic or action. Attention span can often be affected by external influences like eating breakfast and rest. Bite sized learning spread out over a longer period can aid retention. Sometimes ’seductive details’ can be distracting even if entertaining.

RESOURCES AND TOPICS FOR FURTHER STUDY: Understanding How We Learn: A Visual Guide; Elizabeth Loftus; More on Retrieval Practice

FIND MEGAN SUMERACKI ONLINE: LinkedIn, Twitter, Learning Scientists Website

Mar 3, 2020 • 56min

Storytelling For Better Cybersecurity, with Sarah Moffat

Sarah Moffat joins us for Series 3, Episode 4 of the Re-Thinking the Human Factor Podcast. With a vast background in cybersecurity and understanding the human factor, Sarah is currently advising the Federal Government on privacy and security in Washington, D.C. She is also a leadership and development coach, using her knowledge of psychology to inspire others, tailoring specific training to meet the personal needs of her clients. Can storytelling shape culture within the workspace towards better cybersecurity? Let’s hear what Sarah has to say on this enlightening topic.

MORE ABOUT SARAH MOFFAT: https://www.linkedin.com/in/sarahcmoffat/ https://www.leadingladies.co/

JOIN SARAH MOFFAT AND BRUCE HALLAS AS THEY DISCUSS:

Navigating generational influences upon the way people pick up new technology. How storytelling can help instructional design. Millennials have a very different security culture to baby boomers. Creating a map as a framework to build a program to suit different attitude types. (Because realistically, what can we learn from pilots and PowerPoint?)

How as an industry have we seen cybersecurity education and awareness training? Is it a good idea to have it as a standalone piece of training? Cyber security needs to become interwoven at every level of life, especially at work. Security as a life skill is needed for this new tech-based environment.

How early should we all be learning cybersecurity as a culture nowadays? Cultures are formed through a process of experience, so are we doing a good enough job developing behaviours early enough? The importance of identifying right action, not only as cyber security professionals, but also helping those we lead to understand easily which choices are the “right” ones. Personal choice. How to cultivate a healthy reaction.

Is once a year training worthwhile in a changing security landscape? The importance of awareness training and inspiring interest throughout the year.

Bridging the gap: implanting security into the overall culture of the organisation can better protect it. Branding strategy, touch points and brand equity are all important attributes of an effective awareness and behaviour campaign. How bridging the gap between the CIO and the rest of an organisation boosts security awareness and engagement.

Mistakes that can happen when creating security cultures: the percentage of people given the responsibility for security awareness within an organisation is really high, but it is another hat they wear. Ticking boxes vs. building a new culture. Protecting PII should be about protecting people.

Is security awareness a risky business? Personal responsibility plays a large role in adaptation of new behaviour across culture. Investment of time and money and/or the lack thereof, and how it influences change. As security professionals, we must remember that doing the same thing over and over again expecting different results is insanity. Capitalise on what we know drives human behaviour. Telling stories costs very little, so not much risk involved, and stories have been proven to change behaviours.

DO YOU NEED SOME HELP IMPLEMENTING THE NEW STRATEGIES YOU’RE PICKING UP? SIGN UP FOR ONE OF OUR WORKSHOPS: Re-Thinking the Human Factor – Introductory Workshop; Risk Assessment Workshop

Thanks for listening and sharing, Bruce & The Re-thinking the Human Factor Podcast Team
